As the use of containers is becoming more popular and streamlined, the security aspects related to containers have also become more critical for businesses. Containerization has particular structural and operational elements that need special attention. The architectural differences like a shared kernel for containers demand a different security approach altogether, in comparison to traditional security approaches. This makes it very important to understand and perform container-specific security scanning at the earlier stages of the build process. To meet these dynamic requirements of the DevOps teams, several open-source security tools are available in the market. This article covers some popular open-source security tools your DevOps teams can use to ensure the security of your container environment.
Anchore Engine is an open-source security tool created for analyzing and scanning container images for vulnerabilities. This tool is available as a Docker container image that can be run as a standalone installation or within an orchestration platform. It lets DevOps engineers identify, test, and address vulnerabilities in the Docker images they are using to create applications. It also has the OSS foundation for Anchore Enterprise, which provides policy management, a summary dashboard, user management, security and policy evaluation reports, graphical client controls, and other backend modules and features.
There are multiple methods to get started with Anchore Engine. This tool has a simple and easy install process thanks to the Docker compose file. It implements the backend/serverside component for scanning the images. The scanner can be used in the form of a CLI tool such as an Anchore CLI or a Jenkins plugin. It can also scan repositories and add any tags in the repository. Once added, it polls the registry regularly and schedules them to be analyzed. Users of this tool can also extend Anchore Engine with plugins that add new queries, policies, and image analysis. It can be accessed directly via a RESTful API or via the Anchore CLI. The latest installation guides and details are available on the GitHub page as well as on the support knowledge base.
Falco is an open-source Kubernetes-aware security auditing tool. It was created by Sysdig and now it is a part of the Cloud Native Computing Foundation (CNCF). This tool provides behavioral monitoring for containers, network, and host activities. Some key features include complete container visibility using a single sensor that allows DevOps to gain insight into container behavior. It can detect malicious or unknown behavior and send alerts to users by logging and notifications.
Falco can track and analyze the behavior of actions happening inside the container, including Linux System Calls. It can track container-based incidents including shellcode running inside containers, any container running in privileged mode, mounting of any sensitive directory path (like /proc) from the host, unexpected attempts to read sensitive files (like /etc/shadow), or use of any standard system binary for making outbound network connections. Upon detection of any malicious behavior, like the use of specific system calls, particular arguments or properties of the calling process, it can send alerts to admins.
Clair is an open-source vulnerability scanner and static analysis tool for container images provided by CoreOS. This tool routinely collects the vulnerability information from multiple sources and stores it in the database. It exposes APIs for clients to perform and invoke scans. Users of this tool can use the Clair API to list their container images, which will create a list of features existing in the image and save them in the database. Also, when updates to vulnerability metadata happen, an alarm/notification can be sent to alert systems that a change has occurred. Several third-party tools can be used with Clair to scan images from a terminal as part of a deploy script. One of the good options is Klar, which can be downloaded from the GitHub page.
This tool’s installation details are available at GitHub, and it can be run as a container with Docker. It also comes with a Docker Compose file and a Helm Chart to make the installation easier, or it can be compiled from the source. The goal behind the Clair project is to facilitate a transparent view of the security of the container-based infrastructure. So, the project was named after the French word, which has English meaning of bright, clear, and transparent.
Dagda is an open-source tool, which is used to performs static analysis of known vulnerabilities, malware, viruses, Trojans, and other malicious threats in Docker images or containers. It can be used to monitor the Docker daemon and running Docker containers for finding out irregular or uncommon activities. This tool supports several Linux base images such as Red Hat, CentOS, Fedora, Debian, Ubuntu, OpenSUSE, and Alpine.
Dagda also comes with a Docker Compose file as well, which makes it easy to evaluate. Even though Dagda supports the monitoring of containers, it must be integrated with Sysdig Falco (an open-source cloud-native runtime security project). It does not support scanning of registries or repositories, which makes it a more fitting solution for on-demand scans than scheduled registry scans. After installation, vulnerabilities and known exploits database are imported and saved into a MongoDB. Then it collects details about the software installed into a Docker image to verify that each product and its version is free of vulnerabilities against the previously stored details in the MongoDB. Also, this tool uses ClamAV as an antivirus engine for identifying Trojans, malware, viruses, and other malicious threats included within the Docker containers/images. Primary target users for this tool are system administrators, developers, and security professionals. The Docker Compose file and related installation details are available in Dagda’s GitHub repository.
OpenSCAP is a command-line auditing tool that enables its users to scan, load, edit, validate, and export SCAP documents. SCAP (Security Content Automation Protocol) is a compliance checking solution for enterprise-level Linux infrastructure, which is maintained by the NIST. It uses the Extensible Configuration Checklist Description Format (XCCDF), a usual way of showing checklist content and outlines security checklists.
OpenSCAP provides a set of tools for compliance management and scanning, which can scan a container image. With the help of tools like oscap-docker, it can also help users scan for compliance like xccdf (Extensible Configuration Checklist Description Format). This package also has several additional tools/components such as OpenSCAP Base (to perform configuration and vulnerability scans), OpenSCAP Daemon (a service running in the background), SCAP Workbench (a graphical utility that offers an easy way to perform common oscap tasks) and SCAPtimony (middleware that stores SCAP results for user’s infrastructure). The detailed user manual guide of OpenSCAP can be found on the user manual page. Also, the compilation, testing and debugging related information is available at OpenSCAP Developer Manual.
Pick the right open-source security tools for you
Open-source security tools play an important role in securing your container-based infrastructure. Tools such as Anchore can be used for strong governance capabilities, while on the other hand, Dagda can be used to perform static analysis of known vulnerabilities. Two other tools, OpenSCAP and Clair, also provide good capabilities for vulnerability scanning and compliance management. So, depending upon your business requirements and priorities, you can select the right tool to secure your container investments.
Featured image: Freepik / rawpixel.com