Using Qualys Policy Compliance to Scan Docker
The Qualys Policy Compliance module can be used to scan Docker technology.
The requirements to scan Docker are:
- The system(s) running docker must be registered under host assets.
- The Operating System(s) must have an authentication record.
- A Docker application authentication record must be created.
- An asset group or tag containing the target system must exist; either create a new one or use an existing one.
- The Docker Policy must be imported from the policy library.
- The target must then be scanned.
Setting up Policy Compliance for Docker Scanning
Docker can run on a standalone machine (e.g. RedHat 7, MacOS, etc.) or in a cloud environment (e.g. AWS).
- Complete and verify the docker install as documented on the docker project pages.
In Qualys Policy Compliance
- Under Assets → Host Assets, register the ip address(es) of the host(s) running docker.
- An existing asset group may be used that contains the system running docker.
Optional: Under Assets → Asset Groups, create an asset group for the systems running docker.
Authentication Record Setup
- If an authentication record for the operating system has not been set up for the host running Docker, set up that record before proceeding under Scans →
Account access requirements are available under Help/Resources in the Qualys UI. The account that is used requires root-equivalent access on Linux/Unix systems and Administrator-equivalent access on Windows systems.
- Under Scans → Authentication, setup an application authentication record for docker.
- In the Docker authentication record, the minimum information required is the IP addresses of the systems with Docker installed.
Import the policy
- In the Policy Library: Under Policies → Policies → New → Policy → Import from Library
- Select Docker 1.x under the Technology category.
- Select the policy that is suitable for your organization and click Next.
- Name the Policy to your organization’s standards.
- Verify that the boxes are checked to:
  - import as unlocked
  - activate the policy
- Click Create.
- Once the Policy has been created, click Edit under Asset Groups, and add the asset group that contains the systems running Docker to your policy.
- Save the Policy.
Scan the asset
- Once the policy is saved, a scan of the asset group or of the individual host running Docker may be run.
- For this example, the host Docker is running on is RedHat Linux. In the scan results of the Policy Compliance scan, we are looking for the two entries below to demonstrate successful OS and Docker authentication.
Run a Report
- An existing report template may already be established for your organization. If not, set up a report template: Reports → Create a new policy template. The default template includes the controls with Pass, Fail and Error status, with the detail of each control.
- Under Reports → Reports, select New → Compliance Report → Policy Report.
- Enter an appropriate title for the report, then select the report template, the report format and the Docker policy.
- Click Run.