Vulnerability scanning of Docker images on OpenPOWER systems


With increasing use of containers in enterprises, there is an increased focus on container security. One of the aspects of container security is ensuring that the image doesn't contain known vulnerabilities. This is where vulnerability scanners come into picture. Vulnerability scanning of Docker container images is an important part of the overall container workflow.

The New Stack article provides an excellent summary of the available options and is a must read.

This article deals with the configuration and set up of Clair vulnerability scanner on OpenPOWER servers. Note that the vulnerability scanners are not really architecture specific. They usually check for known common vulnerabilities and exposures (CVEs) by correlating the content of container images with a stored database of vulnerability data. The vulnerability data is imported from sources, such as:

The setup instructions in this article are specific to Red Hat Enterprise Linux (RHEL). However, the same instructions should apply to Ubuntu or other distributions with minor changes related to installation and configuration of dependent packages.

Additionally, if you are looking for a hosted solution, refer to the Bluemix Vulnerability Advisor article.

What you'll need to build Clair on RHEL 7 LE

  • Clair requires a PostgreSQL server. This is part of the distribution package repository.
  • The Go (golang) toolchain is required to build the Clair binary.

Golang for RHEL on OpenPOWER servers is available as part of IBM Advance Toolchain.

Following is the direct download link for golang-1.7:

ftp://ftp.unicamp.br/pub/linuxpatch/toolchain/at/redhat/RHEL7/at10.0/advance-toolchain-golang-at-10.0-1.ppc64le.rpm

Ubuntu already includes the golang toolchain as part of the distribution package repository. Additionally, you can also download the ppc64le/golang Docker image from DockerHub.

Steps to build and use Clair

The following steps detail how to build and use Clair.

Step 1: Building and installing Clair and related tools

Assuming that the go binary is in the system $PATH, the following commands are required to build Clair and related tools:

# mkdir ~/gopath
# export GOPATH=~/gopath
# export PATH=$PATH:$GOPATH/bin
# go get github.com/coreos/clair
# go install github.com/coreos/clair/cmd/clair
# go get -u github.com/coreos/clair/contrib/analyze-local-images

The analyze-local-images program will scan local images by calling Clair APIs.

Step 2: Running Clair

Clair needs a configuration file. A sample configuration file is provided with Clair source at: https://github.com/coreos/clair/blob/master/config.example.yaml. At a minimum, the source option for the database needs to be updated to point to the PostgreSQL server. Refer to the following example from my setup:

clair:
  database:
    # Database driver
    type: pgsql
    options:
      # PostgreSQL connection string
      # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING
      # sslmode=disable is acceptable only because PostgreSQL runs on localhost here;
      # use a TLS mode (for example sslmode=require) when the database is on another host
      source: postgresql://postgres:passw0rd@localhost/postgres?sslmode=disable

      # Number of elements kept in the cache
      # Values unlikely to change (e.g. namespaces) are cached in order to prevent
      # needless roundtrips to the database.
      cachesize: 16384
[snip]

Start Clair by running the following command:

# clair -config=<path-to-config.yaml>

After the Clair daemon starts, it will start downloading and importing the vulnerability data. After this process is complete, you can make some API calls to the Clair daemon and check the output to verify that it is working.

The following command shows the operating systems (Clair namespaces) for which a list of vulnerabilities is available. If your Docker image is based on an operating system that is not in this list, scanning that image is of no use: Clair has no data to match its packages against and will report nothing, which must not be mistaken for a clean image.

# curl http://localhost:6060/v1/namespaces | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   370  100   370    0     0   222k      0 --:--:-- --:--:-- --:--:--  361k
{
  "Namespaces": [
    {
      "Name": "debian:7"
    },
    {
      "Name": "debian:unstable"
    },
    {
      "Name": "debian:8"
    },
    {
      "Name": "debian:9"
    },
    {
      "Name": "sle:12"
    },
    {
      "Name": "sle:12.1"
    },
    {
      "Name": "sle:12.2"
    },
    {
      "Name": "opensuse:13.2"
    },
    {
      "Name": "opensuse:42.1"
    },
    {
      "Name": "opensuse:13.1"
    },
    {
      "Name": "opensuse:42.2"
    },
    {
      "Name": "centos:7"
    },
    {
      "Name": "centos:5"
    },
    {
      "Name": "centos:6"
    },
    {
      "Name": "ubuntu:16.04"
    },
    {
      "Name": "ubuntu:12.04"
    }
  ]
}

The following command shows the list of vulnerabilities for debian:8, limited to two entries by the limit=2 parameter. The NextPage value at the end of the response is the key for fetching the next page of results.

# curl http://localhost:6060/v1/namespaces/debian%3A8/vulnerabilities?limit=2 | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1276  100  1276    0     0   174k      0 --:--:-- --:--:-- --:--:--  207k
{
  "Vulnerabilities": [
    {
      "Name": "CVE-2016-0756",
      "NamespaceName": "debian:8",
      "Description": "The generate_dialback function in the mod_dialback module in Prosody before 0.9.10 does not properly separate fields when generating dialback keys, which allows remote attackers to spoof XMPP network domains via a crafted stream id and domain name that is included in the target domain as a suffix.",
      "Link": "https://security-tracker.debian.org/tracker/CVE-2016-0756",
      "Severity": "Medium",
      "Metadata": {
        "NVD": {
          "CVSSv2": {
            "Score": 5,
            "Vectors": "AV:N/AC:L/Au:N/C:N/I:P"
          }
        }
      }
    },
    {
      "Name": "CVE-2012-0885",
      "NamespaceName": "debian:8",
      "Description": "chan_sip.c in Asterisk Open Source 1.8.x before 1.8.8.2 and 10.x before 10.0.1, when the res_srtp module is used and media support is improperly configured, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted SDP message with a crypto attribute and a (1) video or (2) text media type, as demonstrated by CSipSimple.",
      "Link": "https://security-tracker.debian.org/tracker/CVE-2012-0885",
      "Severity": "Medium",
      "Metadata": {
        "NVD": {
          "CVSSv2": {
            "Score": 4.3,
            "Vectors": "AV:N/AC:M/Au:N/C:N/I:N"
          }
        }
      }
    }
  ],
  "NextPage": "gAAAAABYNnBwJKIStOuJOBkHlIFzTp89ba2_dDcMvNS-cjNhdzPy1ri9GZKNHNO5wsBp_CIjrVLEebkY_Us8Tef49olWy6nLjQ=="
}
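
The two checks described in this step (is the image's operating system covered at all, and walking the paged vulnerability list) can be scripted against the same API. The following is an added example, not code from the article or from the Clair project. It assumes Clair listens on http://localhost:6060 as in the article and that the vulnerability list is paged with the `limit` and `page` query parameters of the Clair v1 API (the NextPage value of one response is passed as page= in the next request). The helper names (`namespace_vulns_url`, `image_is_scannable`, `count_all_vulnerabilities`) and all sample responses are constructed here; the response shapes are copied from the curl output above.

```python
"""Client-side helpers for the Clair v1 API calls shown in Step 2.

Added example, not code from the article or from the Clair project.
Assumptions: Clair listens on http://localhost:6060 as in the article, and the
vulnerability list is paged with the `limit` and `page` query parameters of
the Clair v1 API (NextPage in one response is passed as page= in the next).
All sample responses below are constructed, with the shapes copied from the
curl output in the article.
"""
from urllib.parse import quote, urlencode

CLAIR_URL = "http://localhost:6060"  # assumption: same endpoint the article uses


def namespace_vulns_url(namespace, limit=2, page=None, base=CLAIR_URL):
    """Build the /v1/namespaces/<ns>/vulnerabilities URL for one page.

    The namespace contains a colon (debian:8) that must be percent-encoded
    in the path (debian%3A8), exactly as in the curl command above.
    """
    params = {"limit": limit}
    if page:
        params["page"] = page
    return "%s/v1/namespaces/%s/vulnerabilities?%s" % (
        base, quote(namespace, safe=""), urlencode(params))


def covered_namespaces(namespaces_response):
    """Set of namespace names from a GET /v1/namespaces response."""
    return {ns["Name"] for ns in namespaces_response.get("Namespaces", [])}


def image_is_scannable(image_os, namespaces_response):
    """True if Clair holds vulnerability data for the image's base OS.

    image_os is a Clair namespace string such as 'debian:8'. As the article
    notes, scanning an image whose OS is not in this list is pointless: Clair
    reports nothing, and an empty report must not be read as a clean image.
    """
    return image_os in covered_namespaces(namespaces_response)


def summarize_vulnerabilities(vuln_response):
    """Count the vulnerabilities on one page by Severity.

    Returns (counts_by_severity, next_page); next_page is None on the last page.
    """
    counts = {}
    for vuln in vuln_response.get("Vulnerabilities", []):
        sev = vuln.get("Severity", "Unknown")
        counts[sev] = counts.get(sev, 0) + 1
    return counts, vuln_response.get("NextPage")


def count_all_vulnerabilities(namespace, fetch, limit=100):
    """Walk every page of a namespace's list and total the counts by severity.

    `fetch` maps a URL to the parsed JSON dict, so the loop can be driven by
    urllib.request against a live daemon or by a dict lookup for offline use.
    """
    page, total = None, {}
    while True:
        counts, page = summarize_vulnerabilities(
            fetch(namespace_vulns_url(namespace, limit, page)))
        for sev, n in counts.items():
            total[sev] = total.get(sev, 0) + n
        if not page:
            return total


# Constructed sample responses (not captured from a running daemon).
SAMPLE_NAMESPACES = {"Namespaces": [{"Name": "debian:8"}, {"Name": "centos:7"},
                                    {"Name": "ubuntu:16.04"}]}

SAMPLE_PAGES = {
    namespace_vulns_url("debian:8", 2): {
        "Vulnerabilities": [
            {"Name": "CVE-2016-0756", "NamespaceName": "debian:8", "Severity": "Medium"},
            {"Name": "CVE-2012-0885", "NamespaceName": "debian:8", "Severity": "Medium"},
        ],
        "NextPage": "constructed-page-key",
    },
    namespace_vulns_url("debian:8", 2, "constructed-page-key"): {
        "Vulnerabilities": [
            {"Name": "CVE-2014-9761", "NamespaceName": "debian:8", "Severity": "High"},
        ],
    },
}

if __name__ == "__main__":
    print(image_is_scannable("debian:8", SAMPLE_NAMESPACES))      # True
    print(image_is_scannable("example-os:1", SAMPLE_NAMESPACES))  # False
    print(count_all_vulnerabilities("debian:8", SAMPLE_PAGES.__getitem__, limit=2))
```

Against a running daemon, pass a fetch callable such as `lambda url: json.load(urllib.request.urlopen(url))` instead of the dictionary lookup; the pagination loop and the severity totals are unchanged.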

Step 3: Scanning Docker images

Let us see some examples of scanning Docker images using the analyze-local-images program. The analyze-local-images program makes use of Clair APIs for vulnerability scanning of locally stored Docker images.

# docker images
ppc64le/debian   jessie    cfc916508345  2 weeks ago   127.6 MB
ppc64le/debian   latest    cfc916508345  2 weeks ago   127.6 MB

Scanning the Debian image displays the following report:

# analyze-local-images cfc916508345

2016-11-23 23:28:57.568615 I | Saving cfc916508345 to local disk (this may take some time)
2016-11-23 23:29:07.023871 I | Retrieving image history
2016-11-23 23:29:07.024066 I | Analyzing 1 layers...
2016-11-23 23:29:07.024075 I | Analyzing 2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9
2016-11-23 23:29:07.137814 I | Retrieving image's vulnerabilities
Clair report for image cfc916508345 (2016-11-24 05:29:07.150283539 +0000 UTC)
CVE-2014-9761 (High)
        Multiple stack-based buffer overflows in the GNU C Library (aka glibc or libc6)
        before 2.23 allow context-dependent attackers to cause a denial of service
        (application crash) or possibly execute arbitrary code via a long argument to
        the (1) nan, (2) nanf, or (3) nanl function.

        Package:       glibc @ 2.19-18+deb8u6
        Link:          https://security-tracker.debian.org/tracker/CVE-2014-9761
        Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2015-5276 (Medium)
        The std::random_device class in libstdc++ in the GNU Compiler Collection (aka
        GCC) before 4.9.4 does not properly handle short reads from blocking sources,
        which makes it easier for context-dependent attackers to predict the random
        values via unspecified vectors.

        Package:       gcc-4.9 @ 4.9.2-10
        Link:          https://security-tracker.debian.org/tracker/CVE-2015-5276
        Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2016-7796 (Medium)
        The manager_dispatch_notify_fd function in systemd allows local users to cause a
        denial of service (system hang) via a zero-length message received over a notify
        socket, which causes an error to be returned and the notification handler to be
        disabled.

        Package:       systemd @ 215-17+deb8u5
        Link:          https://security-tracker.debian.org/tracker/CVE-2016-7796
        Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2016-3189 (Low)
        Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote
        attackers to cause a denial of service (crash) via a crafted bzip2 file, related
        to block ends set to before the start of the block.

        Package:       bzip2 @ 1.0.6-7
        Link:          https://security-tracker.debian.org/tracker/CVE-2016-3189
        Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2015-5180 (Low)
        Package:       glibc @ 2.19-18+deb8u6
        Link:          https://security-tracker.debian.org/tracker/CVE-2015-5180
        Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2005-2541 (Negligible)
        Tar 1.15.1 does not properly warn the user when extracting setuid or setgid
        files, which may allow local users or remote attackers to gain privileges.

        Package:       tar @ 1.27.1-2+deb8u1
        Link:          https://security-tracker.debian.org/tracker/CVE-2005-2541
        Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2015-5218 (Negligible)
        Buffer overflow in text-utils/colcrt.c in colcrt in util-linux before 2.27
        allows local users to cause a denial of service (crash) via a crafted file,
        related to the page global variable.

        Package:       util-linux @ 2.25.2-6
        Link:          https://security-tracker.debian.org/tracker/CVE-2015-5218
        Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2015-5224 (Negligible)
        Package:       util-linux @ 2.25.2-6
        Link:          https://security-tracker.debian.org/tracker/CVE-2015-5224
        Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2016-2779 (Negligible)
        Package:       util-linux @ 2.25.2-6
        Link:          https://security-tracker.debian.org/tracker/CVE-2016-2779
        Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2016-6251 (Negligible)
        Package:       shadow @ 1:4.2-3+deb8u1
        Link:          https://security-tracker.debian.org/tracker/CVE-2016-6251
        Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2010-4756 (Negligible)
        The glob implementation in the GNU C Library (aka glibc or libc6) allows remote
        authenticated users to cause a denial of service (CPU and memory consumption)
        via crafted glob expressions that do not match any pathnames, as demonstrated
        by glob expressions in STAT commands to an FTP daemon, a different vulnerability
        than CVE-2010-2632.

        Package:       glibc @ 2.19-18+deb8u6
        Link:          https://security-tracker.debian.org/tracker/CVE-2010-4756
        Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2015-5186 (Negligible)
        Package:       audit @ 1:2.4-1
        Link:          https://security-tracker.debian.org/tracker/CVE-2015-5186
        Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2013-4392 (Negligible)
        systemd, when updating file permissions, allows local users to change the
        permissions and SELinux security contexts for arbitrary files via a symlink
        attack on unspecified files.

        Package:       systemd @ 215-17+deb8u5
        Link:          https://security-tracker.debian.org/tracker/CVE-2013-4392
        Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2007-5686 (Negligible)
        initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp
        file, which allows local users to obtain sensitive information regarding
        authentication attempts.  NOTE: because sshd detects the insecure permissions
        and does not log certain events, this also prevents sshd from logging failed
        authentication attempts by remote attackers.

        Package:       shadow @ 1:4.2-3+deb8u1
        Link:          https://security-tracker.debian.org/tracker/CVE-2007-5686
        Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2013-4235 (Negligible)
        Package:       shadow @ 1:4.2-3+deb8u1
        Link:          https://security-tracker.debian.org/tracker/CVE-2013-4235
        Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2016-6252 (Negligible)
        Package:       shadow @ 1:4.2-3+deb8u1
        Link:          https://security-tracker.debian.org/tracker/CVE-2016-6252
        Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2010-4052 (Negligible)
        Stack consumption vulnerability in the regcomp implementation in the GNU C
        Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows
        context-dependent attackers to cause a denial of service (resource exhaustion)
        via a regular expression containing adjacent repetition operators, as
        demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for
        ProFTPD.

        Package:       glibc @ 2.19-18+deb8u6
        Link:          https://security-tracker.debian.org/tracker/CVE-2010-4052
        Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2016-4484 (Negligible)
        Package:       cryptsetup @ 2:1.6.6-5
        Link:          https://security-tracker.debian.org/tracker/CVE-2016-4484
        Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2011-4116 (Negligible)
        Package:       perl @ 5.20.2-3+deb8u6
        Link:          https://security-tracker.debian.org/tracker/CVE-2011-4116
        Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2011-3374 (Negligible)
        Package:       apt @ 1.0.9.8.3
        Link:          https://security-tracker.debian.org/tracker/CVE-2011-3374
        Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2010-4051 (Negligible)
        The regcomp implementation in the GNU C Library (aka glibc or libc6) through
        2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause
        a denial of service (application crash) via a regular expression containing
        adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation,
        as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c
        exploit for ProFTPD, related to a "RE_DUP_MAX overflow."

        Package:       glibc @ 2.19-18+deb8u6
        Link:          https://security-tracker.debian.org/tracker/CVE-2010-4051
        Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2012-3878 (Negligible)
        Package:       perl @ 5.20.2-3+deb8u6
        Link:          https://security-tracker.debian.org/tracker/CVE-2012-3878
        Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2016-0634 (Negligible)
        Package:       bash @ 4.3-11
        Link:          https://security-tracker.debian.org/tracker/CVE-2016-0634
        Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9
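
A report like the one above is most useful when a build pipeline can act on it, for instance by failing the build when a finding at or above a chosen severity is present. The following is an added example, not code from the article or from the Clair project. It parses the report layout shown above (a `CVE-... (Severity)` header line followed by indented Package, Link and Layer lines) into findings and applies a severity threshold; the severity names are the ones Clair uses, the function names (`parse_report`, `passes_policy`, `blocking_findings`) are chosen here, and the sample report is a constructed excerpt of the output above.

```python
"""Parse the text report printed by analyze-local-images and gate on severity.

Added example, not code from the article or from the Clair project. It reads
the report layout shown in the article (a 'CVE-... (Severity)' header line
followed by indented detail lines) and decides whether the image passes a
severity threshold. The sample report below is a constructed excerpt.
"""
import re
import sys

# Severity names used by Clair, ranked from least to most severe.
SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2, "Medium": 3,
                 "High": 4, "Critical": 5, "Defcon1": 6}

HEADER_RE = re.compile(r"^(CVE-\d{4}-\d+) \((\w+)\)\s*$")
FIELD_RE = re.compile(r"^\s+(Package|Link|Layer):\s+(.*\S)\s*$")


def parse_report(text):
    """Return a list of findings parsed from an analyze-local-images report.

    Each finding is a dict with cve, severity, package, version, link and layer.
    Lines before the first header (daemon log lines and the 'Clair report for
    image ...' banner) are skipped; indented description lines carry no
    'Key:' prefix and are ignored.
    """
    findings = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"cve": m.group(1), "severity": m.group(2), "package": None,
                       "version": None, "link": None, "layer": None}
            findings.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key, value = m.group(1).lower(), m.group(2)
            if key == "package":
                # The report prints the package as "<name> @ <version>".
                name, _, version = value.partition(" @ ")
                current["package"], current["version"] = name, version
            else:
                current[key] = value
    return findings


def count_by_severity(findings):
    """Number of findings per severity name."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def blocking_findings(findings, threshold="High"):
    """Findings whose severity is at or above the threshold."""
    limit = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= limit]


def passes_policy(findings, threshold="High"):
    """True when no finding reaches the threshold severity."""
    return not blocking_findings(findings, threshold)


# Constructed excerpt in the layout of the report shown in the article.
SAMPLE_REPORT = """\
2016-11-23 23:29:07.137814 I | Retrieving image's vulnerabilities
Clair report for image cfc916508345 (2016-11-24 05:29:07.150283539 +0000 UTC)
CVE-2014-9761 (High)
        Multiple stack-based buffer overflows in the GNU C Library (aka glibc or libc6)
        before 2.23 allow context-dependent attackers to cause a denial of service
        (application crash) or possibly execute arbitrary code via a long argument to
        the (1) nan, (2) nanf, or (3) nanl function.

        Package:       glibc @ 2.19-18+deb8u6
        Link:          https://security-tracker.debian.org/tracker/CVE-2014-9761
        Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2016-3189 (Low)
        Package:       bzip2 @ 1.0.6-7
        Link:          https://security-tracker.debian.org/tracker/CVE-2016-3189
        Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2005-2541 (Negligible)
        Package:       tar @ 1.27.1-2+deb8u1
        Link:          https://security-tracker.debian.org/tracker/CVE-2005-2541
        Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9
"""

if __name__ == "__main__":
    # Read a saved report from a file given on the command line, else use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    findings = parse_report(text)
    print(count_by_severity(findings))
    for f in blocking_findings(findings, "High"):
        print("BLOCKING: %s %s %s" % (f["cve"], f["package"], f["version"]))
    sys.exit(0 if passes_policy(findings, "High") else 1)
```

In a pipeline, save the output of `analyze-local-images <image-id>` to a file and pass that file to the script; a non-zero exit status fails the build when a High or worse finding is present. The threshold is a policy choice: the sample report above fails at "High" because of CVE-2014-9761 but passes at "Critical".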

Conclusion

Installing and running the Clair vulnerability scanner is a very straightforward process. I hope this helps you to get started with vulnerability scanning of Docker images.


IBM developerWorks, ArticleID 1041317, published 21 December 2016.