---
tags: Kubernetes, Security
description: Kubernetes Administrator
robots: index, follow
---

# Trivy - Vulnerability Scanner

This article shows how the Trivy tool scans the libraries (libs) inside a container image for vulnerabilities. To walk through the whole process we use a simple application that displays the client's source IP. The article covers:

1. Environment
2. Containerizing the application
3. Installing Trivy
4. Vulnerability scanning and recommendations
5. References

## 1. Environment

1. OS: Ubuntu 20.04
2. Docker version: Docker version 20.10.7, build f0df350

## 2. Containerizing the application

Here we show how to package a PHP application as a container.

### 2.1. Clone the sample code

```shell=
inwin@inwin:~$ git clone https://github.com/yansheng133/hpa-showip
Cloning into 'hpa-showip'...
remote: Enumerating objects: 16, done.
remote: Counting objects: 100% (16/16), done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 16 (delta 4), reused 12 (delta 4), pack-reused 0
Unpacking objects: 100% (16/16), 6.01 KiB | 1.50 MiB/s, done.
inwin@inwin:~$ cd hpa-showip/
inwin@inwin:~/hpa-showip$ ll
total 36
drwxrwxr-x 3 inwin inwin  4096 Jul 22 02:37 ./
drwxr-xr-x 4 inwin inwin  4096 Jul 22 02:37 ../
drwxrwxr-x 8 inwin inwin  4096 Jul 22 02:36 .git/
-rw-rw-r-- 1 inwin inwin    82 Jul 22 02:36 Dockerfile
-rw-rw-r-- 1 inwin inwin 11357 Jul 22 02:36 LICENSE
-rw-rw-r-- 1 inwin inwin   385 Jul 22 02:36 README.md
-rw-rw-r-- 1 inwin inwin   472 Jul 22 02:36 index.php
```

### 2.2. About the sample code

Below is the PHP show-IP sample. Lines 2-5 are only there to exercise the Kubernetes HPA (Horizontal Pod Autoscaler); if you do not need that at this point, you can delete them.

```php=
<?php
$x = 0.0001;
for ($i = 0; $i <= 1000000; $i++) { // lines 2-5: CPU-burning loop, used only for HPA testing
    $x += sqrt($x);
}
if (!empty($_SERVER["HTTP_CLIENT_IP"])) {            // Client-IP header, supplied by the client or a proxy
    $ip = $_SERVER["HTTP_CLIENT_IP"];
} elseif (!empty($_SERVER["HTTP_X_FORWARDED_FOR"])) { // X-Forwarded-For header, likewise request-supplied
    $ip = $_SERVER["HTTP_X_FORWARDED_FOR"];
} else {
    $ip = $_SERVER["REMOTE_ADDR"];                    // peer address as seen by Apache
}
date_default_timezone_set('Asia/Taipei');
echo "Source IP:" . $ip . ", Response by: " . gethostname() . " -- " . date('Y/m/d H:i:s');
echo "\n";
?>
```

### 2.3. Package the PHP application into a container image

```dockerfile=
FROM php:5-apache
COPY index.php /var/www/html/index.php
RUN chmod a+rx index.php
```

### 2.4. Build the image and keep it locally

```shell=
inwin@inwin:~/hpa-showip$ sudo docker build -t hpa-php5:0.1 .
Sending build context to Docker daemon  93.18kB
Step 1/3 : FROM php:5-apache
 ---> 24c791995c1e
Step 2/3 : COPY index.php /var/www/html/index.php
 ---> ce063009b554
Step 3/3 : RUN chmod a+rx index.php
 ---> Running in a24201213b64
Removing intermediate container a24201213b64
 ---> 14b9dab05937
Successfully built 14b9dab05937
Successfully tagged hpa-php5:0.1
inwin@inwin:~$ sudo docker image list
REPOSITORY   TAG        IMAGE ID       CREATED          SIZE
hpa-php5     0.1        14b9dab05937   49 minutes ago   355MB
php          5-apache   24c791995c1e   2 years ago      355MB
```

## 3. Installing Trivy

### 3.1. Install Trivy

```shell=
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
```

### 3.2. Installation output

```shell=
inwin@inwin:~$ wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
OK
inwin@inwin:~$ echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
deb https://aquasecurity.github.io/trivy-repo/deb focal main
inwin@inwin:~$ sudo apt-get update
Hit:1 http://tw.archive.ubuntu.com/ubuntu focal InRelease
Hit:2 http://tw.archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:3 http://tw.archive.ubuntu.com/ubuntu focal-backports InRelease
Hit:4 http://tw.archive.ubuntu.com/ubuntu focal-security InRelease
Hit:5 https://download.docker.com/linux/ubuntu focal InRelease
Get:6 https://aquasecurity.github.io/trivy-repo/deb focal InRelease [2336 B]
Get:7 https://aquasecurity.github.io/trivy-repo/deb focal/main amd64 Packages [372 B]
Fetched 2708 B in 1s (3720 B/s)
Reading package lists... Done
inwin@inwin:~$ sudo apt-get install trivy
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  trivy
0 upgraded, 1 newly installed, 0 to remove and 59 not upgraded.
Need to get 12.6 MB of archives.
After this operation, 37.9 MB of additional disk space will be used.
Get:1 https://aquasecurity.github.io/trivy-repo/deb focal/main amd64 trivy amd64 0.19.2 [12.6 MB]
Fetched 12.6 MB in 1s (9428 kB/s)
Selecting previously unselected package trivy.
(Reading database ... 71607 files and directories currently installed.)
Preparing to unpack .../trivy_0.19.2_amd64.deb ...
Unpacking trivy (0.19.2) ...
Setting up trivy (0.19.2) ...
```

### 3.3. Verify the installation

Confirm that the vulnerability tool version is 0.19.2.

```shell=
inwin@inwin:~$ sudo trivy --version
Version: 0.19.2
```

## 4. Vulnerability scanning and recommendations

### 4.1. Run a scan

The Total field at the top of the output shows how many vulnerabilities were found.

```shell=
inwin@inwin:~$ sudo trivy image hpa-php5:0.1
2021-07-22T02:54:36.078Z        Detected OS: debian
2021-07-22T02:54:36.078Z        Detecting Debian vulnerabilities...
2021-07-22T02:54:36.107Z        Number of language-specific files: 0

hpa-php5:0.1 (debian 9.6)
=========================
Total: 1319 (UNKNOWN: 0, LOW: 439, MEDIUM: 395, HIGH: 400, CRITICAL: 85)
......
```

### 4.2. Scan again and save the output to result.txt

```shell=
inwin@inwin:~$ sudo trivy image hpa-php5:0.1 |tee > result.txt
```

### 4.3. Extract only vulnerabilities of a given severity

Trivy classifies vulnerabilities into the following levels:

Vulnerability Level:
1. UNKNOWN
2. LOW
3. MEDIUM
4. HIGH
5. CRITICAL

List only the vulnerabilities whose level is CRITICAL:

```shell=
inwin@inwin:~$ sudo trivy image --severity CRITICAL hpa-php5:0.1
2021-07-22T03:02:06.196Z        INFO    Detected OS: debian
2021-07-22T03:02:06.196Z        INFO    Detecting Debian vulnerabilities...
2021-07-22T03:02:06.231Z        INFO    Number of language-specific files: 0

hpa-php5:0.1 (debian 9.6)
=========================
Total: 85 (CRITICAL: 85)
```

### 4.4. Scan a saved image file

:::info
If you want to check an image before it is placed into an environment, you can scan the image file directly.
Below, the image is saved as hpa.img, then scanned with Trivy, listing only the CRITICAL findings.
:::

```shell=
inwin@inwin:~$ sudo docker save hpa-php5:0.1 -o hpa.img
inwin@inwin:~$ ls
hpa-showip  hpa.img  result.txt
inwin@inwin:~$ sudo trivy image --severity CRITICAL --input hpa.img
2021-07-22T03:09:12.561Z        INFO    Detected OS: debian
2021-07-22T03:09:12.561Z        INFO    Detecting Debian vulnerabilities...
2021-07-22T03:09:12.590Z        INFO    Number of language-specific files: 0

hpa.img (debian 9.6)
====================
Total: 85 (CRITICAL: 85)
```

### 4.5. Recommendations

:::success
1. Your own code and the libraries shipped in the image are separate concerns; each "C"* is a different layer and has to be handled separately.
2. When building an image, first check whether the base image you intend to use meets an acceptable level; if it does not, decide whether to patch it or replace it.
3. When using an image, do not use the `latest` tag. It is easy to end up in a situation where the `latest` you were using has since become a specific version number, while the current "latest" is no longer the "latest" you started with.
4. Trivy has many more features and is a tool well worth using; it also updates its database automatically before each scan, which is great.

* C: The 4C's of Cloud Native security (Code, Container, Cluster, Cloud)
:::

## 5. References

1. [Docker install](https://docs.docker.com/engine/install/ubuntu/#install-using-the-repository "install-using-the-repository")
2. [Kubernetes HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ "HPA")
3. [Install Trivy](https://aquasecurity.github.io/trivy/v0.18.3/installation/ "install trivy")
4. [Trivy GitHub](https://github.com/aquasecurity/trivy "Trivy")
5. [Sample code from the author](https://github.com/yansheng133/hpa-showip "Yansheng133 github")
6. [The 4C's of Cloud Native security](https://kubernetes.io/docs/concepts/security/overview/ "The 4C's of Cloud Native security")
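Building on the scans in section 4, here is an added example (not from the original page, nor Trivy's own tooling) that turns a scan into a pass/fail gate: `trivy_gate()` relies on Trivy's `--exit-code`, `--severity` and `--ignore-unfixed` flags, while `severity_count()` and `report_passes()` read the `Total:` header of a saved report such as the result.txt from section 4.2. The sample report is constructed from the page's own scan output, and the threshold arguments are an assumption of this script.

```shell
#!/bin/sh
# Added example, not part of the original page or of Trivy itself.
# trivy_gate() is the CI step (needs trivy installed, not run here);
# severity_count()/report_passes() work offline on a saved report
# such as the result.txt produced in section 4.2.

# Let Trivy's exit status carry the verdict: --exit-code 1 returns 1 when
# any HIGH/CRITICAL finding exists, --ignore-unfixed skips findings that
# have no fixed package version yet (nothing to act on).
trivy_gate() {
    trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed "$1"
}

# Read one severity count (e.g. CRITICAL) from the report's header line:
#   Total: 1319 (UNKNOWN: 0, LOW: 439, MEDIUM: 395, HIGH: 400, CRITICAL: 85)
severity_count() {
    report="$1"; level="$2"
    grep '^Total:' "$report" | head -n 1 |
        sed -n "s/.*${level}: \([0-9][0-9]*\).*/\1/p"
}

# Pass (exit 0) only if the CRITICAL and HIGH counts are within the given
# ceilings (assumed defaults 0 and 0); exit 2 if the report has no header.
report_passes() {
    report="$1"; max_crit="${2:-0}"; max_high="${3:-0}"
    crit=$(severity_count "$report" CRITICAL)
    high=$(severity_count "$report" HIGH)
    [ -n "$crit" ] && [ -n "$high" ] || return 2
    [ "$crit" -le "$max_crit" ] && [ "$high" -le "$max_high" ]
}

# Constructed sample: the header of the page's own scan of hpa-php5:0.1.
SAMPLE_REPORT=$(mktemp)
trap 'rm -f "$SAMPLE_REPORT"' EXIT
cat > "$SAMPLE_REPORT" <<'EOF'
hpa-php5:0.1 (debian 9.6)
=========================
Total: 1319 (UNKNOWN: 0, LOW: 439, MEDIUM: 395, HIGH: 400, CRITICAL: 85)
EOF

if report_passes "$SAMPLE_REPORT"; then
    echo "gate: PASS"
else
    echo "gate: FAIL (CRITICAL=$(severity_count "$SAMPLE_REPORT" CRITICAL), HIGH=$(severity_count "$SAMPLE_REPORT" HIGH))"
fi
```

Run against the page's image this prints `gate: FAIL (CRITICAL=85, HIGH=400)`; in a pipeline you would call `trivy_gate hpa-php5:0.1` instead and let its exit status stop the build.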