OpenShift 4 - DevSecOps Workshop (14) - Image Compliance Scanning

《OpenShift 4.x HOL Tutorial Index》
Note: this article has been verified on an OpenShift 4.8 environment.

《OpenShift 4 - DevSecOps Workshop video series》

This section adds a Task to the Pipeline that performs a compliance scan of the application image. The scan is carried out by a container that bundles OpenSCAP.

  1. Run the following commands to create the compliance-scan Task "oscap-image-scan". The Task first pulls the image to be scanned, then evaluates it against the "xccdf_org.ssgproject.content_profile_standard" profile, and finally uploads the scan report to the corresponding user's path in Nexus.
$ NEXUS_URL=$(oc get route nexus -n devsecops -ojsonpath={.spec.host})
$ oc apply -f - << EOF
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: oscap-image-scan
  namespace: ${CICD}
securityContext:
  privileged: true
spec:
  params:
  - name: xccdfProfile
    description: The oscap xccdf profile to use when calling the oscap-chroot command
    default: xccdf_org.ssgproject.content_profile_standard
  - name: oscapProfilePath
    description: The full path to the oscap content file
    default: /usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml
  - name: container-imagetag
    type: string
    default: latest
  - name: container-image-url
    type: string
    default: >-
      image-registry.openshift-image-registry.svc.cluster.local:5000/${CICD}/tasks
  steps:
  - name: scan-image
    image: quay.io/redhatgov/image-scanner:latest
    script: |
      #!/bin/sh
      echo "Pulling image \$(params.container-image-url)"
      buildah from --tls-verify=false --storage-driver vfs "docker://\$(params.container-image-url):\$(params.container-imagetag)"
      container_id=\$(buildah --storage-driver vfs containers -q)
      echo "Container ID: \$container_id"
      echo "Mounting the container..."
      mount_point=\$(buildah mount --storage-driver vfs \$container_id | cut -d' ' -f2)
      echo "Running oscap-chroot scan"
      oscap-chroot "\$mount_point" xccdf eval --fetch-remote-resources --profile "\$(params.xccdfProfile)" --report /tmp/report.html "\$(params.oscapProfilePath)"
      # echo "Displaying contents of /tmp/report.html"
      # echo "********** START OF report.html **********"
      # cat /tmp/report.html
      # echo "********** END OF report.html ************"
      echo "Uploading report.html to https://${NEXUS_URL}/repository/oscap-reports/${USER}/report.html"
      curl -k --user 'deployment:deployment123' --upload-file /tmp/report.html https://${NEXUS_URL}/repository/oscap-reports/${USER}/report.html
EOF
  2. Grant the privileged SCC (Security Context Constraints) to the ServiceAccount named pipeline.
$ oc adm policy add-scc-to-user privileged -z pipeline -n ${USER}
  3. Run the following command to test the oscap-image-scan Task.
$ tkn task start oscap-image-scan --showlog -n ${CICD} \
    --param xccdfProfile=xccdf_org.ssgproject.content_profile_standard \
    --param oscapProfilePath=/usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml \
    --param container-image-url=image-registry.openshift-image-registry.svc.cluster.local:5000/${DEV}/tekton-tasks \
    --param container-imagetag=latest
TaskRun started: oscap-image-scan-run-g76tz
Waiting for logs to be available...
[scan-image] Pulling image image-registry.openshift-image-registry.svc.cluster.local:5000/user1-dev/tekton-tasks
[scan-image] Getting image source signatures
[scan-image] Copying blob sha256:3daa086d507c054341d9980d84f236e721560ce925004630866944a0f621328e
[scan-image] Copying blob sha256:31114e120ca0c7dc51e01721c5a689a614edb6c86de11301d503c72be1540c79
[scan-image] Copying blob sha256:2dff5290dc62e78b13a15f22e433d076e59ae6e1f25b1b0b14882ac25457c176
[scan-image] Copying blob sha256:c9281c141a1bfec06e291d2ad29bfdedfd10a99d583fc0f48d3c26723ebe0761
[scan-image] Copying config sha256:60263c74f94a0f00d680c6d1a2c5584f5eaaba301765e6265b578d11129de64e
[scan-image] Writing manifest to image destination
[scan-image] Storing signatures
[scan-image] image-registry.openshift-image-registry.svc.cluster.local-working-container
[scan-image] Container ID: 0f3b0f54f9600ac2b88ec92cf5e77a7b268856d914acbaeb2e742976088ccea4
[scan-image] Mounting the container...
[scan-image] Running oscap-chroot scan
[scan-image] Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml ... ok
[scan-image] Prevent Login to Accounts With Empty Password
[scan-image] xccdf_org.ssgproject.content_rule_no_empty_passwords
[scan-image] Result fail
[scan-image]
[scan-image] Ensure that Roots Path Does Not Include World or Group-Writable Directories
[scan-image] xccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write
[scan-image] Result pass
[scan-image]
[scan-image] Record Events that Modify the Systems Mandatory Access Controls
[scan-image] xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
[scan-image] notapplicable
...
[scan-image]
[scan-image] Uploading report.html to https://nexus-devsecops.apps.cluster-394c.394c.sandbox1709.opentlc.com/repository/oscap-reports/user1/report.html
[scan-image]   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
[scan-image]                                  Dload  Upload   Total   Spent    Left  Speed
100 1003k    0     0  100 1003k      0  17.8M --:--:-- --:--:-- --:--:-- 17.8M
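Note that the log above reports a rule with result fail, yet the step still finishes and uploads the report: the script never checks oscap's exit status, so a non-compliant image passes straight through the pipeline. The shell functions below are an added example (not part of the original post or of the Red Hat workshop Task) that gate the step on the XCCDF results file. They assume oscap-chroot is called with the additional `--results /tmp/results.xml` option (a real `oscap xccdf eval` option); the results XML embedded here is a constructed, abridged sample in that format, using the rule ids seen in the log.

```shell
#!/bin/sh
# Added example, not part of the original post or the Red Hat workshop Task.
# Gates a scan step on the XCCDF results file that `oscap-chroot ... xccdf eval`
# writes when called with the extra `--results /tmp/results.xml` option.

# Count rule-results with the given outcome (pass, fail, notapplicable, ...).
count_results() {
  # $1 = results file, $2 = outcome to count
  # grep -c prints 0 but exits 1 when nothing matches; keep the 0 and ignore the status.
  grep -c "<result>$2</result>" "$1" || true
}

# Print the id of every rule whose outcome is fail, one per line.
failed_rules() {
  # The idref sits on <rule-result>, the outcome in its <result> child.
  awk '/<rule-result /{ match($0, /idref="[^"]*"/); id = substr($0, RSTART + 7, RLENGTH - 8) }
       /<result>fail<\/result>/{ print id }' "$1"
}

# Return 1 (fail the step) when failed rules exceed the allowed maximum.
gate_scan() {
  # $1 = results file, $2 = maximum tolerated failures (default 0)
  max=${2:-0}
  fails=$(count_results "$1" fail)
  passes=$(count_results "$1" pass)
  echo "OpenSCAP: $passes passed, $fails failed (max allowed: $max)"
  if [ "$fails" -gt "$max" ]; then
    echo "Failing rules:"
    failed_rules "$1" | sed 's/^/  /'
    return 1
  fi
  return 0
}

# Constructed sample (abridged) of an XCCDF results file; rule ids mirror the log above.
SAMPLE_RESULTS=$(mktemp)
cat > "$SAMPLE_RESULTS" <<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_standard">
  <rule-result idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_audit_rules_mac_modification" severity="medium">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
XML

# In the Task this call would follow the oscap-chroot line; here it runs on the sample.
gate_scan "$SAMPLE_RESULTS" 0 || echo "step would exit non-zero and stop the pipeline"
```

Placed after the oscap-chroot line in the step script, `gate_scan /tmp/results.xml || exit 1` makes the TaskRun fail when the image does not meet the profile, so the Pipeline stops before the image is deployed. oscap itself exits with status 2 when any rule fails, so `set -e` in the script would also stop the step; the threshold parameter is what lets a team tolerate a documented number of accepted exceptions while still blocking everything else.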

  4. Append the oscap-image-scan task to the Pipeline. The new task runs after create-image; its indentation must match the existing items in $TASKS.
$ TASKS="$(oc get pipelines tasks-dev-pipeline -n ${CICD} -o yaml | yq r - 'spec.tasks' | yq p - 'spec.tasks')"
$ oc patch pipelines tasks-dev-pipeline -n ${CICD} --type=merge -p "$(cat << EOF
$TASKS
    - name: oscap-image-scan
      taskRef:
        kind: Task
        name: oscap-image-scan
      params:
        - name: xccdfProfile
          value: xccdf_org.ssgproject.content_profile_standard
        - name: oscapProfilePath
          value: /usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml
        - name: container-imagetag
          value: latest
        - name: container-image-url
          value: image-registry.openshift-image-registry.svc.cluster.local:5000/${USER}-dev/tekton-tasks
      runAfter:
        - create-image
EOF
)"

Alternatively, add the oscap-image-scan task to the Pipeline named tasks-dev-pipeline from the OpenShift console.

  5. Run the Pipeline named tasks-dev-pipeline from the OpenShift console, or start it with the following command.
$ tkn pipeline start tasks-dev-pipeline -n ${CICD} --showlog \
    --resource pipeline-source=tasks-source-code \
    --workspace name=local-maven-repo,claimName=maven-repo-pvc
  6. Confirm that the Pipeline ran successfully.
  7. Log in to the Nexus console as the corresponding user; under Browse you can see the oscap-reports repository.
  8. Click the link in the Path column for report.html to view the compliance scan report.
