terrier: Image and Container analysis tool

Terrier

Terrier is an Image and Container analysis tool that can be used to scan OCI images and Containers to identify and verify the presence of specific files according to their hashes.

What does Terrier do?

It is a CLI tool that allows you to:

  • Scan an OCI image for the presence of one or more files that match one or more provided SHA256 hashes
  • Scan a running Container for the presence of one or more files that match one or more provided SHA256 hashes

What is Terrier useful for?

Scenario 1

It can be used to verify whether a specific OCI image is making use of a specific binary, which is useful in a supply chain verification scenario. For example, we may want to check that a specific Docker image is making use of a specific version or versions of cURL. In this case, Terrier is supplied with the SHA256 hashes of the binaries that are trusted.

An example YAML file for this scenario might look like this:

mode: image

# verbose: true
# veryverbose: true
image: golang1131.tar

files:
  - name: '/usr/local/bin/analysis.sh'
    hashes:
      - hash: '9adc0bf7362bb66b98005aebec36691a62c80d54755e361788c776367d11b105'
  - name: '/usr/bin/curl'
    hashes:
      - hash: '23afbfab4f35ac90d9841a6e05f0d1487b6e0c3a914ea8dab3676c6dde612495'
  - name: '/usr/local/bin/staticcheck'
    hashes:
      - hash: '73f89162bacda8dd2354021dc56dc2f3dba136e873e372312843cd895dde24a2'


Scenario 2

It can be used to verify the presence of a particular file or files in an OCI image according to a set of provided hashes. This is useful for checking whether an OCI image contains a known malicious file, or any other file that needs to be identified.

An example YAML file for this scenario might look like this:

mode: image

# verbose: true
# veryverbose: true
image: alpinetest.tar
hashes:
  - hash: '8b7c559b8cccca0d30d01bc4b5dc944766208a53d18a03aa8afe97252207521f'
  - hash: '22e88c7d6da9b73fbb515ed6a8f6d133c680527a799e3069ca7ce346d90649b2'
  - hash: '60a2c86db4523e5d3eb41a247b4e7042a21d5c9d483d59053159d9ed50c8aa41'
  - hash: '9a43cb726fef31f272333b236ff1fde4beab363af54d0bc99c304450065d9c96'
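
Both image-mode scenarios come down to one question: which bytes actually sit at each path once every layer of the image tar has been applied? A later layer that upgrades cURL replaces the earlier binary, and a deleted file is recorded as a whiteout entry rather than physically removed, so a scanner that hashes each layer in isolation can report a match for a file that no longer exists in the image's final filesystem. The Go program below is an added example, not Terrier's own code, and the page does not say how Terrier resolves layers; it applies uncompressed layer tars in the order given (that order comes from the image's manifest.json) following the OCI layer whiteout rules, and returns the path-to-SHA256 map that either scenario's hash comparison runs against. The layer file names on the command line are placeholders.

```go
package main

import (
	"archive/tar"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path"
	"strings"
)

// OCI layer whiteouts: ".wh.<name>" removes <name>; ".wh..wh..opq" hides the whole directory.
const (
	whiteoutPrefix = ".wh."
	opaqueWhiteout = ".wh..wh..opq"
)

// applyLayer reads one uncompressed layer tar and updates files (absolute path ->
// hex SHA256 of content) with that layer's additions, replacements and whiteouts.
func applyLayer(files map[string]string, layer io.Reader) error {
	tr := tar.NewReader(layer)
	added := map[string]string{} // merged at the end: whiteouts only affect LOWER layers
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		} else if err != nil {
			return err
		}
		// "usr/bin/curl", "./usr/bin/curl" and "/usr/bin/curl" name the same file.
		name := path.Clean("/" + hdr.Name)
		dir, base := path.Split(name)
		switch {
		case strings.HasPrefix(base, whiteoutPrefix):
			// Opaque: hide the whole directory. Plain: hide one name and anything under it.
			prefix := dir
			if base != opaqueWhiteout {
				prefix = path.Join(dir, strings.TrimPrefix(base, whiteoutPrefix))
				delete(files, prefix)
				prefix += "/"
			}
			for p := range files {
				if strings.HasPrefix(p, prefix) {
					delete(files, p)
				}
			}
		case hdr.Typeflag == tar.TypeLink: // hard link: no content, same hash as its target
			if h, ok := added[path.Clean("/"+hdr.Linkname)]; ok {
				added[name] = h
			}
		case hdr.FileInfo().Mode().IsRegular():
			h := sha256.New()
			if _, err := io.Copy(h, tr); err != nil {
				return err
			}
			added[name] = hex.EncodeToString(h.Sum(nil))
		default:
			// Directory, symlink or device: nothing to hash, but it replaces any lower-layer file.
			delete(files, name)
		}
	}
	for n, h := range added {
		files[n] = h
	}
	return nil
}

// ImageFiles applies layers in manifest.json order (base first) and returns the final filesystem.
func ImageFiles(layers ...io.Reader) (map[string]string, error) {
	files := map[string]string{}
	for i, l := range layers {
		if err := applyLayer(files, l); err != nil {
			return nil, fmt.Errorf("layer %d: %w", i, err)
		}
	}
	return files, nil
}

func main() {
	// Usage: go run . base.tar next.tar ... (placeholder names; uncompressed layer tars, base first)
	readers := make([]io.Reader, 0, len(os.Args)-1)
	for _, p := range os.Args[1:] {
		f, err := os.Open(p)
		if err != nil {
			panic(err)
		}
		readers = append(readers, f)
	}
	files, err := ImageFiles(readers...)
	if err != nil {
		panic(err)
	}
	for name, sum := range files {
		fmt.Printf("%s  %s\n", sum, name)
	}
}
```

Scenario 1's check is then a lookup of each policy path in the returned map; Scenario 2's is a scan of the map's values for the listed hashes. Two details the example handles deliberately: whiteouts only ever affect lower layers, so a file added in the same layer as an opaque whiteout of its directory must survive no matter which entry the tar writer emitted first, and hard-link entries carry no content, so they take the hash of their target instead of the hash of an empty stream.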


Scenario 3

It can be used to verify the components of Containers at runtime by analyzing the contents of /var/lib/docker/overlay2/…/merged. An example YAML file for this scenario might look like this:

mode: container

verbose: true
# veryverbose: true
# image: latestgo13.tar
path: merged

files:
  - name: '/usr/local/bin/analysis.sh'
    hashes:
      - hash: '9adc0bf7362bb66b98005aebec36691a62c80d54755e361788c776367d11b105'
  - name: '/usr/local/go/bin/go'
    hashes:
      - hash: '23afbfab4f35ac90d9841a6e05f0d1487b6e0c3a914ea8dab3676c6dde612495'
  - name: '/usr/local/bin/staticcheck'
    hashes:
      - hash: '73f89162bacda8dd2354021dc56dc2f3dba136e873e372312843cd895dde24a2'
  - name: '/usr/local/bin/gosec'
    hashes:
      - hash: 'e7cb8304e032ccde8e342a7f85ba0ba5cb0b8383a09a77ca282793ad7e9f8c1f'
  - name: '/usr/local/bin/errcheck'
    hashes:
      - hash: '41f725d7a872cad4ce1f403938937822572e0a38a51e8a1b29707f5884a2f0d7'
  - name: '/var/lib/dpkg/info/apt.postrm'
    hashes:
      - hash: '6a8f9af3abcfb8c6e35887d11d41a83782b50f5766d42bd1e32a38781cba0b1c'
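
Scenario 3 reads the container's filesystem through the host, so the check itself is a walk over ordinary files, but that changes one thing a hash checker has to get right: symlinks. The Go program below is an added example, not Terrier's code (the page does not say how Terrier treats symlinks); it takes the merged directory as its argument, checks each policy path against its trusted hashes, and refuses to hash anything that is not a regular file, because an absolute symlink inside the container is resolved by the host kernel against the host's root when opened from outside the container. The sample policy in main reuses the first two entries of the YAML above.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// NamedFile mirrors one entry under `files:` in the YAML above: a path inside
// the container root and the SHA256 hashes that are acceptable for it.
type NamedFile struct {
	Name   string
	Hashes []string
}

// Finding.Status is "verified", "mismatch", "missing" or "not-regular" (a
// symlink, directory or device sits where a regular file was expected).
type Finding struct{ Path, Hash, Status string }

// sha256File streams the file through SHA256 so large binaries stay off the heap.
func sha256File(p string) (string, error) {
	f, err := os.Open(p)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// Verify checks each named file under root (an overlay2 "merged" directory when
// scanning a running container) and returns one Finding per entry, in policy order.
func Verify(root string, files []NamedFile) ([]Finding, error) {
	out := make([]Finding, 0, len(files))
	for _, nf := range files {
		full := filepath.Join(root, filepath.FromSlash(nf.Name))
		// Lstat, not Stat: an absolute symlink inside the container (say
		// /usr/bin/curl -> /etc/alternatives/curl) is resolved by the host kernel
		// against the HOST root, so following it would hash the wrong file.
		fi, err := os.Lstat(full)
		switch {
		case os.IsNotExist(err):
			out = append(out, Finding{Path: nf.Name, Status: "missing"})
			continue
		case err != nil:
			return nil, err
		case !fi.Mode().IsRegular():
			out = append(out, Finding{Path: nf.Name, Status: "not-regular"})
			continue
		}
		sum, err := sha256File(full)
		if err != nil {
			return nil, err
		}
		status := "mismatch"
		for _, want := range nf.Hashes {
			if strings.EqualFold(want, sum) { // hex case must not matter
				status = "verified"
				break
			}
		}
		out = append(out, Finding{Path: nf.Name, Hash: sum, Status: status})
	}
	return out, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: verify <merged-dir>")
		os.Exit(2)
	}
	// Sample policy: the first two entries of the Scenario 3 YAML above.
	policy := []NamedFile{
		{Name: "/usr/local/bin/analysis.sh", Hashes: []string{"9adc0bf7362bb66b98005aebec36691a62c80d54755e361788c776367d11b105"}},
		{Name: "/usr/local/go/bin/go", Hashes: []string{"23afbfab4f35ac90d9841a6e05f0d1487b6e0c3a914ea8dab3676c6dde612495"}},
	}
	findings, err := Verify(os.Args[1], policy)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	failed := false
	for _, f := range findings {
		fmt.Printf("%-12s %-64s %s\n", f.Status, f.Hash, f.Path)
		failed = failed || f.Status != "verified"
	}
	if failed {
		os.Exit(1) // anything other than "verified" fails the gate
	}
}
```

A "not-regular" verdict is reported rather than silently skipped because, from a verification standpoint, a symlink or directory where a trusted binary should be is as much a deviation as a wrong hash. The merged directory is only present while the container is running, which is why the page describes this as a runtime check.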


Download & Use

Copyright 2019 Salesforce.com, Inc.