Vulnerability scanning of Docker images on OpenPOWER systems
With the increasing use of containers in enterprises, there is an increased focus on container security. One aspect of container security is ensuring that an image does not contain known vulnerabilities; this is where vulnerability scanners come into the picture. Vulnerability scanning of Docker container images is an important part of the overall container workflow.
The New Stack article provides an excellent summary of the available options and is a must read.
This article deals with the configuration and setup of the Clair vulnerability scanner on OpenPOWER servers. Note that vulnerability scanners are not architecture specific: they check for known Common Vulnerabilities and Exposures (CVEs) by correlating the package contents of container images with a stored database of vulnerability data. The vulnerability data is imported from sources such as:
The setup instructions in this article are specific to Red Hat Enterprise Linux (RHEL). However, the same instructions should apply to Ubuntu or other distributions with minor changes related to installation and configuration of dependent packages.
Additionally, if you are looking for a hosted solution, refer to the Bluemix Vulnerability Advisor article.
What you'll need to build Clair on RHEL 7 LE
- Clair requires a PostgreSQL server, which is available from the distribution package repository.
- The Golang toolchain is required to build the Clair binary.
Golang for RHEL on OpenPOWER servers is available as part of IBM Advance Toolchain.
Following is the direct download link for golang-1.7:
Ubuntu already includes the golang toolchain in its package repository. Alternatively, you can use the ppc64le/golang Docker image from Docker Hub.
Steps to build and use Clair
The following steps detail how to build and use Clair.
Step 1: Building and installing Clair and related tools
Assuming that the go binary is in the system $PATH, the following commands build Clair and the related tools. Note that go get fetches the current master branch of each repository rather than a tagged release, so record the commit you built from (or check out a release tag under $GOPATH/src before running go install) if you need a reproducible build:

# mkdir ~/gopath
# export GOPATH=~/gopath
# export PATH=$PATH:$GOPATH/bin
# go get github.com/coreos/clair
# go install github.com/coreos/clair/cmd/clair
# go get -u github.com/coreos/clair/contrib/analyze-local-images

The analyze-local-images program scans local images by calling the Clair API.
Step 2: Running Clair
Clair needs a configuration file. A sample configuration file is provided with the Clair source at https://github.com/coreos/clair/blob/master/config.example.yaml. At a minimum, the database source option needs to be updated to point to the PostgreSQL server. Refer to the following example from my setup:

clair:
  database:
    # Database driver
    type: pgsql
    options:
      # PostgreSQL Connection string
      # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING
      source: postgresql://postgres:passw0rd@localhost/postgres?sslmode=disable
      # Number of elements kept in the cache
      # Values unlikely to change (e.g. namespaces) are cached in order to prevent needless roundtrips to the database.
      cachesize: 16384
[snip]

This connection string carries the database password in clear text and disables TLS, which is acceptable only while PostgreSQL listens on localhost. If the database runs on another host, use sslmode=require (or verify-full, with a CA certificate), and in either case restrict read access to the configuration file.
Start Clair by running the following command:
# clair -config=<path-to-config.yaml>
After the Clair daemon starts, it downloads and imports the vulnerability data from the configured sources. This initial import can take a while, and a scan run before it completes returns incomplete results. Once the import is complete, you can make some API calls to the Clair daemon and check the output to verify that it is working.
The following command lists the namespaces, that is, the operating system releases for which Clair holds vulnerability data. If your Docker image is based on an operating system that is not in this list, scanning it is of no use: the report comes back empty because Clair has no data for it, not because the image is clean.
# curl http://localhost:6060/v1/namespaces | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   370  100   370    0     0   222k      0 --:--:-- --:--:-- --:--:--  361k
{
  "Namespaces": [
    { "Name": "debian:7" },
    { "Name": "debian:unstable" },
    { "Name": "debian:8" },
    { "Name": "debian:9" },
    { "Name": "sle:12" },
    { "Name": "sle:12.1" },
    { "Name": "sle:12.2" },
    { "Name": "opensuse:13.2" },
    { "Name": "opensuse:42.1" },
    { "Name": "opensuse:13.1" },
    { "Name": "opensuse:42.2" },
    { "Name": "centos:7" },
    { "Name": "centos:5" },
    { "Name": "centos:6" },
    { "Name": "ubuntu:16.04" },
    { "Name": "ubuntu:12.04" }
  ]
}
The following command shows the list of vulnerabilities for debian:8.
# curl http://localhost:6060/v1/namespaces/debian%3A8/vulnerabilities?limit=2 | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1276  100  1276    0     0   174k      0 --:--:-- --:--:-- --:--:--  207k
{
  "Vulnerabilities": [
    {
      "Name": "CVE-2016-0756",
      "NamespaceName": "debian:8",
      "Description": "The generate_dialback function in the mod_dialback module in Prosody before 0.9.10 does not properly separate fields when generating dialback keys, which allows remote attackers to spoof XMPP network domains via a crafted stream id and domain name that is included in the target domain as a suffix.",
      "Link": "https://security-tracker.debian.org/tracker/CVE-2016-0756",
      "Severity": "Medium",
      "Metadata": {
        "NVD": {
          "CVSSv2": {
            "Score": 5,
            "Vectors": "AV:N/AC:L/Au:N/C:N/I:P"
          }
        }
      }
    },
    {
      "Name": "CVE-2012-0885",
      "NamespaceName": "debian:8",
      "Description": "chan_sip.c in Asterisk Open Source 1.8.x before 1.8.8.2 and 10.x before 10.0.1, when the res_srtp module is used and media support is improperly configured, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted SDP message with a crypto attribute and a (1) video or (2) text media type, as demonstrated by CSipSimple.",
      "Link": "https://security-tracker.debian.org/tracker/CVE-2012-0885",
      "Severity": "Medium",
      "Metadata": {
        "NVD": {
          "CVSSv2": {
            "Score": 4.3,
            "Vectors": "AV:N/AC:M/Au:N/C:N/I:N"
          }
        }
      }
    }
  ],
  "NextPage": "gAAAAABYNnBwJKIStOuJOBkHlIFzTp89ba2_dDcMvNS-cjNhdzPy1ri9GZKNHNO5wsBp_CIjrVLEebkY_Us8Tef49olWy6nLjQ=="
}
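The namespace check and the paged vulnerability query above are easy to script. The following Python module is an added example, not code from this article or from the Clair project. It assumes the Clair v1 endpoints shown above (GET /v1/namespaces and GET /v1/namespaces/<name>/vulnerabilities?limit=N, with the NextPage token passed back as the page query parameter) and maps an image's /etc/os-release ID and VERSION_ID to a Clair namespace name such as debian:8; the sles-to-sle alias is my own addition for the SUSE names in the listing. The HTTP call is injected through a fetch argument so the logic can be exercised offline against constructed responses.

```python
"""Check Clair namespace coverage and walk a namespace's vulnerability list.

Added example; not code from the article or from the Clair project. It assumes
the Clair v1 endpoints shown in the article (GET /v1/namespaces and
GET /v1/namespaces/<name>/vulnerabilities?limit=N, with the NextPage token
passed back as the `page` query parameter) and maps an image's /etc/os-release
ID and VERSION_ID to a Clair namespace name such as "debian:8". The HTTP call
is injected via `fetch` so the logic can run offline against constructed data.
"""
import json
import urllib.parse
import urllib.request


def http_get_json(url):
    """Default fetcher: GET a URL from the Clair API and decode the JSON body."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def list_namespaces(base_url, fetch=http_get_json):
    """Names of the namespaces Clair currently holds vulnerability data for."""
    data = fetch(base_url.rstrip("/") + "/v1/namespaces")
    return {ns["Name"] for ns in data.get("Namespaces", [])}


# os-release IDs that differ from the namespace prefix Clair uses (assumption:
# SLES reports ID="sles" while Clair lists "sle:12"); extend as needed.
ID_ALIASES = {"sles": "sle"}


def namespace_for_os_release(os_release_text):
    """Map /etc/os-release contents to a Clair namespace ("<ID>:<VERSION_ID>").

    Debian jessie has ID=debian and VERSION_ID="8", giving "debian:8". Returns
    None if either field is missing so "unknown" is never mistaken for "covered".
    """
    fields = {}
    for line in os_release_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip().strip('"')
    distro, version = fields.get("ID", "").lower(), fields.get("VERSION_ID", "")
    if not distro or not version:
        return None
    return "%s:%s" % (ID_ALIASES.get(distro, distro), version)


def is_covered(base_url, os_release_text, fetch=http_get_json):
    """True only if Clair has a vulnerability list for the image's base OS.

    For an uncovered OS the scan report comes back empty, which means "no
    data", not "no vulnerabilities"; check this before trusting a clean report.
    """
    ns = namespace_for_os_release(os_release_text)
    return ns is not None and ns in list_namespaces(base_url, fetch)


def iter_vulnerabilities(base_url, namespace, limit=100, fetch=http_get_json):
    """Yield every vulnerability in a namespace, following NextPage tokens."""
    endpoint = "%s/v1/namespaces/%s/vulnerabilities" % (
        base_url.rstrip("/"), urllib.parse.quote(namespace, safe=""))
    page = None
    while True:
        params = {"limit": limit}
        if page:
            params["page"] = page
        data = fetch(endpoint + "?" + urllib.parse.urlencode(params))
        for vuln in data.get("Vulnerabilities", []):
            yield vuln
        page = data.get("NextPage")
        if not page:  # last page: Clair returns no token (or an empty one)
            return


def count_by_severity(base_url, namespace, fetch=http_get_json):
    """Tally a namespace's vulnerabilities by Clair severity label."""
    counts = {}
    for vuln in iter_vulnerabilities(base_url, namespace, fetch=fetch):
        sev = vuln.get("Severity", "Unknown")
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    import sys
    # Usage: python clair_check.py http://localhost:6060 <os-release file> <namespace>
    url, os_release_path, namespace = sys.argv[1:4]
    with open(os_release_path) as f:
        print("covered:", is_covered(url, f.read()))
    print("by severity:", count_by_severity(url, namespace))
```

To check an image's base OS, extract its os-release with `docker run --rm ppc64le/debian:jessie cat /etc/os-release` and pass the text to is_covered; an image whose namespace is missing from Clair's list would otherwise produce an empty report that is indistinguishable from a clean scan. Note that iter_vulnerabilities walks the whole namespace, which for debian:8 is thousands of entries, so keep the limit high when you only want totals.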
Step 3: Scanning Docker images
Let us see an example of scanning a Docker image with the analyze-local-images program, which uses the Clair API to scan locally stored Docker images.
# docker images
REPOSITORY       TAG      IMAGE ID       CREATED       SIZE
ppc64le/debian   jessie   cfc916508345   2 weeks ago   127.6 MB
ppc64le/debian   latest   cfc916508345   2 weeks ago   127.6 MB
Scanning the Debian image displays the following report:
# analyze-local-images cfc916508345
2016-11-23 23:28:57.568615 I | Saving cfc916508345 to local disk (this may take some time)
2016-11-23 23:29:07.023871 I | Retrieving image history
2016-11-23 23:29:07.024066 I | Analyzing 1 layers...
2016-11-23 23:29:07.024075 I | Analyzing 2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9
2016-11-23 23:29:07.137814 I | Retrieving image's vulnerabilities
Clair report for image cfc916508345 (2016-11-24 05:29:07.150283539 +0000 UTC)

CVE-2014-9761 (High)
    Multiple stack-based buffer overflows in the GNU C Library (aka glibc or libc6) before 2.23 allow context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long argument to the (1) nan, (2) nanf, or (3) nanl function.
    Package:       glibc @ 2.19-18+deb8u6
    Link:          https://security-tracker.debian.org/tracker/CVE-2014-9761
    Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2015-5276 (Medium)
    The std::random_device class in libstdc++ in the GNU Compiler Collection (aka GCC) before 4.9.4 does not properly handle short reads from blocking sources, which makes it easier for context-dependent attackers to predict the random values via unspecified vectors.
    Package:       gcc-4.9 @ 4.9.2-10
    Link:          https://security-tracker.debian.org/tracker/CVE-2015-5276
    Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2016-7796 (Medium)
    The manager_dispatch_notify_fd function in systemd allows local users to cause a denial of service (system hang) via a zero-length message received over a notify socket, which causes an error to be returned and the notification handler to be disabled.
    Package:       systemd @ 215-17+deb8u5
    Link:          https://security-tracker.debian.org/tracker/CVE-2016-7796
    Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2016-3189 (Low)
    Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.
    Package:       bzip2 @ 1.0.6-7
    Link:          https://security-tracker.debian.org/tracker/CVE-2016-3189
    Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2015-5180 (Low)
    Package:       glibc @ 2.19-18+deb8u6
    Link:          https://security-tracker.debian.org/tracker/CVE-2015-5180
    Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2005-2541 (Negligible)
    Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.
    Package:       tar @ 1.27.1-2+deb8u1
    Link:          https://security-tracker.debian.org/tracker/CVE-2005-2541
    Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2015-5218 (Negligible)
    Buffer overflow in text-utils/colcrt.c in colcrt in util-linux before 2.27 allows local users to cause a denial of service (crash) via a crafted file, related to the page global variable.
    Package:       util-linux @ 2.25.2-6
    Link:          https://security-tracker.debian.org/tracker/CVE-2015-5218
    Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2015-5224 (Negligible)
    Package:       util-linux @ 2.25.2-6
    Link:          https://security-tracker.debian.org/tracker/CVE-2015-5224
    Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2016-2779 (Negligible)
    Package:       util-linux @ 2.25.2-6
    Link:          https://security-tracker.debian.org/tracker/CVE-2016-2779
    Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2016-6251 (Negligible)
    Package:       shadow @ 1:4.2-3+deb8u1
    Link:          https://security-tracker.debian.org/tracker/CVE-2016-6251
    Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2010-4756 (Negligible)
    The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.
    Package:       glibc @ 2.19-18+deb8u6
    Link:          https://security-tracker.debian.org/tracker/CVE-2010-4756
    Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2015-5186 (Negligible)
    Package:       audit @ 1:2.4-1
    Link:          https://security-tracker.debian.org/tracker/CVE-2015-5186
    Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2013-4392 (Negligible)
    systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.
    Package:       systemd @ 215-17+deb8u5
    Link:          https://security-tracker.debian.org/tracker/CVE-2013-4392
    Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2007-5686 (Negligible)
    initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.
    Package:       shadow @ 1:4.2-3+deb8u1
    Link:          https://security-tracker.debian.org/tracker/CVE-2007-5686
    Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2013-4235 (Negligible)
    Package:       shadow @ 1:4.2-3+deb8u1
    Link:          https://security-tracker.debian.org/tracker/CVE-2013-4235
    Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2016-6252 (Negligible)
    Package:       shadow @ 1:4.2-3+deb8u1
    Link:          https://security-tracker.debian.org/tracker/CVE-2016-6252
    Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2010-4052 (Negligible)
    Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.
    Package:       glibc @ 2.19-18+deb8u6
    Link:          https://security-tracker.debian.org/tracker/CVE-2010-4052
    Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2016-4484 (Negligible)
    Package:       cryptsetup @ 2:1.6.6-5
    Link:          https://security-tracker.debian.org/tracker/CVE-2016-4484
    Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2011-4116 (Negligible)
    Package:       perl @ 5.20.2-3+deb8u6
    Link:          https://security-tracker.debian.org/tracker/CVE-2011-4116
    Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2011-3374 (Negligible)
    Package:       apt @ 1.0.9.8.3
    Link:          https://security-tracker.debian.org/tracker/CVE-2011-3374
    Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2010-4051 (Negligible)
    The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a "RE_DUP_MAX overflow."
    Package:       glibc @ 2.19-18+deb8u6
    Link:          https://security-tracker.debian.org/tracker/CVE-2010-4051
    Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2012-3878 (Negligible)
    Package:       perl @ 5.20.2-3+deb8u6
    Link:          https://security-tracker.debian.org/tracker/CVE-2012-3878
    Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2016-0634 (Negligible)
    Package:       bash @ 4.3-11
    Link:          https://security-tracker.debian.org/tracker/CVE-2016-0634
    Layer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9
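A scan report is only useful if something acts on it. The following Python script is an added example, not code from this article or from the Clair project. It parses the analyze-local-images text format shown above (a NAME (Severity) header line, an optional indented description that may wrap over several lines, then indented Package, Link and Layer fields), tallies findings by severity and by package, and returns the findings at or above a chosen severity so a CI job can fail the build. SAMPLE_REPORT is constructed from a subset of the report above; the severity ordering follows Clair's own levels (Unknown, Negligible, Low, Medium, High, Critical, Defcon1).

```python
"""Parse an analyze-local-images report and fail a build on severity.

Added example, not code from the article or from the Clair project. It assumes
the report layout shown in the article (a "NAME (Severity)" header, an optional
indented, wrapped description, then indented Package/Link/Layer fields).
SAMPLE_REPORT is constructed from a subset of the article's report."""
import re
from collections import Counter

# Clair's severity scale, lowest first.
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]
HEADER_RE = re.compile(r"^(?P<name>\S+) \((?P<severity>[A-Za-z0-9]+)\)$")
FIELD_RE = re.compile(r"^\s+(?P<key>Package|Link|Layer):\s+(?P<value>.+?)\s*$")

SAMPLE_REPORT = """\
Clair report for image cfc916508345 (2016-11-24 05:29:07.150283539 +0000 UTC)

CVE-2014-9761 (High)
\tMultiple stack-based buffer overflows in the GNU C Library (aka glibc or libc6)
\tbefore 2.23 allow context-dependent attackers to cause a denial of service
\t(application crash) or possibly execute arbitrary code via a long argument to
\tthe (1) nan, (2) nanf, or (3) nanl function.
\tPackage:       glibc @ 2.19-18+deb8u6
\tLink:          https://security-tracker.debian.org/tracker/CVE-2014-9761
\tLayer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2015-5276 (Medium)
\tThe std::random_device class in libstdc++ in the GNU Compiler Collection (aka
\tGCC) before 4.9.4 does not properly handle short reads from blocking sources,
\twhich makes it easier for context-dependent attackers to predict the random
\tvalues via unspecified vectors.
\tPackage:       gcc-4.9 @ 4.9.2-10
\tLink:          https://security-tracker.debian.org/tracker/CVE-2015-5276
\tLayer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2015-5180 (Low)
\tPackage:       glibc @ 2.19-18+deb8u6
\tLink:          https://security-tracker.debian.org/tracker/CVE-2015-5180
\tLayer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9

CVE-2016-0634 (Negligible)
\tPackage:       bash @ 4.3-11
\tLink:          https://security-tracker.debian.org/tracker/CVE-2016-0634
\tLayer:         2617abb98179a940f2799802eb6054f5d5ac560dbb1b9a9b9bf8c6c1ad819ad9
"""


def parse_report(text):
    """Turn the report text into a list of finding dicts, in report order."""
    findings, current = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = HEADER_RE.match(raw)
        if m:  # "CVE-2014-9761 (High)" starts a new finding
            current = {"name": m.group("name"), "severity": m.group("severity"),
                       "description": "", "package": None, "version": None,
                       "link": None, "layer": None}
            findings.append(current)
            continue
        if current is None:
            continue  # log lines and the "Clair report for image" banner
        m = FIELD_RE.match(raw)
        if m:
            key, value = m.group("key").lower(), m.group("value")
            if key == "package":  # "glibc @ 2.19-18+deb8u6"
                current["package"], _, current["version"] = value.partition(" @ ")
            else:
                current[key] = value
        else:  # wrapped description lines: rejoin them into one sentence
            current["description"] = (current["description"] + " " + raw.strip()).strip()
    return findings


def severity_rank(severity):
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def gate(findings, minimum="High", ignore=()):
    """Findings at or above `minimum`, minus explicitly accepted CVE ids."""
    floor = severity_rank(minimum)
    return [f for f in findings
            if severity_rank(f["severity"]) >= floor and f["name"] not in ignore]


def summarize(findings):
    """Counts by severity and by package, for a quick read of a long report."""
    return (Counter(f["severity"] for f in findings),
            Counter(f["package"] for f in findings))


if __name__ == "__main__":
    import sys
    # Usage: analyze-local-images <image> | python clair_gate.py [minimum-severity]
    found = parse_report(sys.stdin.read())
    blocking = gate(found, sys.argv[1] if len(sys.argv) > 1 else "High")
    print(summarize(found))
    for f in blocking:
        print("BLOCK %s %s (%s @ %s)" % (f["severity"], f["name"], f["package"], f["version"]))
    sys.exit(1 if blocking else 0)
```

The ignore set is the place for CVEs you have reviewed and accepted for a given image (for example, a finding in a package the image never executes); keeping that list in version control next to the Dockerfile makes the exception visible and reviewable rather than buried in someone's shell history.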
Conclusion
Installing and running the Clair vulnerability scanner is a straightforward process. Keep in mind that a scanner only reports CVEs already present in its database for the namespaces it covers, so rescan images as the vulnerability data is refreshed. I hope this helps you get started with vulnerability scanning of Docker images.