Tools for Vulnerability Analysis
Clair
Clair provides a JSON API that extracts all layers of the image and can be executed to inspect container images, for example, as part of continuous integration and continuous delivery process.
We can install Clair through the Docker Compose tool and the repository https://github.com/quay/clair#docker-compose. These are the commands for installing it in your local machine:
curl -LO https://raw.githubusercontent.com/coreos/clair/05cbf328aa6b00a167124dbdbec229e348d97c04/contrib/compose/docker-compose.yml
The Clair configuration defines how images should be scanned. You can download it with the following command:
mkdir clair_config && curl -L https://raw.githubusercontent.com/coreos/clair/master/config.yaml.sample -o clair_config/config.yaml
Next, we need to update the Clair configuration, setting the version of Clair to the last stable release and the default database password:
sed 's/clair-git:latest/clair:v2.0.1/' -i docker-compose.yml &&
sed 's/host=localhost/host=postgres password=password/' -i clair_config/config.yaml
Use the following command to deploy only the Postgres container from the compose file
docker-compose up -d postgres
Next, we can download and load the CVE details for Clair to use:
curl -LO https://gist.githubusercontent.com/BenHall/34ae4e6129d81f871e353c63b6a869a7/raw/5818fba954b0b00352d07771fabab6b9daba5510/clair.sql
And then push this data in the Postgres container using
docker run -it -v $(pwd):/sql/ --network "${USER}_default" --link clair_postgres:clair_postgres postgres:latest bash -c "PGPASSWORD=password psql -h clair_postgres -U postgres < /sql/clair.sql"
Now the database is ready to be used and we can deploy the Clair container using the below-mentioned command
docker-compose up -d clair
We can now send Docker Images to scan and return which vulnerabilities it contains. To scan all the layers from a Docker image we can use tools like Klar https://github.com/optiopay/klar. This tool allows analyzing images stored in a private or public Docker registry for security vulnerabilities using Clair container service. We can use the following command to download the latest release from GitHub:
curl -L https://github.com/optiopay/klar/releases/download/v1.5/klar-1.5-linux-amd64 -o /usr/local/bin/klar && chmod +x $_
We can use the following command to analyze vulnerabilities in a Docker image, where CLAIR_ADDR is the server address where Clair has been hosted:
CLAIR_ADDR=<clair_server> klar <Docker_image>
Anchore
Anchore is an open source tool that inspects, analyzes, and certifies Docker images. This analysis is done against a proprietary database (Postgres) formed by the collection of information on vulnerabilities and security problems (CVE) from operating system distributions.It also collects the same information from the logs of popular packages like Node.JS, NPM, and Ruby.
Anchore can download any image from a registry compatible with Docker V2. And with the result of the analysis, it generates a report with the details of the image, a list of artifacts (npm, gem, Python, and Java), a list of operating system packages, the list of image files, and a list of vulnerabilities.
Anchore engine architecture consists of five components that can be implemented in a single container or in a Kubernetes cluster:
Anchore Engine CLI: It is the main command line interface provided by the Anchore suite to be able to rule the solution. It is mainly responsible for interpreting and sending the commands passed to the Anchore Engine API.
Anchore Engine API: This service allows you to orchestrate the entire solution. It is also used to analyze images and obtain policy evaluations and govern the solution completely.
Anchore Policy Engine: The policy engine is responsible for scanning for vulnerabilities in the artifacts found in the image and providing a quick assessment of the policies on that data.
Anchore Engine Analyzer: This component is responsible for the downloading of images and their analysis.
Anchore Engine Database: Anchore is built around a PostgreSQL database that contains tables for all the necessary services that are communicated through API calls.
Deploying Anchore engine
You can use the following command to download the latest version of anchore-engine:
git clone https://github.com/anchore/anchore-engine
cd anchore-engine
The first step is to download the configuration files (docker-compose.yaml and config.yaml) from the GitHub project.
curl https://raw.githubusercontent.com/anchore/anchore-engine/master/docker-compose-dev.yaml > docker-compose.yaml
curl https://raw.githubusercontent.com/anchore/anchore-engine/master/conf/default_config.yaml > config.yaml
The config.yaml file is a configuration file with the basic configuration the Anchore Engine requires to run. It has several parameters, including defaults, log level, listening port, username, and password, that you can adjust to meet specific requirements. We can execute the following docker-compose command using the same path where we have downloaded the docker-compose.yaml file to start Anchore Engine:
docker-compose up -d
docker ps
The preceding command will extract the Anchore image and automatically create the Anchore engine and database. Once completed, the command will start the Anchore engine. Wait till all container state is healthy.
