安全防护工具之:Anchore
安全性对任何产品来说都非常重要,比如著名的HeartBleed就曾经给很多忽视安全问题的企业带来了很大的影响。而随着容器化的推进,早在2015年的一次调查中,研究者就曾发现取样的Dockerhub上有30%-40%的镜像存在安全性的问题。Anchore正是这样一款针对容器的安全扫描的工具,类似于Docker在其收费版中提供的功能那样,能对应用容器的脆弱性进行静态扫描
·
安全性对任何产品来说都非常重要,比如著名的HeartBleed就曾经给很多忽视安全问题的企业带来了很大的影响。而随着容器化的推进,早在2015年的一次调查中,研究者就曾发现取样的Dockerhub上有30%-40%的镜像存在安全性的问题。Anchore正是这样一款针对容器的安全扫描的工具,类似于Docker在其收费版中提供的功能那样,能对应用容器的脆弱性进行静态扫描,同时支持whitelist/blacklist以及评估策略的设定。
项目地址
| 项目 | 详细 |
|---|---|
| 项目地址 | https://github.com/anchore/anchore |
| 开发语言 | Python |
| License | Apache 2 |
为什么使用Anchore
随着容器化的逐渐推进,使用的安全性也受到越来越多地重视。在很多场景下,都需要对容器的脆弱性进行扫描,比如
| 项目 | 详细 |
|---|---|
| 镜像来源不明 | 在互联网上下载的镜像,可以直接使用,非常的方便,但是是否真正安全还非常难说 |
| 生产环境的实践 | 容器上到生产环境之后,生产环境对容器的安全性要求一般较高,此时需要容器的安全性得到保证 |
依赖条件
以下列出本文安装Anchore所需的依赖
| 依赖 | 详细 |
|---|---|
| CentOS版本 | CentOS 7 |
| Docker版本 | >1.10 |
| epel-release | yum install epel-release |
| rpm-python | yum install rpm-python |
| dpkg | yum install dpkg |
| python-pip | yum install python-pip |
工作原理
通过对容器的layer进行扫描,发现漏洞并进行预警,其使用数据是基于Common Vulnerabilities and Exposures数据库(简称CVE), 各Linux发行版一般都有自己的CVE源,而Anchore则是与其进行匹配以判断漏洞的存在与否,比如HeartBleed的CVE为:CVE-2014-0160, Anchore通过query 命令的 cve-scan选项可以对镜像的CVE进行扫描。
运行方式
Anchore支持两种方式
| 项番 | 方式 |
|---|---|
| 镜像方式 | 使用Anchore的镜像 |
| 普通安装 | 使用yum或者apt等直接安装 |
事前准备
docker版本
[root@liumiaocn ~]# docker version
Client:
Version: 1.12.6
API version: 1.24
Package version: docker-1.12.6-32.git88a4867.el7.centos.x86_64
Go version: go1.7.4
Git commit: 88a4867/1.12.6
Built: Mon Jul 3 16:02:02 2017
OS/Arch: linux/amd64
Server:
Version: 1.12.6
API version: 1.24
Package version: docker-1.12.6-32.git88a4867.el7.centos.x86_64
Go version: go1.7.4
Git commit: 88a4867/1.12.6
Built: Mon Jul 3 16:02:02 2017
OS/Arch: linux/amd64
[root@liumiaocn ~]#运行Clair
Step 1: 使用pip安装Anchore
[root@liumiaocn ~]# pip install anchore
Collecting anchore
Downloading anchore-1.1.3-py2-none-any.whl (184kB)
100% |████████████████████████████████| 194kB 45kB/s
Collecting click (from anchore)
Downloading click-6.7-py2.py3-none-any.whl (71kB)
100% |████████████████████████████████| 71kB 51kB/s
Requirement already satisfied (use --upgrade to upgrade): pyyaml in /usr/lib64/python2.7/site-packages (from anchore)
Collecting docker-py (from anchore)
Downloading docker_py-1.10.6-py2.py3-none-any.whl (50kB)
100% |████████████████████████████████| 51kB 63kB/s
Collecting requests<2.11 (from anchore)
Downloading requests-2.10.0-py2.py3-none-any.whl (506kB)
100% |████████████████████████████████| 512kB 44kB/s
Collecting clint (from anchore)
Downloading clint-0.5.1.tar.gz
Collecting prettytable (from anchore)
Downloading prettytable-0.7.2.zip
Requirement already satisfied (use --upgrade to upgrade): websocket-client>=0.32.0 in /usr/lib/python2.7/site-packages (from docker-py->anchore)
Requirement already satisfied (use --upgrade to upgrade): backports.ssl-match-hostname>=3.5; python_version < "3.5" in /usr/lib/python2.7/site-packages (from docker-py->anchore)
