Vulnerability Advisor
Use the advisor to get security status for container images in your IBM® Cloud Private private registry. The Vulnerability Advisor also runs security checks on running containers in your environment.
For more information about the Vulnerability Advisor, see the About Vulnerability Advisor section in the IBM Cloud Docs.
The Vulnerability Advisor feature is supported for multi-node clusters of the Cloud Native and Enterprise editions of IBM Cloud Private only.
View the following table for a list of operating systems that the Vulnerability Advisor supports:
| Operating system | Version |
|---|---|
| Ubuntu | |
| Alpine | 2.7-3.8 |
| Red Hat Enterprise Linux | all base images |
| CentOS | all base images |
| Debian | |
For a list of the Vulnerability Advisor components, see Components.
Enable the Vulnerability Advisor during or after installation of your IBM Cloud Private cluster. For more information, see Enabling the Vulnerability Advisor.
To enable and configure the Vulnerability Advisor after installation of your cluster, complete the steps in the following sections:
- Enabling and disabling IBM Cloud Private management services
- Configuring Vulnerability Advisor
- Logs and report management
- Viewing security reports
- Managing Policies
- Updating security notices for the Vulnerability Advisor components
Configuring Vulnerability Advisor
Configuring the Vulnerability Advisor container crawler
- From the navigation menu, click Configuration > ConfigMaps.
- In the search box, type "live-crawler".
- For the `vulnerability-advisor-live-crawler` ConfigMap, select Action > Edit. The `vulnerability-advisor-live-crawler` JSON file displays.
- Modify the value of the `enabled` parameter.
  - To disable the crawler, set the `enabled` parameter to `false`.
  - To enable the crawler, set the `enabled` parameter to `true`.
- (Optional) You can also configure the time interval for scanning containers on the host. To configure the time interval, modify the value of the `crawl-interval` parameter. The default value is 86400 seconds (one day).
- Click Submit.
- You must restart the crawler container. The container crawler is deployed as a DaemonSet named `vulnerability-advisor-live-crawler`. Restart the crawler container by running the following command:

  ```
  kubectl delete pods -n kube-system $(kubectl get pods -n kube-system | awk '{print $1}' | grep live-crawler)
  ```
Configuring the Vulnerability Advisor image crawler
- From the navigation menu, click Configuration > ConfigMaps.
- In the search box, type "registry-crawler".
- For the `vulnerability-advisor-registry-crawler` ConfigMap, select Action > Edit. The `vulnerability-advisor-registry-crawler` JSON file displays.
- Modify the value of the `enabled` parameter.
  - To disable the crawler, set the `enabled` parameter to `false`.
  - To enable the crawler, set the `enabled` parameter to `true`.
- Click Submit.
Configuring the Vulnerability Advisor image crawler to rescan images
- From the navigation menu, click Workloads > Deployments.
- In the search box, type "registry-crawler".
- For the `vulnerability-advisor-registry-crawler` deployment, select Action > Edit. The `vulnerability-advisor-registry-crawler` JSON file displays.
- Modify the value of the following parameters:
  - To rescan images that were successfully scanned, set the `RESET_WHITELIST` option to `true`.
  - To rescan images that failed to scan, set the `RESET_BLACKLIST` option to `true`.
- Click Submit.
Configuring the number of rows for list views of containers and images
- From the navigation menu, click Tools > Vulnerability Advisor.
- Select one namespace from the table. The Vulnerability Advisor (List Containers) window is displayed. Each row in the table includes a report for each container. 50 rows are displayed per page with a maximum of 100 rows in total.
- To configure the total number of rows, add the `max` parameter to the URL of the page. For example, when you add the `&max=200` parameter to the URL, a maximum of 200 rows in total are displayed.
- To increase the number of rows that are displayed on each page, add the `count` parameter to the URL of the page. For example, when you add the `&count=100` parameter to the URL, each page includes a maximum of 100 rows.
- You can configure both the `max` and `count` parameters. For example, when you add `&max=300&count=100` to the URL, each page displays a maximum of 100 rows, and a maximum of 300 rows (3 pages) are displayed in total:

  ```
  https://xxx.xxx.xxx.xxx:8443/va/ui/list?access_group=kube-system&max=300&count=100
  ```

The `max` and `count` URL parameters are enabled for the following tasks:
- Vulnerability Advisor (List Containers)
- Vulnerability Advisor (List Images)
- Mutation Advisor (List Containers)
Logs and report management
The Kafka logs and Minio data of the Vulnerability Advisor components consume a large amount of disk space on the VA nodes. By default, Kafka retains 600 minutes (10 hours) of logs, and Minio retains 30 days of data. This data includes container reports.
Configuring data curation interval of VA Minio cleaner
- From the navigation menu, click Configuration > ConfigMaps.
- For the `vulnerability-advisor-minio-cleaner-config` ConfigMap, select Action > Edit. The `vulnerability-advisor-minio-cleaner-config` JSON file displays.
- Modify the retention value of each Minio bucket (`vacos:30 vacos-hf:5 vacos-ma:30 vacos-summary:30`) in the `data.clean.sh` section. The unit is days.
- Click Submit.
Mutation Advisor
You can view modification alerts for system files, configuration files, content files, or OS processes. From the navigation menu, click Tools > Vulnerability Advisor > namespaces. Select the Go to Mutation Advisor button to view alerts.
Configuring the Mutation Advisor process crawler
- From the navigation menu, click Configuration > ConfigMaps.
- In the search box, type "ma-crawler".
- For the `vulnerability-advisor-process-ma-crawler` ConfigMap, select Action > Edit. The `vulnerability-advisor-process-ma-crawler` JSON file displays.
- Modify the value of the `enabled` parameter.
  - To disable the crawler, set the `enabled` parameter to `false`.
  - To enable the crawler, set the `enabled` parameter to `true`.
- (Optional) You can also configure the time interval for scanning containers on the host. To configure the time interval, modify the value of the `crawl-interval` parameter. The default value is 300 seconds (5 minutes).
- Click Submit.
- You must restart the crawler container. The crawler container is deployed as a DaemonSet named `vulnerability-advisor-process-ma-crawler`. Restart the crawler container by running the following command:

  ```
  kubectl delete pods -n kube-system $(kubectl get pods -n kube-system | awk '{print $1}' | grep ma-crawler)
  ```
Configuring the Mutation Advisor file crawler
File mutation detection is also implemented by the Vulnerability Advisor container crawler. For information, see Configuring the Vulnerability Advisor container crawler.
Configuring log clean-up interval of Kafka cluster
- Set up the `kubectl` CLI. See Accessing your IBM Cloud Private cluster by using the kubectl CLI.
- Edit the `vulnerability-advisor-kafka` StatefulSet object to reconfigure Kafka:

  ```
  kubectl --namespace=kube-system edit StatefulSet vulnerability-advisor-kafka
  ```

- Modify the value of the `KAFKA_LOG_RETENTION_MINUTES` environment variable. The default value is 600 minutes (10 hours).
- Save the changes.
Viewing security reports
From the management console, you can view security reports for containers and images organized by namespace. These security reports are generated by using a default policy.
- From the navigation menu, click Tools > Vulnerability Advisor.
- Select the namespace that you want to view. The Vulnerability Advisor dashboard displays. From this dashboard, you can review the reports for containers and images in the selected namespace. The report details the following information for each container or image:
  - Name - the name of the container or image.
  - Owner - the namespace that the image or container belongs to.
  - Latest Scan - the timestamp when the image or container was scanned.
  - Type - specifies whether the object is a container or an image.
  - Organizational Policies - the security policy that is being used. This is set on the Managing Policies page.
  - Vulnerable Packages - the current vulnerabilities that are identified for the container or image.
  - Container Settings - a summary of potential security and compliance issues. Security recommendations are also presented here.
Managing Policies
- From the navigation menu, click Tools > Vulnerability Advisor.
- Select the namespace that you want to view reports for. The Vulnerability Advisor dashboard displays.
- From the horizontal navigation menu of the Vulnerability Advisor dashboard, select Manage Policies.
- On the Manage policies page, select the policy changes that you want to make by toggling the ON/OFF radio buttons.
- Click Submit Policy.
Updating security notices for the Vulnerability Advisor components
Security notices for all supported Linux distributions are preloaded in the Elasticsearch cluster for the Vulnerability Advisor. However, security notices for each Linux distribution are updated periodically on the Internet.
IBM publishes security notices by pushing a new usnloader image to Docker Hub at 00:00 E.S.T. daily. New usnloader images are tagged with a time stamp. For example, security notices that are released on May 10, 2018 are tagged as `cloudviz/usnloader:20180510`. An image tagged `latest` is also pushed daily when the build completes at 00:00 E.S.T. Each timestamped version of the usnloader image is available on Docker Hub for 7 days.
Prerequisites
If your environment does not have Internet access, you must manually pull the usnloader image from Docker Hub daily. To set up a manual pull, complete the following steps:
- Create a Linux cron job on a host that has Internet access. Schedule the cron job to pull the `usnloader` image every day at 5:00pm E.S.T.
- Push the latest `usnloader` image to your IBM Cloud Private private registry. See Pushing and pulling images.
- Complete the procedure for updating security notices. Ensure that you update the `image` specification in the Kubernetes CronJob `usnloader.yaml` so that it points to the image in the IBM Cloud Private private registry. For example, `image: mycluster.icp:8500/services/usnloader:latest`.
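One way to implement the daily pull-and-push cron job described in these prerequisites, as an added example that is not IBM's script or part of the documentation: the script below pulls the day's timestamped `cloudviz/usnloader` image and pushes it into the private registry under both the dated tag and `latest`. It assumes a host with a `docker` CLI that is logged in to Docker Hub and to the private registry, that the private repository path `mycluster.icp:8500/services/usnloader` follows the page's example, and that the image tag is the date in `YYYYMMDD` form as the page describes. Pulling the dated tag rather than `latest` pins the mirrored copy to a known build, and the script stops at the first failing command so a failed pull is never followed by pushing a stale image as `latest`.

```python
"""Mirror the daily usnloader image into a private registry (added example, not IBM's code).

Assumptions (not from the IBM documentation): a docker CLI on this host is
logged in to Docker Hub and to the private registry; the private repository
path follows the page's example; the day's image carries a YYYYMMDD tag.

Crontab line on the Internet-connected host (5:00pm; host clock assumed to
be E.S.T. as in the page's schedule; script path is hypothetical):
    0 17 * * * /usr/bin/python3 /opt/va/mirror_usnloader.py
"""
import subprocess
import sys
from datetime import date

SOURCE_REPO = "cloudviz/usnloader"                     # image name from the page
TARGET_REPO = "mycluster.icp:8500/services/usnloader"   # page's example path; assumed


def date_tag(day=None):
    """YYYYMMDD tag for ``day`` (default: today), e.g. 2018-05-10 -> 20180510."""
    return (day or date.today()).strftime("%Y%m%d")


def mirror_commands(tag, source=SOURCE_REPO, target=TARGET_REPO):
    """The docker invocations, in order, that copy source:tag into the private
    registry under both the dated tag and ``latest``."""
    src = f"{source}:{tag}"
    return [
        ["docker", "pull", src],
        ["docker", "tag", src, f"{target}:{tag}"],
        ["docker", "tag", src, f"{target}:latest"],
        ["docker", "push", f"{target}:{tag}"],
        ["docker", "push", f"{target}:latest"],
    ]


def run_mirror(tag, runner=lambda cmd: subprocess.run(cmd).returncode):
    """Run the commands and stop at the first non-zero exit status, so a failed
    pull never leads to an old local image being re-pushed as ``latest``.
    Returns (ok, failed_command); ``runner`` is injectable for testing."""
    for cmd in mirror_commands(tag):
        if runner(cmd) != 0:
            return False, cmd
    return True, None


if __name__ == "__main__":
    ok, failed = run_mirror(date_tag())
    if not ok:
        print("usnloader mirror failed at: " + " ".join(failed), file=sys.stderr)
        sys.exit(1)
```

After the mirror runs, the CronJob in the procedure that follows should reference `mycluster.icp:8500/services/usnloader:latest` (or the dated tag, for a reproducible load) instead of the Docker Hub image.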
Procedure
To update the security notices for your IBM Cloud Private cluster, complete the following steps:
- Set up the `kubectl` CLI. See Accessing your IBM Cloud Private cluster by using the kubectl CLI.
- Create a Kubernetes CronJob `usnloader.yaml` by using the following specifications:

  ```yaml
  ---
  apiVersion: batch/v1beta1
  kind: CronJob
  metadata:
    labels:
      app: usnloader
      component: vulnerability-advisor
    name: usnloader
    namespace: kube-system
  spec:
    concurrencyPolicy: Replace
    failedJobsHistoryLimit: 1
    successfulJobsHistoryLimit: 3
    schedule: '0 6 * * *'
    suspend: false
    jobTemplate:
      spec:
        template:
          spec:
            containers:
            - command: ["python2.7", "/opt/usnloader/usnloader.py", "--elasticsearch-urls", "https://elasticsearch:9200", "--ca-file", "/tls/ca.crt", "--client-cert", "/tls/curator.crt", "--client-key", "/tls/curator.key"]
              image: cloudviz/usnloader:latest
              imagePullPolicy: Always
              name: usnloader
              volumeMounts:
              - mountPath: /var/log/cloudsight/
                name: log
              - mountPath: /tls
                name: certs
                readOnly: true
            nodeSelector:
              va: "true"
            restartPolicy: OnFailure
            tolerations:
            - effect: NoSchedule
              key: "dedicated"
              operator: "Exists"
            - key: "CriticalAddonsOnly"
              operator: "Exists"
            volumes:
            - name: certs
              secret:
                defaultMode: 420
                secretName: logging-elk-certs
            - emptyDir: {}
              name: log
  ```

  To load security notices for a specific date, you can instead create a Kubernetes batch Job `usnloader.yaml` and specify the image tag for the desired date. The batch job might resemble the following code:

  ```yaml
  ---
  apiVersion: batch/v1
  kind: Job
  metadata:
    name: usnloader
    namespace: kube-system
    labels:
      app: usnloader
      component: vulnerability-advisor
  spec:
    template:
      metadata:
        annotations:
          scheduler.alpha.kubernetes.io/critical-pod: ""
        name: vulnerability-advisor-usncrawler
      spec:
        containers:
        - command:
          - python2.7
          - /opt/usnloader/usnloader.py
          - --elasticsearch-urls
          - https://elasticsearch:9200
          - --ca-file
          - /tls/ca.crt
          - --client-cert
          - /tls/curator.crt
          - --client-key
          - /tls/curator.key
          image: "cloudviz/usnloader:latest"
          imagePullPolicy: Always
          name: usnloader
          volumeMounts:
          - mountPath: /var/log/cloudsight/
            name: log
          - mountPath: /tls
            name: certs
            readOnly: true
        dnsPolicy: ClusterFirst
        nodeSelector:
          va: "true"
        priorityClassName: system-cluster-critical
        restartPolicy: OnFailure
        terminationGracePeriodSeconds: 30
        tolerations:
        - effect: NoSchedule
          key: dedicated
          operator: Exists
        volumes:
        - name: certs
          secret:
            defaultMode: 420
            secretName: logging-elk-certs
        - emptyDir: {}
          name: log
  ```

- Launch the usnloader job:

  ```
  kubectl apply -f usnloader.yaml
  ```

- Check the job:

  ```
  kubectl -n kube-system get cronjob | grep usnloader
  ```

  The output resembles the following code:

  ```
  NAME        SCHEDULE    SUSPEND   ACTIVE    LAST SCHEDULE   AGE
  usnloader   0 6 * * *   False     1         29s             4m
  ```

  The CronJob pulls the latest image from Docker Hub, and loads the latest security notices into the Elasticsearch component of your Vulnerability Advisor.

  ```
  kubectl -n kube-system get job | grep usnloader
  ```

  The output resembles the following code:

  ```
  usnloader-1526436600   1         0            33s
  ```

  ```
  kubectl -n kube-system get pods --show-all | grep usnloader
  ```

  The output resembles the following code:

  ```
  usnloader-1526436600-846nf   0/1       Completed   0          59s
  ```

  ```
  kubectl -n kube-system logs -f usnloader-1526436600-846nf
  ```

  The output resembles the following code:

  ```
  2018-05-16 02:10:20,581 INFO 63 usnloader: Arguments received from the command line
  2018-05-16 02:10:20,582 INFO 66 usnloader: {'elastic_search': 'vulnerability-advisor-elasticsearch:9200', 'elastic_search_password': '**********'}
  2018-05-16 02:10:42,731 INFO 79 usnloader: No new usns
  2018-05-16 02:10:42,744 INFO 58 log_update_status: [
    {
      "latest_advisory": "deb-2018-msg00126.html",
      "index_load_time": "2018-05-16T02:10:07.866827",
      "distro": "debian"
    },
    {
      "latest_advisory": "alpine_git_commit:",
      "index_load_time": "2018-05-15T03:02:11.375949",
      "distro": "alpine"
    },
    {
      "latest_advisory": "RHSA-2018:0998",
      "index_load_time": "2018-05-16T02:10:07.744258",
      "distro": "redhat"
    },
    {
      "latest_advisory": "centos-2018-May.txt.gz",
      "index_load_time": "2018-05-16T02:10:07.832857",
      "distro": "centos"
    },
    {
      "latest_advisory": "FEDORA-2018-05",
      "index_load_time": "2018-05-16T02:10:07.656827",
      "distro": "fedora"
    },
    {
      "latest_advisory": "ubuntu-2018-May.txt.gz",
      "index_load_time": "2018-05-16T02:10:07.551024",
      "distro": "ubuntu"
    }
  ]
  ```
You are now ready to use the Vulnerability Advisor with updated security notices.
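The `log_update_status` line in the usnloader log lists, for each distribution, the last advisory loaded and the time the Elasticsearch index was loaded. A CronJob that stops loading notices (an expired timestamped tag, a failed mirror pull, an unreachable Elasticsearch) does not surface in the Vulnerability Advisor reports, which keep being generated against old notices. The following added script, which is not part of the IBM documentation or the usnloader tool, parses that line from saved pod logs and reports distributions whose index is older than an allowed age or that have no entry at all. The expected distribution names (taken from the sample log), the age threshold, and the trimmed sample log embedded for a stand-alone run are constructed assumptions.

```python
"""Freshness check over usnloader log output (added example, not IBM's code).

Parses the ``log_update_status`` JSON array that usnloader logs and flags
distributions whose Elasticsearch index is older than an allowed age, or
that are missing from the status entirely. Thresholds and the expected
distribution list are assumptions for this example.
"""
import json
import re
from datetime import datetime, timedelta

# Distro names as they appear in the page's sample log; assumed to be the set
# you expect to see loaded for the supported operating systems.
EXPECTED_DISTROS = ("ubuntu", "alpine", "redhat", "centos", "debian")

# Constructed sample, trimmed to three distributions from the log output above.
SAMPLE_LOG = """\
2018-05-16 02:10:20,581 INFO 63 usnloader: Arguments received from the command line
2018-05-16 02:10:42,731 INFO 79 usnloader: No new usns
2018-05-16 02:10:42,744 INFO 58 log_update_status: [ { "latest_advisory": "deb-2018-msg00126.html", "index_load_time": "2018-05-16T02:10:07.866827", "distro": "debian" }, { "latest_advisory": "alpine_git_commit:", "index_load_time": "2018-05-15T03:02:11.375949", "distro": "alpine" }, { "latest_advisory": "RHSA-2018:0998", "index_load_time": "2018-05-16T02:10:07.744258", "distro": "redhat" } ]
"""

# Matches the JSON array that follows the log_update_status marker on one line.
STATUS_RE = re.compile(r"log_update_status:\s*(\[.*\])\s*$")


def parse_update_status(log_text):
    """Return the JSON array from the last log_update_status line, or None."""
    entries = None
    for line in log_text.splitlines():
        match = STATUS_RE.search(line)
        if match:
            entries = json.loads(match.group(1))
    return entries


def check_log(log_text, now_iso, max_age_days, expected=EXPECTED_DISTROS):
    """Summarise index freshness as of ``now_iso`` (ISO 8601 timestamp).

    Returns a dict with ``found`` (a status line was present), ``stale``
    (distros whose index_load_time is more than max_age_days before now)
    and ``missing`` (expected distros with no entry); lists are sorted.
    A log without a status line reports every expected distro as missing,
    since nothing confirms that any notices were loaded.
    """
    entries = parse_update_status(log_text)
    if entries is None:
        return {"found": False, "stale": [], "missing": sorted(expected)}
    now = datetime.fromisoformat(now_iso)
    limit = timedelta(days=max_age_days)
    loaded_at = {e["distro"]: datetime.fromisoformat(e["index_load_time"]) for e in entries}
    stale = [d for d, loaded in loaded_at.items() if now - loaded > limit]
    missing = [d for d in expected if d not in loaded_at]
    return {"found": True, "stale": sorted(stale), "missing": sorted(missing)}


if __name__ == "__main__":
    # Evaluate the constructed sample as of the morning after the load.
    print(check_log(SAMPLE_LOG, "2018-05-17T00:00:00", 1))
```

Feed it the output of `kubectl -n kube-system logs <usnloader pod>` after each scheduled run and alert when `stale` or `missing` is non-empty; with a daily CronJob, an allowed age of one to two days catches a silently failing load within a day or two.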