安全防護工具之:Anchore
阿新 • • 發佈:2018-12-14
安全性對任何產品來說都非常重要,比如著名的HeartBleed就曾經給很多忽視安全問題的企業帶來了很大的影響。而隨著容器化的推進,早在2015年的一次調查中,研究者就曾發現取樣的Dockerhub上有30%-40%的映象存在安全性的問題。Anchore正是這樣一款針對容器的安全掃描的工具,類似於Docker在其收費版中提供的功能那樣,能對應用容器的脆弱性進行靜態掃描,同時支援whitelist/blacklist以及評估策略的設定。
專案地址
為什麼使用Anchore
隨著容器化的逐漸推進,使用的安全性也受到越來越多地重視。在很多場景下,都需要對容器的脆弱性進行掃描,比如
| 專案 | 詳細 |
|---|---|
| 映象來源不明 | 在網際網路上下載的映象,可以直接使用,非常的方便,但是是否真正安全還非常難說 |
| 生產環境的實踐 | 容器上到生產環境之後,生產環境對容器的安全性要求一般較高,此時需要容器的安全性得到保證 |
依賴條件
以下列出本文安裝Anchore所需的依賴
| 依賴 | 詳細 |
|---|---|
| CentOS版本 | CentOS 7 |
| Docker版本 | >1.10 |
| epel-release | yum install epel-release |
| rpm-python | yum install rpm-python |
| dpkg | yum install dpkg |
| python-pip | yum install python-pip |
工作原理
通過對容器的layer進行掃描,發現漏洞並進行預警,其使用資料是基於Common Vulnerabilities and Exposures資料庫(簡稱CVE), 各Linux發行版一般都有自己的CVE源,而Anchore則是與其進行匹配以判斷漏洞的存在與否,比如HeartBleed的CVE為:CVE-2014-0160, Anchore通過query 命令的 cve-scan選項可以對映象的CVE進行掃描。
執行方式
Anchore支援兩種方式
| 項番 | 方式 |
|---|---|
| 映象方式 | 使用Anchore的映象 |
| 普通安裝 | 使用yum或者apt等直接安裝 |
事前準備
docker版本
[[email protected] ~]# docker version
Client:
Version: 1.12.6
API version: 1.24
Package version: docker-1.12.6-32.git88a4867.el7.centos.x86_64
Go version: go1.7.4
Git commit: 88a4867/1.12.6
Built: Mon Jul 3 16:02:02 2017
OS/Arch: linux/amd64
Server:
Version: 1.12.6
API version: 1.24
Package version: docker-1.12.6-32.git88a4867.el7.centos.x86_64
Go version: go1.7.4
Git commit: 88a4867/1.12.6
Built: Mon Jul 3 16:02:02 2017
OS/Arch: linux/amd64
[[email protected] ~]#- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
執行Clair
Step 1: 使用pip安裝Anchore
[[email protected] ~]# pip install anchore
Collecting anchore
Downloading anchore-1.1.3-py2-none-any.whl (184kB)
100% |████████████████████████████████| 194kB 45kB/s
Collecting click (from anchore)
Downloading click-6.7-py2.py3-none-any.whl (71kB)
100% |████████████████████████████████| 71kB 51kB/s
Requirement already satisfied (use --upgrade to upgrade): pyyaml in /usr/lib64/python2.7/site-packages (from anchore)
Collecting docker-py (from anchore)
Downloading docker_py-1.10.6-py2.py3-none-any.whl (50kB)
100% |████████████████████████████████| 51kB 63kB/s
Collecting requests<2.11 (from anchore)
Downloading requests-2.10.0-py2.py3-none-any.whl (506kB)
100% |████████████████████████████████| 512kB 44kB/s
Collecting clint (from anchore)
Downloading clint-0.5.1.tar.gz
Collecting prettytable (from anchore)
Downloading prettytable-0.7.2.zip
Requirement already satisfied (use --upgrade to upgrade): websocket-client>=0.32.0 in /usr/lib/python2.7/site-packages (from docker-py->anchore)
Requirement already satisfied (use --upgrade to upgrade): backports.ssl-match-hostname>=3.5; python_version < "3.5" in /usr/lib/python2.7/site-packages (from docker-py->anchore)
Requirement already satisfied (use --upgrade to upgrade): ipaddress>=1.0.16; python_version < "3.3" in /usr/lib/python2.7/site-packages (from docker-py->anchore)
