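Docker Security Scanning Tools: Anchore
This post briefly introduces how to install and use Anchore, a Docker security scanning tool.
Preface
The steps below were carried out on a CentOS 7.6 virtual machine.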
- [root@localhost ~]# cat /etc/redhat-release
- CentOS Linux release 7.6. (Core)
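Installing Docker
The installation steps are as follows; see "Getting Started with Docker" for reference.
- # yum remove docker docker-common docker-selinux # if previously installed, uninstall first
- # yum install -y yum-utils device-mapper-persistent-data lvm2 # install dependencies
- # yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo # configure the package repository
- # yum install docker-ce -y # install docker
- # systemctl start docker # start the docker service
- # systemctl enable docker # start docker at boot
- # docker -v # show the docker version
- # docker info # show detailed docker information
Adding dpkg support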
- # yum install epel-release -y
- # yum install dpkg -y
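Installing Anchore
Anchore needs Python to install and run. CentOS 7.6 ships with python and pip by default, but pip may need to be upgraded first.
- # pip install --upgrade pip
Step 1: Install Anchore
- # pip install anchore
Step 2: Set the environment variable (temporary, for the current shell only)
- # export PATH=~/.local/bin:$PATH
Step 3: Check the anchore version
- # anchore --version
Step 4: List the feed subscriptions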
- [root@localhost ~]# anchore feeds list
- initializing feed metadata: ...
- Available:
- nvd:
- description: Feed record for type nvd
- nvdv2:
- description: Feed record for type nvdv2
- packages:
- description: Feed record for type packages
- Subscribed:
- vulnerabilities:
- description: Feed record for type vulnerabilities
By default, only the last one is subscribed.
Step 5: Sync the subscribed feeds
- [root@localhost ~]# anchore feeds sync
- syncing data for subscribed feed (vulnerabilities) ...
- syncing group data: debian:unstable: ...
- syncing group data: ubuntu:16.04: ...
- syncing group data: centos:: ...
- syncing group data: centos:: ...
- syncing group data: centos:: ...
- syncing group data: amzn:: ...
- syncing group data: ubuntu:14.04: ...
- syncing group data: centos:: ...
- syncing group data: ubuntu:14.10: ...
- syncing group data: debian:: ...
- syncing group data: debian:: ...
- syncing group data: ubuntu:15.04: ...
- syncing group data: debian:: ...
- syncing group data: debian:: ...
- syncing group data: ubuntu:12.04: ...
- syncing group data: ubuntu:18.04: ...
- syncing group data: ubuntu:17.10: ...
- syncing group data: ubuntu:19.10: ...
- syncing group data: debian:: ...
- syncing group data: ubuntu:16.10: ...
- syncing group data: alpine:3.3: ...
- syncing group data: alpine:3.4: ...
- syncing group data: alpine:3.5: ...
- syncing group data: alpine:3.6: ...
- syncing group data: alpine:3.7: ...
- syncing group data: alpine:3.8: ...
- syncing group data: alpine:3.9: ...
- syncing group data: ubuntu:13.04: ...
- syncing group data: ubuntu:15.10: ...
- syncing group data: alpine:3.10: ...
- syncing group data: ubuntu:12.10: ...
- syncing group data: ubuntu:18.10: ...
- syncing group data: ubuntu:17.04: ...
- syncing group data: ol:: ...
- syncing group data: ol:: ...
- syncing group data: ol:: ...
- syncing group data: ol:: ...
- syncing group data: ubuntu:19.04: ...
- skipping data sync for unsubscribed feed (nvd) ...
- skipping data sync for unsubscribed feed (nvdv2) ...
- skipping data sync for unsubscribed feed (packages) ...
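This step may take only ten minutes, or it may take longer; so far I have not found a way to speed it up.
Adding a feed subscription
From anchore feeds --help we learn that there is a sub subcommand for subscribing to a feed. To add the nvd subscription:
- [root@localhost ~]# anchore feeds sub nvd # add the nvd feed; other feeds can be subscribed the same way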
- nvd: subscribed.
- [root@localhost ~]# anchore feeds list # show the subscribed feeds
- Available:
- nvdv2:
- description: Feed record for type nvdv2
- packages:
- description: Feed record for type packages
- Subscribed:
- nvd:
- description: Feed record for type nvd # nvd is now subscribed
- vulnerabilities:
- description: Feed record for type vulnerabilities
- [root@localhost ~]# anchore feeds sync # sync the updates
- syncing data for subscribed feed (vulnerabilities) ...
- skipping group data: debian:unstable: already synced
- skipping group data: alpine:3.8: already synced
- skipping group data: ubuntu:16.04: already synced
- skipping group data: centos:: already synced
- skipping group data: centos:: already synced
- skipping group data: centos:: already synced
- skipping group data: amzn:: already synced
- skipping group data: ol:: already synced
- skipping group data: centos:: already synced
- skipping group data: ubuntu:14.10: already synced
- skipping group data: debian:: already synced
- skipping group data: debian:: already synced
- skipping group data: ubuntu:15.04: already synced
- skipping group data: debian:: already synced
- skipping group data: debian:: already synced
- skipping group data: ubuntu:12.04: already synced
- skipping group data: ubuntu:18.04: already synced
- skipping group data: ubuntu:17.10: already synced
- skipping group data: ubuntu:19.10: already synced
- skipping group data: debian:: already synced
- skipping group data: ubuntu:16.10: already synced
- skipping group data: alpine:3.3: already synced
- skipping group data: alpine:3.4: already synced
- skipping group data: alpine:3.5: already synced
- skipping group data: alpine:3.6: already synced
- skipping group data: alpine:3.7: already synced
- skipping group data: ubuntu:14.04: already synced
- skipping group data: alpine:3.9: already synced
- skipping group data: ubuntu:15.10: already synced
- skipping group data: alpine:3.10: already synced
- skipping group data: ubuntu:12.10: already synced
- skipping group data: ubuntu:18.10: already synced
- skipping group data: ubuntu:17.04: already synced
- skipping group data: ol:: already synced
- skipping group data: ol:: already synced
- skipping group data: ubuntu:13.04: already synced
- skipping group data: ol:: already synced
- skipping group data: ubuntu:19.04: already synced
- syncing data for subscribed feed (nvd) ... # syncing the nvd feed
- syncing group data: nvddb:: ...
- syncing group data: nvddb:: ...
- syncing group data: nvddb:: ...
- syncing group data: nvddb:: ...
- syncing group data: nvddb:: ...
- syncing group data: nvddb:: ...
- syncing group data: nvddb:: ...
- syncing group data: nvddb:: ...
- syncing group data: nvddb:: ...
- syncing group data: nvddb:: ...
- syncing group data: nvddb:: ...
- syncing group data: nvddb:: ...
- syncing group data: nvddb:: ...
- syncing group data: nvddb:: ...
- syncing group data: nvddb:: ...
- syncing group data: nvddb:: ...
- syncing group data: nvddb:: ...
- syncing group data: nvddb:: ...
- skipping data sync for unsubscribed feed (nvdv2) ...
- skipping data sync for unsubscribed feed (packages) ...
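A pre-scan check built on the anchore feeds list output shown above, as an added example that is not part of the original post: it parses the Available/Subscribed listing and reports which required feeds are not subscribed, so an analysis is not run against less vulnerability data than expected. The function names and the embedded sample (including its indentation) are constructed for illustration.

```shell
#!/bin/sh
# Added example: check `anchore feeds list` output for required subscriptions.

# Read a feeds listing on stdin; print the names under "Subscribed:", one per line.
subscribed_feeds() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        $0 == "Available:"  { section = "available";  next }
        $0 == "Subscribed:" { section = "subscribed"; next }
        # A feed name is a bare "name:" line; "description: ..." lines carry a value.
        section == "subscribed" && /^[A-Za-z0-9_-]+:$/ { sub(/:$/, ""); print }
    '
}

# missing_feeds "<feeds list output>" feed1 feed2 ...
# Prints each required feed that is not subscribed; returns 1 if any is missing.
missing_feeds() {
    listing=$1; shift
    have=$(printf '%s\n' "$listing" | subscribed_feeds)
    rc=0
    for feed in "$@"; do
        if ! printf '%s\n' "$have" | grep -qx -- "$feed"; then
            printf '%s\n' "$feed"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the default listing from Step 4, before `anchore feeds sub nvd`.
SAMPLE_DEFAULT='initializing feed metadata: ...
Available:
  nvd:
    description: Feed record for type nvd
  nvdv2:
    description: Feed record for type nvdv2
  packages:
    description: Feed record for type packages
Subscribed:
  vulnerabilities:
    description: Feed record for type vulnerabilities'

# Real use (assumes anchore is on PATH), before `anchore analyze`:
#   missing_feeds "$(anchore feeds list)" vulnerabilities nvd || exit 1
```

Run against the default listing with vulnerabilities and nvd as the required feeds, the check reports nvd as missing; after anchore feeds sub nvd it passes.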
Testing the tool
First, pull an image: mysql
- [root@localhost ~]# docker pull mysql
- [root@localhost ~]# docker images # list all images
- REPOSITORY TAG IMAGE ID CREATED SIZE
- mysql latest c8ee894bd2bd days ago 456MB
- nginx latest 5a9061639d0a days ago 126MB
- busybox latest 19485c79a9bb weeks ago .22MB
Image analysis
Analyze the mysql image.
- [root@localhost ~]# anchore analyze --image mysql
- Analyzing image: mysql
- c8ee894bd2bd: analyzing ...
- c8ee894bd2bd: analyzed.
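Generating a report
Use the gate command to generate the analysis report; by default it is written to the console.
I did not see an option for choosing the report output format in the gate command, so here I redirect the output to the file mysql.html.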
- [root@localhost ~]# anchore gate --image mysql > mysql.html
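Viewing the report
Open the mysql.html report to view the details.
For details on the commands, use --help or see the second reference link. My impression is that this tool is not yet ideal.
References
Getting Started with Docker: https://www.cnblogs.com/chiangchou/p/docker.html
Comparison test of automated Docker security scanning tools: https://blog.csdn.net/wutianxu123/article/details/83216219
That's all!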