
Docker Security Configuration Tutorial: Image Security Settings


Clair, from CoreOS, implements a RESTful service. Like the tool above, it periodically syncs vulnerability data from the various sources; a client then sends an image to Clair, Clair extracts the software packages in the image, and if a package has a known vulnerability Clair can call a webhook to notify an external service. My understanding is that Clair is not a complete solution on its own, but it is easy to integrate into your own workflow. Unfortunately it is still rather niche at the moment,
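To make that workflow concrete, here is an added example (my own illustration, not code from the post or from the Clair project) of the Clair v1 REST calls a client makes and a simple policy gate over the result, i.e. the "integrate Clair into your own workflow" step the post leaves open. CLAIR_URL, the blob URL, the layer digests and the sample JSON response (with CVE-EXAMPLE-* placeholders) are all constructed; the request and response shapes follow Clair's v1 API (POST /v1/layers, GET /v1/layers/<name>?features&vulnerabilities).

```python
import json
import urllib.request
from collections import Counter

# Assumed address of the Clair API (the compose file's default API port is 6060).
CLAIR_URL = "http://localhost:6060"

# Severity names as Clair reports them, ranked so findings can be sorted and gated.
SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2, "Medium": 3,
                 "High": 4, "Critical": 5, "Defcon1": 6}


def layer_push_payloads(layer_digests, blob_base_url):
    """Build one POST /v1/layers body per layer, oldest layer first.

    Clair indexes each layer tarball on its own and uses ParentName to chain
    them, so the top layer ends up describing the whole image's packages.
    """
    payloads, parent = [], ""
    for digest in layer_digests:
        payloads.append({"Layer": {
            "Name": digest,
            "Path": f"{blob_base_url}/{digest}",  # URL Clair fetches the layer tar from
            "ParentName": parent,
            "Format": "Docker",
        }})
        parent = digest
    return payloads


def push_layers(payloads):
    """POST each payload to Clair. Network call; not executed at import time."""
    for body in payloads:
        req = urllib.request.Request(
            f"{CLAIR_URL}/v1/layers",
            data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json"},
        )
        urllib.request.urlopen(req).read()


def fetch_layer(layer_name):
    """GET the top layer with its features and vulnerabilities. Network call."""
    url = f"{CLAIR_URL}/v1/layers/{layer_name}?features&vulnerabilities"
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)


def summarize(layer_json):
    """Flatten Clair's nested Features/Vulnerabilities into
    (package, vulnerability, severity, link) tuples, most severe first."""
    findings = []
    for feature in layer_json["Layer"].get("Features", []):
        for vuln in feature.get("Vulnerabilities", []):
            findings.append((f'{feature["Name"]} {feature["Version"]}',
                             vuln["Name"],
                             vuln.get("Severity", "Unknown"),
                             vuln.get("Link", "")))
    findings.sort(key=lambda f: SEVERITY_RANK.get(f[2], 0), reverse=True)
    return findings


def severity_counts(findings):
    """Count findings per severity, e.g. {'High': 1, 'Medium': 1}."""
    return dict(Counter(f[2] for f in findings))


def gate(findings, threshold="High"):
    """Policy decision: (passed, offenders). Fails on any finding at or above threshold."""
    limit = SEVERITY_RANK[threshold]
    offenders = [f for f in findings if SEVERITY_RANK.get(f[2], 0) >= limit]
    return not offenders, offenders


# Constructed sample in the shape Clair returns for a layer query; the package
# versions and CVE-EXAMPLE-* identifiers are placeholders, not real advisories.
SAMPLE_RESPONSE = {"Layer": {
    "Name": "sha256:constructed-top-layer",
    "Features": [
        {"Name": "openssl", "Version": "1.0.1t-1", "Vulnerabilities": [
            {"Name": "CVE-EXAMPLE-0001", "Severity": "High", "Link": "https://example.invalid/1"},
            {"Name": "CVE-EXAMPLE-0002", "Severity": "Low", "Link": "https://example.invalid/2"}]},
        {"Name": "bash", "Version": "4.3-11", "Vulnerabilities": [
            {"Name": "CVE-EXAMPLE-0003", "Severity": "Medium", "Link": "https://example.invalid/3"}]},
        {"Name": "zlib", "Version": "1.2.8", "Vulnerabilities": []},
    ],
}}

if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_layer(...) against a live Clair.
    found = summarize(SAMPLE_RESPONSE)
    print(severity_counts(found))
    passed, offenders = gate(found)
    print("gate:", "PASS" if passed else "FAIL", [o[1] for o in offenders])
```

Clair indexes layers individually, so each layer is registered with its ParentName and only the top layer is queried afterwards; its Features carry the vulnerabilities for the whole chain. gate() is the place to put the policy decision that, as the post says, Clair itself leaves to the surrounding workflow (a CI step failing the build, or the webhook consumer raising a ticket).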


Installation and configuration

yum install epel-release && yum install -y python-pip rpm-python dpkg
pip install anchore
anchore feeds sync

Usage

# analyze a local image
anchore analyze --image ubuntu:latest --imagetype base
# generate a report from the analysis results
anchore gate --image ubuntu:latest
The report shows where the vulnerabilities are, together with a link for each vulnerability.

Prepare the sample config file

mkdir -p clair/clair_config/
curl -L https://raw.githubusercontent.com/coreos/clair/master/config.example.yaml -o clair/clair_config/config.yaml
Edit the database settings: vi clair/clair_config/config.yaml

source: host=postgres port=5432 user=postgres password=password sslmode=disable statement_timeout=60000
Prepare the compose file

cd clair
curl -L https://raw.githubusercontent.com/coreos/clair/master/docker-compose.yml -o docker-compose.yml
Start it

docker-compose up -d
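Before bringing the stack up it is worth checking the source line you just edited, since the sample leaves password=password and sslmode=disable in place. The following is an added example (not part of the post or of Clair) that parses a config.yaml laid out like the upstream config.example.yaml, flags those two settings, and can probe Clair's health endpoint once the containers are running. CONFIG_PATH is the path used in the post; HEALTH_URL assumes Clair's default health port 6061; SAMPLE_CONFIG and HARDENED_SOURCE are constructed. Note that sslmode=require only works if the Postgres side has TLS enabled, which the stock compose image does not; on a compose-internal network many teams keep sslmode=disable and change only the password.

```python
import re
import urllib.request

CONFIG_PATH = "clair/clair_config/config.yaml"  # path used in the post
HEALTH_URL = "http://localhost:6061/health"      # assumed: Clair's default health port

# Values a practitioner would treat as "never left in place".
WEAK_PASSWORDS = {"", "password", "postgres", "changeme"}
# libpq sslmode values that do not require an encrypted connection.
NON_TLS_SSLMODES = {"disable", "allow", "prefer"}


def extract_source(config_text):
    """Return the value of the first 'source:' key in the YAML text."""
    match = re.search(r"^\s*source:\s*(.+?)\s*$", config_text, re.MULTILINE)
    if not match:
        raise ValueError("no database source line found in config")
    return match.group(1)


def parse_source(source):
    """Parse a libpq-style 'key=value key=value' connection string into a dict."""
    params = {}
    for pair in source.split():
        key, _, value = pair.partition("=")
        params[key] = value
    return params


def check_source(source):
    """Return a list of problems with the connection string (empty means it passes)."""
    params = parse_source(source)
    problems = []
    if params.get("password", "") in WEAK_PASSWORDS:
        problems.append("database password is empty or a default value")
    sslmode = params.get("sslmode", "disable")  # libpq's own default is 'prefer'; treat absent as weak
    if sslmode in NON_TLS_SSLMODES:
        problems.append(f"sslmode={sslmode} does not require TLS to Postgres")
    return problems


def check_config_file(path=CONFIG_PATH):
    """Run check_source over the config file at 'path'."""
    with open(path, encoding="utf-8") as fh:
        return check_source(extract_source(fh.read()))


def clair_healthy(url=HEALTH_URL, timeout=5):
    """True when Clair's health endpoint answers 200. Network call; not run at import."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200
    except OSError:
        return False


# Constructed sample in the layout of the upstream config.example.yaml, with the
# source line exactly as edited in the post.
SAMPLE_CONFIG = """\
clair:
  database:
    type: pgsql
    options:
      source: host=postgres port=5432 user=postgres password=password sslmode=disable statement_timeout=60000
"""

# The same line with a dedicated role, a placeholder for a generated secret, and TLS required.
HARDENED_SOURCE = ("host=postgres port=5432 user=clair "
                   "password=REPLACE-WITH-GENERATED-SECRET sslmode=require statement_timeout=60000")

if __name__ == "__main__":
    print("sample config:", check_source(extract_source(SAMPLE_CONFIG)))
    print("hardened line:", check_source(HARDENED_SOURCE))
    # After docker-compose up -d, this should turn True once Clair has started:
    print("clair healthy:", clair_healthy())
```

Run check_config_file() before docker-compose up, and clair_healthy() afterwards; Clair takes a while on first start because it has to populate the vulnerability database.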


As I mentioned above, Clair only exposes an API, so it is not that convenient to use on its own. On GitHub I found the client tool clairctl, which makes it easy to try out Clair's features.

Install clairctl

go get github.com/jgsqware/clairctl
cd ~/go/src/github.com/jgsqware/clairctl
go build
cp clairctl /usr/local/bin/
Analyze an image

Check that clairctl can reach Clair

~ clairctl health

Clair: ✔
Push the image to Clair

~ clairctl push -l mongo
mongo:latest has been pushed to Clair
Analyze the image for vulnerabilities

~ clairctl analyze mongo

Image: docker.io/mongo:latest
 11 layers found

  ➜ Analysis [sha256:bb0dc] found 36 vulnerabilities.
  ➜ Analysis [sha256:2369c] found 36 vulnerabilities.
  ➜ Analysis [sha256:ef2c7] found 36 vulnerabilities.
  ➜ Analysis [sha256:9504d] found 36 vulnerabilities.
  ➜ Analysis [sha256:7584b] found 34 vulnerabilities.
  ➜ Analysis [sha256:081d7] found 34 vulnerabilities.
  ➜ Analysis [sha256:b394c] found 34 vulnerabilities.
  ➜ Analysis [sha256:a647e] found 34 vulnerabilities.
  ➜ Analysis [sha256:90df9] found 34 vulnerabilities.
  ➜ Analysis [sha256:b03f9] found 34 vulnerabilities.
  ➜ Analysis [sha256:e45e8] found 34 vulnerabilities.
Generate the vulnerability report

~ clairctl report mongo
HTML report at reports/html/analysis-mongo-latest.html
Others

Open Source Solution

OpenSCAP/Atomic scan
CommerciAl Solution