Vulnerability Advisor
Use the advisor to get security status for container images in your IBM® Cloud Private private registry. The Vulnerability Advisor also runs security checks on running containers in your environment.
For more information about the Vulnerability Advisor, see the About Vulnerability Advisor section in the IBM Cloud Docs.
The Vulnerability Advisor feature is supported for multi-node clusters of the Cloud Native and Enterprise editions of IBM Cloud Private only.
View the following table for a list of operating systems that the Vulnerability Advisor supports:
Operating system | Version |
---|---|
Ubuntu | |
Alpine | 2.7-3.8 |
Red Hat Enterprise Linux | all base images |
CentOS | all base images |
Debian | |
For a list of the Vulnerability Advisor components, see Components.
Enable the Vulnerability Advisor during or after installation of your IBM Cloud Private cluster. For more information, see Enabling the Vulnerability Advisor.
To enable and configure the Vulnerability Advisor after installation of your cluster, complete the steps in the following sections:
- Enabling and disabling IBM Cloud Private management services
- Configuring Vulnerability Advisor
- Logs and report management
- Viewing security reports
- Managing Policies
- Updating security notices for the Vulnerability Advisor components
Configuring Vulnerability Advisor
Configuring the Vulnerability Advisor container crawler
- From the navigation menu, click Configuration > ConfigMaps.
- In the search box, type "live-crawler".
- For the `vulnerability-advisor-live-crawler` ConfigMap, select Action > Edit. The `vulnerability-advisor-live-crawler` JSON file displays.
- Modify the value of the `enabled` parameter.
  - To disable the crawler, set the `enabled` parameter to `false`.
  - To enable the crawler, set the `enabled` parameter to `true`.
- (Optional) You can also configure the time interval for scanning containers on the host. To configure the time interval, modify the value of the `crawl-interval` parameter. The default value is 86400 seconds (one day).
- Click Submit.
- You must restart the crawler container. The container crawler is deployed as a DaemonSet named `vulnerability-advisor-live-crawler`. Restart the crawler container by running the following command:

```shell
kubectl delete pods -n kube-system $(kubectl get pods -n kube-system | awk '{print $1}' | grep live-crawler)
```
Configuring the Vulnerability Advisor image crawler
- From the navigation menu, click Configuration > ConfigMaps.
- In the search box, type "registry-crawler".
- For the `vulnerability-advisor-registry-crawler` ConfigMap, select Action > Edit. The `vulnerability-advisor-registry-crawler` JSON file displays.
- Modify the value of the `enabled` parameter.
  - To disable the crawler, set the `enabled` parameter to `false`.
  - To enable the crawler, set the `enabled` parameter to `true`.
- Click Submit.
Configuring the Vulnerability Advisor image crawler to rescan images
- From the navigation menu, click Workloads > Deployments.
- In the search box, type "registry-crawler".
- For the `vulnerability-advisor-registry-crawler` deployment, select Action > Edit. The `vulnerability-advisor-registry-crawler` JSON file displays.
- Modify the value of the following parameters.
  - To rescan images that were successfully scanned, set the `RESET_WHITELIST` option to `true`.
  - To rescan images that failed to scan, set the `RESET_BLACKLIST` option to `true`.
- Click Submit.
Configuring the number of rows for list views of containers and images
- From the navigation menu, click Tools > Vulnerability Advisor.
- Select one namespace from the table. The Vulnerability Advisor (List Containers) window is displayed. Each row in the table includes a report for one container. 50 rows are displayed per page, with a maximum of 100 rows in total.
- To configure the total number of rows, add the `max` parameter to the URL of the page. For example, when you add the `&max=200` parameter to the URL, a maximum of 200 rows in total are displayed.
- To increase the number of rows that are displayed on each page, add the `count` parameter to the URL of the page. For example, when you add the `&count=100` parameter to the URL, each page includes a maximum of 100 rows.
- You can configure both the `max` and `count` parameters. For example, when you add `&max=300&count=100` to the URL, each page displays a maximum of 100 rows, and a maximum of 300 rows (3 pages) are displayed in total:

```
https://xxx.xxx.xxx.xxx:8443/va/ui/list?access_group=kube-system&max=300&count=100
```

The `max` and `count` URL parameters are enabled for the following views:
- Vulnerability Advisor (List Containers)
- Vulnerability Advisor (List Images)
- Mutation Advisor (List Containers)
Logs and report management
The Vulnerability Advisor components, Kafka log and Minio data, consume a large amount of disk space on the VA nodes. By default, Kafka retains 600 minutes (10 hours) of logs, and Minio retains 30 days of data. This data includes container reports.
Configuring the data curation interval of the VA Minio cleaner
- From the navigation menu, click Configuration > ConfigMaps.
- For the `vulnerability-advisor-minio-cleaner-config` ConfigMap, select Action > Edit. The `vulnerability-advisor-minio-cleaner-config` JSON file displays.
- Modify the value of each Minio bucket (`vacos:30 vacos-hf:5 vacos-ma:30 vacos-summary:30`) in the `data.clean.sh` section. The unit is days.
- Click Submit.
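The bucket retention string above is a small format of its own, and a typo in it (an unknown bucket name, a zero-day value) changes how long container reports survive. The following added example, which is not code from the IBM Cloud Private documentation or from the Minio cleaner itself, parses the `bucket:days` string in the format the page shows, validates it, and rewrites one bucket's value while preserving the original order. The function names and the validation rules (at least one day, no duplicate or unknown buckets) are this example's own assumptions.

```python
"""Parse and update the per-bucket retention string read by the VA Minio cleaner.

Format, as shown on the page under data.clean.sh:
    vacos:30 vacos-hf:5 vacos-ma:30 vacos-summary:30
i.e. space-separated bucket:days entries, days as a positive integer.
Function names and validation rules are assumptions of this example.
"""
import re

# Default retention string exactly as documented on the page.
DEFAULT_RETENTION = "vacos:30 vacos-hf:5 vacos-ma:30 vacos-summary:30"

# One entry: bucket name, colon, decimal day count.
_ENTRY = re.compile(r"^([A-Za-z0-9][A-Za-z0-9.-]*):(\d+)$")


def parse_retention(spec):
    """Return {bucket: days} for a 'bucket:days bucket:days ...' string.

    Raises ValueError on a malformed entry, a duplicate bucket, or a zero-day
    value (zero would let the cleaner delete reports as soon as they land).
    """
    result = {}
    for token in spec.split():
        m = _ENTRY.match(token)
        if not m:
            raise ValueError("malformed retention entry: %r" % token)
        bucket, days = m.group(1), int(m.group(2))
        if days < 1:
            raise ValueError("retention for %s must be at least 1 day" % bucket)
        if bucket in result:
            raise ValueError("duplicate bucket: %s" % bucket)
        result[bucket] = days
    return result


def format_retention(mapping, order=None):
    """Serialise {bucket: days} back into the cleaner's string format.

    `order` (a list of bucket names) preserves the original entry order so a
    round trip produces a minimal, reviewable diff of the ConfigMap.
    """
    keys = list(order) if order else list(mapping)
    return " ".join("%s:%d" % (b, mapping[b]) for b in keys)


def set_retention(spec, bucket, days):
    """Return a new retention string with exactly one bucket's days changed.

    Unknown buckets are refused: a mistyped name would otherwise add an entry
    the cleaner never acts on and leave the real bucket at its old value.
    """
    current = parse_retention(spec)
    if bucket not in current:
        raise KeyError("unknown bucket %r; known: %s" % (bucket, ", ".join(current)))
    if days < 1:
        raise ValueError("days must be >= 1")
    order = [t.split(":")[0] for t in spec.split()]
    current[bucket] = days
    return format_retention(current, order)


if __name__ == "__main__":
    # Shorten Mutation Advisor report retention to two weeks.
    print(set_retention(DEFAULT_RETENTION, "vacos-ma", 14))
```

Run the script after editing the ConfigMap value but before you click Submit, so the string that reaches the cleaner has been checked; the same parser can be reused in a review hook that diffs the ConfigMap against the documented defaults.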
Mutation Advisor
You can view modification alerts for system files, configuration files, content files, or OS processes. From the navigation menu, click Tools > Vulnerability Advisor > namespaces. Select the Go to Mutation Advisor button to view alerts.
Configuring the Mutation Advisor process crawler
- From the navigation menu, click Configuration > ConfigMaps.
- In the search box, type "ma-crawler".
- For the `vulnerability-advisor-process-ma-crawler` ConfigMap, select Action > Edit. The `vulnerability-advisor-process-ma-crawler` JSON file displays.
- Modify the value of the `enabled` parameter.
  - To disable the crawler, set the `enabled` parameter to `false`.
  - To enable the crawler, set the `enabled` parameter to `true`.
- (Optional) You can also configure the time interval for scanning containers on the host. To configure the time interval, modify the value of the `crawl-interval` parameter. The default value is 300 seconds (5 minutes).
- Click Submit.
- You must restart the crawler container. The crawler container is deployed as a DaemonSet named `vulnerability-advisor-process-ma-crawler`. Restart the crawler container by running the following command:

```shell
kubectl delete pods -n kube-system $(kubectl get pods -n kube-system | awk '{print $1}' | grep ma-crawler)
```
Configuring the Mutation Advisor file crawler
File mutation detection is also implemented by the Vulnerability Advisor container crawler. For information, see Configuring the Vulnerability Advisor container crawler.
Configuring the log clean-up interval of the Kafka cluster
- Set up the `kubectl` CLI. See Accessing your IBM Cloud Private cluster by using the kubectl CLI.
- Edit the `vulnerability-advisor-kafka` StatefulSet object to reconfigure Kafka:

```shell
kubectl --namespace=kube-system edit StatefulSet vulnerability-advisor-kafka
```

- Modify the value of the `KAFKA_LOG_RETENTION_MINUTES` environment variable. The default value is 600 minutes (10 hours).
- Save the changes.
Viewing security reports
From the management console, you can view security reports for containers and images organized by namespace. These security reports are generated by using a default policy.
- From the navigation menu, click Tools > Vulnerability Advisor.
- Select the namespace that you want to view. The Vulnerability Advisor dashboard displays. From this dashboard, you can review the reports for containers and images in the selected namespace. The report details the following information on each container or image:
- Name - name of the container or image
- Owner - the namespace that the image or container belongs to.
- Latest Scan - the timestamp when the image or container was scanned.
- Type - specifies whether the object is a container or image
- Organizational Policies - the security policy that is being used. This is set on the Managing Policies page.
- Vulnerable Packages - current vulnerabilities that are identified for the container or image.
- Container Settings - summary of potential security and compliance issues. Recommendations for security are also presented here.
Managing Policies
- From the navigation menu, click Tools > Vulnerability Advisor.
- Select the namespace that you want to view reports for. The Vulnerability Advisor dashboard displays.
- From the horizontal navigation menu of the Vulnerability Advisor dashboard, select Manage Policies.
- On the Manage policies page, select the policy changes that you want to make by toggling the ON/OFF radio buttons.
- Click Submit Policy.
Updating security notices for the Vulnerability Advisor components
Security notices for all supported Linux distributions are preloaded in the Elasticsearch cluster for the Vulnerability Advisor. However, security notices for each Linux distribution are updated periodically on the Internet.
IBM publishes security notices by pushing a new `usnloader` image to Docker Hub at 00:00 E.S.T. daily. New `usnloader` images are tagged with a time stamp. For example, security notices that are released on May 10th 2018 are tagged as `cloudviz/usnloader:20180510`. An image tagged `latest` is also pushed daily when the build completes at 00:00 E.S.T. Each time-stamped version of the `usnloader` image is available on Docker Hub for 7 days.
Prerequisites
If your environment does not have Internet access, you need to manually pull the `usnloader` image from Docker Hub daily. To set up a manual pull, complete the following steps:
- Create a Linux cron job on a host that has Internet access. Schedule the cron job to pull the `usnloader` image every day at 5:00pm E.S.T.
- Push the latest `usnloader` image to your IBM Cloud Private private registry. See Pushing and pulling images.
- Complete the procedure for updating security notices. Ensure that you update the `image` specification in the Kubernetes CronJob `usnloader.yaml` to point to the image in the IBM Cloud Private private registry. For example, `image: mycluster.icp:8500/services/usnloader:latest`.
Procedure
To update the security notices for your IBM Cloud Private cluster, complete the following steps:
- Set up the `kubectl` CLI. See Accessing your IBM Cloud Private cluster by using the kubectl CLI.
- Create a Kubernetes CronJob `usnloader.yaml` by using the following specifications.

```yaml
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  labels:
    app: usnloader
    component: vulnerability-advisor
  name: usnloader
  namespace: kube-system
spec:
  concurrencyPolicy: Replace
  failedJobsHistoryLimit: 1
  successfulJobsHistoryLimit: 3
  schedule: '0 6 * * *'
  suspend: false
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - command: ["python2.7", "/opt/usnloader/usnloader.py", "--elasticsearch-urls", "https://elasticsearch:9200", "--ca-file", "/tls/ca.crt", "--client-cert", "/tls/curator.crt", "--client-key", "/tls/curator.key"]
            image: cloudviz/usnloader:latest
            imagePullPolicy: Always
            name: usnloader
            volumeMounts:
            - mountPath: /var/log/cloudsight/
              name: log
            - mountPath: /tls
              name: certs
              readOnly: true
          nodeSelector:
            va: "true"
          restartPolicy: OnFailure
          tolerations:
          - effect: NoSchedule
            key: "dedicated"
            operator: "Exists"
          - key: "CriticalAddonsOnly"
            operator: "Exists"
          volumes:
          - name: certs
            secret:
              defaultMode: 420
              secretName: logging-elk-certs
          - emptyDir: {}
            name: log
```

To load security notices for a specific date, you can create a Kubernetes batch job `usnloader.yaml` and specify the image for the desired date. The batch job might resemble the following code:

```yaml
---
apiVersion: batch/v1
kind: Job
metadata:
  name: usnloader
  namespace: kube-system
  labels:
    app: usnloader
    component: vulnerability-advisor
spec:
  template:
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
      name: vulnerability-advisor-usncrawler
    spec:
      containers:
      - command:
        - python2.7
        - /opt/usnloader/usnloader.py
        - --elasticsearch-urls
        - https://elasticsearch:9200
        - --ca-file
        - /tls/ca.crt
        - --client-cert
        - /tls/curator.crt
        - --client-key
        - /tls/curator.key
        image: "cloudviz/usnloader:latest"
        imagePullPolicy: Always
        name: usnloader
        volumeMounts:
        - mountPath: /var/log/cloudsight/
          name: log
        - mountPath: /tls
          name: certs
          readOnly: true
      dnsPolicy: ClusterFirst
      nodeSelector:
        va: "true"
      priorityClassName: system-cluster-critical
      restartPolicy: OnFailure
      terminationGracePeriodSeconds: 30
      tolerations:
      - effect: NoSchedule
        key: dedicated
        operator: Exists
      volumes:
      - name: certs
        secret:
          defaultMode: 420
          secretName: logging-elk-certs
      - emptyDir: {}
        name: log
```
- Launch the usnloader Job.

```shell
kubectl apply -f usnloader.yaml
```

- Check the job.

```shell
kubectl -n kube-system get cronjob | grep usnloader
```

The output resembles the following code:

```
NAME        SCHEDULE    SUSPEND   ACTIVE    LAST SCHEDULE   AGE
usnloader   0 6 * * *   False     1         29s             4m
```

The CronJob pulls the latest image from Docker Hub, and loads the latest security notices into the Elasticsearch component of your Vulnerability Advisor.

```shell
kubectl -n kube-system get job | grep usnloader
```

The output resembles the following code:

```
usnloader-1526436600   1         0            33s
```

```shell
kubectl -n kube-system get pods --show-all | grep usnloader
```

The output resembles the following code:

```
usnloader-1526436600-846nf   0/1       Completed   0          59s
```

```shell
kubectl -n kube-system logs -f usnloader-1526436600-846nf
```

The output resembles the following code:

```
2018-05-16 02:10:20,581 INFO 63 usnloader: Arguments received from the command line
2018-05-16 02:10:20,582 INFO 66 usnloader: {'elastic_search': 'vulnerability-advisor-elasticsearch:9200', 'elastic_search_password': '**********'}
2018-05-16 02:10:42,731 INFO 79 usnloader: No new usns
2018-05-16 02:10:42,744 INFO 58 log_update_status: [
  {
    "latest_advisory": "deb-2018-msg00126.html",
    "index_load_time": "2018-05-16T02:10:07.866827",
    "distro": "debian"
  },
  {
    "latest_advisory": "alpine_git_commit:",
    "index_load_time": "2018-05-15T03:02:11.375949",
    "distro": "alpine"
  },
  {
    "latest_advisory": "RHSA-2018:0998",
    "index_load_time": "2018-05-16T02:10:07.744258",
    "distro": "redhat"
  },
  {
    "latest_advisory": "centos-2018-May.txt.gz",
    "index_load_time": "2018-05-16T02:10:07.832857",
    "distro": "centos"
  },
  {
    "latest_advisory": "FEDORA-2018-05",
    "index_load_time": "2018-05-16T02:10:07.656827",
    "distro": "fedora"
  },
  {
    "latest_advisory": "ubuntu-2018-May.txt.gz",
    "index_load_time": "2018-05-16T02:10:07.551024",
    "distro": "ubuntu"
  }
]
```
You are now ready to use the Vulnerability Advisor with updated security notices.
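A scanner is only as good as the advisories it has loaded, so the `log_update_status` line above is worth checking automatically rather than by eye. The following added example is not code from the IBM Cloud Private documentation or from the usnloader tool: it parses that status line out of the pod log (the sample below is a constructed, condensed copy of the page's output), reports which distributions have an `index_load_time` older than a chosen threshold, and derives the time-stamped image tag for a date together with whether that tag still falls inside the 7-day window the page says Docker Hub keeps it for. The 36-hour default threshold, the function names, treating log timestamps as UTC, and counting the 7-day window from the publication day itself are this example's assumptions.

```python
"""Check that the security notices loaded by usnloader are current.

Parses the `log_update_status:` JSON array from usnloader's pod log and flags
distributions whose notices were last indexed too long ago. Function names,
the staleness threshold and the UTC/7-day assumptions are this example's own.
"""
import json
import re
from datetime import datetime, timedelta

# Constructed sample, condensed from the log output shown on the page.
# Timestamps are treated as UTC, as container logs normally are.
SAMPLE_LOG = """\
2018-05-16 02:10:20,581 INFO 63 usnloader: Arguments received from the command line
2018-05-16 02:10:42,731 INFO 79 usnloader: No new usns
2018-05-16 02:10:42,744 INFO 58 log_update_status: [
  { "latest_advisory": "deb-2018-msg00126.html", "index_load_time": "2018-05-16T02:10:07.866827", "distro": "debian" },
  { "latest_advisory": "alpine_git_commit:", "index_load_time": "2018-05-15T03:02:11.375949", "distro": "alpine" },
  { "latest_advisory": "RHSA-2018:0998", "index_load_time": "2018-05-16T02:10:07.744258", "distro": "redhat" }
]
"""

# The status line is followed by a JSON array that may span several lines.
_STATUS_RE = re.compile(r"log_update_status:\s*(\[.*\])", re.S)
_LOAD_FMT = "%Y-%m-%dT%H:%M:%S.%f"


def parse_update_status(log_text):
    """Return the list of per-distro status dicts, or [] if no status line is present."""
    m = _STATUS_RE.search(log_text)
    if not m:
        return []
    return json.loads(m.group(1))


def stale_distros(log_text, now_iso, max_age_hours=36):
    """Sorted names of distributions whose notices were last loaded more than
    max_age_hours before now_iso (format YYYY-MM-DDTHH:MM:SS, UTC)."""
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%S")
    limit = timedelta(hours=max_age_hours)
    stale = []
    for entry in parse_update_status(log_text):
        loaded = datetime.strptime(entry["index_load_time"], _LOAD_FMT)
        if now - loaded > limit:
            stale.append(entry["distro"])
    return sorted(stale)


def usnloader_tag(day_iso):
    """Image tag the page says carries a given day's notices: 2018-05-10 -> cloudviz/usnloader:20180510."""
    return "cloudviz/usnloader:" + datetime.strptime(day_iso, "%Y-%m-%d").strftime("%Y%m%d")


def tag_still_available(tag, today_iso):
    """True while a time-stamped tag is inside the 7-day window the page describes
    (publication day counted as day 0); `latest` is always available."""
    stamp = tag.rsplit(":", 1)[1]
    if stamp == "latest":
        return True
    published = datetime.strptime(stamp, "%Y%m%d")
    today = datetime.strptime(today_iso, "%Y-%m-%d")
    return 0 <= (today - published).days < 7


if __name__ == "__main__":
    # Run against `kubectl -n kube-system logs <usnloader pod>` output instead of SAMPLE_LOG.
    for distro in stale_distros(SAMPLE_LOG, "2018-05-16T18:00:00"):
        print("WARNING: security notices for %s are stale" % distro)
    tag = usnloader_tag("2018-05-10")
    print(tag, "available" if tag_still_available(tag, "2018-05-16") else "expired")
```

Feed it the output of `kubectl -n kube-system logs` for the most recent usnloader pod from the same cron schedule that runs the job; a distribution that shows up as stale for two consecutive runs usually means the upstream feed for that distribution is broken even though the job itself reports success. The tag check is for the air-gapped flow in Prerequisites, where a missed daily pull can leave you trying to fetch a time-stamped image that Docker Hub has already dropped.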