# Dockerfile Security Best Practices

Container security covers a lot of ground, and there are many "low-hanging fruit" measures that reduce risk. A good starting point, though, is to follow a few rules when writing Dockerfiles.

In this article I list some common security problems and how to avoid them. For each one I have also written an [Open Policy Agent](https://www.openpolicyagent.org/) (OPA) rule so you can statically analyze your Dockerfile with [conftest](https://conftest.dev/).

You can find the `.rego` rule set in [this repository](https://github.com/gbrindisi/dockerfile-security).

## Don't store secrets in environment variables

Deploying secrets is a tricky problem and easy to get wrong. For containerized applications, secrets can be exposed through the filesystem by mounting volumes, or, more conveniently, through environment variables.

Using `ENV` to store secrets is generally bad, because the Dockerfile is usually deployed together with the application, so this is no different from hard-coding the secret in the source code.

How to detect this:

```rego
# Substrings that, when found in an ENV key, suggest a secret is being stored.
secrets_env = [
 "passwd",
 "password",
 "pass",
 # "pwd", can't use this one 
 "secret",
 "key",
 "access",
 "api_key",
 "apikey",
 "token",
 "tkn"
]

# conftest's Dockerfile parser exposes each instruction as {Cmd, Value};
# flag any ENV instruction whose tokens contain one of the hints above.
deny[msg] { 
 input[i].Cmd == "env"
 val := input[i].Value
 contains(lower(val[_]), secrets_env[_])
 msg = sprintf("Line %d: Potential secret in ENV key found: %s", [i, val])
}
```

## Use only trusted base images

The attack chain against a containerized application can also come from the layers used to build the container itself. The main culprit here is obviously the base image. An untrusted base image is a high risk and should be avoided at all times.

Docker provides [a set of official base images](https://docs.docker.com/docker-hub/official_images/) for the most commonly used operating systems and applications. Using them lowers the risk, since part of the responsibility is delegated to Docker itself.

How to detect this:

```rego
# Official Docker Hub images have no namespace (e.g. "python:3.12"), so an
# image reference containing "/" is treated as untrusted.
deny[msg] {
 input[i].Cmd == "from"
 val := split(input[i].Value[0], "/")
 count(val) > 1
 msg = sprintf("Line %d: use a trusted base image", [i])
}
```

This rule targets the official images on Docker Hub. It is quite naive, since all I check for is the absence of a namespace.