当前位置:   article > 正文

RHEL 8 - 用OpenSCAP工具对容器镜像进行漏洞安全合规扫描,并修复

openscap

OpenShift 4.x HOL教程汇总
已在 RHEL 8.4 上验证
本文的前置条件:RHEL8 - 配置基于安装 ISO 文件的 YUM Repo

准备环境

  1. 安装scap扫描工具。
$ yum install -y openscap-utils scap-security-guide wget
  • 1
  1. 安装容器工具
$ yum install -y podman buildah
  • 1
  1. 安装其它工具
$ yum install -y wget
  • 1

扫描容器镜像CVE漏洞

下载OVAL文件

$ wget -O - https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8.oval.xml.bz2 | bzip2 --decompress > rhel-8.oval.xml
  • 1

扫描容器镜像

  1. 下载2个容器镜像“registry.access.redhat.com/ubi8:latest“和”registry.access.redhat.com/ubi8:8.0-126“
$ TAG-NEW=latest
$ TAG-OLD=8.0-126
$ podman pull registry.access.redhat.com/ubi8:${TAG-NEW}
$ podman pull registry.access.redhat.com/ubi8:${TAG-OLD}
  • 1
  • 2
  • 3
  • 4
  1. 查看下载到本地的容器镜像
$ podman images ubi8
REPOSITORY                             TAG      IMAGE ID      CREATED      SIZE
registry.access.redhat.com/ubi8        latest   272209ff0ae5  9 days ago   234 MB
registry.access.redhat.com/ubi8        8.0-126  7ae69d957d8b  2 years ago  216 MB
  • 1
  • 2
  • 3
  • 4
  1. 根据获得的OVAL文件扫描指定的容器镜像ID。
$ ID=$(podman image inspect ubi8:${TAG-NEW} | jq -r .[0].Id)
$ oscap-podman ${ID} oval eval --report /tmp/oval-report-ubi8:${TAG-NEW}.html rhel-8.oval.xml
Definition oval:com.redhat.rhsa:def:20212238: false
Definition oval:com.redhat.rhsa:def:20212235: false
Definition oval:com.redhat.rhsa:def:20212233: false
Definition oval:com.redhat.rhsa:def:20212170: false
W: oscap:     Requested offline mode is not supported by uname probe.
Definition oval:com.redhat.rhsa:def:20212169: false
Definition oval:com.redhat.rhsa:def:20212168: false
Definition oval:com.redhat.rhsa:def:20212165: false
Definition oval:com.redhat.rhsa:def:20212037: false
Definition oval:com.redhat.rhsa:def:20212036: false
Definition oval:com.redhat.rhsa:def:20212034: false
Definition oval:com.redhat.rhsa:def:20211989: false
。。。
 
$ ID=$(podman image inspect ubi8:${TAG-OLD} | jq -r .[0].Id)
$ oscap-podman ${ID} oval eval --report /tmp/oval-report-ubi8:${TAG-OLD}.html rhel-8.oval.xml
Definition oval:com.redhat.rhsa:def:20212238: false
Definition oval:com.redhat.rhsa:def:20212235: false
Definition oval:com.redhat.rhsa:def:20212233: false
Definition oval:com.redhat.rhsa:def:20212170: true
W: oscap:     Requested offline mode is not supported by uname probe.
Definition oval:com.redhat.rhsa:def:20212169: false
Definition oval:com.redhat.rhsa:def:20212168: false
Definition oval:com.redhat.rhsa:def:20212165: false
Definition oval:com.redhat.rhsa:def:20212037: false
Definition oval:com.redhat.rhsa:def:20212036: false
Definition oval:com.redhat.rhsa:def:20212034: false
Definition oval:com.redhat.rhsa:def:20211989: false
。。。
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31

查看容器镜像扫描结果

  1. 查看扫描结果文件。
$ ll /tmp/oval-report-ubi8*
-rw-r--r--. 1 root root 557791 Jun 12 10:24 /tmp/oval-report-ubi8:latest.html
-rw-r--r--. 1 root root 557646 Jun 12 11:52 /tmp/oval-report-ubi8:8.0-126.html
  • 1
  • 2
  • 3
  1. 用浏览器查看扫描结果文件,以下分别是“ubi8:latest”和“ubi8:8.0-126”的扫描结果(内容太多,只截取了一部分)。可以看出,“ubi8:latest”是基于rhel 8.4最新的镜像,“581”项检测全部绿色通过。而由于“ubi8:8.0-126”是基于比较早rhel8.0的镜像,因此有73项没有通过测试,需要通过补丁解决安全风险,可参照对应的RHSA和CVE修复它们。
    “ubi8:latest”镜像扫描
    在这里插入图片描述
    “ubi8:8.0-126”镜像扫描
    在这里插入图片描述

扫描容器镜像合规

扫描镜像符合PCI-DSS规范情况

  1. 基于XCCDF,对"rhel-ubi8:8.0-126"的镜像进行pci-dss规范的扫描。从命令结果可以看出有些扫描项目是pass结果,有些是failed结果,有些是notapplicable结果。
$ ID=$(podman image inspect ubi8:${TAG-OLD} | jq -r .[0].Id)
$ oscap-podman ${ID} xccdf eval --report /tmp/rhel-ubi8:8.0-126-pci-dss.html --profile pci-dss /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml' points out to the remote 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL8.xml file which is referenced from XCCDF content
Title   Verify File Hashes with RPM
Rule    xccdf_org.ssgproject.content_rule_rpm_verify_hashes
Ident   CCE-80857-6
Result  pass
  
