This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Policy Packs

Introduction

Anchore Enterprise provides pre-built policy packs to scan for the following compliance frameworks:

1 - FedRAMP

Throughout this guide, we break down the deployment and configuration of the FedRAMP policy with the following sections:

Current FedRAMP policy pack version: Anchore FedRAMP v5 Checks v20241001

Introduction

FedRAMP (Federal Risk and Authorization Management Program) is a standardized approach for assessing, authorizing, and monitoring cloud service providers (CSPs) that provide service to federal agencies. Through a rigorous and comprehensive process, FedRAMP ensures that CSPs meet security standards by providing a baseline set of security controls in order to enhance the overall security for federal information systems.

Anchore’s FedRAMP policy validates whether container images scanned by Anchore Enterprise are compliant with the FedRAMP Vulnerability Scanning Requirements and also validates them against FedRAMP controls specified in NIST 800-53 Rev 5 and NIST 800-190.

Anchore’s FedRAMP policy only checks for specification requirements relevant to software supply chain security.

Anchore’s FedRAMP policy checks for the following specifications:

  • AC-6(10) ACCESS CONTROL: Prevent Non-Privileged Users from Executing Privileged Functions
  • CM-2(2), CM-3(1), CM-6 CONFIGURATION MANAGEMENT: Baseline Configuration | Configure Systems and Components for High-risk Areas
  • CM-10 CONFIGURATION MANAGEMENT: Software Usage Restrictions
  • CM-5(5) CONFIGURATION MANAGEMENT: Access Restrictions for Change | Privilege Limitation for Production and Operation
  • CM-7(1) CONFIGURATION MANAGEMENT: Least Functionality - Network Port Exposure Checks
  • CM-7(5), CM-8(3) CONFIGURATION MANAGEMENT: Least Functionality - Container Image Build Content Checks
  • IA-05(7) IDENTIFICATION AND AUTHENTICATION: Authenticator Management | No Embedded Unencrypted Static Authenticators
  • RA-5, SI-02(2) RISK ASSESSMENT: Vulnerability Monitoring and Scanning
  • SC-5 SYSTEM AND COMMUNICATIONS PROTECTION: Denial-of-Service Protection

Enabling the FedRAMP Policy

  1. If you are an Anchore Enterprise customer, you will receive an email, which includes a json file for the specific FedRAMP policy that comes with your service.

  2. Navigate to the Policies tab in Anchore Enterprise and click on the ‘Import Policy’.

    fedramppolicy

  3. Drag and drop, or paste the .json file to import the policy into Anchore Enterprise.

    import

    Or run the following command using AnchoreCTL

    # anchorectl policy add --input FedRAMP_policy_pack_json_file
    ✔ Added policy                                                                                                                         
    Name: Anchore FedRAMP v5 Checks
    Policy Id: 1346c770-c49b-46be-b8f0-961ee40afbc3
    Active: false
    Updated: 2024-05-01T21:09:41Z
    
  4. After a successful import, the FedRAMP policy will be available in the Policies tab.

    fedramplist

    Or run the following command using AnchoreCTL

    # anchorectl policy list
    ✔ Fetched policies
    ┌───────────────────────────┬──────────────────────────────────────┬────────┬──────────────────────┐
    │ NAME                      │ POLICY ID                            │ ACTIVE │ UPDATED              │
    ├───────────────────────────┼──────────────────────────────────────┼────────┼──────────────────────┤
    │ Default policy            │ 2c53a13c-1765-11e8-82ef-23527761d060 │ true   │ 2024-04-25T18:21:54Z │
    │ Anchore FedRAMP v5 Checks │ 1346c770-c49b-46be-b8f0-961ee40afbc3 │ false  │ 2024-04-25T18:23:10Z │
    └───────────────────────────┴──────────────────────────────────────┴────────┴──────────────────────┘
    

    In order to activate the FedRAMP policy, simply click on the circle under ‘Active’.

    fedrampactive1

    Once activated, you will see that the FedRAMP policy is highlighted in green.

    fedrampactive2

    Or run the following command using AnchoreCTL

    # anchorectl policy activate 1346c770-c49b-46be-b8f0-961ee40afbc3 
    ✔ Activate policy
    Name: Anchore FedRAMP v5 Checks
    Policy Id: 1346c770-c49b-46be-b8f0-961ee40afbc3
    Active: true
    Updated: 2024-04-25T18:30:24Z
    