Requirement already satisfied (use --upgrade to upgrade): six>=1.4.0 in /usr/lib/python2.7/site-packages (from docker-py->anchore)
Requirement already satisfied (use --upgrade to upgrade): docker-pycreds>=0.2.1 in /usr/lib/python2.7/site-packages (from docker-py->anchore)
Collecting args (from clint->anchore)
Downloading args-0.1.0.tar.gz
Installing collected packages: click, requests, docker-py, args, clint, prettytable, anchore
Found existing installation: requests 2.11.1
Uninstalling requests-2.11.1:
Successfully uninstalled requests-2.11.1
Running setup.py install for args ... done
Running setup.py install for clint ... done
Running setup.py install for prettytable ... done
Successfully installed anchore-1.1.3 args-0.1.0 click-6.7 clint-0.5.1 docker-py-1.10.6 prettytable-0.7.2 requests-2.10.0
You are using pip version 8.1.2, however version 9.0.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
[[email protected] ~]#- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
Step 2:安裝後版本確認
[root@liumiaocn ~]# anchore --version
anchore, version 1.1.3
[root@liumiaocn ~]# - 1
- 2
- 3
Step 3:初期化Anchore的Database
使用feeds sync命令,可以看出Anchore從不同的Linux發行版中取出相應的CVE等的資訊存到其Database的過程如下:
[[email protected] ~]# anchore feeds sync
syncing data for subscribed feed (vulnerabilities) ...
syncing group data: debian:unstable: ...
skipping group data: ubuntu:16.04: ...
skipping group data: centos:6: ...
skipping group data: centos:7: ...
skipping group data: centos:5: ...
skipping group data: ubuntu:14.10: ...
skipping group data: ubuntu:15.04: ...
skipping group data: debian:9: ...
syncing group data: debian:8: ...
syncing group data: ubuntu:12.04: ...
syncing group data: debian:7: ...
syncing group data: ubuntu:16.10: ...
syncing group data: alpine:3.3: ...
syncing group data: alpine:3.4: ...
syncing group data: alpine:3.5: ...
syncing group data: alpine:3.6: ...
syncing group data: ol:6: ...
syncing group data: ubuntu:14.04: ...
syncing group data: ubuntu:15.10: ...
syncing group data: ubuntu:12.10: ...
syncing group data: ubuntu:17.04: ...
syncing group data: ol:7: ...
syncing group data: ubuntu:13.04: ...
syncing group data: ol:5: ...
skipping data sync for unsubscribed feed (packages) ...
[[email protected] ~]#
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
映象準備
隨便找一個映象,作為用來進行掃描的物件,本次掃描使用Clair中使用的Database的映象源。
[root@liumiaocn ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/postgres latest 33b13ed6b80a 5 days ago 268.8 MB
[root@liumiaocn ~]#- 1
- 2
- 3
- 4
對映象進行分析
[root@liumiaocn ~]# anchore analyze --image docker.io/postgres:latest --imagetype base
Analyzing image: docker.io/postgres:latest
33b13ed6b80a: analyzed.
[root@liumiaocn ~]# - 1
- 2
- 3
- 4
生成結果報告
[[email protected] ~]# anchore gate --image docker.io/postgres:latest
33b13ed6b80a: evaluating policies ...
