Sysdig Report Shows Container Security Shifting Left and a Move Away from Docker

The [Sysdig 2021 Container Security and Usage Report](https://sysdig.com/blog/sysdig-2021-container-security-usage-report/) highlights the trend of container security shifting left. At the same time, the images analyzed in the report still fall short on basic security provisioning.

The data in the Sysdig report comes from analyzing the millions of containers its customers run every day, including containers based on Nginx, Go and PostgreSQL as well as many other publicly available container images.

In security, shifting left means that teams consider the security implications of their architecture and design choices early in the development cycle.

> One trend the report highlights is that for many companies, shifting security left has extended to Kubernetes security: three quarters of organizations perform security scans of their container images in CI/CD, before the build stage of deployment.

The Sysdig report points out that image scanning is key to ensuring that images from any source are safe to run. In fact, about 55% of the images scanned for the report contained at least one vulnerability of high severity or worse.

Unfortunately, poor image configuration offsets the positive shift-left trend. Specifically, the Sysdig report found that 58% of containers still run as the root user, even though only a few of them genuinely need root privileges to run.

> As container environments mature, organizations realize that image scanning alone is not enough. To counter continuously changing threats, runtime security must be considered as well.

Besides running containers as root, the Sysdig report found other runtime policy violations, including writing files under the "/etc" and "/" directories, using a shell as the container entrypoint, and modifying sensitive system files.

For runtime security tooling, the Sysdig report notes that the CNCF ([Cloud Native Computing Foundation](https://www.cncf.io/)) project [Falco](https://falco.org/) is seeing growing adoption. Falco was originally created by Sysdig and later [donated to the CNCF](https://www.cncf.io/blog/2020/01/08/toc-votes-to-move-falco-into-cncf-incubator/). Falco detects anomalous behavior by analyzing Linux system calls, covering privilege escalation through privileged containers, changes to file ownership and mode, and the use of execve, shells and SSH. Runtime analysis is difficult, however, because many containers have very short lifetimes, too short to give many monitoring tools detailed information. For example, nearly 49% of containers live for less than 5 minutes, and 21% of them live for less than 10 seconds.

Another trend the Sysdig report highlights is that [containerd](https://containerd.io/) and [CRI-O](https://cri-o.io/) are replacing Docker as the preferred runtime. Given how the Docker engine has evolved, this trend is not surprising:

> The Docker engine, which previously provided both high-level and low-level runtime functionality, has been split into the separate containerd and runc projects.

[Kubernetes' formal announcement that it will deprecate Docker in the second half of the year](https://sdtimes.com/kubernetes/kubernetes-to-deprecate-docker-container-runtime-in-v1-22/) also confirms the move away from Docker. Kubernetes itself, meanwhile, whether as the orchestrator underlying the OpenShift platform or as an available option, holds a commanding lead.

The Sysdig 2021 Container Security and Usage Report contains much more than can be listed here; the full report is worth reading.

**Original link:**

[Sysdig: Container Security Shifting Left, Docker Usage Shrinking](https://www.infoq.com/news/2021/01/Sysdig-container-security-report/)