BigFix Inventory container scanning

cstoneba · April 6, 2021, 3:53pm

I see that this article https://help.hcltechsw.com/bigfix/10.0/inventory/Inventory/planinconf/c_docker_discovery.html discuss how BFI scans docker containers (with some requirements).

Does anyone have any experience in doing this?
Any gotchas other than what’s in the article?
Any support for Kubernetes too?

ssakunala · April 6, 2021, 4:38pm

Kubernetes support has been added with BFI 10.0.1.1 version
https://help.hcltechsw.com/bigfix/10.0/inventory/Inventory/overview/Release_notes.html?hl=kubernetes

cstoneba · April 6, 2021, 5:22pm

So it was, yet the v10 doc has zero results for Kubernetes. I think the v10 doc needs a section called “Discovering software in containers” with a sub for Docker and another for Kubernetes.

cstoneba · April 7, 2021, 4:22pm

My scans are successful against the host but the installed software in the container is not showing up in Software Installations. The host is RHEL 7.9.
Is the requirements saying that only software with a swid tag included will be detected? No package scans results/scanned files from the docker instance will show in BFI?

Requirements
BigFix Inventory discovers software that is installed in Docker containers on condition that:
Only one Docker engine is deployed on the host computer.
The Docker container is deployed on one of the following platforms:
Red Hat Enterprise Linux 7 for x86
Red Hat Enterprise Linux 7 for BigFix 64-bit)
SUSE Linux 12 for x86
The Docker container is running.
The BigFix client is installed on the host computer.
Scans and uploads of their results are enabled on the host computer.
Software that is installed in the Docker container delivers software ID tags.

cstoneba · April 8, 2021, 3:34pm

New enhancement request, please vote - https://bigfix-ideas.hcltechsw.com/ideas/BFINV-I-200

Docker scans only find SWID tags, nothing else.
Kubernetes is only finding the Kubernetes software on the host, no capabilities for scanning the containers.

ITSAM · April 14, 2021, 2:33pm

"To take advantage of container licensing, IBM License Service must be used to track license usage and determine your required entitlement. There are no exceptions to this rule."
https://www.ibm.com/software/passportadvantage/containerlicenses.html

I find it ironic that IBM requires a special discovery/reporting tool that does NOT interface with their asset management system (ICD) and does not work with their discovery tool ILMT. Containers and IBM Cloud Pak are new challenges.

ITSAM · May 2, 2022, 3:39pm

Just wondering if anyone in the last year has successfully implemented BigFix Inventory reporting for Red Hat OpenShift containers.