Vulnerability scanning of Docker images on OpenPOWER systems
With increasing use of containers in enterprises, there is an increased focus on container security. One of the aspects of container security is ensuring that the image doesn't contain known vulnerabilities. This is where vulnerability scanners come into picture. Vulnerability scanning of Docker container images is an important part of the overall container workflow.
The New Stack article provides an excellent summary of the available options and is a must read.
This article deals with the configuration and set up of Clair vulnerability scanner on OpenPOWER servers. Note that the vulnerability scanners are not really architecture specific. They usually check for known common vulnerabilities and exposures (CVEs) by correlating the content of container images with a stored database of vulnerability data. The vulnerability data is imported from sources, such as:
The setup instructions in this article are specific to Red Hat Enterprise Linux (RHEL). However, the same instructions should apply to Ubuntu or other distributions with minor changes related to installation and configuration of dependent packages.
Additionally, if you are looking for a hosted solution, refer to the Bluemix Vulnerability Advisor article.
What you'll need to build Clair on RHEL 7 LE
- Clair requires PostgreSQL server. This is part of the distribution package repository.
- Golang toolchain is required to build Clair binary.
Golang for RHEL on OpenPOWER servers is available as part of IBM Advance Toolchain.
Following is the direct download link for golang-1.7:
Ubuntu already includes golang toolchain as part of the distribution package repository. Additionally, you can also download the ppc64le/golang Docker image from DockerHub.
Steps to build and use Clair
Following steps details how to build and use Clair.
Step 1: Building and installing Clair and related tools
Assuming that the go binary is in the system $PATH, the following commands are required to build Clair and related tools:
# mkdir ~/gopath # export GOPATH=~/gopath # export PATH=$PATH:$GOPATH/bin # go get github.com/coreos/clair # go install github.com/coreos/clair/cmd/clair # go get -u github.com/coreos/clair/contrib/analyze-local-images
The analyze-local-images program will scan local images by calling Clair APIs.
Step 2: Running Clair
Clair needs a configuration file. A sample configuration file is provided with Clair source
at: https://github.com/coreos/clair/blob/master/config.example.yaml. At a minimum, the
source option for the database needs to be updated to point to the PostgreSQL
server. Refer to the following example from my setup:
clair:
database:
# Database driver
type: pgsql
options:
# PostgreSQL Connection string
# https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING
source: postgresql://postgres:passw0rd@localhost/postgres?sslmode=disable
# Number of elements kept in the cache
# Values unlikely to change (e.g. namespaces) are cached in order to save prevent
needless roundtrips to the database.
cachesize: 16384
[snip]Start Clair by running the following command:
# clair -config=<path-to-config.yaml>
After the Clair daemon starts, it will start downloading and importing the vulnerability data. After this process is complete, you can make some API calls to the Clair daemon and check the output to verify that it is working.
The following command shows the operating systems for which a list of vulnerabilities is
available.
If you are using a Docker image based on an operating system for which a
vulnerability list is not available, then scanning is of no use for that Docker image.
# curl http://localhost:6060/v1/namespaces | jq
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 370 100 370 0 0 222k 0 --:--:-- --:--:-- --:--:-- 361k
{
"Namespaces": [
{
"Name": "debian:7"
},
{
"Name": "debian:unstable"
},
{
"Name": "debian:8"
},
{
"Name": "debian:9"
},
{
"Name": "sle:12"
},
{
"Name": "sle:12.1"
},
{
"Name": "sle:12.2"
},
{
"Name": "opensuse:13.2"
},
{
"Name": "opensuse:42.1"
},
{
"Name": "opensuse:13.1"
},
{
"Name": "opensuse:42.2"
},
{
"Name": "centos:7"
},
{
"Name": "centos:5"
},
{
"Name": "centos:6"
},
{
"Name": "ubuntu:16.04"
},
{
"Name": "ubuntu:12.04"
}
]
}The following command shows the list of vulnerabilities for debian:8.
