Table of Contents


Every release of Prisma Cloud Compute we perform an SCAP scan of the Console and Defender images and post the results here. This process is based upon the U.S. Air Force’s Platform 1 "Repo One" OpenSCAP scan of the Prisma Cloud Compute images. We then compare the scan results to IronBank’s latest approved UBI8-minimal scan findings, any discrepancies are addressed or justified and the results are posted here.
The scanning process is as follows:
  1. Build RedHat Enterprise Linux server
  2. Install openscap-utils package
  3. Pull the latest SCAP content from the Compliance as Code GitHub repository.
    Download the most current binary archive from the repository releases page, eg - the scap-security-guide-<latest version>.tar.bz2 or scap-security-guide-<latest version>.zip files. The source file archives require additional build steps before they can be used to scan an image.
    Once the archive file has been downloaded, expand it to create the subdirectory scap-security-guide-<latest version>. For example, if the current version is 0.1.67, the files will be unpacked to scap-security-guide-0.1.67.
  4. Scan the Console and Defender images
    oscap-podman <imageID> xccdf eval \ --fetch-remote-resources \ --profile xccdf_org.ssgproject.content_profile_stig \ --report scan_report_name.html scap-security-guide-<latest version>/ssg-rhel8-ds.xml
  5. Compare findings against the IronBank daily issued UBI8-minimal image.

Recommended For You