Vesta: a fast checker for Docker and Kubernetes configuration security

2022-12-17 00:48:36 +08:00
christa

What Vesta can do

With the rapid growth of container technology, container security has become a topic enterprises pay attention to, and more and more companies and individual developers are moving their services to the cloud. Most container scanning and container configuration checking products on the market today require tedious environment setup and make fairly high demands on the machine, while a developer or security tester may only need to scan a handful of images or configurations; the tedious setup and the cost of the hardware are hard for them to justify, so security checks end up being done inefficiently. Vesta is a tool that combines container scanning with Docker and Kubernetes configuration baseline checks. It looks for components with vulnerable versions inside images or containers, and for dangerous Docker and Kubernetes configurations. It is also flexible and fast, and runs on a wide range of systems, including but not limited to Windows, Linux and macOS.

Vesta gives developers and security testers a convenient, fast solution. The whole program is written in Go: just run `go build` or download a binary from the releases page, with no environment or database to configure, and it runs on a machine with 1 vCPU and 2 GB of memory, to make it as easy as possible to use.

Project page

Features

Vesta is made up of two main modules: vulnerability scanning of images and containers, and configuration baseline checks for Docker and Kubernetes.

Check list

Docker checks

| Supported check item | Description | Severity |
|---|---|---|
| PrivilegeAllowed | Dangerous privileged mode | critical |
| Capabilities | Dangerous capabilities are set | critical |
| Volume Mount | Sensitive or dangerous directory is mounted | critical |
| Docker Unauthorized | Port 2375 is open with no authentication | critical |
| Kernel version | Current kernel version has a container-escape vulnerability | critical |
| Network Module | Network mode is host and a specific containerd version is in use | critical |
| Docker Server version | Docker Server version is vulnerable | critical/high/medium/low |
| Docker env password check | Weak password in the Docker env | high/medium |
| Image tag check | Image is untagged or uses the default latest tag | low |
| Container env (planned) | Check whether databases have no password set, including but not limited to MySQL, Redis, Memcache | - |
| IaC scan (planned) | IaC scanning | - |
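As an added illustration, not code from Vesta, the following Go program reimplements four of the table's Docker checks (PrivilegeAllowed, Capabilities, Volume Mount, Image tag check) over the JSON array that `docker inspect <container>` prints. The dangerous-capability and sensitive-directory lists, the severities and the two sample containers are assumptions made for this example; the kernel, Docker Server, network-mode and port-2375 checks need data that is not in the inspect output and are not reproduced here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Finding is one check result, mirroring the columns of the table above.
type Finding struct {
	Check    string
	Value    string
	Severity string
}

// inspectContainer holds the handful of `docker inspect` fields these
// checks read; every other field in the JSON is ignored by encoding/json.
type inspectContainer struct {
	Name       string `json:"Name"`
	HostConfig struct {
		Privileged bool     `json:"Privileged"`
		CapAdd     []string `json:"CapAdd"`
		Binds      []string `json:"Binds"`
	} `json:"HostConfig"`
	Config struct {
		Image string `json:"Image"`
	} `json:"Config"`
}

// Capabilities that give a container a realistic escape path. This list is
// an assumption for the example, not Vesta's own.
var dangerousCaps = map[string]bool{
	"SYS_ADMIN": true, "SYS_MODULE": true, "SYS_PTRACE": true,
	"DAC_READ_SEARCH": true, "NET_ADMIN": true, "ALL": true,
}

// Host paths whose bind mount exposes host secrets or control sockets
// (assumed list for the example).
var sensitiveDirs = []string{"/", "/etc", "/root", "/proc", "/var/run/docker.sock", "/var/lib/docker"}

// capName normalises "cap_sys_admin" / "CAP_SYS_ADMIN" / "SYS_ADMIN" to "SYS_ADMIN".
func capName(c string) string {
	return strings.TrimPrefix(strings.ToUpper(c), "CAP_")
}

// CheckContainers runs the checks over the JSON array printed by
// `docker inspect <id>...` and returns the findings in a stable order.
func CheckContainers(inspectJSON []byte) ([]Finding, error) {
	var cs []inspectContainer
	if err := json.Unmarshal(inspectJSON, &cs); err != nil {
		return nil, err
	}
	var out []Finding
	for _, c := range cs {
		if c.HostConfig.Privileged {
			out = append(out, Finding{"PrivilegeAllowed", "Privileged=true", "critical"})
		}
		for _, cp := range c.HostConfig.CapAdd {
			if dangerousCaps[capName(cp)] {
				out = append(out, Finding{"Capabilities", cp, "critical"})
			}
		}
		// Binds look like "/host/path:/container/path[:opts]" or "volume:/path".
		for _, b := range c.HostConfig.Binds {
			src := strings.SplitN(b, ":", 2)[0]
			for _, d := range sensitiveDirs {
				if src == d || (d != "/" && strings.HasPrefix(src, d+"/")) {
					out = append(out, Finding{"Volume Mount", b, "critical"})
					break
				}
			}
		}
		// An image is untagged when there is no ":" after the last "/" (so a
		// registry port such as "reg:5000/app" does not count as a tag).
		img := c.Config.Image
		if i := strings.LastIndex(img, ":"); i < 0 || strings.Contains(img[i:], "/") || img[i+1:] == "latest" {
			out = append(out, Finding{"Image tag check", img, "low"})
		}
	}
	return out, nil
}

// SampleInspect is a constructed two-container `docker inspect` output:
// one deliberately misconfigured container and one hardened one.
const SampleInspect = `[
  {"Name": "/vulntest", "Config": {"Image": "nginx"},
   "HostConfig": {"Privileged": true, "CapAdd": ["SYS_ADMIN", "NET_RAW"],
                  "Binds": ["/etc:/host-etc:ro", "/data:/data"]}},
  {"Name": "/hardened", "Config": {"Image": "nginx:1.25.3"},
   "HostConfig": {"Privileged": false, "CapAdd": null, "Binds": ["/data:/data:ro"]}}
]`

func main() {
	fs, err := CheckContainers([]byte(SampleInspect))
	if err != nil {
		panic(err)
	}
	for _, f := range fs {
		fmt.Printf("[%s] %-16s %s\n", f.Severity, f.Check, f.Value)
	}
}
```

The embedded sample is constructed; to check a real host, write `docker inspect $(docker ps -q)` to a file and pass its contents to CheckContainers. The bind-mount check deliberately reports a read-only /etc mount as well, since reading /etc/shadow or the host's SSH configuration does not need write access.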

Kubernetes checks

| Supported check item | Description | Severity |
|---|---|---|
| PrivilegeAllowed | Dangerous privileged mode | critical |
| Capabilities | Dangerous capabilities are set | critical |
| PV and PVC | PV is mounted on a sensitive directory and its status is active | critical/medium |
| ClusterRoleBinding | Permissions are granted to the default account | high/medium |
| Kubernetes-dashboard | Checks `--enable-skip-login` and the dashboard account's permissions | critical/high/low |
| Kernel version (k8s version below v1.24) | Current kernel version has a container-escape vulnerability | critical |
| Docker Server version (k8s version below v1.24) | Docker Server version is vulnerable | critical/high/medium/low |
| Kubernetes certificate expiration | Certificate expires in less than 30 days | medium |
| ConfigMap and Secret check | Weak password in a ConfigMap or Secret | high/medium |
| Auto Mount ServiceAccount Token | Pod mounts /var/run/secrets/kubernetes.io/serviceaccount/token by default | low |
| NoResourceLimits | No limits on resource usage, e.g. CPU, memory, storage | low |
| Job and CronJob | Job or CronJob has no seccomp or SELinux security policy set | low |
| CVE-2022-29179 (planned) | Detect whether CVE-2022-29179 is present | critical |
| Envoy admin (planned) | Envoy admin is configured and listening on 0.0.0.0 | - |
| Kubelet 10255 and kubectl proxy (planned) | Port 10255 is open or kubectl proxy is enabled | - |
| Trampoline attack (planned) | Insecure RBAC permissions, susceptible to a Trampoline attack | - |
| IaC scan (planned) | IaC scanning | - |
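As an added example (not Vesta's own code), here are Go versions of two cluster-object checks from the table that have no Docker counterpart: the ConfigMap/Secret weak-password check, which has to base64-decode Secret values before looking at them and also catches a password embedded in a connection string (the shape of the db.string finding in the usage example further down), and the ClusterRoleBinding check for bindings to a namespace's default service account. The weak-password dictionary, the credential-looking key names, the severities and the sample objects are assumptions for this example; Vesta additionally looks at the verbs of the bound role, which this code does not fetch.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding is one check result: the check, the object it concerns, the
// offending parameter and a severity.
type Finding struct {
	Check, Object, Param, Severity string
}

type objMeta struct {
	Name      string `json:"name"`
	Namespace string `json:"namespace"`
}

// configObject covers both ConfigMap and Secret items as returned by
// `kubectl get configmaps,secrets -A -o json`; Secret values are base64.
type configObject struct {
	Kind     string            `json:"kind"`
	Metadata objMeta           `json:"metadata"`
	Data     map[string]string `json:"data"`
}

type configList struct {
	Items []configObject `json:"items"`
}

type subject struct {
	Kind      string `json:"kind"`
	Name      string `json:"name"`
	Namespace string `json:"namespace"`
}

type clusterRoleBinding struct {
	Metadata objMeta `json:"metadata"`
	RoleRef  struct {
		Name string `json:"name"`
	} `json:"roleRef"`
	Subjects []subject `json:"subjects"`
}

type bindingList struct {
	Items []clusterRoleBinding `json:"items"`
}

// Assumed weak-password dictionary and credential-looking key names; a real
// checker would use a much larger list.
var weakPasswords = map[string]bool{
	"password": true, "password123": true, "admin": true, "123456": true,
	"root": true, "changeme": true, "secret": true,
}
var credentialKey = regexp.MustCompile(`(?i)pass|pwd|secret|token`)

// urlCredential captures the password of "scheme://user:pass@host" strings
// such as mysql+pymysql://dbapp:Password123@db:3306/db.
var urlCredential = regexp.MustCompile(`://[^:/@\s]+:([^@\s]+)@`)

// weakPassword reports the weak password found in a value: either embedded
// in a connection string (any key) or as the whole value of a credential key.
func weakPassword(key, value string) (string, bool) {
	if m := urlCredential.FindStringSubmatch(value); m != nil && weakPasswords[strings.ToLower(m[1])] {
		return m[1], true
	}
	if credentialKey.MatchString(key) && weakPasswords[strings.ToLower(value)] {
		return value, true
	}
	return "", false
}

// CheckConfigData scans ConfigMap and Secret values for weak passwords.
func CheckConfigData(listJSON []byte) ([]Finding, error) {
	var l configList
	if err := json.Unmarshal(listJSON, &l); err != nil {
		return nil, err
	}
	var out []Finding
	for _, o := range l.Items {
		keys := make([]string, 0, len(o.Data))
		for k := range o.Data {
			keys = append(keys, k)
		}
		sort.Strings(keys) // map order is random; keep findings deterministic
		for _, k := range keys {
			v := o.Data[k]
			if o.Kind == "Secret" {
				raw, err := base64.StdEncoding.DecodeString(v)
				if err != nil {
					continue // not valid base64: nothing to inspect
				}
				v = string(raw)
			}
			if pw, weak := weakPassword(k, v); weak {
				out = append(out, Finding{o.Kind, o.Metadata.Namespace + "/" + o.Metadata.Name,
					k + " (weak password '" + pw + "')", "high"})
			}
		}
	}
	return out, nil
}

// CheckBindings flags ClusterRoleBindings whose subjects include a
// namespace's default ServiceAccount, which every pod without an explicit
// serviceAccountName runs as.
func CheckBindings(listJSON []byte) ([]Finding, error) {
	var l bindingList
	if err := json.Unmarshal(listJSON, &l); err != nil {
		return nil, err
	}
	var out []Finding
	for _, b := range l.Items {
		for _, s := range b.Subjects {
			if s.Kind == "ServiceAccount" && s.Name == "default" {
				out = append(out, Finding{"ClusterRoleBinding", b.Metadata.Name,
					"role " + b.RoleRef.Name + " -> " + s.Namespace + "/default", "high"})
			}
		}
	}
	return out, nil
}

func b64(s string) string { return base64.StdEncoding.EncodeToString([]byte(s)) }

// Constructed sample objects in `kubectl get ... -o json` list shape.
var SampleConfigs = fmt.Sprintf(`{"items":[
 {"kind":"ConfigMap","metadata":{"name":"app-config","namespace":"default"},
  "data":{"db.string":"mysql+pymysql://dbapp:Password123@db:3306/db","log.level":"info"}},
 {"kind":"Secret","metadata":{"name":"db-creds","namespace":"default"},
  "data":{"password":"%s","username":"%s"}},
 {"kind":"Secret","metadata":{"name":"api-token","namespace":"prod"},
  "data":{"token":"%s"}}]}`, b64("Password123"), b64("admin"), b64("k4Vp9zQ2mX8rT1wL"))

const SampleBindings = `{"items":[
 {"metadata":{"name":"vuln-clusterrolebinding"},"roleRef":{"kind":"ClusterRole","name":"vuln-clusterrole"},
  "subjects":[{"kind":"ServiceAccount","name":"default","namespace":"default"}]},
 {"metadata":{"name":"metrics-reader"},"roleRef":{"kind":"ClusterRole","name":"metrics-reader"},
  "subjects":[{"kind":"ServiceAccount","name":"prometheus","namespace":"monitoring"}]}]}`

func main() {
	cf, _ := CheckConfigData([]byte(SampleConfigs))
	bf, _ := CheckBindings([]byte(SampleBindings))
	for _, f := range append(cf, bf...) {
		fmt.Printf("[%s] %-18s %-28s %s\n", f.Severity, f.Check, f.Object, f.Param)
	}
}
```

Note that the "username: admin" entry in the sample Secret is not reported: the dictionary match is only applied to keys that look like credentials, which keeps usernames and other short values from drowning the real findings, while the connection-string regex runs on every value regardless of key.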

Usage example

Check the basic k8s configuration

$./vesta analyze k8s

2022/11/29 23:15:59 Start analysing
2022/11/29 23:15:59 Geting docker server version
2022/11/29 23:15:59 Geting kernel version

Detected 4 vulnerabilities

Pods:
+----+--------------------+------------------------------+-------------------+-----------------------+----------+--------------------------------+
| ID |     POD DETAIL     |            PARAM             |       VALUE       |         TYPE          | SEVERITY |          DESCRIPTION           |
+----+--------------------+------------------------------+-------------------+-----------------------+----------+--------------------------------+
|  1 | Name: vulntest     | test-volume                  | /etc              | Directory             | critical | Mounting '/etc' is suffer      |
|    | Namespace: default |                              |                   |                       |          | vulnerable of container        |
|    |                    |                              |                   |                       |          | escape.                        |
+    +                    +------------------------------+-------------------+-----------------------+----------+--------------------------------+
|    |                    | Privileged                   | true              | Pod                   | critical | There has a potential          |
|    |                    |                              |                   |                       |          | container escape in privileged |
|    |                    |                              |                   |                       |          | module.                        |
+    +                    +------------------------------+-------------------+-----------------------+----------+--------------------------------+
|    |                    | AllowPrivilegeEscalation     | true              | Pod                   | critical | There has a potential          |
|    |                    |                              |                   |                       |          | container escape in privileged |
|    |                    |                              |                   |                       |          | module.                        |
+    +                    +------------------------------+-------------------+-----------------------+----------+--------------------------------+
|    |                    | Resource                     | memory, cpu,      | Pod                   | low      | None of resources is be        |
|    |                    |                              | ephemeral-storage |                       |          | limited.                       |
+----+--------------------+------------------------------+-------------------+-----------------------+----------+--------------------------------+

Configures:
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
| ID |            TYPEL            |             PARAM              |                         VALUE                          | SEVERITY |          DESCRIPTION           |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
|  1 | K8s version less than v1.24 | kernel version                 | 5.10.104-linuxkit                                      | critical | Kernel version is suffering    |
|    |                             |                                |                                                        |          | the CVE-2022-0185 with         |
|    |                             |                                |                                                        |          | CAP_SYS_ADMIN vulnerablility,  |
|    |                             |                                |                                                        |          | has a potential container      |
|    |                             |                                |                                                        |          | escape.                        |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
|  2 | ConfigMap                   | data: db.string                | db.string:mysql+pymysql://dbapp:Password123@db:3306/db | high     | ConfigMap has found weak       |
|    |                             |                                |                                                        |          | password: 'Password123'.       |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
|  3 | Secret                      | data: password                 | password:Password123                                   | high     | Secret has found weak          |
|    |                             |                                |                                                        |          | password: 'Password123'.       |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
|  4 | ClusterRoleBinding          | binding name:                  | verbs:                                                 | high     | Key permission are given to    |
|    |                             | vuln-clusterrolebinding |      | get,watch,list,create,update |                         |          | the default service account    |
|    |                             | rolename: vuln-clusterrole |   | resources: pods,services                               |          | which will cause a potential   |
|    |                             | namespace: default             |                                                        |          | container escape.              |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+

Outlook

Vesta aims to make it as easy as possible for developers to find baseline security issues in their day-to-day configurations, and to help make cloud environments safer.

Node: 分享创造 (Share & Create)

https://www.v2ex.com/t/903074