
FIWARE Cybersecurity Analysis


FIWARE Cybersecurity Analysis of the FIWARE Generic Enablers


Overview

Automatically scan a particular local Docker image, or all local Docker containers, with the Clair Vulnerability Scanner (using Clair-Scanner and clair-local-scan), together with the Docker Bench for Security, to check common best practices for deploying FIWARE Docker containers in production.

The tests are fully automated and are inspired by the CIS Docker Community Edition Benchmark v1.1.0.

Installation

There are two ways to install and execute the code: install the configuration files and script locally and run docker-compose on your machine (see README.md), or use Ansible to deploy a virtual machine inside FIWARE Lab that is preconfigured to launch the scan automatically (see README.md).

Executing FIWARE Docker Security Scan locally

This is the option to choose when you want to run the scan locally over a single FIWARE GE or over the complete list of FIWARE GEs.

Prerequisites

  • Docker version 18.09.1 (or newer)
  • docker-compose version 1.23.2 (or newer)

Configuration

The only thing you have to do is download the scan.py file into your local folder to run the security scanner over the selected FIWARE GE or over the predefined set of FIWARE GEs (see enablers.json).

Running this script automatically downloads the following files:

It also clones the Docker Bench Security repository in order to run the CIS Docker Benchmark analysis.

Before launching the script, you need to configure the credentials for the FIWARE Nexus instance. This is where the results of each scan run are stored for historical reference.

Execution

You can get a help description of the script by running the following command:

./container-scan.py -h

which shows the following content:

usage: container-scan.py [-h] [-p] [-v] [-d DOCKER_IMAGE]

Perform security analysis of the FIWARE GE docker images.

optional arguments:
  -h, --help            show this help message and exit
  -p, --pull            Pull the docker image from Docker Hub
  -v, --verbose         Verbose screen output
  -d DOCKER_IMAGE, --docker_image DOCKER_IMAGE
                        Name of the Docker Image to be analysed. If it is not
                        provided the Docker images are obtained from the
                        enablers.json file.

The script produces two JSON files for each FIWARE GE, named with the format:

<name of ge><date>_<time>.json

one inside the current folder and one inside the docker-bench-security folder.

Once the files have been generated, you can count the CVE vulnerabilities by severity with the following shell commands, which use the jq program:

for a in Low Medium High;
do
  # count the vulnerabilities whose severity equals ${a} (one match per line)
  data=$(jq ".[].vulnerabilities[].severity | select(.==\"${a}\")" "<name of ge><date>_<time>.json" | wc -l)
  echo $a $data
done

For the CIS Docker Benchmark (security best practices), run the following commands:

for a in WARN PASS INFO NOTE;
do
  # count the benchmark checks whose result equals ${a}
  data=$(jq ".tests[].results[].result | select(.==\"${a}\")" docker-bench-security.sh.log.json | wc -l)
  echo $a $data
done
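The same counting, and the per-GE summary the repository's report prints, done in Python instead of jq. This is an added example, not code from the fiware-security repository; it reads the same JSON paths the two jq loops above use (.[].vulnerabilities[].severity and .tests[].results[].result), and the two sample documents are constructed stand-ins for the real scan output.

```python
import json
from collections import Counter

# Constructed sample of a <name of ge><date>_<time>.json Clair report (not real output).
CLAIR_SAMPLE = json.dumps([
    {"image": "fiware/example-ge:1.0", "vulnerabilities": [
        {"featurename": "openssl", "vulnerability": "CVE-EXAMPLE-0001", "severity": "High"},
        {"featurename": "libc6", "vulnerability": "CVE-EXAMPLE-0002", "severity": "Medium"},
        {"featurename": "bash", "vulnerability": "CVE-EXAMPLE-0003", "severity": "Low"},
        {"featurename": "zlib", "vulnerability": "CVE-EXAMPLE-0004", "severity": "Medium"},
    ]}
])

# Constructed sample of docker-bench-security.sh.log.json (not real output).
BENCH_SAMPLE = json.dumps({"tests": [
    {"section": "1", "results": [{"id": "1.1", "result": "WARN"}, {"id": "1.2", "result": "PASS"}]},
    {"section": "2", "results": [{"id": "2.1", "result": "INFO"}, {"id": "2.2", "result": "NOTE"},
                                 {"id": "2.3", "result": "PASS"}]},
]})

CVE_LEVELS = ("Low", "Medium", "High")
BENCH_LEVELS = ("PASS", "INFO", "NOTE", "WARN")


def count_cve_severities(report_json):
    """Return {severity: count}; levels with no findings are reported as 0."""
    counts = Counter(v["severity"] for entry in json.loads(report_json)
                     for v in entry.get("vulnerabilities", []))
    return {level: counts.get(level, 0) for level in CVE_LEVELS}


def count_bench_results(bench_json):
    """Return {result: count} over every check in every benchmark section."""
    counts = Counter(r["result"] for test in json.loads(bench_json)["tests"]
                     for r in test.get("results", []))
    return {level: counts.get(level, 0) for level in BENCH_LEVELS}


def summary(ge_name, report_json, bench_json):
    """Render the summary in the layout used by the repository's report."""
    lines = [ge_name, "CVE Severity"]
    lines += [f"{k}: {v}" for k, v in count_cve_severities(report_json).items()]
    lines += ["", "CIS Docker Benchmark"]
    lines += [f"    {k}: {v}" for k, v in count_bench_results(bench_json).items()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(summary("Orion-LD", CLAIR_SAMPLE, BENCH_SAMPLE))
```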

Last but not least, stop the clair and db containers:

$ docker ps

CONTAINER ID        IMAGE                            COMMAND                  CREATED             STATUS                  PORTS               NAMES
0ef0d8e240f8        arminc/clair-local-scan:latest   "/clair -config=/con…"   29 hours ago        Up 29 hours (healthy)   6060-6061/tcp       docker_clair_1
3780c4add4a5        arminc/clair-db:latest           "docker-entrypoint.s…"   29 hours ago        Up 29 hours (healthy)   5432/tcp            docker_db_1

$ docker stop 0ef0d8e240f8 3780c4add4a5
0ef0d8e240f8
3780c4add4a5

Adding the Anchore Scan GitHub Action Workflow to a repository directly

Anchore provides a GitHub Action for vulnerability scanning. Two sample GitHub Action Workflows have been added to this repository.

For example, to enable an Anchore Scan of a Docker image based on node-slim:

  • Copy the anchore-node-slim.yaml file to .github/workflows/anchore-node-slim.yml
  • Amend the Dockerfile context location if necessary; the example assumes a folder called docker is used.
  • After committing and pushing the file, run the new GitHub Action manually.

A security report will be displayed on https://github.com/<Owner>/<Repository>/security/code-scanning?query=is%3Aopen+branch%3Amaster+severity%3Aerror

Like any GitHub Action Workflow, the build steps that create additional Docker images to scan can be added to a repository and can be arbitrarily more complex. A second example file shows how to build an alternative base image by passing --build-arg parameters on the command line, producing a container based on Red Hat UBI (Universal Base Image) 8. To scan this alternate image, just copy anchore-ubi.yaml to .github/workflows/anchore-ubi.yml.

Credits

License

These scripts are licensed under Apache License 2.0.

Issues

Update documentation to run the scans locally

Hi,

I'm trying to run the scans locally but currently facing a bunch of dead references and thus a bit blocked on this:

Change the name of the GE in the summary report

Currently the summary report has the following format:

Orion-LD_20190813_1915_clair.json
CVE Severity
Low: xxx
Medium: xxx
High: xxx

CIS Docker Benchmark
    PASS: xxx
    INFO: xxx
    NOTE: xxx
    WARN: xxx

It would be nice to change the name "Orion-LD_20190813_1915_clair.json" to the correct name of the FIWARE GE, "Orion-LD".
