Vulnerability Advisor

Use the advisor to get security status for container images in your IBM® Cloud Private private registry. The Vulnerability Advisor also runs security checks on running containers in your environment.

For more information about the Vulnerability Advisor, see the About Vulnerability Advisor section in the IBM Cloud Docs.

The Vulnerability Advisor feature is supported for multi-node clusters of the Cloud Native and Enterprise editions of IBM Cloud Private only.

Vulnerability Advisor supports the following operating systems:

For a list of the Vulnerability Advisor components, see Components.

The Vulnerability Advisor can be enabled during or after installation of your IBM Cloud Private cluster.

To enable the Vulnerability Advisor during installation, see Enabling the Vulnerability Advisor.

To enable the Vulnerability Advisor after installation of your cluster, complete the steps in the following sections:

Configuring Vulnerability Advisor

Configuring the Vulnerability Advisor container crawler

  1. From the navigation menu, click Configuration > ConfigMaps.
  2. In the search box type "live-crawler".
  3. For the vulnerability-advisor-live-crawler ConfigMap, select Action > Edit. The vulnerability-advisor-live-crawler JSON file displays.
  4. Modify the value of the enabled parameter.
    • To disable the crawler, set the enabled parameter to false.
    • To enable the crawler, set the enabled parameter to true.
  5. (Optional) You can also configure the time interval for scanning containers on the host. To configure the time interval, modify the value of the crawl-interval parameter. The default value is 86400 seconds (one day). If you update this parameter, you must restart the crawler container. The container crawler is deployed as a DaemonSet named live-crawler-amd64 or live-crawler-ppc64le, depending on the node architecture. You can restart the DaemonSet from the Workloads > DaemonSet page.
  6. Click Submit.

Configuring the Vulnerability Advisor image crawler

  1. From the navigation menu, click Configuration > ConfigMaps.
  2. In the search box type "registry-crawler".
  3. For the vulnerability-advisor-registry-crawler ConfigMap, select Action > Edit. The vulnerability-advisor-registry-crawler JSON file displays.
  4. Modify the value of the enabled parameter.
    • To disable the crawler, set the enabled parameter to false.
    • To enable the crawler, set the enabled parameter to true.
  5. Click Submit.

Configuring the Vulnerability Advisor image crawler to rescan images

  1. From the navigation menu, click Workloads > Deployments.
  2. In the search box type "registry-crawler".
  3. For the vulnerability-advisor-registry-crawler deployment, select Action > Edit. The vulnerability-advisor-registry-crawler JSON file displays.
  4. Modify the value of the following parameters:
    • To rescan images that were successfully scanned, set the RESET_WHITELIST option to true.
    • To rescan images that failed to scan, set the RESET_BLACKLIST option to true.
  5. Click Submit.

Logs and report management

The Vulnerability Advisor components, the Kafka log and the Elasticsearch indexes, consume a lot of disk space on the VA nodes. By default, Kafka retains 600 minutes (10 hours) of logs, and Elasticsearch retains 7 days of data. This data includes container and image reports.

Configuring data curation interval of Elasticsearch cluster

  1. From the navigation menu, click Configuration > ConfigMaps.
  2. In the search box type "elasticsearch-curator".
  3. For the vulnerability-advisor-elasticsearch-curator ConfigMap, select Action > Edit. The vulnerability-advisor-elasticsearch-curator JSON file displays.
  4. Modify the value of the unit_count parameter. The unit is days. The default value is 7 days.
  5. Click Submit.

For more information about the VA curator, see Vulnerability Advisor curator fails to clean VA Elasticsearch indexes.

Configuring log clean-up interval of Kafka cluster

  1. Set up the kubectl CLI. See Accessing your IBM Cloud Private cluster by using the kubectl CLI.
  2. Edit the vulnerability-advisor-kafka StatefulSet object to reconfigure Kafka.

     kubectl --namespace=kube-system edit StatefulSet vulnerability-advisor-kafka
    
  3. Modify the value of the KAFKA_LOG_RETENTION_MINUTES environment variable. The default value is 600 minutes (10 hours).

  4. Save the changes.

Viewing security reports

From the management console, you can view security reports for containers and images organized by namespace. These security reports are generated by using a default policy.

  1. From the navigation menu, click Platform > Vulnerability Advisor.
  2. Select the namespace that you want to view. The Vulnerability Advisor dashboard displays. From this dashboard, you can review the reports for containers and images in the selected namespace. The report details the following information on each container or image:
    • Name - the name of the container or image.
    • Owner - the namespace that the image or container belongs to.
    • Crawled Time - the timestamp when the image or container was scanned.
    • Type - specifies whether the object is a container or an image.
    • Organizational Policies - the security policy that is being used. This is set on the Managing Policies page.
    • Vulnerable Packages - current vulnerabilities that are identified for the container or image.
    • Container Settings - summary of potential security and compliance issues. Security recommendations are also presented here.

Managing Policies

  1. From the navigation menu, click Platform > Vulnerability Advisor.
  2. Select the namespace that you want to view reports for. The Vulnerability Advisor dashboard displays.
  3. From the horizontal navigation menu of the Vulnerability Advisor dashboard, select Manage Policies.
  4. On the Manage policies page, select the policy changes that you want to make by toggling the ON/OFF radio buttons.
  5. Click Submit Policy.

Updating security notices for the Vulnerability Advisor components

Security notices for all supported Linux distributions are preloaded in the Elasticsearch cluster for the Vulnerability Advisor. However, the security notices for each Linux distribution are updated periodically on the Internet, so the preloaded copies go out of date.

IBM publishes security notices by pushing a new usnloader image to Docker Hub at 00:00 EST daily. New usnloader images are tagged with a time stamp. For example, security notices that are released on May 10th 2018 are tagged as cloudviz/usnloader:20180510. An image tagged latest is also pushed daily when the build completes at 00:00 EST. Each timestamped version of the usnloader image is available on Docker Hub for 7 days.

Prerequisites

If your environment does not have internet access, you need to manually pull the usnloader image from Docker Hub daily. To set up a manual pull, complete the following steps:

  1. Create a Linux cron job on a host that has internet access. Schedule the cron job to pull the usnloader image every day at 5:00 p.m. EST.
  2. Push the latest usnloader image to your IBM Cloud Private private registry. See Pushing and pulling images.
  3. Complete the procedure for updating security notices. Ensure that you update the image specification in the Kubernetes CronJob usnloader.yaml to point to the image in the IBM Cloud Private private registry. For example: image: mycluster.icp:8500/services/usnloader:latest.

Procedure

To update the security notices for your IBM Cloud Private cluster, complete the following steps:

  1. Set up the kubectl CLI. See Accessing your IBM Cloud Private cluster by using the kubectl CLI.
  2. Create a Kubernetes CronJob usnloader.yaml by using the following specifications.

     ---
     apiVersion: batch/v1beta1
     kind: CronJob
     metadata:
       labels:
         app: usnloader
         component: vulnerability-advisor
       name: usnloader
       namespace: kube-system
     spec:
       concurrencyPolicy: Replace
       failedJobsHistoryLimit: 1
       successfulJobsHistoryLimit: 3
       schedule: '0 6 * * *'
       suspend: false
       jobTemplate:
         spec:
           template:
             spec:
               containers:
               - command: ["python2.7", "/opt/usnloader/usnloader.py",
                           "-elasticsearch-urls", "http://vulnerability-advisor-elasticsearch:9200"]
                 image: cloudviz/usnloader:latest
                 imagePullPolicy: Always
                 name: usnloader
               nodeSelector:
                 va: "true"
               restartPolicy: OnFailure
               tolerations:
               - effect: NoSchedule
                 key: "dedicated"
                 operator: "Exists"
               - key: "CriticalAddonsOnly"
                 operator: "Exists"
    

    To load security notices for a specific date, you can create a Kubernetes batch job usnloader.yaml and specify the image for the desired date. The batch job might resemble the following code:

     ---
     apiVersion: batch/v1
     kind: Job
     metadata:
       name: usnloader
       namespace: kube-system
       labels:
         app: usnloader
         component: vulnerability-advisor
     spec:
       template:
         metadata:
           name: usnloader
           annotations:
             scheduler.alpha.kubernetes.io/critical-pod: ''
         spec:
           restartPolicy: OnFailure
           containers:
           - name: usnloader
             image: "cloudviz/usnloader:20180510"
             imagePullPolicy: Always
             command: ["python2.7", "/opt/usnloader/usnloader.py",
                       "-elasticsearch-urls", "http://vulnerability-advisor-elasticsearch:9200"]
           nodeSelector:
             va: 'true'
           tolerations:
           - effect: NoSchedule
             key: dedicated
             operator: Exists
           - key: "CriticalAddonsOnly"
             operator: "Exists"
    
  3. Launch the usnloader Job.

     kubectl apply -f usnloader.yaml
    
  4. Check the job.

     kubectl -n kube-system get cronjob | grep usnloader
    

    The output resembles the following code:

     NAME                                          SCHEDULE      SUSPEND   ACTIVE    LAST SCHEDULE   AGE
     usnloader                                     0 6 * * *     False     1         29s             4m
    

    The CronJob pulls the latest image from Docker Hub, and loads the latest security notices into the Elasticsearch component of your Vulnerability Advisor.

     kubectl -n kube-system get job | grep usnloader
    

    The output resembles the following code:

     usnloader-1526436600                                     1         0            33s
    
     kubectl -n kube-system get pods --show-all | grep usnloader
    

    The output resembles the following:

     usnloader-1526436600-846nf                                       0/1       Completed   0          59s
    
     kubectl -n kube-system logs -f usnloader-1526436600-846nf
    

    The output resembles the following code:

     2018-05-16 02:10:20,581 INFO 63 usnloader: Arguments received from the command line
     2018-05-16 02:10:20,582 INFO 66 usnloader: {'elastic_search': 'vulnerability-advisor-elasticsearch:9200', 'elastic_search_password': '**********'}
     2018-05-16 02:10:42,731 INFO 79 usnloader: No new usns
     2018-05-16 02:10:42,744 INFO 58 log_update_status: [
       {
         "latest_advisory": "deb-2018-msg00126.html",
         "index_load_time": "2018-05-16T02:10:07.866827",
         "distro": "debian"
       },
       {
         "latest_advisory": "alpine_git_commit:",
         "index_load_time": "2018-05-15T03:02:11.375949",
         "distro": "alpine"
       },
       {
         "latest_advisory": "RHSA-2018:0998",
         "index_load_time": "2018-05-16T02:10:07.744258",
         "distro": "redhat"
       },
       {
         "latest_advisory": "centos-2018-May.txt.gz",
         "index_load_time": "2018-05-16T02:10:07.832857",
         "distro": "centos"
       },
       {
         "latest_advisory": "FEDORA-2018-05",
         "index_load_time": "2018-05-16T02:10:07.656827",
         "distro": "fedora"
       },
       {
         "latest_advisory": "ubuntu-2018-May.txt.gz",
         "index_load_time": "2018-05-16T02:10:07.551024",
         "distro": "ubuntu"
       }
     ]
    

You are now ready to use the Vulnerability Advisor with updated security notices.
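The log_update_status block above tells you whether each distribution's advisory index was actually refreshed by the run; in the sample, the alpine entry is a day older than the rest. The following script is an added example, not part of the IBM documentation or the usnloader tool: it parses that block out of the pod log and reports feeds that did not reload in the current run. The sample log is constructed from the output above, and the 12-hour staleness threshold is an assumption sized to the daily CronJob schedule.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample: two lines of the usnloader pod log shown above, with the
# status array compacted to one entry per line (the parser does not depend on layout).
SAMPLE_LOG = """\
2018-05-16 02:10:42,731 INFO 79 usnloader: No new usns
2018-05-16 02:10:42,744 INFO 58 log_update_status: [
  {"latest_advisory": "deb-2018-msg00126.html", "index_load_time": "2018-05-16T02:10:07.866827", "distro": "debian"},
  {"latest_advisory": "alpine_git_commit:", "index_load_time": "2018-05-15T03:02:11.375949", "distro": "alpine"},
  {"latest_advisory": "RHSA-2018:0998", "index_load_time": "2018-05-16T02:10:07.744258", "distro": "redhat"},
  {"latest_advisory": "ubuntu-2018-May.txt.gz", "index_load_time": "2018-05-16T02:10:07.551024", "distro": "ubuntu"}
]
"""

# Matches the log line that opens the status array: captures the run timestamp and
# everything from '[' to the end of the log (raw_decode stops at the closing ']').
STATUS_RE = re.compile(r"^(\S+ \S+) INFO \d+ log_update_status: (\[.*)", re.S | re.M)


def parse_update_status(log_text):
    """Return (run_time, entries) from a usnloader log; ValueError if no status block."""
    m = STATUS_RE.search(log_text)
    if m is None:
        raise ValueError("no log_update_status block in log")
    run_time = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
    entries, _ = json.JSONDecoder().raw_decode(m.group(2))
    return run_time, entries


def stale_feeds(log_text, max_age=timedelta(hours=12)):
    """Map distro -> age for feeds whose index_load_time is older than max_age at run time.
    The 12-hour default is an assumption for a daily schedule, not an IBM setting."""
    run_time, entries = parse_update_status(log_text)
    stale = {}
    for entry in entries:
        loaded = datetime.strptime(entry["index_load_time"], "%Y-%m-%dT%H:%M:%S.%f")
        age = run_time - loaded
        if age > max_age:
            stale[entry["distro"]] = age
    return stale


if __name__ == "__main__":
    for distro, age in sorted(stale_feeds(SAMPLE_LOG).items()):
        print("STALE %-8s last loaded %s before this run" % (distro, age))
```

Feed the script `kubectl -n kube-system logs <usnloader pod>` in place of SAMPLE_LOG to check a real run; a non-empty result means the notices for that distribution are older than the rest.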