  5. Navigate to the Image tab in Anchore Enterprise and you will now be able to evaluate an image with the FedRAMP policy.

    poicyUI

    Or run the following command using AnchoreCTL

    As an example, we will add a centos image and evaluate it using the FedRAMP policy. please give it some time for Anchore to analyze the image when added

    # anchorectl image add docker.io/centos:latest --wait
    ✔ Added Image                                                                                                                docker.io/centos:latest
    ✔ Analyzed Image                                                                                                             docker.io/centos:latest
    Image:
      status:           analyzed (active)
      tag:              docker.io/centos:latest
      digest:           sha256:a1801b843b1bfaf77c501e7a6d3f709401a1e0c83863037fa3aab063a7fdb9dc
      id:               5d0da3dc976460b72c77d94c8a1ad043720b0416bfc16c52c45d4847e53fadb6
      distro:           centos@8 (amd64)
      layers:           1
    

    To apply the active FedRAMP policy and see all the details of violation:

    #anchorectl image check docker.io/centos:latest --detail
    

    To apply the active FedRAMP policy and get a simple pass/fail check:

    #anchorectl image check -f docker.io/centos:latest
    ✔ Evaluated against policy                  [failed]                                                                         docker.io/centos:latest
    Tag: docker.io/centos:latest
    Digest: sha256:a1801b843b1bfaf77c501e7a6d3f709401a1e0c83863037fa3aab063a7fdb9dc
    Policy ID: 1346c770-c49b-46be-b8f0-961ee40afbc3
    Last Evaluation: 2024-04-25T18:40:15Z
    Evaluation: fail
    Final Action: stop
    Reason: policy_evaluation
    error: 1 error occurred:
      * failed policies: 
    

Configuring Rule Sets for the FedRAMP Policy

Some of the control specifications need configuration based on the user’s environment. The control specifications are represented by ‘Rule Sets’ in Anchore Enterprise. Navigate to the Policies tab and click on the ‘Edit’ under ‘Actions’.

It is recommended all configuration changes to rule sets be done in the Anchore Enterprise UI.

rulesets

You will be able to view all the FedRAMP specifications Anchore analyzes for. Under each Rule Set, please edit the ones that require configuration.

As an example, a user may need to change the port configuration for CM-7(1) CONFIGURATION MANAGEMENT, which checks for network port exposures.

editrules

Make sure to go through each of the Rule Sets to configure all applicable specifications. Save and close.

The following rule sets MUST be configured before using the FedRAMP policy:

  • CM-2(2), CM-3(1), CM-6 CONFIGURATION MANAGEMENT: Baseline Configuration | Configure Systems and Components for High-risk Areas
  • CM-10 CONFIGURATION MANAGEMENT: Software Usage Restrictions
  • CM-5(5) CONFIGURATION MANAGEMENT: Access Restrictions for Change | Privilege Limitation for Production and Operation
  • CM-7(1) CONFIGURATION MANAGEMENT: Least Functionality - Network Port Exposure Checks
  • CM-7(5), CM-8(3) CONFIGURATION MANAGEMENT: Least Functionality - Container Image Build Content Checks

2 - NIST

Throughout this guide, we break down the deployment and configuration of the NIST policy with the following sections:

Current NIST 800-53 policy pack version: Anchore NIST 800-53 v20240901

Introduction

The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the U.S Commerce Department that provides industry standards and guidelines to help federal agencies meet requirements set by the Federal Information Security Management Act (FISMA).

Anchore Enterprise scans for the following NIST policies:

  • NIST 800-53
  • NIST 800-190

Anchore also covers NIST 800-218 (SSDF) with the SSDF Attestation Form Guide and Evidence document, which includes evidence-based artifacts for an official SSDF Attestation Form submission. To learn more, click here.

NIST 800-53 provides guidelines to ensure the security of information systems used within the federal government. In order to maintain the integrity, confidentiality and security of federal information systems, NIST 800-53 provides a catalogue of controls in order for federal agencies to meet industry standard and compliance.

