Trivy is a container image vulnerability scanner developed by Aqua Security.
Its scan targets are the following.
Scan targets
- Container image
- Filesystem
- Git repository (remote)
- Kubernetes cluster or resource
Scanners
- OS packages in use and packages with software dependencies (SBOM)
- Known vulnerabilities (CVE)
- IaC misconfigurations
When these scanners are run against the targets above, each finding is reported with a severity level such as Low, Medium, High or Critical.
Installing and using Trivy
Trivy installation page: https://aquasecurity.github.io/trivy/v0.18.3/installation/
### Ubuntu ###
root@k8s-m:~# sudo apt-get install wget apt-transport-https gnupg lsb-release
root@k8s-m:~# wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
root@k8s-m:~# echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
root@k8s-m:~# sudo apt-get update
root@k8s-m:~# sudo apt-get install trivy
### Verify that the installation succeeded
root@k8s-m:~# trivy --help
Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets
Usage:
trivy [global flags] command [flags] target
trivy [command]
Examples:
# Scan a container image
$ trivy image python:3.4-alpine
# Scan a container image from a tar archive
$ trivy image --input ruby-3.1.tar
# Scan local filesystem
$ trivy fs .
# Run in server mode
$ trivy server
...
...
The command to scan an image is as follows.
root@k8s-m:~# trivy image [YOUR_IMAGE_NAME]
As a test, scan the centos:7 image.
root@k8s-m:~# trivy image centos:7
2024-03-27T18:43:33.945+0900 INFO Need to update DB
2024-03-27T18:43:33.945+0900 INFO DB Repository: ghcr.io/aquasecurity/trivy-db:2
2024-03-27T18:43:33.945+0900 INFO Downloading DB...
44.67 MiB / 44.67 MiB [----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 23.83 MiB p/s 2.1s
2024-03-27T18:43:37.408+0900 INFO Vulnerability scanning is enabled
2024-03-27T18:43:37.408+0900 INFO Secret scanning is enabled
2024-03-27T18:43:37.408+0900 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-03-27T18:43:37.408+0900 INFO Please see also https://aquasecurity.github.io/trivy/v0.50/docs/scanner/secret/#recommendation for faster secret detection
2024-03-27T18:43:37.837+0900 INFO Detected OS: centos
2024-03-27T18:43:37.837+0900 INFO Detecting RHEL/CentOS vulnerabilities...
2024-03-27T18:43:37.892+0900 INFO Number of language-specific files: 0
Total: 1111 (UNKNOWN: 0, LOW: 564, MEDIUM: 507, HIGH: 37, CRITICAL: 3)
| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| audit-libs | CVE-2015-5186 | MEDIUM | will_not_fix | 2.8.5-4.el7 | | log terminal emulator escape sequences handling (https://avd.aquasec.com/nvd/cve-2015-5186) |
| bash | CVE-2012-6711 | MEDIUM | will_not_fix | 4.2.46-34.el7 | | heap-based buffer overflow during echo of unsupported characters (https://avd.aquasec.com/nvd/cve-2012-6711) |
| bash | CVE-2019-18276 | LOW | will_not_fix | 4.2.46-34.el7 | | bash: when effective UID is not equal to its real UID the... (https://avd.aquasec.com/nvd/cve-2019-18276) |
| bind-license | CVE-2020-8625 | HIGH | fixed | 32:9.11.4-26.P2.el7 | 32:9.11.4-26.P2.el7_9.4 | bind: Buffer overflow in the SPNEGO implementation affecting GSSAPI security policy negotiation... (https://avd.aquasec.com/nvd/cve-2020-8625) |
| bind-license | CVE-2021-25215 | HIGH | fixed | 32:9.11.4-26.P2.el7 | 32:9.11.4-26.P2.el7_9.5 | bind: An assertion check can fail while answering queries for DNAME records... (https://avd.aquasec.com/nvd/cve-2021-25215) |
...
...
...
Total: 1111 (UNKNOWN: 0, LOW: 564, MEDIUM: 507, HIGH: 37, CRITICAL: 3)
The Total line shows how many vulnerabilities were found at each severity level:
Low: 564, Medium: 507, High: 37, Critical: 3
The table below it reports each vulnerability individually, and following the linked URL gives more detailed guidance on how to remediate it.
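The severity totals and the per-finding Status/Fixed Version columns above are what a CI gate keys on. The following is an added example, not code from the original post or from Trivy: it reads a report in the shape of `trivy image -f json` output (a constructed sample mirroring the centos:7 rows above, with only the fields the example uses), rebuilds the Total line, and lists the findings that `trivy image --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1` would fail a build on.

```python
import json
from collections import Counter

# Severity order used by Trivy's "Total:" summary line.
SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample in the shape of `trivy image -f json` output (only the
# fields this example reads); rows mirror the centos:7 table on this page.
SAMPLE_REPORT = json.loads("""{
  "ArtifactName": "centos:7",
  "Results": [{"Target": "centos:7 (centos 7.9.2009)", "Class": "os-pkgs", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2015-5186", "PkgName": "audit-libs", "Severity": "MEDIUM",
     "Status": "will_not_fix", "InstalledVersion": "2.8.5-4.el7", "FixedVersion": ""},
    {"VulnerabilityID": "CVE-2012-6711", "PkgName": "bash", "Severity": "MEDIUM",
     "Status": "will_not_fix", "InstalledVersion": "4.2.46-34.el7", "FixedVersion": ""},
    {"VulnerabilityID": "CVE-2019-18276", "PkgName": "bash", "Severity": "LOW",
     "Status": "will_not_fix", "InstalledVersion": "4.2.46-34.el7", "FixedVersion": ""},
    {"VulnerabilityID": "CVE-2020-8625", "PkgName": "bind-license", "Severity": "HIGH",
     "Status": "fixed", "InstalledVersion": "32:9.11.4-26.P2.el7", "FixedVersion": "32:9.11.4-26.P2.el7_9.4"},
    {"VulnerabilityID": "CVE-2021-25215", "PkgName": "bind-license", "Severity": "HIGH",
     "Status": "fixed", "InstalledVersion": "32:9.11.4-26.P2.el7", "FixedVersion": "32:9.11.4-26.P2.el7_9.5"}
  ]}]
}""")

def findings(report):
    """Flatten every Result's Vulnerabilities list (a Result may omit the key)."""
    for result in report.get("Results", []):
        yield from result.get("Vulnerabilities") or []

def severity_totals(report):
    """Counts per severity, in the order Trivy prints them."""
    counts = Counter(v.get("Severity", "UNKNOWN") for v in findings(report))
    return {s: counts.get(s, 0) for s in SEVERITIES}

def total_line(report):
    """Rebuild Trivy's 'Total: N (UNKNOWN: 0, LOW: ..., ...)' summary line."""
    totals = severity_totals(report)
    detail = ", ".join(f"{s}: {n}" for s, n in totals.items())
    return f"Total: {sum(totals.values())} ({detail})"

def blocking(report, fail_on=("HIGH", "CRITICAL"), ignore_unfixed=True):
    """IDs that fail a gate like --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1."""
    return [v["VulnerabilityID"] for v in findings(report)
            if v.get("Severity") in fail_on
            and (not ignore_unfixed or v.get("FixedVersion"))]

if __name__ == "__main__":
    print(total_line(SAMPLE_REPORT))
    print("blocking:", blocking(SAMPLE_REPORT))
```

With `ignore_unfixed=True` the two will_not_fix MEDIUM findings never block, which is the trade-off `--ignore-unfixed` makes on a distro image like centos:7 where the vendor will not ship a fix.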