[patch] oscap scanning and hardening images (#29)

Author: HariPalleti

build/bin/.env.sh

@@ -5,6 +5,12 @@
 
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 export PATH=$PATH:$DIR:$DIR/ptc
+CONFIG_DIR=$DIR/config
+
+# Use OSCAP tools to produce image hardening report for built images
+export OSCAP_ENABLED=${OSCAP_ENABLED:-true}
+export OSCAP_DIR=$GITHUB_WORKSPACE/.oscap
+
 
 # Version file (semver)
 export VERSION_FILE=${GITHUB_WORKSPACE}/.version

build/bin/.functions.sh

@@ -101,3 +101,9 @@ function artifactory_upload() {
   echo "Uploading $1 to $2"
   curl -H "Authorization:Bearer $ARTIFACTORY_TOKEN"  -H "X-Checksum-Md5: $md5Value" -H "X-Checksum-Sha1: $sha1Value" -T $1 $2 || exit 1
 }
+
+# install oscap tools
+function install_oscap() {
+  sudo apt-get update
+  sudo apt-get install -y openscap-scanner
+}

build/bin/build.sh

@@ -5,6 +5,17 @@ TARGET_PLATFORM=$1
 echo "GITHUB_REF=$GITHUB_REF"
 echo "GITHUB_EVENT_NAME=$GITHUB_EVENT_NAME"
 
+export ARTIFACTORY_GENERIC_RELEASE_URL=${ARTIFACTORY_GENERIC_RELEASE_URL:-https://na.artifactory.swg-devops.com/artifactory/wiotp-generic-release}
+export ARTIFACTORY_GENERIC_LOCAL_URL=${ARTIFACTORY_GENERIC_LOCAL_URL:-https://na.artifactory.swg-devops.com/artifactory/wiotp-generic-local}
+export OSCAP_REMEDIATION_URL=${ARTIFACTORY_GENERIC_LOCAL_URL}/dependencies/oscap/ubi9/remediate.sh
+export OSCAP_REMEDIATION_FILE=${GITHUB_WORKSPACE}/image/cli-base/remediate.sh
+
+echo "OSCAP_REMEDIATION_URL: $OSCAP_REMEDIATION_URL"
+echo "OSCAP_REMEDIATION_FILE: $OSCAP_REMEDIATION_FILE"
+
+# Copy OSCAP remediation file from artifactory
+wget --header="Authorization:Bearer ${ARTIFACTORY_TOKEN}" ${OSCAP_REMEDIATION_URL} -O ${OSCAP_REMEDIATION_FILE}
+
 # Login to quay.io
 docker login --username $QUAYIO_USERNAME --password $QUAYIO_PASSWORD quay.io
 if [[ "$TARGET_PLATFORM" == "s390x" || "$TARGET_PLATFORM" == "ppc64le" ]]; then
@@ -14,7 +25,7 @@ if [[ "$TARGET_PLATFORM" == "s390x" || "$TARGET_PLATFORM" == "ppc64le" ]]; then
     python3 $GITHUB_WORKSPACE/build/bin/python-collect-prebuilt-wheels.py --req-file $GITHUB_WORKSPACE/image/cli-base/install/requirements.txt --dest $GITHUB_WORKSPACE/image/cli-base/install/ --add-dependency cryptography --target-platform $TARGET_PLATFORM
 fi
 # Build the image
-$GITHUB_WORKSPACE/build/bin/docker-build.sh -r quay.io/ibmmas/cli-base --target-platform $TARGET_PLATFORM -b image/cli-base
+$GITHUB_WORKSPACE/build/bin/docker-build.sh -r quay.io/ibmmas/cli-base --target-platform $TARGET_PLATFORM -b image/cli-base --scap-data-stream ssg-rhel9-ds
 
 # Squash the image layers
 python3 -m pip install docker-squash

build/bin/config/oscap/ssg-rhel9-ds.xml

@@ -26,6 +26,10 @@ do
         TARGET_PLATFORM="$2"
         ;;
 
+        --scap-data-stream)
+        SCAP_DATA_STREAM="$2"
+        ;;
+
         *)
         # unknown option, use as additional params directly to docker
         EXTRA_PARAMS="$EXTRA_PARAMS $key $2"
@@ -78,3 +82,31 @@ docker buildx build --progress plain \
   --build-arg VCS_REF=$GITHUB_SHA \
   --build-arg VCS_URL=https://github.com/$GITHUB_REPOSITORY \
   -t $LOCAL_TAG $EXTRA_PARAMS -f $DOCKERFILE $BUILDPATH || exit 1
+
+# 5. Generate OSCAP(Security Content Automation Protocol) report
+# ---------------------------------------------------------------------------------------------------------------------
+echo_h2 "Generate OSCAP scan report and remediation script"
+if [[ "$TARGET_PLATFORM" == "amd64" ]]; then
+  if [[ "$OSCAP_ENABLED" != "true" ]]; then
+    echo "SCAP scan is disabled, set OSCAP_ENABLED=true for SCAP scanning and image hardening during image build ${NAMESPACE}/${IMAGE}:${DOCKER_TAG}"
+  else
+    install_oscap
+    mkdir -p $OSCAP_DIR
+    echo "SCAP Data Stream: ${SCAP_DATA_STREAM}.xml"
+    echo "Generating OSCAP scan report"
+    image_name="${REPOSITORY##*/}"
+    if [[ "$TARGET_PLATFORM" == "" ]]; then
+      sudo $DIR/oscap-docker.sh $REPOSITORY:latest xccdf eval --report $OSCAP_DIR/$image_name-report.html --results $OSCAP_DIR/$image_name-results.xml --profile stig $CONFIG_DIR/oscap/${SCAP_DATA_STREAM}.xml
+    else
+      sudo $DIR/oscap-docker.sh $REPOSITORY:$DOCKER_TAG-$TARGET_PLATFORM xccdf eval --report $OSCAP_DIR/$image_name-report.html --results $OSCAP_DIR/$image_name-results.xml --profile stig $CONFIG_DIR/oscap/${SCAP_DATA_STREAM}.xml
+    fi
+    sudo oscap xccdf generate fix --fix-type bash --output $OSCAP_DIR/$image_name-remediation.sh --result-id xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_stig $OSCAP_DIR/$image_name-results.xml
+    
+    # Upload the results to Artifactory    
+    artifactory_upload $OSCAP_DIR/$image_name-report.html $ARTIFACTORY_GENERIC_RELEASE_URL/github/ibm-mas/$image_name/$DOCKER_TAG/$image_name-report.html
+    artifactory_upload $OSCAP_DIR/$image_name-results.xml $ARTIFACTORY_GENERIC_RELEASE_URL/github/ibm-mas/$image_name/$DOCKER_TAG/$image_name-results.xml
+  fi
+else
+  echo "OSCAP tooling can only process amd64 container images"
+fi
+