# curl http://localhost:6060/v1/namespaces/debian%3A8/vulnerabilities?limit=2 | jq
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1276 100 1276 0 0 174k 0 --:--:-- --:--:-- --:--:-- 207k
{
"Vulnerabilities": [
{
"Name": "CVE-2016-0756",
"NamespaceName": "debian:8",
"Description": "The generate_dialback function in the mod_dialback module in Prosody before 0.9.10 does not properly separate fields when generating dialback keys, which allows remote attackers to spoof XMPP network domains via a crafted stream id and domain name that is included in the target domain as a suffix.",
"Link": "https://security-tracker.debian.org/tracker/CVE-2016-0756",
"Severity": "Medium",
"Metadata": {
"NVD": {
"CVSSv2": {
"Score": 5,
"Vectors": "AV:N/AC:L/Au:N/C:N/I:P"
}
}
}
},
{
"Name": "CVE-2012-0885",
"NamespaceName": "debian:8",
"Description": "chan_sip.c in Asterisk Open Source 1.8.x before 1.8.8.2 and 10.x before 10.0.1, when the res_srtp module is used and media support is improperly configured, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted SDP message with a crypto attribute and a (1) video or (2) text media type, as demonstrated by CSipSimple.",
"Link": "https://security-tracker.debian.org/tracker/CVE-2012-0885",
"Severity": "Medium",
"Metadata": {
"NVD": {
"CVSSv2": {
"Score": 4.3,
"Vectors": "AV:N/AC:M/Au:N/C:N/I:N"
}
}
}
}
],
"NextPage": "gAAAAABYNnBwJKIStOuJOBkHlIFzTp89ba2_dDcMvNS-cjNhdzPy1ri9GZKNHNO5wsBp_CIjrVLEebkY_Us8Tef49olWy6nLjQ=="
}Step 3: Scanning Docker images
Let us see some examples of scanning Docker images using the analyze-local-image program. The analyze-local-image program makes use of Clair APIs for vulnerability scanning of locally stored Docker images.
# docker images
ppc64le/debian jessie cfc916508345 2 weeks ago 127.6 MB
ppc64le/debian latest cfc916508345 2 weeks ago 127.6 MBScanning the Debian image displays the following report:
# analyze-local-images cfc916508345
2016-11-23 23:28:57.568615 I | Saving cfc916508345 to local disk (this may take some time)
2016-11-23 23:29:07.023871 I | Retrieving image history
2016-11-23 23:29:07.024066 I | Analyzing 1 layers...
2016-11-23 23:29:07.024075 I | Analyzing 2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9
2016-11-23 23:29:07.137814 I | Retrieving image's vulnerabilities
Clair report for image cfc916508345 (2016-11-24 05:29:07.150283539 +0000 UTC)
CVE-2014-9761 (High)
Multiple stack-based buffer overflows in the GNU C Library (aka glibc or libc6)
before 2.23 allow context-dependent attackers to cause a denial of service
(application crash) or possibly execute arbitrary code via a long argument to
the (1) nan, (2) nanf, or (3) nanl function.
Package: glibc @ 2.19-18+deb8u6
Link: https://security-tracker.debian.org/tracker/CVE-2014-9761
Layer: 2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9
CVE-2015-5276 (Medium)
The std::random_device class in libstdc++ in the GNU Compiler Collection (aka
GCC) before 4.9.4 does not properly handle short reads from blocking sources,
which makes it easier for context-dependent attackers to predict the random
values via unspecified vectors.
Package: gcc-4.9 @ 4.9.2-10
Link: https://security-tracker.debian.org/tracker/CVE-2015-5276
Layer: 2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9
CVE-2016-7796 (Medium)
The manager_dispatch_notify_fd function in systemd allows local users to cause a
denial of service (system hang) via a zero-length message received over a notify
socket, which causes an error to be returned and the notification handler to be
disabled.
Package: systemd @ 215-17+deb8u5
Link: https://security-tracker.debian.org/tracker/CVE-2016-7796
Layer: 2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9
CVE-2016-3189 (Low)
Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote
attackers to cause a denial of service (crash) via a crafted bzip2 file, related
to block ends set to before the start of the block.
Package: bzip2 @ 1.0.6-7
Link: https://security-tracker.debian.org/tracker/CVE-2016-3189
Layer: 2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9
CVE-2015-5180 (Low)
Package: glibc @ 2.19-18+deb8u6
Link: https://security-tracker.debian.org/tracker/CVE-2015-5180
Layer: 2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9
CVE-2005-2541 (Negligible)
Tar 1.15.1 does not properly warn the user when extracting setuid or setgid
files, which may allow local users or remote attackers to gain privileges.
Package: tar @ 1.27.1-2+deb8u1
Link: https://security-tracker.debian.org/tracker/CVE-2005-2541
Layer: 2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9
CVE-2015-5218 (Negligible)
Buffer overflow in text-utils/colcrt.c in colcrt in util-linux before 2.27
allows local users to cause a denial of service (crash) via a crafted file,
related to the page global variable.
