Overview

Prisma Cloud Compute’s Console and Defender base image is the Red Hat Universal Base Image 8 Minimal. We use the UBI8-minimal image to keep our image sizes as small as possible while still retaining functionality and supporting OpenSCAP scanning. Red Hat states that the minimal image is designed for applications that contain their own dependencies, which is the case for Prisma Cloud Compute.

Methodology

With every release of Prisma Cloud Compute, we perform an SCAP scan of the Console and Defender images. This process is based upon the U.S. Air Force’s Platform 1 "Repo One" OpenSCAP scan of the Prisma Cloud Compute images. We then compare the scan results to IronBank’s latest approved UBI8-minimal scan findings. Any discrepancies are addressed or justified, and the results are posted here.

The scanning process is as follows:

  1. Build a Red Hat Enterprise Linux server

  2. Install the openscap-utils package

  3. Pull the latest SCAP content from the Compliance as Code GitHub repository.

  4. Scan the Console and Defender images

    oscap-podman <imageID> xccdf eval \
    --fetch-remote-resources \
    --profile xccdf_org.ssgproject.content_profile_stig \
    --report scan_report_name.html scap-security-guide-*latest*/ssg-rhel8-ds.xml

  5. Compare findings against the IronBank daily issued UBI8-minimal image.
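
One way to carry out the comparison in step 5, as an added example that is not part of the Prisma Cloud or IronBank tooling. It assumes each scan was also run with oscap's `--results <file>.xml` option so that machine-readable XCCDF results exist alongside the HTML report. The rule ids, the sample documents and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace of XCCDF 1.2 results documents written by `oscap xccdf eval --results`.
XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}


def failed_rules(xccdf_results_xml):
    """Return the set of rule ids whose <result> is 'fail'."""
    root = ET.fromstring(xccdf_results_xml)
    failed = set()
    for rule_result in root.iterfind(".//x:rule-result", XCCDF_NS):
        outcome = rule_result.findtext("x:result", default="", namespaces=XCCDF_NS)
        if outcome.strip() == "fail":
            failed.add(rule_result.get("idref"))
    return failed


def compare_findings(image_xml, baseline_xml):
    """Split failing rules into those unique to the image, shared, or baseline-only."""
    image, baseline = failed_rules(image_xml), failed_rules(baseline_xml)
    return {
        "image_only": sorted(image - baseline),     # discrepancies to address or justify
        "shared": sorted(image & baseline),         # inherited from the base image
        "baseline_only": sorted(baseline - image),  # fail in the baseline, not in the image
    }


def _constructed_results(outcomes):
    """Build a minimal XCCDF results document from {rule_id: outcome} (sample data)."""
    rows = "".join(
        f'<rule-result idref="{rule}"><result>{outcome}</result></rule-result>'
        for rule, outcome in outcomes.items()
    )
    return (
        '<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">'
        f'<TestResult id="constructed">{rows}</TestResult></Benchmark>'
    )


# Constructed sample inputs: placeholder rule ids, not real scan findings.
IMAGE_RESULTS = _constructed_results(
    {"rule_a": "fail", "rule_b": "fail", "rule_c": "pass", "rule_d": "notapplicable"}
)
BASELINE_RESULTS = _constructed_results(
    {"rule_a": "fail", "rule_b": "pass", "rule_c": "fail"}
)

if __name__ == "__main__":
    for bucket, rules in compare_findings(IMAGE_RESULTS, BASELINE_RESULTS).items():
        print(f"{bucket}: {', '.join(rules) or '-'}")
```

The `image_only` bucket is the list of discrepancies the methodology above says must be addressed or justified.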

Scan results by release

Release Notes

21.04.412

Scan results for the "Hamilton" major release 21.04 (21.04.412).

20.12.541

Scan results for the second update to the 20.12 (20.12.531) release.