Skip to main content
Minimus offers hardened images following STIG guidelines for enhanced security. STIG stands for DISA’s Security Technical Implementation Guides (STIGs). You can filter for STIG compliant containers in the Minimus gallery.

Verify Security Content Automation Protocol (SCAP)

You can use OpenSCAP tools to validate the configuration of your container images and review the configuration of the image file system. The toolset is also used to perform interactive checks by executing commands against running containers.

How to verify STIG compliance for Minimus images

You can use OpenSCAP tooling to scan Minimus images and containers and verify their STIG compliance.
1

Set up OpenSCAP

If you already have OpenSCAP installed, you can skip ahead to the next step. Otherwise, follow the OpenSCAP guide to install the tool locally.Platform-specific instructions are provided for Debian, Ubuntu, RHEL 7, Fedora, and other distributions.Recent OpenSCAP updates require installation of the specific package openscap-utils and not the openscap-scanner referenced in the above guide. Use your relevant OS package manager to install the openscap-utils package.For Ubuntu/Debian: sudo apt-get install openscap-utilsFor RHEL: sudo yum install openscap-utils
2

Download the Data Stream file

The data stream module (ds) is provided by Minimus and used to automatically validate the image or container. Download the file from this link - ssg-minimus-gpos-ds.xmlFor good measure, verify the file:
oscap info ssg-minimus-gpos-ds.xml
You should see a printout of file details, beginning with Document type: Source Data Stream and version information.
3

Scan a container or an image

Use the oscap-podman tool to perform offline scanning - the scan mounts the filesystem of the container in read-only mode to a directory on the host. This allows OpenSCAP to assess the container from the host without installing an agent in the container or altering it in any way.
sudo oscap-podman reg.mini.dev/nginx xccdf eval \
--results ./scan-results.xml \
--report ./scan-report.html \
ssg-minimus-gpos-ds.xml
  • --results indicates where to place the XML formatted report
  • --report indicates where to place the HTML report
  • The data stream location points to the location of the SCAP source data stream file
Note that oscap-docker isn’t available on Fedora and on Red Hat Enterprise Linux 8 or newer. For those systems, use oscap-podman instead.
Use image when scanning container images directly, and container when scanning running containers. For most use cases, scanning images is preferred as it doesn’t require a running container.
4

Interpret your results

The test outputs two files: An XML report and an HTML page. You can use either to review your results.

XCCDF Format

The eXtensible Configuration Checklist Description Format is part of the SCAP standard. OpenSCAP tooling uses XCCDF to automate compliance and configuration remediation. XCCDF STIG reports can be viewed in dedicated viewing tools endorsed by the DoD. Currently, STIG Viewer 3 is the most up to date. The relevant style sheet is bundled with the STIG. (Link to download the STIG Viewer.)