
Security Tools: Anchore

Security matters a great deal for any product; the well-known HeartBleed, for instance, hit many companies that had neglected security hard. As containerization advanced, a survey as early as 2015 found that 30%-40% of the sampled images on Dockerhub had security problems. Anchore is a container security scanning tool aimed at exactly this: similar to the functionality Docker offers in its paid edition, it can statically scan application containers for vulnerabilities, and it also supports whitelists/blacklists and configurable evaluation policies.

Project address

Why use Anchore

As containerization gradually advances, the security of what is being run receives more and more attention. In many scenarios containers need to be scanned for vulnerabilities, for example:

Scenario                 Detail
Image of unknown origin  Images downloaded from the Internet can be used directly and are very convenient, but whether they are really safe is hard to say.
Production practice      Once containers reach production, the security requirements there are generally higher, so container security must be assured.

Prerequisites

The dependencies needed to install Anchore as described in this article are listed below:

Dependency       Detail
CentOS version   CentOS 7
Docker version   >1.10
epel-release     yum install epel-release
rpm-python       yum install rpm-python
dpkg             yum install dpkg
python-pip       yum install python-pip

How it works

Anchore scans the container's layers, finds vulnerabilities and raises alerts. The data it uses is based on the Common Vulnerabilities and Exposures database (CVE for short). Each Linux distribution generally has its own CVE source, and Anchore matches against it to decide whether a vulnerability is present; HeartBleed, for example, is CVE-2014-0160. Anchore scans an image's CVEs with the cve-scan option of the query command.

Ways to run it

Anchore supports two ways:

Option           Method
Image-based      Use the Anchore image
Normal install   Install directly with yum, apt, etc.

Preparation

Docker version

[root@liumiaocn ~]# docker version
Client:
 Version:         1.12.6
 API version:     1.24
 Package version: docker-1.12.6-32.git88a4867.el7.centos.x86_64
 Go version:      go1.7.4
 Git commit:      88a4867/1.12.6
 Built:           Mon Jul  3 16:02:02 2017
 OS/Arch:         linux/amd64

Server:
 Version:         1.12.6
 API version:     1.24
 Package version: docker-1.12.6-32.git88a4867.el7.centos.x86_64
 Go version:      go1.7.4
 Git commit:      88a4867/1.12.6
 Built:           Mon Jul  3 16:02:02 2017
 OS/Arch:         linux/amd64
[root@liumiaocn ~]#

Running Anchore

Step 1: Install Anchore with pip

[root@liumiaocn ~]# pip install anchore
Collecting anchore
  Downloading anchore-1.1.3-py2-none-any.whl (184kB)
    100% |████████████████████████████████| 194kB 45kB/s 
Collecting click (from anchore)
  Downloading click-6.7-py2.py3-none-any.whl (71kB)
    100% |████████████████████████████████| 71kB 51kB/s 
Requirement already satisfied (use --upgrade to upgrade): pyyaml in /usr/lib64/python2.7/site-packages (from anchore)
Collecting docker-py (from anchore)
  Downloading docker_py-1.10.6-py2.py3-none-any.whl (50kB)
    100% |████████████████████████████████| 51kB 63kB/s 
Collecting requests<2.11 (from anchore)
  Downloading requests-2.10.0-py2.py3-none-any.whl (506kB)
    100% |████████████████████████████████| 512kB 44kB/s 
Collecting clint (from anchore)
  Downloading clint-0.5.1.tar.gz
Collecting prettytable (from anchore)
  Downloading prettytable-0.7.2.zip
Requirement already satisfied (use --upgrade to upgrade): websocket-client>=0.32.0 in /usr/lib/python2.7/site-packages (from docker-py->anchore)
Requirement already satisfied (use --upgrade to upgrade): backports.ssl-match-hostname>=3.5; python_version < "3.5" in /usr/lib/python2.7/site-packages (from docker-py->anchore)
Requirement already satisfied (use --upgrade to upgrade): ipaddress>=1.0.16; python_version < "3.3" in /usr/lib/python2.7/site-packages (from docker-py->anchore)
Requirement already satisfied (use --upgrade to upgrade): six>=1.4.0 in /usr/lib/python2.7/site-packages (from docker-py->anchore)
Requirement already satisfied (use --upgrade to upgrade): docker-pycreds>=0.2.1 in /usr/lib/python2.7/site-packages (from docker-py->anchore)
Collecting args (from clint->anchore)
  Downloading args-0.1.0.tar.gz
Installing collected packages: click, requests, docker-py, args, clint, prettytable, anchore
  Found existing installation: requests 2.11.1
    Uninstalling requests-2.11.1:
      Successfully uninstalled requests-2.11.1
  Running setup.py install for args ... done
  Running setup.py install for clint ... done
  Running setup.py install for prettytable ... done
Successfully installed anchore-1.1.3 args-0.1.0 click-6.7 clint-0.5.1 docker-py-1.10.6 prettytable-0.7.2 requests-2.10.0
You are using pip version 8.1.2, however version 9.0.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
[root@liumiaocn ~]#

Step 2: Confirm the version after installation

[root@liumiaocn ~]# anchore --version
anchore, version 1.1.3
[root@liumiaocn ~]# 

Step 3: Initialize Anchore's database

With the feeds sync command you can watch Anchore fetch the CVE and related information from the various Linux distributions and store it in its database, as follows:

[root@liumiaocn ~]# anchore feeds sync
syncing data for subscribed feed (vulnerabilities) ...
    syncing group data: debian:unstable: ...
    skipping group data: ubuntu:16.04: ...
    skipping group data: centos:6: ...
    skipping group data: centos:7: ...
    skipping group data: centos:5: ...
    skipping group data: ubuntu:14.10: ...
    skipping group data: ubuntu:15.04: ...
    skipping group data: debian:9: ...
    syncing group data: debian:8: ...
    syncing group data: ubuntu:12.04: ...
    syncing group data: debian:7: ...
    syncing group data: ubuntu:16.10: ...
    syncing group data: alpine:3.3: ...
    syncing group data: alpine:3.4: ...
    syncing group data: alpine:3.5: ...
    syncing group data: alpine:3.6: ...
    syncing group data: ol:6: ...
    syncing group data: ubuntu:14.04: ...
    syncing group data: ubuntu:15.10: ...
    syncing group data: ubuntu:12.10: ...
    syncing group data: ubuntu:17.04: ...
    syncing group data: ol:7: ...
    syncing group data: ubuntu:13.04: ...
    syncing group data: ol:5: ...
skipping data sync for unsubscribed feed (packages) ...
[root@liumiaocn ~]#

Preparing an image

Pick any image as the object of the scan; this scan uses the image that Clair uses for its database.

[root@liumiaocn ~]# docker images
REPOSITORY           TAG                 IMAGE ID            CREATED             SIZE
docker.io/postgres   latest              33b13ed6b80a        5 days ago          268.8 MB
[root@liumiaocn ~]#

Analyzing the image

[root@liumiaocn ~]# anchore analyze --image docker.io/postgres:latest --imagetype base
Analyzing image: docker.io/postgres:latest
33b13ed6b80a: analyzed.
[root@liumiaocn ~]# 

Generating the result report

[root@liumiaocn ~]# anchore gate --image docker.io/postgres:latest
33b13ed6b80a: evaluating policies ...
+--------------+---------------------------+-----------------+-------------+-------------------------------------+-------------+
| Image Id     | Repo Tag                  | Gate            | Trigger     | Check Output                        | Gate Action |
+--------------+---------------------------+-----------------+-------------+-------------------------------------+-------------+
| 33b13ed6b80a | docker.io/postgres:latest | DOCKERFILECHECK | FROMSCRATCH | 'FROM' container is 'scratch' -     | GO          |
|              |                           |                 |             | (scratch)                           |             |
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC      | VULNLOW     | Low Vulnerability found in package  | GO          |
|              |                           |                 |             | - coreutils (CVE-2016-2781 - https  |             |
|              |                           |                 |             | ://security-tracker.debian.org/trac |             |
|              |                           |                 |             | ker/CVE-2016-2781)                  |             |
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC      | VULNUNKNOWN | Negligible Vulnerability found in   | GO          |
|              |                           |                 |             | package - login (CVE-2007-5686 -    |             |
|              |                           |                 |             | https://security-tracker.debian.org |             |
|              |                           |                 |             | /tracker/CVE-2007-5686)             |             |
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC      | VULNUNKNOWN | Negligible Vulnerability found in   | GO          |
|              |                           |                 |             | package - passwd (CVE-2007-5686 -   |             |
|              |                           |                 |             | https://security-tracker.debian.org |             |
|              |                           |                 |             | /tracker/CVE-2007-5686)             |             |
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC      | VULNMEDIUM  | Medium Vulnerability found in       | WARN        |
|              |                           |                 |             | package - libxml2 (CVE-2017-9048 -  |             |
|              |                           |                 |             | https://security-tracker.debian.org |             |
|              |                           |                 |             | /tracker/CVE-2017-9048)             |             |
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC      | VULNMEDIUM  | Medium Vulnerability found in       | WARN        |
|              |                           |                 |             | package - libxml2 (CVE-2017-9049 -  |             |
|              |                           |                 |             | https://security-tracker.debian.org |             |
|              |                           |                 |             | /tracker/CVE-2017-9049)             |             |
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC      | VULNUNKNOWN | Negligible Vulnerability found in   | GO          |
|              |                           |                 |             | package - python2.7 (CVE-2013-7040  |             |
|              |                           |                 |             | - https://security-tracker.debian.o |             |
|              |                           |                 |             | rg/tracker/CVE-2013-7040)           |             |
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC      | VULNHIGH    | High Vulnerability found in package | STOP        |
|              |                           |                 |             | - libsqlite3-0 (CVE-2017-10989 -    |             |
|              |                           |                 |             | https://security-tracker.debian.org |             |
|              |                           |                 |             | /tracker/CVE-2017-10989)            |             |
...
| 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC      | VULNUNKNOWN | Unknown Vulnerability found in      | GO          |
|              |                           |                 |             | package - locales (CVE-2017-12132 - |             |
|              |                           |                 |             | https://security-tracker.debian.org |             |
|              |                           |                 |             | /tracker/CVE-2017-12132)            |             |
| 33b13ed6b80a | docker.io/postgres:latest | FINAL           | FINAL       |                                     | STOP        |
+--------------+---------------------------+-----------------+-------------+-------------------------------------+-------------+
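In the report above each finding's severity maps to a trigger (VULNHIGH, VULNMEDIUM, VULNLOW, VULNUNKNOWN) and a Gate Action, and the FINAL row is STOP because one High finding is STOP. The added Python example below, which is not Anchore's code, reproduces that policy evaluation over findings constructed from the rows above, adds a whitelist so that a CVE a reviewer has accepted no longer drives the final action (the page states that Anchore supports whitelists; the exact semantics here are the example's own), and maps the FINAL action to a CI exit code.

```python
"""Toy policy gate in the style of the ANCHORESEC rows of an `anchore gate`
report. Added example, not Anchore's code: the severity-to-action table, the
whitelist handling and the exit-code mapping are this example's own
conventions, chosen to reproduce the GO / WARN / STOP actions in the report."""
from typing import Dict, Iterable, List, Tuple

# Severity -> (trigger, action). Trigger and action names are the ones that
# appear in the report; which severity gets which action is a policy choice.
DEFAULT_POLICY: Dict[str, Tuple[str, str]] = {
    "High": ("VULNHIGH", "STOP"),
    "Medium": ("VULNMEDIUM", "WARN"),
    "Low": ("VULNLOW", "GO"),
    "Negligible": ("VULNUNKNOWN", "GO"),
    "Unknown": ("VULNUNKNOWN", "GO"),
}
ACTION_RANK = {"GO": 0, "WARN": 1, "STOP": 2}


def evaluate(findings: Iterable[dict], policy: Dict[str, Tuple[str, str]] = DEFAULT_POLICY,
             whitelist: Iterable[str] = ()) -> List[dict]:
    """Turn vulnerability findings into gate rows plus a FINAL row.

    Whitelisted CVE ids stay in the report (so the decision is auditable) but
    their action is forced to GO, so they cannot raise the final action."""
    accepted = set(whitelist)
    rows = []
    for f in findings:
        trigger, action = policy.get(f["severity"], ("VULNUNKNOWN", "GO"))
        note = ""
        if f["id"] in accepted:
            action, note = "GO", " (whitelisted)"
        rows.append({"gate": "ANCHORESEC", "trigger": trigger, "action": action,
                     "output": f"{f['severity']} vulnerability in package {f['package']} ({f['id']}){note}"})
    # FINAL is the most severe action of any row: STOP beats WARN beats GO.
    final = max((r["action"] for r in rows), key=ACTION_RANK.__getitem__, default="GO")
    rows.append({"gate": "FINAL", "trigger": "FINAL", "action": final, "output": ""})
    return rows


def final_action(rows: List[dict]) -> str:
    return rows[-1]["action"]


def exit_code(rows: List[dict]) -> int:
    """CI convention used here: STOP fails the build, WARN and GO let it pass."""
    return 1 if final_action(rows) == "STOP" else 0


# Constructed from the findings visible in the gate report above.
SAMPLE_FINDINGS = [
    {"id": "CVE-2016-2781", "severity": "Low", "package": "coreutils"},
    {"id": "CVE-2007-5686", "severity": "Negligible", "package": "login"},
    {"id": "CVE-2017-9048", "severity": "Medium", "package": "libxml2"},
    {"id": "CVE-2017-9049", "severity": "Medium", "package": "libxml2"},
    {"id": "CVE-2013-7040", "severity": "Negligible", "package": "python2.7"},
    {"id": "CVE-2017-10989", "severity": "High", "package": "libsqlite3-0"},
    {"id": "CVE-2017-12132", "severity": "Unknown", "package": "locales"},
]

if __name__ == "__main__":
    import sys
    rows = evaluate(SAMPLE_FINDINGS)
    for r in rows:
        print(f"{r['gate']:<11} {r['trigger']:<12} {r['action']:<5} {r['output']}")
    sys.exit(exit_code(rows))
```

Run as-is the script reproduces the report's outcome (FINAL = STOP, exit code 1); passing whitelist={"CVE-2017-10989"} leaves only the two Medium WARN rows, so FINAL becomes WARN and the build passes. Whitelisting should be a reviewed decision recorded alongside the policy, since it is exactly the mechanism by which a known High finding stops blocking deployments.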

Checking the CVEs

[root@liumiaocn ~]# anchore query --image docker.io/postgres:latest cve-scan all
+------------------+------------+-----------------+----------------------------+---------------+----------------------------+----------------+----------------------------+
| CVE ID           | Severity   | *Total Affected | Vulnerable Package         | Fix Available | Fix Images                 | Rebuild Images | URL                        |
+------------------+------------+-----------------+----------------------------+---------------+----------------------------+----------------+----------------------------+
| CVE-2017-9525    | Medium     | 1               | cron-3.0pl1-127+deb8u1     | None          | 33b13ed6b80a(docker.io/pos | None           | https://security-tracker.d |
|                  |            |                 |                            |               | tgres:latest)              |                | ebian.org/tracker/CVE-2017 |
|                  |            |                 |                            |               |                            |                | -9525                      |
| CVE-2017-9050    | Medium     | 1               | libxml2-2.9.1+dfsg1-5+deb8 | None          | 33b13ed6b80a(docker.io/pos | None           | https://security-tracker.d |
|                  |            |                 | u4                         |               | tgres:latest)              |                | ebian.org/tracker/CVE-2017 |
|                  |            |                 |                            |               |                            |                | -9050                      |
| CVE-2017-9049    | Medium     | 1               | libxml2-2.9.1+dfsg1-5+deb8 | None          | 33b13ed6b80a(docker.io/pos | None           | https://security-tracker.d |
|                  |            |                 | u4                         |               | tgres:latest)              |                | ebian.org/tracker/CVE-2017 |
|                  |            |                 |                            |               |                            |                | -9049                      |
...
| CVE-2004-0971    | Negligible | 1               | krb5-locales-1.12.1+dfsg-1 | None          | 33b13ed6b80a(docker.io/pos | None           | https://security-tracker.d |
|                  |            |                 | 9+deb8u2                   |               | tgres:latest)              |                | ebian.org/tracker/CVE-2004 |
|                  |            |                 |                            |               |                            |                | -0971                      |
+------------------+------------+-----------------+----------------------------+---------------+----------------------------+----------------+----------------------------+

Summary

This article gave a brief introduction to Anchore, a security tool for images, from installation through to usage. Anchore's functionality is not limited to what is shown here; when rolling out DevOps, bringing in Anchore as one link in the chain to safeguard image security is not a bad idea.