Vulnerabilities inside Docker containers: how to find and fix Docker container vulnerabilities in 2020
Published: 2019-05-11


Vulnerabilities inside Docker containers

Containerization allows engineering teams to create a sandbox environment in which to run and test applications. Containers are mostly made up of open-source images pulled in from docker hub or other public image repositories.

But these open-source images may sometimes contain vulnerabilities which can jeopardise the safety of containers and in turn its host computer/server.

Since these containers run on a host machine, it is possible to hijack containers in production if they’re left unprotected.

A good example of such a hack is the one carried out on an unprotected Kubernetes cluster belonging to Tesla. In this attack, the attackers were able to download and run a malicious script for mining cryptocurrency using the GPUs provided by Tesla’s K8s (Kubernetes) cluster. They kept the attack under the radar by keeping CPU usage to a minimum and running the script only at specific time intervals.

In the course of this article, we will take a look at common container vulnerabilities and possible ways to fix them.

Common container vulnerabilities and how to fix them

Containers are used by ops engineers to package and deploy a software/application in a closed and controlled environment.

In a bid to avoid re-inventing the wheel and speed up time to market, already existing open-source images are pulled in to satisfy the dependencies needed to run the software. These images often contain certain vulnerabilities which make the entire container and its host vulnerable to malicious attacks.

Listed below are some common container vulnerabilities and exposures as well as how to mitigate them.

Cryptojacking

Cryptojacking is a type of attack where a malicious script is used to steal a device’s computational resources for mining cryptocurrencies.

Recently, a vulnerability was discovered on Docker with dictionary entry . This vulnerability makes it possible for attackers to gain root access to a host’s machine.

Aside from being able to use the host’s machine’s CPU and GPU resources to mine crypto, attackers can also steal sensitive credentials, carry out DoS attacks, launch phishing campaigns, and more.

Containers can be susceptible to cryptojacking if they contain malicious images which give attackers root access to the entire container. They're also vulnerable if the docker container API endpoints are publicly accessible on the internet without passwords or security firewalls, like in the case of Tesla.

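
The exposure described above, an Engine API reachable over the network without any authentication, is something a defender can check for in the daemon's own configuration before an attacker finds it. The script below is an added example, not code from the original article or from Docker: it audits a daemon.json-style configuration for `hosts` entries that use plain TCP without `tlsverify`, and separately flags binding on all interfaces. Both configurations in the block are constructed samples, and the private address in the hardened one is a placeholder.

```python
"""Audit a Docker daemon configuration for an unauthenticated remote API.

Added example, not code from the original article or from Docker. It reads
the "hosts" and TLS keys of a daemon.json-style configuration and reports
when the Engine API is reachable over TCP without TLS client verification.
Both configurations below are constructed samples.
"""
import json
from urllib.parse import urlsplit

# Constructed sample: the API is bound on every interface over plain TCP,
# which is the exposure behind the cryptojacking cases discussed above.
INSECURE_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Constructed sample: remote access stays, but only with mutually
# authenticated TLS, on a private address (placeholder) and the TLS port.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

# Bind addresses that expose the port on every interface of the host.
ALL_INTERFACES = ("", "0.0.0.0", "::")


def audit_daemon_config(config_text: str) -> list:
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    config = json.loads(config_text)
    findings = []
    tcp_hosts = [h for h in config.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        # Only the local unix socket (or the daemon default) is used, so the
        # API is not exposed on the network at all.
        return findings
    tls_verify = config.get("tlsverify") is True
    for host in tcp_hosts:
        bind_addr = urlsplit(host).hostname or ""
        if not tls_verify:
            findings.append(
                f"{host}: Engine API reachable over TCP without TLS client "
                "verification; anyone who can reach the port controls the host"
            )
        if bind_addr in ALL_INTERFACES:
            findings.append(
                f"{host}: API bound on all interfaces; bind to a private "
                "address or restrict the port with a firewall"
            )
    if tls_verify and not all(config.get(k) for k in ("tlscacert", "tlscert", "tlskey")):
        findings.append("tlsverify is set but tlscacert, tlscert or tlskey is missing")
    return findings


if __name__ == "__main__":
    for name, text in (("insecure", INSECURE_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(f"{name}: {audit_daemon_config(text) or 'no findings'}")
```

On a real host, feed the function the contents of `/etc/docker/daemon.json`; note that `hosts` may also be passed to `dockerd` on its command line (for example in a systemd unit), so an audit that only reads the JSON file can miss an exposure configured there.
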
Malicious open-source images

A vulnerability which makes it possible to overwrite the host’s runc binary gives attackers the leeway to execute commands with root access. Docker engines which predate v18.09.2 make containers with attacker-controlled images susceptible to the vulnerability.

Engineers are advised to use the official Docker images provided by Docker wherever possible. After all, there is a Docker-sponsored team that works closely with software maintainers/publishers and security experts to ensure the security of the official images.

Static Dockerfiles

One of the principles of containers is that an image is immutable. This means when an image is built, its content is unchangeable. That in itself gives rise to vulnerabilities which result from outdated packages/libraries/images contained in an image.

Therefore, it's a good idea to incorporate vulnerability scanners in CI/CD processes in order to identify vulnerable container images. Since images are immutable, rolling out a newly built container with updated dependencies will help curb the security vulnerabilities as is discouraged.

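
Because an image is immutable, the only way to pick up a fixed base image is to rebuild, and a rebuild only helps if the Dockerfile states exactly which base it builds on; otherwise a scanner's verdict on one build says little about the next. The lint below is an added example, not code from the original article: it flags `FROM` lines that are untagged, use `latest`, or carry a tag without a digest, and skips references to earlier build stages and `scratch`. The Dockerfile text and the all-zero digest in it are constructed.

```python
"""Lint a Dockerfile for base images that are not pinned.

Added example, not code from the original article. An unpinned base means
two builds of the same Dockerfile can contain different packages, so a
vulnerability scan of one build does not describe the other. The sample
Dockerfile below is constructed; the digest in it is an obvious placeholder.
"""
import re

SAMPLE_DOCKERFILE = """\
# constructed sample
FROM golang:1.13-alpine AS build
WORKDIR /src
COPY . .
RUN go build -o /app ./...

FROM --platform=linux/amd64 alpine:latest AS runtime
COPY --from=build /app /app

FROM node
FROM python:3.8-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
FROM build AS test
"""

# FROM [--flag=value ...] <image> [AS <stage>]
FROM_LINE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?\s*$", re.IGNORECASE)


def lint_base_images(dockerfile_text: str) -> list:
    """Return (line_number, image_ref, problem) for every FROM that is not pinned."""
    findings = []
    stages = set()  # names introduced by earlier "FROM ... AS <name>" lines
    for lineno, line in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM_LINE.match(line)
        if not m:
            continue
        ref, stage = m.group(1), m.group(2)
        if stage:
            stages.add(stage.lower())
        if ref.lower() in stages or ref.lower() == "scratch":
            # A build-stage reference or the empty image: nothing to pin.
            continue
        if "@sha256:" in ref:
            # Pinned by digest: the same bytes on every build.
            continue
        # The tag, if any, follows the last path component, so a ':' inside a
        # registry host:port prefix is not mistaken for one.
        last = ref.rpartition("/")[2]
        _name, sep, tag = last.partition(":")
        if not sep:
            findings.append((lineno, ref, "no tag: resolves to 'latest' at build time"))
        elif tag == "latest":
            findings.append((lineno, ref, "'latest' tag: contents change between builds"))
        else:
            findings.append((lineno, ref, "tag without digest: pin with @sha256:... so rebuilds are reproducible"))
    return findings


if __name__ == "__main__":
    for lineno, ref, problem in lint_base_images(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: FROM {ref}: {problem}")
```

Pinning by digest fixes the contents of the base, so updating it becomes a deliberate, reviewable change of the digest followed by a rebuild, which is exactly the roll-out of a newly built container the paragraph above recommends.
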
How to find container vulnerabilities

In the previous section, we took a look at the possible ways vulnerabilities can creep into docker containers.

Finding vulnerabilities in our containers before it gets to production will help avoid possible security breaches and keep malicious .

As they say - an ounce of prevention is worth a pound of cure.

In this section, we will take a look at the possible ways you can stay ahead of container vulnerabilities.

Using Docker Bench for Security

Docker Bench for Security is a script that tests all Docker containers on the host computer/server against best practices for deploying containers in production. These tests are based on the .

For a test run, you can pull the docker/docker-bench-security image and test existing containers on your local machine like so:

docker run -it --net host --pid host --userns host --cap-add audit_control \
    -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
    -v /etc:/etc:ro \
    -v /usr/bin/docker-containerd:/usr/bin/docker-containerd:ro \
    -v /usr/bin/docker-runc:/usr/bin/docker-runc:ro \
    -v /usr/lib/systemd:/usr/lib/systemd:ro \
    -v /var/lib:/var/lib:ro \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    --label docker_bench_security \
    docker/docker-bench-security

Note: this command doesn’t work well in OSX. See this for details.

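
Run interactively, Docker Bench prints a long list of results; in a pipeline the useful form is a pass/fail decision. The script below is an added example, not part of the original article or of the docker-bench-security project. It assumes the result line format the script prints, `[PASS]`/`[WARN]`/`[INFO]`/`[NOTE]` followed by a check id, a dash and a description, strips ANSI colour codes in case the output came from an interactive run, and works on a constructed log rather than a real run. Treating section 2 (daemon configuration) as mandatory is a policy choice made for the example.

```python
"""Turn Docker Bench for Security output into a CI gate.

Added example, not part of the original article or of the
docker-bench-security project. It assumes result lines of the form
"[LEVEL] <id> - <description>" with LEVEL one of PASS, WARN, INFO or NOTE,
and uses a constructed log rather than a real run.
"""
import re
import sys
from collections import Counter

# Constructed sample in the Docker Bench line format (not a real run).
SAMPLE_BENCH_OUTPUT = """\
[INFO] 1 - Host Configuration
[WARN] 1.1.1 - Ensure a separate partition for containers has been created
[PASS] 1.1.2 - Ensure only trusted users are allowed to control Docker daemon
[INFO] 2 - Docker daemon configuration
[WARN] 2.1 - Run the Docker daemon as a non-root user, if possible
[PASS] 2.2 - Ensure network traffic is restricted between containers on the default bridge
[WARN] 2.6 - Ensure TLS authentication for Docker daemon is configured
[INFO] 4 - Container Images and Build File
[NOTE] 4.1 - Ensure that a user for the container has been created
[PASS] 4.5 - Ensure Content trust for Docker is Enabled
[INFO] Checks: 10
[INFO] Score: 2
"""

ANSI_ESCAPE = re.compile(r"\x1b\[[0-9;]*m")
RESULT_LINE = re.compile(r"^\[(PASS|WARN|INFO|NOTE)\]\s+(\d+(?:\.\d+)*)\s+-\s+(.+?)\s*$")


def parse_bench_output(text: str) -> list:
    """Return (level, check_id, description) for every result line.

    Section headers such as "[INFO] 2 - Docker daemon configuration" match
    too; they are told apart from checks by an id without a dot.
    """
    results = []
    for line in text.splitlines():
        m = RESULT_LINE.match(ANSI_ESCAPE.sub("", line))
        if m:
            results.append((m.group(1), m.group(2), m.group(3)))
    return results


def summarize(results) -> Counter:
    """Count individual checks per level, ignoring section headers."""
    return Counter(level for level, check_id, _ in results if "." in check_id)


def failing_checks(results, must_pass=("2.",), waived=()):
    """Return the WARN results that should fail the pipeline.

    must_pass: id prefixes whose checks are mandatory. The default, section 2
    (daemon configuration), is a policy choice for this example: it is where
    an API exposed without TLS shows up.
    waived: exact check ids with a documented, accepted exception.
    """
    return [
        (level, check_id, desc)
        for level, check_id, desc in results
        if level == "WARN" and check_id.startswith(must_pass) and check_id not in waived
    ]


def bench_gate(text: str, **policy) -> int:
    """Exit status for CI: 0 when no mandatory check is in WARN, 1 otherwise."""
    results = parse_bench_output(text)
    failures = failing_checks(results, **policy)
    for _level, check_id, desc in failures:
        print(f"FAIL {check_id}: {desc}")
    print("summary:", dict(summarize(results)))
    return 1 if failures else 0


if __name__ == "__main__":
    # Read a saved Docker Bench log from stdin, or fall back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BENCH_OUTPUT
    raise SystemExit(bench_gate(text))
```

Pipe the saved output of the `docker run ... docker/docker-bench-security` command above into the script, and have the pipeline step fail on a non-zero exit; widen `must_pass` as more of the benchmark becomes enforceable, and keep every entry in `waived` tied to a written exception.
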
Scanning for vulnerabilities in GCR

Docker image repositories (for example, Google Container Registry) make it possible for engineers to run vulnerability scans for images in the container registry.

To enable vulnerability scanning in GCR (Google container registry), head over to the on the Google cloud console and click on "enable vulnerability scanning" like so:

When a vulnerability scan is complete, you’ll see a result like in the image below if vulnerabilities exist:

Using enterprise-grade solutions

is an enterprise-grade containerisation security suite which manages vulnerabilities and enforces deployment policies throughout a container's lifecycle.

In addition, this product suite also integrates seamlessly with popular CI/CD tools and container registries. This allows it to provide risk-free deployments as well as end-to-end container management from deployment to production.

Conclusion

Containers make it possible for engineering teams to roll out software seamlessly. However, this ease comes at the cost of security.

There are a couple of CVEs (Common Vulnerabilities and Exposures) in Docker containers recorded in recent years. Some of them have been resolved in recent docker-engine updates, with the remainder promised in future .

Engineering teams should have security in mind when building and deploying containers. They should also enforce container security policies in their DevOps lifecycles.

Further reading

Translated from:

Reposted from: http://gchwd.baihongyu.com/
