生活_傻大方

  1. 首页 > 人文 > >

FreeBuf|Terrier:一款功能强大的镜像&容器安全分析工具


【FreeBuf|Terrier:一款功能强大的镜像&容器安全分析工具】

FreeBuf|Terrier:一款功能强大的镜像&容器安全分析工具
本文插图
Terrier是一款针对OCI镜像和容器的安全分析工具 , Terrier可以帮助研究人员扫描OCI镜像和容器文件 , 并根据哈希来识别和验证特定文件是否存在 。
工具安装源代码:如需了解源代码安装步骤 , 请参考项目的Releases页面 。
通过Go安装:$go get github.com/heroku/terrier源构建通过Go:$go build
$make all工具使用$ ./terrier -hUsageof./terrier:-cfg stringLoad configfromprovided yaml file (default"cfg.yml")工具使用必须扫描镜像的OCI TAR , 这个值需要通过cfg.yml文件提供给Terrier 。
下列Docker命令可以用来将一个Docker镜像转换成一个TAR文件 , 并提供给Terrier扫描:
# docker save imageid -o image.tar$ ./terrier[+] Loading config: cfg.yml[+] Analysing Image[+] Docker Image Source: image.tar[*] Inspecting Layer: 05c3c2c60920f68***6d3c66e0f6148b81a8b0831388c2d61be5ef02190bcd1f[!] All components were identified and verified: (493/493)样本YML配置Terrier会对YAML文件进行解析 , 下列给出的是样本配置文件:
#THIS IS AN EXAMPLE CONFIG, MODIFY TO YOUR NEEDSmode: imageimage: image.tar# mode: container# path: merged# verbose: true# veryverbose: truefiles:- name:'/usr/bin/curl'hashes:-hash:'2353cbb7b47d0782ba8cdd9c7438b053c982eaaea6fbef8620c31a58d1e276e8'-hash:'22e88c7d6da9b73fbb515ed6a8f6d133c680527a799e3069ca7ce346d90649b2aaa'-hash:'9a43cb726fef31f272333b236ff1fde4beab363af54d0bc99c304450065d9c96'-hash:'8b7c559b8cccca0d30d01bc4b5dc944766208a53d18a03aa8afe97252207521faa'- name:'/usr/bin/go'hashes:-hash:#UNCOMMENT TO ANALYZE HASHES# hashes:#- hash: '8b7c559b8cccca0d30d01bc4b5dc944766208a53d18a03aa8afe97252207521faa'#- hash: '22e88c7d6da9b73fbb515ed6a8f6d133c680527a799e3069ca7ce346d90649b2aa'#- hash: '60a2c86db4523e5d3eb41a247b4e7042a21d5c9d483d59053159d9ed50c8aa41aa'Terrier会做什么?Terrier提供了一个命令行工具 , 可以允许我们:
1、扫描一个OCI镜像中一个或多个目标文件是否存在 , 需提供目标文件的SHA256哈希;
2、扫描一个正在运行的容器中一个或多个目标文件是否存在 , 需提供目标文件的SHA256哈希;
场景1Terrier可以用来验证特定OCI镜像是否包含特定代码 , 这个功能可以使用在供应链验证场景中 。 比如说 , 我们可能需要检查特定Docker镜像是否由特定版本的代码构成的 , 此时就可以使用Terrier了 。 此时 , 我们需要提供特定代码的SHA256哈希 。
此场景下的样本YAML文件如下所示:
mode: image# verbose:true# veryverbose: trueimage: golang1131.tarfiles:- name:'/usr/local/bin/analysis.sh'hashes:- hash:'9adc0bf7362bb66b98005aebec36691a62c80d54755e361788c776367d11b105'- name:'/usr/bin/curl'hashes:- hash:'23afbfab4f35ac90d9841a6e05f0d1487b6e0c3a914ea8dab3676c6dde612495'- name:'/usr/local/bin/staticcheck'hashes:- hash:'73f89162bacda8dd2354021dc56dc2f3dba136e873e372312843cd895dde24a2'场景2Terrier可以用来验证一个OCI镜像中是否存在特定文件 , 需提供目标文件的SHA256哈希 。 这个给功能可以帮助我们检查OCI镜像中是否存在恶意文件 。
