A hands-on guided lesson for DevOps Playground walking through how to use the Aqua open source tools Trivy, Kube-hunter and Tracee.
docker -v
Part 1 - Trivy (https://github.com/aquasecurity/trivy)
sudo apt-get -y install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get -y install trivy
trivy -h
Note some key parameters are -s to filter on severity and --ignore-unfixed to suppress reporting of vulnerabilities that do not currently have a fix available.
Let's play with Trivy. As an experiment let's take the advice of a recent 2019 article about choosing the best base image for a python application.
https://pythonspeed.com/articles/base-image-python-docker-images/
It recommends NOT using alpine but instead ubuntu:18.04, centos:7.6.1810 or debian:10; let's try debian:10.2-slim to reduce the results. Which is the most secure?
trivy ubuntu:18.04 | grep Total
trivy ubuntu:18.04
trivy -s CRITICAL --ignore-unfixed ubuntu:18.04
Try these steps again quickly using centos:7.6.1810 or debian:10.2-slim in place of ubuntu:18.04. I'll paste the commands below to help.
trivy centos:7.6.1810 | grep Total
trivy debian:10.2-slim | grep Total
trivy alpine:3.11
or perhaps a dedicated Python image based on alpine made by João Ferreira Loff (https://github.com/jfloff/alpine-python)
trivy jfloff/alpine-python:3.8-slim
Be specific on tags!!!
Using the latest tag or other non-specific tags can mean Trivy produces misleading results based on a locally cached copy of the image.
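To make the "which is the most secure?" comparison repeatable, the helper below (an added example, not part of the original lesson or of the Trivy project) parses saved trivy -f json -o <file> <image> reports, applies the same filtering as -s and --ignore-unfixed locally, reproduces the "Total:" line we grep for above and ranks the images. The sample reports and CVE ids are constructed placeholders, not real scan output.

```python
import json
from collections import Counter
SEVERITIES = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

def load_report(text):
    """Parse `trivy -f json` output: older releases emit a list of targets, newer ones wrap it in {"Results": [...]}."""
    report = json.loads(text)
    if isinstance(report, dict):
        return report.get("Results") or []
    return report

def count_by_severity(results, severities=None, ignore_unfixed=False):
    """Count findings per severity, applying the same filters as `trivy -s A,B` and `--ignore-unfixed`."""
    wanted = set(severities.split(",")) if severities else set(SEVERITIES)
    counts = Counter({s: 0 for s in SEVERITIES})
    for result in results:
        for vuln in result.get("Vulnerabilities") or []:  # key is null when a target is clean
            sev = vuln.get("Severity", "UNKNOWN")
            if sev not in wanted:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # no patched package exists yet, so the finding is hidden (not gone!)
            counts[sev] += 1
    return dict(counts)

def total_line(counts):
    """Render the same 'Total:' summary line that `trivy <image> | grep Total` shows."""
    detail = ", ".join(f"{s}: {counts.get(s, 0)}" for s in SEVERITIES)
    return f"Total: {sum(counts.values())} ({detail})"

def rank_images(reports, **filters):
    """Return (image, total findings) pairs, fewest first, for a dict of image -> JSON report text."""
    totals = {img: sum(count_by_severity(load_report(txt), **filters).values()) for img, txt in reports.items()}
    return sorted(totals.items(), key=lambda kv: (kv[1], kv[0]))

# Constructed sample reports in both JSON shapes; the CVE ids are placeholders, not real findings.
def vuln(cve, sev, fixed=""):
    return {"VulnerabilityID": cve, "PkgName": "pkg", "Severity": sev, "FixedVersion": fixed}

SAMPLE = {
    "ubuntu:18.04": json.dumps([{"Target": "ubuntu:18.04 (ubuntu 18.04)", "Vulnerabilities": [
        vuln("CVE-0000-0001", "MEDIUM"), vuln("CVE-0000-0002", "HIGH", "1.2-3"),
        vuln("CVE-0000-0003", "CRITICAL")]}]),
    "debian:10.2-slim": json.dumps({"Results": [{"Target": "debian:10.2-slim (debian 10.2)", "Vulnerabilities": [
        vuln("CVE-0000-0004", "LOW"), vuln("CVE-0000-0005", "CRITICAL", "2.0-1")]}]}),
}

if __name__ == "__main__":
    print(rank_images(SAMPLE, severities="CRITICAL", ignore_unfixed=True))
```

Note how the ranking flips once --ignore-unfixed is applied: the image whose only CRITICAL finding has no fix available drops to zero, which is exactly the caveat to keep in mind when reading filtered totals.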
Part 2 - Kube-hunter (remote) (https://github.com/aquasecurity/kube-hunter)
git clone https://github.com/aquasecurity/kube-hunter.git
export KUBECONFIG=~/Desktop/hands-on-trivy-to-tracee/DevopsPGkconfig.yaml
cd ./kube-hunter
curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl
chmod +x ./kubectl
CHANGE the job's metadata: name: from "kube-hunter" to something unique to you, e.g. "$USER-kube-hunter", to avoid collisions
vim job.yaml
metadata:
name: sg-1971-kube-hunter
# ADD a new parameter by CHANGING
args: ["--pod"]
# to
args: ["--pod","--quick"]
cat job.yaml | sed 's/\["--pod"\]/\["--pod","--quick"\]/' | sed "s/name: kube-hunter/name: $USER-kubehunter/" > job2.yaml
NOTE: the --quick argument limits the network interface scanning. It can turn a 45 min scan into seconds. Better for demos but not for security.
./kubectl create -f ./job2.yaml
./kubectl describe job "your-job-name"
./kubectl logs "pod name" > myresultspassive.txt
cat myresultspassive.txt
./kubectl delete -f ./job2.yaml
# ADD a new parameter by CHANGING
args: ["--pod"]
# to
args: ["--pod","--quick","--active"]
cat job.yaml | sed 's/\["--pod"\]/\["--pod","--quick","--active"\]/' | sed "s/name: kube-hunter/name: $USER-3-kubehunter/" > job3.yaml
NOTE: the --active argument extends the test to use its findings to probe for specific exploits. Better for security. It is most effective when run from within the cluster.
./kubectl create -f ./job3.yaml
./kubectl describe job "your-job-name"
./kubectl logs "pod name" > myresultsactive.txt
cat myresultsactive.txt
diff myresultsactive.txt myresultspassive.txt
Part 3 - Tracee (https://github.com/aquasecurity/tracee)
Tracee and Intro to eBPF (BPF references http://www.brendangregg.com/ebpf.html)
Warning: don't run pip install bcc. Bad. The PyPI project of that name (https://pypi.org/project/bcc/) is not the BCC we want.
sudo apt-get -y install libbcc
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys D4284CDD
echo "deb https://repo.iovisor.org/apt/bionic bionic main" | sudo tee /etc/apt/sources.list.d/iovisor.list
sudo apt-get update
sudo apt-get -y install python-bcc
sudo apt-get -y install python3-bcc
#!/usr/bin/env python3
# hello-devops.py: attach a tiny eBPF program to the clone() syscall and print a line every time a process is created.
# The bcc module comes from the python3-bcc package installed above.
from bcc import BPF

# The eBPF program itself, written in restricted C; BCC compiles it at run time.
program = """
int hello(void *ctx) {
    bpf_trace_printk("Hello DevOps Playground\\n");
    return 0;
}
"""

b = BPF(text=program)
# get_syscall_fnname() resolves the kernel symbol for the clone handler
# (sys_clone on older kernels, __x64_sys_clone on newer ones), so the kprobe attaches on either.
b.attach_kprobe(event=b.get_syscall_fnname("clone"), fn_name="hello")
# Read the kernel trace pipe and print each event until Ctrl-C.
b.trace_print()
chmod +x ./hello-devops.py
sudo ./hello-devops.py
docker run -it --rm alpine sh
sudo strace ./hello-devops.py
git clone https://github.com/aquasecurity/tracee.git
sudo ./start.py -c
docker run -it --rm alpine sh