🧹 Improving Linux policies to fit for Container images as well

[HRouhani]

No description provided.

[HRouhani]

The following script runs the mondoo-linux-security.mql.yaml for all container Images and saves the results. At the moment, we made sure that none of the tests face with Errors on any Images:

#!/bin/bash

cnspec_path="/cnspec/cnspec-11.0.3"
mql_file="mondoo-linux-security.mql.yaml"

# List of container images
declare -a containers=(
    "alpine:3.16"
    "alpine:3.17"
    "alpine:3.18"
    "alpine:3.19"
    "almalinux:8.9"
    "almalinux:9.3"
    "amazonlinux:2"
    "amazonlinux:2023"
    "centos:7"
    "centos:8"
    "debian:7"
    "debian:8"
    "debian:9"
    "debian:10"
    "debian:11"
    "debian:12"
    "fedora:37"
    "fedora:38"
    "fedora:39"
    "fedora:40"
    "opensuse/leap:15.5"
    "opensuse/leap:42.3"
    "opensuse/tumbleweed"
    "oraclelinux:8.9"
    "oraclelinux:9"
    "photon:3.0"
    "photon:4.0"
    "photon:5.0"
    "registry.access.redhat.com/ubi7/ubi-minimal:7.9-1313"
    "registry.access.redhat.com/ubi8/ubi:8.0-122"
    "registry.access.redhat.com/ubi8/ubi:8.9-1107"
    "rockylinux:8.9"
    "rockylinux:9.3"
    "registry.suse.com/bci/bci-base:15.5"
    "registry.suse.com/suse/sles12sp5:6.5.559"
    "ubuntu:14.04"
    "ubuntu:16.04"
    "ubuntu:18.04"
    "ubuntu:20.04"
    "ubuntu:22.04"
)

# Loop through the containers and run the scan
for container in "${containers[@]}"
do
    #echo "Scanning $container" >> scan-results-new3.txt
    #$cnspec_path scan container "$container" -f $mql_file | grep '! Error:' >> scan-results-new3.txt
    $cnspec_path scan container "$container" -f $mql_file  >> scan-results-new4.txt
done

Next step would be to improving the tests itself and tune it for container images!

[chris-rock]

Thank you @HRouhani