Minimus offers hardened images following STIG guidelines for enhanced security. STIGs are Security Technical Implementation Guides published by the Defense Information Systems Agency (DISA). You can filter for STIG compliant containers in the Minimus gallery.

Verify Security Content Automation Protocol (SCAP)

OpenSCAP tools are the recommended toolset for validating the configuration of container images and reviewing the configuration of an image file system. For ease of use, Minimus provides a hardened OpenSCAP image that always includes the most up-to-date package version for all of the included packages and dependencies. Use the Minimus OpenSCAP image to scan your Docker images and containers without the need to install OpenSCAP locally. This image comes preloaded with a Minimus STIG file for security and compliance assessments.

How to verify STIG compliance for Minimus images

To test the Minimus OpenSCAP image, follow the steps below to scan an image by way of its file system.
A Docker runtime is required as a prerequisite for running the Minimus OpenSCAP Docker image.

1. Download OpenSCAP from Minimus

Authenticate to the Minimus registry with your token. Visit the token page in your Minimus console to copy the command with your embedded token. The command has the following form (token redacted):
docker login reg.mini.dev -u minimus -p mini_***
Pull the OpenSCAP latest image from the Minimus registry:
docker pull reg.mini.dev/openscap:latest
2. Download the Data Stream file

The data stream (ds) file is provided by Minimus and is used to validate the image or container automatically. Download the file ssg-minimus-gpos-ds.xml from the Minimus public GitHub repo. To pull the file locally:
curl -O https://raw.githubusercontent.com/minimusio/examples/main/STIG/ssg-minimus-gpos-ds.xml
Before scanning, verify that the file is a valid source data stream:
docker run --user root \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v "$PWD/ssg-minimus-gpos-ds.xml:/ssg-minimus-gpos-ds.xml:ro" \
  --entrypoint "" \
  reg.mini.dev/openscap \
  /usr/bin/oscap info /ssg-minimus-gpos-ds.xml
You should see a printout of file details, beginning with Document type: Source Data Stream and version information.
3. Create a directory for the scan results

mkdir -p "$PWD/openscap_results"
Change the directory ownership to match the container’s UID to grant the OpenSCAP container write access:
sudo chown 1000:1000 "$PWD/openscap_results"
4. Pull the image to be scanned

Pull the image you plan to scan from the Minimus registry, for example:
docker pull reg.mini.dev/nginx-fips:latest
5. Run the OpenSCAP scan

Use the oscap-docker tool from the Minimus-provided image to perform an offline scan of the pulled image:
docker run --user root \
  -v "$PWD/ssg-minimus-gpos-ds.xml:/ssg-minimus-gpos-ds.xml:ro" \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v "$PWD/openscap_results:/output" \
  --entrypoint "" \
  reg.mini.dev/openscap \
  /usr/bin/oscap-docker image reg.mini.dev/nginx-fips:latest -- \
    xccdf eval \
    --profile "xccdf_basic_profile_.check" \
    --results /output/scan-results.xml \
    --report  /output/report.html \
    /ssg-minimus-gpos-ds.xml
  • --results sets the path of the XCCDF results file (XML)
  • --report sets the path of the HTML report
  • The final argument is the path of the SCAP source data stream file inside the container

6. Interpret your results

The scan outputs two files: an XML results file and an HTML report. You can use either to review your results.

XCCDF Format

The eXtensible Configuration Checklist Description Format is part of the SCAP standard. OpenSCAP tooling uses XCCDF to automate compliance checking and configuration remediation. XCCDF STIG reports can be viewed in dedicated viewing tools endorsed by the DoD; STIG Viewer 3 is currently the most up-to-date. The relevant style sheet is bundled with the STIG. (Link to download the STIG Viewer.)
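The XML results file written by --results is an XCCDF document: the Benchmark's Rule elements carry the rule ids and severities, and a TestResult element at the end holds one rule-result per evaluated rule. The following script, added here as an example and not part of the Minimus tooling, summarizes such a file: it counts rule results by state, lists failed rules with their severity, and explains the exit code that oscap xccdf eval returns (0 all rules passed, 1 tool error, 2 at least one rule failed). The embedded SAMPLE_RESULTS document is constructed for illustration; its rule ids are not from the Minimus data stream.

```python
"""Summarize an OpenSCAP XCCDF results file (the --results output of
`oscap xccdf eval`).  Added example, not Minimus tooling."""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Exit codes of `oscap xccdf eval` as documented in the oscap manual.
EXIT_MEANING = {
    0: "all evaluated rules passed",
    1: "oscap error: the scan did not complete, inspect stderr",
    2: "scan completed, at least one rule failed",
}

# Constructed sample; the rule ids below are illustrative, not real STIG ids.
SAMPLE_RESULTS = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_sample">
  <Group id="xccdf_example_group_sample">
    <Rule id="xccdf_example_rule_no_setuid" severity="high"><title>No setuid binaries</title></Rule>
    <Rule id="xccdf_example_rule_no_login_shell" severity="medium"><title>No login shell</title></Rule>
    <Rule id="xccdf_example_rule_banner" severity="low"><title>Login banner</title></Rule>
  </Group>
  <TestResult id="xccdf_example_testresult_sample">
    <rule-result idref="xccdf_example_rule_no_setuid"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_no_login_shell"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_banner"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""


def summarize_results(xml_text: str) -> dict:
    """Return result counts per state and the failed rules with their severity."""
    root = ET.fromstring(xml_text)
    # Severity lives on the Rule definition, not on the rule-result element.
    severity = {
        rule.get("id"): rule.get("severity", "unknown")
        for rule in root.iter(f"{{{XCCDF_NS}}}Rule")
    }
    counts: Counter = Counter()
    failed = []
    for rule_result in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        state = rule_result.findtext("x:result", namespaces=NS)
        counts[state] += 1
        if state == "fail":
            rule_id = rule_result.get("idref")
            failed.append((rule_id, severity.get(rule_id, "unknown")))
    return {"counts": dict(counts), "failed": failed}


def pass_rate(counts: dict) -> float:
    """Simple pass percentage over pass+fail only (notapplicable, notselected
    and notchecked are excluded).  This is not the XCCDF default scoring model."""
    evaluated = counts.get("pass", 0) + counts.get("fail", 0)
    if evaluated == 0:
        return 0.0
    return round(100.0 * counts.get("pass", 0) / evaluated, 1)


def explain_exit_code(code: int) -> str:
    """Map the oscap process exit status to a human-readable meaning."""
    return EXIT_MEANING.get(code, f"unexpected exit code {code}")


def main(argv: list) -> int:
    # Usage: python summarize_xccdf.py openscap_results/scan-results.xml
    xml_text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_RESULTS
    summary = summarize_results(xml_text)
    for state, n in sorted(summary["counts"].items()):
        print(f"{state:15s} {n}")
    print(f"pass rate: {pass_rate(summary['counts'])}%")
    for rule_id, sev in summary["failed"]:
        print(f"FAIL [{sev}] {rule_id}")
    return 2 if summary["failed"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the file produced in step 5 (openscap_results/scan-results.xml) to get a quick triage list before opening the HTML report; without an argument it runs on the constructed sample. Because oscap itself exits with status 2 when any rule fails, a CI job that wraps the docker run command from step 5 should treat exit code 2 as "scan completed with findings" and only exit code 1 as a tooling failure.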