{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":"《"},{"type":"link","attrs":{"href":"https:\/\/sysdig.com\/blog\/sysdig-2021-container-security-usage-report\/","title":null,"type":null},"content":[{"type":"text","text":"Sysdig 2021容器安全和使用现状报告"}],"marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}]},{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":"》强调指出了容器安全左移的趋势。此外,报告中分析的镜像在基本安全设置(provision)上依然存在不足之处。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":" "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":"Sysdig报告所收集的数据,来自于对其客户日常使用的数百万容器的分析。其中包括一些基于Nginx、Go、PostgreSQL的容器,以及其它许多可用的容器镜像。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":" "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":"在安全领域中,左移(shift left)意味着团队在开发周期的早期就考虑了架构选取和设计选项中的安全隐患。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":" "}]},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"分析报告强调的一个趋势是许多公司的安全左移已经扩展到了Kubernetes的安全方面,有四分之三组织在CI\/CD中,会在部署的构建阶段之前就对其容器映像进行安全扫描。"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":" "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":"Sysdig报告指出,对镜像进行扫描是确保任何来源镜像都能安全的关键。事实上,该报告所扫描的镜像中,约有55%至少发现了一种高危甚至更严重的漏洞。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":" "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":"不幸的是,不当的镜像配置,会抵消安全左移这一积极趋势。Sysdig报告具体指出,58%的容器仍以root用户身份运行,尽管其中只有少数几个容器的运行的确需要root特权。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":" "}]},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"随着容器环境的成熟,组织意识到仅做镜像扫描是不够的。为应对持续变化的威胁,还需要考虑运行时安全性。"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":" "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":"除了以root用户身份运行容器,Sysdig报告还发现了其他一些违反运行时策略的行为,包括写入“\/etc”和“\/”目录下的文件、使用Shell终端作为容器的入口点、修改敏感系统文件等。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":" "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":"对于运行时安全工具,Sysdig报告指出CNCF("},{"type":"link","attrs":{"href":"https:\/\/www.cncf.io\/","title":null,"type":null},"content":[{"type":"text","text":"Cloud Native Computing Foundation"}],"marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}]},{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":"的"},{"type":"link","attrs":{"href":"https:\/\/falco.org\/","title":null,"type":null},"content":[{"type":"text","text":"Falco"}],"marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}]},{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":"项目正得到越来越多的采用。Falco最初是由Sysdig创建的项目,后"},{"type":"link","attrs":{"href":"https:\/\/www.cncf.io\/blog\/2020\/01\/08\/toc-votes-to-move-falco-into-cncf-incubator\/","title":null,"type":null},"content":[{"type":"text","text":"捐赠给CNCF"}],"marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}]},{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":"。Falco通过分析Linux系统调用,包括使用特权容器达到特权升级、所有权和模式的更改、对execve和shell及SSH的使用情况等,实现异常行为检测。但是,开展运行时分析是十分困难的,因为许多容器的生命周期非常有限,不足向许多监视工具提供详细的信息。例如,近49%的容器生命周期小于5分钟,其中甚至有21%容器的生命周期小于10秒。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":" "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":"Sysdig报告强调的另一个趋势是,"},{"type":"link","attrs":{"href":"https:\/\/containerd.io\/","title":null,"type":null},"content":[{"type":"text","text":"containerd"}],"marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}]},{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":"和"},{"type":"link","attrs":{"href":"https:\/\/cri-o.io\/","title":null,"type":null},"content":[{"type":"text","text":"CRI-O"}],"marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}]},{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":"正替代Docker成为首选。考虑到Docker引擎的发展,体现出这一趋势并不意外:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":" "}]},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Docker引擎以前同时提供高层和低层运行时功能,现已分解为单独的containerd和runc项目。"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":" "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https:\/\/sdtimes.com\/kubernetes\/kubernetes-to-deprecate-docker-container-runtime-in-v1-22\/","title":null,"type":null},"content":[{"type":"text","text":"Kubernetes正式宣布将于下半年弃用Docker"}],"marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}]},{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":",这也验证了去Docker化的趋势。另一方面,在OpenShift平台上,以Kubernetes做为编排器或可用选项处于遥遥领先的地位。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":" "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":"《Sysdig 2021容器安全和使用现状报告》还提供了更丰富的内容,不在此一一列出。欢迎查看报告全文。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":" "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}},{"type":"strong"}],"text":"原文链接:"},{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":" "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https:\/\/www.infoq.com\/news\/2021\/01\/Sysdig-container-security-report\/","title":null,"type":null},"content":[{"type":"text","text":"Sysdig: Container Security Shifting Left, Docker Usage Shrinking"}],"marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}]}]}]}
Sysdig报告给出容器安全左移和去Docker化趋势