Anchore checks for the following control specifications in the NIST 800-53 policy:

  • AC-6(10) Container Image Must Have Permissions Removed from Executables that Allow a User to Execute Software at Higher Privileges
  • CM-6(b) Confidential Data Checks
  • CM-7(1b) Network Port Exposure Checks
  • CM-7(a) Container Image Build Content Checks
  • IA-5(2a) Base Image Checks
  • IA-5(7) Embedded Credentials
  • RA-5 Software Vulnerability Checks
  • SC-5 Image Checks
  • SC-8(2) Base Image Checks
  • SI-2(6) Image Software Update/Layer Checks

NIST 800-190 provides guidelines to ensure the security of application containers used within the federal government. In order to maintain the integrity, confidentiality and security of federal application containers, NIST 800-190 provides a catalogue of controls in order for federal agencies to meet industry standard and compliance.

Anchore checks for the following control specifications in the NIST 800-190 policy:

  • 3.1.1 Image Vulnerabilities
  • 3.1.2 Image Configuration Defects
  • 3.1.3 Embedded Malware
  • 3.1.4 Embedded Clear Text Secrets

Enabling the NIST Policy

For this walkthrough, we will be using the NIST 800-53 policy for demonstration.

  1. If you are an Anchore Enterprise customer, you will receive an email, which includes a json file for the NIST 800-53 policy that comes with your service.

  2. Navigate to the Policies tab in Anchore Enterprise and click on the ‘Import Policy’.

    policies

  3. Drag and drop, or paste the .json file to import the policy into Anchore Enterprise.

    import

    Or run the following command using AnchoreCTL

    # anchorectl policy add --input NIST_800_53_policy_pack.json 
    ✔ Added policy                                                                                                                         
    Name: NIST 800-53
    Policy Id: 5-NIST-800-53-policy
    Active: false
    Updated: 2024-05-01T21:05:36Z
    
  4. After a successful import, the NIST 800-53 policy will be available in the Policies tab.

    nistlist

    Or run the following command using AnchoreCTL

    # anchorectl policy list
    ✔ Fetched policies                                                                                                                     
    ┌────────────────┬──────────────────────────────────────┬────────┬──────────────────────┐
    │ NAME           │ POLICY ID                            │ ACTIVE │ UPDATED              │
    ├────────────────┼──────────────────────────────────────┼────────┼──────────────────────┤
    │ Default policy │ 2c53a13c-1765-11e8-82ef-23527761d060 │ true   │ 2024-05-01T21:03:55Z │
    │ NIST 800-53    │ 5-NIST-800-53-policy                 │ false  │ 2024-05-01T21:05:36Z │
    └────────────────┴──────────────────────────────────────┴────────┴──────────────────────┘
    

    In order to activate the NIST 800-53 policy, simply click on the circle under ‘Active’.

    nistactive1

    Once activated, you will see that the NIST 800-53 policy is highlighted in green.

    nistactive2

    Or run the following command using AnchoreCTL

    # anchorectl policy activate 5-NIST-800-53-policy 
    ✔ Activate policy                                                                                                                      
    Name: NIST 800-53
    Policy Id: 5-NIST-800-53-policy
    Active: true
    Updated: 2024-05-01T21:15:43Z
    
  5. Navigate to the Image tab in Anchore Enterprise and you will now be able to evaluate an image with the NIST 800-53 policy.

    nistui

    Or run the following command using AnchoreCTL

    As an example, we will add a centos image and evaluate it using the NIST 800-53 policy. please give it some time for Anchore to analyze the image when added

    # anchorectl image add docker.io/centos:latest --wait
    ✔ Added Image                                                                                                                docker.io/centos:latest
    ✔ Analyzed Image                                                                                                             docker.io/centos:latest
    Image:
      status:           analyzed (active)
      tag:              docker.io/centos:latest
      digest:           sha256:a1801b843b1bfaf77c501e7a6d3f709401a1e0c83863037fa3aab063a7fdb9dc
      id:               5d0da3dc976460b72c77d94c8a1ad043720b0416bfc16c52c45d4847e53fadb6
      distro:           centos@8 (amd64)
      layers:           1
    

    To apply the active NIST 800-53 policy and see all the details of violation:

    #anchorectl image check docker.io/centos:latest --detail
    

    To apply the active NIST 800-53 policy and get a simple pass/fail check:

