vesta v1.0.8 releases: Docker and Kubernetes cluster configuration detect toolkit
Vesta
Vesta is a static analysis of vulnerabilities, Docker, and Kubernetes cluster configuration detect toolkit. It inspects Kubernetes and Docker configures cluster pods and containers with safe practices. It also analyses image or container components with an extra python module and node npm scan.
Vesta is a flexible toolkit that can run on physical machines in different types of systems (Windows, Linux, MacOS).
Checklist
Docker
| Supported | Check Item | Description | Severity |
|---|---|---|---|
| ✔ | PrivilegeAllowed | A privileged module is allowed. | critical |
| ✔ | Capabilities | Dangerous capabilities are opening. | critical |
| ✔ | Volume Mount | Mount dangerous location. | critical |
| ✔ | Docker Unauthorized | 2375 port is opening and unauthorized. | critical |
| ✔ | Kernel version | The kernel version is under the escape version. | critical |
| ✔ | Network Module | Net Module is host and containerd version less than 1.41. | critical |
| ✔ | Docker Server version | The server version is included in the vulnerable version | critical/high/medium/low |
| ✔ | Image tag check | The image is not tagged or the latest. | low |
| Pending | docker-compose | Some dangerous configuration. | – |
| Pending | Container env | Check Unauthorized databases and weak passwords, such as MySQL, Redis, Memcache, etc. | – |
Kubernetes
| Supported | Check Item | Description | Severity |
|---|---|---|---|
| ✔ | PrivilegeAllowed | A privileged module is allowed. | critical |
| ✔ | Capabilities | Dangerous capabilities are opening. | critical |
| ✔ | PV and PVC | PV has mounted in a dangerous location and is activated. | critical/medium |
| ✔ | ClusterRoleBinding | Permissions with default server account. | high/medium |
| ✔ | Kubernetes-dashboard | Checking -enable-skip-login and account permission. | critical/high/low |
| ✔ | Kernel version (k8s versions is less than v1.24) | The kernel version is under the escape version. | critical |
| ✔ | Docker Server version (k8s versions is less than v1.24) | The server version is included in the vulnerable version | critical/high/medium/low |
| ✔ | Kubernetes certification expiration | Certification is expired after 30 days. | medium |
| ✔ | Auto Mount ServiceAccount Token | Mounting /var/run/secrets/kubernetes.io/serviceaccount/token. | low |
| ✔ | NoResourceLimits | No resource limits are set. | low |
| ✔ | Job and Cronjob | No seccomp or seLinux are set in Job or CronJob. | low |
| Pending | CVE-2022-29179 | CVE-2022-29179 with cilium installed | critical |
| Pending | Envoy admin | Envoy admin is opening and listening to 0.0.0.0. | – |
| Pending | Kubelet 10255 and Kubectl proxy | 10255 port is opening or Kubectl proxy is opening. | – |
| Pending | Trampoline attack | RBAC is vulnerable to Trampoline attacks. | – |
Changelog v1.0.8
Notable Updates:
- Add Docker Swarm Service checking
Checking thedocker config,docker secretin Docker swarm, and find the relevant docker services. Also, reviewing the vulnerable container related to the docker services. - Annotate the tag of image checking
After researching, We find that it is hard to observe evidence of image poisoning, and there are often numerous security issues related to image tags after scanning. Therefore, annotate the image tags checking temporarily. - Add dangerous image used checking in Docker
Each container will also check whether it uses the dangerous image. - Add checking of the usage of
ephemeral-storagelimitation - Fixed the incorrect of the input parameter in
image scan
