Secure your containers and images in IBM Cloud Private with Vulnerability Advisor

SriSudha
Published in IBM Cloud
Apr 13, 2018

Vulnerability Advisor checks for vulnerable packages in images present in your IBM Cloud Private registry and provides a link to any relevant security notices about the vulnerability. Packages with known vulnerability issues are displayed in the scan results. The Vulnerability Advisor also runs security checks on containers that are running in your environment.

Vulnerability Advisor generates a security status report, suggests fixes and best practices, and provides management to restrict non-secure images from running. Fixing the security and configuration issues that are reported by Vulnerability Advisor can help you secure your IBM Cloud infrastructure.

Why use Vulnerability Advisor?

  • Even the owners of an image may not know everything about it. It is common to build your image from other publicly available ones, so it is hard to know what is inside.
  • This means we must rely on tools to detect vulnerabilities rather than relying on humans to do a good job of detecting them.
  • Lastly and most importantly, take it seriously if Vulnerability Advisor says there are vulnerabilities in your containers. Acting on them helps protect not only your IT assets, but also the assets of others and the entire container cloud.

Vulnerability Advisor components

Vulnerability Advisor data collectors, also known as crawlers, inspect running containers and offline images and extract the system and application information that is used by all the Vulnerability Advisor analytics components.

The registry crawlers run as a separate deployment and scan images that are deployed into the IBM Cloud Private image registry.

To enable Vulnerability Advisor in your IBM Cloud Private cluster:

  1. Set up dedicated VA nodes. To set up the dedicated nodes, during installation, provide the node IPs in the [va] section of the hosts file.
  2. Set the disabled_management_services parameter to [""] in the config.yaml file. This setting ensures that all management services are enabled.

Note: Vulnerability Advisor is not available in IBM Cloud Private Community Edition (it’s available as a free download).

Vulnerability Advisor features

  • Scans images for vulnerabilities.
  • Provides an evaluation report that is based on security practices that are specific to IBM Cloud Container Service.
  • Provides recommendations to secure configuration files for a subset of application types.
  • Provides instructions about how to fix a reported vulnerable package or configuration issue in its reports.

Container service best practices

Among best practice rules, these three govern remote container access:

  1. Are Secure Shell (SSH) server packages installed?
  2. Is password authentication enabled for login into the SSH server?
  3. Is the password weak?

We pay particular attention to these remote-access vulnerabilities because they are the root cause of security incidents. Containers that violate these best practices are considered high-risk containers.

In the following screenshot, Vulnerability Advisor shows that the Docker image violates 1 of the 3 organizational policies, has 13 of 309 packages flagged as vulnerable, and has 3 of 26 container settings in violation.

Screenshot: scan result for a Docker image
Vulnerability Advisor has also scanned the running container for known security vulnerabilities.
Screenshot: scan results for a container

Detecting vulnerable Docker packages

Vulnerability Advisor checks for vulnerable packages in images that are based on supported operating systems and provides a link to any relevant security notices about the vulnerability.

Packages with known vulnerability issues are displayed in the scan results. The possible vulnerabilities are updated daily from published security notices for the Docker image types that are listed in the following table. Typically, for a vulnerable package to pass the scan, a later version of the package is required that includes a fix for the vulnerability.

The following image displays the affected packages, the security notice, a description, and the corrective action that Vulnerability Advisor suggests to make the package non-vulnerable:

Screenshot: vulnerable packages of a Docker image

Resolving common problems in images

Review the example fixes for common problems that might be reported by Vulnerability Advisor. Some of the reported problems can be fixed by updating your Dockerfile.

Non-compliant container settings

Problem: The above screenshot shows that the Docker image has the following non-compliant container settings:

  • Maximum password age must be set to 90 days.
  • Minimum password length must be 8.
  • Minimum days that must elapse between user-initiated password changes should be 1.

Fix: Set password compliance by adding the following instruction to your Dockerfile (the third sed assumes the Debian/Ubuntu pam_unix line in /etc/pam.d/common-password, which already carries the sha512 option):

  # Enforce a 90-day maximum password age, 1 day between password changes,
  # and a minimum password length of 8.
  RUN \
    sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/' /etc/login.defs && \
    sed -i 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 1/' /etc/login.defs && \
    sed -i 's/sha512/sha512 minlen=8/' /etc/pam.d/common-password
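As an added example (not code from the article or from Vulnerability Advisor), the following POSIX shell script audits an extracted image root filesystem for the remote-access best practices and the three password-policy settings covered above, using constructed before/after fixtures that mirror the settings the scan flags and the values the Dockerfile fix sets. The file paths, the minlen check, and accepting a maximum age shorter than 90 days are assumptions.

```shell
#!/bin/sh
# Added example (not from the article or from Vulnerability Advisor): audit an
# extracted image root filesystem for the three password-policy settings and the
# SSH password-authentication best practice discussed above. Assumes the
# Debian/Ubuntu layout the Dockerfile fix targets.

# audit_rootfs DIR: print one line per finding; print nothing when compliant.
audit_rootfs() {
    defs="$1/etc/login.defs"; pam="$1/etc/pam.d/common-password"; sshd="$1/etc/ssh/sshd_config"
    # Last uncommented PASS_MAX_DAYS / PASS_MIN_DAYS value wins, as in login.defs.
    max=$(awk '$1=="PASS_MAX_DAYS"{v=$2} END{print v}' "$defs" 2>/dev/null)
    min=$(awk '$1=="PASS_MIN_DAYS"{v=$2} END{print v}' "$defs" 2>/dev/null)
    # Assumption: a maximum age shorter than 90 days is also acceptable.
    [ -n "$max" ] && [ "$max" -le 90 ] || echo "PASS_MAX_DAYS must be 90 (found: ${max:-unset})"
    [ -n "$min" ] && [ "$min" -ge 1 ] || echo "PASS_MIN_DAYS must be 1 (found: ${min:-unset})"
    # Minimum length: an uncommented pam_unix.so line carrying minlen=8 or more.
    grep -Eq '^[^#]*pam_unix\.so.*minlen=([89]|[1-9][0-9]+)' "$pam" 2>/dev/null \
        || echo "minimum password length must be 8 (pam_unix minlen missing or below 8)"
    # Remote access: an sshd config in the image signals an SSH server package;
    # password logins count as enabled unless explicitly switched off.
    if [ -f "$sshd" ]; then
        echo "SSH server configuration present in image"
        grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+no' "$sshd" \
            || echo "SSH password authentication is enabled"
    fi
}

# make_sample_rootfs DIR before|after: constructed fixtures. "before" mirrors the
# settings the scan flags; "after" mirrors what the article's Dockerfile fix sets.
make_sample_rootfs() {
    mkdir -p "$1/etc/pam.d"
    if [ "$2" = "after" ]; then
        printf 'PASS_MAX_DAYS\t90\nPASS_MIN_DAYS\t1\n' > "$1/etc/login.defs"
        printf 'password [success=1 default=ignore] pam_unix.so obscure sha512 minlen=8\n' \
            > "$1/etc/pam.d/common-password"
    else
        mkdir -p "$1/etc/ssh"
        printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\n' > "$1/etc/login.defs"
        printf 'password [success=1 default=ignore] pam_unix.so obscure sha512\n' \
            > "$1/etc/pam.d/common-password"
        printf '#PasswordAuthentication yes\n' > "$1/etc/ssh/sshd_config"
    fi
}

tmp=$(mktemp -d)
make_sample_rootfs "$tmp/before" before; make_sample_rootfs "$tmp/after" after
echo "before fix:"; audit_rootfs "$tmp/before"
echo "after fix:"; audit_rootfs "$tmp/after"
rm -rf "$tmp"
```

To check a real image, export a container created from it with docker export, untar the archive into a directory, and pass that directory to audit_rootfs.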

For more information about configuring Vulnerability Advisor on IBM Cloud Private, refer to the Vulnerability Advisor product documentation.