Package: util-linux @ 2.25.2-6
Link: https://security-tracker.debian.org/tracker/CVE-2015-5218
Layer: 2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9
CVE-2015-5224 (Negligible)
Package: util-linux @ 2.25.2-6
Link: https://security-tracker.debian.org/tracker/CVE-2015-5224
Layer: 2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9
CVE-2016-2779 (Negligible)
Package: util-linux @ 2.25.2-6
Link: https://security-tracker.debian.org/tracker/CVE-2016-2779
Layer: 2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9
CVE-2016-6251 (Negligible)
Package: shadow @ 1:4.2-3+deb8u1
Link: https://security-tracker.debian.org/tracker/CVE-2016-6251
Layer: 2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9
CVE-2010-4756 (Negligible)
The glob implementation in the GNU C Library (aka glibc or libc6) allows remote
authenticated users to cause a denial of service (CPU and memory consumption)
via crafted glob expressions that do not match any pathnames, as demonstrated
by glob expressions in STAT commands to an FTP daemon, a different vulnerability
than CVE-2010-2632.
Package: glibc @ 2.19-18+deb8u6
Link: https://security-tracker.debian.org/tracker/CVE-2010-4756
Layer: 2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9
CVE-2015-5186 (Negligible)
Package: audit @ 1:2.4-1
Link: https://security-tracker.debian.org/tracker/CVE-2015-5186
Layer: 2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9
CVE-2013-4392 (Negligible)
systemd, when updating file permissions, allows local users to change the
permissions and SELinux security contexts for arbitrary files via a symlink
attack on unspecified files.
Package: systemd @ 215-17+deb8u5
Link: https://security-tracker.debian.org/tracker/CVE-2013-4392
Layer: 2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9
CVE-2007-5686 (Negligible)
initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp
file, which allows local users to obtain sensitive information regarding
authentication attempts. NOTE: because sshd detects the insecure permissions
and does not log certain events, this also prevents sshd from logging failed
authentication attempts by remote attackers.
Package: shadow @ 1:4.2-3+deb8u1
Link: https://security-tracker.debian.org/tracker/CVE-2007-5686
Layer: 2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9
CVE-2013-4235 (Negligible)
Package: shadow @ 1:4.2-3+deb8u1
Link: https://security-tracker.debian.org/tracker/CVE-2013-4235
Layer: 2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9
CVE-2016-6252 (Negligible)
Package: shadow @ 1:4.2-3+deb8u1
Link: https://security-tracker.debian.org/tracker/CVE-2016-6252
Layer: 2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9
CVE-2010-4052 (Negligible)
Stack consumption vulnerability in the regcomp implementation in the GNU C
Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows
context-dependent attackers to cause a denial of service (resource exhaustion)
via a regular expression containing adjacent repetition operators, as
demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for
ProFTPD.
Package: glibc @ 2.19-18+deb8u6
Link: https://security-tracker.debian.org/tracker/CVE-2010-4052
Layer: 2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9
CVE-2016-4484 (Negligible)
Package: cryptsetup @ 2:1.6.6-5
Link: https://security-tracker.debian.org/tracker/CVE-2016-4484
Layer: 2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9
CVE-2011-4116 (Negligible)
Package: perl @ 5.20.2-3+deb8u6
Link: https://security-tracker.debian.org/tracker/CVE-2011-4116
Layer: 2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9
CVE-2011-3374 (Negligible)
Package: apt @ 1.0.9.8.3
Link: https://security-tracker.debian.org/tracker/CVE-2011-3374
Layer: 2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9
CVE-2010-4051 (Negligible)
The regcomp implementation in the GNU C Library (aka glibc or libc6) through
2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause
a denial of service (application crash) via a regular expression containing
adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation,
as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c
exploit for ProFTPD, related to a "RE_DUP_MAX overflow."
Package: glibc @ 2.19-18+deb8u6
Link: https://security-tracker.debian.org/tracker/CVE-2010-4051
Layer: 2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9
CVE-2012-3878 (Negligible)
Package: perl @ 5.20.2-3+deb8u6
Link: https://security-tracker.debian.org/tracker/CVE-2012-3878
Layer: 2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9
CVE-2016-0634 (Negligible)
Package: bash @ 4.3-11
Link: https://security-tracker.debian.org/tracker/CVE-2016-0634
Layer: 2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9Conclusion
Installing and running the Clair vulnerability scanner is a very straight forward process. Hope this helps you to get started with vulnerability scanning of Docker images.