    #anchorectl image check -f docker.io/centos:latest
    ✔ Evaluated against policy                  [failed]                                                            docker.io/centos:latest
    Tag: docker.io/centos:latest
    Digest: sha256:a1801b843b1bfaf77c501e7a6d3f709401a1e0c83863037fa3aab063a7fdb9dc
    Policy ID: 5-NIST-800-53-policy
    Last Evaluation: 2024-05-01T21:17:51Z
    Evaluation: fail
    Final Action: stop
    Reason: denylisted
    error: 1 error occurred:
      * failed policies: 
    

Configuring Rule Sets for the NIST 800-53 Policy

Some of the control specifications need configuration based on the user’s environment. The control specifications are represented by ‘Rule Sets’ in Anchore Enterprise. Navigate to the Policies tab and click on the ‘Edit’ under ‘Actions’.

It is recommended all configuration changes to rule sets be done in the Anchore Enterprise UI.

nistrule

You will be able to view all the NIST 800-53 specifications Anchore analyzes for.

As an example, a user may need to change the port configuration for CM-7(1b): Network Port Exposure Checks, which checks for network port exposures.

nistconfig

Make sure to go through each of the Rule Sets to configure all applicable specifications. Save and close.

The following rule sets MUST be configured before using the NIST 800-53 policy:

  • CM-6(b) Confidential Data Checks
  • CM-7(1b) Network Port Exposure Checks
  • CM-7(a) Container Image Build Content Checks

2.1 - SSDF

In February 2021, The National Institute of Standards and Technology (NIST) created NIST SP 800-218, otherwise known as Secure Software Development Framework (SSDF), in response to a new executive order mandated by the federal government.

SSDF provides a comprehensive set of guidelines aimed at integrating security into the software development lifecycle, thereby enhancing the security posture of software products from inception to deployment. To verify and validate that organizations meet the controls needed to be SSDF compliant, CISA created an official SSDF Attestation Form that allows organizations to verify and attest that they adhere to the SSDF guidelines and comply with a subset of security controls.

Purpose

Anchore provides a downloadable document that serves as an evidence attachment for the SSDF Attestation Form. The document makes the assumption Anchore Enterprise is used in the organization’s environment and is configured to scan the software that is in scope for the SSDF Attestation Form.

The SSDF Attestation Form consists of three sections that must be completed. Sections I and II cover organization-specific details, whereas Section III lists requirements against various security controls. The intent of this document is to provide guidance for first time applicants and help organizations save time collecting evidence required for Section III of the SSDF Attestation Form.

Download

Detailed instructions to complete the form can be found on page 1. This document uses the official SSDF Attestation Form as its base template. Once completed, the document can be directly attached to an SSDF Attestation Form submission. Click below to obtain the form:

Download SSDF Attestation Form Guide and Evidence Output

Additional Resources

  1. SSDF Attestation 101: A practical guide for Software Producers - Download eBook
  2. Using the Common Form for SSDF Attestation: What Software Producers Need to Know - Read blog
  3. Automate NIST compliance and SSDF attestation with Anchore Enterprise - Learn more

If you want to contact one of our experts, please contact us.

3 - CIS

Throughout this guide, we break down the deployment and configuration of the CIS policy with the following sections:

Current CIS policy pack version: Anchore CIS Docker Benchmark V1.6.0 v20241001

Introduction

The Center for Internet Security (CIS) provides prescriptive configuration recommendations for a variety of software vendors. Anchore’s CIS policy pack is based off of the CIS Docker 1.6 Benchmark and validates a subset of security and compliance checks against container images deployed on Docker version 1.6.

Anchore checks for the following control specifications in the CIS policy:

  • 4.1 Ensure that a user for the container has been created
  • 4.2 Ensure that containers use only trusted base
  • 4.3 Ensure that unnecessary packages are not installed in the container
  • 4.4 Ensure images are scanned and rebuilt to include security patches
  • 4.6 Ensure that HEALTHCHECK instructions have been added to container images
  • 4.7 Ensure update instructions are not used alone in Dockerfiles
  • 4.8 Ensure setuid and setgid permissions are removed
  • 4.9 Ensure that COPY is used instead of ADD in Dockerfiles
  • 4.10 Ensure secrets are not stored in Dockerfiles
  • 4.11 Ensure only verified packages are installed
  • 5.8 Ensure privileged ports are not mapped within containers

Enabling the CIS Policy

For this walkthrough, we will be using the IronBank policy for demonstration.

