Methods and examples of implementing Docker security check tools

Hello, Habr!

Today, with containerisation playing an ever larger role in development processes, ensuring the security of the various stages and entities involved with containers is far from a minor concern. Performing these checks by hand is time-consuming, so it is worth taking at least the first steps towards automating the process.

In this article I will share ready-made scripts for running several Docker security tools, along with instructions for deploying a small demo stand on which to try the process out. You can use the material to experiment with how to organise security testing of images and Dockerfile instructions. Obviously every development and deployment infrastructure is different, so below I provide several possible options.

Security check tools

There are many helper applications and scripts that check various aspects of a Docker infrastructure. Some of them were already described in a previous article (https://habr.com/ru/company/swordfish_security/blog/518758/#docker-security); in this material I would like to look at three of them, which together cover the bulk of the security requirements for Docker images built during development. I will also show an example of how these three tools can be combined into a single pipeline that performs the security checks.

Hadolint
https://github.com/hadolint/hadolint

A fairly simple console tool that helps, as a first approximation, to assess the correctness and safety of Dockerfile instructions (for example, that only trusted image registries are used, or that sudo is not used).


Dockle
https://github.com/goodwithtech/dockle

A console tool that works with an image (or with an image saved as a tar archive) and checks the correctness and security of that particular image as such, by analysing its layers and configuration: which users are created, which instructions are used, which volumes are mounted, whether an empty password is present, and so on. So far the number of checks is not very large; they are based on a few of the tool's own checks and on the recommendations of the CIS (Center for Internet Security) Benchmark for Docker.

Trivy
https://github.com/aquasecurity/trivy

This tool is aimed at finding two kinds of vulnerabilities: problems in the OS build (Alpine, RedHat (EL), CentOS, Debian GNU, Ubuntu are supported) and problems in dependencies (Gemfile.lock, Pipfile.lock, composer.lock, package-lock.json, yarn.lock, cargo.lock). Trivy can scan both an image in a repository and a local image, and it can also scan a .tar file exported from a Docker image.


Options for running the tools

To let you try the applications described above in an isolated environment, I will give instructions for installing all the tools in a somewhat simplified process.

The main idea is to show how you can implement automated content checks of the Dockerfiles and Docker images that are created during development.

The check itself consists of the following steps:

  1. Checking the correctness and safety of Dockerfile instructions with the Hadolint linter
  2. Checking the correctness and safety of the final and intermediate images with Dockle
  3. Checking for publicly known vulnerabilities (CVE) in the base image and in a number of dependencies with Trivy

Later in the article I give three options for implementing these steps:
The first configures CI/CD pipelines using GitLab as the example (with a description of how to set up the test stand).
The second uses a shell script.
The third builds a Docker image for scanning Docker images.
You can choose the option that suits you best, transfer it to your infrastructure and adapt it to your needs.

All the required files and additional instructions are also available in the repository: https://github.com/Swordfish-Security/docker_cicd

Integration into GitLab CI/CD

In the first option we will look at how to implement the security checks using the GitLab repository system as an example. We will go step by step through setting up a test environment with GitLab from scratch, configuring the scanning process and running the tools to check a test Dockerfile and an arbitrary image, the JuiceShop application.

Installing GitLab
1. Install Docker:

sudo apt-get update && sudo apt-get install docker.io

2. Add the current user to the docker group so that you can work without sudo:

sudo addgroup <username> docker

3. Find out your IP address:

ip addr

4. Install and run GitLab in a container, replacing the IP address in hostname with your own:

docker run --detach \
--hostname 192.168.1.112 \
--publish 443:443 --publish 80:80 \
--name gitlab \
--restart always \
--volume /srv/gitlab/config:/etc/gitlab \
--volume /srv/gitlab/logs:/var/log/gitlab \
--volume /srv/gitlab/data:/var/opt/gitlab \
gitlab/gitlab-ce:latest

Wait until GitLab finishes all the necessary installation procedures (you can follow the process in the log output: docker logs -f gitlab).

5. Open your IP address in a browser; you will see a page asking you to change the password of the root user.
Set a new password and log in to GitLab.

6. Create a new project, for example cicd-test, and initialise it with a starting README.md file.
7. Now we need to install GitLab Runner, the agent that will run all the required operations on request.
Download the latest version (in this case, for 64-bit Linux):

sudo curl -L --output /usr/local/bin/gitlab-runner https://gitlab-runner-downloads.s3.amazonaws.com/latest/binaries/gitlab-runner-linux-amd64

8. Make it executable:

sudo chmod +x /usr/local/bin/gitlab-runner

9. Add an OS user for the Runner and start the service:

sudo useradd --comment 'GitLab Runner' --create-home gitlab-runner --shell /bin/bash
sudo gitlab-runner install --user=gitlab-runner --working-directory=/home/gitlab-runner
sudo gitlab-runner start

You should see something like this:

local@osboxes:~$ sudo gitlab-runner install --user=gitlab-runner --working-directory=/home/gitlab-runner
Runtime platform arch=amd64 os=linux pid=8438 revision=0e5417a3 version=12.0.1
local@osboxes:~$ sudo gitlab-runner start
Runtime platform arch=amd64 os=linux pid=8518 revision=0e5417a3 version=12.0.1

10. Now we register the Runner so that it can work with our GitLab instance.
To do this, open the Settings → CI/CD page (http://OUR_IP_ADDRESS/root/cicd-test/-/settings/ci_cd) and find the URL and the Registration token on the Runners tab.
11. Register the Runner, substituting the URL and the Registration token:

sudo gitlab-runner register \
--non-interactive \
--url "http://<URL>/" \
--registration-token "<Registration Token>" \
--executor "docker" \
--docker-privileged \
--docker-image alpine:latest \
--description "docker-runner" \
--tag-list "docker,privileged" \
--run-untagged="true" \
--locked="false" \
--access-level="not_protected"

As a result we have a working GitLab, to which we now need to add the commands that launch our tools. In this demo there are no steps for building the application and the container, but in a real environment they would precede the scanning steps and produce the images and the Dockerfile for analysis.

Pipeline configuration

1. Add to the repository the file mydockerfile.df (this is the test Dockerfile that we will check) and the GitLab CI/CD pipeline configuration file .gitlab-ci.yml, which lists the instructions for the scanners (note the leading dot in the name).

The YAML configuration file contains instructions for the three tools (Hadolint, Dockle and Trivy), which analyse the Dockerfile and the image set in the DOCKERFILE and DOCKERIMAGE variables. All the required files can be taken from the repository: https://github.com/Swordfish-Security/docker_cicd/

An excerpt from mydockerfile.df (of course the file is an abstract one, with an arbitrary set of instructions, purely to demonstrate how the tools work). Direct link to the file: mydockerfile.df

Contents of mydockerfile.df

FROM amd64/node:10.16.0-alpine@sha256:f59303fb3248e5d992586c76cc83e1d3700f641cbcd7c0067bc7ad5bb2e5b489 AS tsbuild
COPY package.json .
COPY yarn.lock .
RUN yarn install
COPY lib lib
COPY tsconfig.json tsconfig.json
COPY tsconfig.app.json tsconfig.app.json
RUN yarn build
FROM amd64/ubuntu:18.04@sha256:eb70667a801686f914408558660da753cde27192cd036148e58258819b927395
LABEL maintainer="Rhys Arkins <[email protected]>"
LABEL name="renovate"
...
COPY php.ini /usr/local/etc/php/php.ini
RUN cp -a /tmp/piik/* /var/www/html/
RUN rm -rf /tmp/piwik
RUN chown -R www-data /var/www/html
ADD piwik-cli-setup /piwik-cli-setup
ADD reset.php /var/www/html/
## ENTRYPOINT ##
ADD entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
USER root
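To make concrete what a Dockerfile linter such as Hadolint looks for in a file like the one above, here is a small Python re-implementation of four of its checks. This is an added example written for this article, not Hadolint's code: the real tool has many more rules and a full Dockerfile parser, and the logic here is a simplification. The rule codes DL3002, DL3006 and DL3015 are the ones that appear in the scan output later in the article; DL3004 is Hadolint's code for the sudo check mentioned in the tool description. The Dockerfile it scans is a constructed sample, not mydockerfile.df.

```python
"""Simplified Hadolint-style Dockerfile checks (added example, not Hadolint's own code).

Rule codes follow Hadolint's numbering, but the logic is an approximation:
the real linter has many more rules and a full Dockerfile parser.
"""
import re


def parse_dockerfile(text):
    """Return a list of (line_no, INSTRUCTION, arguments) tuples.

    Comment and blank lines are dropped, backslash line continuations are
    joined, and line_no is the line on which the instruction starts.
    """
    instructions, buf, start = [], [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if start is None:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        parts = " ".join(buf).split(None, 1)
        instructions.append((start, parts[0].upper(), parts[1] if len(parts) > 1 else ""))
        buf, start = [], None
    return instructions


def check_dockerfile(text):
    """Run the checks and return findings as (line_no, code, message) tuples."""
    findings = []
    stage_aliases = set()      # names introduced with "FROM ... AS name"
    last_user = None           # (line_no, user) of the last USER instruction
    for line, instr, arg in parse_dockerfile(text):
        if instr == "FROM":
            tokens = [t for t in arg.split() if not t.startswith("--")]  # drop --platform=...
            image = tokens[0]
            if len(tokens) == 3 and tokens[1].upper() == "AS":
                stage_aliases.add(tokens[2])
            # Everything after the last "/" is "name[:tag][@digest]".
            name = image.rsplit("/", 1)[-1]
            pinned = ":" in name or "@" in name
            if not pinned and image != "scratch" and image not in stage_aliases and not image.startswith("$"):
                findings.append((line, "DL3006", "Always tag the version of an image explicitly"))
        elif instr == "USER":
            last_user = (line, arg.strip())
        elif instr == "RUN":
            # Split a shell-form RUN into its individual commands on &&, || and ;
            for cmd in re.split(r"&&|\|\||;", arg):
                words = cmd.split()
                if not words:
                    continue
                if words[0] == "sudo":
                    findings.append((line, "DL3004", "Do not use sudo as it leads to unpredictable behavior"))
                if "apt-get" in words and "install" in words and "--no-install-recommends" not in words:
                    findings.append((line, "DL3015", "Avoid additional packages by specifying `--no-install-recommends`"))
    # Hadolint reports DL3002 when the last USER in the file is root.
    if last_user is not None and last_user[1] in ("root", "0"):
        findings.append((last_user[0], "DL3002", "Last USER should not be root"))
    return findings


# Constructed sample for the example; not the article's mydockerfile.df.
SAMPLE_DOCKERFILE = """\
# Constructed sample for the example; not the article's mydockerfile.df.
FROM node:10.16.0-alpine AS build
COPY . /src
RUN cd /src && yarn install \\
    && yarn build
FROM ubuntu
RUN apt-get update && apt-get install -y curl \\
    && rm -rf /var/lib/apt/lists/*
RUN sudo chown -R www-data /var/www/html
USER root
ENTRYPOINT ["/entrypoint.sh"]
"""


def format_findings(findings, filename="Dockerfile"):
    """Render findings one per line, in the style of the article's scan output."""
    return [f"{filename}:{line} {code} {message}" for line, code, message in findings]


if __name__ == "__main__":
    for row in format_findings(check_dockerfile(SAMPLE_DOCKERFILE)):
        print(row)
```

Run as a script it prints four findings for the sample: the untagged `FROM ubuntu`, the `apt-get install` without `--no-install-recommends`, the `sudo` call, and the final `USER root`. Stage aliases are tracked so that `FROM build` referencing an earlier stage is not reported as an untagged image.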

The YAML configuration looks like this (the file itself is available via the direct link here: .gitlab-ci.yml):

Contents of .gitlab-ci.yml

variables:
    DOCKER_HOST: "tcp://docker:2375/"
    DOCKERFILE: "mydockerfile.df" # name of the Dockerfile to analyse   
    DOCKERIMAGE: "bkimminich/juice-shop" # name of the Docker image to analyse
    # DOCKERIMAGE: "knqyf263/cve-2018-11235" # test Docker image with several CRITICAL CVE
    SHOWSTOPPER_PRIORITY: "CRITICAL" # what level of criticality will fail Trivy job
    TRIVYCACHE: "$CI_PROJECT_DIR/.cache" # where to cache Trivy database of vulnerabilities for faster reuse
    ARTIFACT_FOLDER: "$CI_PROJECT_DIR"
 
services:
    - docker:dind # to be able to build docker images inside the Runner
 
stages:
    - scan
    - report
    - publish
 
HadoLint:
    # Basic lint analysis of Dockerfile instructions
    stage: scan
    image: docker:git
 
    after_script:
    - cat $ARTIFACT_FOLDER/hadolint_results.json
 
    script:
    - export VERSION=$(wget -q -O - https://api.github.com/repos/hadolint/hadolint/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/hadolint/hadolint/releases/download/v${VERSION}/hadolint-Linux-x86_64 && chmod +x hadolint-Linux-x86_64
     
    # NB: hadolint will always exit with 0 exit code
    - ./hadolint-Linux-x86_64 -f json $DOCKERFILE > $ARTIFACT_FOLDER/hadolint_results.json || exit 0
 
    artifacts:
        when: always # return artifacts even after job failure       
        paths:
        - $ARTIFACT_FOLDER/hadolint_results.json
 
Dockle:
    # Analysing best practices about docker image (users permissions, instructions followed when image was built, etc.)
    stage: scan   
    image: docker:git
 
    after_script:
    - cat $ARTIFACT_FOLDER/dockle_results.json
 
    script:
    - export VERSION=$(wget -q -O - https://api.github.com/repos/goodwithtech/dockle/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.tar.gz && tar zxf dockle_${VERSION}_Linux-64bit.tar.gz
    - ./dockle --exit-code 1 -f json --output $ARTIFACT_FOLDER/dockle_results.json $DOCKERIMAGE   
     
    artifacts:
        when: always # return artifacts even after job failure       
        paths:
        - $ARTIFACT_FOLDER/dockle_results.json
 
Trivy:
    # Analysing docker image and package dependencies against several CVE bases
    stage: scan   
    image: docker:git
 
    script:
    # getting the latest Trivy
    - apk add rpm
    - export VERSION=$(wget -q -O - https://api.github.com/repos/knqyf263/trivy/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/knqyf263/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz && tar zxf trivy_${VERSION}_Linux-64bit.tar.gz
     
    # displaying all vulnerabilities w/o failing the build
    - ./trivy -d --cache-dir $TRIVYCACHE -f json -o $ARTIFACT_FOLDER/trivy_results.json --exit-code 0 $DOCKERIMAGE    
    
    # write vulnerabilities info to stdout in human readable format (reading pure json is not fun, eh?). You can remove this if you don't need this.
    - ./trivy -d --cache-dir $TRIVYCACHE --exit-code 0 $DOCKERIMAGE    
 
    # failing the build if the SHOWSTOPPER priority is found
    - ./trivy -d --cache-dir $TRIVYCACHE --exit-code 1 --severity $SHOWSTOPPER_PRIORITY --quiet $DOCKERIMAGE
         
    artifacts:
        when: always # return artifacts even after job failure
        paths:
        - $ARTIFACT_FOLDER/trivy_results.json
 
    cache:
        paths:
        - .cache
 
Report:
    # combining tools outputs into one HTML
    stage: report
    when: always
    image: python:3.5
     
    script:
    - mkdir json
    - cp $ARTIFACT_FOLDER/*.json ./json/
    - pip install json2html
    - wget https://raw.githubusercontent.com/shad0wrunner/docker_cicd/master/convert_json_results.py
    - python ./convert_json_results.py
     
    artifacts:
        paths:
        - results.html

If required, you can also scan images saved as a .tar archive (but then the input parameters for the tools in the YAML file need to be changed).

NB: Trivy requires rpm and git to be installed. Otherwise it produces errors when scanning RedHat-based images and when fetching updates to the vulnerability database.

2. After these files are added to the repository, GitLab will automatically start the build and scanning process according to the instructions in our configuration file. You can follow the progress of the instructions on the CI/CD → Pipelines tab.

As a result we have four jobs. Three of them perform the scanning itself, and the last one (Report) simply assembles a report from the separate files with the scan results.
By default Trivy fails if critical vulnerabilities are found in the image or its dependencies. Hadolint, on the other hand, always returns a success code, because there are always remarks, which would otherwise stop the build.

Depending on your specific requirements, you can configure the exit code so that the build also stops when these tools detect problems of a certain criticality. In our case the build stops only if Trivy detects a vulnerability with the criticality we set in the SHOWSTOPPER_PRIORITY variable in .gitlab-ci.yml.

The result of each tool can be viewed in the log of the corresponding scan job, directly in the JSON files in the artifacts section, or in a simple HTML report (more on that below).

3. To present the tools' reports in a slightly more human-readable form, a small Python script is used that converts the three JSON files into one HTML file with a table of defects.
This script is launched by a separate Report job, and its final artifact is the file with the HTML report. The script's source is also in the repository and can be adapted to your needs, colours, and so on.
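The Trivy job's showstopper gate in the pipeline above and the Report job's JSON-to-HTML conversion can be illustrated with a single script. The Python below is an added example written for this article; it is not the repository's convert_json_results.py. It assumes the JSON layouts of Hadolint (-f json: a list of findings), Dockle (-f json: a summary plus a details list) and Trivy (-f json: older releases emit a top-level list of targets, newer ones wrap it in {"Results": [...]}), normalises all three into one list of findings, applies the same comma-separated severity-list gate that `--severity ... --exit-code 1` implements in the pipeline, and renders a minimal HTML table. The three sample documents are constructed for the example; they reuse finding IDs shown in the article's output but are not real scan results.

```python
"""Combine Hadolint, Dockle and Trivy JSON output, apply a severity gate and
render an HTML table.  Added example for this article; it is not the
repository's convert_json_results.py.  The JSON layouts are the three tools'
own formats as documented; the sample documents below are constructed."""
import html
import json

COLUMNS = ("tool", "severity", "id", "location", "title")


def normalise_hadolint(doc):
    """Hadolint -f json: a list of {line, code, message, level, file, ...}."""
    return [{"tool": "hadolint", "severity": item["level"].upper(), "id": item["code"],
             "location": f'{item.get("file", "Dockerfile")}:{item["line"]}',
             "title": item["message"]} for item in doc]


def normalise_dockle(doc):
    """Dockle -f json: {"summary": {...}, "details": [{code, title, level, alerts}]}."""
    return [{"tool": "dockle", "severity": item["level"].upper(), "id": item["code"],
             "location": "; ".join(item.get("alerts", [])), "title": item["title"]}
            for item in doc.get("details", [])]


def normalise_trivy(doc):
    """Trivy -f json: older releases emit a top-level list of targets, newer ones
    wrap it as {"Results": [...]}; "Vulnerabilities" may be null for a clean target."""
    targets = doc["Results"] if isinstance(doc, dict) else doc
    return [{"tool": "trivy", "severity": vuln["Severity"].upper(), "id": vuln["VulnerabilityID"],
             "location": f'{target["Target"]} ({vuln["PkgName"]} {vuln["InstalledVersion"]})',
             "title": vuln.get("Title", "")}
            for target in targets for vuln in (target.get("Vulnerabilities") or [])]


def load_all(hadolint_json, dockle_json, trivy_json):
    """Parse the three JSON strings into one list of findings."""
    return (normalise_hadolint(json.loads(hadolint_json))
            + normalise_dockle(json.loads(dockle_json))
            + normalise_trivy(json.loads(trivy_json)))


def count_by_severity(findings):
    """Count findings per severity label (the tools' own labels, not unified)."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def showstopper_gate(findings, showstopper_priority):
    """Exit code of the pipeline's final Trivy step: `--severity X,Y --exit-code 1`
    fails when any vulnerability has a severity in the given comma-separated list."""
    wanted = {s.strip().upper() for s in showstopper_priority.split(",")}
    hits = [f for f in findings if f["tool"] == "trivy" and f["severity"] in wanted]
    return 1 if hits else 0


def render_html(findings):
    """Minimal HTML report; every cell is escaped so scanner output cannot inject markup."""
    head = "".join(f"<th>{c}</th>" for c in COLUMNS)
    rows = "".join("<tr>" + "".join(f"<td>{html.escape(str(f[c]))}</td>" for c in COLUMNS) + "</tr>"
                   for f in findings)
    return f'<html><body><table border="1"><tr>{head}</tr>{rows}</table></body></html>'


# Constructed sample documents (IDs taken from the article's output, not real scans).
HADOLINT_SAMPLE = json.dumps([
    {"line": 248, "code": "DL3002", "message": "Last USER should not be root",
     "column": 1, "file": "Dockerfile", "level": "warning"},
    {"line": 205, "code": "DL3015", "message": "Avoid additional packages by specifying `--no-install-recommends`",
     "column": 1, "file": "Dockerfile", "level": "info"},
])
DOCKLE_SAMPLE = json.dumps({
    "summary": {"fatal": 0, "warn": 1, "info": 1, "skip": 0, "pass": 12},
    "details": [
        {"code": "DKL-DI-0006", "title": "Avoid latest tag", "level": "WARN", "alerts": ["Avoid 'latest' tag"]},
        {"code": "CIS-DI-0005", "title": "Enable Content trust for Docker", "level": "INFO",
         "alerts": ["export DOCKER_CONTENT_TRUST=1 before docker pull/build"]},
    ]})
TRIVY_SAMPLE = json.dumps([
    {"Target": "juice-shop/frontend/package-lock.json", "Type": "npm", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2020-15256", "PkgName": "object-path", "InstalledVersion": "0.11.4",
         "Severity": "HIGH", "Title": "Prototype pollution in object-path"},
        {"VulnerabilityID": "CVE-2020-15262", "PkgName": "webpack-subresource-integrity", "InstalledVersion": "1.4.1",
         "Severity": "LOW", "Title": "Unprotected dynamically loaded chunks"}]},
    {"Target": "bkimminich/juice-shop (debian 10)", "Type": "debian", "Vulnerabilities": None},
])

if __name__ == "__main__":
    all_findings = load_all(HADOLINT_SAMPLE, DOCKLE_SAMPLE, TRIVY_SAMPLE)
    with open("results.html", "w") as fh:
        fh.write(render_html(all_findings))
    print(count_by_severity(all_findings), "exit code:", showstopper_gate(all_findings, "CRITICAL"))
```

With the pipeline's default SHOWSTOPPER_PRIORITY of CRITICAL the sample passes the gate (its worst Trivy finding is HIGH); widening the list to `HIGH,CRITICAL` fails it, which is exactly what changing the variable in .gitlab-ci.yml would do. Escaping every cell matters because package names and titles come from untrusted registry metadata and end up in a page that is opened in a browser.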

Shell script

The second option suits cases where you need to check Docker images outside CI/CD, or want all the instructions in a form that can be executed directly on a host. It is covered by a ready-made shell script that can be run on a clean virtual (or even physical) machine. The script executes the same commands as the runner described above.

For the script to run correctly, Docker must be installed on the system and the current user must be a member of the docker group.

The script itself is here: docker_sec_check.sh

At the beginning of the file, variables set which image is to be scanned and which criticality will make the Trivy tool exit with a non-zero error code.

When the script runs, all the tools are downloaded into the docker_tools directory, the results of their work go into docker_tools/json, and the HTML report goes into the file results.html.

Example script output

~/docker_cicd$ ./docker_sec_check.sh

[+] Setting environment variables
[+] Installing required packages
[+] Preparing necessary directories
[+] Fetching sample Dockerfile
2020-10-20 10:40:00 (45.3 MB/s) - ‘Dockerfile’ saved [8071/8071]
[+] Pulling image to scan
latest: Pulling from bkimminich/juice-shop
[+] Running Hadolint
...
Dockerfile:205 DL3015 Avoid additional packages by specifying `--no-install-recommends`
Dockerfile:248 DL3002 Last USER should not be root
...
[+] Running Dockle
...
WARN    - DKL-DI-0006: Avoid latest tag
        * Avoid 'latest' tag
INFO    - CIS-DI-0005: Enable Content trust for Docker
        * export DOCKER_CONTENT_TRUST=1 before docker pull/build
...
[+] Running Trivy
juice-shop/frontend/package-lock.json
=====================================
Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

+---------------------+------------------+----------+---------+-------------------------+
|       LIBRARY       | VULNERABILITY ID | SEVERITY | VERSION |             TITLE       |
+---------------------+------------------+----------+---------+-------------------------+
| object-path         | CVE-2020-15256   | HIGH     | 0.11.4  | Prototype pollution in  |
|                     |                  |          |         | object-path             |
+---------------------+------------------+          +---------+-------------------------+
| tree-kill           | CVE-2019-15599   |          | 1.2.2   | Code Injection          |
+---------------------+------------------+----------+---------+-------------------------+
| webpack-subresource | CVE-2020-15262   | LOW      | 1.4.1   | Unprotected dynamically |
|                     |                  |          |         | loaded chunks           |
+---------------------+------------------+----------+---------+-------------------------+

juice-shop/package-lock.json
============================
Total: 20 (UNKNOWN: 0, LOW: 1, MEDIUM: 6, HIGH: 8, CRITICAL: 5)

...

juice-shop/package-lock.json
============================
Total: 5 (CRITICAL: 5)

...
[+] Removing left-overs
[+] Making the output look pretty
[+] Converting JSON results
[+] Writing results HTML
[+] Clean exit ============================================================
[+] Everything is done. Find the resulting HTML report in results.html

Docker image with all the tools

As a third option, I put together two simple Dockerfiles for building a security-scanning image with the tools. One Dockerfile builds a kit for scanning an image from a repository, the other (Dockerfile_tar) builds a kit for scanning a tar file containing an image.

1. Take the corresponding Dockerfile and scripts from the repository https://github.com/Swordfish-Security/docker_cicd/tree/master/Dockerfile.
2. Run the build:

docker build -t dscan:image -f docker_security.df .

3. When the build is complete, create a container from the image. At the same time we pass the DOCKERIMAGE environment variable with the name of the image we want to check, and mount the Dockerfile we want to analyse from the host machine onto the file /Dockerfile (note that the absolute path to this file is required):

docker run --rm -v $(pwd)/results:/results -v $(pwd)/docker_security.df:/Dockerfile -e DOCKERIMAGE="bkimminich/juice-shop" dscan:image


[+] Setting environment variables
[+] Running Hadolint
/Dockerfile:3 DL3006 Always tag the version of an image explicitly
[+] Running Dockle
WARN    - DKL-DI-0006: Avoid latest tag
        * Avoid 'latest' tag
INFO    - CIS-DI-0005: Enable Content trust for Docker
        * export DOCKER_CONTENT_TRUST=1 before docker pull/build
INFO    - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
        * not found HEALTHCHECK statement
INFO    - DKL-LI-0003: Only put necessary files
        * unnecessary file : juice-shop/node_modules/sqlite3/Dockerfile
        * unnecessary file : juice-shop/node_modules/sqlite3/tools/docker/architecture/linux-arm64/Dockerfile
        * unnecessary file : juice-shop/node_modules/sqlite3/tools/docker/architecture/linux-arm/Dockerfile
[+] Running Trivy
...
juice-shop/package-lock.json
============================
Total: 20 (UNKNOWN: 0, LOW: 1, MEDIUM: 6, HIGH: 8, CRITICAL: 5)
...
[+] Making the output look pretty
[+] Starting the main module ============================================================
[+] Converting JSON results
[+] Writing results HTML
[+] Clean exit ============================================================
[+] Everything is done. Find the resulting HTML report in results.html

Results

We have looked at only one basic set of tools for scanning Docker artifacts, which, in my opinion, covers a decent share of image security requirements quite effectively. There are also many paid and free tools that can perform the same checks, draw pretty reports or work purely in console mode, cover container management systems, and so on. A review of those tools and how to integrate them will appear a little later.

The good thing about the set of tools described in this article is that they are all open source, and you can experiment with them and with other similar tools to find what fits your needs and infrastructure. Of course, every vulnerability found still has to be examined for applicability in the specific conditions, but that is a topic for a future big article.

I hope this guide, the scripts and the tools will help you and become a starting point towards a more secure infrastructure in the world of containerisation.

Source: www.habr.com
