Vulnerability Advisor
Use the advisor to get security status for container images in your IBM® Cloud Private private registry. The Vulnerability Advisor also runs security checks on running containers in your environment.
For more information about the Vulnerability Advisor, see the About Vulnerability Advisor section in the IBM Cloud Docs.
The Vulnerability Advisor feature is supported for multi-node clusters of the Cloud Native and Enterprise editions of IBM Cloud Private only.
The following table lists the operating systems that the Vulnerability Advisor supports:

Operating system | Version |
---|---|
Ubuntu | |
Alpine | 2.7-3.8 |
Red Hat Enterprise Linux | all base images |
Centos | all base images |
Debian | |
Important: VA does not support SLES. Apply the Fix Central patch to enable the support for SLES.
For a list of the Vulnerability Advisor components, see Components.
To enable the Vulnerability Advisor after you install your cluster, complete the steps in the following sections:
- Enabling and disabling IBM Cloud Private management services
- Configuring Vulnerability Advisor
- Logs and report management
- Viewing security reports
- Managing policies
- Updating security notices for the Vulnerability Advisor components
Configuring Vulnerability Advisor
Configuring the Vulnerability Advisor container crawler
- From the navigation menu, click Configuration > ConfigMaps.
- In the search box, type "live-crawler".
- For the `vulnerability-advisor-live-crawler` ConfigMap, select Action > Edit. The `vulnerability-advisor-live-crawler` JSON file displays.
- Modify the value of the `enabled` parameter.
  - To disable the crawler, set the `enabled` parameter to `false`.
  - To enable the crawler, set the `enabled` parameter to `true`.
- (Optional) You can also configure the time interval for scanning containers on the host. To configure the time interval, modify the value of the `crawl-interval` parameter. The default value is 86400 seconds (one day).
- Click Submit. The crawler container restarts automatically and is deployed as a DaemonSet named `vulnerability-advisor-live-crawler`.
Configuring the Vulnerability Advisor image crawler
- From the navigation menu, click Configuration > ConfigMaps.
- In the search box, type "registry-crawler".
- For the `vulnerability-advisor-registry-crawler` ConfigMap, select Action > Edit. The `vulnerability-advisor-registry-crawler` JSON file displays.
- Modify the value of the `enabled` parameter.
  - To disable the crawler, set the `enabled` parameter to `false`.
  - To enable the crawler, set the `enabled` parameter to `true`.
- Click Submit.
Configuring the Vulnerability Advisor image crawler to rescan images
- From the navigation menu, click Workloads > Deployments.
- In the search box, type "registry-crawler".
- For the `vulnerability-advisor-registry-crawler` deployment, select Action > Edit. The `vulnerability-advisor-registry-crawler` JSON file displays.
- Modify the value of the following parameters.
  - To rescan images that were successfully scanned, set the `RESET_WHITELIST` option to `true`.
  - To rescan images that failed to scan, set the `RESET_BLACKLIST` option to `true`.
- Click Submit.
Configuring the number of rows for list views of containers and images
- From the navigation menu, click Tools > Vulnerability Advisor.
- Select one namespace from the table. The Vulnerability Advisor (List Containers) window is displayed. Each row in the table is a report for one container. By default, 50 rows are displayed per page, with a maximum of 100 rows in total.
- To configure the total number of rows, add the `max` parameter to the URL of the page. For example, when you add the `&max=200` parameter to the URL, a maximum of 200 rows in total are displayed.
- To increase the number of rows that are displayed on each page, add the `count` parameter to the URL of the page. For example, when you add the `&count=100` parameter to the URL, each page includes a maximum of 100 rows.
- You can configure both the `max` and `count` parameters. For example, when you add `&max=300&count=100` to the URL, each page displays a maximum of 100 rows, and a maximum of 300 rows (3 pages) are displayed in total:

  `https://xxx.xxx.xxx.xxx:8443/va/ui/list?access_group=kube-system&max=300&count=100`

The `max` and `count` URL parameters are supported for the following views:
- Vulnerability Advisor (List Containers)
- Vulnerability Advisor (List Images)
- Mutation Advisor (List Containers)
Logs and report management
The Kafka logs and Minio data of the Vulnerability Advisor components consume a large amount of disk space on the VA nodes. By default, Kafka retains 600 minutes (10 hours) of logs, and Minio retains 30 days of data. This data includes container reports.
Keep the data size of your log minimal with retention policies. For more information, see Modifying the data retention policy for logging services.
Configuring the data clean-up interval of the VA Minio cleaner
- From the navigation menu, click Configuration > ConfigMaps.
- For the `vulnerability-advisor-minio-cleaner-config` ConfigMap, select Action > Edit. The `vulnerability-advisor-minio-cleaner-config` JSON file displays.
- Modify the retention value of each Minio bucket, `vacos:30 vacos-hf:5 vacos-ma:30 vacos-summary:30`, in the `data.clean.sh` section. The unit is days.
- Click Submit.
Mutation Advisor
You can view the modification alerts of system files, configuration files, content files, or the operating system process. From the navigation menu, click Tools > Vulnerability Advisor > namespaces. Select the Go to Mutation Advisor button to view alerts.
Configuring the Mutation Advisor process crawler
- From the navigation menu, click Configuration > ConfigMaps.
- In the search box, type "ma-crawler".
- For the `vulnerability-advisor-process-ma-crawler` ConfigMap, select Action > Edit. The `vulnerability-advisor-process-ma-crawler` JSON file displays.
- Modify the value of the `enabled` parameter.
  - To disable the crawler, set the `enabled` parameter to `false`.
  - To enable the crawler, set the `enabled` parameter to `true`.
- (Optional) You can also configure the time interval for scanning containers on the host. To configure the time interval, modify the value of the `crawl-interval` parameter. The default value is 300 seconds (5 minutes).
- Click Submit. The crawler container is deployed as a DaemonSet named `vulnerability-advisor-process-ma-crawler`.
Configuring the Mutation Advisor file crawler
File Mutation is also implemented by the Vulnerability Advisor container crawler. For information, see Configuring the Vulnerability Advisor container crawler.
Configuring Mutation Advisor whitelists
Mutation Advisor supports configuring whitelists of common file and process mutations to reduce false alarms. The system generates candidate whitelists that can be either enabled or disabled in the management console.
Complete the following steps to configure the Mutation Advisor whitelists.
- From the Mutation Advisor page, click Manage Whitelist.
- Decide whether you want a whitelist for file mutation or process mutation. In the Scope section, select File or Process from the drop-down menu.
- Associate containers with a whitelist in one of the following ways:
- Select All containers in the current namespace.
  - Select Only containers created using the image below and provide the full image name as defined in the Kubernetes `.yaml` spec.
  - Select an image from the drop-down list to use an image with an existing whitelist.
- Update the rules. In the Rules section, click New rule. In the pop-up window, enter a Pattern name, and select an Action for the match rules. Click Create.
- Your new rule is added to the Rules table.
- Enable or disable a rule by toggling the ON/OFF radio buttons.
- You can remove a rule. In the Delete column, check the box associated with the rule that you want to remove.
- Click Save Whitelist to save configurations.
Configuring log clean-up interval of Kafka cluster
- Set up the `kubectl` CLI. See Accessing your IBM Cloud Private cluster by using the kubectl CLI.
- Edit the `vulnerability-advisor-kafka` StatefulSet object to reconfigure Kafka:

  `kubectl --namespace=kube-system edit StatefulSet vulnerability-advisor-kafka`

- Modify the value of the `KAFKA_LOG_RETENTION_MINUTES` environment variable. The default value is 600 minutes (10 hours).
- Save the changes.
Viewing security reports
From the management console, you can view security reports for containers and images organized by namespace. These security reports are generated by using a default policy.
- From the navigation menu, click Add-ons > Vulnerability Advisor.
- Select the namespace that you want to view. The Vulnerability Advisor dashboard displays. From this dashboard, you can review the reports for containers and images in the selected namespace. The report details the following information on each container or image:
- Name - name of the container or image
- Owner - the namespace that the image or container belongs to.
- Latest Scan - the timestamp when the image or container was scanned.
- Type - specifies whether the object is a container or image
- Organizational Policies - the security policy that is being used. This is set in the Managing policies section.
- Vulnerable Packages - current vulnerabilities that are identified for the container or image.
- Container Settings - summary of potential security and compliance issues. Recommendations for security are also presented here.
Use the VA API commands to manage security reports. For more information, see Vulnerability Advisor API.
Managing policies
- From the navigation menu, click Tools > Vulnerability Advisor.
- Select the namespace that you want to view reports for. The Vulnerability Advisor dashboard displays.
- From the horizontal navigation menu of the Vulnerability Advisor dashboard, select Manage Policies.
- On the Manage policies page, select the policy changes that you want to make by toggling the ON/OFF radio buttons.
- Click Submit Policy.
Timing policy
Create a timing policy to schedule a specific time to scan Vulnerability Advisor (VA) pods, VA images, and the Mutation Advisor (MA) process.
Complete the following steps:
- Update the YAML file for the VA pod scan by running the following command:

  `kubectl edit cm vulnerability-advisor-live-crawler -n kube-system`

- Edit the `live-crawler.crontab` parameter in the VA pod YAML file. Your YAML file might resemble the following configuration map:

  ```yaml
  apiVersion: v1
  data:
    enabled: "true"
    live-crawler.crontab: 59 22 * * *
  kind: ConfigMap
  ```

- Update the YAML file for the VA image scan by running the following command:

  `kubectl edit cm vulnerability-advisor-registry-crawler -n kube-system`

- Edit the `reg-crawler.crontab` parameter in the VA image YAML file. Your YAML file might resemble the following configuration map:

  ```yaml
  apiVersion: v1
  data:
    enabled: "true"
    reg-crawler.crontab: 0 10 * * *
  kind: ConfigMap
  metadata:
  ```

- Update the YAML file for the MA process scan by running the following command:

  `kubectl edit cm vulnerability-advisor-process-ma-crawler -n kube-system`

- Edit the `live-crawler.crontab` parameter in the MA process YAML file. Your YAML file might resemble the following configuration map:

  ```yaml
  apiVersion: v1
  data:
    enabled: "true"
    live-crawler.crontab: '*/15 * * * *'
  kind: ConfigMap
  metadata:
  ```
A timing policy is created for the Vulnerability Advisor (VA) pods scan, VA images scan, and the Mutation Advisor (MA) process scan.
Updating security notices for the Vulnerability Advisor components
Security notices for all supported Linux® distributions are preloaded in the Elasticsearch cluster of the Vulnerability Advisor. However, the security notices for each Linux distribution are updated periodically on the Internet.
IBM publishes security notices by pushing a new `usnloader` image to Docker Hub at 00:00 EST daily. New `usnloader` images are tagged with a time stamp. For example, security notices that are released on May 10th, 2018 are tagged as `cloudviz/usnloader:20180510`. An image tagged `latest` is also pushed daily when the build completes at 00:00 EST. Each timestamped version of the `usnloader` image is available on Docker Hub for 7 days.
Prerequisites
If your environment does not have Internet access, you need to manually pull the `usnloader` image from Docker Hub daily. To set up a manual pull, complete the following steps:
- Create a Linux cron job on a host that has Internet access. Schedule the cron job to pull the `usnloader` image every day at 5:00pm EST.
- Push the latest `usnloader` image to your IBM Cloud Private private registry. See Pushing and pulling images.
- Complete the procedure for updating security notices. Ensure that you update the `image` specification in the Kubernetes CronJob `usnloader.yaml` to point to the image in the IBM Cloud Private private registry. For example: `image: mycluster.icp:8500/services/usnloader:latest`.
Procedure
To update the security notices for your IBM Cloud Private cluster, complete the following steps:
- Set up the `kubectl` CLI. See Accessing your IBM Cloud Private cluster by using the kubectl CLI.
- Create a Kubernetes CronJob `usnloader.yaml` by using the following specifications.

  ```yaml
  ---
  apiVersion: batch/v1beta1
  kind: CronJob
  metadata:
    labels:
      app: usnloader
      component: vulnerability-advisor
    name: usnloader
    namespace: kube-system
  spec:
    concurrencyPolicy: Replace
    failedJobsHistoryLimit: 1
    successfulJobsHistoryLimit: 3
    schedule: '0 6 * * *'
    suspend: false
    jobTemplate:
      spec:
        template:
          spec:
            containers:
            - command: ["python2.7", "/opt/usnloader/usnloader.py", "--elasticsearch-urls", "https://elasticsearch:9200", "--ca-file", "/tls/ca.crt", "--client-cert", "/tls/curator.crt", "--client-key", "/tls/curator.key"]
              image: cloudviz/usnloader:latest
              imagePullPolicy: Always
              name: usnloader
              volumeMounts:
              - mountPath: /var/log/cloudsight/
                name: log
              - mountPath: /tls
                name: certs
                readOnly: true
            nodeSelector:
              va: "true"
            restartPolicy: OnFailure
            tolerations:
            - effect: NoSchedule
              key: "dedicated"
              operator: "Exists"
            - key: "CriticalAddonsOnly"
              operator: "Exists"
            volumes:
            - name: certs
              secret:
                defaultMode: 420
                secretName: logging-elk-certs
            - emptyDir: {}
              name: log
  ```

  To load security notices for a specific date, you can instead create a Kubernetes batch Job `usnloader.yaml` and specify the image tag for the desired date in the `image` field. The batch job might resemble the following code:

  ```yaml
  ---
  apiVersion: batch/v1
  kind: Job
  metadata:
    name: usnloader
    namespace: kube-system
    labels:
      app: usnloader
      component: vulnerability-advisor
  spec:
    template:
      metadata:
        annotations:
          scheduler.alpha.kubernetes.io/critical-pod: ""
        name: vulnerability-advisor-usncrawler
      spec:
        containers:
        - command:
          - python2.7
          - /opt/usnloader/usnloader.py
          - --elasticsearch-urls
          - https://elasticsearch:9200
          - --ca-file
          - /tls/ca.crt
          - --client-cert
          - /tls/curator.crt
          - --client-key
          - /tls/curator.key
          image: "cloudviz/usnloader:latest"
          imagePullPolicy: Always
          name: usnloader
          volumeMounts:
          - mountPath: /var/log/cloudsight/
            name: log
          - mountPath: /tls
            name: certs
            readOnly: true
        dnsPolicy: ClusterFirst
        nodeSelector:
          va: "true"
        priorityClassName: system-cluster-critical
        restartPolicy: OnFailure
        terminationGracePeriodSeconds: 30
        tolerations:
        - effect: NoSchedule
          key: dedicated
          operator: Exists
        volumes:
        - name: certs
          secret:
            defaultMode: 420
            secretName: logging-elk-certs
        - emptyDir: {}
          name: log
  ```
- Launch the usnloader job:

  `kubectl apply -f usnloader.yaml`

- Check the job:

  `kubectl -n kube-system get cronjob | grep usnloader`

  The output resembles the following code:

  ```
  NAME        SCHEDULE    SUSPEND   ACTIVE    LAST SCHEDULE   AGE
  usnloader   0 6 * * *   False     1         29s             4m
  ```

  The CronJob pulls the latest image from Docker Hub, and loads the latest security notices into the Elasticsearch component of your Vulnerability Advisor.

  `kubectl -n kube-system get job | grep usnloader`

  The output resembles the following code:

  ```
  usnloader-1526436600   1         0            33s
  ```

  `kubectl -n kube-system get pods --show-all | grep usnloader`

  The output resembles the following code:

  ```
  usnloader-1526436600-846nf   0/1       Completed   0          59s
  ```

  `kubectl -n kube-system logs -f usnloader-1526436600-846nf`

  The output resembles the following code:

  ```
  2018-05-16 02:10:20,581 INFO 63 usnloader: Arguments received from the command line
  2018-05-16 02:10:20,582 INFO 66 usnloader: {'elastic_search': 'vulnerability-advisor-elasticsearch:9200', 'elastic_search_password': '**********'}
  2018-05-16 02:10:42,731 INFO 79 usnloader: No new usns
  2018-05-16 02:10:42,744 INFO 58 log_update_status: [ { "latest_advisory": "deb-2018-msg00126.html", "index_load_time": "2018-05-16T02:10:07.866827", "distro": "debian" }, { "latest_advisory": "alpine_git_commit:", "index_load_time": "2018-05-15T03:02:11.375949", "distro": "alpine" }, { "latest_advisory": "RHSA-2018:0998", "index_load_time": "2018-05-16T02:10:07.744258", "distro": "redhat" }, { "latest_advisory": "centos-2018-May.txt.gz", "index_load_time": "2018-05-16T02:10:07.832857", "distro": "centos" }, { "latest_advisory": "FEDORA-2018-05", "index_load_time": "2018-05-16T02:10:07.656827", "distro": "fedora" }, { "latest_advisory": "ubuntu-2018-May.txt.gz", "index_load_time": "2018-05-16T02:10:07.551024", "distro": "ubuntu" } ]
  ```
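A scan is only as current as the notice data behind it, so it is worth checking the `log_update_status` line that usnloader prints for distributions whose index has not been refreshed recently. The following script is an added example, not part of the IBM Cloud Private documentation or the usnloader tool: it parses that JSON out of the log text and reports distros older than an assumed freshness budget. The log lines are constructed from the sample output above, with the redhat timestamp moved back so that one stale entry appears.

```python
"""Flag stale security-notice indexes in usnloader log output (added example)."""
import json
import re
from datetime import datetime, timedelta

MAX_AGE_DAYS = 2  # assumed freshness budget, not a product setting; usnloader publishes daily

# Constructed sample modelled on the `kubectl logs` output above; the redhat
# index_load_time is deliberately old so that the staleness check fires.
SAMPLE_LOG = """\
2018-05-16 02:10:20,581 INFO 63 usnloader: Arguments received from the command line
2018-05-16 02:10:42,731 INFO 79 usnloader: No new usns
2018-05-16 02:10:42,744 INFO 58 log_update_status: [ { "latest_advisory": "deb-2018-msg00126.html", "index_load_time": "2018-05-16T02:10:07.866827", "distro": "debian" }, { "latest_advisory": "alpine_git_commit:", "index_load_time": "2018-05-15T03:02:11.375949", "distro": "alpine" }, { "latest_advisory": "RHSA-2018:0998", "index_load_time": "2018-05-10T02:10:07.744258", "distro": "redhat" } ]
"""

# The status report is a JSON array that follows the "log_update_status:" marker.
STATUS_RE = re.compile(r"log_update_status:\s*(\[.*\])\s*$")


def parse_update_status(log_text):
    """Return the per-distro status entries from the last log_update_status line."""
    statuses = []
    for line in log_text.splitlines():
        match = STATUS_RE.search(line)
        if match:
            statuses = json.loads(match.group(1))  # later reports supersede earlier ones
    return statuses


def stale_distros(statuses, now, max_age_days=MAX_AGE_DAYS):
    """Return the sorted distro names whose index_load_time is older than max_age_days."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for entry in statuses:
        loaded = datetime.strptime(entry["index_load_time"], "%Y-%m-%dT%H:%M:%S.%f")
        if loaded < cutoff:
            stale.append(entry["distro"])
    return sorted(stale)


if __name__ == "__main__":
    # Fixed clock so the constructed sample gives a reproducible result.
    now = datetime(2018, 5, 16, 3, 0, 0)
    stale = stale_distros(parse_update_status(SAMPLE_LOG), now)
    print("stale notice indexes:", ", ".join(stale) if stale else "none")
```

To run it against a live cluster, feed the text from `kubectl -n kube-system logs <usnloader pod>` to `parse_update_status` instead of `SAMPLE_LOG` and use `datetime.utcnow()` as the clock.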
You are now ready to use the Vulnerability Advisor with updated security notices. You can also scan external image registries with the Vulnerability Advisor. See Scanning external registries with Vulnerability Advisor (VA) for more details.