  1. If you are an Anchore Enterprise customer, you will receive an email, which includes a json file for the IronBank policy that comes with your service.

  2. Navigate to the Policies tab in Anchore Enterprise and click on the ‘Import Policy’.

    Import-policy

  3. Drag and drop, or paste the .json file to import the policy into Anchore Enterprise.

    Paste-json

    Or run the following command using AnchoreCTL

    # anchorectl policy add --input anchore_dod_iron_bank_security_policies_09212022.json 
    ✔ Added policy                                                                                                                         
    Name: anchore_dod_iron_bank_security_policies_09212022
    Policy Id: 5-DoD-Iron-Bank-Docker
    Active: false
    Updated: 2024-05-03T21:42:53Z
    
  4. After a successful import, the IronBank policy will be available in the Policies tab.

    Iron-bank-policy

    Or run the following command using AnchoreCTL

    # anchorectl policy list
    ✔ Fetched policies                                                                                                                     
    ┌──────────────────────────────────────────────────┬──────────────────────────────────────┬────────┬──────────────────────┐
    │ NAME                                             │ POLICY ID                            │ ACTIVE │ UPDATED              │
    ├──────────────────────────────────────────────────┼──────────────────────────────────────┼────────┼──────────────────────┤
    │ Default policy                                   │ 2c53a13c-1765-11e8-82ef-23527761d060 │ true   │ 2024-05-03T22:04:08Z │
    │ anchore_dod_iron_bank_security_policies_09212022 │ 5-DoD-Iron-Bank-Docker               │ false  │ 2024-05-03T22:04:08Z │
    └──────────────────────────────────────────────────┴──────────────────────────────────────┴────────┴──────────────────────┘
    

    In order to activate the IronBank policy, simply click on the circle under ‘Active’.

    Activate-policy

    Once activated, you will see that the IronBank policy is highlighted in green.

    Or run the following command using AnchoreCTL

    # anchorectl policy activate 5-DoD-Iron-Bank-Docker 
    ✔ Activate policy                                                                                                                      
    Name: anchore_dod_iron_bank_security_policies_09212022
    Policy Id: 5-DoD-Iron-Bank-Docker
    Active: true
    Updated: 2024-05-03T22:07:54Z
    
  5. Navigate to the Image tab in Anchore Enterprise and you will now be able to evaluate an image with the IronBank policy.

    CIS-policy

    Or run the following command using AnchoreCTL

    As an example, we will add a centos image and evaluate it using the IronBank policy. please give it some time for Anchore to analyze the image when added

    # anchorectl image add docker.io/centos:latest --wait
    ✔ Added Image                                                                                                                docker.io/centos:latest
    ✔ Analyzed Image                                                                                                             docker.io/centos:latest
    Image:
    status:           analyzed (active)
    tag:              docker.io/centos:latest
    digest:           sha256:a1801b843b1bfaf77c501e7a6d3f709401a1e0c83863037fa3aab063a7fdb9dc
    id:               5d0da3dc976460b72c77d94c8a1ad043720b0416bfc16c52c45d4847e53fadb6
    distro:           centos@8 (amd64)
    layers:           1
    

    To apply the active IronBank policy and see all the details of violation:

    #anchorectl image check docker.io/centos:latest --detail
    

    To apply the active IronBank policy and get a simple pass/fail check:

    #anchorectl image check -f docker.io/centos:latest
    ✔ Evaluated against policy                  [failed]                                                            docker.io/centos:latest
    Tag: docker.io/centos:latest
    Digest: sha256:a1801b843b1bfaf77c501e7a6d3f709401a1e0c83863037fa3aab063a7fdb9dc
    Policy ID: 5-DoD-Iron-Bank-Docker
    Last Evaluation: 2024-05-03T22:08:52Z
    Evaluation: fail
    Final Action: stop
    Reason: policy_evaluation
    

Configuring Rule Sets for the CIS Policy

Some of the control specifications need configuration based on the user’s environment. The control specifications are represented by ‘Rule Sets’ in Anchore Enterprise. Navigate to the Policies tab and click on the ‘Edit’ under ‘Actions’.

