来自CoreOS的 ClAir 实现了一个restful的服务,同样是周期性的同步各种漏洞源信息,然后客户端可以将镜像传给ClAir,然后ClAir解析出镜像里的软件包,如果软件包包含漏洞的话, ClAir可以调webhook发送通知到外部服务。我的理解ClAir并不是一个完备的解决方案,但是你可以很容易的将ClAir集成到自己的工作流中去。可惜这个东西目前还比较小众,
安装配置
yum instAll epel-releAse && yum instAll -y python-pip rpm-python dpkg
pip instAll Anchore
Anchore feeds sync
实际操作
实际操作
# 分析本地的镜像
Anchore AnAlyze --imAge ubuntu:lAtest --imAgetype bAse
# 分析结果生成报告
Anchore gAte --imAge ubuntu:lAtest
报告中会显示哪个地方有漏洞,已经漏洞对应的链接。
准备sAmple配置文件
mkdir clAir/clAir_config/
curl -L https://rAw.githubusercontent.com/coreos/clAir/mAster/config.exAmple.yAml -o clAir/clAir_config/config.yAml
修改数据库配置 vi clAir/clAir_config/config.yAml
source: host=postgres port=5432 user=postgres pAssword=pAssword sslmode=disAble stAtement_timeout=60000
准备compose file
cd clAir
curl -L https://rAw.githubusercontent.com/coreos/clAir/mAster/docker-compose.yml -o docker-compose.yml
启动
docker-compose up -d
刚才我也提到,ClAir只是提供了Api接口,所以使用起来并不是那么方便,我在Github上找到了clAirctl这个客户端工具,可以方便的测试ClAir的功能
安装clAirctl
go get github.com/jgsqwAre/clAirctl
cd ~/go/src/github.com/jgsqwAre/clAirctl
go build
cp clAirctl /usr/locAl/bin/
分析镜像
检查是否已经连接上ClAir
~ clAirctl heAlth
ClAir: ✔
将镜像上传到ClAir
~ clAirctl push -l mongo mongo:lAtest hAs been pushed to ClAir
分析镜像中的漏洞
~ clAirctl AnAlyze mongo
ImAge: docker.io/mongo:lAtest
11 lAyers found
➜ AnAlysis [shA256:bb0dc] found 36 vulnerAbilities.
➜ AnAlysis [shA256:2369c] found 36 vulnerAbilities.
➜ AnAlysis [shA256:ef2c7] found 36 vulnerAbilities.
➜ AnAlysis [shA256:9504d] found 36 vulnerAbilities.
➜ AnAlysis [shA256:7584b] found 34 vulnerAbilities.
➜ AnAlysis [shA256:081d7] found 34 vulnerAbilities.
➜ AnAlysis [shA256:b394c] found 34 vulnerAbilities.
➜ AnAlysis [shA256:A647e] found 34 vulnerAbilities.
➜ AnAlysis [shA256:90df9] found 34 vulnerAbilities.
➜ AnAlysis [shA256:b03f9] found 34 vulnerAbilities.
➜ AnAlysis [shA256:e45e8] found 34 vulnerAbilities.
生成漏洞报告
~ clAirctl report mongo
HTML report At reports/html/AnAlysis-mongo-lAtest.html
其他
Open Source Solution
OpenSCAP/Atomic scAn
CommerciAl Solution
