container-security-testing

📁 ed1s0nz/cyberstrikeai 📅 7 days ago

总安装量

周安装量

#34733

全站排名

安装命令

npx skills add https://github.com/ed1s0nz/cyberstrikeai --skill container-security-testing

Agent 安装分布

amp 1

opencode 1

kimi-cli 1

codex 1

github-copilot 1

codebuddy 1

Skill 文档

å®¹å¨å®å¨æµè¯

æ¦è¿°

æµè¯èå´

1. éåå®å¨

æ£æ¥é¡¹ç®ï¼

åºç¡éåæ¼æ´
ä¾èµåæ¼æ´
éåéç½®
ææä¿¡æ¯

2. è¿è¡æ¶å®å¨

æ£æ¥é¡¹ç®ï¼

å®¹å¨æé
èµæºéå¶
ç½ç»éç¦»
æä»¶ç³»ç»

3. ç¼æå®å¨

æ£æ¥é¡¹ç®ï¼

Kuberneteséç½®
æå¡è´¦æ·
RBAC
ç½ç»çç¥

Dockerå®å¨æµè¯

éåæ«æ

ä½¿ç¨Trivyï¼

# æ«æéå
trivy image nginx:latest

# æ«ææ¬å°éå
trivy image --input nginx.tar

# åªæ¾ç¤ºé«å±æ¼æ´
trivy image --severity HIGH,CRITICAL nginx:latest

ä½¿ç¨Clairï¼

# å¯å¨Clair
docker run -d --name clair clair:latest

# æ«æéå
clair-scanner --ip 192.168.1.100 nginx:latest

ä½¿ç¨Docker Benchï¼

# è¿è¡Dockerå®å¨åºåæµè¯
docker run --rm --net host --pid host --userns host --cap-add audit_control \
  -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
  -v /etc:/etc:ro \
  -v /usr/bin/containerd:/usr/bin/containerd:ro \
  -v /usr/bin/runc:/usr/bin/runc:ro \
  -v /usr/lib/systemd:/usr/lib/systemd:ro \
  -v /var/lib:/var/lib:ro \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  --label docker_bench_security \
  docker/docker-bench-security

å®¹å¨éç½®æ£æ¥

æ£æ¥Dockerfileï¼

# å®å¨é®é¢ç¤ºä¾
FROM ubuntu:latest  # ä½¿ç¨latestæ ç¾
RUN apt-get update && apt-get install -y curl  # æªæå®çæ¬
COPY . /app  # å¯è½åå«æææä»¶
ENV PASSWORD=secret  # ç¡¬ç¼ç å¯ç 
USER root  # ä½¿ç¨rootç¨æ·

å®å¨æä½³å®è·µï¼

# ä½¿ç¨ç¹å®çæ¬
FROM ubuntu:20.04

# æå®åçæ¬
RUN apt-get update && apt-get install -y curl=7.68.0-1ubuntu2.7

# ä½¿ç¨érootç¨æ·
RUN useradd -m appuser
USER appuser

# æå°åéå
FROM alpine:3.15

# å¤é¶æ®µæå»º
FROM golang:1.18 AS builder
WORKDIR /app
COPY . .
RUN go build -o app

FROM alpine:3.15
COPY --from=builder /app/app /app

è¿è¡æ¶æ£æ¥

æ£æ¥å®¹å¨æéï¼

# æ£æ¥ç¹æå®¹å¨
docker ps --filter "label=privileged=true"

# æ£æ¥æè½½çä¸»æºç®å½
docker inspect container_name | grep -A 10 Mounts

# æ£æ¥å®¹å¨ç½ç»
docker network inspect network_name

æ£æ¥èµæºéå¶ï¼

# æ£æ¥ååéå¶
docker stats container_name

# æ£æ¥CPUéå¶
docker inspect container_name | grep -i cpu

Kuberneteså®å¨æµè¯

éç½®æ£æ¥

ä½¿ç¨kube-benchï¼

# è¿è¡kube-bench
kube-bench run

# æ£æ¥ç¹å®åºå
kube-bench run --targets master,node,etcd

ä½¿ç¨kube-hunterï¼

# è¿è¡kube-hunter
kube-hunter --remote target-ip

# ä¸»å¨æ¨¡å¼
kube-hunter --active

Podå®å¨

æ£æ¥Podå®å¨çç¥ï¼

# ä¸å®å¨çPodéç½®
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: app
    image: nginx
    securityContext:
      privileged: true  # ç¹ææ¨¡å¼
      runAsUser: 0  # rootç¨æ·

å®å¨éç½®ï¼

apiVersion: v1
kind: Pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 2000
  containers:
  - name: app
    image: nginx
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL
        add:
        - NET_BIND_SERVICE