It is recommended all configuration changes to rule sets be done in the Anchore Enterprise UI.

The following rule sets MUST be configured before using the CIS policy:

  • 4.2 Ensure that containers use only trusted base
  • 4.3 Ensure that unnecessary packages are not installed in the container
  • 5.8 Ensure privileged ports are not mapped within containers

4 - DoD

Throughout this guide, we break down the deployment and configuration of the DoD policy with the following sections:

Current IronBank policy pack version: Anchore DoD Iron Bank v20241001
Current DISA policy pack version: Anchore DISA Image Creation and Hardening Guide v20241001

Introduction

Anchore Enterprise scans for the following DoD policies:

  • DISA Image Creation and Deployment Guide
  • IronBank

Being part of the Department of Defense (DoD), Defense Information Systems Administration (DISA) is the agency that provides IT and communications support to both the US government and federal organizations. The DISA Image Creation and Deployment Guide Policy provides security and compliance checks that align with specific NIST 800-53 and NIST 800-190 security controls and requirements as described in the DoD Container Image Creation and Deployment Guide.

Anchore checks for the following control specifications in the DISA policy:

  • AC6(10) Container Image Must Have Permissions Removed from Executables that Allow a User to Execute Software at Higher Privileges
  • CM-6(b) Confidential Data Checks
  • CM-7(1b) Network Port Exposure Checks
  • CM-7(a) Container Image Build Content Checks
  • IA-5(2a) Base Image Checks
  • IA-5(7) Embedded Credentials
  • RA-5 Software Vulnerability Checks
  • SC-5 Image Checks
  • SC-8(2) Base Image Checks
  • SI-2(6) Image Software Update/Layer Checks

The DoD IronBank policy validates images against DoD security and compliance requirements in alignment with U.S. Air Force security standards at Platform One and IronBank. The IronBank policy has been written in accordance to the following DoD documentation.

  • Dockerfile Checks
  • User Checks
  • File Checks
  • Istio Checks
  • Software Checks
  • Transfer Protocol Checks
  • Node.js Checks
  • Etcd Checks
  • Snort Checks
  • Jenkins Checks
  • Grafana Checks
  • UBI7 Checks
  • Chef Checks
  • Sonarqube Checks
  • Prometheus Checks
  • Postgres Checks
  • Nginx Checks
  • OpenJDK Checks
  • Twistlock Checks
  • Keycloak Checks
  • Fluentd Checks
  • Elasticsearch Checks
  • Kibana Checks
  • Redis Checks
  • Apache HTTP Checks
  • Apache Tomcat Checks

Enabling the DoD Policy

For this walkthrough, we will be using the IronBank policy for demonstration.

  1. If you are an Anchore Enterprise customer, you will receive an email, which includes a json file for the IronBank policy that comes with your service.

  2. Navigate to the Policies tab in Anchore Enterprise and click on the ‘Import Policy’.

    policies

  3. Drag and drop, or paste the .json file to import the policy into Anchore Enterprise.

    importdod

    Or run the following command using AnchoreCTL

    # anchorectl policy add --input anchore_dod_iron_bank_security_policies_09212022.json 
    ✔ Added policy                                                                                                                         
    Name: anchore_dod_iron_bank_security_policies_09212022
    Policy Id: 5-DoD-Iron-Bank-Docker
    Active: false
    Updated: 2024-05-03T21:42:53Z
    
  4. After a successful import, the IronBank policy will be available in the Policies tab.

    dodlist

    Or run the following command using AnchoreCTL

    # anchorectl policy list
    ✔ Fetched policies                                                                                                                     
    ┌──────────────────────────────────────────────────┬──────────────────────────────────────┬────────┬──────────────────────┐
    │ NAME                                             │ POLICY ID                            │ ACTIVE │ UPDATED              │
    ├──────────────────────────────────────────────────┼──────────────────────────────────────┼────────┼──────────────────────┤
    │ Default policy                                   │ 2c53a13c-1765-11e8-82ef-23527761d060 │ true   │ 2024-05-03T22:04:08Z │
    │ anchore_dod_iron_bank_security_policies_09212022 │ 5-DoD-Iron-Bank-Docker               │ false  │ 2024-05-03T22:04:08Z │
    └──────────────────────────────────────────────────┴──────────────────────────────────────┴────────┴──────────────────────┘
    

