Docker 취약점 분석 - trivy(작성중)

* docker container로부터 이미지를 작성, 또는 tar 파일로 출력 
* 추출한 이미지 파일 또는 tar파일에 대한 Hash 값 생성 및 보관
* 분석할 host에서 추출한 이미지를 복사한 후 md5 값 확인
* 이미지를 컨테이너로 동작 시킴
* trivy를 통해 분석 진행

 

참고 URL : https://anchore.freshdesk.com/support/solutions/articles/36000020729-install-with-docker-compose

Install with Docker Compose

Created by: Info

Modified on: Thu, 15 Nov, 2018 at 10:04 AM

---

 

The Anchore Engine can be run using Docker Compose. A sample Docker Compose file is provided that runs both the Anchore Engine and PostgreSQL database as containers.

 

1. Set up a working directory for your configuration and data volumes

   HTML

   # mkdir ~/aevolume

   # mkdir ~/aevolume/config

   # mkdir ~/aevolume/db

   # cd ~/aevolume

    

2. Download the docker-compose.yaml and config.yaml files from the scripts/docker-compose directory of the github project. 

    

   # curl https://raw.githubusercontent.com/anchore/anchore-engine/master/scripts/docker-compose/docker-compose.yaml -o ~/aevolume/docker-compose.yaml

   # curl https://raw.githubusercontent.com/anchore/anchore-engine/master/scripts/docker-compose/config.yaml -o ~/aevolume/config/config.yaml

    

3. Your ~/aevolume directory should now look like this: 

   HTML

   # cd ~/aevolume

   # find .

   .

   ./config

   ./config/config.yaml

   ./db

   ./docker-compose.yaml

    

    

4. (Optional) Review the default docker-compose.yaml and config.yaml files to modify any particular settings for your environment (not necessary for quickstart)

5. Run 'docker-compose pull' to instruct Docker to download the required container images from DockerHub. 

   HTML

   docker-compose pull

    

    

6. Start the Anchore Engine 

   Note: This command should be run from the directory container docker-compose.yaml 

   HTML

   docker-compose up -d

   https://bcho.tistory.com/1309

    

7. Verify that your DB and service containers are up and then run an anchore-cli command to verify system status: 

   HTML

   # docker-compose ps

   Name Command State Ports

   -------------------------------------------------------------------------------------------------------------------

   aevolume_anchore-db_1 docker-entrypoint.sh postgres Up 5432/tcp

   aevolume_anchore-engine_1 /bin/sh -c /usr/bin/anchor ... Up 0.0.0.0:8228->8228/tcp, 0.0.0.0:8338->8338/tcp

    

   # docker-compose exec anchore-engine anchore-cli --u admin --p foobar system status

   Service simplequeue (dockerhostid-anchore-engine, http://anchore-engine:8083): up

   Service apiext (dockerhostid-anchore-engine, http://anchore-engine:8228): up

   Service kubernetes_webhook (dockerhostid-anchore-engine, http://anchore-engine:8338): up

   Service analyzer (dockerhostid-anchore-engine, http://anchore-engine:8084): up

   Service policy_engine (dockerhostid-anchore-engine, http://anchore-engine:8087): up

   Service catalog (dockerhostid-anchore-engine, http://anchore-engine:8082): up

    

   Engine DB Version: 0.0.8

   Engine Code Version: 0.3.0

    

    

8. The first time you run anchore-engine, it will take some time to perform its initial data feed sync (vulnerability data download).  Subsequently, anchore-engine will only sync data changes and thus you will only have to wait the very first time you start the engine.  You can watch the status of your feed sync with anchore-cli:mmand to verify system status: 

