Prisma Cloud Compute’s Console and Defender images are based on the Red Hat Universal Base Image 8 Minimal (UBI8-minimal). We use the UBI8-minimal image to keep our image sizes as small as possible while still retaining functionality and supporting OpenSCAP scanning. Red Hat states that the minimal image is designed for applications that contain their own dependencies, which is the case for Prisma Cloud Compute.
For every release of Prisma Cloud Compute, we perform an SCAP scan of the Console and Defender images. This process is based upon the U.S. Air Force’s Platform 1 "Repo One" OpenSCAP scan of the Prisma Cloud Compute images. We then compare the scan results to IronBank’s latest approved UBI8-minimal scan findings. Any discrepancies are addressed or justified, and the results are posted here.
The scanning process is as follows:

1. Build a Red Hat Enterprise Linux server.
2. Install the openscap-utils package.
3. Pull the latest SCAP content from the Compliance as Code GitHub repository.
4. Scan the Console and Defender images:

       oscap-podman <imageID> xccdf eval \
         --fetch-remote-resources \
         --profile xccdf_org.ssgproject.content_profile_stig \
         --report scan_report_name.html \
         scap-security-guide-*latest*/ssg-rhel8-ds.xml

5. Compare findings against the IronBank daily issued UBI8-minimal image.
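
One way to carry out the final comparison step is sketched below, as an added example that is not part of the Prisma Cloud Compute process or tooling. It assumes both scans were also run with oscap's `--results` option so that XCCDF 1.2 result XML is available (the command above writes only the HTML report); the rule IDs and both result documents are constructed samples.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "{http://checklists.nist.gov/xccdf/1.2}"  # XCCDF 1.2 namespace

def rule_results(xccdf_xml):
    """Return {rule id: result} for every rule-result in an XCCDF results document."""
    root = ET.fromstring(xccdf_xml)
    results = {}
    for rr in root.iter(XCCDF_NS + "rule-result"):
        result = rr.findtext(XCCDF_NS + "result", default="unknown").strip()
        results[rr.get("idref")] = result
    return results

def compare_to_baseline(image_xml, baseline_xml):
    """Split failing rules into image-only, shared, and baseline-only findings."""
    image, baseline = rule_results(image_xml), rule_results(baseline_xml)
    image_fail = {r for r, res in image.items() if res == "fail"}
    base_fail = {r for r, res in baseline.items() if res == "fail"}
    return {
        "image_only": sorted(image_fail - base_fail),    # address or justify these
        "shared": sorted(image_fail & base_fail),        # also fail in the baseline image
        "baseline_only": sorted(base_fail - image_fail), # fail only in the baseline
    }

def constructed_results(results):
    """Build a minimal XCCDF results document from {rule id: result} (sample data)."""
    rows = "".join(
        f'<rule-result idref="{rid}"><result>{res}</result></rule-result>'
        for rid, res in results.items()
    )
    return (
        '<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">'
        f'<TestResult id="constructed">{rows}</TestResult></Benchmark>'
    )

PREFIX = "xccdf_org.ssgproject.content_rule_"  # rule names below are constructed
IMAGE_XML = constructed_results({
    PREFIX + "constructed_a": "fail", PREFIX + "constructed_b": "fail",
    PREFIX + "constructed_c": "pass", PREFIX + "constructed_d": "notapplicable",
})
BASELINE_XML = constructed_results({
    PREFIX + "constructed_a": "fail", PREFIX + "constructed_b": "pass",
    PREFIX + "constructed_c": "fail", PREFIX + "constructed_d": "notapplicable",
})

if __name__ == "__main__":
    for bucket, rules in compare_to_baseline(IMAGE_XML, BASELINE_XML).items():
        print(bucket, rules)
```

The `image_only` bucket holds the discrepancies against the baseline scan: rules that fail in the scanned image but not in the UBI8-minimal baseline.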