+--------------+---------------------------+-----------------+-------------+-------------------------------------+-------------+
| Image Id | Repo Tag | Gate | Trigger | Check Output | Gate Action |
+--------------+---------------------------+-----------------+-------------+-------------------------------------+-------------+
| 33b13ed6b80a | docker.io/postgres:latest | DOCKERFILECHECK | FROMSCRATCH | 'FROM' container is 'scratch' - | GO |
| | | | | (scratch) | |
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC | VULNLOW | Low Vulnerability found in package | GO |
| | | | | - coreutils (CVE-2016-2781 - https | |
| | | | | ://security-tracker.debian.org/trac | |
| | | | | ker/CVE-2016-2781) | |
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC | VULNUNKNOWN | Negligible Vulnerability found in | GO |
| | | | | package - login (CVE-2007-5686 - | |
| | | | | https://security-tracker.debian.org | |
| | | | | /tracker/CVE-2007-5686) | |
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC | VULNUNKNOWN | Negligible Vulnerability found in | GO |
| | | | | package - passwd (CVE-2007-5686 - | |
| | | | | https://security-tracker.debian.org | |
| | | | | /tracker/CVE-2007-5686) | |
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC | VULNMEDIUM | Medium Vulnerability found in | WARN |
| | | | | package - libxml2 (CVE-2017-9048 - | |
| | | | | https://security-tracker.debian.org | |
| | | | | /tracker/CVE-2017-9048) | |
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC | VULNMEDIUM | Medium Vulnerability found in | WARN |
| | | | | package - libxml2 (CVE-2017-9049 - | |
| | | | | https://security-tracker.debian.org | |
| | | | | /tracker/CVE-2017-9049) | |
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC | VULNUNKNOWN | Negligible Vulnerability found in | GO |
| | | | | package - python2.7 (CVE-2013-7040 | |
| | | | | - https://security-tracker.debian.o | |
| | | | | rg/tracker/CVE-2013-7040) | |
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC | VULNHIGH | High Vulnerability found in package | STOP |
| | | | | - libsqlite3-0 (CVE-2017-10989 - | |
| | | | | https://security-tracker.debian.org | |
| | | | | /tracker/CVE-2017-10989) | |
...
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC | VULNUNKNOWN | Unknown Vulnerability found in | GO |
| | | | | package - locales (CVE-2017-12132 - | |
| | | | | https://security-tracker.debian.org | |
| | | | | /tracker/CVE-2017-12132) | |
| 33b13ed6b80a | docker.io/postgres:latest | FINAL | FINAL | | STOP |
+--------------+---------------------------+-----------------+-------------+-------------------------------------+-------------+- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
確認CVE
[[email protected] ~]# anchore query --image docker.io/postgres:latest cve-scan all
+------------------+------------+-----------------+----------------------------+---------------+----------------------------+----------------+----------------------------+
| CVE ID | Severity | *Total Affected | Vulnerable Package | Fix Available | Fix Images | Rebuild Images | URL |
+------------------+------------+-----------------+----------------------------+---------------+----------------------------+----------------+----------------------------+
| CVE-2017-9525 | Medium | 1 | cron-3.0pl1-127+deb8u1 | None | 33b13ed6b80a(docker.io/pos | None | https://security-tracker.d |
| | | | | | tgres:latest) | | ebian.org/tracker/CVE-2017 |
| | | | | | | | -9525 |
| CVE-2017-9050 | Medium | 1 | libxml2-2.9.1+dfsg1-5+deb8 | None | 33b13ed6b80a(docker.io/pos | None | https://security-tracker.d |
| | | | u4 | | tgres:latest) | | ebian.org/tracker/CVE-2017 |
| | | | | | | | -9050 |
| CVE-2017-9049 | Medium | 1 | libxml2-2.9.1+dfsg1-5+deb8 | None | 33b13ed6b80a(docker.io/pos | None | https://security-tracker.d |
| | | | u4 | | tgres:latest) | | ebian.org/tracker/CVE-2017 |
| | | | | | | | -9049 |
...
| CVE-2004-0971 | Negligible | 1 | krb5-locales-1.12.1+dfsg-1 | None | 33b13ed6b80a(docker.io/pos | None | https://security-tracker.d |
| | | | 9+deb8u2 | | tgres:latest) | | ebian.org/tracker/CVE-2004 |
| | | | | | | | -0971 |
+------------------+------------+-----------------+----------------------------+---------------+----------------------------+----------------+----------------------------+
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
總結
本文簡單介紹了Anchore這款針對於映象的安全工具的安裝到使用方法,而Anchore的功能不僅限於此,在DevOps落地的時候引入Anchore作為其中的一環對映象的安全保駕護航不算是一個壞的注意。