   HTML

   # docker-compose exec anchore-engine anchore-cli --u admin --p foobar system feeds list

   Feed Group LastSync RecordCount

   vulnerabilities alpine:3.3 2018-11-06T22:41:32.151772Z 457

   vulnerabilities alpine:3.4 2018-11-06T22:41:38.110987Z 594

   vulnerabilities alpine:3.5 2018-11-06T22:41:46.316811Z 857

   vulnerabilities alpine:3.6 2018-11-06T22:41:55.170845Z 871

   vulnerabilities alpine:3.7 2018-11-06T22:42:04.039058Z 889

   vulnerabilities alpine:3.8 2018-11-06T22:42:13.644172Z 972

   vulnerabilities centos:5 2018-11-06T22:42:43.967110Z 1322

   vulnerabilities centos:6 2018-11-06T22:43:15.459474Z 1307

   vulnerabilities centos:7 2018-11-06T22:43:43.976151Z 726

   vulnerabilities debian:10 None 0

   vulnerabilities debian:7 None 0

   vulnerabilities debian:8 None 0

   vulnerabilities debian:9 None 0

   vulnerabilities debian:unstable None 0

   vulnerabilities ol:5 None 0

   vulnerabilities ol:6 None 0

   vulnerabilities ol:7 None 0

   vulnerabilities ubuntu:12.04 None 0

   vulnerabilities ubuntu:12.10 None 0

   vulnerabilities ubuntu:13.04 None 0

   vulnerabilities ubuntu:14.04 None 0

   vulnerabilities ubuntu:14.10 None 0

   vulnerabilities ubuntu:15.04 None 0

   vulnerabilities ubuntu:15.10 None 0

   vulnerabilities ubuntu:16.04 None 0

   vulnerabilities ubuntu:16.10 None 0

   vulnerabilities ubuntu:17.04 None 0

   vulnerabilities ubuntu:17.10 None 0

   vulnerabilities ubuntu:18.04 None 0

    

   As soon as all the feeds show a non-zero RecordCount , then the feeds are all synced and the system is ready to generate vulnerability reports.  You can add images right away, but you will not see any vulnerability scan resultsuntil the vulnerability data feeds are synced.

1. Start using the anchore-engine service to analyze images - a short example follows 

HTML

 

1) 컨테이너 이미지를 anchore에 추가 (docker-compose.yml이 있는 경로에 가서 실행)

# docker-compose exec anchore-engine anchore-cli --u admin --p foobar image add

docker.io/library/debian:7

 

• 컨테이너 이미지를 추가하여 스캔필요

 

 

2) anchore는 등록된 이미지를 자동으로 스캔

# docker-compose exec anchore-engine anchore-cli --u admin --p foobar image get docker.io/library/debian:7 | grep 'Analysis Status'

Analysis Status: analyzing

 

# docker-compose exec anchore-engine anchore-cli --u admin --p foobar image get docker.io/library/debian:7 | grep 'Analysis Status'

Analysis Status: analyzing

 

# docker-compose exec anchore-engine anchore-cli --u admin --p foobar image get docker.io/library/debian:7 | grep 'Analysis Status'

Analysis Status: analyzed

 

3) 스캔이 끝나면, 발견된 보안취약점과 상세 내용을 확인할 수 있음

# docker-compose exec anchore-engine anchore-cli --u admin --p foobar image vuln docker.io/library/debian:7 all

Vulnerability ID Package Severity Fix Vulnerability URL

CVE-2005-2541 tar-1.26+dfsg-0.1+deb7u1 Negligible None https://security-tracker.debian.org/tracker/CVE-2005-2541

CVE-2007-5686 login-1:4.1.5.1-1+deb7u1 Negligible None https://security-tracker.debian.org/tracker/CVE-2007-5686

CVE-2007-5686 passwd-1:4.1.5.1-1+deb7u1 Negligible None https://security-tracker.debian.org/tracker/CVE-2007-5686

CVE-2007-6755 libssl1.0.0-1.0.1t-1+deb7u4 Negligible None https://security-tracker.debian.org/tracker/CVE-2007-6755

...

...

...

 

# docker-compose exec anchore-engine anchore-cli --u admin --p foobar evaluate check docker.io/library/debian:7

Image Digest: sha256:92d507d81bd3b0459b121215f6f9d8249bb154c8b65e041942745dcc6309a7b5

Full Tag: docker.io/library/debian:7

Status: pass

Last Eval: 2018-11-06T22:51:47Z

Policy ID: 2c53a13c-1765-11e8-82ef-23527761d060

 

 

Stopping the Anchore Engine 

Note: This command should be run from the directory containing docker-compose.yaml 

HTML

docker-compose down --volumes