  • Anchore: a Docker security scanning tool

      This post is a short introduction to installing and using Anchore, a security scanning tool for Docker images.

    Preface

      The steps below were carried out on a CentOS 7.6 virtual machine.

    [root@localhost ~]# cat /etc/redhat-release
    CentOS Linux release 7.6.1810 (Core)

    Installing Docker

      The installation steps are as follows (see the first reference, "Docker 学习入门"):

    # yum remove docker docker-common docker-selinux                                            # remove any previous installation first
    # yum install -y yum-utils device-mapper-persistent-data lvm2                               # install dependencies
    # yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo     # configure the package repository
    # yum install docker-ce -y                                                                  # install docker
    # systemctl start docker                                                                    # start the docker service
    # systemctl enable docker                                                                   # start docker at boot
    # docker -v                                                                                 # show the docker version
    # docker info                                                                               # show detailed docker information

    Adding dpkg support

      Anchore's analyzers need dpkg to read the package database of Debian/Ubuntu-based images, so install it first:

    # yum install epel-release -y
    # yum install dpkg -y

    Installing Anchore

      Anchore requires Python. CentOS 7.6 already ships with python and pip, but pip may need to be upgraded first.

    # pip install --upgrade pip

      Step 1: install Anchore

    # pip install anchore

      Step 2: set the PATH environment variable (temporary; only applies to the current shell session)

    # export PATH=~/.local/bin:$PATH

      Step 3: check the anchore version

    # anchore --version

      Step 4: list the feeds and subscriptions

    [root@localhost ~]# anchore feeds list
    initializing feed metadata: ...
    Available:
      nvd:
        description: Feed record for type nvd
      nvdv2:
        description: Feed record for type nvdv2
      packages:
        description: Feed record for type packages
    Subscribed:
      vulnerabilities:
        description: Feed record for type vulnerabilities

      By default only the last one, the vulnerabilities feed, is subscribed.

      Step 5: sync the subscribed feed data

    [root@localhost ~]# anchore feeds sync
    syncing data for subscribed feed (vulnerabilities) ...
            syncing group data: debian:unstable: ...
            syncing group data: ubuntu:16.04: ...
            syncing group data: centos:6: ...
            syncing group data: centos:7: ...
            syncing group data: centos:5: ...
            syncing group data: amzn:2: ...
            syncing group data: ubuntu:14.04: ...
            syncing group data: centos:8: ...
            syncing group data: ubuntu:14.10: ...
            syncing group data: debian:11: ...
            syncing group data: debian:10: ...
            syncing group data: ubuntu:15.04: ...
            syncing group data: debian:9: ...
            syncing group data: debian:8: ...
            syncing group data: ubuntu:12.04: ...
            syncing group data: ubuntu:18.04: ...
            syncing group data: ubuntu:17.10: ...
            syncing group data: ubuntu:19.10: ...
            syncing group data: debian:7: ...
            syncing group data: ubuntu:16.10: ...
            syncing group data: alpine:3.3: ...
            syncing group data: alpine:3.4: ...
            syncing group data: alpine:3.5: ...
            syncing group data: alpine:3.6: ...
            syncing group data: alpine:3.7: ...
            syncing group data: alpine:3.8: ...
            syncing group data: alpine:3.9: ...
            syncing group data: ubuntu:13.04: ...
            syncing group data: ubuntu:15.10: ...
            syncing group data: alpine:3.10: ...
            syncing group data: ubuntu:12.10: ...
            syncing group data: ubuntu:18.10: ...
            syncing group data: ubuntu:17.04: ...
            syncing group data: ol:8: ...
            syncing group data: ol:7: ...
            syncing group data: ol:6: ...
            syncing group data: ol:5: ...
            syncing group data: ubuntu:19.04: ...
    skipping data sync for unsubscribed feed (nvd) ...
    skipping data sync for unsubscribed feed (nvdv2) ...
    skipping data sync for unsubscribed feed (packages) ...

      This step may take only ten minutes, or it may take much longer; I have not found a way to speed it up.

    Subscribing to additional feeds

      From anchore feeds --help we learn that there is a sub subcommand for subscribing to a feed. To add the nvd feed:

    [root@localhost ~]# anchore feeds sub nvd         # subscribe to the nvd feed; other feeds can be added the same way
    nvd: subscribed.
    [root@localhost ~]# anchore feeds list            # list the subscribed feeds
    Available:
      nvdv2:
        description: Feed record for type nvdv2
      packages:
        description: Feed record for type packages
    Subscribed:
      nvd:
        description: Feed record for type nvd      # nvd is now subscribed
      vulnerabilities:
        description: Feed record for type vulnerabilities

    [root@localhost ~]# anchore feeds sync        # sync again
    syncing data for subscribed feed (vulnerabilities) ...
            skipping group data: debian:unstable: already synced
            skipping group data: alpine:3.8: already synced
            skipping group data: ubuntu:16.04: already synced
            skipping group data: centos:6: already synced
            skipping group data: centos:7: already synced
            skipping group data: centos:5: already synced
            skipping group data: amzn:2: already synced
            skipping group data: ol:6: already synced
            skipping group data: centos:8: already synced
            skipping group data: ubuntu:14.10: already synced
            skipping group data: debian:11: already synced
            skipping group data: debian:10: already synced
            skipping group data: ubuntu:15.04: already synced
            skipping group data: debian:9: already synced
            skipping group data: debian:8: already synced
            skipping group data: ubuntu:12.04: already synced
            skipping group data: ubuntu:18.04: already synced
            skipping group data: ubuntu:17.10: already synced
            skipping group data: ubuntu:19.10: already synced
            skipping group data: debian:7: already synced
            skipping group data: ubuntu:16.10: already synced
            skipping group data: alpine:3.3: already synced
            skipping group data: alpine:3.4: already synced
            skipping group data: alpine:3.5: already synced
            skipping group data: alpine:3.6: already synced
            skipping group data: alpine:3.7: already synced
            skipping group data: ubuntu:14.04: already synced
            skipping group data: alpine:3.9: already synced
            skipping group data: ubuntu:15.10: already synced
            skipping group data: alpine:3.10: already synced
            skipping group data: ubuntu:12.10: already synced
            skipping group data: ubuntu:18.10: already synced
            skipping group data: ubuntu:17.04: already synced
            skipping group data: ol:8: already synced
            skipping group data: ol:7: already synced
            skipping group data: ubuntu:13.04: already synced
            skipping group data: ol:5: already synced
            skipping group data: ubuntu:19.04: already synced
    syncing data for subscribed feed (nvd) ...            # the nvd feed is now synced as well
            syncing group data: nvddb:2007: ...
            syncing group data: nvddb:2003: ...
            syncing group data: nvddb:2013: ...
            syncing group data: nvddb:2012: ...
            syncing group data: nvddb:2011: ...
            syncing group data: nvddb:2010: ...
            syncing group data: nvddb:2017: ...
            syncing group data: nvddb:2009: ...
            syncing group data: nvddb:2015: ...
            syncing group data: nvddb:2014: ...
            syncing group data: nvddb:2004: ...
            syncing group data: nvddb:2005: ...
            syncing group data: nvddb:2006: ...
            syncing group data: nvddb:2018: ...
            syncing group data: nvddb:2002: ...
            syncing group data: nvddb:2019: ...
            syncing group data: nvddb:2008: ...
            syncing group data: nvddb:2016: ...
    skipping data sync for unsubscribed feed (nvdv2) ...
    skipping data sync for unsubscribed feed (packages) ...

    Trying out the tool

      First pull an image, mysql:

    [root@localhost ~]# docker pull mysql
    [root@localhost ~]# docker images       # list all local images
    REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
    mysql               latest              c8ee894bd2bd        5 days ago          456MB
    nginx               latest              5a9061639d0a        5 days ago          126MB
    busybox             latest              19485c79a9bb        6 weeks ago         1.22MB

    Image analysis

      Analyze the mysql image.

    [root@localhost ~]# anchore analyze --image mysql
    Analyzing image: mysql
    c8ee894bd2bd: analyzing ...
    c8ee894bd2bd: analyzed.

    Generating a report

      Use the gate command to generate the analysis report; by default it is printed to the console.

      The gate command does not appear to offer an output-format option, so here I redirect its output to a file, mysql.html.

    [root@localhost ~]# anchore gate --image mysql > mysql.html
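      The steps above (check the feed subscriptions, subscribe to what is missing, sync, analyze, gate and save the report) can be wrapped in a small script so that the same scan is repeatable for any image. The script below is an example added to this page; it is not part of the Anchore project or the original post. It assumes the legacy anchore CLI used here, the "Available:" / "Subscribed:" layout of anchore feeds list shown above, and that anchore gate prints its report to standard output (as the redirection above relies on). The WANTED_FEEDS list and the report file naming are this example's own choices, and the embedded feed listing is a constructed sample copied from the format above so the parsing helpers can be exercised without an Anchore installation.

```shell
#!/bin/sh
# Example wrapper around the anchore CLI workflow described in this post.
# Added example; not part of Anchore. Assumes the legacy `anchore` CLI and the
# `anchore feeds list` output layout shown in the post.

# Feeds required before a scan is considered meaningful (assumption of this example).
WANTED_FEEDS="vulnerabilities nvd"

# Constructed sample of `anchore feeds list` output (same layout as in the post),
# used to exercise the parsing helpers offline.
SAMPLE_FEED_LIST='initializing feed metadata: ...
Available:
  nvd:
    description: Feed record for type nvd
  nvdv2:
    description: Feed record for type nvdv2
  packages:
    description: Feed record for type packages
Subscribed:
  vulnerabilities:
    description: Feed record for type vulnerabilities'

# feeds_in_section LISTING SECTION -> space-separated feed names under SECTION
# ("Available" or "Subscribed"). Feed names are the two-space-indented lines
# ending in ":" that follow the section header, up to the next unindented line.
feeds_in_section() {
    printf '%s\n' "$1" | awk -v want="$2:" '
        /^[^ ]/ { in_section = ($0 == want); next }
        in_section && /^  [^ ].*:$/ {
            sub(/^  /, ""); sub(/:$/, "")
            names = names (names ? " " : "") $0
        }
        END { print names }'
}

# missing_feeds LISTING -> those WANTED_FEEDS that are not in the Subscribed section
missing_feeds() {
    subscribed=" $(feeds_in_section "$1" Subscribed) "
    missing=""
    for f in $WANTED_FEEDS; do
        case "$subscribed" in
            *" $f "*) ;;
            *) missing="$missing${missing:+ }$f" ;;
        esac
    done
    printf '%s' "$missing"
}

# report_name IMAGE -> per-image report file name; "/" and ":" in the image
# reference are replaced with "_" so the name is a plain file name.
report_name() {
    printf '%s.gate.txt' "$(printf '%s' "$1" | tr '/:' '__')"
}

# ensure_feeds: subscribe to every missing feed, then sync (needs the anchore CLI).
ensure_feeds() {
    for f in $(missing_feeds "$(anchore feeds list)"); do
        anchore feeds sub "$f"
    done
    anchore feeds sync
}

# scan_image IMAGE: pull, analyze and gate the image, saving the gate output
# (the report the post redirects to mysql.html) to a per-image file.
scan_image() {
    img="$1"
    docker pull "$img" &&
    anchore analyze --image "$img" &&
    anchore gate --image "$img" > "$(report_name "$img")"
}

# Run the full workflow only when invoked with an image argument, e.g.
#   sh anchore_scan.sh mysql:latest
if [ -n "$1" ]; then
    ensure_feeds && scan_image "$1"
fi
```

      Keeping the feed check separate from the scan matters because a gate run against stale or missing feed data still produces a report; it just contains nothing to find. The helper functions are pure (they only parse text), so they can be checked without Docker or Anchore, while ensure_feeds and scan_image are the only places that call the real tools.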

    Viewing the report

      Open the mysql.html report to see the details.

      For a detailed description of the commands, use --help or see the second reference link. At the moment the tool does not feel quite mature yet.

    References

      Docker 学习入门 (Getting started with Docker): https://www.cnblogs.com/chiangchou/p/docker.html

      Docker安全自动化扫描工具对比测试 (A comparison test of automated Docker security scanning tools): https://blog.csdn.net/wutianxu123/article/details/83216219

    That's all!

  • Original URL: https://www.cnblogs.com/Hi-blog/p/Docker-Scanner-Tool-Anchore.html