RBACæ£æ¥

æ£æ¥è§è²æéï¼

# ååºææè§è²
kubectl get roles --all-namespaces

# æ£æ¥è§è²ç»å®
kubectl get rolebindings --all-namespaces

# æ£æ¥éç¾¤è§è²
kubectl get clusterroles

# æ£æ¥ç¨æ·æé
kubectl auth can-i --list --as=system:serviceaccount:default:sa-name

å¸¸è§é®é¢ï¼

è¿åº¦æé
æªä½¿ç¨çè§è²
æªä½¿ç¨çæå¡è´¦æ·

ç½ç»çç¥

æ£æ¥ç½ç»çç¥ï¼

# ååºææç½ç»çç¥
kubectl get networkpolicies --all-namespaces

# æ£æ¥ç½ç»çç¥éç½®
kubectl describe networkpolicy policy-name -n namespace

ç½ç»çç¥ç¤ºä¾ï¼

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

å·¥å·ä½¿ç¨

Falco

è¿è¡æ¶å®å¨çæ§ï¼

# å®è£Falco
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco

# æ£æ¥è§å
falco -r /etc/falco/rules.d/

Aqua Security

# æ«æéå
aqua image scan nginx:latest

# æ«æKuberneteséç¾¤
aqua k8s scan

Snyk

# æ«æDockerfile
snyk test --docker nginx:latest

# æ«æKuberneteséç½®
snyk iac test k8s/

æµè¯æ¸å

éåå®å¨

æ«æåºç¡éåæ¼æ´
æ«æä¾èµåæ¼æ´
æ£æ¥Dockerfileéç½®
æ£æ¥ææä¿¡æ¯æ³é²

è¿è¡æ¶å®å¨

æ£æ¥å®¹å¨æé
æ£æ¥èµæºéå¶
æ£æ¥ç½ç»éç¦»
æ£æ¥æä»¶ç³»ç»æè½½

ç¼æå®å¨

æ£æ¥Kuberneteséç½®
æ£æ¥RBACéç½®
æ£æ¥ç½ç»çç¥
æ£æ¥Podå®å¨çç¥

å¸¸è§å®å¨é®é¢

1. éåæ¼æ´

é®é¢ï¼

åºç¡éååå«æ¼æ´
ä¾èµååå«æ¼æ´
æªåæ¶æ´æ°

ä¿®å¤ï¼

å®ææ«æéå
åæ¶æ´æ°åºç¡éå
ä½¿ç¨æå°åéå

2. è¿åº¦æé

é®é¢ï¼

å®¹å¨ä»¥rootè¿è¡
ç¹ææ¨¡å¼
æè½½ææç®å½

ä¿®å¤ï¼

ä½¿ç¨érootç¨æ·
ç¦ç¨ç¹ææ¨¡å¼
éå¶æä»¶ç³»ç»è®¿é®

3. éç½®éè¯¯

é®é¢ï¼

é»è®¤éç½®ä¸å®å¨
ç½ç»çç¥ç¼ºå¤±
RBACéç½®éè¯¯

ä¿®å¤ï¼

éµå¾ªå®å¨æä½³å®è·µ
å®æ½ç½ç»çç¥
æ£ç¡®éç½®RBAC

4. ææä¿¡æ¯æ³é²

é®é¢ï¼

éååå«å¯é¥
ç¯å¢åéæ´é²
éç½®æä»¶æ³é²

ä¿®å¤ï¼

ä½¿ç¨å¯é¥ç®¡ç
é¿åç¡¬ç¼ç
ä½¿ç¨Secretå¯¹è±¡

æä½³å®è·µ

1. éåå®å¨

ä½¿ç¨å®æ¹åºç¡éå
å®ææ´æ°éå
æ«æéåæ¼æ´
æå°åéåå¤§å°

2. è¿è¡æ¶å®å¨

ä½¿ç¨érootç¨æ·
éå¶å®¹å¨æé
å®æ½èµæºéå¶
å¯ç¨å®å¨ä¸ä¸æ

3. ç¼æå®å¨

éç½®ç½ç»çç¥
å®æ½RBAC
ä½¿ç¨Podå®å¨çç¥
å¯ç¨å®¡è®¡æ¥å¿

æ³¨æäºé¡¹

ä»å¨ææç¯å¢ä¸è¿è¡æµè¯
é¿åå¯¹çäº§ç¯å¢é æå½±å
æ³¨æä¸åå®¹å¨å¹³å°çå·®å¼
å®æè¿è¡å®å¨æ«æ

GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台

container-security-testing

Agent 安装分布

Skill 文档

å®¹å¨å®å ¨æµè¯

æ¦è¿°

æµè¯èå´

1. éåå®å ¨

2. è¿è¡æ¶å®å ¨

3. ç¼æå®å ¨

Dockerå®å ¨æµè¯

éåæ«æ

å®¹å¨é ç½®æ£æ¥

è¿è¡æ¶æ£æ¥

Kuberneteså®å ¨æµè¯

é ç½®æ£æ¥

Podå®å ¨

RBACæ£æ¥

ç½ç»ç­ç¥

å·¥å ·ä½¿ç¨

Falco

Aqua Security

Snyk

æµè¯æ¸ å

éåå®å ¨

è¿è¡æ¶å®å ¨

ç¼æå®å ¨

å¸¸è§å®å ¨é®é¢

1. éåæ¼æ´

2. è¿åº¦æé

3. é ç½®éè¯¯

4. ææä¿¡æ¯æ³é²

æä½³å®è·µ

1. éåå®å ¨

2. è¿è¡æ¶å®å ¨

3. ç¼æå®å ¨

æ³¨æäºé¡¹

å®¹å¨å®å¨æµè¯

æ¦è¿°

æµè¯èå´

1. éåå®å¨

2. è¿è¡æ¶å®å¨

3. ç¼æå®å¨

Dockerå®å¨æµè¯

éåæ«æ

å®¹å¨éç½®æ£æ¥

è¿è¡æ¶æ£æ¥

Kuberneteså®å¨æµè¯

éç½®æ£æ¥

Podå®å¨

RBACæ£æ¥

ç½ç»çç¥

å·¥å·ä½¿ç¨

æµè¯æ¸å

éåå®å¨

è¿è¡æ¶å®å¨

ç¼æå®å¨

å¸¸è§å®å¨é®é¢

1. éåæ¼æ´

2. è¿åº¦æé

3. éç½®éè¯¯

4. ææä¿¡æ¯æ³é²

æä½³å®è·µ

1. éåå®å¨

2. è¿è¡æ¶å®å¨

3. ç¼æå®å¨

æ³¨æäºé¡¹