kkamagi's story

IT, 정보보안, 포렌식, 일상 공유

Docker

Docker 취약점 분석 - trivy(작성중)

까마기 2020. 1. 10. 10:49
728x90
반응형

* docker container로부터 이미지를 작성, 또는 tar 파일로 출력 
* 추출한 이미지 파일 또는 tar파일에 대한 Hash 값 생성 및 보관
* 분석할 host에서 추출한 이미지를 복사한 후 md5 값 확인
* 이미지를 컨테이너로 동작 시킴
* trivy를 통해 분석 진행

 

참고 URL : https://anchore.freshdesk.com/support/solutions/articles/36000020729-install-with-docker-compose

Install with Docker Compose

Created by: Info

Modified on: Thu, 15 Nov, 2018 at 10:04 AM

 

The Anchore Engine can be run using Docker Compose. A sample Docker Compose file is provided that runs both the Anchore Engine and PostgreSQL database as containers.

 

  1. Set up a working directory for your configuration and data volumes

    HTML

    # mkdir ~/aevolume

    # mkdir ~/aevolume/config

    # mkdir ~/aevolume/db

    # cd ~/aevolume

     

  2. Download the docker-compose.yaml and config.yaml files from the scripts/docker-compose directory of the github project. 

     

    # curl https://raw.githubusercontent.com/anchore/anchore-engine/master/scripts/docker-compose/docker-compose.yaml -o ~/aevolume/docker-compose.yaml

    # curl https://raw.githubusercontent.com/anchore/anchore-engine/master/scripts/docker-compose/config.yaml -o ~/aevolume/config/config.yaml

     

  3. Your ~/aevolume directory should now look like this: 

    HTML

    # cd ~/aevolume

    # find .

    .

    ./config

    ./config/config.yaml

    ./db

    ./docker-compose.yaml

     

     

  4. (Optional) Review the default docker-compose.yaml and config.yaml files to modify any particular settings for your environment (not necessary for quickstart)

  5. Run 'docker-compose pull' to instruct Docker to download the required container images from DockerHub. 

    HTML

    docker-compose pull

     

     

  6. Start the Anchore Engine 

    Note: This command should be run from the directory container docker-compose.yaml 

    HTML

    docker-compose up -d

    https://bcho.tistory.com/1309

     

  7. Verify that your DB and service containers are up and then run an anchore-cli command to verify system status: 

    HTML

    # docker-compose ps

    Name Command State Ports

    -------------------------------------------------------------------------------------------------------------------

    aevolume_anchore-db_1 docker-entrypoint.sh postgres Up 5432/tcp

    aevolume_anchore-engine_1 /bin/sh -c /usr/bin/anchor ... Up 0.0.0.0:8228->8228/tcp, 0.0.0.0:8338->8338/tcp

     

    # docker-compose exec anchore-engine anchore-cli --u admin --p foobar system status

    Service simplequeue (dockerhostid-anchore-engine, http://anchore-engine:8083): up

    Service apiext (dockerhostid-anchore-engine, http://anchore-engine:8228): up

    Service kubernetes_webhook (dockerhostid-anchore-engine, http://anchore-engine:8338): up

    Service analyzer (dockerhostid-anchore-engine, http://anchore-engine:8084): up

    Service policy_engine (dockerhostid-anchore-engine, http://anchore-engine:8087): up

    Service catalog (dockerhostid-anchore-engine, http://anchore-engine:8082): up

     

    Engine DB Version: 0.0.8

    Engine Code Version: 0.3.0

     

     

  8. The first time you run anchore-engine, it will take some time to perform its initial data feed sync (vulnerability data download).  Subsequently, anchore-engine will only sync data changes and thus you will only have to wait the very first time you start the engine.  You can watch the status of your feed sync with anchore-cli:mmand to verify system status: 

