License: Apache
Language: Go
Operating system: Cross-platform
Software type: Open source software
Category: Cloud computing / Cloud native
Open source organization:
Region: China
Submitted by: christa
Target audience: Unknown
Added on: 2022-12-29

Software overview

vesta is a tool that combines container scanning with Docker and Kubernetes configuration baseline checks. It looks for components with vulnerable versions inside images or containers, and for dangerous Docker and Kubernetes configurations. vesta is also flexible and convenient to run: it works on a wide range of systems, including but not limited to Windows, Linux and macOS, and needs only 1 vCPU and 2 GB of memory.


What Vesta can check

vesta scan check items

  • Known CVE vulnerabilities
  • Malicious third-party packages with confusable names

Docker checks

| Supported Check Item | Description | Severity |
|---|---|---|
| PrivilegeAllowed | Dangerous privileged mode | critical |
| Capabilities | Dangerous capabilities set | critical |
| Volume Mount | Sensitive or dangerous directory mounted | critical |
| Docker Unauthorized | Port 2375 open without authorization | critical |
| Kernel version | Current kernel version has a container escape vulnerability | critical |
| Network Module | Network mode is host and containerd is a specific affected version | critical |
| Docker Server version | Docker Server version has vulnerabilities | critical/high/medium/low |
| Docker env password check | Weak password in Docker env | high/medium |
| Image tag check | Image is untagged or uses the default latest tag | low |
| Docker history | Docker layers contain unsafe commands | high/medium |
| IaC scan (planned) | IaC scanning | - |

Kubernetes checks

| Supported Check Item | Description | Severity |
|---|---|---|
| PrivilegeAllowed | Dangerous privileged mode | critical |
| Capabilities | Dangerous capabilities set | critical |
| PV and PVC | PV mounted on a sensitive directory and in active state | critical/medium |
| RBAC | Dangerous K8s permission configuration | high/medium/low/warning |
| Kubernetes-dashboard | Checks -enable-skip-login and the permissions of the dashboard account | critical/high/low |
| Kernel version | Current kernel version has a container escape vulnerability | critical |
| Docker Server version (k8s version is less than v1.24) | Docker Server version has vulnerabilities | critical/high/medium/low |
| Kubernetes certificate expiration | Certificate expires in less than 30 days | medium |
| ConfigMap and Secret check | Weak password in a ConfigMap or Secret | high/medium |
| Auto Mount ServiceAccount Token | Pod mounts /var/run/secrets/kubernetes.io/serviceaccount/token by default | critical/high/medium/low |
| NoResourceLimits | No resource limits set, e.g. CPU, memory, storage | low |
| Job and Cronjob | Job or CronJob has no seccomp or SELinux security policy | low |
| Envoy admin | Envoy admin is configured and listens on 0.0.0.0 | high/medium |
| Cilium version | Cilium version has vulnerabilities | critical/high/medium/low |
| Istio configurations | Istio version has vulnerabilities, plus security configuration checks | critical/high/medium/low |
| Kubelet 10255 and Kubectl proxy | Port 10255 open or kubectl proxy enabled | high/medium/low |
| Etcd configuration | Etcd security configuration check | high/medium |
| Sidecar configurations | Sidecar security configuration and Env environment check | critical/high/medium/low |
| Pod annotation | Pod annotation has an unsafe configuration | high/medium/low/warning |
| IaC scan (planned) | IaC scanning | - |
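As an added illustration of the Pod rules in the table above (example code written for this page, not vesta's own source), the Go snippet below applies the privileged, AllowPrivilegeEscalation, sensitive hostPath mount and resource-limit checks to a simplified container struct; the struct, the sensitive-directory list and the sample input are assumptions standing in for the real Kubernetes API objects.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding mirrors one row of vesta's "Pods" table: parameter, value, severity.
type Finding struct{ Param, Value, Severity string }
// Container is a simplified stand-in for the Kubernetes container spec
// (assumption: a real check would read corev1.Pod from the API server).
type Container struct {
	Privileged, AllowPrivilegeEscalation, HasResourceLimits bool
	HostPaths                                               []string // hostPath volume sources
}
// Host paths whose mount is rated critical (constructed list, not vesta's own).
var sensitiveDirs = []string{"/", "/etc", "/proc", "/root", "/var/run/docker.sock"}
func isSensitive(p string) bool {
	for _, d := range sensitiveDirs {
		if p == d || strings.HasPrefix(p, d+"/") { // d+"/" never matches for d == "/"
			return true
		}
	}
	return false
}
// CheckPod applies the privileged, escalation, sensitive-mount and limit rules above.
func CheckPod(containers []Container) []Finding {
	var out []Finding
	for _, c := range containers {
		if c.Privileged {
			out = append(out, Finding{"Privileged", "true", "critical"})
		}
		if c.AllowPrivilegeEscalation {
			out = append(out, Finding{"AllowPrivilegeEscalation", "true", "critical"})
		}
		for _, hp := range c.HostPaths {
			if isSensitive(hp) {
				out = append(out, Finding{"hostPath", hp, "critical"})
			}
		}
		if !c.HasResourceLimits {
			out = append(out, Finding{"Resource", "memory, cpu, ephemeral-storage", "low"})
		}
	}
	return out
}

func main() { // constructed input modelled on the "vulntest" pod in the usage section
	fmt.Printf("%+v\n", CheckPod([]Container{{Privileged: true, AllowPrivilegeEscalation: true, HostPaths: []string{"/etc"}}}))
}
```

The constructed input yields the same four findings (privileged, privilege escalation, /etc mount, no resource limits) that the sample `vesta analyze k8s` run reports for the vulntest pod.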

Build and use vesta

  1. Build vesta
  • Build it with go build
  • Or download a prebuilt executable from Releases
  2. Use vesta to check images or containers for vulnerable component versions (an image ID, an image tag, or a file passed with -f all work)
$./vesta scan image -f example.tar

2022/11/29 22:50:00 Searching for image
2022/11/29 22:50:19 Begin upgrading vulnerability database
2022/11/29 22:50:19 Vulnerability Database is already initialized
2022/11/29 22:50:19 Begin to analyze the layer
2022/11/29 22:50:35 Begin to scan the layer

Detected 216 vulnerabilities

+-----+--------------------+-----------------+------------------+-------+----------+------------------------------------------------------------------+
| 208 | python3.6 - Django | 2.2.3           | CVE-2019-14232   |   7.5 | high     | An issue was discovered                                          |
|     |                    |                 |                  |       |          | in Django 1.11.x before                                          |
|     |                    |                 |                  |       |          | 1.11.23, 2.1.x before 2.1.11,                                    |
|     |                    |                 |                  |       |          | and 2.2.x before 2.2.4. If                                       |
|     |                    |                 |                  |       |          | django.utils.text.Truncator's                                    |
|     |                    |                 |                  |       |          | chars() and words() methods                                      |
|     |                    |                 |                  |       |          | were passed the html=True                                        |
|     |                    |                 |                  |       |          | argument, t ...                                                  |
+-----+                    +-----------------+------------------+-------+----------+------------------------------------------------------------------+
| 209 |                    | 2.2.3           | CVE-2019-14233   |   7.5 | high     | An issue was discovered                                          |
|     |                    |                 |                  |       |          | in Django 1.11.x before                                          |
|     |                    |                 |                  |       |          | 1.11.23, 2.1.x before 2.1.11,                                    |
|     |                    |                 |                  |       |          | and 2.2.x before 2.2.4.                                          |
|     |                    |                 |                  |       |          | Due to the behaviour of                                          |
|     |                    |                 |                  |       |          | the underlying HTMLParser,                                       |
|     |                    |                 |                  |       |          | django.utils.html.strip_tags                                     |
|     |                    |                 |                  |       |          | would be extremely ...                                           |
+-----+                    +-----------------+------------------+-------+----------+------------------------------------------------------------------+
| 210 |                    | 2.2.3           | CVE-2019-14234   |   9.8 | critical | An issue was discovered in                                       |
|     |                    |                 |                  |       |          | Django 1.11.x before 1.11.23,                                    |
|     |                    |                 |                  |       |          | 2.1.x before 2.1.11, and 2.2.x                                   |
|     |                    |                 |                  |       |          | before 2.2.4. Due to an error                                    |
|     |                    |                 |                  |       |          | in shallow key transformation,                                   |
|     |                    |                 |                  |       |          | key and index lookups for                                        |
|     |                    |                 |                  |       |          | django.contrib.postgres.f ...                                    |
+-----+--------------------+-----------------+------------------+-------+----------+------------------------------------------------------------------+

  3. Use vesta to check the Docker baseline configuration
$./vesta analyze docker

2022/11/29 23:06:32 Start analysing
2022/11/29 23:06:32 Geting engine version
2022/11/29 23:06:32 Geting docker server version
2022/11/29 23:06:32 Geting kernel version

Detected 3 vulnerabilities

+----+----------------------+----------------+---------------------------+----------+--------------------------------+
| ID |   CONTAINER DETAIL   |     PARAM      |           VALUE           | SEVERITY |          DESCRIPTION           |
+----+----------------------+----------------+---------------------------+----------+--------------------------------+
|  1 | Name: Kernel         | kernel version | 5.10.104-linuxkit         | critical | Kernel version is suffering    |
|    |  ID: None            |                |                           |          | the CVE-2022-0185 with         |
|    |                      |                |                           |          | CAP_SYS_ADMIN vulnerablility,  |
|    |                      |                |                           |          | has a potential container      |
|    |                      |                |                           |          | escape.                        |
+----+----------------------+----------------+---------------------------+----------+--------------------------------+
|    | Name: Image Tag      | Image Name     | nginx:latest              | low      | Using the latest tag will      |
|    |  ID: None            |                |                           |          | be suffered potential image    |
|    |                      |                |                           |          | hijack.                        |
+----+----------------------+----------------+---------------------------+----------+--------------------------------+
|  3 | Name: vesta_vuln_test| Privileged     | true                      | critical | There has a potential          |
|    |  ID: 207cf8842b15    |                |                           |          | container escape in privileged |
|    |                      |                |                           |          | module.                        |
+----+----------------------+----------------+---------------------------+----------+--------------------------------+
  4. Use vesta to check the Kubernetes baseline configuration
$./vesta analyze k8s

2022/11/29 23:15:59 Start analysing
2022/11/29 23:15:59 Geting docker server version
2022/11/29 23:15:59 Geting kernel version

Detected 4 vulnerabilities

Pods:
+----+--------------------+------------------------------+-------------------+-----------------------+----------+--------------------------------+
| ID |     POD DETAIL     |            PARAM             |       VALUE       |         TYPE          | SEVERITY |          DESCRIPTION           |
+----+--------------------+------------------------------+-------------------+-----------------------+----------+--------------------------------+
|  1 | Name: vulntest     | test-volume                  | /etc              | Directory             | critical | Mounting '/etc' is suffer      |
|    | Namespace: default |                              |                   |                       |          | vulnerable of container        |
|    |                    |                              |                   |                       |          | escape.                        |
+    +                    +------------------------------+-------------------+-----------------------+----------+--------------------------------+
|    |                    | Privileged                   | true              | Pod                   | critical | There has a potential          |
|    |                    |                              |                   |                       |          | container escape in privileged |
|    |                    |                              |                   |                       |          | module.                        |
+    +                    +------------------------------+-------------------+-----------------------+----------+--------------------------------+
|    |                    | AllowPrivilegeEscalation     | true              | Pod                   | critical | There has a potential          |
|    |                    |                              |                   |                       |          | container escape in privileged |
|    |                    |                              |                   |                       |          | module.                        |
+    +                    +------------------------------+-------------------+-----------------------+----------+--------------------------------+
|    |                    | Resource                     | memory, cpu,      | Pod                   | low      | None of resources is be        |
|    |                    |                              | ephemeral-storage |                       |          | limited.                       |
+----+--------------------+------------------------------+-------------------+-----------------------+----------+--------------------------------+

Configures:
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
| ID |            TYPEL            |             PARAM              |                         VALUE                          | SEVERITY |          DESCRIPTION           |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
|  1 | K8s version less than v1.24 | kernel version                 | 5.10.104-linuxkit                                      | critical | Kernel version is suffering    |
|    |                             |                                |                                                        |          | the CVE-2022-0185 with         |
|    |                             |                                |                                                        |          | CAP_SYS_ADMIN vulnerablility,  |
|    |                             |                                |                                                        |          | has a potential container      |
|    |                             |                                |                                                        |          | escape.                        |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
|  2 | ConfigMap                   | ConfigMap Name: vulnconfig     | db.string:mysql+pymysql://dbapp:Password123@db:3306/db | high     | ConfigMap has found weak       |
|    |                             | Namespace: default             |                                                        |          | password: 'Password123'.       |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
|  3 | Secret                      | Secret Name: vulnsecret-auth   | password:Password123                                   | high     | Secret has found weak          |
|    |                             | Namespace: default             |                                                        |          | password: 'Password123'.       |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
|  4 | ClusterRoleBinding          | binding name:                  | verbs:                                                 | high     | Key permission are given to    |
|    |                             | vuln-clusterrolebinding |      | get,watch,list,create,update |                         |          | the default service account    |
|    |                             | rolename: vuln-clusterrole |   | resources: pods,services                               |          | which will cause a potential   |
|    |                             | namespace: default             |                                                        |          | container escape.              |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+---
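The weak-password findings reported above for the vulnconfig ConfigMap and the vulnsecret-auth Secret can be reproduced with a small Go scanner (an added example for this page, not vesta's code) that pulls password candidates out of password-like keys and URL-embedded credentials and tests them against a wordlist; the wordlist, the credential regex and the length threshold are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// weakPasswords is a constructed sample wordlist, not vesta's own list.
var weakPasswords = map[string]bool{"password": true, "password123": true, "admin": true, "123456": true, "root": true}

// urlCred matches a user:password@host credential inside a connection string.
var urlCred = regexp.MustCompile(`://([^:/@\s]+):([^@\s]+)@`)

// extractPasswords returns password candidates from one ConfigMap/Secret entry:
// the value itself when the key looks like a password, plus any URL-embedded one.
func extractPasswords(key, value string) []string {
	var cands []string
	if k := strings.ToLower(key); strings.Contains(k, "pass") || strings.Contains(k, "pwd") {
		cands = append(cands, value)
	}
	for _, m := range urlCred.FindAllStringSubmatch(value, -1) {
		if p, err := url.PathUnescape(m[2]); err == nil {
			cands = append(cands, p)
		}
	}
	return cands
}

// IsWeak flags a password found in the wordlist (case-insensitive) or shorter than 8 characters.
func IsWeak(p string) bool {
	return weakPasswords[strings.ToLower(p)] || len(p) < 8
}

// CheckData scans one ConfigMap's or Secret's data map and returns key -> weak password found.
func CheckData(data map[string]string) map[string]string {
	found := map[string]string{}
	for k, v := range data {
		for _, p := range extractPasswords(k, v) {
			if IsWeak(p) {
				found[k] = p
			}
		}
	}
	return found
}

func main() {
	// Constructed ConfigMap data mirroring the vulnconfig finding in the sample output.
	data := map[string]string{"db.string": "mysql+pymysql://dbapp:Password123@db:3306/db"}
	fmt.Println(CheckData(data)) // map[db.string:Password123]
}
```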
Posted news, 02/27 14:18

Vesta v1.0.5 cloud-native security scanning tool released: adds security checks for a large number of Python modules

Vesta is an efficient and convenient container scanning and Docker/Kubernetes baseline security check tool, dedicated to detecting the potential harm caused by Docker or Kubernetes misconfigurations and by security issues in image software. Changes in Vesta v1.0.5: New features: added detection of packages installed through the Python poetry package manager and of packages in Python venv virtual environments; added several Docker security configuration check rules. Improvements: raised the minimum year of the downloaded vulnerability database from 2002 to 2010, reducing the time spent on the initial download during check initialization; the Docker history command check adds handling of $...

Posted news, 02/06 23:27

Vesta v1.0.4 cloud-native security scanning tool released: adds supply chain poisoning detection

Vesta is a practical and convenient image scanning and Docker/Kubernetes baseline security check tool, dedicated to detecting the various potential security issues caused by Docker or Kubernetes misconfigurations. Changes in Vesta v1.0.4: New features: added checks of the variables in a sidecar's Env and EnvFrom, locating the specific ConfigMap or Secret they come from; added Pod annotation detection; added supply chain poisoning detection. Improvements: changed the rpm detection method; changed the containerd kernel detection method; the upgrade command was renamed to update; vesta collected the most commonly used...

Posted news, 01/15 17:08

Vesta v1.0.3 cloud-native security scanning tool released: adds a large number of RBAC detection rules

Vesta is a practical and convenient image scanning and Docker/Kubernetes baseline security check tool, dedicated to detecting the various potential security issues caused by Docker or Kubernetes misconfigurations. Changes in Vesta v1.0.3: New features: image checks add version checks for Java, PHP and Rust dependencies; added istio checks, including istio version checks and checks for istio headers exposing overly sensitive information (see the referenced issue); added Docker history command-line checks, looking for commands that echo weak passwords. Improvements: improved the npm check method...

Posted news, 01/02 01:21

Vesta v1.0.2 released, a practical cloud-native baseline security check tool

Vesta is a practical and convenient image scanning and Docker/Kubernetes baseline security check tool, dedicated to detecting the various potential security issues caused by Docker or Kubernetes misconfigurations. Changes in Vesta v1.0.2: New features: added cilium version vulnerability detection; added detection of the kubelet read-only-port parameter and of misuse of kubectl proxy; added etcd security configuration detection; added RoleBinding security configuration detection; image scanning adds Go binary detection. Improvements: optimized the layer merging method, making image scanning faster. vesta currently supports...
