Clair: Making container security easy
Security is one of the prime pillars of any reliable software solution, and for a container-based application many components have to be taken care of to get a completely secure system. Completeness here means protecting the container, its application and its performance, including the infrastructure, the software supply chain, system tools, system libraries and the runtime.
There are many solutions available in the open-source community, and here I will pick one of them: Clair. Clair is a project for the static analysis of vulnerabilities in appc and Docker containers.
How Clair works
Clair imports vulnerability data from a configured set of known sources at regular intervals and stores it in a database. The Common Vulnerabilities and Exposures (CVE) data is correlated with the indexed contents of container images to produce lists of vulnerabilities that threaten a container.
The Clair container then exposes an API that acts as an interface between clients and the database. Clients use the Clair API to query the database for the vulnerabilities of a particular image. The Clair API also indexes container images, which produces a list of the features present in the image and stores them in the database. The correlation of vulnerabilities and features is done on each request, so images do not need to be rescanned.
Deploying Clair
For deploying Clair, I recommend a hands-on approach to fully understand the process, so I have created a Katacoda lab for it. There you can follow the guided instructions and deploy your own Clair setup to scan images.
STEP 1 : Writing the main docker-compose file
The process starts by creating the docker-compose file for both the Postgres container, which stores the CVE data, and the Clair container, which serves the API. It is readily available on GitHub and can simply be downloaded using the following command
curl -LO https://raw.githubusercontent.com/coreos/clair/05cbf328aa6b00a167124dbdbec229e348d97c04/contrib/compose/docker-compose.yml
This compose file has been configured to use the latest Clair image; however, I always prefer a stable, fixed version and would also recommend that you change the image name to clair:v2.0.1.
STEP 2 : Create configuration files
First, create a folder named clair_config using the following command
mkdir clair_config
And then download the configuration file in it
curl -L https://raw.githubusercontent.com/coreos/clair/master/config.yaml.sample -o clair_config/config.yaml
You may need to make some modifications to the configuration file before using it, such as replacing the host value localhost with postgres and adding a password entry with the value password in clair_config/config.yaml. You can do that manually by opening the file in your preferred editor, or just run the following command
sed 's/host=localhost/host=postgres password=password/' -i clair_config/config.yaml
STEP 3 : Deploying and populating the database
Use the following command to deploy only the Postgres container from the compose file
docker-compose up -d postgres
Now, we know that Clair downloads the CVE data at regular intervals, but the first pull can take some time, so we will do that manually. Start by downloading the data using the following command
curl -LO https://gist.githubusercontent.com/BenHall/34ae4e6129d81f871e353c63b6a869a7/raw/5818fba954b0b00352d07771fabab6b9daba5510/clair.sql
And then push this data into the Postgres container using
docker run -it \
  -v $(pwd):/sql/ \
  --network "${USER}_default" \
  --link clair_postgres:clair_postgres \
  postgres:latest \
  bash -c "PGPASSWORD=password psql -h clair_postgres -U postgres < /sql/clair.sql"
STEP 4 : Deploying Clair container
Now the database is ready to be used, and we can deploy the Clair container using the following command
docker-compose up -d clair
STEP 5 : Installing Klar
Clair works by accepting image layers via an HTTP API. To scan all the layers, we need a way to send each layer and aggregate the responses, so we will use Klar for that. Klar is a simple tool that analyzes images stored in a private or public Docker registry for security vulnerabilities using Clair. You can install it using the following command
curl -L https://github.com/optiopay/klar/releases/download/v1.5/klar-1.5-linux-amd64 -o /usr/local/bin/klar && chmod +x $_
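To make the two points above concrete (Clair correlates per request against the features it has indexed, and a client such as Klar pushes each layer and then queries the top one), here is an added example of a minimal Clair client in Python. It is my own illustration, not code from Clair or Klar. The endpoint paths (`POST /v1/layers`, `GET /v1/layers/{name}?features&vulnerabilities`) and the JSON field names are written from memory of the Clair v1 API served by the clair:v2.0.x image and should be checked against the version you deploy; the layer digests, blob URLs and the report below are constructed so that the block runs offline through a fake transport.

```python
import json
import urllib.request

# Severity names Clair uses, lowest to highest (the CLAIR_OUTPUT values listed on the page).
SEVERITIES = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]


def http_transport(method, url, body):
    """Real transport: send a JSON request to Clair and decode the JSON reply."""
    req = urllib.request.Request(url, data=body, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class ClairClient:
    """Minimal client for the Clair v1 HTTP API (assumed paths and JSON shapes, see lead-in)."""

    def __init__(self, addr, transport=http_transport):
        self.addr = addr.rstrip("/")      # e.g. the CLAIR_ADDR value http://localhost:6060
        self.transport = transport

    def push_layer(self, name, path, parent_name, headers=None):
        # POST /v1/layers: Clair fetches the layer blob from `path` itself, so the URL
        # must be reachable from the Clair container (a registry, or a local HTTP server).
        layer = {"Name": name, "Path": path, "ParentName": parent_name or "", "Format": "Docker"}
        if headers:                      # e.g. a registry Authorization header
            layer["Headers"] = headers
        return self.transport("POST", f"{self.addr}/v1/layers",
                              json.dumps({"Layer": layer}).encode())

    def vulnerabilities(self, name):
        # GET /v1/layers/{name}?features&vulnerabilities returns the features of this layer
        # and all its ancestors, each with the vulnerabilities that affect it; Clair does the
        # correlation now, against its current database, rather than re-reading the image.
        report = self.transport("GET", f"{self.addr}/v1/layers/{name}?features&vulnerabilities", None)
        found = []
        for feature in report.get("Layer", {}).get("Features", []):
            for vuln in feature.get("Vulnerabilities", []):
                severity = vuln.get("Severity", "Unknown")
                if severity not in SEVERITIES:   # anything unclassified is reported as Unknown
                    severity = "Unknown"
                found.append({"name": vuln["Name"], "severity": severity,
                              "feature": f"{feature['Name']} {feature.get('Version', '')}".strip(),
                              "description": vuln.get("Description", ""),
                              "link": vuln.get("Link", "")})
        return found


def scan_layers(client, layers):
    """Push every layer (base first, each chained to its parent), then query the top one."""
    parent = None
    for digest, blob_url in layers:
        client.push_layer(digest, blob_url, parent)
        parent = digest
    return client.vulnerabilities(parent) if parent else []


# ---- constructed sample data so the block runs offline ---------------------------------
SAMPLE_LAYERS = [  # (digest, blob URL) pairs as an image manifest would list them; made up
    ("sha256:aaaa", "http://registry.local/v2/app/blobs/sha256:aaaa"),
    ("sha256:bbbb", "http://registry.local/v2/app/blobs/sha256:bbbb"),
]
SAMPLE_REPORT = {  # shape of Clair's reply; the first CVE is the one shown on the page
    "Layer": {"Name": "sha256:bbbb", "Features": [
        {"Name": "imagemagick", "Version": "7.0.7-0", "Vulnerabilities": [
            {"Name": "CVE-2017-14532", "Severity": "High",
             "Description": "ImageMagick 7.0.7-0 has a NULL Pointer Dereference in TIFFIgnoreTags in coders/tiff.c.",
             "Link": "https://security-tracker.debian.org/tracker/CVE-2017-14532"}]},
        {"Name": "libexample", "Version": "1.0-1", "Vulnerabilities": [
            {"Name": "CVE-0000-0001", "Severity": "Bogus"}]},   # placeholder id, odd severity
    ]}
}


def make_fake_transport(report):
    """In-memory stand-in for http_transport that records what was posted."""
    posted = []

    def fake(method, url, body):
        if method == "POST":
            posted.append(json.loads(body)["Layer"])
            return {}
        return report
    fake.posted = posted
    return fake


def demo():
    transport = make_fake_transport(SAMPLE_REPORT)
    client = ClairClient("http://localhost:6060", transport)
    vulns = scan_layers(client, SAMPLE_LAYERS)
    return transport.posted, vulns


if __name__ == "__main__":
    posted, vulns = demo()
    print(f"Analysing {len(posted)} layers")
    print(f"Found {len(vulns)} vulnerabilities")
    for v in vulns:
        print(f"{v['name']}: [{v['severity']}] in {v['feature']}")
```

Against a real deployment you would pass `ClairClient("http://localhost:6060")` without a transport and feed `scan_layers` the digests and blob URLs from the registry manifest; the parent chain matters, because Clair only reports the features of a layer and its ancestors.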
Scanning Images
To scan an image, we provide the following inputs
- CLAIR_ADDR : server address where Clair is hosted, i.e. localhost at port 6060
- CLAIR_OUTPUT : severity threshold; vulnerabilities with a severity equal to or higher than this threshold will be shown. The supported values are Unknown, Negligible, Low, Medium, High, Critical and Defcon1.
- CLAIR_THRESHOLD : how many reported vulnerabilities Klar tolerates before returning exit code 1; the default is 0
So our final command looks like
CLAIR_ADDR=http://localhost:6060 CLAIR_OUTPUT=Low CLAIR_THRESHOLD=10 klar <image-name>
Understanding the output
The output of scanning an image will look something like this
Analysing 11 layers
Found 65 vulnerabilities
----------------------------------------
CVE-2017-14532: [High]
ImageMagick 7.0.7-0 has a NULL Pointer Dereference in TIFFIgnoreTags in coders/tiff.c.
https://security-tracker.debian.org/tracker/CVE-2017-14532
----------------------------------------
Unknown: 5
Negligible: 27
Low: 5
Medium: 19
High: 9
The output shows the following data
- Number of image layers scanned
- Number of vulnerabilities found
- Vulnerability identifier, severity level, description and a URL with more details about the vulnerability. These details are given for every vulnerability found in the image (I have shown only one for simplicity).
- Count of vulnerabilities grouped by severity level.
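The two Klar knobs described above (CLAIR_OUTPUT as a severity floor, CLAIR_THRESHOLD as the number of reported findings tolerated before the exit code becomes 1) and the layout of the output are easy to get wrong in a CI gate, so here is an added example that implements those semantics over a list of findings. It is my own illustration, not Klar's code. The findings are constructed: only CVE-2017-14532 is the one shown on the page, the CVE-0000-000N ids are placeholders, and the per-severity counts are taken over everything found, which is what makes them add up to the Found total in the sample output above.

```python
import os
import sys

# Klar's severity order, lowest first (the CLAIR_OUTPUT values listed on the page).
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]


def normalize(severity):
    """Anything Clair did not classify is treated as Unknown, the lowest level."""
    return severity if severity in SEVERITY_ORDER else "Unknown"


def select_reported(vulns, clair_output="Unknown"):
    """CLAIR_OUTPUT: keep findings whose severity is equal to or higher than the floor."""
    if clair_output not in SEVERITY_ORDER:
        raise ValueError(f"unsupported CLAIR_OUTPUT {clair_output!r}; use one of {SEVERITY_ORDER}")
    floor = SEVERITY_ORDER.index(clair_output)
    return [v for v in vulns if SEVERITY_ORDER.index(normalize(v["severity"])) >= floor]


def count_by_severity(vulns):
    """Per-severity totals, printed lowest first, over everything found (not only what is shown)."""
    counts = {}
    for v in vulns:
        key = normalize(v["severity"])
        counts[key] = counts.get(key, 0) + 1
    return {s: counts[s] for s in SEVERITY_ORDER if s in counts}


def exit_code(reported, clair_threshold=0):
    """CLAIR_THRESHOLD: return 1 once more than this many findings were reported, else 0."""
    return 1 if len(reported) > clair_threshold else 0


def render(layers, all_vulns, reported):
    """Produce output in the same layout as the sample on the page."""
    lines = [f"Analysing {layers} layers", f"Found {len(all_vulns)} vulnerabilities", "-" * 40]
    for v in reported:
        lines += [f"{v['name']}: [{normalize(v['severity'])}]", v["description"], v["link"], "-" * 40]
    lines += [f"{s}: {n}" for s, n in count_by_severity(all_vulns).items()]
    return "\n".join(lines)


def run(vulns, clair_output, clair_threshold, layers):
    """Apply both knobs and return (text to print, process exit code)."""
    reported = select_reported(vulns, clair_output)
    return render(layers, vulns, reported), exit_code(reported, clair_threshold)


# Constructed sample findings; only the first id is the one shown on the page.
SAMPLE_VULNS = [
    {"name": "CVE-2017-14532", "severity": "High",
     "description": "ImageMagick 7.0.7-0 has a NULL Pointer Dereference in TIFFIgnoreTags in coders/tiff.c.",
     "link": "https://security-tracker.debian.org/tracker/CVE-2017-14532"},
    {"name": "CVE-0000-0001", "severity": "Medium", "description": "placeholder", "link": ""},
    {"name": "CVE-0000-0002", "severity": "Low", "description": "placeholder", "link": ""},
    {"name": "CVE-0000-0003", "severity": "Negligible", "description": "placeholder", "link": ""},
    {"name": "CVE-0000-0004", "severity": "Unknown", "description": "placeholder", "link": ""},
]


if __name__ == "__main__":
    # Same environment variables as the klar invocation on the page; defaults match it.
    text, code = run(SAMPLE_VULNS,
                     os.environ.get("CLAIR_OUTPUT", "Low"),
                     int(os.environ.get("CLAIR_THRESHOLD", "10")),
                     layers=11)
    print(text)
    sys.exit(code)
```

Note the asymmetry this makes visible: with CLAIR_OUTPUT=Low the Unknown and Negligible findings are neither shown nor counted against CLAIR_THRESHOLD, so a gate that sets a high floor and a non-zero threshold can pass an image that still carries many lower-severity findings; the summary counts at the bottom are where they remain visible.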
Prevention through benchmarking
Though Clair is a great tool for mitigating threats in a container, it is always advisable to follow best practices, and one such practice is benchmarking your container. Just as with electronics, a benchmark can say a lot about your container. The Center for Internet Security (CIS) Docker Benchmark is a reference document that developers can use to establish a secure configuration baseline for Docker. CIS Benchmarks are developed by an open community of security practitioners. The document for Docker benchmarking can be found here.