Title   Verify and Correct File Permissions with RPM
Rule    xccdf_org.ssgproject.content_rule_rpm_verify_permissions
Ident   CCE-80858-4
Result  fail
  
Title   Install AIDE
Rule    xccdf_org.ssgproject.content_rule_package_aide_installed
Ident   CCE-80844-4
Result  notapplicable
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  1. 用浏览器打开上一步扫描的结果文件,可以看到该镜像整体有12个规则没有通过。
    在这里插入图片描述

修复违规风险

  1. 在页面中找到"Prevent Login to Accounts With Empty Password",确认该验证没有通过,存在一个高危漏洞。
  2. 进入对应的链接,此时可以看到以下的描述页面。其中下方提供了针对该风险的三种修复方法。
    在这里插入图片描述
  3. 将“registry.access.redhat.com/ubi8:8.0-126“镜像获取到本地。
$ buildah from registry.access.redhat.com/ubi8:8.0-126
ubi8-working-container
  • 1
  • 2
  1. 确认本地已有”ubi8-working-container“
$ buildah containers
CONTAINER ID  BUILDER  IMAGE ID     IMAGE NAME                       CONTAINER NAME
5cb411f02b99     *     7ae69d957d8b registry.access.redhat.com/ub... ubi8-working-container
  • 1
  • 2
  • 3
  1. 挂载该容器
$ buildah mount ubi8-working-container
/var/lib/containers/storage/overlay/d0ba6f84fe8e3a06bc26b88baa928f2adac1cb6b7a032600f6f9f6daccce4be5/merged
  • 1
  • 2
  1. 查看该容器中的目录。
$ ll
total 0
lrwxrwxrwx.  1 root root   7 Aug 12  2018 bin -> usr/bin
dr-xr-xr-x.  2 root root   6 Aug 12  2018 boot
drwxr-xr-x.  2 root root   6 Jun 11  2019 dev
drwxr-xr-x.  1 root root  25 Jun 11  2019 etc
drwxr-xr-x.  2 root root   6 Aug 12  2018 home
lrwxrwxrwx.  1 root root   7 Aug 12  2018 lib -> usr/lib
lrwxrwxrwx.  1 root root   9 Aug 12  2018 lib64 -> usr/lib64
drwx------.  2 root root   6 Jun 11  2019 lost+found
drwxr-xr-x.  2 root root   6 Aug 12  2018 media
drwxr-xr-x.  2 root root   6 Aug 12  2018 mnt
drwxr-xr-x.  2 root root   6 Aug 12  2018 opt
drwxr-xr-x.  2 root root   6 Jun 11  2019 proc
dr-xr-x---.  1 root root  23 Jun 11  2019 root
drwxr-xr-x.  1 root root  21 Jun 11  2019 run
lrwxrwxrwx.  1 root root   8 Aug 12  2018 sbin -> usr/sbin
drwxr-xr-x.  2 root root   6 Aug 12  2018 srv
drwxr-xr-x.  2 root root   6 Jun 11  2019 sys
drwxrwxrwt.  1 root root   6 Jun 11  2019 tmp
drwxr-xr-x. 12 root root 144 Jun 11  2019 usr
drwxr-xr-x.  1 root root  17 Jun 11  2019 var
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  1. 根据风险漏洞的修复说明,执行以下命令。注意:由于容器的根目录不是当前系统的根目录,因此需要将建议命令中的“/etc/…”改为“etc/…”。
$ sed --follow-symlinks -i 's/\<nullok\>//g' etc/pam.d/system-auth
$ sed --follow-symlinks -i 's/\<nullok\>//g' etc/pam.d/password-auth
  • 1
  • 2
  1. 提交本地镜像为新的镜像名“ubi8-my”。
$ buildah commit ubi8-working-container ubi8-my
Getting image source signatures
Copying blob 4144b1ae544b skipped: already exists
Copying blob 77ba31c86fd4 skipped: already exists
Copying blob 0cad3bd8dd71 done
Copying config d6ba863211 done
Writing manifest to image destination
Storing signatures
d6ba86321137604485e693f25cf8d47b2edc865fcb845b602a454bedd350eca8 
 
$ podman images ubi8-my
REPOSITORY         TAG     IMAGE ID      CREATED         SIZE
localhost/ubi8-my  latest  d6ba86321137  41 seconds ago  216 MB
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  1. 对新的“ubi8-my”进行进行pci-dss扫描,然后查看生成的报告。
$ ID=$(podman image inspect ubi8-my:latest | jq -r .[0].Id)
$ oscap-podman ${ID} xccdf eval --report /tmp/rhel-ubi8-my:latest-pci-dss.html --profile pci-dss /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
  • 1
  • 2
  1. 确认新的镜像已经通过“Prevent Login to Accounts With Empty Password”扫描检查。
    在这里插入图片描述

参考

https://www.youtube.com/watch?v=nQmIcK1vvYc

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/小舞很执着/article/detail/818060
推荐阅读
相关标签
  

闽ICP备14008679号