    HTML

    # docker-compose exec anchore-engine anchore-cli --u admin --p foobar system feeds list

    Feed Group LastSync RecordCount

    vulnerabilities alpine:3.3 2018-11-06T22:41:32.151772Z 457

    vulnerabilities alpine:3.4 2018-11-06T22:41:38.110987Z 594

    vulnerabilities alpine:3.5 2018-11-06T22:41:46.316811Z 857

    vulnerabilities alpine:3.6 2018-11-06T22:41:55.170845Z 871

    vulnerabilities alpine:3.7 2018-11-06T22:42:04.039058Z 889

    vulnerabilities alpine:3.8 2018-11-06T22:42:13.644172Z 972

    vulnerabilities centos:5 2018-11-06T22:42:43.967110Z 1322

    vulnerabilities centos:6 2018-11-06T22:43:15.459474Z 1307

    vulnerabilities centos:7 2018-11-06T22:43:43.976151Z 726

    vulnerabilities debian:10 None 0

    vulnerabilities debian:7 None 0

    vulnerabilities debian:8 None 0

    vulnerabilities debian:9 None 0

    vulnerabilities debian:unstable None 0

    vulnerabilities ol:5 None 0

    vulnerabilities ol:6 None 0

    vulnerabilities ol:7 None 0

    vulnerabilities ubuntu:12.04 None 0

    vulnerabilities ubuntu:12.10 None 0

    vulnerabilities ubuntu:13.04 None 0

    vulnerabilities ubuntu:14.04 None 0

    vulnerabilities ubuntu:14.10 None 0

    vulnerabilities ubuntu:15.04 None 0

    vulnerabilities ubuntu:15.10 None 0

    vulnerabilities ubuntu:16.04 None 0

    vulnerabilities ubuntu:16.10 None 0

    vulnerabilities ubuntu:17.04 None 0

    vulnerabilities ubuntu:17.10 None 0

    vulnerabilities ubuntu:18.04 None 0

     

    As soon as all the feeds show a non-zero RecordCount , then the feeds are all synced and the system is ready to generate vulnerability reports.  You can add images right away, but you will not see any vulnerability scan resultsuntil the vulnerability data feeds are synced.

  1. Start using the anchore-engine service to analyze images - a short example follows 

HTML

 

1) 컨테이너 이미지를 anchore에 추가 (docker-compose.yml이 있는 경로에 가서 실행)

# docker-compose exec anchore-engine anchore-cli --u admin --p foobar image add

docker.io/library/debian:7

 

  • 컨테이너 이미지를 추가하여 스캔필요

 

 

2) anchore는 등록된 이미지를 자동으로 스캔

# docker-compose exec anchore-engine anchore-cli --u admin --p foobar image get docker.io/library/debian:7 | grep 'Analysis Status'

Analysis Status: analyzing

 

# docker-compose exec anchore-engine anchore-cli --u admin --p foobar image get docker.io/library/debian:7 | grep 'Analysis Status'

Analysis Status: analyzing

 

# docker-compose exec anchore-engine anchore-cli --u admin --p foobar image get docker.io/library/debian:7 | grep 'Analysis Status'

Analysis Status: analyzed

 

3) 스캔이 끝나면, 발견된 보안취약점과 상세 내용을 확인할 수 있음

# docker-compose exec anchore-engine anchore-cli --u admin --p foobar image vuln docker.io/library/debian:7 all

Vulnerability ID Package Severity Fix Vulnerability URL

CVE-2005-2541 tar-1.26+dfsg-0.1+deb7u1 Negligible None https://security-tracker.debian.org/tracker/CVE-2005-2541

CVE-2007-5686 login-1:4.1.5.1-1+deb7u1 Negligible None https://security-tracker.debian.org/tracker/CVE-2007-5686

CVE-2007-5686 passwd-1:4.1.5.1-1+deb7u1 Negligible None https://security-tracker.debian.org/tracker/CVE-2007-5686

CVE-2007-6755 libssl1.0.0-1.0.1t-1+deb7u4 Negligible None https://security-tracker.debian.org/tracker/CVE-2007-6755

...

...

...

 

# docker-compose exec anchore-engine anchore-cli --u admin --p foobar evaluate check docker.io/library/debian:7

Image Digest: sha256:92d507d81bd3b0459b121215f6f9d8249bb154c8b65e041942745dcc6309a7b5

Full Tag: docker.io/library/debian:7

Status: pass

Last Eval: 2018-11-06T22:51:47Z

Policy ID: 2c53a13c-1765-11e8-82ef-23527761d060

 

 

Stopping the Anchore Engine 

Note: This command should be run from the directory containing docker-compose.yaml 

HTML

docker-compose down --volumes

 

 

 

 

 

 

 

반응형
저작자표시 비영리 변경금지

'Docker' 카테고리의 다른 글

docker mariadb 설치하고 접속해보기  (0) 2020.01.30
[Docker] GUI 모드로 Image 설치 및 Docker Container 실행-Kitematic  (0) 2020.01.19
gogs docker 백업 및 복원하기(작성중)  (0) 2020.01.09
Docker Image 관리에 대한 모든 것  (0) 2020.01.09
ELK Docker 설치  (0) 2020.01.07

'Docker'의 다른글

  • 현재글Docker 취약점 분석 - trivy(작성중)

관련글

댓글

티스토리툴바