Requirement already satisfied (use --upgrade to upgrade): ipaddress>=1.0.16; python_version < "3.3" in /usr/lib/python2.7/site-packages (from docker-py->anchore)
Requirement already satisfied (use --upgrade to upgrade): six>=1.4.0 in /usr/lib/python2.7/site-packages (from docker-py->anchore)
Requirement already satisfied (use --upgrade to upgrade): docker-pycreds>=0.2.1 in /usr/lib/python2.7/site-packages (from docker-py->anchore)
Collecting args (from clint->anchore)
Downloading args-0.1.0.tar.gz
Installing collected packages: click, requests, docker-py, args, clint, prettytable, anchore
Found existing installation: requests 2.11.1
Uninstalling requests-2.11.1:
Successfully uninstalled requests-2.11.1
Running setup.py install for args ... done
Running setup.py install for clint ... done
Running setup.py install for prettytable ... done
Successfully installed anchore-1.1.3 args-0.1.0 click-6.7 clint-0.5.1 docker-py-1.10.6 prettytable-0.7.2 requests-2.10.0
You are using pip version 8.1.2, however version 9.0.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
[root@liumiaocn ~]#Step 2:安装后版本确认
[root@liumiaocn ~]# anchore --version
anchore, version 1.1.3
[root@liumiaocn ~]# Step 3:初期化Anchore的Database
使用feeds sync命令,可以看出Anchore从不同的Linux发行版中取出相应的CVE等的信息存到其Database的过程如下:
[root@liumiaocn ~]# anchore feeds sync
syncing data for subscribed feed (vulnerabilities) ...
syncing group data: debian:unstable: ...
skipping group data: ubuntu:16.04: ...
skipping group data: centos:6: ...
skipping group data: centos:7: ...
skipping group data: centos:5: ...
skipping group data: ubuntu:14.10: ...
skipping group data: ubuntu:15.04: ...
skipping group data: debian:9: ...
syncing group data: debian:8: ...
syncing group data: ubuntu:12.04: ...
syncing group data: debian:7: ...
syncing group data: ubuntu:16.10: ...
syncing group data: alpine:3.3: ...
syncing group data: alpine:3.4: ...
syncing group data: alpine:3.5: ...
syncing group data: alpine:3.6: ...
syncing group data: ol:6: ...
syncing group data: ubuntu:14.04: ...
syncing group data: ubuntu:15.10: ...
syncing group data: ubuntu:12.10: ...
syncing group data: ubuntu:17.04: ...
syncing group data: ol:7: ...
syncing group data: ubuntu:13.04: ...
syncing group data: ol:5: ...
skipping data sync for unsubscribed feed (packages) ...
[root@liumiaocn ~]#
镜像准备
随便找一个镜像,作为用来进行扫描的对象,本次扫描使用Clair中使用的Database的镜像源。
[root@liumiaocn ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/postgres latest 33b13ed6b80a 5 days ago 268.8 MB
[root@liumiaocn ~]#对镜像进行分析
[root@liumiaocn ~]# anchore analyze --image docker.io/postgres:latest --imagetype base
Analyzing image: docker.io/postgres:latest
33b13ed6b80a: analyzed.
[root@liumiaocn ~]# 生成结果报告
[root@liumiaocn ~]# anchore gate --image docker.io/postgres:latest
33b13ed6b80a: evaluating policies ...
