Anchore STIG
The Anchore Enterprise STIG capability requires an additional license entitlement. Please contact Anchore Customer Success for more information.
The Anchore STIG for Container Images feature is intended to allow users to perform STIG evaluations against container images and then
manage them from within Anchore Enterprise.
The Anchore STIG for Kubernetes Containers feature is intended to allow users to perform STIG evaluations against running containers in a
Kubernetes deployment.
Anchore STIG for Container Images
The Anchore Enterprise STIG capability requires an additional license entitlement. Please contact Anchore Customer Success for more information.
Introduction
The Anchore STIG for Container Images feature is intended to allow users to perform STIG evaluations against container images and then
manage them from within Anchore Enterprise. STIG evaluations are generated with an AnchoreCTL workflow, described below:
AnchoreCTL runs the cinc-auditor tool with a specified STIG profile and produces the evaluation.
Prerequisites of running STIG checks locally
AnchoreCTL STIG evaluations are performed locally and as such there are some dependencies that must be present.
- Docker - Install docs
- Cinc Auditor - Install docs
- AnchoreCTL - Install docs
- Anchore Static STIG AddOn entitlement - This is a static entitlement that must be added to your Anchore license and
enabled on your Anchore Enterprise deployment. Please contact your Anchore Customer Success Team to obtain your entitlement.
- The AnchoreCTL instance must be running on a Linux host or a Linux container that has access to the Docker socket.
STIG Profiles
Anchore provides a set of STIG profiles that can be used to perform STIG evaluations against container images.
You may also use any STIG profile that is compatible with cinc-auditor.
Anchore provides the following OS STIG profiles:
- ubi8
- ubi9
- ubuntu2204
- ubuntu2404
Before these profiles can be used, they need to be written to disk in an accessible location for subsequent AnchoreCTL
invocations to reach.
anchorectl stig write-profiles <PATH_TO_WRITE_PROFILES> [--include-experimental]
This can be a one-time operation that writes the profiles to persistent storage for CI use.
For an air-gapped deployment, note that this command requires connectivity to your Anchore Enterprise deployment. The profiles can be
written to disk on a ‘connected’ device and then transferred as needed.
Anchore also provides an option (--include-experimental) to include experimental profiles that are not yet fully supported.
Generating STIG Evaluations
There are two methods of generating a STIG evaluation.
- Image Add Workflow
- Independent STIG evaluation
Managing STIG evaluations
AnchoreCTL provides commands to manage STIG evaluations that have been uploaded to your Anchore Enterprise deployment.
You can list, download, delete and add STIG evaluations for a specific image digest.
Uploading new STIG evaluations can be done using the anchorectl stig docker image add command, which uploads a STIG
evaluation for a specific image digest. If the same profile is used, the new STIG evaluation overwrites the existing one
when the evaluation UUID of the existing evaluation is specified. Example:
anchorectl stig docker image add docker.io/redhat/ubi8:latest@sha256:3e6410626323e6f11af16b28b8e73faa4799fe0dbdb4b1cfbf6f029c34b038f3 ./ubi8-stig-evaluation.json --stig-eval-uuid 12345678-1234-1234-1234-123456789012
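As an added example (not Anchore's own code), a small POSIX shell wrapper that validates the arguments before calling anchorectl stig docker image add: the image reference must be pinned to a sha256 digest and the optional evaluation UUID must be well-formed. STIG_DRY_RUN is this wrapper's own variable, not an anchorectl option.

```shell
#!/bin/sh
# Added example (not Anchore's own code): validate the arguments for
# 'anchorectl stig docker image add' before invoking it, so a CI job fails
# fast on a tag-only reference or a malformed evaluation UUID. Set
# STIG_DRY_RUN=1 (this wrapper's own variable) to print the command only.

# Uploads are keyed by image digest, so a tag-only reference is rejected.
is_digest_ref() {
  printf '%s\n' "$1" | grep -Eq '^[^@[:space:]]+@sha256:[0-9a-f]{64}$'
}

# Evaluation UUIDs are 8-4-4-4-12 hex groups, as in the example above.
is_uuid() {
  printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# build_upload_cmd IMAGE_REF EVAL_JSON [EVAL_UUID]
# Prints the anchorectl command line; returns non-zero on invalid input.
build_upload_cmd() {
  ref=$1; eval_file=$2; uuid=${3:-}
  if ! is_digest_ref "$ref"; then
    echo "error: image reference must be pinned to a sha256 digest: $ref" >&2
    return 1
  fi
  case $eval_file in
    *.json) ;;
    *) echo "error: evaluation must be a .json file: $eval_file" >&2; return 1 ;;
  esac
  cmd="anchorectl stig docker image add $ref $eval_file"
  if [ -n "$uuid" ]; then
    if ! is_uuid "$uuid"; then
      echo "error: malformed evaluation UUID: $uuid" >&2
      return 1
    fi
    # Same profile plus an existing UUID: the upload replaces that evaluation.
    cmd="$cmd --stig-eval-uuid $uuid"
  fi
  printf '%s\n' "$cmd"
}

# upload_stig_eval IMAGE_REF EVAL_JSON [EVAL_UUID]: validate, then run.
upload_stig_eval() {
  cmd=$(build_upload_cmd "$@") || return 1
  [ -r "$2" ] || { echo "error: cannot read $2" >&2; return 1; }
  if [ "${STIG_DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$cmd"
  else
    $cmd  # word-split deliberately: the arguments contain no spaces
  fi
}
```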
STIG Compliance
Anchore Enterprise also provides STIG policy gate and triggers to ensure that your images are compliant. For more
information on how to use the STIG policy gate, please see the
STIG Policy Gate documentation.
STIG Metrics
For monitoring purposes, Anchore Enterprise has included a set of metrics that can be used to monitor STIG evaluations.
- anchore_stig_image_counts - Number of images with STIG evaluations uploaded
- anchore_stig_counts - Total number of STIG evaluations uploaded
For more information on Prometheus metrics, please see the Prometheus documentation.
Anchore STIG for Kubernetes Containers
The Anchore Enterprise STIG capability requires an additional license entitlement. Please contact Anchore Customer Success for more information.
Introduction
The Anchore STIG for Kubernetes Containers feature is intended to allow users to perform STIG evaluations against running containers
in a Kubernetes deployment. STIG evaluations are generated with an AnchoreCTL workflow, described below:
AnchoreCTL runs the cinc-auditor tool with a specified STIG profile and produces the evaluation.
Prerequisites of running STIG checks locally
AnchoreCTL STIG evaluations are performed locally and as such there are some
dependencies that must be present where anchorectl is invoked.
- AnchoreCTL - Install docs
- Cinc Auditor - Install docs
- Cinc Auditor train-k8s-container plugin - Install docs
- Kubectl - Install docs
- A valid KUBECONFIG must be present in the default path $HOME/.kube/config, exposed via the KUBECONFIG
environment variable, or you must be running in a Kubernetes job that has cluster access via a service account
- Anchore Runtime STIG AddOn entitlement - This is a static entitlement that must be added to your Anchore license and
enabled on your Anchore Enterprise deployment. Please contact your Anchore Customer Success Team to obtain your entitlement.
STIG Profiles
Anchore provides a set of STIG profiles that can be used to perform STIG
evaluations against container images. You may also use any STIG profile that is
compatible with cinc-auditor.
Anchore provides the following OS STIG profiles:
- ubi8
- ubi9
- ubuntu2204
- ubuntu2404
Before these profiles can be used, they need to be written to disk in an
accessible location for subsequent AnchoreCTL invocations to reach.
anchorectl stig write-profiles <PATH_TO_WRITE_PROFILES> [--include-experimental]
This can be a one-time operation that writes the profiles to persistent storage for CI use. For
an air-gapped deployment, note that this command requires connectivity to your Anchore
Enterprise deployment. The profiles can be
written to disk on a ‘connected’ device and then transferred as needed.
Anchore also provides an option (--include-experimental) to include experimental profiles that are not
yet fully supported.
Generating STIG Evaluations
In order to generate a STIG evaluation of a Kubernetes container you must call
the anchorectl stig k8s container execute command with the profile you wish to use.
You must provide at minimum the namespace and pod of the container you wish to
evaluate. If a pod contains more than one container, you must also specify
the container with the --container flag.
Example:
anchorectl stig k8s container execute my-namespace my-pod --stig-profile ./stig-profiles/ubi8/anchore-ubi8-disa-stig-1.0.0.tar.gz
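As an added example (not Anchore's own code), a POSIX shell wrapper for the workflow above: it checks that the listed tools are on PATH, resolves cluster access in the three ways the prerequisites list (KUBECONFIG variable, $HOME/.kube/config, or an in-cluster service account token), counts the pod's containers with kubectl, and refuses to run without --container when there is more than one. The service account token path, STIG_DRY_RUN and the function names are this wrapper's own assumptions.

```shell
#!/bin/sh
# Added example (not Anchore's own code): wrap 'anchorectl stig k8s container
# execute' with the prerequisite checks listed above, resolving cluster access
# in the documented order and requiring --container when the pod runs more
# than one container. STIG_DRY_RUN=1 (this wrapper's variable) prints only.

# Token mounted into a pod that runs with a service account (in-cluster job).
SA_TOKEN=/var/run/secrets/kubernetes.io/serviceaccount/token

# Print the credential source that kubectl (and the k8s plugin) will use.
resolve_cluster_access() {
  if [ -n "${KUBECONFIG:-}" ] && [ -r "$KUBECONFIG" ]; then
    echo "kubeconfig:$KUBECONFIG"
  elif [ -r "${HOME:-/nonexistent}/.kube/config" ]; then
    echo "kubeconfig:$HOME/.kube/config"
  elif [ -r "$SA_TOKEN" ]; then
    echo "serviceaccount"
  else
    echo "error: no KUBECONFIG, \$HOME/.kube/config or service account token" >&2
    return 1
  fi
}

# build_execute_cmd NAMESPACE POD PROFILE CONTAINER_COUNT [CONTAINER]
# CONTAINER_COUNT is the number of containers in the pod; when it exceeds
# one, the container name is mandatory, as the text requires.
build_execute_cmd() {
  ns=$1; pod=$2; profile=$3; count=$4; container=${5:-}
  if [ "$count" -gt 1 ] && [ -z "$container" ]; then
    echo "error: pod $ns/$pod has $count containers; pass a container name" >&2
    return 1
  fi
  cmd="anchorectl stig k8s container execute $ns $pod --stig-profile $profile"
  if [ -n "$container" ]; then cmd="$cmd --container $container"; fi
  printf '%s\n' "$cmd"
}

# run_stig_k8s NAMESPACE POD PROFILE [CONTAINER]: full workflow.
run_stig_k8s() {
  for tool in anchorectl cinc-auditor kubectl; do
    command -v "$tool" >/dev/null 2>&1 || { echo "error: $tool not on PATH" >&2; return 1; }
  done
  resolve_cluster_access >/dev/null || return 1
  [ -e "$3" ] || { echo "error: profile not found: $3" >&2; return 1; }
  # Count the pod's containers so the --container rule can be enforced.
  count=$(( $(kubectl get pod -n "$1" "$2" -o jsonpath='{.spec.containers[*].name}' | wc -w) + 0 ))
  cmd=$(build_execute_cmd "$1" "$2" "$3" "$count" "${4:-}") || return 1
  if [ "${STIG_DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$cmd"; else $cmd; fi
}
```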