本篇简单介绍一款Docker安全扫描工具Anchore的安装和使用

前言

  下述过程是在CentOS 7.6的虚拟机上进行的。

[root@localhost ~]# cat /etc/redhat-release
CentOS Linux release 7.6. (Core)

Docker安装

  安装步骤如下:参考Docker 学习入门

# yum remove docker docker-common docker-selinux                                            # 如之前安装,先卸载
# yum install -y yum-utils device-mapper-persistent-data lvm2                   # 安装依赖
# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo # 配置软件包源
# yum install docker-ce -y                                        # 安装docker
# systemctl start docker                                         # 启动docker服务 
# systemctl enable docker                                        # 设置开机启动
# docker -v                                                 # 查看docker 版本
# docker info                                                # 查看docker详细信息

添加dpkg支持

# yum install epel-release -y
# yum install dpkg -y

安装Anchore

  Anchore安装使用需python支持,CentOS 7.6默认情况下已有python和pip,可能需要先更新一下pip。

# pip install --upgrade pip

  Step1:安装Anchore

# pip install anchore

  Step2:设置环境变量(临时添加)

# export PATH=~/.local/bin:$PATH

  Step3:查看anchore版本

# anchore --version        

  Step4:查看订阅列表

[root@localhost ~]# anchore feeds list
initializing feed metadata: ...
Available:
nvd:
description: Feed record for type nvd
nvdv2:
description: Feed record for type nvdv2
packages:
description: Feed record for type packages
Subscribed:
vulnerabilities:
description: Feed record for type vulnerabilities

  默认值订阅了最后一个。

  Step5:同步订阅内容

[root@localhost ~]# anchore feeds sync
syncing data for subscribed feed (vulnerabilities) ...
syncing group data: debian:unstable: ...
syncing group data: ubuntu:16.04: ...
syncing group data: centos:: ...
syncing group data: centos:: ...
syncing group data: centos:: ...
syncing group data: amzn:: ...
syncing group data: ubuntu:14.04: ...
syncing group data: centos:: ...
syncing group data: ubuntu:14.10: ...
syncing group data: debian:: ...
syncing group data: debian:: ...
syncing group data: ubuntu:15.04: ...
syncing group data: debian:: ...
syncing group data: debian:: ...
syncing group data: ubuntu:12.04: ...
syncing group data: ubuntu:18.04: ...
syncing group data: ubuntu:17.10: ...
syncing group data: ubuntu:19.10: ...
syncing group data: debian:: ...
syncing group data: ubuntu:16.10: ...
syncing group data: alpine:3.3: ...
syncing group data: alpine:3.4: ...
syncing group data: alpine:3.5: ...
syncing group data: alpine:3.6: ...
syncing group data: alpine:3.7: ...
syncing group data: alpine:3.8: ...
syncing group data: alpine:3.9: ...
syncing group data: ubuntu:13.04: ...
syncing group data: ubuntu:15.10: ...
syncing group data: alpine:3.10: ...
syncing group data: ubuntu:12.10: ...
syncing group data: ubuntu:18.10: ...
syncing group data: ubuntu:17.04: ...
syncing group data: ol:: ...
syncing group data: ol:: ...
syncing group data: ol:: ...
syncing group data: ol:: ...
syncing group data: ubuntu:19.04: ...
skipping data sync for unsubscribed feed (nvd) ...
skipping data sync for unsubscribed feed (nvdv2) ...
skipping data sync for unsubscribed feed (packages) ...

  这步可能只需要十分钟,也可能需要更久,目前没找到什么加速的方法。

添加订阅feed

  通过查询anchore feeds --help,我们知道有个sub子命令用于订阅feed。如果想添加nvd订阅:

