This post gives a brief introduction to installing and using Anchore, a Docker image security scanning tool.
Preface
The steps below were carried out on a CentOS 7.6 virtual machine.
[root@localhost ~]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
Installing Docker
The installation steps are as follows (see the reference "Docker 學習入門" below):
# yum remove docker docker-common docker-selinux   # remove any earlier installation first
# yum install -y yum-utils device-mapper-persistent-data lvm2   # install dependencies
# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo   # add the package repository
# yum install docker-ce -y   # install Docker
# systemctl start docker   # start the Docker service
# systemctl enable docker   # start Docker on boot
# docker -v   # show the Docker version
# docker info   # show detailed Docker information
Adding dpkg support
# yum install epel-release -y
# yum install dpkg -y
Installing Anchore
Anchore requires Python. CentOS 7.6 ships with Python and pip, but pip may need to be upgraded first.
# pip install --upgrade pip
Step 1: Install Anchore
# pip install anchore
Step 2: Set the PATH environment variable (temporary, for the current shell only)
# export PATH=~/.local/bin:$PATH
Step 3: Check the Anchore version
# anchore --version
Step 4: List the feeds
[root@localhost ~]# anchore feeds list
initializing feed metadata: ...
Available:
nvd: description: Feed record for type nvd
nvdv2: description: Feed record for type nvdv2
packages: description: Feed record for type packages
Subscribed:
vulnerabilities: description: Feed record for type vulnerabilities
By default only the last one (vulnerabilities) is subscribed.
Step 5: Sync the subscribed feeds
[root@localhost ~]# anchore feeds sync
syncing data for subscribed feed (vulnerabilities) ...
syncing group data: debian:unstable: ...
syncing group data: ubuntu:16.04: ...
syncing group data: centos:6: ...
syncing group data: centos:7: ...
syncing group data: centos:5: ...
syncing group data: amzn:2: ...
syncing group data: ubuntu:14.04: ...
syncing group data: centos:8: ...
syncing group data: ubuntu:14.10: ...
syncing group data: debian:11: ...
syncing group data: debian:10: ...
syncing group data: ubuntu:15.04: ...
syncing group data: debian:9: ...
syncing group data: debian:8: ...
syncing group data: ubuntu:12.04: ...
syncing group data: ubuntu:18.04: ...
syncing group data: ubuntu:17.10: ...
syncing group data: ubuntu:19.10: ...
syncing group data: debian:7: ...
syncing group data: ubuntu:16.10: ...
syncing group data: alpine:3.3: ...
syncing group data: alpine:3.4: ...
syncing group data: alpine:3.5: ...
syncing group data: alpine:3.6: ...
syncing group data: alpine:3.7: ...
syncing group data: alpine:3.8: ...
syncing group data: alpine:3.9: ...
syncing group data: ubuntu:13.04: ...
syncing group data: ubuntu:15.10: ...
syncing group data: alpine:3.10: ...
syncing group data: ubuntu:12.10: ...
syncing group data: ubuntu:18.10: ...
syncing group data: ubuntu:17.04: ...
syncing group data: ol:8: ...
syncing group data: ol:7: ...
syncing group data: ol:6: ...
syncing group data: ol:5: ...
syncing group data: ubuntu:19.04: ...
skipping data sync for unsubscribed feed (nvd) ...
skipping data sync for unsubscribed feed (nvdv2) ...
skipping data sync for unsubscribed feed (packages) ...
This step may take only ten minutes or considerably longer; I have not found a way to speed it up.
Subscribing to additional feeds
From anchore feeds --help we learn that the sub subcommand subscribes to a feed. To add the nvd feed:
[root@localhost ~]# anchore feeds sub nvd   # subscribe to the nvd feed; other feeds can be added the same way
nvd: subscribed.
[root@localhost ~]# anchore feeds list   # list the subscribed feeds
Available:
nvdv2: description: Feed record for type nvdv2
packages: description: Feed record for type packages
Subscribed:
nvd: description: Feed record for type nvd   # nvd is now subscribed
vulnerabilities: description: Feed record for type vulnerabilities
[root@localhost ~]# anchore feeds sync   # sync the updates
syncing data for subscribed feed (vulnerabilities) ...
skipping group data: debian:unstable: already synced
skipping group data: alpine:3.8: already synced
skipping group data: ubuntu:16.04: already synced
skipping group data: centos:6: already synced
skipping group data: centos:7: already synced
skipping group data: centos:5: already synced
skipping group data: amzn:2: already synced
skipping group data: ol:6: already synced
skipping group data: centos:8: already synced
skipping group data: ubuntu:14.10: already synced
skipping group data: debian:11: already synced
skipping group data: debian:10: already synced
skipping group data: ubuntu:15.04: already synced
skipping group data: debian:9: already synced
skipping group data: debian:8: already synced
skipping group data: ubuntu:12.04: already synced
skipping group data: ubuntu:18.04: already synced
skipping group data: ubuntu:17.10: already synced
skipping group data: ubuntu:19.10: already synced
skipping group data: debian:7: already synced
skipping group data: ubuntu:16.10: already synced
skipping group data: alpine:3.3: already synced
skipping group data: alpine:3.4: already synced
skipping group data: alpine:3.5: already synced
skipping group data: alpine:3.6: already synced
skipping group data: alpine:3.7: already synced
skipping group data: ubuntu:14.04: already synced
skipping group data: alpine:3.9: already synced
skipping group data: ubuntu:15.10: already synced
skipping group data: alpine:3.10: already synced
skipping group data: ubuntu:12.10: already synced
skipping group data: ubuntu:18.10: already synced
skipping group data: ubuntu:17.04: already synced
skipping group data: ol:8: already synced
skipping group data: ol:7: already synced
skipping group data: ubuntu:13.04: already synced
skipping group data: ol:5: already synced
skipping group data: ubuntu:19.04: already synced
syncing data for subscribed feed (nvd) ...   # syncing the nvd subscription
syncing group data: nvddb:2007: ...
syncing group data: nvddb:2003: ...
syncing group data: nvddb:2013: ...
syncing group data: nvddb:2012: ...
syncing group data: nvddb:2011: ...
syncing group data: nvddb:2010: ...
syncing group data: nvddb:2017: ...
syncing group data: nvddb:2009: ...
syncing group data: nvddb:2015: ...
syncing group data: nvddb:2014: ...
syncing group data: nvddb:2004: ...
syncing group data: nvddb:2005: ...
syncing group data: nvddb:2006: ...
syncing group data: nvddb:2018: ...
syncing group data: nvddb:2002: ...
syncing group data: nvddb:2019: ...
syncing group data: nvddb:2008: ...
syncing group data: nvddb:2016: ...
skipping data sync for unsubscribed feed (nvdv2) ...
skipping data sync for unsubscribed feed (packages) ...
Testing the tool
First pull an image, mysql:
[root@localhost ~]# docker pull mysql
[root@localhost ~]# docker images   # list all local images
REPOSITORY   TAG      IMAGE ID       CREATED       SIZE
mysql        latest   c8ee894bd2bd   5 days ago    456MB
nginx        latest   5a9061639d0a   5 days ago    126MB
busybox      latest   19485c79a9bb   6 weeks ago   1.22MB
Image analysis
Analyze the mysql image.
[root@localhost ~]# anchore analyze --image mysql
Analyzing image: mysql
c8ee894bd2bd: analyzing ...
c8ee894bd2bd: analyzed.
Generating the report
Use the gate command to generate the analysis report; by default it is printed to the console.
The gate command does not appear to offer an output-format option, so here I redirect its output to a file named mysql.html.
[root@localhost ~]# anchore gate --image mysql > mysql.html
Viewing the report
Open mysql.html to view the report contents.
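The analyze and gate steps above are easy to chain for several images at once. The script below is an added example, not code from the original post or from the Anchore project: it analyzes each image, saves each gate report under a report directory, and reports a failure when any image's gate result is STOP. The variable names ANCHORE_CMD and REPORT_DIR are my own, and the mapping of gate exit codes (0 for GO, 1 for STOP, 2 for WARN) is an assumption to confirm with anchore gate --help.

```shell
#!/bin/sh
# Added example (not from the original post): scan a list of images with the
# anchore CLI commands shown above and fail if any image's gate check says STOP.
# Assumptions: ANCHORE_CMD and REPORT_DIR are overridable; `anchore gate` exits
# 0 for GO, 1 for STOP, 2 for WARN (confirm with `anchore gate --help`).
set -u

ANCHORE_CMD="${ANCHORE_CMD:-anchore}"
REPORT_DIR="${REPORT_DIR:-./anchore-reports}"

# Map a gate exit code to its verdict string.
gate_verdict() {
  case "$1" in
    0) echo GO ;;
    1) echo STOP ;;
    2) echo WARN ;;
    *) echo ERROR ;;
  esac
}

# Analyze one image, run the gates, and save the gate output under REPORT_DIR
# (the post does this by hand: anchore gate --image mysql > mysql.html).
# Prints "<image> <verdict>"; returns 0 only for GO or WARN.
scan_image() {
  image="$1"
  safe_name=$(printf '%s' "$image" | tr '/:' '__')   # repo/img:tag -> repo_img_tag
  mkdir -p "$REPORT_DIR"
  if ! "$ANCHORE_CMD" analyze --image "$image" >/dev/null 2>&1; then
    echo "$image ERROR"
    return 1
  fi
  if "$ANCHORE_CMD" gate --image "$image" >"$REPORT_DIR/$safe_name.txt" 2>&1; then
    rc=0
  else
    rc=$?
  fi
  verdict=$(gate_verdict "$rc")
  echo "$image $verdict"
  [ "$verdict" = GO ] || [ "$verdict" = WARN ]
}

# Scan every image given; return 1 if any image ended in STOP or ERROR.
scan_images() {
  failed=0
  for img in "$@"; do
    scan_image "$img" || failed=1
  done
  return "$failed"
}
```

Source the file and call scan_images mysql nginx busybox; a nonzero return means at least one image received STOP or failed to analyze, which is the signal a CI job would act on.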
For a detailed description of the commands, use --help or see the second reference link. My impression is that this tool is not ideal yet.
References
Docker 學習入門 (Getting started with Docker): https://www.cnblogs.com/chiangchou/p/docker.html
Docker安全自動化掃描工具對比測試 (Comparison of automated Docker security scanning tools): https://blog.csdn.net/wutianxu123/article/details/83216219
That's all!