build/bin/docker-build.sh

@@ -0,0 +1,99 @@
+#!/usr/bin/env bash
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+source ${DIR}/.functions.sh  || exit 1
+source ${DIR}/.env.sh || exit 1
+
+function die()
+{
+    echo "$*" >&2
+    exit 1
+}
+
+function invalid()
+{
+    echo -e "$*\n" >&2
+    usage
+    exit 1
+}
+
+function usage()
+{
+    echo "oscap-docker -- Tool for SCAP evaluation of Docker images and containers."
+    echo
+    echo "Compliance scan of Docker image:"
+    echo "$ sudo oscap-docker [--oscap=<OSCAP_BINARY>] IMAGE_NAME OSCAP_ARGUMENT [OSCAP_ARGUMENT...]"
+    echo
+    echo "Compliance scan of Docker container:"
+    echo "$ sudo oscap-docker [--oscap=<OSCAP_BINARY>] CONTAINER_NAME OSCAP_ARGUMENT [OSCAP_ARGUMENT...]"
+    echo
+    echo "See \`man oscap\` to learn more about semantics of OSCAP_ARGUMENT options."
+}
+
+OSCAP_BINARY=oscap
+
+if [ $# -lt 1 ]; then
+    invalid "No arguments provided."
+elif [ "$1" == "-h" ] || [ "$1" == "--help" ]; then
+    usage
+    exit 0
+elif [[ "$1" == --oscap=* ]] && [ $# -gt 2 ]; then
+    OSCAP_BINARY=${1#"--oscap="}
+    shift
+elif [ "$#" -gt 1 ]; then
+    true
+else
+    invalid "Invalid arguments provided."
+fi
+
+if [ "$(id -u)" -ne 0 ]; then
+    die "This script cannot run in rootless mode."
+fi
+if grep -q -- "--remediate" <<< "$@"; then
+    die "This script does not support '--remediate' option."
+fi
+
+IMAGE_NAME=$(docker image inspect --format "{{.Id}} {{.RepoTags}}" "$1")
+
+# Check if the target of scan is image or container.
+CLEANUP=0
+if [ -n "$IMAGE_NAME" ]; then
+    ID=$(docker create $1 sh) || die "Unable to create a container."
+    TARGET="docker-image://$IMAGE_NAME"
+    CLEANUP=1
+else
+    die "Target of the scan not found: '$1'."
+fi
+
+
+MOUNT_TMP=$(mktemp -d)
+docker export "$ID" | tar -C "$MOUNT_TMP" -xf - || die "Failed to export container."
+
+DIR="$MOUNT_TMP"
+if [ ! -f "$DIR/run/.containerenv" ]; then
+    # ubi8-init image does not create .containerenv when running docker init, but we need to make sure that the file is there
+    touch "$DIR/run/.containerenv"
+fi
+
+ls -l $DIR/run/.containerenv
+export OSCAP_CONTAINER_VARS
+OSCAP_CONTAINER_VARS=`docker inspect $ID --format '{{join .Config.Env "\n"}}'`
+
+export OSCAP_PROBE_ROOT
+OSCAP_PROBE_ROOT="$(cd "$DIR" && pwd)" || die "Unable to change current directory to OSCAP_PROBE_ROOT (DIR)."
+export OSCAP_EVALUATION_TARGET="$TARGET"
+shift 1
+
+#echo_begingroup "OSCAP scan report for $NAMESPACE/$IMAGE"
+$OSCAP_BINARY "$@" | echo
+EXIT_CODE=$?
+#echo_debug "EXIT_CODE:$EXIT_CODE"
+#echo_endgroup
+
+if [ $CLEANUP -eq 1 ]; then
+    # docker-rm should handle also unmounting of the container filesystem.
+    docker rm "$ID" &> /dev/null || die "Failed to clean up."
+    rm -rf "$MOUNT_TMP"
+fi
+exit $EXIT_CODE
+

build/bin/oscap-docker.sh

@@ -43,6 +43,13 @@ RUN rm -rf /tmp/install && \
 ADD https://github.com/krallin/tini/releases/download/v0.19.0/tini-$ARCHITECTURE /tini
 RUN chmod +x /tini
 
+# 5. Run remediation
+COPY remediate.sh /tmp
+RUN chmod a+x /tmp/remediate.sh
+RUN bash /tmp/remediate.sh
+
+# 6. Cleanup
+RUN rm -rf /tmp/*
 # 11. Setup working environment
 WORKDIR /mascli
 ENTRYPOINT ["/tini", "--"]