[root@localhost ~]# anchore feeds sub nvd         # 添加nvd feed,可以通过这种方式订阅其它的
nvd: subscribed.
[root@localhost ~]# anchore feeds list # 查看订阅的feeds
Available:
nvdv2:
description: Feed record for type nvdv2
packages:
description: Feed record for type packages
Subscribed:
nvd:
description: Feed record for type nvd      # 已经订阅了nvd
vulnerabilities:
description: Feed record for type vulnerabilities [root@localhost ~]# anchore feeds sync        # 同步更新
syncing data for subscribed feed (vulnerabilities) ...
skipping group data: debian:unstable: already synced
skipping group data: alpine:3.8: already synced
skipping group data: ubuntu:16.04: already synced
skipping group data: centos:: already synced
skipping group data: centos:: already synced
skipping group data: centos:: already synced
skipping group data: amzn:: already synced
skipping group data: ol:: already synced
skipping group data: centos:: already synced
skipping group data: ubuntu:14.10: already synced
skipping group data: debian:: already synced
skipping group data: debian:: already synced
skipping group data: ubuntu:15.04: already synced
skipping group data: debian:: already synced
skipping group data: debian:: already synced
skipping group data: ubuntu:12.04: already synced
skipping group data: ubuntu:18.04: already synced
skipping group data: ubuntu:17.10: already synced
skipping group data: ubuntu:19.10: already synced
skipping group data: debian:: already synced
skipping group data: ubuntu:16.10: already synced
skipping group data: alpine:3.3: already synced
skipping group data: alpine:3.4: already synced
skipping group data: alpine:3.5: already synced
skipping group data: alpine:3.6: already synced
skipping group data: alpine:3.7: already synced
skipping group data: ubuntu:14.04: already synced
skipping group data: alpine:3.9: already synced
skipping group data: ubuntu:15.10: already synced
skipping group data: alpine:3.10: already synced
skipping group data: ubuntu:12.10: already synced
skipping group data: ubuntu:18.10: already synced
skipping group data: ubuntu:17.04: already synced
skipping group data: ol:: already synced
skipping group data: ol:: already synced
skipping group data: ubuntu:13.04: already synced
skipping group data: ol:: already synced
skipping group data: ubuntu:19.04: already synced
syncing data for subscribed feed (nvd) ...            # 同步nvd订阅
syncing group data: nvddb:: ...
syncing group data: nvddb:: ...
syncing group data: nvddb:: ...
syncing group data: nvddb:: ...
syncing group data: nvddb:: ...
syncing group data: nvddb:: ...
syncing group data: nvddb:: ...
syncing group data: nvddb:: ...
syncing group data: nvddb:: ...
syncing group data: nvddb:: ...
syncing group data: nvddb:: ...
syncing group data: nvddb:: ...
syncing group data: nvddb:: ...
syncing group data: nvddb:: ...
syncing group data: nvddb:: ...
syncing group data: nvddb:: ...
syncing group data: nvddb:: ...
syncing group data: nvddb:: ...
skipping data sync for unsubscribed feed (nvdv2) ...
skipping data sync for unsubscribed feed (packages) ...

工具测验

  先拉取一个镜像:mysql

[root@localhost ~]# docker pull mysql
[root@localhost ~]# docker images       # 查看所有镜像列表
REPOSITORY TAG IMAGE ID CREATED SIZE
mysql latest c8ee894bd2bd days ago 456MB
nginx latest 5a9061639d0a days ago 126MB
busybox latest 19485c79a9bb weeks ago .22MB

镜像分析

  分析mysql镜像。

[root@localhost ~]# anchore analyze --image mysql
Analyzing image: mysql
c8ee894bd2bd: analyzing ...
c8ee894bd2bd: analyzed.

生成报告

  使用gate命令生成分析报告,默认输出到控制台。

  gate命令没有看到输出报告格式,我这将输出重定向到mysql.html文件。

[root@localhost ~]# anchore gate --image mysql > mysql.html

查看报告

  打开mysql.html报告查看具体内容。

  关于命令的详细介绍,请使用--help进行查阅或参考第二个参考链接。感觉目前这款工具还不理想。

参考

  Docker 学习入门:https://www.cnblogs.com/chiangchou/p/docker.html

  Docker安全自动化扫描工具对比测试:https://blog.csdn.net/wutianxu123/article/details/83216219

以上!

Docker安全扫描工具之Anchore的更多相关文章

  1. Docker安全扫描工具之DockerScan

    前言 本篇简单介绍Docker扫描工具DockerScan的安装使用.下述过程是在CentOS 7.6的虚拟机上进行的. [root@localhost ~]# cat /etc/redhat-rel ...

  2. Docker安全扫描工具之docker-bench-security

    简介 Docker Bench for Security检查关于在生产环境中部署Docker容器的几十个常见最佳实践.这些测试都是自动化的,其灵感来自CIS Docker基准1.2.0版. 这种安全扫 ...

  3. Trivy 容器镜像扫描工具学习

    简介 官方地址:https://github.com/aquasecurity/trivy Trivy是aqua(专注云原生场景下的安全)公司的一款开源工具,之前历史文章也有对aqua的一些介绍. T ...

  4. 域名扫描工具Fierce

    域名扫描工具Fierce   该工具是一个域名扫描综合性工具.它可以快速获取指定域名的DNS服务器,并检查是否存在区域传输(Zone Transfer)漏洞.如果不存在该漏洞,会自动执行暴力破解,以获 ...

