Starting with Red Hat Enterprise Linux 8.7 and 9.1, image builder offers an easy way to embed containers. RHEL image builder works at build time and allows for containerized applications or services to be baked in, making the resulting images near production-ready. Furthermore, the image builder team worked with the OpenSCAP team to deliver security-hardened images. The OpenSCAP project provides security guidelines and baselines for securing images. This integration uses existing OpenSCAP tooling to run security remediation during the image build process.

How to embed the container

Containers can now be embedded into images at build time. The source of the container can be specified in the blueprint with the following:

source = "registry.access.redhat.com/ubi9:latest"
name = “rhel-9”
tls-verify = true

This will download the container referred to by the source and add it to the image’s container registry. Of course you can use your own custom-built container image that provides the application or service you want to deploy.

If the registry you are pulling from requires authentication, the credentials can be provided by configuring the worker to read them from a containers-auth file. Create a containers-auth.json file and add the following to /etc/osbuild-worker/osbuild-worker.toml:

auth_file_path = "/etc/osbuild-worker/containers-auth.json"

The containers-auth.json file can be conveniently generated with Podman using the following command:

podman login --authfile=/etc/osbuild-worker/container-auth.json REGISTRY

Refer to our guides for more information.

Use OpenSCAP remediation at build time

The reason for remediating the image during build time is to streamline the process by producing images that are security hardened and compliant out of the box.

Once an image has been built, it is difficult to ensure that it is security compliant. For example, the volumes would need to be repartitioned to verify that certain mount points are mounted to separate partitions. But if we remediate during the image build, we will already know that the partitions meet the criteria for a security benchmark.

How to use the oscap tool

OpenSCAP remediations can be enabled with customization options in the image builder blueprint. To get started, add customizations to the blueprint. The oscap command-line tool can assist in generating the following customizations:

profile_id = "xccdf_org.ssgproject.content_profile_cis" 
datastream = "/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml"

In the customization, the profile is the CIS security benchmark. The data stream is the file that contains all the security rules and the remediation instructions.

Wrap up

We explained how image builder has improved and demonstrated how to remediate a RHEL 8.7 image. Refer to our guides for supported distros and security profiles. Once the image has been created, you can boot it up. If desired, you can scan it again using the oscap tool to see the results or generate a report for profile compliance.

Feel free to comment below if you have questions. We welcome your feedback.