Vulnerability Advisor

Use the advisor to get security status for container images in your IBM® Cloud Private private registry. The Vulnerability Advisor also runs security checks on running containers in your environment.

For more information about the Vulnerability Advisor, see the About Vulnerability Advisor section in the IBM Cloud Docs.

The Vulnerability Advisor feature is supported for multi-node clusters of the Cloud Native and Enterprise editions of IBM Cloud Private only.

View the following table for a list of operating systems that the Vulnerability Advisor supports:

Table 1. Operating systems that Vulnerability Advisor supports.

Operating system            Version
Ubuntu                      18.04, 17.10, 16.10, 16.04, 15.10, 15.04, 14.04, 13.10, 13.04, 12.10, 12.04, 11.10, 11.04, 10.10, 10.04
Alpine                      2.7-3.8
Red Hat Enterprise Linux    all base images
CentOS                      all base images
Debian                      7, 8, 9

Important: VA does not support SLES. Apply the Fix Central patch to enable the support for SLES.

For a list of the Vulnerability Advisor components, see Components.

To enable the Vulnerability Advisor after your cluster is installed, complete the steps in the following sections:

Configuring Vulnerability Advisor

Configuring the Vulnerability Advisor container crawler

  1. From the navigation menu, click Configuration > ConfigMaps.
  2. In the search box, type "live-crawler".
  3. For the vulnerability-advisor-live-crawler ConfigMap, select Action > Edit. The vulnerability-advisor-live-crawler JSON file displays.
  4. Modify the value of the enabled parameter.
    • To disable the crawler, set the enabled parameter to false.
    • To enable the crawler, set the enabled parameter to true.
  5. (Optional) You can also configure the time interval for scanning containers on the host. To configure the time interval, modify the value of the crawl-interval parameter. The default value is 86400 seconds (one day).
  6. Click Submit. The crawler container restarts automatically and is deployed as a DaemonSet named vulnerability-advisor-live-crawler.

Configuring the Vulnerability Advisor image crawler

  1. From the navigation menu, click Configuration > ConfigMaps.
  2. In the search box, type "registry-crawler".
  3. For the vulnerability-advisor-registry-crawler ConfigMap, select Action > Edit. The vulnerability-advisor-registry-crawler JSON file displays.
  4. Modify the value of the enabled parameter.
    • To disable the crawler, set the enabled parameter to false.
    • To enable the crawler, set the enabled parameter to true.
  5. Click Submit.

Configuring the Vulnerability Advisor image crawler to rescan images

  1. From the navigation menu, click Workloads > Deployments.
  2. In the search box type "registry-crawler".
  3. For the vulnerability-advisor-registry-crawler deployment, select Action > Edit. The vulnerability-advisor-registry-crawler JSON file displays.
  4. Modify the value of the following parameters.
    • To rescan images that were successfully scanned, set the RESET_WHITELIST option to true.
    • To rescan images that failed to scan, set the RESET_BLACKLIST option to true.
  5. Click Submit.

Configuring the number of rows for list views of containers and images

  1. From the navigation menu, click Tools > Vulnerability Advisor.
  2. Select one namespace from the table. The Vulnerability Advisor (List Containers) window is displayed. Each row in the table is the report for one container. By default, 50 rows are displayed per page and at most 100 rows in total.
  3. To configure the total number of rows, add the max parameter to the URL of the page. For example, when you add the &max=200 parameter to the URL, a maximum of 200 rows in total are displayed.
  4. To increase the number of rows displayed on each page, add the count parameter to the URL of the page. For example, when you add the &count=100 parameter to the URL, each page includes a maximum of 100 rows.
  5. You can configure both the max and count parameters. For example, when you add &max=300&count=100 to the URL, each page displays a maximum of 100 rows, and a maximum of 300 rows (at most 3 pages) in total.

    https://xxx.xxx.xxx.xxx:8443/va/ui/list?access_group=kube-system&max=300&count=100
    

    The max and count URL parameters are available in the following views:

    • Vulnerability Advisor (List Containers)
    • Vulnerability Advisor (List Images)
    • Mutation Advisor (List Containers)

Logs and report management

The Vulnerability Advisor components Kafka (logs) and Minio (data) consume a large amount of disk space on the VA nodes. By default, Kafka retains 600 minutes (10 hours) of logs, and Minio retains 30 days of data. This data includes container reports.

Keep the data size of your log minimal with retention policies. For more information, see Modifying the data retention policy for logging services.

Configuring data curation interval of VA Minio cleaner

  1. From the navigation menu, click Configuration > ConfigMaps.
  2. For the vulnerability-advisor-minio-cleaner-config ConfigMap, select Action > Edit. The vulnerability-advisor-minio-cleaner-config JSON file displays.
  3. Modify the retention value of each Minio bucket in the data.clean.sh section (vacos:30, vacos-hf:5, vacos-ma:30, vacos-summary:30). The unit is days.
  4. Click Submit.

Mutation Advisor

You can view the modification alerts of system files, configuration files, content files, or the operating system process. From the navigation menu, click Tools > Vulnerability Advisor > namespaces. Select the Go to Mutation Advisor button to view alerts.

Configuring the Mutation Advisor process crawler

  1. From the navigation menu, click Configuration > ConfigMaps.
  2. In the search box, type "ma-crawler".
  3. For the vulnerability-advisor-process-ma-crawler ConfigMap, select Action > Edit. The vulnerability-advisor-process-ma-crawler JSON file displays.
  4. Modify the value of the enabled parameter.
    • To disable the crawler, set the enabled parameter to false.
    • To enable the crawler, set the enabled parameter to true.
  5. (Optional) You can also configure the time interval for scanning containers on the host. To configure the time interval, modify the value of the crawl-interval parameter. The default value is 300 seconds (5 minutes).
  6. Click Submit. The crawler container is deployed as a DaemonSet named vulnerability-advisor-process-ma-crawler.

Configuring the Mutation Advisor file crawler

File mutation detection is provided by the Vulnerability Advisor container crawler. For information, see Configuring the Vulnerability Advisor container crawler.

Configuring Mutation Advisor whitelists

Mutation Advisor supports configuring whitelists of common file and process mutations to reduce false alarms. The system generates candidate whitelists that can be either enabled or disabled in the management console.

Complete the following steps to configure the Mutation Advisor whitelists.

  1. From the Mutation Advisor page, click Manage Whitelist.
  2. Decide whether you want a whitelist for file mutation or process mutation. In the Scope section, select File or Process from the drop-down menu.
  3. Associate containers with a whitelist in one of the following ways:
    • Select All containers in the current namespace.
    • Select Only containers created using the image below and provide the full image name as defined in the Kubernetes .yaml spec.
    • Select an image from the drop-down list to use an image with an existing whitelist.
  4. Update the rules. In the Rules section, click New rule. In the pop-up window, enter a Pattern name, and select an Action for the match rules. Click Create.
  5. Your new rule is added to the Rules table.
  6. Enable or disable a rule by toggling the ON/OFF radio buttons.
  7. To remove a rule, select the check box in the Delete column for that rule.
  8. Click Save Whitelist to save configurations.

Configuring log clean-up interval of Kafka cluster

  1. Set up the kubectl CLI. See Accessing your IBM Cloud Private cluster by using the kubectl CLI.
  2. Edit the vulnerability-advisor-kafka StatefulSet object to re-configure Kafka.

     kubectl --namespace=kube-system edit StatefulSet vulnerability-advisor-kafka
    
  3. Modify the value of the KAFKA_LOG_RETENTION_MINUTES environment variable. The default value is 600 minutes (10 hours).

  4. Save the changes.

Viewing security reports

From the management console, you can view security reports for containers and images organized by namespace. These security reports are generated by using a default policy.

  1. From the navigation menu, click Add-ons > Vulnerability Advisor.
  2. Select the namespace that you want to view. The Vulnerability Advisor dashboard displays. From this dashboard, you can review the reports for containers and images in the selected namespace. The report details the following information on each container or image:
    • Name - the name of the container or image.
    • Owner - the namespace that the image or container belongs to.
    • Latest Scan - the timestamp when the image or container was scanned.
    • Type - specifies whether the object is a container or an image.
    • Organizational Policies - the security policy that is being used. This is set in the Managing policies section.
    • Vulnerable Packages - current vulnerabilities that are identified for the container or image.
    • Container Settings - summary of potential security and compliance issues. Recommendations for security are also presented here.

Use the VA API commands to manage security reports. For more information, see Vulnerability Advisor API.

Managing policies

  1. From the navigation menu, click Tools > Vulnerability Advisor.
  2. Select the namespace that you want to view reports for. The Vulnerability Advisor dashboard displays.
  3. From the horizontal navigation menu of the Vulnerability Advisor dashboard, select Manage Policies.
  4. On the Manage policies page, select the policy changes that you want to make by toggling the ON/OFF radio buttons.
  5. Click Submit Policy.

Timing policy

Create a timing policy to schedule a specific time to scan Vulnerability Advisor (VA) pods, VA images, and the Mutation Advisor (MA) process.

Complete the following steps:

  1. Update the YAML file for the VA pod scan by running the following command:

    kubectl edit cm vulnerability-advisor-live-crawler -nkube-system
    
  2. Edit the live-crawler.crontab parameter in the VA pod YAML file. Your YAML file might resemble the following configuration map:

     apiVersion: v1
     data:
       enabled: "true"
       live-crawler.crontab: 59 22 * * *
     kind: ConfigMap
    
  3. Update the YAML file for the VA image scan by running the following command:

      kubectl edit cm vulnerability-advisor-registry-crawler -nkube-system
    
  4. Edit the reg-crawler.crontab parameter in the VA image YAML file. Your YAML file might resemble the following configuration map:

      apiVersion: v1
      data:
        enabled: "true"
        reg-crawler.crontab: 0 10 * * *
      kind: ConfigMap
      metadata:
    
  5. Update the YAML file for the MA process scan by running the following command:

      kubectl edit cm vulnerability-advisor-process-ma-crawler -nkube-system
    
  6. Edit the live-crawler.crontab parameter in the MA process YAML file. Your YAML file might resemble the following configuration map:

      apiVersion: v1
      data:
        enabled: "true"
        live-crawler.crontab: '*/15 * * * *'
      kind: ConfigMap
      metadata:
    

A timing policy is created for the Vulnerability Advisor (VA) pods scan, VA images scan, and the Mutation Advisor (MA) process scan.
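
The crawler sections above and the timing policy just described all come down to editing a handful of keys in three ConfigMaps. The following Python is an added example, not code from the IBM documentation: it validates a five-field crontab before it is written, so a typo is caught before it reaches the cluster, and renders a kubectl patch command for each crawler ConfigMap. The ConfigMap names and data keys (enabled, crawl-interval, live-crawler.crontab, reg-crawler.crontab) are taken from this page; applying them as a JSON merge patch instead of editing through the management console is my assumption, and the function names are mine.

```python
"""Build kubectl merge patches for the VA / MA crawler ConfigMaps.

Added example, not part of the IBM documentation. ConfigMap names and data
keys come from the page; the `kubectl patch --type merge` invocation is an
assumed alternative to editing the ConfigMaps in the management console.
"""
import json
import re

NAMESPACE = "kube-system"

# ConfigMap name -> data key holding its schedule (as documented on the page).
CRAWLERS = {
    "vulnerability-advisor-live-crawler": "live-crawler.crontab",
    "vulnerability-advisor-registry-crawler": "reg-crawler.crontab",
    "vulnerability-advisor-process-ma-crawler": "live-crawler.crontab",
}

# Allowed (min, max) for the five standard crontab fields:
# minute, hour, day of month, month, day of week (0 and 7 are both Sunday).
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]

# One list element: "*", "N", "N-M", optionally followed by "/step".
_TOKEN = re.compile(r"^(\*|\d+)(?:-(\d+))?(?:/(\d+))?$")


def validate_crontab(expr):
    """Return True if expr is a syntactically valid five-field crontab line."""
    fields = expr.split()
    if len(fields) != 5:
        return False
    for field, (lo, hi) in zip(fields, FIELD_RANGES):
        for token in field.split(","):
            m = _TOKEN.match(token)
            if not m:
                return False
            start, end, step = m.groups()
            if step is not None and int(step) == 0:
                return False          # "*/0" would divide by zero
            if start == "*":
                if end is not None:
                    return False      # "*-5" is not a range
                continue
            s = int(start)
            e = int(end) if end is not None else s
            if not (lo <= s <= hi and lo <= e <= hi and s <= e):
                return False
    return True


def crawler_patch(configmap, enabled, crontab=None, crawl_interval=None):
    """Return the JSON merge patch body for one crawler ConfigMap.

    ConfigMap data values are strings, so the boolean and the interval are
    rendered as text, matching the enabled: "true" form shown on the page.
    """
    if configmap not in CRAWLERS:
        raise ValueError("unknown crawler ConfigMap: %s" % configmap)
    data = {"enabled": "true" if enabled else "false"}
    if crontab is not None:
        if not validate_crontab(crontab):
            raise ValueError("invalid crontab %r for %s" % (crontab, configmap))
        data[CRAWLERS[configmap]] = crontab
    if crawl_interval is not None:
        if int(crawl_interval) <= 0:
            raise ValueError("crawl-interval must be a positive number of seconds")
        data["crawl-interval"] = str(int(crawl_interval))
    return {"data": data}


def kubectl_patch_command(configmap, patch):
    """Render (not execute) the kubectl command that applies the patch."""
    return "kubectl -n %s patch configmap %s --type merge -p '%s'" % (
        NAMESPACE, configmap, json.dumps(patch, sort_keys=True))


if __name__ == "__main__":
    # The three schedules from the timing policy section of the page.
    schedules = {
        "vulnerability-advisor-live-crawler": "59 22 * * *",
        "vulnerability-advisor-registry-crawler": "0 10 * * *",
        "vulnerability-advisor-process-ma-crawler": "*/15 * * * *",
    }
    for cm, cron in schedules.items():
        print(kubectl_patch_command(cm, crawler_patch(cm, True, crontab=cron)))
```

Running the script prints one kubectl command per ConfigMap; review the output and run it from a host with kubectl access to the cluster. Setting enabled to false for a crawler and keeping its schedule is a useful way to pause scanning without losing the timing policy.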

Updating security notices for the Vulnerability Advisor components

Security notices for all supported Linux® distributions are preloaded in the Elasticsearch cluster for the Vulnerability Advisor. However, security notices for each Linux distribution are updated periodically on the Internet.

IBM publishes security notices by pushing a new usnloader image to Docker Hub at 12:00 AM E.S.T. daily. New usnloader images are tagged with a time stamp. For example, security notices that are released on May 10th 2018 are tagged as cloudviz/usnloader:20180510. An image tagged latest is also pushed daily when the build completes at 12:00 AM E.S.T. Each timestamped version of the usnloader image is available on Docker Hub for 7 days.

Prerequisites

If your environment does not have Internet access, you need to manually pull the usnloader image from Docker Hub daily. To set up a manual pull, complete the following steps:

  1. Create a Linux Cron Job on a host that has Internet access. Schedule the Cron Job to pull the usnloader image every day at 5:00pm E.S.T.
  2. Push the latest usnloader image to your IBM Cloud Private private registry. See Pushing and pulling images.
  3. Complete the procedure for updating security notices. Ensure that you update the image specification in the Kubernetes CronJob usnloader.yaml to point to the image in the IBM Cloud Private private registry, for example image: mycluster.icp:8500/services/usnloader:latest.

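Step 3 of the prerequisites asks you to repoint the image in usnloader.yaml from Docker Hub to the private registry. The following Python is an added example, not code from the IBM documentation or from the usnloader project: it performs that rewrite on the manifest text and then checks that every image in the result is served from the private registry and that imagePullPolicy stays Always, which is what makes the daily re-pushed image actually get fetched. The manifest excerpt is constructed from the CronJob spec in the procedure; the registry host mycluster.icp:8500 and the services/ repository path are the page's own example, and the function names are mine.

```python
"""Repoint the usnloader image at a private registry and verify the result.

Added example, not part of the IBM documentation. The manifest excerpt is
constructed from the page's CronJob spec; the registry host and the
services/ path are the page's own example values.
"""
import re

# Constructed excerpt of the usnloader container spec from the page.
SAMPLE_MANIFEST = """\
          containers:
          - command: ["python2.7", "/opt/usnloader/usnloader.py"]
            image: cloudviz/usnloader:latest
            imagePullPolicy: Always
            name: usnloader
"""

# Matches an image: line that references the Docker Hub usnloader image,
# with or without quotes, capturing the indentation/key prefix and the tag.
DOCKERHUB_IMAGE = re.compile(
    r'^(\s*image:\s*)["\']?cloudviz/usnloader:([\w.-]+)["\']?\s*$')


def repoint_image(manifest, registry, tag=None):
    """Return the manifest with cloudviz/usnloader:<tag> replaced by the
    copy pushed to <registry>/services/usnloader.

    If `tag` is given it replaces the original tag, so a dated usnloader
    build (for example 20180510) can be pinned instead of latest.
    """
    out = []
    for line in manifest.splitlines(keepends=True):
        m = DOCKERHUB_IMAGE.match(line)
        if m:
            line = "%s%s/services/usnloader:%s\n" % (
                m.group(1), registry, tag or m.group(2))
        out.append(line)
    return "".join(out)


def image_refs(manifest):
    """All image references in the manifest, quotes stripped."""
    refs = []
    for line in manifest.splitlines():
        stripped = line.strip()
        if stripped.startswith("image:"):
            refs.append(stripped.split(":", 1)[1].strip().strip("\"'"))
    return refs


def check_airgap_ready(manifest, registry):
    """List of problems that would break an air-gapped deployment:
    an image not served from `registry`, or a pull policy other than Always."""
    problems = []
    for ref in image_refs(manifest):
        if not ref.startswith(registry + "/"):
            problems.append("image not served from private registry: " + ref)
    if not re.search(r"^\s*imagePullPolicy:\s*Always\s*$", manifest, re.M):
        problems.append(
            "imagePullPolicy must be Always to pick up the daily re-push")
    return problems


if __name__ == "__main__":
    registry = "mycluster.icp:8500"
    print("before:", check_airgap_ready(SAMPLE_MANIFEST, registry))
    fixed = repoint_image(SAMPLE_MANIFEST, registry)
    print(fixed)
    print("after:", check_airgap_ready(fixed, registry))
```

To apply it to the real file, read usnloader.yaml, pass its text through repoint_image, and write the result back before running kubectl apply. Because the check is text based, it flags any image: line that still points outside the registry, including ones you may add later, without needing a YAML parser.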
Procedure

To update the security notices for your IBM Cloud Private cluster, complete the following steps:

  1. Set up the kubectl CLI. See Accessing your IBM Cloud Private cluster by using the kubectl CLI.
  2. Create a Kubernetes CronJob usnloader.yaml by using the following specifications.

     ---
     apiVersion: batch/v1beta1
     kind: CronJob
     metadata:
       labels:
         app: usnloader
         component: vulnerability-advisor
       name: usnloader
       namespace: kube-system
     spec:
       concurrencyPolicy: Replace
       failedJobsHistoryLimit: 1
       successfulJobsHistoryLimit: 3
       schedule: '0 6 * * *'
       suspend: false
       jobTemplate:
         spec:
           template:
             spec:
               containers:
               - command: ["python2.7", "/opt/usnloader/usnloader.py",
                           "--elasticsearch-urls", "https://elasticsearch:9200", "--ca-file", "/tls/ca.crt",
                           "--client-cert", "/tls/curator.crt", "--client-key", "/tls/curator.key"]
                 image: cloudviz/usnloader:latest
                 imagePullPolicy: Always
                 name: usnloader
                 volumeMounts:
                 - mountPath: /var/log/cloudsight/
                   name: log
                 - mountPath: /tls
                   name: certs
                   readOnly: true
               nodeSelector:
                 va: "true"
               restartPolicy: OnFailure
               tolerations:
               - effect: NoSchedule
                 key: "dedicated"
                 operator: "Exists"
               - key: "CriticalAddonsOnly"
                 operator: "Exists"
               volumes:
               - name: certs
                 secret:
                   defaultMode: 420
                   secretName: logging-elk-certs
               - emptyDir: {}
                 name: log
    

    To load security notices for a specific date, you can create a Kubernetes batch job usnloader.yaml and specify the date-tagged image (for example cloudviz/usnloader:20180510) instead of latest. The batch job might resemble the following code:

     ---
     apiVersion: batch/v1
     kind: Job
     metadata:
       name: usnloader
       namespace: kube-system
       labels:
         app: usnloader
         component: vulnerability-advisor
     spec:
       template:
         metadata:
           annotations:
             scheduler.alpha.kubernetes.io/critical-pod: ""
           name: vulnerability-advisor-usncrawler
         spec:
           containers:
           - command:
             - python2.7
             - /opt/usnloader/usnloader.py
             - --elasticsearch-urls
             - https://elasticsearch:9200
             - --ca-file
             - /tls/ca.crt
             - --client-cert
             - /tls/curator.crt
             - --client-key
             - /tls/curator.key
             image: "cloudviz/usnloader:latest"
             imagePullPolicy: Always
             name: usnloader
             volumeMounts:
             - mountPath: /var/log/cloudsight/
               name: log
             - mountPath: /tls
               name: certs
               readOnly: true
           dnsPolicy: ClusterFirst
           nodeSelector:
             va: "true"
           priorityClassName: system-cluster-critical
           restartPolicy: OnFailure
           terminationGracePeriodSeconds: 30
           tolerations:
           - effect: NoSchedule
             key: dedicated
             operator: Exists
           volumes:
           - name: certs
             secret:
               defaultMode: 420
               secretName: logging-elk-certs
           - emptyDir: {}
             name: log
    
  3. Launch the usnloader Job.

     kubectl apply -f usnloader.yaml
    
  4. Check the job.

     kubectl -n kube-system get cronjob | grep usnloader
    

    The output resembles the following code:

     NAME                                          SCHEDULE      SUSPEND   ACTIVE    LAST SCHEDULE   AGE
     usnloader                                     0 6 * * *     False     1         29s             4m
    

    The CronJob pulls the latest image from Docker Hub, and loads the latest security notices into the Elasticsearch component of your Vulnerability Advisor.

     kubectl -n kube-system get job | grep usnloader
    

    The output resembles the following code:

     usnloader-1526436600                                     1         0            33s
    
     kubectl -n kube-system get pods --show-all | grep usnloader
    

    The output resembles the following code:

     usnloader-1526436600-846nf                                       0/1       Completed   0          59s
    
     kubectl -n kube-system logs -f usnloader-1526436600-846nf
    

    The output resembles the following code:

     2018-05-16 02:10:20,581 INFO 63 usnloader: Arguments received from the command line
     2018-05-16 02:10:20,582 INFO 66 usnloader: {'elastic_search': 'vulnerability-advisor-elasticsearch:9200', 'elastic_search_password': '**********'}
     2018-05-16 02:10:42,731 INFO 79 usnloader: No new usns
     2018-05-16 02:10:42,744 INFO 58 log_update_status: [
       {
         "latest_advisory": "deb-2018-msg00126.html",
         "index_load_time": "2018-05-16T02:10:07.866827",
         "distro": "debian"
       },
       {
         "latest_advisory": "alpine_git_commit:",
         "index_load_time": "2018-05-15T03:02:11.375949",
         "distro": "alpine"
       },
       {
         "latest_advisory": "RHSA-2018:0998",
         "index_load_time": "2018-05-16T02:10:07.744258",
         "distro": "redhat"
       },
       {
         "latest_advisory": "centos-2018-May.txt.gz",
         "index_load_time": "2018-05-16T02:10:07.832857",
         "distro": "centos"
       },
       {
         "latest_advisory": "FEDORA-2018-05",
         "index_load_time": "2018-05-16T02:10:07.656827",
         "distro": "fedora"
       },
       {
         "latest_advisory": "ubuntu-2018-May.txt.gz",
         "index_load_time": "2018-05-16T02:10:07.551024",
         "distro": "ubuntu"
       }
     ]
    

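The log_update_status block in the output above is the only place that tells you, per distribution, when its security notices were last loaded. The following Python is an added example, not code from the IBM documentation or from usnloader: it parses that JSON array out of the kubectl logs text and flags any distribution whose index_load_time is older than a threshold measured from the run time stamped on the log line, which is how you would notice that one feed has silently stopped updating while the others are current. The sample log lines are constructed from the page's output (alpine is a day behind the rest there); the 12-hour threshold and the function names are my assumptions.

```python
"""Flag stale security-notice indexes in usnloader log output.

Added example, not part of the IBM documentation. It parses the
log_update_status JSON array that usnloader prints and reports any distro
whose index_load_time is older than a threshold at the time of the run.
"""
import json
from datetime import datetime, timedelta

# Constructed sample built from the page's `kubectl logs` output.
SAMPLE_LOG = """\
2018-05-16 02:10:42,731 INFO 79 usnloader: No new usns
2018-05-16 02:10:42,744 INFO 58 log_update_status: [
  {"latest_advisory": "deb-2018-msg00126.html", "index_load_time": "2018-05-16T02:10:07.866827", "distro": "debian"},
  {"latest_advisory": "alpine_git_commit:", "index_load_time": "2018-05-15T03:02:11.375949", "distro": "alpine"},
  {"latest_advisory": "RHSA-2018:0998", "index_load_time": "2018-05-16T02:10:07.744258", "distro": "redhat"},
  {"latest_advisory": "centos-2018-May.txt.gz", "index_load_time": "2018-05-16T02:10:07.832857", "distro": "centos"},
  {"latest_advisory": "FEDORA-2018-05", "index_load_time": "2018-05-16T02:10:07.656827", "distro": "fedora"},
  {"latest_advisory": "ubuntu-2018-May.txt.gz", "index_load_time": "2018-05-16T02:10:07.551024", "distro": "ubuntu"}
]
"""

MARKER = "log_update_status: "


def parse_update_status(log_text):
    """Extract and decode the JSON array that follows `log_update_status:`.

    The array spans several lines, so everything after the marker is handed
    to a raw decoder, which stops at the array's closing bracket and ignores
    any log lines that follow it.
    """
    idx = log_text.find(MARKER)
    if idx < 0:
        raise ValueError("no log_update_status entry found in log output")
    entries, _ = json.JSONDecoder().raw_decode(log_text[idx + len(MARKER):])
    return entries


def status_timestamp(log_text):
    """Timestamp of the line carrying log_update_status, i.e. the run time."""
    line = next(l for l in log_text.splitlines() if MARKER in l)
    return datetime.strptime(line[:23], "%Y-%m-%d %H:%M:%S,%f")


def stale_distros(entries, now, max_age):
    """Return {distro: age} for every index older than max_age at `now`."""
    stale = {}
    for entry in entries:
        loaded = datetime.strptime(entry["index_load_time"], "%Y-%m-%dT%H:%M:%S.%f")
        age = now - loaded
        if age > max_age:
            stale[entry["distro"]] = age
    return stale


def stale_after_hours(log_text, hours):
    """Sorted distro names whose index is older than `hours` at run time."""
    entries = parse_update_status(log_text)
    return sorted(stale_distros(entries, status_timestamp(log_text),
                                timedelta(hours=hours)))


if __name__ == "__main__":
    # 12 hours is an assumed threshold: usnloader images are built daily,
    # so an index that has not moved in half a day deserves a look.
    for distro in stale_after_hours(SAMPLE_LOG, 12):
        print("stale security notices for", distro)
```

Pipe the real output in with something like `kubectl -n kube-system logs <usnloader pod> | python3 this_script.py` after replacing SAMPLE_LOG with sys.stdin.read(); a non-empty result is worth an alert, since VA reports for that distribution are then being produced against outdated advisories.
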
You are now ready to use the Vulnerability Advisor with updated security notices. You can also scan external image registries with the Vulnerability Advisor. See Scanning external registries with Vulnerability Advisor (VA) for more details.