Reposted from 趣知天下事
At first I tested Baidu OpenRASP's IAST feature (an active IAST). OpenRASP's IAST replays the traffic collected by the agent and scans selectively based on hook-point information. Compared with an active vulnerability scanner this sends far fewer requests, but it still produces a small amount of dirty data, which is not very friendly to testing. OpenRASP's scanner supports a URL whitelist; by whitelisting interfaces such as edit, add and logout I basically solved the dirty-data problem, but there were many missed findings. Moreover, because detection relies on replaying HTTP requests, interfaces that cannot be replayed (those protected by signatures, anti-replay mechanisms and the like) essentially cannot be scanned at all.
Then I saw that Huoxian had open-sourced DongTai IAST (a passive IAST). After deploying and testing it locally it matched my expectations, so I started rolling it out across the business lines and integrating it with the DevOps pipeline; automated IAST deployment for newly launched projects is now in place.
For an introduction to DongTai IAST, see the official documentation. Below I mainly share the IAST deployment and how it is integrated with DevOps.
1. DongTai IAST architecture diagram
2. IAST basic services
"Huoxian DongTai IAST" consists of five modules: DongTai-webapi, DongTai-openapi, DongTai-engine, DongTai-web and agent, where:
- DongTai-webapi: interacts with DongTai-web and handles user-related API requests
- DongTai-openapi: communicates with the agent, processes the data the agent reports, pushes policies to the agent, controls the agent's operation, etc.
- DongTai-engine: analyzes and processes the data received by DongTai-openapi, computing the vulnerabilities present and the usable taint call chains, etc.
There are dependencies among the five services, so they must be deployed in the following order:
3. Deploy the DongTai IAST cloud-side services locally
Server information

```text
OS: CentOS Linux release 7.9.2009 (Core)
CPU: 4 cores
Memory: 8G
Disk: 100G
```
After pulling the DongTai project code, run the build.sh script to deploy the docker environment in one step (because of network problems the code pull kept failing, so I deployed manually by following the shell script).
1. Pull the source of the 5 projects

```bash
# pull the latest code
git clone git@github.com:HXSecurity/DongTai.git
# clone the remaining repositories the same way:
# DongTai-webapi
# DongTai-openapi
# DongTai-engine
# DongTai-web
```
2. Create the virtual network

```bash
docker network rm dongtai-net || true
docker network create dongtai-net
```
3. Start the MySQL service

```bash
# inside the DongTai project, start mysql with docker
cd docker/mysql
docker build -t huoxian/dongtai-mysql:5.7 .
docker stop dongtai-mysql || true
docker rm dongtai-mysql || true
docker run -d --network dongtai-net --name dongtai-mysql --restart=always huoxian/dongtai-mysql:5.7

# or use an external mysql; make sure the version matches
cd docker/mysql
wget https://xxxx.xxxx.xxxx.xxxx/sca.sql
wget https://xxxx.xxxx.xxxx.xxxx/rule.sql
# each of the following imports one dump via `mysql ... < file.sql`;
# the redirected file names were not preserved in the original
mysql -uroot -p"dongtai-iast"
mysql -uroot -p"dongtai-iast"
mysql -uroot -p"dongtai-iast"
```
4. Start the redis service

```bash
# inside the DongTai project, start redis with docker
cd docker/redis
docker build -t huoxian/dongtai-redis:latest .
docker stop dongtai-redis || true
docker rm dongtai-redis || true
docker run -d --network dongtai-net --name dongtai-redis --restart=always huoxian/dongtai-redis:latest

# or use an external redis
redis-server /DongTai/docker/redis/redis.conf
```
5. Start the dongtai-webapi service

```bash
# inside the DongTai-webapi project
cd DongTai-webapi
git pull
cp conf/config.ini.example conf/config.ini
sed -i "s/mysql-server/dongtai-mysql/g" conf/config.ini >/dev/null
sed -i "s/mysql-port/3306/g" conf/config.ini >/dev/null
sed -i "s/database_name/dongtai_webapi/g" conf/config.ini >/dev/null
sed -i "s/mysql_username/root/g" conf/config.ini >/dev/null
# the passwords below are the defaults from the build script; replace them with your own
sed -i "s/mysql_password/dongtai-iast/g" conf/config.ini >/dev/null
sed -i "s/redis_server/dongtai-redis/g" conf/config.ini >/dev/null
sed -i "s/redis_port/6379/g" conf/config.ini >/dev/null
sed -i "s/redis_password/123456/g" conf/config.ini >/dev/null
sed -i "s/broker_db/0/g" conf/config.ini >/dev/null
sed -i "s/engine_url/dongtai-engine:8000/g" conf/config.ini >/dev/null
# dongtai-openapi here must be changed to your own IP (agents outside the docker network need to reach it)
sed -i "s/api_server_url/dongtai-openapi:8000/g" conf/config.ini >/dev/null
docker build -t huoxian/dongtai-webapi:latest .
docker stop dongtai-webapi || true
docker rm dongtai-webapi || true
docker run -d --network dongtai-net --name dongtai-webapi -e debug=false --restart=always huoxian/dongtai-webapi:latest
```
6. Start the dongtai-openapi service

```bash
cd DongTai-openapi
git pull
# reuse the config.ini generated for DongTai-webapi (cloned as a sibling directory)
cp ../DongTai-webapi/conf/config.ini conf/config.ini
docker build -t huoxian/dongtai-openapi:latest .
docker stop dongtai-openapi || true
docker rm dongtai-openapi || true
docker run -d --network dongtai-net -p 8000:8000 --name dongtai-openapi --restart=always huoxian/dongtai-openapi:latest
```
7. Start the dongtai-engine service

```bash
cd DongTai-engine/
git pull
# reuse the config.ini generated for DongTai-webapi (cloned as a sibling directory)
cp ../DongTai-webapi/conf/config.ini conf/config.ini
docker build -t huoxian/dongtai-engine:latest .
docker stop dongtai-engine || true
docker rm dongtai-engine || true
docker run -d --network dongtai-net --name dongtai-engine --restart=always huoxian/dongtai-engine:latest
```
8. Start the dongtai-engine-task service

```bash
cd DongTai-engine/
# same image as dongtai-engine, started in task mode
docker run -d --network dongtai-net --name dongtai-engine-task --restart=always huoxian/dongtai-engine:latest bash /opt/iast/engine/docker/entrypoint.sh task
```
9. Start the dongtai-web service

```bash
cd DongTai-web
git pull
cp nginx.conf.example nginx.conf
sed -i "s/lingzhi-api-svc/dongtai-webapi/g" nginx.conf >/dev/null
# because npm build kept failing, use the dist already shipped in the project
docker build -t huoxian/dongtai-web:latest .
docker stop dongtai-web || true
docker rm dongtai-web || true
docker run -d -p 80:80 --network dongtai-net --name dongtai-web --restart=always huoxian/dongtai-web:latest
```
4. Log in to the admin console
Make sure the security group or firewall opens ports 80 and 8000.
Open http://x.x.x.x in a browser to reach the dongtai-web service (default username/password: admin/admin). Change the password right after logging in, under System Settings - Change Password, and then configure security group policies to prevent malicious scanning.
Under Organization Management you can add sub-departments and regular users to make later division of work easier; sub-departments distinguish which business line an application belongs to, and each business line generates its own agent.
With the admin console deployed, the next step is to go with the security lead to each business line's R&D lead, testers and application operations staff to understand the existing network architecture. In my company the test services all run on K8S and the Java version is 1.8.
1. Generate the agent
In the admin console, click Deploy IAST at the top right.
Select the application runtime. Currently all our Java services are packaged into jars with maven and launched with java -jar. The project name can be left at the default, because all our services specify it through a parameter in the CD stage.
Finally obtain the download script, remove the projectName parameter, and download the agent:

```bash
curl -X GET "http://x.x.x.x:8000/api/v1/agent/download?url=http://x.x.x.x:8000&jdk.version=Java%201.8" -H 'Authorization: Token xxx' -o agent.jar -k
```
2. Local test
2.1 Add the configuration to the startup command and start DongTai IAST

```bash
java -javaagent:./agent.jar -Dproject.name=test -Diast.server.mode=local -jar app.jar
```

2.2 When the log shows Engine opened successfully, DongTai IAST has started successfully

```text
[cn.huoxian.dongtai.iast] The engine configuration file is initialized successfully. file is configiast.properties
[cn.huoxian.dongtai.iast] Check if the engine needs to be updated
{"status": 202, "msg": "不需要更新或正在更新中", "data": null}
[cn.huoxian.dongtai.iast] Engine does not exist in local cache, the engine will be downloaded. current jdk version is : 1.8.0_251
[cn.huoxian.dongtai.iast] The remote file http://x.x.x.x:8000/api/v1/engine/download?package_name=iast-inject&jdk.version=1 was successfully written to the local cache.
[cn.huoxian.dongtai.iast] The remote file http://x.x.x.x:8000/api/v1/engine/download?package_name=iast-core&jdk.version=1 was successfully written to the local cache.
2021-05-12 14:13:33.089 [cn.huoxian.dongtai.engine] INFO The engine is about to be installed, the installation mode is agent
2021-05-12 14:13:33.147 [cn.huoxian.dongtai.engine] INFO Initialize the core configuration of the engine
2021-05-12 14:13:33.603 [cn.huoxian.dongtai.engine] INFO The engine's core configuration is initialized successfully.
2021-05-12 14:13:33.606 [cn.huoxian.dongtai.engine] INFO WebServer [ name=Tomcat/8.x, path=apache-tomcat-8.5.12bin ]
2021-05-12 14:13:33.607 [cn.huoxian.dongtai.engine] INFO Start the data reporting submodule
2021-05-12 14:13:33.608 [cn.huoxian.dongtai.engine] INFO The data reporting submodule started successfully
2021-05-12 14:13:33.608 [cn.huoxian.dongtai.engine] INFO Register spy submodule
2021-05-12 14:13:33.615 [cn.huoxian.dongtai.engine] INFO Spy sub-module registered successfully
2021-05-12 14:13:33.616 [cn.huoxian.dongtai.engine] INFO Install data acquisition and analysis sub-modules
2021-05-12 14:13:35.856 [cn.huoxian.dongtai.engine] INFO The sub-module of data acquisition and analysis is successfully installed
2021-05-12 14:13:35.861 [cn.huoxian.dongtai.engine] INFO The engine is successfully installed to the JVM, and it takes 2773ms
2021-05-12 14:13:46.476 [cn.huoxian.dongtai.engine] INFO Turn on the engine
2021-05-12 14:13:46.480 [cn.huoxian.dongtai.engine] INFO Engine opened successfully
[cn.huoxian.dongtai.iast] Successfully opened the engine, and it takes 22s
{"status": 202, "msg": "不需要更新或正在更新中", "data": null}
```
2.3 Open the admin console, choose Project Settings - New Project, set the project name to test and add a scan policy
Note: the service was started with the parameter -Dproject.name=test, so the agent is automatically associated with the `test` project; no manual configuration is needed.
3. Integration with CI/CD
IAST projects are currently grouped by business line. In the admin console, under Project Settings - New Project, add a project whose name is the abbreviation of the business line; when starting the service, configure -Dproject.name=$业务线 (the business line) so the agent is automatically associated with that project.
3.1 Configure jenkins
Package the agent into the common base image, then select it the same way the original jenkins base image was selected.
Base image: java:1.8-sec-agent
Dockerfile = "FROM reg.xx.com/base/java:1.8-sec-agent"
3.2 Configure the startup command

```bash
cd /data/build/k8s/test/$业务线/
vim $appid.yml
# add the following command parameters:
"-javaagent:/agent.jar","-Dproject.name=$业务线","-Diast.server.mode=local"
```
3.3 Rebuild in jenkins
3.4 Test whether the service works normally
After testing, all services ran normally.
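To make the manual vim edit in 3.2 repeatable, here is an added example (not DongTai's tooling and not the author's scripts) that patches a Kubernetes Deployment, parsed from `kubectl get deploy -o json`, to carry the three JVM flags from this page. The sample Deployment, the `/agent.jar` path in the base image and the `payment` project name are assumptions; the function also enforces that the flags land before `-jar`, because JVM options placed after `-jar` are passed to the application instead of the JVM.

```python
import copy
import json

# Flags from this page's startup command; the agent jar is baked into the base image
# at /agent.jar (assumed, as in section 3.1).
AGENT_FLAGS = ["-javaagent:/agent.jar", "-Diast.server.mode=local"]
MANAGED = set(AGENT_FLAGS)


def inject_agent(container_cmd, project_name):
    """Return a new command list with the IAST flags inserted before -jar.

    JVM options placed after `-jar` are handed to the application instead of
    the JVM, so the flags go directly after the java executable. Existing
    copies of the managed flags are dropped first, which makes the call
    idempotent and lets -Dproject.name be updated instead of duplicated.
    """
    cmd = [a for a in container_cmd
           if a not in MANAGED and not a.startswith("-Dproject.name=")]
    if not cmd or cmd[0].split("/")[-1] != "java":
        raise ValueError("command does not start with a java executable: %r" % cmd)
    if "-jar" not in cmd:
        raise ValueError("not a `java -jar` launch: %r" % cmd)
    return [cmd[0]] + AGENT_FLAGS + ["-Dproject.name=" + project_name] + cmd[1:]


def patch_deployment(deploy, project_name, container_index=0):
    """Return a patched deep copy of a Deployment dict; the input is untouched."""
    patched = copy.deepcopy(deploy)
    container = patched["spec"]["template"]["spec"]["containers"][container_index]
    container["command"] = inject_agent(container.get("command", []), project_name)
    return patched


# Constructed sample: a minimal Deployment as `kubectl get deploy -o json` prints it.
SAMPLE_DEPLOY = json.loads("""{
  "kind": "Deployment",
  "spec": {"template": {"spec": {"containers": [
    {"name": "app", "image": "reg.xx.com/base/java:1.8-sec-agent",
     "command": ["java", "-Xmx512m", "-jar", "/app/app.jar", "--server.port=8080"]}
  ]}}}
}""")

if __name__ == "__main__":
    patched = patch_deployment(SAMPLE_DEPLOY, "payment")
    print(json.dumps(patched["spec"]["template"]["spec"]["containers"][0]["command"]))
```

Running the patched dict back through `kubectl apply -f -` (after `json.dumps`) is the CD-stage hook the page describes; the `-Dproject.name` value is the business line abbreviation used for the project in the admin console.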
5. For incremental services
After discussing with the Ops development team, I modified the automated release process and scripts so that any Java service newly added to the test environment automatically integrates DongTai IAST, ensuring agent coverage; coverage of the test services is now essentially complete.
Please credit the source when reposting: https://www.qztxs.com/archives/science/technology/12120