mode: image# verbose:true# veryverbose: trueimage: alpinetest.tarhashes:- hash:'8b7c559b8cccca0d30d01bc4b5dc944766208a53d18a03aa8afe97252207521f'- hash:'22e88c7d6da9b73fbb515ed6a8f6d133c680527a799e3069ca7ce346d90649b2'- hash:'60a2c86db4523e5d3eb41a247b4e7042a21d5c9d483d59053159d9ed50c8aa41'- hash:'9a43cb726fef31f272333b236ff1fde4beab363af54d0bc99c304450065d9c96'分页标题场景3Terrier可以用来在运行时对容器组件进行验证 , 并分析其中内容 。
mode: containerverbose:true# veryverbose:true# image: latestgo13.tarpath: mergedfiles:- name:'/usr/local/bin/analysis.sh'hashes:- hash:'9adc0bf7362bb66b98005aebec36691a62c80d54755e361788c776367d11b105'- name:'/usr/local/go/bin/go'hashes:- hash:'23afbfab4f35ac90d9841a6e05f0d1487b6e0c3a914ea8dab3676c6dde612495'- name:'/usr/local/bin/staticcheck'hashes:- hash:'73f89162bacda8dd2354021dc56dc2f3dba136e873e372312843cd895dde24a2'- name:'/usr/local/bin/gosec'hashes:- hash:'e7cb8304e032ccde8e342a7f85ba0ba5cb0b8383a09a77ca282793ad7e9f8c1f'- name:'/usr/local/bin/errcheck'hashes:- hash:'41f725d7a872cad4ce1f403938937822572e0a38a51e8a1b29707f5884a2f0d7'- name:'/var/lib/dpkg/info/apt.postrm'hashes:- hash:'6a8f9af3abcfb8c6e35887d11d41a83782***f5766d42bd1e32a38781cba0b1c'工具使用样例1Terrier提供了一个命令行接口 , 并使用了YAML 。 样本YAML配置如下:
mode: image# verbose:true# veryverbose: trueimage: alpinetest.tarfiles:- name:'/usr/local/go/bin/go'hashes:- hash:'8b7c559b8cccca0d30d01bc4b5dc944766208a53d18a03aa8afe97252207521f'- hash:'22e88c7d6da9b73fbb515ed6a8f6d133c680527a799e3069ca7ce346d90649b2aaa'- hash:'60a2c86db4523e5d3eb41a247b4e7042a21d5c9d483d59053159d9ed50c8aa41aaa'- hash:'8b7c559b8cccca0d30d01bc4b5dc944766208a53d18a03aa8afe97252207521faa'- name:'/usr/bin/delpart'hashes:- hash:'9a43cb726fef31f272333b236ff1fde4beab363af54d0bc99c304450065d9c96aaa'- name:'/usr/bin/stdbuf'hashes:- hash:- hash:'22e88c7d6da9b73fbb515ed6a8f6d133c680527a799e3069ca7ce346d90649b2aa'- hash:'60a2c86db4523e5d3eb41a247b4e7042a21d5c9d483d59053159d9ed50c8aa41aa'在下面的样例中 , 我们通过上述YAML来让Terrier验证多个文件是否存在:
$./terrier [+] Loading config: cfg.yml[+] Analysing Image[+] Docker Image Source: alpinetest.tar[*] Inspecting Layer:05c3c2c60920f68***6d3c66e0f6148b81a8b0831388c2d61be5ef02190bcd1f[*] Inspecting Layer:09c25a178d8a6f8b984f3e72ca5ec966215b24a700ed135dc062ad925aa5eb23[*] Inspecting Layer:36351e8e1da92268d40245cfbcd499a1173eeacc23be428386c8fc0a16f0b10a[*] Inspecting Layer:7224ca1e886eeb7e63a9e978b1a811ed52f4a53ccb65f7c510fa04a0d1103fdf[*] Inspecting