Jar 組件自動化風險監測和升級實踐

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"horizontalrule","attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/14/149c8e4bebff2b41168322fa65040fe8.jpeg","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"曾兆祜","attrs":{}}]},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2018年5月加入去哪兒網,現負責基礎安全攻防平臺的開發建設以及日常的安全運營工作","attrs":{}}]}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"horizontalrule","attrs":{}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"背景","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" 以 Xstream、Jackson、Fasjson 等爲代表的 Jar 組件高危漏洞層出不窮，安全組每年 N 次推動業務線進行第三方 Jar 組件升級，每次升級動輒涉及成百上千個應用服務，給雙方都帶來了沉重的負擔。爲了降低安全組在 Jar 組件升級期間的工作量，同時儘量給業務線減負，Qunar 安全組在 Jar 組件自動化風險監測和升級上進行了大量實踐，並總結形成了一套相對完善的解決方案。本主主要聊一下 Qunar 安全組在 Jar 組件自動化風險監測和升級方面的探索和實踐。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"horizontalrule","attrs":{}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"流程介紹","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" Jar 組件風險監測和升級本質是由風險情報驅動的一個工作流，主要包括外部安全通告監控、Jar 組件資產收集、受影響資產分析、通知業務線升級等流程。在之前一段時期，Jar 組件漏洞升級依靠安全運營人員人工的方式來串聯每個流程，這樣效率低下，甚至容易出錯。隨着 SOAR（安全編排自動化與響應）近年來的備受關注，Qunar 安全組也在 SOAR 項目上進行了建設，依託 SOAR 對事件的整合和安全服務串聯能力，我們針對 Jar 組件風險監測和升級場景進行了合理編排，達到了自動化的效果，極大提升了安全運營效率。除此之外基礎架構的同事，提供了 TCDEV 自動升級服務，爲業務線升級操作提供了極大便利。事件流程如下圖所示：","attrs":{}}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/85/85bd1deeca20aaea2b727e9ca685d262.png","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"horizontalrule","attrs":{}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"技術實現","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"本部分主要介紹 SOAR 串聯的每部分安全工具、服務的技術實現。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":4},"content":[{"type":"text","text":"1. 安全通告監控","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"安全運營人員第一時間獲取漏洞通告，對漏洞的評估研判、迅速響應和有序推動至關重要。早在19年，安全組藉助應屆生項目，實現了“安全漏洞智能感知系統”。系統主要功能爲：","attrs":{}}]},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"CVE、CNVD 以及知名廠商漏洞風險告警抓取","attrs":{}}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"漏洞信息去重整合","attrs":{}}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對存在 POC 的漏洞抓取 POC","attrs":{}}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"漏洞信息模糊匹配關聯 Jar 組件資產庫（SecDB），IM 預警安全運營人員","attrs":{}}]}]}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"該系統關鍵點在於會通過模糊匹配的方式關聯 Jar 組件資產庫，關聯到資產後 IM 發送預警信息給安全運營人員，進行進一步的風險評估以及後續的 Jar 組件升級流程。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"系統流程圖如下：","attrs":{}}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/eb/ebfa42f4ddca17e5e461b80699e47664.jpeg","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"漏洞感知平臺，以 Xstream 爲例抓取效果圖：","attrs":{}}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/a3/a32ca2ca872473a74b3643ed49b9ec00.png","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":4},"content":[{"type":"text","text":"2. Jar資產收集","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"安全資產收集是安全運營的必備基礎能力之一，Qunar 安全組歷來都把資產收集做到了業內最好的水準。當前我們採用以 HIDS 爲主要平臺，通過在 Agent 端調度資產收集插件的方式，高效的對主機的資產進行定時、實時的採集。Agent 調度示意圖：","attrs":{}}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/a4/a4892e7a189fc38383ef9dd79bc1e004.jpeg","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Jar 組件資產收集插件的主要實現思路如下：","attrs":{}}]},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"查找 cataline.base 列表","attrs":{}}]}]}],"attrs":{}},{"type":"codeblock","attrs":{"lang":"text"},"content":[{"type":"text","text":"items=$(ps aux | grep catalina.base | grep -v grep)","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"獲取 catalina.home、catalina.base 等路徑信息","attrs":{}}]}]}],"attrs":{}},{"type":"codeblock","attrs":{"lang":null},"content":[{"type":"text","text":"catalina_home=$(echo \"$item\" | tr ' ' '\\n' | grep catalina.home | cut -d= -f2 | sort | uniq)\ncatalina_base=$(echo \"$item\" | tr ' ' '\\n' | grep catalina.base | cut -d= -f2 | sort | uniq)","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"根據 server.xml 獲取 以及 