Vesta: 一个 Docker 和 Kubernetes 配置安全的快速检查工具
christa · 2022-12-17 00:48:36 +08:00 · 1267 次点击这是一个创建于 648 天前的主题,其中的信息可能已经有所发展或是发生改变。
Vesta 可以做什么
伴随着容器技术的快速发展,容器安全问题也逐渐成为企业所关注的话题,越来越多的公司以及个人开发着选择将他们的服务迁移到云上。目前市面上的容器扫描或容器配置检查的产品大部门都需要进行繁琐的环境配置,同时对机器性能也有着比较高的要求,而开发者或安全测试者或许只是需要扫描少数的镜像或者配置,繁琐的配置和高昂的机器费用对他们来说难以承担,导致安全检查的效率不佳。Vesta 是一款集容器扫描,Docker 和 Kubernetes 配置基线检查于一身的工具。检查内容包括镜像或容器中包含漏洞版本的组件,Docker 以及 Kubernetes 的危险配置。同时也是一个灵活,快速的工具,能够在各种系统上运行,包括但不限于 Windows ,Linux 以及 MacOS
Vesta 为开发者和安全测试者提供了方便、快速的解决方案。整个程序由 golang 编写,只需要使用go build或者从 releases 下载,无需配置任何环境和数据库,并且在 1 vCPU, 2G Memory 的机器上就可运行,最大化方便使用者们。
项目地址
功能介绍
Vesta 包含两大模块
- scan: 扫描容器和镜像的组件信息,检测是否包含 CVE 漏洞版本
- analyze: 检查 Docker 和 Kubernetes 配置,是否包含危险配置。后续考虑附加攻击方法
检查列表
Docker 检查
| Supported | Check Item | Description | Severity |
|---|---|---|---|
| ✔ | PrivilegeAllowed | 危险的特权模式 | critical |
| ✔ | Capabilities | 危险 capabilities 被设置 | critical |
| ✔ | Volume Mount | 敏感或危险目录被挂载 | critical |
| ✔ | Docker Unauthorized | 2375 端口打开并且未授权 | critical |
| ✔ | Kernel version | 当前内核版本存在逃逸漏洞 | critical |
| ✔ | Network Module | Net 模式为host模式并且在特定 containerd 版本下 |
critical |
| ✔ | Docker Server version | Docker Server 版本存在漏洞 | critical/high/medium/low |
| ✔ | Docker env password check | Docker env 是否存在弱密码 | high/medium |
| ✔ | Image tag check | Image 没有被打 tag 或为默认 latest | low |
| 待定 | Container env | 检查数据库是否未设置密码, 包括但不限于MySQL, Redis, Memcache |
- |
| 待定 | IaC scan | IaC 扫描 | - |
Kubernetes 检查
| Supported | Check Item | Description | Severity |
|---|---|---|---|
| ✔ | PrivilegeAllowed | 危险的特权模式 | critical |
| ✔ | Capabilities | 危险 capabilities 被设置 | critical |
| ✔ | PV and PVC | PV 被挂载到敏感目录并且状态为 active | critical/medium |
| ✔ | ClusterRoleBinding | 默认账户被赋予了权限 | high/medium |
| ✔ | Kubernetes-dashborad | 检查 -enable-skip-login以及 dashborad 的账户权限 |
critical/high/low |
| ✔ | Kernel version (k8s versions is less than v1.24) | 当前内核版本存在逃逸漏洞 | critical |
| ✔ | Docker Server version (k8s versions is less than v1.24) | Docker Server 版本存在漏洞 | critical/high/medium/low |
| ✔ | Kubernetes certification expiration | 证书到期时间小于 30 天 | medium |
| ✔ | ConfigMap and Secret check | ConfigMap 或者 Secret 是否存在弱密码 | high/medium |
| ✔ | Auto Mount ServiceAccount Token | Pod 默认挂载了 /var/run/secrets/kubernetes.io/serviceaccount/token. |
low |
| ✔ | NoResourceLimits | 没有限制资源的使用,例如 CPU,Memory, 存储 | low |
| ✔ | Job and Cronjob | Job 或 CronJob 没有设置 seccomp 或 seLinux 安全策略 | low |
| 待定 | CVE-2022-29179 | 检测 CVE-2022-29179 是否存在 | critical |
| 待定 | Envoy admin | Envoy admin 被配置以及监听0.0.0.0. |
- |
| 待定 | Kubelet 10255 and Kubectl proxy | 10255 port 打开或 Kubectl proxy 开启 | - |
| 待定 | Trampoline attack | RBAC 权限不安全,容易遭受 Trampoline 攻击 | - |
| 待定 | IaC scan | Iac 扫描 | - |
使用样例
检查 k8s 的基础配置
$./vesta analyze k8s
2022/11/29 23:15:59 Start analysing
2022/11/29 23:15:59 Geting docker server version
2022/11/29 23:15:59 Geting kernel version
Detected 4 vulnerabilities
Pods:
+----+--------------------+------------------------------+-------------------+-----------------------+----------+--------------------------------+
| ID | POD DETAIL | PARAM | VALUE | TYPE | SEVERITY | DESCRIPTION |
+----+--------------------+------------------------------+-------------------+-----------------------+----------+--------------------------------+
| 1 | Name: vulntest | test-volume | /etc | Directory | critical | Mounting '/etc' is suffer |
| | Namespace: default | | | | | vulnerable of container |
| | | | | | | escape. |
+ + +------------------------------+-------------------+-----------------------+----------+--------------------------------+
| | | Privileged | true | Pod | critical | There has a potential |
| | | | | | | container escape in privileged |
| | | | | | | module. |
+ + +------------------------------+-------------------+-----------------------+----------+--------------------------------+
| | | AllowPrivilegeEscalation | true | Pod | critical | There has a potential |
| | | | | | | container escape in privileged |
| | | | | | | module. |
+ + +------------------------------+-------------------+-----------------------+----------+--------------------------------+
| | | Resource | memory, cpu, | Pod | low | None of resources is be |
| | | | ephemeral-storage | | | limited. |
+----+--------------------+------------------------------+-------------------+-----------------------+----------+--------------------------------+
Configures:
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
| ID | TYPEL | PARAM | VALUE | SEVERITY | DESCRIPTION |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
| 1 | K8s version less than v1.24 | kernel version | 5.10.104-linuxkit | critical | Kernel version is suffering |
| | | | | | the CVE-2022-0185 with |
| | | | | | CAP_SYS_ADMIN vulnerablility, |
| | | | | | has a potential container |
| | | | | | escape. |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
| 2 | ConfigMap | data: db.string | db.string:mysql+pymysql://dbapp:Password123@db:3306/db | high | ConfigMap has found weak |
| | | | | | password: 'Password123'. |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
| 3 | Secret | data: password | password:Password123 | high | Secret has found weak |
| | | | | | password: 'Password123'. |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
| 4 | ClusterRoleBinding | binding name: | verbs: | high | Key permission are given to |
| | | vuln-clusterrolebinding | | get,watch,list,create,update | | | the default service account |
| | | rolename: vuln-clusterrole | | resources: pods,services | | which will cause a potential |
| | | namespace: default | | | container escape. |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
展望
Vesta 希望能够最大化方便开发者们排查日常配置中的一些基线安全问题,并且也希望云上环境更加安全
目前尚无回复
Select Language