{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":"《"},{"type":"link","attrs":{"href":"https:\/\/sysdig.com\/blog\/sysdig-2021-container-security-usage-report\/","title":null,"type":null},"content":[{"type":"text","text":"Sysdig 2021容器安全和使用现状报告"}],"marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}]},{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":"》强调指出了容器安全左移的趋势。此外,报告中分析的镜像在基本安全设置(provision)上依然存在不足之处。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":" "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":"Sysdig报告所收集的数据,来自于对其客户日常使用的数百万容器的分析。其中包括一些基于Nginx、Go、PostgreSQL的容器,以及其它许多可用的容器镜像。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":" "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":"在安全领域中,左移(shift left)意味着团队在开发周期的早期就考虑了架构选取和设计选项中的安全隐患。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":" "}]},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"分析报告强调的一个趋势是许多公司的安全左移已经扩展到了Kubernetes的安全方面,有四分之三组织在CI\/CD中,会在部署的构建阶段之前就对其容器映像进行安全扫描。"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":" "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":"Sysdig报告指出,对镜像进行扫描是确保任何来源镜像都能安全的关键。事实上,该报告所扫描的镜像中,约有55%至少发现了一种高危甚至更严重的漏洞。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":" "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":"不幸的是,不当的镜像配置,会抵消安全左移这一积极趋势。Sysdig报告具体指出,58%的容器仍以root用户身份运行,尽管其中只有少数几个容器的运行的确需要root特权。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":" "}]},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"随着容器环境的成熟,组织意识到仅做镜像扫描是不够的。为应对持续变化的威胁,还需要考虑运行时安全性。"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":" "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":"除了以root用户身份运行容器,Sysdig报告还发现了其他一些违反运行时策略的行为,包括写入“\/etc”和“\/”目录下的文件、使用Shell终端作为容器的入口点、修改敏感系统文件等。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":" "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":"对于运行时安全工具,Sysdig报告指出CNCF("},{"type":"link","attrs":{"href":"https:\/\/www.cncf.io\/","title":null,"type":null},"content":[{"type":"text","text":"Cloud Native Computing Foundation"}],"marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}]},{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":"的"},{"type":"link","attrs":{"href":"https:\/\/falco.org\/","title":null,"type":null},"content":[{"type":"text","text":"Falco"}],"marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}]},{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":"项目正得到越来越多的采用。Falco最初是由Sysdig创建的项目,后"},{"type":"link","attrs":{"href":"https:\/\/www.cncf.io\/blog\/2020\/01\/08\/toc-votes-to-move-falco-into-cncf-incubator\/","title":null,"type":null},"content":[{"type":"text","text":"捐赠给CNCF"}],"marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}]},{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":"。Falco通过分析Linux系统调用,包括使用特权容器达到特权升级、所有权和模式的更改、对execve和shell及SSH的使用情况等,实现异常行为检测。但是,开展运行时分析是十分困难的,因为许多容器的生命周期非常有限,不足向许多监视工具提供详细的信息。例如,近49%的容器生命周期小于5分钟,其中甚至有21%容器的生命周期小于10秒。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":" "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":"Sysdig报告强调的另一个趋势是,"},{"type":"link","attrs":{"href":"https:\/\/containerd.io\/","title":null,"type":null},"content":[{"type":"text","text":"containerd"}],"marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}]},{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":"和"},{"type":"link","attrs":{"href":"https:\/\/cri-o.io\/","title":null,"type":null},"content":[{"type":"text","text":"CRI-O"}],"marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}]},{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":"正替代Docker成为首选。考虑到Docker引擎的发展,体现出这一趋势并不意外:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":" "}]},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Docker引擎以前同时提供高层和低层运行时功能,现已分解为单独的containerd和runc项目。"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":" "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https:\/\/sdtimes.com\/kubernetes\/kubernetes-to-deprecate-docker-container-runtime-in-v1-22\/","title":null,"type":null},"content":[{"type":"text","text":"Kubernetes正式宣布将于下半年弃用Docker"}],"marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}]},{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":",这也验证了去Docker化的趋势。另一方面,在OpenShift平台上,以Kubernetes做为编排器或可用选项处于遥遥领先的地位。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":" "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":"《Sysdig 2021容器安全和使用现状报告》还提供了更丰富的内容,不在此一一列出。欢迎查看报告全文。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":" "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}},{"type":"strong"}],"text":"原文链接:"},{"type":"text","marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}],"text":" "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https:\/\/www.infoq.com\/news\/2021\/01\/Sysdig-container-security-report\/","title":null,"type":null},"content":[{"type":"text","text":"Sysdig: Container Security Shifting Left, Docker Usage Shrinking"}],"marks":[{"type":"color","attrs":{"color":"#494949","name":"user"}}]}]}]}
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章