  5. NMAP分布式扫描工具dnmap

    NMAP分布式扫描工具dnmap   NMAP是一款知名的网络扫描工具.它提供丰富和强大的网络扫描功能.但很多时候,需要渗透测试人员从多个终端发起扫描任务,以快速扫描大型网络,或规避IP限制等安全策略 ...

  6. Nikto是一款Web安全扫描工具,可以扫描指定主机的web类型,主机名,特定目录,cookie,特定CGI漏洞,XSS漏洞,SQL注入漏洞等,非常强大滴说。。。

    Nikto是一款Web安全扫描工具,可以扫描指定主机的web类型,主机名,特定目录,cookie,特定CGI漏洞,XSS漏洞,SQL注入漏洞等,非常强大滴说... root@xi4ojin:~# cd ...

  7. 网站安全扫描工具--Netsparker的使用

    Netsparker是一款安全简单的web应用安全漏电扫描工具.该软件功能非常强大,使用方便.Netsparker与其他综合 性的web应用安全扫描工具相比的一个特点是它能够更好的检测SQL Inje ...

  8. 小白日记34:kali渗透测试之Web渗透-扫描工具-Burpsuite(二)

    扫描工具-Burpsuite 公共模块 0.Spider 爬网 手动爬网 先禁用截断功能 手动将页面中点击所有连接,对提交数据的地方,都进行提交[无论内容] 自动爬网[参数设置] 指定爬网路径,否则其 ...

  9. 小白日记32:kali渗透测试之Web渗透-扫描工具-QWASP_ZAP

    扫描工具-QWASP_ZAP 十大安全工具之一,集成性工具,功能完善,而且强大.既可做主动扫描,也可做截断代理.开源免费跨平台,简单易用,体验相对混乱,但在主动扫描方面,相对占优.[kali集成] # ...

随机推荐

  1. Vue各种配置

    小知识 Vue.prototype和Vue.use的区别 这个是全局可以通过Vue对象获取serring的值 Vue.prototype.$settings = settings; 这个是配置全局环境 ...

  2. 源码安装php7.2

    `# 安装依赖包 yum install -y gcc gcc-c++ make zlib zlib-devel pcre pcre-devel \ libjpeg libjpeg-devel lib ...

  3. c语言l博客作业02

    问题 答案 这个作业属于哪个课程 C语言程序设计l 这个作业要求在哪里 https://edu.cnblogs.com/campus/zswxy/SE2019-2/homework/8687 我在这个 ...

  4. ubuntu16.04 安装cuda9.0+cudnn7.0.5+tensorflow+nvidia-docker配置GPU服务

    [摘要] docker很好用,但是在GPU服务器上使用docker却比较复杂,需要一些技巧,下面将介绍一下在ubuntu16.04环境下的GPU-docker环境搭建过程. 第一步: 删除之前的nvi ...

  5. luogu P3913 车的攻击 |数学

    题目描述 N×N 的国际象棋棋盘上有KK 个车,第ii个车位于第R_i行,第C_i列.求至少被一个车攻击的格子数量. 车可以攻击所有同一行或者同一列的地方. 输入格式 第1 行,2 个整数N,K. 接 ...

  6. Python超简单的爬取网站中图片

    1.首先导入相关库 import requests import bs4 import threading #用于多线程爬虫,爬取速度快,可以完成多页爬取 import os 2.使用bs4获取htm ...

  7. [ch05-02] 用神经网络解决多变量线性回归问题

    系列博客,原文在笔者所维护的github上:https://aka.ms/beginnerAI, 点击star加星不要吝啬,星越多笔者越努力 5.2 神经网络解法 与单特征值的线性回归问题类似,多变量 ...

  8. 爬虫学习(二)--爬取360应用市场app信息

    欢迎加入python学习交流群 667279387 爬虫学习 爬虫学习(一)-爬取电影天堂下载链接 爬虫学习(二)–爬取360应用市场app信息 代码环境:windows10, python 3.5 ...

  9. Spring Data初步--整合Hibernate

    Spring Data课程中的技术介绍 Hibernate: Hibernate 是一个开放源代码的对象关系映射框架,它对 JDBC 进行了非常轻量级的对象封装,它将 pojo 与数据库表建立映射关系 ...

  10. MyBatis—resultMap 的关联方式实现多表查询(多 对一)

    mapper 层 a)在 StudentMapper.xml 中定义多表连接查询 SQL 语句, 一次性查到需要的所有数据, 包括对应班级的信息. b)通过<resultMap>定义映射关 ...