Security matters a great deal for any product; the well-known Heartbleed bug, for instance, hit many companies that had neglected security hard. As containerization spreads, the problem follows: a 2015 survey found that 30%-40% of the sampled images on Docker Hub had security issues. Anchore is a security-scanning tool built for containers. Much like the feature Docker offers in its paid edition, it performs static vulnerability scanning of application containers and supports whitelists/blacklists and configurable evaluation policies.
Project information
| Item | Details |
|---|---|
| Project URL | https://github.com/anchore/anchore |
| Language | Python |
| License | Apache 2 |
Why use Anchore
As containerization advances, the security of what runs inside containers is receiving more and more attention. Many scenarios call for scanning containers for vulnerabilities, for example:
| Scenario | Details |
|---|---|
| Images of unknown origin | An image downloaded from the internet can be used straight away, which is convenient, but whether it is actually safe is hard to say |
| Production practice | Once containers reach production, where security requirements are usually stricter, their security needs to be assured |
Prerequisites
The dependencies needed to install Anchore as described in this article are listed below.
| Dependency | Details |
|---|---|
| CentOS version | CentOS 7 |
| Docker version | >1.10 |
| epel-release | yum install epel-release |
| rpm-python | yum install rpm-python |
| dpkg | yum install dpkg |
| python-pip | yum install python-pip |
How it works
Anchore scans a container's layers, finds vulnerabilities and raises alerts. Its data comes from the Common Vulnerabilities and Exposures (CVE) database: each Linux distribution generally maintains its own CVE feed, and Anchore matches the packages it finds in the image against that feed to decide whether a vulnerability is present. Heartbleed, for example, is CVE-2014-0160. The cve-scan option of the query command scans an image for CVEs.
Ways to run it
Anchore supports two modes:
| Mode | Description |
|---|---|
| Image | Use the Anchore image |
| Regular install | Install directly with yum, apt, etc. |
Preparation
Docker version
[root@liumiaocn ~]# docker version
Client:
 Version:         1.12.6
 API version:     1.24
 Package version: docker-1.12.6-32.git88a4867.el7.centos.x86_64
 Go version:      go1.7.4
 Git commit:      88a4867/1.12.6
 Built:           Mon Jul 3 16:02:02 2017
 OS/Arch:         linux/amd64

Server:
 Version:         1.12.6
 API version:     1.24
 Package version: docker-1.12.6-32.git88a4867.el7.centos.x86_64
 Go version:      go1.7.4
 Git commit:      88a4867/1.12.6
 Built:           Mon Jul 3 16:02:02 2017
 OS/Arch:         linux/amd64
[root@liumiaocn ~]#
Running Anchore
Step 1: Install Anchore with pip
[root@liumiaocn ~]# pip install anchore
Collecting anchore
  Downloading anchore-1.1.3-py2-none-any.whl (184kB)
    100% |████████████████████████████████| 194kB 45kB/s
Collecting click (from anchore)
  Downloading click-6.7-py2.py3-none-any.whl (71kB)
    100% |████████████████████████████████| 71kB 51kB/s
Requirement already satisfied (use --upgrade to upgrade): pyyaml in /usr/lib64/python2.7/site-packages (from anchore)
Collecting docker-py (from anchore)
  Downloading docker_py-1.10.6-py2.py3-none-any.whl (50kB)
    100% |████████████████████████████████| 51kB 63kB/s
Collecting requests<2.11 (from anchore)
  Downloading requests-2.10.0-py2.py3-none-any.whl (506kB)
    100% |████████████████████████████████| 512kB 44kB/s
Collecting clint (from anchore)
  Downloading clint-0.5.1.tar.gz
Collecting prettytable (from anchore)
  Downloading prettytable-0.7.2.zip
Requirement already satisfied (use --upgrade to upgrade): websocket-client>=0.32.0 in /usr/lib/python2.7/site-packages (from docker-py->anchore)
Requirement already satisfied (use --upgrade to upgrade): backports.ssl-match-hostname>=3.5; python_version < "3.5" in /usr/lib/python2.7/site-packages (from docker-py->anchore)
Requirement already satisfied (use --upgrade to upgrade): ipaddress>=1.0.16; python_version < "3.3" in /usr/lib/python2.7/site-packages (from docker-py->anchore)
Requirement already satisfied (use --upgrade to upgrade): six>=1.4.0 in /usr/lib/python2.7/site-packages (from docker-py->anchore)
Requirement already satisfied (use --upgrade to upgrade): docker-pycreds>=0.2.1 in /usr/lib/python2.7/site-packages (from docker-py->anchore)
Collecting args (from clint->anchore)
  Downloading args-0.1.0.tar.gz
Installing collected packages: click, requests, docker-py, args, clint, prettytable, anchore
  Found existing installation: requests 2.11.1
    Uninstalling requests-2.11.1:
      Successfully uninstalled requests-2.11.1
  Running setup.py install for args ... done
  Running setup.py install for clint ... done
  Running setup.py install for prettytable ... done
Successfully installed anchore-1.1.3 args-0.1.0 click-6.7 clint-0.5.1 docker-py-1.10.6 prettytable-0.7.2 requests-2.10.0
You are using pip version 8.1.2, however version 9.0.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
[root@liumiaocn ~]#
Step 2: Confirm the installed version
[root@liumiaocn ~]# anchore --version
anchore, version 1.1.3
[root@liumiaocn ~]#
Step 3: Initialize the Anchore database
With the feeds sync command you can watch Anchore pull the CVE and related data for the various Linux distributions into its database:
[root@liumiaocn ~]# anchore feeds sync
syncing data for subscribed feed (vulnerabilities) ...
syncing group data: debian:unstable: ...
skipping group data: ubuntu:16.04: ...
skipping group data: centos:6: ...
skipping group data: centos:7: ...
skipping group data: centos:5: ...
skipping group data: ubuntu:14.10: ...
skipping group data: ubuntu:15.04: ...
skipping group data: debian:9: ...
syncing group data: debian:8: ...
syncing group data: ubuntu:12.04: ...
syncing group data: debian:7: ...
syncing group data: ubuntu:16.10: ...
syncing group data: alpine:3.3: ...
syncing group data: alpine:3.4: ...
syncing group data: alpine:3.5: ...
syncing group data: alpine:3.6: ...
syncing group data: ol:6: ...
syncing group data: ubuntu:14.04: ...
syncing group data: ubuntu:15.10: ...
syncing group data: ubuntu:12.10: ...
syncing group data: ubuntu:17.04: ...
syncing group data: ol:7: ...
syncing group data: ubuntu:13.04: ...
syncing group data: ol:5: ...
skipping data sync for unsubscribed feed (packages) ...
[root@liumiaocn ~]#
Preparing an image
Pick any image as the scan target. This walkthrough uses the postgres image that Clair uses for its database.
[root@liumiaocn ~]# docker images
REPOSITORY            TAG                 IMAGE ID            CREATED             SIZE
docker.io/postgres    latest              33b13ed6b80a        5 days ago          268.8 MB
[root@liumiaocn ~]#
Analyze the image
[root@liumiaocn ~]# anchore analyze --image docker.io/postgres:latest --imagetype base
Analyzing image: docker.io/postgres:latest
33b13ed6b80a: analyzed.
[root@liumiaocn ~]#
Generate the results report
[root@liumiaocn ~]# anchore gate --image docker.io/postgres:latest
33b13ed6b80a: evaluating policies ...
+--------------+---------------------------+-----------------+-------------+-------------------------------------+-------------+
| Image Id     | Repo Tag                  | Gate            | Trigger     | Check Output                        | Gate Action |
+--------------+---------------------------+-----------------+-------------+-------------------------------------+-------------+
| 33b13ed6b80a | docker.io/postgres:latest | DOCKERFILECHECK | FROMSCRATCH | 'FROM' container is 'scratch' -     | GO          |
|              |                           |                 |             | (scratch)                           |             |
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC      | VULNLOW     | Low Vulnerability found in package  | GO          |
|              |                           |                 |             | - coreutils (CVE-2016-2781 - https  |             |
|              |                           |                 |             | ://security-tracker.debian.org/trac |             |
|              |                           |                 |             | ker/CVE-2016-2781)                  |             |
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC      | VULNUNKNOWN | Negligible Vulnerability found in   | GO          |
|              |                           |                 |             | package - login (CVE-2007-5686 -    |             |
|              |                           |                 |             | https://security-tracker.debian.org |             |
|              |                           |                 |             | /tracker/CVE-2007-5686)             |             |
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC      | VULNUNKNOWN | Negligible Vulnerability found in   | GO          |
|              |                           |                 |             | package - passwd (CVE-2007-5686 -   |             |
|              |                           |                 |             | https://security-tracker.debian.org |             |
|              |                           |                 |             | /tracker/CVE-2007-5686)             |             |
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC      | VULNMEDIUM  | Medium Vulnerability found in       | WARN        |
|              |                           |                 |             | package - libxml2 (CVE-2017-9048 -  |             |
|              |                           |                 |             | https://security-tracker.debian.org |             |
|              |                           |                 |             | /tracker/CVE-2017-9048)             |             |
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC      | VULNMEDIUM  | Medium Vulnerability found in       | WARN        |
|              |                           |                 |             | package - libxml2 (CVE-2017-9049 -  |             |
|              |                           |                 |             | https://security-tracker.debian.org |             |
|              |                           |                 |             | /tracker/CVE-2017-9049)             |             |
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC      | VULNUNKNOWN | Negligible Vulnerability found in   | GO          |
|              |                           |                 |             | package - python2.7 (CVE-2013-7040  |             |
|              |                           |                 |             | - https://security-tracker.debian.o |             |
|              |                           |                 |             | rg/tracker/CVE-2013-7040)           |             |
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC      | VULNHIGH    | High Vulnerability found in package | STOP        |
|              |                           |                 |             | - libsqlite3-0 (CVE-2017-10989 -    |             |
|              |                           |                 |             | https://security-tracker.debian.org |             |
|              |                           |                 |             | /tracker/CVE-2017-10989)            |             |
...
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC      | VULNUNKNOWN | Unknown Vulnerability found in      | GO          |
|              |                           |                 |             | package - locales (CVE-2017-12132 - |             |
|              |                           |                 |             | https://security-tracker.debian.org |             |
|              |                           |                 |             | /tracker/CVE-2017-12132)            |             |
| 33b13ed6b80a | docker.io/postgres:latest | FINAL           | FINAL       |                                     | STOP        |
+--------------+---------------------------+-----------------+-------------+-------------------------------------+-------------+
Check the CVEs
[root@liumiaocn ~]# anchore query --image docker.io/postgres:latest cve-scan all
+------------------+------------+-----------------+----------------------------+---------------+----------------------------+----------------+----------------------------+
| CVE ID           | Severity   | *Total Affected | Vulnerable Package         | Fix Available | Fix Images                 | Rebuild Images | URL                        |
+------------------+------------+-----------------+----------------------------+---------------+----------------------------+----------------+----------------------------+
| CVE-2017-9525    | Medium     | 1               | cron-3.0pl1-127+deb8u1     | None          | 33b13ed6b80a(docker.io/pos | None           | https://security-tracker.d |
|                  |            |                 |                            |               | tgres:latest)              |                | ebian.org/tracker/CVE-2017 |
|                  |            |                 |                            |               |                            |                | -9525                      |
| CVE-2017-9050    | Medium     | 1               | libxml2-2.9.1+dfsg1-5+deb8 | None          | 33b13ed6b80a(docker.io/pos | None           | https://security-tracker.d |
|                  |            |                 | u4                         |               | tgres:latest)              |                | ebian.org/tracker/CVE-2017 |
|                  |            |                 |                            |               |                            |                | -9050                      |
| CVE-2017-9049    | Medium     | 1               | libxml2-2.9.1+dfsg1-5+deb8 | None          | 33b13ed6b80a(docker.io/pos | None           | https://security-tracker.d |
|                  |            |                 | u4                         |               | tgres:latest)              |                | ebian.org/tracker/CVE-2017 |
|                  |            |                 |                            |               |                            |                | -9049                      |
...
| CVE-2004-0971    | Negligible | 1               | krb5-locales-1.12.1+dfsg-1 | None          | 33b13ed6b80a(docker.io/pos | None           | https://security-tracker.d |
|                  |            |                 | 9+deb8u2                   |               | tgres:latest)              |                | ebian.org/tracker/CVE-2004 |
|                  |            |                 |                            |               |                            |                | -0971                      |
+------------------+------------+-----------------+----------------------------+---------------+----------------------------+----------------+----------------------------+
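The gate report above ends in a FINAL row whose Gate Action (GO/WARN/STOP) is the policy verdict, which is what a build pipeline needs to act on. As an added example (not part of the original article or of the Anchore project), the script below parses that prettytable-style output, re-joining the wrapped Check Output cells, collects the CVE ids and per-action counts, and fails when the FINAL row says STOP; the embedded sample table is a constructed, abridged copy of the report shown above.

```python
import re
from collections import Counter

# Constructed sample: an abridged copy of the `anchore gate` table shown above,
# in the same prettytable layout (wrapped cells spill onto continuation rows).
SAMPLE_GATE_OUTPUT = """\
+--------------+---------------------------+-----------------+-------------+-------------------------------------+-------------+
| Image Id     | Repo Tag                  | Gate            | Trigger     | Check Output                        | Gate Action |
+--------------+---------------------------+-----------------+-------------+-------------------------------------+-------------+
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC      | VULNLOW     | Low Vulnerability found in package  | GO          |
|              |                           |                 |             | - coreutils (CVE-2016-2781 - https  |             |
|              |                           |                 |             | ://security-tracker.debian.org/trac |             |
|              |                           |                 |             | ker/CVE-2016-2781)                  |             |
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC      | VULNHIGH    | High Vulnerability found in package | STOP        |
|              |                           |                 |             | - libsqlite3-0 (CVE-2017-10989 -    |             |
|              |                           |                 |             | https://security-tracker.debian.org |             |
|              |                           |                 |             | /tracker/CVE-2017-10989)            |             |
| 33b13ed6b80a | docker.io/postgres:latest | FINAL           | FINAL       |                                     | STOP        |
+--------------+---------------------------+-----------------+-------------+-------------------------------------+-------------+
"""
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_gate_table(text):
    """One dict per gate row; a line with an empty Gate cell continues the previous row."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if not line.startswith("|") or len(cells) != 6 or cells[0] == "Image Id":
            continue  # border, header or malformed line
        image_id, repo_tag, gate, trigger, output, action = cells
        if gate:
            rows.append({"image_id": image_id, "repo_tag": repo_tag, "gate": gate,
                         "trigger": trigger, "output": output, "action": action})
        elif rows:  # wrapped continuation of the previous row's Check Output
            rows[-1]["output"] += " " + output
    return rows

def summarize(rows):
    """FINAL verdict, per-action counts and the CVE ids named in the findings."""
    findings = [r for r in rows if r["gate"] != "FINAL"]
    final = next((r["action"] for r in rows if r["gate"] == "FINAL"), None)
    # The wrapped URL may be split mid-word; the '(CVE-... -' text is what is matched.
    cves = sorted({m for r in findings for m in CVE_RE.findall(r["output"])})
    return {"final_action": final, "actions": Counter(r["action"] for r in findings),
            "cves": cves}

def should_block(text):
    """CI decision: fail the build when the policy evaluation ends in STOP."""
    return summarize(parse_gate_table(text))["final_action"] == "STOP"
```

Feed it the captured stdout of `anchore gate` in a pipeline step and exit non-zero when `should_block` returns True; note that the table layout is meant for humans, so keep the parser tolerant of column-width changes as done here.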
Summary
This article gave a brief walkthrough of installing and using Anchore, a security tool aimed at images. Anchore can do more than shown here, and bringing it in as one link in the chain when rolling out DevOps, to safeguard image security, is not a bad idea.