November 4, 2016 | Written by: Ricardo Koller and Alan Dawson
Categorized: Community | Compute Services
We introduced the Vulnerability Advisor (VA) service for IBM® Bluemix Containers and for container images in prior posts. VA provides vulnerability and best-practice reports about Docker images hosted in Bluemix. These reports provide a convenient way of quickly knowing whether it is safe to deploy an image in Bluemix. For example, a user would get these tags for each of their images, indicating whether it is safe to deploy as a container or not:
To put things in context, the following is a report for an Ubuntu container with 16 vulnerable packages and 3 security-related misconfigurations. The rules defining whether a package is vulnerable are derived from distribution security bulletins such as Ubuntu Security Notices, from CVE information in the National Vulnerability Database, and from information in IBM X-Force Exchange.
This is a very useful feature, but it does not capture the fact that a container (even one that started out safe) might become malicious or dangerous. The first reason is that the user could log into the container and change the system on the fly. For example, the user runs docker exec and thinks it would be a good idea to install sshd-server. The second reason is that Vulnerability Advisor updates some rule (e.g. a package vulnerability is discovered after the container started for the first time). Containers age and become more vulnerable than their newly born image, as security experts discover new malware and vulnerabilities for different distributions.
The missing feature is the ability to live-scan containers before they start (as images) and continuously while they are running, using the same rules as the ones for images. This feature monitors the latest configuration of running containers and checks for divergence from the image they started from. Divergence usually means the system has untracked changes. Remember: a version control system should track all your changes to the system, and a re-deploy should be the only way to make those changes effective. In any case, it is very useful to detect when such changes happen. Even if the system allows them, it is still very likely that once in a while a developer will log into a container for a little harmless change. And once in a while, that harmless change will be disastrous.
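To make the divergence check concrete, here is an added example (not Vulnerability Advisor's code or anything from this post) that diffs a running container's package inventory against its image's inventory and re-applies a vulnerability rule set to the running container, so both drift and aging show up. The package lists, versions and the advisory label are constructed sample data, and the version ordering is a deliberately simplified stand-in for real dpkg comparison.

```python
import re
from dataclasses import dataclass

# Constructed sample data (not real scan output): package lists in
# "name<TAB>version" form, as 'dpkg-query -W -f=${Package}\t${Version}\n' prints.
IMAGE_PKGS = "openssl\t1.0.2g-1ubuntu4\ncurl\t7.47.0-1ubuntu2\nbash\t4.3-14ubuntu1\n"
CONTAINER_PKGS = ("openssl\t1.0.2g-1ubuntu4\ncurl\t7.47.0-1ubuntu2.1\n"
                  "bash\t4.3-14ubuntu1\nopenssh-server\t1:7.2p2-4\n")
# Constructed rule: a package is vulnerable when installed below the fixed version.
RULES = {"openssl": ("1.0.2g-1ubuntu4.5", "ADVISORY-ID-PLACEHOLDER")}

@dataclass
class Report:
    added: dict       # present only in the running container (drift)
    removed: set      # present only in the image (drift)
    changed: dict     # name -> (image_version, container_version)
    vulnerable: dict  # name -> (installed_version, advisory) under the rules

def parse_pkg_list(text):
    pkgs = {}
    for line in text.strip().splitlines():
        name, version = line.split("\t", 1)
        pkgs[name.strip()] = version.strip()
    return pkgs

def version_key(v):
    # Simplified ordering: numeric parts compare as ints, the rest as strings.
    # Not full dpkg semantics (epochs and '~' get no special treatment).
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-+~]", v)]

def vulnerable_packages(pkgs, rules):
    return {name: (pkgs[name], adv) for name, (fixed, adv) in rules.items()
            if name in pkgs and version_key(pkgs[name]) < version_key(fixed)}

def scan(image_list, container_list, rules):
    """Diff the running container's inventory against its image, then rescan it."""
    image, container = parse_pkg_list(image_list), parse_pkg_list(container_list)
    added = {n: v for n, v in container.items() if n not in image}
    removed = set(image) - set(container)
    changed = {n: (image[n], container[n]) for n in image
               if n in container and image[n] != container[n]}
    return Report(added, removed, changed, vulnerable_packages(container, rules))

if __name__ == "__main__":
    r = scan(IMAGE_PKGS, CONTAINER_PKGS, RULES)
    print("drift: added", r.added, "removed", r.removed, "changed", r.changed)
    print("vulnerable:", r.vulnerable)
```

In the sample, openssh-server shows up as drift (the docker exec scenario above) and openssl is flagged even though it never changed, because the rule set moved after the container started.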
Vulnerability Advisor Live-scanner
We now introduce the Live-scanner service for running containers in Bluemix (notice the part about running containers).
I know what you’re saying: ‘Where can I get these fine new items?’ Well, that’s the gag. Chances are, you’ve bought ’em already! — The Joker (Batman 1989)
If you want to use this new feature, all you have to do is start a container as you did before. In fact, existing containers already have a Vulnerability report, the same Vulnerability report that you would get for images. VA generates this report within a couple of minutes of starting a new container, and generates it again once every day. You do not have to change your container or image in any way to get these reports. More specifically, you do not have to install an agent in the container, run a side-car container, or build your image from some special base image. It all works out of the box. Here is an example of a container without vulnerabilities:
You can then click on the panel, and the same detailed report as the one for images will show the container's Vulnerability report:
Try Vulnerability Advisor, it’s free!
VA for running containers is now available to you in production in IBM Bluemix Containers Service. Don’t forget to play with this new feature. It should be easy. Again, all you have to do is take a look at your existing containers in the console.
Sign up for Bluemix. It’s free!