Vesta is a practical image-scanning and Docker/Kubernetes baseline security-check tool. It focuses on finding the potential security problems that result from Docker or Kubernetes misconfiguration.
Vesta v1.0.3 changes:
New features
- Image check: dependency version checks now also cover Java, PHP and Rust
- Istio checks added: an Istio version check, and a check for Istio request headers that expose overly sensitive information (see the referenced issue)
- Docker history check added: the image build history is scanned for echo commands that set weak passwords
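As an added illustration of the Docker history check (example code written for this page, not Vesta's own implementation): it takes the lines that `docker history --no-trunc --format '{{.CreatedBy}}' IMAGE` prints, looks for the `echo user:pass | chpasswd` idiom, and rates each password with a small wordlist plus a length floor. The history lines, the wordlist and the Finding type are all constructed here and are not taken from any real image or from the project.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one weak-password hit in an image's build history.
type Finding struct {
	Layer    int // index in the history output, 0 = newest layer
	User     string
	Password string
	Reason   string
}

// echoChpasswd matches the classic `echo user:pass | chpasswd` idiom, with or
// without quotes and with an optional `echo -e`.
var echoChpasswd = regexp.MustCompile(`echo\s+(?:-e\s+)?["']?([A-Za-z0-9_.-]+):([^"'\s|]+)["']?\s*\|\s*chpasswd`)

// weakList is a constructed stand-in for a real wordlist.
var weakList = map[string]bool{
	"password": true, "password123": true, "123456": true, "admin": true, "root": true, "toor": true, "changeme": true,
}

// isWeak applies the two checks a scanner usually combines: a wordlist and a length floor.
func isWeak(pw string) (reason string, weak bool) {
	if weakList[strings.ToLower(pw)] {
		return "in weak-password list", true
	}
	if len(pw) < 8 {
		return "shorter than 8 characters", true
	}
	return "", false
}

// ScanHistory takes the output of
//
//	docker history --no-trunc --format '{{.CreatedBy}}' IMAGE
//
// (one layer per line, newest first) and reports weak passwords set via echo.
func ScanHistory(history string) []Finding {
	var out []Finding
	for i, line := range strings.Split(strings.TrimSpace(history), "\n") {
		for _, m := range echoChpasswd.FindAllStringSubmatch(line, -1) {
			if reason, weak := isWeak(m[2]); weak {
				out = append(out, Finding{Layer: i, User: m[1], Password: m[2], Reason: reason})
			}
		}
	}
	return out
}

// sampleHistory is constructed to look like `docker history` output; it is not
// taken from any real image.
const sampleHistory = `/bin/sh -c #(nop)  CMD ["nginx" "-g" "daemon off;"]
/bin/sh -c echo "root:Password123" | chpasswd
/bin/sh -c useradd -m app && echo 'app:Xk9#vL2pQw7!mR' | chpasswd
/bin/sh -c echo admin:admin | chpasswd
/bin/sh -c #(nop) ADD file:deadbeef in /`

func main() {
	for _, f := range ScanHistory(sampleHistory) {
		fmt.Printf("layer %d: user %q password %q (%s)\n", f.Layer, f.User, f.Password, f.Reason)
	}
}
```

The strong password on the `app` line is deliberately left unreported: the point of the check is the weak value, not the mere presence of chpasswd in a layer. Note that a password set this way survives in the layer even if a later layer deletes the shadow file, which is why history rather than the final filesystem is scanned.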
 
Improvements
- npm check improved: package.json files are now located by a global search of the image and analysed
- The running-container check now includes mounted paths
- Improved image layer analysis
- Revised RBAC detection rules
- More detailed result printing
 
In the RBAC check we noticed that high-risk permissions granted to unknown Users should be printed so that developers can review them themselves. RBAC risk is now rated on four levels: high, medium, low and warning. High-risk resources such as pods and deployments are examined together with the verbs granted on them, and unknown resources are no longer placed in the high-risk range. Group checks were added, covering subjects such as system:unauthenticated and the system:serviceaccounts: family, and the RoleBinding results are now combined with whether /var/run/secrets/kubernetes.io/serviceaccount is mounted in a running pod to give an overall assessment. Sample output:
Pods:

| ID | POD DETAIL | PARAM | VALUE | TYPE | SEVERITY | DESCRIPTION |
|----|-----------|-------|-------|------|----------|-------------|
| 1 | Name: vulntest; Namespace: default; Status: Running; Node Name: docker-desktop | sidecar name: vulntest; Privileged | true | Pod | critical | There has a potential container escape in privileged module. |
| | | sidecar name: vulntest; Resource | memory, cpu, ephemeral-storage | Pod | low | None of resources is be limited. |
| 2 | Name: vulntest2; Namespace: default; Status: Running; Node Name: docker-desktop | sidecar name: vulntest2; capabilities | CAP_SYS_ADMIN | capabilities.add | critical | There has a potential container escape in privileged module. |
| | | sidecar name: vulntest2; automountServiceAccountToken | true | kube-api-access-lcvh8 | critical | Mount service account and key permission are given, which will cause a potential container escape. Reference clusterRolebind: vuln-clusterrolebinding; roleBinding: vuln-rolebinding |
| | | sidecar name: vulntest2; Resource | cpu | Pod | low | CPU usage is not limited. |

Configures:

| ID | TYPE | PARAM | VALUE | SEVERITY | DESCRIPTION |
|----|------|-------|-------|----------|-------------|
| 1 | K8s version less than v1.24 | kernel version | 5.10.104-linuxkit | critical | Kernel version is suffering the CVE-2022-0185 with CAP_SYS_ADMIN vulnerability, has a potential container escape. |
| 2 | ConfigMap | ConfigMap Name: vulnconfig; Namespace: default | db.string:mysql+pymysql://dbapp:Password123@db:3306/db | high | ConfigMap has found weak password: 'Password123'. |
| 3 | Secret | Secret Name: vulnsecret-auth; Namespace: default | password:Password123 | high | Secret has found weak password: 'Password123'. |
| 4 | ClusterRoleBinding | binding name: vuln-clusterrolebinding; rolename: vuln-clusterrole; kind: ClusterRole; subject kind: Group; subject name: system:serviceaccounts:vuln; namespace: vuln | verbs: get, watch, list, create, update; resources: pods, services | high | Key permissions with key resources given to the default service account, which will cause a potential data leakage. |
| 5 | RoleBinding | binding name: vuln-rolebinding; rolename: vuln-role; role kind: Role; subject kind: ServiceAccount; subject name: default; namespace: default | verbs: get, watch, list, create, update; resources: pods, services | high | Key permissions with key resources given to the default service account, which will cause a potential data leakage. |
| 6 | ClusterRoleBinding | binding name: vuln-clusterrolebinding2; rolename: vuln-clusterrole; subject kind: User; subject name: testUser; namespace: all | verbs: get, watch, list, create, update; resources: pods, services | warning | Key permission are given to unknown user 'testUser', printing it for checking. |

Fixes
- Fixed a version-comparison failure caused by non-numeric version strings
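The version-comparison fix above concerns strings like the kernel version in the sample output, 5.10.104-linuxkit, or distribution builds such as v1.23.4+k3s1, which break a naive "split on dots and convert to integers" comparison. As an added example written for this page (not Vesta's own comparator), the comparison below keeps only the numeric prefix of each dot-separated component, drops anything after the first "-" or "+", and reports an unknown version instead of comparing garbage; the function names Components, Compare and LessThan are this example's own. It deliberately treats "1.24-rc1" as equal to "1.24", which is fine for a baseline threshold such as "K8s version less than v1.24" but is not full semantic-versioning pre-release ordering.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Components turns a version string into its numeric dot-separated parts.
// It tolerates a leading "v", distro or build suffixes ("5.10.104-linuxkit",
// "v1.23.4+k3s1") and components with trailing letters ("104abc" -> 104).
// It returns nil when no numeric component exists, so callers can report an
// unknown version instead of comparing garbage.
func Components(v string) []int {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	// Everything after the first '-' or '+' is pre-release or build metadata.
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var out []int
	for _, part := range strings.Split(v, ".") {
		end := 0
		for end < len(part) && part[end] >= '0' && part[end] <= '9' {
			end++
		}
		if end == 0 {
			break // first non-numeric component ends the comparable prefix
		}
		n, _ := strconv.Atoi(part[:end]) // digits only; overflow on absurd input is ignored
		out = append(out, n)
	}
	return out
}

// Compare returns -1, 0 or 1 when a is lower than, equal to or higher than b.
// Missing components count as zero, so "1.24" equals "v1.24.0".
func Compare(a, b string) int {
	pa, pb := Components(a), Components(b)
	for i := 0; i < len(pa) || i < len(pb); i++ {
		var x, y int
		if i < len(pa) {
			x = pa[i]
		}
		if i < len(pb) {
			y = pb[i]
		}
		switch {
		case x < y:
			return -1
		case x > y:
			return 1
		}
	}
	return 0
}

// LessThan is the shape a baseline rule such as "K8s version less than v1.24"
// needs; ok is false when either side has no numeric components.
func LessThan(have, threshold string) (less, ok bool) {
	if Components(have) == nil || Components(threshold) == nil {
		return false, false
	}
	return Compare(have, threshold) < 0, true
}

func main() {
	// Constructed inputs, including the kernel string from the sample output.
	for _, c := range [][2]string{
		{"5.10.104-linuxkit", "5.10.96"},
		{"v1.23.4+k3s1", "1.24"},
		{"1.24", "v1.24.0"},
		{"unknown", "1.24"},
	} {
		less, ok := LessThan(c[0], c[1])
		fmt.Printf("%-18s < %-8s  less=%v ok=%v\n", c[0], c[1], less, ok)
	}
}
```

Returning ok=false for an unparsable version matters for a scanner: a failed comparison should show up as "version unknown, check manually", not as silently passing or failing the baseline.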
 
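The RBAC scoring rules described above (unknown Users printed as warnings, the four severity levels, high-risk resources combined with verbs, system:unauthenticated and system:serviceaccounts: groups, and RoleBindings cross-checked against the service-account token mount) can be written down as one small classifier. The code below is an added example written for this page, not Vesta's implementation: the Binding and Pod types, the highRisk and writeVerbs sets (only pods and deployments are named on the page; secrets and "*" are this example's additions) and the exact severity assigned to each branch are assumptions, and the sample bindings are constructed to mirror the demo cluster in the output above.

```go
package main

import (
	"fmt"
	"strings"
)

// Severity is the four-level RBAC scale the release notes describe.
type Severity string

const (
	SevHigh    Severity = "high"
	SevMedium  Severity = "medium"
	SevLow     Severity = "low"
	SevWarning Severity = "warning"
)

// Binding is a (Cluster)RoleBinding flattened with the rule its role grants.
// Hypothetical type for this example, not Vesta's own.
type Binding struct {
	Name        string
	SubjectKind string // "ServiceAccount", "Group" or "User"
	SubjectName string
	Namespace   string // namespace of a ServiceAccount subject ("" for Group/User)
	Verbs       []string
	Resources   []string
}

// Pod holds just what the token-mount check needs.
type Pod struct {
	Name, Namespace, ServiceAccount string
	AutomountToken                  bool // automountServiceAccountToken; Kubernetes defaults it to true
}

// highRisk are resources where write access becomes an escalation path.
// pods and deployments are named on the page; secrets and "*" are assumptions.
var highRisk = map[string]bool{"pods": true, "deployments": true, "secrets": true, "*": true}

// writeVerbs are verbs that create or change those resources.
var writeVerbs = map[string]bool{"create": true, "update": true, "patch": true, "delete": true, "*": true}

func anyIn(items []string, set map[string]bool) bool {
	for _, it := range items {
		if set[it] {
			return true
		}
	}
	return false
}

// tokenMounted reports whether a running pod uses the bound ServiceAccount with
// its token auto-mounted at /var/run/secrets/kubernetes.io/serviceaccount.
func tokenMounted(b Binding, pods []Pod) bool {
	for _, p := range pods {
		if p.Namespace == b.Namespace && p.ServiceAccount == b.SubjectName && p.AutomountToken {
			return true
		}
	}
	return false
}

// Assess rates one binding. A binding that touches no high-risk resource never
// rises above low, whatever the subject.
func Assess(b Binding, pods []Pod) (Severity, string) {
	key := anyIn(b.Resources, highRisk)
	write := anyIn(b.Verbs, writeVerbs)
	if !key {
		return SevLow, "no high-risk resource in the rule"
	}
	switch b.SubjectKind {
	case "User":
		// Users are managed outside the cluster: surface them for manual review.
		return SevWarning, fmt.Sprintf("key permissions given to unknown user %q, printing it for checking", b.SubjectName)
	case "Group":
		switch {
		case b.SubjectName == "system:unauthenticated":
			return SevHigh, "key permissions reachable by anonymous callers"
		case strings.HasPrefix(b.SubjectName, "system:serviceaccounts") && write:
			return SevHigh, fmt.Sprintf("every service account in %q can write key resources", b.SubjectName)
		case strings.HasPrefix(b.SubjectName, "system:serviceaccounts"):
			return SevMedium, fmt.Sprintf("every service account in %q can read key resources", b.SubjectName)
		}
		return SevMedium, fmt.Sprintf("key permissions given to group %q", b.SubjectName)
	case "ServiceAccount":
		switch mounted := tokenMounted(b, pods); {
		case write && mounted:
			return SevHigh, "write access to key resources and the token is mounted in a running pod"
		case mounted:
			return SevMedium, "read access to key resources and the token is mounted in a running pod"
		}
		return SevLow, "key permissions granted but no running pod mounts the token"
	}
	return SevLow, "unrecognised subject kind"
}

func main() {
	// Constructed sample modelled on the demo cluster in the release notes.
	pods := []Pod{{Name: "vulntest2", Namespace: "default", ServiceAccount: "default", AutomountToken: true}}
	verbs := []string{"get", "watch", "list", "create", "update"}
	keyRes := []string{"pods", "services"}
	bindings := []Binding{
		{Name: "vuln-rolebinding", SubjectKind: "ServiceAccount", SubjectName: "default", Namespace: "default", Verbs: verbs, Resources: keyRes},
		{Name: "vuln-clusterrolebinding", SubjectKind: "Group", SubjectName: "system:serviceaccounts:vuln", Verbs: verbs, Resources: keyRes},
		{Name: "vuln-clusterrolebinding2", SubjectKind: "User", SubjectName: "testUser", Verbs: verbs, Resources: keyRes},
		{Name: "unknown-resource", SubjectKind: "ServiceAccount", SubjectName: "default", Namespace: "default", Verbs: verbs, Resources: []string{"widgets"}},
	}
	for _, b := range bindings {
		sev, why := Assess(b, pods)
		fmt.Printf("%-26s %-8s %s\n", b.Name, sev, why)
	}
}
```

The cross-check with the pod list is what turns a RoleBinding into a concrete finding: the same binding on the default service account drops to low when no running pod mounts the token, because nothing in the cluster can actually present it. A real scanner must also treat a missing automountServiceAccountToken field as true, since that is the Kubernetes default.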