    In order to activate the IronBank policy, simply click on the circle under ‘Active’.

    dodactive1

    Once activated, you will see that the IronBank policy is highlighted in green.

    dodactive2

    Or run the following command using AnchoreCTL

    # anchorectl policy activate 5-DoD-Iron-Bank-Docker 
    ✔ Activate policy                                                                                                                      
    Name: anchore_dod_iron_bank_security_policies_09212022
    Policy Id: 5-DoD-Iron-Bank-Docker
    Active: true
    Updated: 2024-05-03T22:07:54Z
    
  5. Navigate to the Image tab in Anchore Enterprise and you will now be able to evaluate an image with the IronBank policy.

    uidod

    Or run the following command using AnchoreCTL

    As an example, we will add a centos image and evaluate it using the IronBank policy. please give it some time for Anchore to analyze the image when added

    # anchorectl image add docker.io/centos:latest --wait
    ✔ Added Image                                                                                                                docker.io/centos:latest
    ✔ Analyzed Image                                                                                                             docker.io/centos:latest
    Image:
    status:           analyzed (active)
    tag:              docker.io/centos:latest
    digest:           sha256:a1801b843b1bfaf77c501e7a6d3f709401a1e0c83863037fa3aab063a7fdb9dc
    id:               5d0da3dc976460b72c77d94c8a1ad043720b0416bfc16c52c45d4847e53fadb6
    distro:           centos@8 (amd64)
    layers:           1
    

    To apply the active IronBank policy and see all the details of violation:

    #anchorectl image check docker.io/centos:latest --detail
    

    To apply the active IronBank policy and get a simple pass/fail check:

    #anchorectl image check -f docker.io/centos:latest
    ✔ Evaluated against policy                  [failed]                                                            docker.io/centos:latest
    Tag: docker.io/centos:latest
    Digest: sha256:a1801b843b1bfaf77c501e7a6d3f709401a1e0c83863037fa3aab063a7fdb9dc
    Policy ID: 5-DoD-Iron-Bank-Docker
    Last Evaluation: 2024-05-03T22:08:52Z
    Evaluation: fail
    Final Action: stop
    Reason: policy_evaluation
    

Configuring Rule Sets for the DoD Policy

Some of the control specifications need configuration based on the user’s environment. The control specifications are represented by ‘Rule Sets’ in Anchore Enterprise. Navigate to the Policies tab and click on the ‘Edit’ under ‘Actions’.

It is recommended all configuration changes to rule sets be done in the Anchore Enterprise UI.

The IronBank policy does not need any configuration changes for the Rule Sets. However, the DISA policy will need configuration changes for certain specifications.

As an example, a user may need to change the port configuration for CM-7(1b): Network Port Exposure Checks, which checks for network port exposures.

editdod

Make sure to go through each of the Rule Sets to configure all applicable specifications. Save and close.

The following rule sets MUST be configured before using the DISA policy pack:

  • CM-6(b) Confidential Data Checks
  • CM-7(1b) Network Port Exposure Checks
  • CM-7(a) Container Image Build Content Checks

5 - Secure

The default Secure policy pack comes included (and enabled) in every fresh deployment of Anchore Enterprise.

Current Secure policy pack version: Anchore Enterprise - Secure v20241001

Introduction

Anchore’s default Secure policy pack includes standard vulnerability and system-level checks and can be used against an image SBOM for policy compliance based on the policy actions configured in each rule. All the rules that are configured by default can (and should) be adjusted acccording to an organization’s security policy.

Anchore checks for the following control specifications in the Secure policy:

  • Feed Data not available Fail if feed data is unavailable
  • Outdated Feed Data Warn if feed data is more than 2 days old. This value can be adjusted based on internal requirements (Available for both Container and Source)
  • Warn on low and moderate with fixes Warn when there are low and medium severity vulnerabilities found that also have a fix present (Available for both Container and Source)
  • Warn on week old Important Warn when there are important severity vulnerabilities found that are more than a week old (Available for both Container and Source)
    “Important” indicates the severity of a vulnerability. By default, it is set to “High” but this can be configured in the policy rule set
  • Fail on criticals Fail when there are critical severity vulnerabilities present (Available for both Container and Source)