信息","attrs":{}}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"根據 appBase 或者 docBase 定位 WEB-INF/lib 路徑","attrs":{}}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"枚舉 WEB-INF/lib 路徑下 Jar 包，提取每個 Jar 包的 pom.properties 信息，這樣就可以進行資產收集了，例如：","attrs":{}}]}]}],"attrs":{}},{"type":"codeblock","attrs":{"lang":null},"content":[{"type":"text","text":"jar_version=$(echo \"$pom_properties\" | grep -m 1 -E '^version=' | awk -F'=' '{print $NF}' | tr -d '\\n\\r')\njar_groupid=$(echo \"$pom_properties\" | grep -m 1 -E '^groupId=' | awk -F'=' '{print $NF}' | tr -d '\\n\\r')\njar_artifactid=$(echo \"$pom_properties\" | grep -m 1 -E '^artifactId=' | awk -F'=' '{print $NF}' | tr -d '\\n\\r')","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"通過以上手段的就可以獲取主機上存活 Java 項目依賴的 Jar 包信息，一旦爆發漏洞根據以上信息，關聯應用以及 Owner 快速響應。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"以 Xstream 爲例，收集的資產信息如下：","attrs":{}}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/92/92d1a27bfa7171c40d57caaefd96c013.png","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":4},"content":[{"type":"text","text":"3. SOAR","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"SOAR 全稱 Security Orchestration, Automation and Response，即安全編排自動化與響應，該技術主要聚焦於安全運營領域。Qunar 安全組基於 StackStorm 工作流引擎二次開發打造了 SOAR 項目，安全組件和劇本通過 python 和 yaml 實現。在 Jar 組件自動化風險監測和升級場景中流程如下圖所示：","attrs":{}}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/e4/e4bc6a24563fc997927e5c35cd501f75.png","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"從工作流流程圖，我們可以看出：","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"① 安全通告監控服務發出預警信息後，需要人工干預。安全運營人員會研判是否啓動升級流程，如果是，則填寫配置漏洞信息，啓動升級流程；否則，忽略該告警信息","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"② 啓動升級流程後，首先需要關聯信息生成受影響資產清單 ","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"a) 資產列表生成：根據配置的版本信息進行邏輯過濾，生成受影響資產的列表，同時標記內外網，以執行不同的優先級策略","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"b) 關聯 Appcode：通過 Portal API 獲取受影響主機對應的 Appcode","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"c) 關聯 Owner：通過  Portal API 獲取受影響主機對應的 Owner","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"d) 關聯技術 TL：通過 ISAPI 員工信息關聯 Owner 的技術 TL（技術 TL 充當安全對接人的角色，執行自上而下的漏洞升級推動工作）","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"③ 接下來會將資產清單提供給 tcdev，tcdev 會接管可自動化升級的應用，剩餘部分繼續由安全負責通知業務線技術 TL 升級","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Xstream 漏洞升級示例，配置漏洞信息，啓動自動關聯信息升級通知流程：","attrs":{}}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/e2/e235a2f4062151406da6309b397915f0.png","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Xstream 安全通知示例，通過內部 IM 通知技術 TL 執行升級任務：","attrs":{}}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/43/435aa0a6c1a99a8f54c7698db1771357.png","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":4},"content":[{"type":"text","text":"4. TCDEV自動升級服務","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"一般的公司，將風險事件通知負責人後整個事件流程就結束了，然後執行週期性的通知升級。但是在 Qunar 內部，基於 TCDEV 開發的自動升級服務，可以極大解放業務線的風險組件升級壓力。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"TCDEV 自動升級服務可以幫助業務線自動進行 Jar 組件升級，當前 50% 的應用可以自動化升級， 30% 的應用可以通過 TCDEV 提供的一鍵升級服務進行一鍵升級（需業務線開發評估風險），另外 20% 應用執行安全組傳統的升級策略。TCDEV 自動升級詳情如下：","attrs":{}}]},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"應用已經升級 tcdev 4.x，且已接入滅霸自動化測試的應用，tcdev 接管升級，屆時會聯繫業務確認（應用佔比 50%）","attrs":{}}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"應用已升級 tcdev 4.x，但自動化測試未覆蓋的應用，可在 portal 上點擊 “tcbom升級” 快速完成（應用佔比30%）","attrs":{}}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"尚未升級 tcdev 4.x 的應用，建議手動升級 tcdev 至 4.0.x （應用佔比20%）","attrs":{}}]}]}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"horizontalrule","attrs":{}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"總結","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"以上就是 Jar 組件自動化風險監測和升級實踐中涉及的方方面面。整體流程還有優化提升的空間，比如在漏洞評估和 TCDEV 自動升級服務還需要人工介入等。另外，TCDEV 自動升級服務價值極大，由於資料較少，沒有觸及原理實現，希望基礎架構的同學可以寫一篇文章介紹一下。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"由於水平有限，文章多有紕漏不足，也懇請大家指正。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}}]}