Vesta is a practical, easy-to-use image scanning tool and Docker/Kubernetes baseline security checker. It focuses on catching the potential security problems that arise from Docker or Kubernetes misconfiguration.
The changes in Vesta v1.0.3 are as follows:
New features
- Image scanning now also checks the versions of Java, PHP and Rust dependencies
- Added istio checks: an istio version check and a check for istio request headers that expose overly sensitive information (see the related issue)
- Added a check of the Docker history command lines that looks for echo commands writing weak passwords
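As an added illustration of the Docker history check (example code written for this page, not Vesta's own implementation): it scans the CREATED BY text of each layer, as printed by docker history --no-trunc, for echo commands that pipe a user:password pair into chpasswd or write a PASSWORD/SECRET/TOKEN style variable, then grades the captured password with a small deny-list and a character-class rule. The deny-list, the two regular expressions, the grading thresholds and the sample history are all assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"unicode"
)

// Finding is one credential written into an image layer by an echo command.
type Finding struct {
	Layer    int    // index in the history list (0 = most recent, as docker history prints it)
	Account  string // user name (chpasswd) or variable name (env assignment) the password belongs to
	Password string
	Weak     bool
	Reason   string
	Command  string
}

// Illustrative deny-list; a real scanner ships a much longer one (assumption of this example).
var weakList = map[string]bool{
	"123456": true, "password": true, "password123": true, "admin": true, "root": true, "qwerty": true,
}

var (
	// echo "user:secret" | chpasswd
	reChpasswd = regexp.MustCompile(`echo\s+['"]?([^\s'":|]+):([^\s'"|]+)['"]?\s*\|\s*chpasswd`)
	// echo "DB_PASSWORD=secret" >> /etc/profile, echo export APP_SECRET=... and similar
	reEnvAssign = regexp.MustCompile(`(?i)echo\s+['"]?(?:export\s+)?([A-Z0-9_]*(?:PASS|PASSWORD|PWD|SECRET|TOKEN)[A-Z0-9_]*)=([^\s'"]+)`)
)

// IsWeak applies the deny-list first, then a length rule, then a character-class rule.
func IsWeak(pw string) (bool, string) {
	if weakList[strings.ToLower(pw)] {
		return true, "listed weak password"
	}
	if len(pw) < 8 {
		return true, "shorter than 8 characters"
	}
	other := func(r rune) bool { return !unicode.IsLetter(r) && !unicode.IsDigit(r) }
	classes := 0
	for _, has := range []func(rune) bool{unicode.IsUpper, unicode.IsLower, unicode.IsDigit, other} {
		if strings.IndexFunc(pw, has) >= 0 {
			classes++
		}
	}
	if classes < 3 {
		return true, "fewer than 3 character classes"
	}
	return false, ""
}

// ScanHistory inspects the CREATED BY text of each layer and reports credentials set via echo.
// A credential that is not weak is still reported, because it is baked into the image history.
func ScanHistory(createdBy []string) []Finding {
	var out []Finding
	for i, cmd := range createdBy {
		var account, pw string
		if m := reChpasswd.FindStringSubmatch(cmd); m != nil {
			account, pw = m[1], m[2]
		} else if m := reEnvAssign.FindStringSubmatch(cmd); m != nil {
			account, pw = m[1], m[2]
		} else {
			continue
		}
		weak, reason := IsWeak(pw)
		if !weak {
			reason = "credential baked into image history"
		}
		out = append(out, Finding{Layer: i, Account: account, Password: pw, Weak: weak, Reason: reason, Command: cmd})
	}
	return out
}

// Constructed sample history lines (not real image output).
var sampleHistory = []string{
	`/bin/sh -c #(nop)  CMD ["nginx" "-g" "daemon off;"]`,
	`/bin/sh -c echo "root:Password123" | chpasswd`,
	`/bin/sh -c echo 'export DB_PASSWORD=Tr0ub4dor&3xyz' >> /etc/profile`,
	`/bin/sh -c apt-get update && apt-get install -y curl`,
	`/bin/sh -c echo app:123456 | chpasswd`,
}

func main() {
	for _, f := range ScanHistory(sampleHistory) {
		fmt.Printf("layer %d: %s=%q weak=%t (%s)\n", f.Layer, f.Account, f.Password, f.Weak, f.Reason)
	}
}
```

The chpasswd pattern is tried first because a chpasswd line never contains an "=" assignment, while an env assignment never ends in "| chpasswd", so each layer yields at most one finding.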
Improvements
- Improved the npm check: package.json files are now found by a global search and analysed
- The running-container check now includes the mounted paths
- Improved the image layer analysis
- Revised the RBAC detection rules
- More detailed result output
In the RBAC check we noticed that high-risk permissions granted to unknown Users should be printed so developers can review them themselves. The RBAC risk levels were also reorganised into four levels, high, medium, low and warning; high-risk resources such as pods and deployments are now examined together with the verbs granted on them, and unknown resources are no longer placed in the high-risk range. Group checks were added, covering names such as system:unauthenticated and system:serviceaccounts:, and the RoleBinding results are now evaluated together with whether /var/run/secrets/kubernetes.io/serviceaccount is mounted in a running container. An example of the output:
Pods:
+----+----------------------------+--------------------------------+----------------------------------+------------------------+----------+------------------------------------+
| ID | POD DETAIL                 | PARAM                          | VALUE                            | TYPE                   | SEVERITY | DESCRIPTION                        |
+----+----------------------------+--------------------------------+----------------------------------+------------------------+----------+------------------------------------+
| 1  | Name: vulntest             | sidecar name: vulntest |       | true                             | Pod                    | critical | There has a potential container    |
|    | Namespace: default         | Privileged                     |                                  |                        |          | escape in privileged module.       |
|    | Status: Running            |                                |                                  |                        |          |                                    |
|    | Node Name: docker-desktop  |                                |                                  |                        |          |                                    |
|    |                            +--------------------------------+----------------------------------+------------------------+----------+------------------------------------+
|    |                            | sidecar name: vulntest |       | memory, cpu, ephemeral-storage   | Pod                    | low      | None of resources is be limited.   |
|    |                            | Resource                       |                                  |                        |          |                                    |
+----+----------------------------+--------------------------------+----------------------------------+------------------------+----------+------------------------------------+
| 2  | Name: vulntest2            | sidecar name: vulntest2 |      | CAP_SYS_ADMIN                    | capabilities.add       | critical | There has a potential container    |
|    | Namespace: default         | capabilities                   |                                  |                        |          | escape in privileged module.       |
|    | Status: Running            |                                |                                  |                        |          |                                    |
|    | Node Name: docker-desktop  |                                |                                  |                        |          |                                    |
|    |                            +--------------------------------+----------------------------------+------------------------+----------+------------------------------------+
|    |                            | sidecar name: vulntest2 |      | true                             | kube-api-access-lcvh8  | critical | Mount service account and key      |
|    |                            | automountServiceAccountToken   |                                  |                        |          | permission are given, which will   |
|    |                            |                                |                                  |                        |          | cause a potential container        |
|    |                            |                                |                                  |                        |          | escape. Reference clusterRolebind: |
|    |                            |                                |                                  |                        |          | vuln-clusterrolebinding |          |
|    |                            |                                |                                  |                        |          | roleBinding: vuln-rolebinding      |
|    |                            +--------------------------------+----------------------------------+------------------------+----------+------------------------------------+
|    |                            | sidecar name: vulntest2 |      | cpu                              | Pod                    | low      | CPU usage is not limited.          |
|    |                            | Resource                       |                                  |                        |          |                                    |
+----+----------------------------+--------------------------------+----------------------------------+------------------------+----------+------------------------------------+
Configures:
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+----------------------------------+
| ID | TYPE                        | PARAM                          | VALUE                                                  | SEVERITY | DESCRIPTION                      |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+----------------------------------+
| 1  | K8s version less than v1.24 | kernel version                 | 5.10.104-linuxkit                                      | critical | Kernel version is suffering      |
|    |                             |                                |                                                        |          | the CVE-2022-0185 with           |
|    |                             |                                |                                                        |          | CAP_SYS_ADMIN vulnerability,     |
|    |                             |                                |                                                        |          | has a potential container        |
|    |                             |                                |                                                        |          | escape.                          |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+----------------------------------+
| 2  | ConfigMap                   | ConfigMap Name: vulnconfig     | db.string:mysql+pymysql://dbapp:Password123@db:3306/db | high     | ConfigMap has found weak         |
|    |                             | Namespace: default             |                                                        |          | password: 'Password123'.         |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+----------------------------------+
| 3  | Secret                      | Secret Name: vulnsecret-auth   | password:Password123                                   | high     | Secret has found weak            |
|    |                             | Namespace: default             |                                                        |          | password: 'Password123'.         |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+----------------------------------+
| 4  | ClusterRoleBinding          | binding name:                  | verbs: get, watch, list, create, update                | high     | Key permissions with key         |
|    |                             | vuln-clusterrolebinding        | resources: pods, services                              |          | resources given to the default   |
|    |                             | rolename: vuln-clusterrole     |                                                        |          | service account, which will      |
|    |                             | kind: ClusterRole              |                                                        |          | cause a potential data leakage.  |
|    |                             | subject kind: Group            |                                                        |          |                                  |
|    |                             | subject name:                  |                                                        |          |                                  |
|    |                             | system:serviceaccounts:vuln    |                                                        |          |                                  |
|    |                             | namespace: vuln                |                                                        |          |                                  |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+----------------------------------+
| 5  | RoleBinding                 | binding name: vuln-rolebinding | verbs: get, watch, list, create, update                | high     | Key permissions with key         |
|    |                             | rolename: vuln-role            | resources: pods, services                              |          | resources given to the default   |
|    |                             | kind: Role                     |                                                        |          | service account, which will      |
|    |                             | subject kind: ServiceAccount   |                                                        |          | cause a potential data leakage.  |
|    |                             | subject name: default          |                                                        |          |                                  |
|    |                             | namespace: default             |                                                        |          |                                  |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+----------------------------------+
| 6  | ClusterRoleBinding          | binding name:                  | verbs: get, watch, list, create, update                | warning  | Key permission are given to      |
|    |                             | vuln-clusterrolebinding2       | resources: pods, services                              |          | unknown user 'testUser',         |
|    |                             | rolename: vuln-clusterrole     |                                                        |          | printing it for checking.        |
|    |                             | subject kind: User             |                                                        |          |                                  |
|    |                             | subject name: testUser         |                                                        |          |                                  |
|    |                             | namespace: all                 |                                                        |          |                                  |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+----------------------------------+
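The RBAC rules described above, as an added worked example (a reconstruction written for this page, not Vesta's own code): a binding flattened together with its role's rules is first ranked by verb and resource, User subjects are reported as warning for manual review, the system:unauthenticated and system:serviceaccounts groups get their own handling, and ServiceAccount subjects (and per-namespace system:serviceaccounts:<ns> groups) are cross-checked against which running pods actually mount the token under /var/run/secrets/kubernetes.io/serviceaccount. The key-resource and write-verb sets, the one-step downgrade when no running pod mounts the token, and the sample pods and bindings (which mirror the report above plus two extra cases) are assumptions of the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Severity levels of the RBAC check; Warning is not ranked, it flags an unknown subject for review.
type Severity int

const (
	Low Severity = iota
	Medium
	High
	Warning
)

var severityNames = []string{"low", "medium", "high", "warning"}

func (s Severity) String() string { return severityNames[s] }

// Binding is a (Cluster)RoleBinding flattened together with the rules of its role.
type Binding struct {
	Name                     string
	Verbs, Resources         []string
	SubjectKind, SubjectName string
	Namespace                string // ServiceAccount subject namespace
}

// PodMount says whether a running pod has /var/run/secrets/kubernetes.io/serviceaccount mounted.
type PodMount struct {
	Namespace, ServiceAccount string
	TokenMounted              bool
}

// Illustrative high-risk resources and write verbs (assumptions of this example).
var keyResources = map[string]bool{"pods": true, "deployments": true, "secrets": true, "*": true}
var writeVerbs = map[string]bool{"create": true, "update": true, "patch": true, "delete": true, "deletecollection": true, "*": true}

func hasAny(items []string, set map[string]bool) bool {
	for _, it := range items {
		if set[strings.ToLower(it)] {
			return true
		}
	}
	return false
}

// permissionSeverity: writes on key resources are high, reads on them medium, unknown resources low.
func permissionSeverity(verbs, resources []string) Severity {
	switch {
	case hasAny(resources, keyResources) && hasAny(verbs, writeVerbs):
		return High
	case hasAny(resources, keyResources):
		return Medium
	}
	return Low
}

// tokenReachable: is the token of sa (any SA when sa == "") in ns mounted in some running pod,
// i.e. could a compromised container actually exercise these permissions?
func tokenReachable(ns, sa string, pods []PodMount) bool {
	for _, p := range pods {
		if p.TokenMounted && p.Namespace == ns && (sa == "" || p.ServiceAccount == sa) {
			return true
		}
	}
	return false
}

// withMount keeps the severity when the token is reachable and lowers it one step otherwise.
func withMount(s Severity, reachable bool) (Severity, string) {
	if reachable {
		return s, "token mounted in a running pod"
	}
	if s > Low {
		s--
	}
	return s, "no running pod mounts the token, severity lowered"
}

// Assess combines subject kind, granted permissions and token mounts into one severity.
func Assess(b Binding, pods []PodMount) (Severity, string) {
	base := permissionSeverity(b.Verbs, b.Resources)
	switch b.SubjectKind {
	case "User":
		return Warning, fmt.Sprintf("granted to unknown user %q, printed for review", b.SubjectName)
	case "ServiceAccount":
		return withMount(base, tokenReachable(b.Namespace, b.SubjectName, pods))
	case "Group":
		switch {
		case b.SubjectName == "system:unauthenticated":
			return High, "granted to unauthenticated requests"
		case b.SubjectName == "system:serviceaccounts":
			return base, "granted to every service account in the cluster"
		case strings.HasPrefix(b.SubjectName, "system:serviceaccounts:"):
			ns := strings.TrimPrefix(b.SubjectName, "system:serviceaccounts:")
			return withMount(base, tokenReachable(ns, "", pods))
		}
		return base, fmt.Sprintf("granted to group %q", b.SubjectName)
	}
	return Warning, fmt.Sprintf("unknown subject kind %q", b.SubjectKind)
}

// Constructed sample data mirroring the report above (vulntest2 mounts the default SA token).
var rw = []string{"get", "watch", "list", "create", "update"}

var samplePods = []PodMount{
	{"default", "default", true},
	{"vuln", "app", true},
	{"jobs", "batch", false},
}

var sampleBindings = []Binding{
	{Name: "vuln-clusterrolebinding", Verbs: rw, Resources: []string{"pods", "services"}, SubjectKind: "Group", SubjectName: "system:serviceaccounts:vuln"},
	{Name: "vuln-rolebinding", Verbs: rw, Resources: []string{"pods", "services"}, SubjectKind: "ServiceAccount", SubjectName: "default", Namespace: "default"},
	{Name: "vuln-clusterrolebinding2", Verbs: rw, Resources: []string{"pods", "services"}, SubjectKind: "User", SubjectName: "testUser"},
	{Name: "batch-rolebinding", Verbs: []string{"get", "list"}, Resources: []string{"secrets"}, SubjectKind: "ServiceAccount", SubjectName: "batch", Namespace: "jobs"},
	{Name: "anon-binding", Verbs: []string{"get"}, Resources: []string{"configmaps"}, SubjectKind: "Group", SubjectName: "system:unauthenticated"},
}

func main() {
	for _, b := range sampleBindings {
		sev, why := Assess(b, samplePods)
		fmt.Printf("%-26s %-8s %s\n", b.Name, sev, why)
	}
}
```

With these inputs the three bindings from the report come out as high, high and warning; the batch-rolebinding drops from medium to low because no running pod in the jobs namespace mounts that token, and anything granted to system:unauthenticated is high regardless of the resource.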
Fixes
- Fixed a version comparison failure caused by non-numeric version strings
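One way to make version comparison tolerant of such strings, as an added example (written for this page, not Vesta's code): parsing never fails on inputs like 5.10.104-linuxkit or v1.2.3-rc.1+build, core segments keep only their leading digits, and two comparisons are offered. CompareCore ignores the suffix entirely and is what a "below the fixed version" check wants, so 5.10.104-linuxkit is not treated as older than 5.10.104; Compare applies semver precedence to pre-release identifiers on top of the core. The function names, the choice to treat trailing letters in a core segment as 0, and the sample pairs are assumptions of the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// version is a parsed "v1.2.3-rc.1+build" string: numeric core and pre-release identifiers.
type version struct {
	core []int
	pre  []string
}

// leadingInt returns the integer formed by the leading digits of s (0 if there are none),
// so "104rc" -> 104 and "x" -> 0 instead of a parse error.
func leadingInt(s string) int {
	i := 0
	for i < len(s) && s[i] >= '0' && s[i] <= '9' {
		i++
	}
	n, _ := strconv.Atoi(s[:i]) // Atoi("") errors and n stays 0
	return n
}

// parse never fails: build metadata after '+' is dropped, text after the first '-'
// becomes the pre-release part, and each core segment keeps only its leading digits.
func parse(s string) version {
	s = strings.TrimLeft(strings.TrimSpace(s), "vV")
	if i := strings.IndexByte(s, '+'); i >= 0 {
		s = s[:i]
	}
	var v version
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.pre = strings.Split(s[i+1:], ".")
		s = s[:i]
	}
	for _, seg := range strings.Split(s, ".") {
		v.core = append(v.core, leadingInt(seg))
	}
	return v
}

func cmpInt(a, b int) int {
	switch {
	case a < b:
		return -1
	case a > b:
		return 1
	}
	return 0
}

// compareCore compares numeric segments; a missing segment counts as 0, so 2.0 == 2.0.0.
func compareCore(a, b []int) int {
	for i := 0; i < len(a) || i < len(b); i++ {
		var x, y int
		if i < len(a) {
			x = a[i]
		}
		if i < len(b) {
			y = b[i]
		}
		if c := cmpInt(x, y); c != 0 {
			return c
		}
	}
	return 0
}

// CompareCore ignores pre-release and build suffixes: 5.10.104-linuxkit == 5.10.104.
// Use it for "installed version is below the fixed version" checks.
func CompareCore(a, b string) int {
	return compareCore(parse(a).core, parse(b).core)
}

// Compare adds semver precedence: equal cores, then a version without a pre-release ranks
// above one with it, then identifiers compare numerically when both are numbers and
// lexically otherwise (rc.2 < rc.10, alpha < beta), and a longer identifier list ranks higher.
func Compare(a, b string) int {
	va, vb := parse(a), parse(b)
	if c := compareCore(va.core, vb.core); c != 0 {
		return c
	}
	switch {
	case len(va.pre) == 0 && len(vb.pre) == 0:
		return 0
	case len(va.pre) == 0:
		return 1
	case len(vb.pre) == 0:
		return -1
	}
	for i := 0; i < len(va.pre) && i < len(vb.pre); i++ {
		x, xerr := strconv.Atoi(va.pre[i])
		y, yerr := strconv.Atoi(vb.pre[i])
		c := strings.Compare(va.pre[i], vb.pre[i])
		if xerr == nil && yerr == nil {
			c = cmpInt(x, y)
		}
		if c != 0 {
			return c
		}
	}
	return cmpInt(len(va.pre), len(vb.pre))
}

func main() {
	// Constructed sample pairs, including the kernel string from the report above.
	pairs := [][2]string{{"5.10.104-linuxkit", "5.10.105"}, {"v1.24.0", "1.23.5"}, {"1.2.3-rc.2", "1.2.3-rc.10"}, {"2.0", "2.0.0"}}
	for _, p := range pairs {
		fmt.Printf("Compare(%q, %q) = %d, CompareCore = %d\n", p[0], p[1], Compare(p[0], p[1]), CompareCore(p[0], p[1]))
	}
}
```

A naive strconv.Atoi on each dot-separated piece is exactly what breaks on "104-linuxkit"; keeping only the leading digits and moving everything after the first "-" into the pre-release list is what lets both comparisons succeed on distribution-tagged kernel versions.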