+--------------+---------------------------+-----------------+-------------+-------------------------------------+-------------+
| Image Id | Repo Tag | Gate | Trigger | Check Output | Gate Action |
+--------------+---------------------------+-----------------+-------------+-------------------------------------+-------------+
| 33b13ed6b80a | docker.io/postgres:latest | DOCKERFILECHECK | FROMSCRATCH | 'FROM' container is 'scratch' - | GO |
| | | | | (scratch) | |
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC | VULNLOW | Low Vulnerability found in package | GO |
| | | | | - coreutils (CVE-2016-2781 - https | |
| | | | | ://security-tracker.debian.org/trac | |
| | | | | ker/CVE-2016-2781) | |
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC | VULNUNKNOWN | Negligible Vulnerability found in | GO |
| | | | | package - login (CVE-2007-5686 - | |
| | | | | https://security-tracker.debian.org | |
| | | | | /tracker/CVE-2007-5686) | |
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC | VULNUNKNOWN | Negligible Vulnerability found in | GO |
| | | | | package - passwd (CVE-2007-5686 - | |
| | | | | https://security-tracker.debian.org | |
| | | | | /tracker/CVE-2007-5686) | |
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC | VULNMEDIUM | Medium Vulnerability found in | WARN |
| | | | | package - libxml2 (CVE-2017-9048 - | |
| | | | | https://security-tracker.debian.org | |
| | | | | /tracker/CVE-2017-9048) | |
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC | VULNMEDIUM | Medium Vulnerability found in | WARN |
| | | | | package - libxml2 (CVE-2017-9049 - | |
| | | | | https://security-tracker.debian.org | |
| | | | | /tracker/CVE-2017-9049) | |
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC | VULNUNKNOWN | Negligible Vulnerability found in | GO |
| | | | | package - python2.7 (CVE-2013-7040 | |
| | | | | - https://security-tracker.debian.o | |
| | | | | rg/tracker/CVE-2013-7040) | |
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC | VULNHIGH | High Vulnerability found in package | STOP |
| | | | | - libsqlite3-0 (CVE-2017-10989 - | |
| | | | | https://security-tracker.debian.org | |
| | | | | /tracker/CVE-2017-10989) | |
...
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC | VULNUNKNOWN | Unknown Vulnerability found in | GO |
| | | | | package - locales (CVE-2017-12132 - | |
| | | | | https://security-tracker.debian.org | |
| | | | | /tracker/CVE-2017-12132) | |
| 33b13ed6b80a | docker.io/postgres:latest | FINAL | FINAL | | STOP |
+--------------+---------------------------+-----------------+-------------+-------------------------------------+-------------+确认CVE
[root@liumiaocn ~]# anchore query --image docker.io/postgres:latest cve-scan all
+------------------+------------+-----------------+----------------------------+---------------+----------------------------+----------------+----------------------------+
| CVE ID | Severity | *Total Affected | Vulnerable Package | Fix Available | Fix Images | Rebuild Images | URL |
+------------------+------------+-----------------+----------------------------+---------------+----------------------------+----------------+----------------------------+
| CVE-2017-9525 | Medium | 1 | cron-3.0pl1-127+deb8u1 | None | 33b13ed6b80a(docker.io/pos | None | https://security-tracker.d |
| | | | | | tgres:latest) | | ebian.org/tracker/CVE-2017 |
| | | | | | | | -9525 |
| CVE-2017-9050 | Medium | 1 | libxml2-2.9.1+dfsg1-5+deb8 | None | 33b13ed6b80a(docker.io/pos | None | https://security-tracker.d |
| | | | u4 | | tgres:latest) | | ebian.org/tracker/CVE-2017 |
| | | | | | | | -9050 |
| CVE-2017-9049 | Medium | 1 | libxml2-2.9.1+dfsg1-5+deb8 | None | 33b13ed6b80a(docker.io/pos | None | https://security-tracker.d |
| | | | u4 | | tgres:latest) | | ebian.org/tracker/CVE-2017 |
| | | | | | | | -9049 |
...
| CVE-2004-0971 | Negligible | 1 | krb5-locales-1.12.1+dfsg-1 | None | 33b13ed6b80a(docker.io/pos | None | https://security-tracker.d |
| | | | 9+deb8u2 | | tgres:latest) | | ebian.org/tracker/CVE-2004 |
| | | | | | | | -0971 |
+------------------+------------+-----------------+----------------------------+---------------+----------------------------+----------------+----------------------------+
总结
本文简单介绍了Anchore这款针对于镜像的安全工具的安装到使用方法,而Anchore的功能不仅限于此,在DevOps落地的时候引入Anchore作为其中的一环对镜像的安全保驾护航不算是一个坏的注意。
权威|前沿|技术|干货|国内首个API全生命周期开发者社区
更多推荐
5
0- 0
已为社区贡献51条内容
所有评论(0)