# SUSE NeuVector: How to set up NeuVector to scan images built from BCI

###### tags: `work`

## Goals

1. Build a simple web service once from a BCI image and once from a centos image.
2. Scan both images with NeuVector and compare their vulnerabilities and risk.

```
$ mkdir ~/gocgi; cd ~/gocgi
rancher@lb:~/cgi> cat main.go
package main

import (
	"net/http"
	"net/http/cgi"
)

func cgiHandler(w http.ResponseWriter, r *http.Request) {
	handler := cgi.Handler{Path: "cgichild.sh"}
	handler.ServeHTTP(w, r)
}

func main() {
	http.HandleFunc("/", cgiHandler)
	http.ListenAndServe(":8080", nil)
}
rancher@lb:~/cgi> go mod init gocgi
rancher@lb:~/cgi> CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o main
rancher@lb:~/cgi> cat cgichild.sh
#!/bin/sh
echo "Content-type: text/html"
echo "
█████████████████████████████████████████████████████████████
█░░░░░░░░░░░░░░█░░░░░░██░░░░░░█░░░░░░░░░░░░░░█░░░░░░░░░░░░░░█
█░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀░░██░░▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░█
█░░▄▀░░░░░░░░░░█░░▄▀░░██░░▄▀░░█░░▄▀░░░░░░░░░░█░░▄▀░░░░░░░░░░█
█░░▄▀░░█████████░░▄▀░░██░░▄▀░░█░░▄▀░░█████████░░▄▀░░█████████
█░░▄▀░░░░░░░░░░█░░▄▀░░██░░▄▀░░█░░▄▀░░░░░░░░░░█░░▄▀░░░░░░░░░░█
█░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀░░██░░▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░█
█░░░░░░░░░░▄▀░░█░░▄▀░░██░░▄▀░░█░░░░░░░░░░▄▀░░█░░▄▀░░░░░░░░░░█
█████████░░▄▀░░█░░▄▀░░██░░▄▀░░█████████░░▄▀░░█░░▄▀░░█████████
█░░░░░░░░░░▄▀░░█░░▄▀░░░░░░▄▀░░█░░░░░░░░░░▄▀░░█░░▄▀░░░░░░░░░░█
█░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░█
█░░░░░░░░░░░░░░█░░░░░░░░░░░░░░█░░░░░░░░░░░░░░█░░░░░░░░░░░░░░█
█████████████████████████████████████████████████████████████"
exit 0
rancher@lb:~/cgi> chmod +x cgichild.sh
rancher@lb:~/cgi> cat Dockerfile
FROM registry.suse.com/bci/bci-base
ADD main /
ADD cgichild.sh /
CMD ["/main"]
rancher@lb:~/cgi> ll
total 6696
-rwxr-xr-x 1 rancher users    2448 Mar  6 13:00 cgichild.sh
-rw-r--r-- 1 rancher users      80 Mar  6 13:02 Dockerfile
-rw-r--r-- 1 rancher users      22 Mar  6 11:30 go.mod
-rwxr-xr-x 1 rancher users 6837935 Mar  6 11:30 main
-rw-r--r-- 1 rancher users     264 Mar  6 11:28 main.go
```

## Build the bci & centos images

* Build the image with BCI as the base

```
rancher@lb:~/cgi> sudo docker build -t bciweb .
Sending build context to Docker daemon  6.846MB
Step 1/4 : FROM registry.suse.com/bci/bci-base
 ---> 8c2d6ec9c943
Step 2/4 : ADD main /
 ---> aab6143383ff
Step 3/4 : ADD cgichild.sh /
 ---> 4dffd037055c
Step 4/4 : CMD ["/main"]
 ---> Running in fb734e8b8805
Removing intermediate container fb734e8b8805
 ---> c3e2de10eeeb
Successfully built c3e2de10eeeb
Successfully tagged bciweb:latest
```

* Build the image with centos as the base

```
rancher@lb:~/cgi> cat Dockerfile
FROM centos
ADD main /
ADD cgichild.sh /
CMD ["/main"]
rancher@lb:~/cgi> sudo docker build -t cenweb .
Sending build context to Docker daemon  6.846MB
Step 1/4 : FROM centos
 ---> 5d0da3dc9764
Step 2/4 : ADD main /
 ---> c42a060076ec
Step 3/4 : ADD cgichild.sh /
 ---> 05dcd7c31825
Step 4/4 : CMD ["/main"]
 ---> Running in c968c98f9513
Removing intermediate container c968c98f9513
 ---> 7b964e9f8feb
Successfully built 7b964e9f8feb
Successfully tagged cenweb:latest
```

## Deploy

1. Deploy bciweb

```
rancher@m1:~> cat bciweb.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    app: bciweb
  name: bciweb
spec:
  replicas: 1
  selector:
    matchLabels:
      app: bciweb
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: bciweb
    spec:
      containers:
      - image: taiwanese/bciweb
        name: bciweb
        ports:
        - containerPort: 8080
        resources: {}
status: {}
---
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: null
  labels:
    app: bciweb
  name: svc-bciweb
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: bciweb
  type: NodePort
```

```
rancher@m1:~> kubectl get all
NAME                          READY   STATUS    RESTARTS   AGE
pod/bciweb-6cc887f94c-6lfwd   1/1     Running   0          5s

NAME                 TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
service/kubernetes   ClusterIP   10.43.0.1       <none>        443/TCP        18d
service/svc-bciweb   NodePort    10.43.229.218   <none>        80:30750/TCP   5s

NAME                     READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/bciweb   1/1     1            1           5s

NAME                                DESIRED   CURRENT   READY   AGE
replicaset.apps/bciweb-6cc887f94c   1         1         1       5s
rancher@m1:~> curl http://192.168.11.55:30750

█████████████████████████████████████████████████████████████
█░░░░░░░░░░░░░░█░░░░░░██░░░░░░█░░░░░░░░░░░░░░█░░░░░░░░░░░░░░█
█░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀░░██░░▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░█
█░░▄▀░░░░░░░░░░█░░▄▀░░██░░▄▀░░█░░▄▀░░░░░░░░░░█░░▄▀░░░░░░░░░░█
█░░▄▀░░█████████░░▄▀░░██░░▄▀░░█░░▄▀░░█████████░░▄▀░░█████████
█░░▄▀░░░░░░░░░░█░░▄▀░░██░░▄▀░░█░░▄▀░░░░░░░░░░█░░▄▀░░░░░░░░░░█
█░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀░░██░░▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░█
█░░░░░░░░░░▄▀░░█░░▄▀░░██░░▄▀░░█░░░░░░░░░░▄▀░░█░░▄▀░░░░░░░░░░█
█████████░░▄▀░░█░░▄▀░░██░░▄▀░░█████████░░▄▀░░█░░▄▀░░█████████
█░░░░░░░░░░▄▀░░█░░▄▀░░░░░░▄▀░░█░░░░░░░░░░▄▀░░█░░▄▀░░░░░░░░░░█
█░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░█
█░░░░░░░░░░░░░░█░░░░░░░░░░░░░░█░░░░░░░░░░░░░░█░░░░░░░░░░░░░░█
█████████████████████████████████████████████████████████████
```

2. Deploy cenweb

```
rancher@m1:~> cat cenweb.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    app: cenweb
  name: cenweb
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cenweb
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: cenweb
    spec:
      containers:
      - image: taiwanese/cenweb
        name: cenweb
        ports:
        - containerPort: 8080
        resources: {}
status: {}
---
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: null
  labels:
    app: cenweb
  name: svc-cenweb
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: cenweb
  type: NodePort
```

```
rancher@m1:~> kubectl get all
NAME                          READY   STATUS    RESTARTS   AGE
pod/bciweb-6cc887f94c-6lfwd   1/1     Running   0          19m
pod/cenweb-db8cfc679-bpvk6    1/1     Running   0          38s

NAME                 TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
service/kubernetes   ClusterIP   10.43.0.1       <none>        443/TCP        18d
service/svc-bciweb   NodePort    10.43.229.218   <none>        80:30750/TCP   19m
service/svc-cenweb   NodePort    10.43.235.232   <none>        80:32388/TCP   38s

NAME                     READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/bciweb   1/1     1            1           19m
deployment.apps/cenweb   1/1     1            1           38s

NAME                                DESIRED   CURRENT   READY   AGE
replicaset.apps/bciweb-6cc887f94c   1         1         1       19m
replicaset.apps/cenweb-db8cfc679    1         1         1       38s
rancher@m1:~> curl http://192.168.11.55:32388

█████████████████████████████████████████████████████████████
█░░░░░░░░░░░░░░█░░░░░░██░░░░░░█░░░░░░░░░░░░░░█░░░░░░░░░░░░░░█
█░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀░░██░░▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░█
█░░▄▀░░░░░░░░░░█░░▄▀░░██░░▄▀░░█░░▄▀░░░░░░░░░░█░░▄▀░░░░░░░░░░█
█░░▄▀░░█████████░░▄▀░░██░░▄▀░░█░░▄▀░░█████████░░▄▀░░█████████
█░░▄▀░░░░░░░░░░█░░▄▀░░██░░▄▀░░█░░▄▀░░░░░░░░░░█░░▄▀░░░░░░░░░░█
█░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀░░██░░▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░█
█░░░░░░░░░░▄▀░░█░░▄▀░░██░░▄▀░░█░░░░░░░░░░▄▀░░█░░▄▀░░░░░░░░░░█
█████████░░▄▀░░█░░▄▀░░██░░▄▀░░█████████░░▄▀░░█░░▄▀░░█████████
█░░░░░░░░░░▄▀░░█░░▄▀░░░░░░▄▀░░█░░░░░░░░░░▄▀░░█░░▄▀░░░░░░░░░░█
█░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░█
█░░░░░░░░░░░░░░█░░░░░░░░░░░░░░█░░░░░░░░░░░░░░█░░░░░░░░░░░░░░█
█████████████████████████████████████████████████████████████
```

## Scan

* Scan the images
  * The image built from BCI shows no vulnerabilities.
  * The image built from centos shows 147 high-risk and 79 medium-risk vulnerabilities in total.
* Scan the containers
  * Scan cenweb
  * Scan bciweb

## Use NeuVector to block images with many vulnerabilities

* First delete the cenweb deployment

```
rancher@m1:~> kubectl delete -f cenweb.yaml
deployment.apps "cenweb" deleted
service "svc-cenweb" deleted
```

* Configure the registry where the images are stored.
* Configure an admission control rule in NeuVector that blocks an image when it has more than three high-risk CVEs reported more than one day ago.
* Switch admission control to Protect mode.
* Deploying cenweb again at this point is blocked by NeuVector.
* The block shows up in the Risk Reports in NeuVector.

## Summary

1. BCI images are tested, certified and enterprise-ready, and are regularly updated with the latest security patches, so they are a trustworthy image source. Building our images from BCI therefore goes a long way toward reducing our security and vulnerability risk.
2. NeuVector lets us detect vulnerabilities and risk in images easily and quickly, and lets us define our own rules to keep risky images from being deployed into our environment.
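The admission control rule that the walkthrough configures through the NeuVector UI can also be declared as a NeuVector custom resource, which keeps the "block images with more than three high-risk CVEs older than one day" policy in version control alongside the deployment manifests. This is an added example and not part of the original page; the CRD kind and the criteria names (`cveHighCount`, `publishDays`) follow NeuVector's admission-control CRD as I understand it and should be checked against the documentation for the NeuVector version in use, and the rule `id` and `comment` are assumed values.

```yaml
# Added example (not from the original page): NeuVector admission control
# rule equivalent to the UI setting in the walkthrough. It denies any
# workload whose image carries more than three high-severity CVEs that were
# published one or more days ago, and switches admission control to Protect
# mode so the deny is enforced rather than only logged.
# Field names are assumed from NeuVector's NvAdmissionControlSecurityRule
# CRD; verify them against the docs for your NeuVector version.
apiVersion: neuvector.com/v1
kind: NvAdmissionControlSecurityRule
metadata:
  name: local            # the local (non-federated) admission rule set
  namespace: neuvector   # namespace where NeuVector is installed
spec:
  config:
    enable: true         # turn admission control on
    mode: protect        # "monitor" only reports violations; "protect" blocks
    client_mode: service
  rules:
  - id: 1000             # assumed rule id
    action: deny
    disabled: false
    comment: "block images with more than 3 high CVEs older than 1 day"  # assumed text
    criteria:
    - name: cveHighCount # number of high-severity CVEs found in the image scan
      op: ">"
      value: "3"
      sub_criteria:
      - name: publishDays # only count CVEs published at least this many days ago
        op: ">="
        value: "1"
```

After `kubectl apply -f` on this resource, re-applying `cenweb.yaml` should be rejected by the NeuVector admission webhook while `bciweb.yaml` still deploys, which is the same outcome the walkthrough shows from the UI.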