This post briefly introduces the installation and use of Anchore, a Docker image security scanning tool.

Preface

  The steps below were carried out on a CentOS 7.6 virtual machine.

[root@localhost ~]# cat /etc/redhat-release                                                                                     
CentOS Linux release 7.6.1810 (Core)   

Installing Docker

  Installation steps (see the first reference, Docker 学习入门):

# yum remove docker docker-common docker-selinux                                          # remove any earlier installation first
# yum install -y yum-utils device-mapper-persistent-data lvm2                             # install dependencies
# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo   # add the package repository
# yum install docker-ce -y                                                                # install docker
# systemctl start docker                                                                  # start the docker service
# systemctl enable docker                                                                 # start docker at boot
# docker -v                                                                               # show the docker version
# docker info                                                                             # show detailed docker information

Adding dpkg support

  The host needs dpkg so that Anchore can read the package database of Debian/Ubuntu-based images (such as the mysql image used below) while running on CentOS:

# yum install epel-release -y
# yum install dpkg -y

Installing Anchore

  Anchore is written in Python. CentOS 7.6 ships Python 2.7, but pip is not part of the base install; if pip is missing, install it from EPEL (enabled above) with yum install python2-pip, then upgrade it. Note that the anchore package on PyPI is the original standalone CLI, which the Anchore project has since deprecated in favour of anchore-engine; the commands below refer to that legacy CLI.

# pip install --upgrade pip

  Step 1: install Anchore

# pip install anchore

  Step 2: set PATH (temporary, current shell only). ~/.local/bin is where pip install --user places scripts; a system-wide install as root puts anchore in /usr/bin, which is already on PATH.

# export PATH=~/.local/bin:$PATH

  Step 3: check the anchore version

# anchore --version        

  Step 4: list the feeds

[root@localhost ~]# anchore feeds list
initializing feed metadata: ...
Available:
  nvd:
    description: Feed record for type nvd
  nvdv2:
    description: Feed record for type nvdv2
  packages:
    description: Feed record for type packages
Subscribed:
  vulnerabilities:
    description: Feed record for type vulnerabilities

  By default only the last one, vulnerabilities, is subscribed.

  Step 5: sync the subscribed feeds

[root@localhost ~]# anchore feeds sync
syncing data for subscribed feed (vulnerabilities) ...
        syncing group data: debian:unstable: ...
        syncing group data: ubuntu:16.04: ...
        syncing group data: centos:6: ...
        syncing group data: centos:7: ...
        syncing group data: centos:5: ...
        syncing group data: amzn:2: ...
        syncing group data: ubuntu:14.04: ...
        syncing group data: centos:8: ...
        syncing group data: ubuntu:14.10: ...
        syncing group data: debian:11: ...
        syncing group data: debian:10: ...
        syncing group data: ubuntu:15.04: ...
        syncing group data: debian:9: ...
        syncing group data: debian:8: ...
        syncing group data: ubuntu:12.04: ...
        syncing group data: ubuntu:18.04: ...
        syncing group data: ubuntu:17.10: ...
        syncing group data: ubuntu:19.10: ...
        syncing group data: debian:7: ...
        syncing group data: ubuntu:16.10: ...
        syncing group data: alpine:3.3: ...
        syncing group data: alpine:3.4: ...
        syncing group data: alpine:3.5: ...
        syncing group data: alpine:3.6: ...
        syncing group data: alpine:3.7: ...
        syncing group data: alpine:3.8: ...
        syncing group data: alpine:3.9: ...
        syncing group data: ubuntu:13.04: ...
        syncing group data: ubuntu:15.10: ...
        syncing group data: alpine:3.10: ...
        syncing group data: ubuntu:12.10: ...
        syncing group data: ubuntu:18.10: ...
        syncing group data: ubuntu:17.04: ...
        syncing group data: ol:8: ...
        syncing group data: ol:7: ...
        syncing group data: ol:6: ...
        syncing group data: ol:5: ...
        syncing group data: ubuntu:19.04: ...
skipping data sync for unsubscribed feed (nvd) ...
skipping data sync for unsubscribed feed (nvdv2) ...
skipping data sync for unsubscribed feed (packages) ...

  This step may take only about ten minutes, or considerably longer; I have not found a way to speed it up.

Subscribing to additional feeds

  anchore feeds --help shows a sub subcommand for subscribing to a feed. To add the nvd feed:

[root@localhost ~]# anchore feeds sub nvd # subscribe to the nvd feed; other feeds can be added the same way
nvd: subscribed.
[root@localhost ~]# anchore feeds list # check the subscriptions
Available:
  nvdv2:
    description: Feed record for type nvdv2
  packages:
    description: Feed record for type packages
Subscribed:
  nvd:
    description: Feed record for type nvd      # nvd is now subscribed
  vulnerabilities:
    description: Feed record for type vulnerabilities

[root@localhost ~]# anchore feeds sync        # sync again
syncing data for subscribed feed (vulnerabilities) ...
        skipping group data: debian:unstable: already synced
        skipping group data: alpine:3.8: already synced
        skipping group data: ubuntu:16.04: already synced
        skipping group data: centos:6: already synced
        skipping group data: centos:7: already synced
        skipping group data: centos:5: already synced
        skipping group data: amzn:2: already synced
        skipping group data: ol:6: already synced
        skipping group data: centos:8: already synced
        skipping group data: ubuntu:14.10: already synced
        skipping group data: debian:11: already synced
        skipping group data: debian:10: already synced
        skipping group data: ubuntu:15.04: already synced
        skipping group data: debian:9: already synced
        skipping group data: debian:8: already synced
        skipping group data: ubuntu:12.04: already synced
        skipping group data: ubuntu:18.04: already synced
        skipping group data: ubuntu:17.10: already synced
        skipping group data: ubuntu:19.10: already synced
        skipping group data: debian:7: already synced
        skipping group data: ubuntu:16.10: already synced
        skipping group data: alpine:3.3: already synced
        skipping group data: alpine:3.4: already synced
        skipping group data: alpine:3.5: already synced
        skipping group data: alpine:3.6: already synced
        skipping group data: alpine:3.7: already synced
        skipping group data: ubuntu:14.04: already synced
        skipping group data: alpine:3.9: already synced
        skipping group data: ubuntu:15.10: already synced
        skipping group data: alpine:3.10: already synced
        skipping group data: ubuntu:12.10: already synced
        skipping group data: ubuntu:18.10: already synced
        skipping group data: ubuntu:17.04: already synced
        skipping group data: ol:8: already synced
        skipping group data: ol:7: already synced
        skipping group data: ubuntu:13.04: already synced
        skipping group data: ol:5: already synced
        skipping group data: ubuntu:19.04: already synced
syncing data for subscribed feed (nvd) ...            # syncing the nvd feed
        syncing group data: nvddb:2007: ...
        syncing group data: nvddb:2003: ...
        syncing group data: nvddb:2013: ...
        syncing group data: nvddb:2012: ...
        syncing group data: nvddb:2011: ...
        syncing group data: nvddb:2010: ...
        syncing group data: nvddb:2017: ...
        syncing group data: nvddb:2009: ...
        syncing group data: nvddb:2015: ...
        syncing group data: nvddb:2014: ...
        syncing group data: nvddb:2004: ...
        syncing group data: nvddb:2005: ...
        syncing group data: nvddb:2006: ...
        syncing group data: nvddb:2018: ...
        syncing group data: nvddb:2002: ...
        syncing group data: nvddb:2019: ...
        syncing group data: nvddb:2008: ...
        syncing group data: nvddb:2016: ...
skipping data sync for unsubscribed feed (nvdv2) ...
skipping data sync for unsubscribed feed (packages) ...
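The subscribe-then-sync steps above can be scripted so that re-running them is harmless. The following shell wrapper is an added example, not code from the original post or from the Anchore project: it parses the output of anchore feeds list, subscribes only to feeds that are not already listed under Subscribed, and syncs once afterwards. The sample listing is copied from the output above so the parsing functions run offline; the ANCHORE variable (used to point at a stub command for testing) is an assumption of this script, not an option of the anchore CLI.

```shell
#!/bin/sh
# Added example (not from the original post or the Anchore project):
# idempotent feed subscription built on the output of `anchore feeds list`.

# Sample listing copied from the post above, so the parser can be run
# without the anchore CLI installed.
SAMPLE_FEED_LIST='Available:
  nvdv2:
    description: Feed record for type nvdv2
  packages:
    description: Feed record for type packages
Subscribed:
  nvd:
    description: Feed record for type nvd
  vulnerabilities:
    description: Feed record for type vulnerabilities'

# Print the feed names under the given section ("Available" or "Subscribed"),
# one per line, reading the listing from stdin. Section headers start at
# column 0; feed names are indented by exactly two spaces and end with ":".
# The "description:" lines (four spaces, text after the colon) are skipped,
# as is the "initializing feed metadata" line printed on first use.
feeds_in_section() {
    awk -v want="$1:" '
        /^[A-Za-z]+:$/ { section = $0; next }
        section == want && /^  [a-z0-9]+:$/ {
            sub(/^  /, ""); sub(/:$/, ""); print
        }'
}

# Succeed if the feed named in $1 appears under Subscribed in stdin.
feed_is_subscribed() {
    feeds_in_section Subscribed | grep -qx "$1"
}

# Subscribe to every feed named on the command line that is not already
# subscribed, then run a single sync if anything changed. ANCHORE is an
# assumption of this script: it lets a test substitute a stub for the CLI.
ensure_feeds() {
    anchore_cmd="${ANCHORE:-anchore}"
    listing=$("$anchore_cmd" feeds list) || return 1
    changed=0
    for feed in "$@"; do
        if printf '%s\n' "$listing" | feed_is_subscribed "$feed"; then
            echo "$feed: already subscribed"
        else
            "$anchore_cmd" feeds sub "$feed" || return 1
            changed=1
        fi
    done
    if [ "$changed" -eq 1 ]; then
        "$anchore_cmd" feeds sync
    fi
}
```

On a host with the CLI installed, ensure_feeds nvd vulnerabilities can be run before every scan: the first run subscribes and syncs, later runs only report "already subscribed" and skip the slow sync.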

Trying the tool

  First pull an image, mysql:

[root@localhost ~]# docker pull mysql
[root@localhost ~]# docker images       # list all local images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
mysql               latest              c8ee894bd2bd        5 days ago          456MB
nginx               latest              5a9061639d0a        5 days ago          126MB
busybox             latest              19485c79a9bb        6 weeks ago         1.22MB

Image analysis

  Analyze the mysql image.

[root@localhost ~]# anchore analyze --image mysql
Analyzing image: mysql
c8ee894bd2bd: analyzing ...
c8ee894bd2bd: analyzed.

Generating a report

   The gate command evaluates the analyzed image and produces the report; by default it prints to the console.

  gate offers no option to select a report format, so I redirected the output to a file named mysql.html. Note that redirecting stdout does not change the content: the file holds the plain text that gate prints, not an HTML document, so any text file name works equally well.

[root@localhost ~]# anchore gate --image mysql > mysql.html

Viewing the report

   Open mysql.html to view the report.
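To use the analyze/gate sequence in a build pipeline, the report has to be turned into a pass/fail decision. The following shell script is an added example, not code from the original post or from the Anchore project. It assumes only that the gate report marks each check with one of Anchore's policy actions GO, WARN or STOP, and it searches for those tokens as whole words rather than depending on the exact table layout; the sample report is constructed for illustration and its columns are not the tool's real output. The scan_image wrapper and the ANCHORE override are likewise assumptions of this script, and the report is written as .txt because gate prints plain text.

```shell
#!/bin/sh
# Added example (not from the original post or the Anchore project):
# scan an image with the legacy anchore CLI and turn the gate report into
# a CI verdict.
#
# Assumption: each check in the gate report carries one of the Anchore
# policy actions GO, WARN or STOP. Only those tokens are inspected, as
# whole words, so the parser does not depend on the table layout.

# Constructed sample report for offline use; the column layout is
# illustrative only and is not the CLI's real output.
SAMPLE_GATE_REPORT='ImageID       Gate             Trigger         Action
c8ee894bd2bd  DOCKERFILECHECK  NOHEALTHCHECK   WARN
c8ee894bd2bd  ANCHORESEC       VULNHIGH        STOP
c8ee894bd2bd  PKGDIFF          PKGADD          GO'

# Read a gate report from stdin and print the worst action found
# (STOP beats WARN beats GO). Prints UNKNOWN when no action token is
# present, so an empty or truncated report never passes silently.
worst_gate_action() {
    awk '
        function bump(n) { if (n > rank) rank = n }
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "STOP") bump(3)
                else if ($i == "WARN") bump(2)
                else if ($i == "GO") bump(1)
            }
        }
        END {
            if (rank == 3) print "STOP"
            else if (rank == 2) print "WARN"
            else if (rank == 1) print "GO"
            else print "UNKNOWN"
        }'
}

# Map an action to a job exit status: GO passes, STOP and UNKNOWN fail,
# WARN passes unless STRICT=1 is set in the environment.
action_exit_status() {
    case "$1" in
        GO)   return 0 ;;
        WARN) if [ "${STRICT:-0}" = "1" ]; then return 1; fi; return 0 ;;
        *)    return 1 ;;
    esac
}

# Analyze and gate an image, keep the plain-text report, and exit with
# the verdict. The gate exit status is deliberately not relied on; the
# verdict comes from the report text. ANCHORE is an assumption of this
# script that lets a test substitute a stub for the CLI.
scan_image() {
    image="$1"
    default_report=$(printf '%s' "$image" | tr '/:' '__').gate.txt
    report="${2:-$default_report}"
    anchore_cmd="${ANCHORE:-anchore}"
    "$anchore_cmd" analyze --image "$image" || return 1
    "$anchore_cmd" gate --image "$image" > "$report" || true
    action=$(worst_gate_action < "$report")
    echo "$image: worst gate action = $action (report: $report)"
    action_exit_status "$action"
}
```

Running scan_image mysql on a host with the CLI installed writes mysql.gate.txt and exits non-zero when the worst action is STOP (or when no action token is found); set STRICT=1 to fail on WARN as well.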

  For details on the commands, use --help or see the second reference link. My impression is that the tool is not yet ideal.

References

  Docker 学习入门 (Getting started with Docker): https://www.cnblogs.com/chiangchou/p/docker.html

  Docker安全自动化扫描工具对比测试 (Comparison test of automated Docker security scanners): https://blog.csdn.net/wutianxu123/article/details/83216219

That's all!