Install anchore cli using pip
#Install anchore cli using pip
python3 -m pip install --upgrade pip
pip install anchorecli
git clone https://github.com/anchore/anchore-cli
cd anchore-cli
pip install --user –upgrade.
python setup.py install
Configure anchore username and password.
mkdir $HOME/.anchore
vi $HOME/.anchore/credentials.yaml
Add below lines in .anchore/credentials.yaml file.
default:
ANCHORE_CLI_USER: 'admin'
ANCHORE_CLI_PASS: 'anchorepassword'
ANCHORE_CLI_URL: 'http://localhost:8228/v1'
Replace anchorepassword with the value of ANCHORE_ADMIN_PASSWORD environment variable which was set in docker-compose.yaml file
scan images using below command. Run this command till analysis status changes to analysed.
docker pull django:latest
anchore-cli --u admin --p PASSWORD image add django:latest
We can execute the following command to check the results of the vulnerability analysis in the django:latest
image.
docker-compose exec api anchore-cli image vuln django:latest all
AWS ECR(Amazon Elastic Container Registry)
Amazon Elastic Container Registry (Amazon ECR) is an AWS managed container image registry service that is secure, scalable, and reliable. Amazon ECR supports private repositories with resource-based permissions using AWS IAM. This is so that specified users or Amazon EC2 instances can access your container repositories and images.
Install the AWS CLI
sudo apt-get install awscli
Create an IAM User
Create an IAM user, assignAdministratorAccess
, Create and download access key.csv
file.
Configure AWS CLI on your machine
Configure AWS using access key available in .csv file.
#configure aws and use access key specified in .csv file
aws configure
Create an ECR repository
Create AWS ECR repository with ScanOnPush
option enabled using AWS Management Console.
Build docker image using AWS ECR
In AWS Management Console ,Go to Created ECR repository and select View Push Commands
.Follow instructions and commands.
After pushing image to ECR , you can see scanning and vulnerabilities using AWS Management Console.
Trivy
Trivy https://github.com/aquasecurity/trivy is an open source tool that focuses on detecting vulnerabilities in packages at the operating system level and dependency files of different languages. Trivy provides installers for most Linux and macOS systems. We can use the following commands to install Trivy in a Debian based distribution. Read more https://aquasecurity.github.io/trivy/v0.18.3/quickstart/
sudo apt-get -y install wget apt-transport-https gnupg lsbrelease
wget -qO - https://aquasecurity.github.io/trivyrepo/ deb/public.key | sudo apt-key add
echo deb https://aquasecurity.github.io/trivy-repo/deb
(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get -y install trivy
Once installed, we can see the options it offers with the -h option:
trivy -h
Scan image using trivy
When analyzing the image, we see the vulnerabilities that have been detected and the information related to the vulnerable packages and libraries, organized by level of criticality:
trivy image ubuntu:18.04
Dagda
Dagda is a tool to perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in docker images/containers and to monitor the docker daemon and running docker containers for detecting anomalous activities.
The project can be found in the GitHub repository at https://github.com/eliasgranderubio/dagda.
git clone https://github.com/eliasgranderubio/dagda.git
cd dagda
pip3 install -r requirements.txt
Installation of MongoDb
docker pull mongo
docker run -d -p 27017:27017 mongo
Installation of kernel headers in the host OS
You must have installed the kernel headers in the host OS because Dagda is integrated with Falco for monitoring running docker containers to detect anomalous activities.
apt-get -y install linux-headers-$(uname -r)
Usage
You must run python3 dagda.py start
for starting the Dagda server. See the start sub-command in the wiki page for details.
After the Dagda server started and before the Dagda CLI usage, you must set the next environment variables as you need:
export DAGDA_HOST='127.0.0.1'
export DAGDA_PORT=5000
Although in this usage documentation only the CLI usage is shown, Dagda has a REST API for using it. See REST API documentation page for details.
Populating the database
For the initial run, you need to populate the vulnerabilities and the exploits in the database by running:
python3 dagda.py vuln --init
Analyzing docker images/containers
python3 dagda.py check --docker_image django:latest