Layer:7a2e464d80c7a1d89dab4321145491fb94865099c59975cfc840c2b8e7065014[*] Inspecting Layer:88a583fe02f250344f89242f88309c666671042b032411630de870a111bea971[*] Inspecting Layer:8db14b6fdd2cf8b4c122824531a4d85e07f1fecd6f7f43eab7f2d0a90d8c4bf2[*] Inspecting Layer:9196e3376d1ed69a647e728a444662c10ed21feed4ef7aaca0d10f452240a09a[*] Inspecting Layer:92db9b9e59a64cdf486203189d02acff79c3360788b62214a49d2263874ee811[*] Inspecting Layer: bc4bb4a45da628724c9f93400a9149b2dd8a5d437272cb4e572cfaec64512d98[*] Inspecting Layer: be7d600e4e8ed3000e342ef6482211350069d935a14aeff4d9fc3289e1426ed3[*] Inspecting Layer: c4cec85dfa44f0a8856064922cff1c39b872***6dd002e33664d11a80f75a149[*] Inspecting Layer: c998d6f023b7b9e3c186af19bcd1c2574f0d01b943077281ac5bd32e02dc57a5[!] All components were identified and verified: (493/493)样例2验证镜像中是否存在任意文件 , 需提供目标文件的SHA256哈希:
分页标题mode: image# verbose:true# veryverbose: trueimage:1070caa1a8d89440829fd35d9356143a9d6185fe7f7a015b992ec1d8aa81c78a.tarhashes:- hash:'8b7c559b8cccca0d30d01bc4b5dc944766208a53d18a03aa8afe97252207521f'- hash:'22e88c7d6da9b73fbb515ed6a8f6d133c680527a799e3069ca7ce346d90649b2'- hash:'60a2c86db4523e5d3eb41a247b4e7042a21d5c9d483d59053159d9ed50c8aa41'- hash:'9a43cb726fef31f272333b236ff1fde4beab363af54d0bc99c304450065d9c96'运行Terrier:
./terrier [+] Loading config: cfg.yml[+] Docker Image Source: golang.tar[*] Inspecting Layer: 1070caa1a8d89440829fd35d9356143a9d6185fe7f7a015b992ec1d8aa81c78a[*] Inspecting Layer: 414833cdb33683ab8607565da5f40d3dc3f721e9a59e14e373fce206580ed40d[*] Inspecting Layer: 6bd93c6873c822f793f770fdf3973d8a02254a5a0d60d67827480797f76858aa[*] Inspecting Layer: c40c240ae37a2d2982ebcc3a58e67bf07aeaebe0796b5c5687045083ac6295ed[*] Inspecting Layer: d2850df0b6795c00bdce32eb9c1ad9afc0640c2b9a3e53ec5437fc5539b1d71a[*] Inspecting Layer: f0c2fe7dbe3336c8ba06258935c8dae37dbecd404d2d9cd74c3587391a11b1af[!] Found file 'f0c2fe7dbe3336c8ba06258935c8dae37dbecd404d2d9cd74c3587391a11b1af/usr/bin/curl' with hash: 9a43cb726fef31f272333b236ff1fde4beab363af54d0bc99c304450065d9c96[*] Inspecting Layer: f2d913644763b53196cfd2597f21b9739535ef9d5bf9250b9fa21ed223fc29e3echo $?1项目地址Terrier:https://github.com/heroku/terrier
*参考来源:heroku , FB小编Alpha_h4ck编译 , 转载请注明来自FreeBuf.COM
精彩推荐

FreeBuf|Terrier:一款功能强大的镜像&容器安全分析工具
本文插图



    上一篇:何享健|美的创始人何享健昨日遭劫持,已抓获5人,无人员受伤

    下一篇:五棵松北京五棵松华熙“沦陷”?谣言!