CN115189934A - Automatic configuration security detection method and system for Kubernetes - Google Patents
- Publication number
- CN115189934A (application CN202210789926.8A)
- Authority
- CN
- China
- Prior art keywords
- configuration
- kubernetes
- detection
- rule
- environment
- Prior art date
- Legal status
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/0803—Configuration setting
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/2866—Architectures; Arrangements
- H04L67/30—Profiles
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides an automatic configuration security detection method and system for Kubernetes, comprising the following steps: defining the following security configuration detection rules: a data file permission detection rule for the Kubernetes environment, a dangerous parameter configuration detection rule for the Kubernetes environment, a dangerous version detection rule for the Kubernetes environment, and a dangerous Capabilities detection rule for Pod configuration; acquiring the basic configuration information of the Kubernetes environment, checking data file permissions, parameter configuration and YAML configuration files, and performing rule matching against the acquired target environment settings; and sorting and analyzing the detection results of the benchmark test step. On the basis of the existing basic configuration detection rules, the invention achieves more comprehensive detection of the security configuration of the Kubernetes environment.
Description
Technical Field
The invention relates to the technical field of network security and virtualization, in particular to a Kubernetes-oriented automatic configuration security detection method and system.
Background
With the continuing development of virtualization technology, Kubernetes, a production-grade container orchestration engine, has come into wide use, and according to surveys its adoption rate has currently reached 48%. The security of such container orchestration engines is becoming a focus of attention, because enterprises usually deploy various key services and data in Kubernetes clusters, and to protect the important services and data that enterprises store in the cloud, the risk of container escape must be avoided. Because an insecure container configuration can lead to a serious security breach, baseline detection of the container before it goes into operation is necessary.
The existing detection method is based on the CIS Kubernetes security benchmark and addresses the security problems in basic configuration detection of a Kubernetes environment from the aspects of master node services, node services, security controls and the like. Its problem is that the many individually configured Pods encountered in practical use of a Kubernetes environment are only described by the relatively single, generic detection rules of a security standard, so accurate and targeted security detection is difficult to achieve; moreover, as container orchestration engines come into wide use, container escape vulnerabilities related to Kubernetes environment security are gradually being exposed.
Patent document CN111865971A discloses a Kubernetes service container security detection method based on a sidecar scheme, which includes: integrating LSM- and/or Rootkit-based security modules into the kernel; adding a unified sidecar container for each Kubernetes service container in the Pod that needs monitoring and control, and enabling a shared process namespace for the multiple containers in the Pod; and having the monitoring process in the sidecar container communicate with the kernel, so that the monitoring process cooperates with the security module and the processes and file system in the Kubernetes service container are monitored and controlled according to the security monitoring options in the sidecar container. However, this patent document still has the defect that the detection rules are described only according to a relatively single, generic security standard, so accurate and targeted security detection is difficult to achieve.
Disclosure of Invention
In view of the defects in the prior art, the invention aims to provide an automatic configuration security detection method and system for Kubernetes.
The invention provides an automatic configuration security detection method for Kubernetes, comprising the following steps:
a rule definition step: defining the following security configuration detection rules: a data file permission detection rule for the Kubernetes environment, a dangerous parameter configuration detection rule for the Kubernetes environment, a dangerous version detection rule for the Kubernetes environment, and a dangerous Capabilities detection rule for Pod configuration;
a benchmark test step: acquiring the basic configuration information of the Kubernetes environment based on the rules defined in the rule definition step, checking data file permissions, parameter configuration and YAML configuration files, and performing rule matching against the acquired target environment settings;
a sorting and analyzing step: sorting and analyzing the detection results of the benchmark test step.
Preferably, in the rule definition step, the security configuration detection rules are defined according to the CIS Kubernetes security baseline, and security restrictions are imposed on data file permissions and parameter configuration in the Kubernetes environment.
Preferably, in the rule definition step, the dangerous version detection rule for the Kubernetes environment is a custom rule designed to suit a preset environment by taking into account container escape vulnerabilities related to Kubernetes security;
in the rule definition step, the dangerous Capabilities detection rule for Pod configuration is a custom rule designed to suit a preset environment by taking into account high-risk Capabilities known to cause container escape.
Preferably, in the benchmark test step, based on the security configuration detection rules, the baseline check determines whether high-risk configuration risk information exists in the Kubernetes environment, whether the Kubernetes environment meets the triggering conditions of related vulnerabilities, and whether Pods configured with high-risk Capabilities exist in the Kubernetes environment; an alarm is triggered on the risky configuration information, and the detection result is recorded.
Preferably, according to the dangerous version detection rule for the Kubernetes environment, it is judged whether high-risk configuration risk information exists in the Kubernetes environment and whether the Kubernetes environment meets the triggering conditions of related vulnerabilities;
and according to the dangerous Capabilities detection rule for Pod configuration, it is judged whether Pods with high-risk Capabilities exist in the Kubernetes environment, an alarm is triggered on the dangerous configuration information, and the detection result is recorded.
Preferably, the specific process for detecting container escape risk is as follows: before the container goes into operation, protection is provided against container escape vulnerabilities related to the Kubernetes environment, the conditions under which known security risks arise are removed, and container escape risk is avoided at the configuration level.
Preferably, the matching and processing procedure of the benchmark test rules is as follows: according to the security configuration items defined in the benchmark test rules, rule matching is performed on the acquired basic configuration information of the Kubernetes environment during the test, and the detection result is recorded.
Preferably, the sorting and analyzing step specifically comprises:
according to the CIS guiding principles and the practical application in the scenario, dividing the results into three threat levels, namely high, medium and low, in the detection report, and outputting the detailed detection results as required.
Preferably, the threat level classification specifically includes:
problems that would lead to a risk of container escape are classified as high threat level; problems related to security configuration parameters and configuration file permission settings in the Kubernetes environment are classified as medium threat level; problems listed as security recommendations in the CIS Kubernetes security benchmark are classified as low threat level.
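As an added illustration (not code from the patent or its applicant), the three steps above can be sketched as a small rule engine in Python: each rule carries the threat level the patent assigns to its category, the benchmark test step matches the rules against an acquired configuration snapshot, and the sorting step groups the findings into high, medium and low for the report. The kube-apiserver flags checked are real CIS benchmark items, but the file-mode threshold, the high-risk capability set, the "affected version" boundary and the snapshot itself are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

HIGH, MEDIUM, LOW = "high", "medium", "low"
LEVEL_ORDER = {HIGH: 0, MEDIUM: 1, LOW: 2}

# Assumed thresholds for this example; none of these values come from the patent.
MAX_FILE_MODE = 0o600                                       # data files no more permissive than this
HIGH_RISK_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE"}  # assumed escape-relevant capability set
AFFECTED_BELOW = (1, 20, 0)                                 # placeholder boundary of an affected range

@dataclass
class Finding:
    rule_id: str
    level: str
    detail: str

@dataclass
class Rule:
    rule_id: str
    level: str                           # threat level assigned per the patent's scheme
    check: Callable[[dict], List[str]]   # returns one detail string per violation

def parse_version(text: str) -> tuple:
    """'v1.18.2' -> (1, 18, 2); '1.25.3-gke.1' -> (1, 25, 3)."""
    core = text.lstrip("v").split("-")[0]
    return tuple(int(p) for p in core.split("."))

def check_file_perms(snap: dict) -> List[str]:
    # Rule 1: data file permission rule (CIS-style, medium threat)
    return [f"{path} mode {mode:o} exceeds {MAX_FILE_MODE:o}"
            for path, mode in snap["files"].items() if mode & 0o777 & ~MAX_FILE_MODE]

def check_dangerous_params(snap: dict) -> List[str]:
    # Rule 2: dangerous parameter configuration rule (medium threat)
    args, out = snap["apiserver_args"], []
    if args.get("--anonymous-auth") != "false":
        out.append("--anonymous-auth is not set to false")
    if "AlwaysAllow" in args.get("--authorization-mode", ""):
        out.append("--authorization-mode includes AlwaysAllow")
    return out

def check_dangerous_version(snap: dict) -> List[str]:
    # Rule 3: dangerous version rule (high threat): is a vulnerability's trigger condition met?
    if parse_version(snap["version"]) < AFFECTED_BELOW:
        return [f"version {snap['version']} is inside the assumed affected range"]
    return []

def check_pod_capabilities(snap: dict) -> List[str]:
    # Rule 4: dangerous Capabilities in Pod configuration (high threat)
    out = []
    for pod in snap["pods"]:
        for c in pod["spec"]["containers"]:
            sc = c.get("securityContext") or {}
            bad = set((sc.get("capabilities") or {}).get("add") or []) & HIGH_RISK_CAPS
            if sc.get("privileged"):          # privileged implies every capability
                bad.add("privileged")
            if bad:
                out.append(f"pod {pod['metadata']['name']}/{c['name']}: {sorted(bad)}")
    return out

def check_audit_log(snap: dict) -> List[str]:
    # Rule 5: a CIS recommendation item (low threat)
    return [] if snap["apiserver_args"].get("--audit-log-path") else ["--audit-log-path not set"]

RULES = [
    Rule("file-perms", MEDIUM, check_file_perms),
    Rule("dangerous-params", MEDIUM, check_dangerous_params),
    Rule("dangerous-version", HIGH, check_dangerous_version),
    Rule("pod-capabilities", HIGH, check_pod_capabilities),
    Rule("cis-audit-log", LOW, check_audit_log),
]

def run_benchmark(snap: dict, rules=RULES) -> List[Finding]:
    """Benchmark test step: match every rule against the acquired configuration."""
    return [Finding(r.rule_id, r.level, d) for r in rules for d in r.check(snap)]

def sort_and_analyse(findings: List[Finding]) -> Dict[str, List[str]]:
    """Sorting and analyzing step: group findings under high/medium/low for the report."""
    report: Dict[str, List[str]] = {HIGH: [], MEDIUM: [], LOW: []}
    for f in sorted(findings, key=lambda x: LEVEL_ORDER[x.level]):
        report[f.level].append(f"[{f.rule_id}] {f.detail}")
    return report

# Constructed snapshot standing in for the acquired basic configuration information.
SNAPSHOT = {
    "files": {"/etc/kubernetes/admin.conf": 0o644, "/etc/kubernetes/pki/ca.key": 0o600},
    "apiserver_args": {"--anonymous-auth": "true", "--authorization-mode": "Node,AlwaysAllow"},
    "version": "v1.18.2",
    "pods": [
        {"metadata": {"name": "web"}, "spec": {"containers": [
            {"name": "app", "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE"]}}}]}},
        {"metadata": {"name": "agent"}, "spec": {"containers": [
            {"name": "c", "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}}}]}},
    ],
}
```

Running `sort_and_analyse(run_benchmark(SNAPSHOT))` on the constructed snapshot yields two high findings (the version and the privileged Pod with SYS_ADMIN), three medium (admin.conf mode 644 and the two apiserver flags) and one low (no audit log path).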
The invention also provides an automatic configuration security detection system for Kubernetes, comprising the following modules:
a rule definition module: defines the following security configuration detection rules: a data file permission detection rule for the Kubernetes environment, a dangerous parameter configuration detection rule for the Kubernetes environment, a dangerous version detection rule for the Kubernetes environment, and a dangerous Capabilities detection rule for Pod configuration;
a benchmark test module: acquires the basic configuration information of the Kubernetes environment based on the rules defined in the rule definition step, checks data file permissions, parameter configuration and YAML configuration files, and performs rule matching against the acquired target environment settings;
a sorting and analyzing module: sorts and analyzes the detection results of the benchmark test step.
Compared with the prior art, the invention has the following beneficial effects:
1. on the basis of the existing basic configuration detection rules, the invention achieves more comprehensive detection of the security configuration of the Kubernetes environment;
2. the method can be used for Kubernetes baseline checking and analysis of environment security, and can perform individual detection of known container escape risks;
3. the invention alerts in a timely manner on intrusion risks that the configuration information of the current environment may cause, and removes the conditions under which known security risks arise, so that serious container escape risks present in Kubernetes are avoided at the configuration level.
Drawings
Other features, objects and advantages of the invention will become more apparent upon reading of the detailed description of non-limiting embodiments with reference to the following drawings:
FIG. 1 is a flow chart of the steps of the automatic configuration security detection method for Kubernetes according to the present invention;
FIG. 2 is a block diagram of the automatic configuration security detection system for Kubernetes according to the present invention;
FIG. 3 is a simplified flow chart of the steps of the automatic configuration security detection method for Kubernetes according to the present invention.
Detailed Description
The present invention will be described in detail with reference to specific examples. The following examples will help those skilled in the art to further understand the present invention, but are not intended to limit the invention in any manner. It should be noted that it will be obvious to those skilled in the art that various changes and modifications can be made without departing from the spirit of the invention, all of which fall within the scope of the present invention.
Example 1:
As shown in FIG. 1, the present embodiment provides an automatic configuration security detection method for Kubernetes, which includes the following steps:
a rule definition step: defining the following security configuration detection rules: a data file permission detection rule for the Kubernetes environment, a dangerous parameter configuration detection rule for the Kubernetes environment, a dangerous version detection rule for the Kubernetes environment, and a dangerous Capabilities detection rule for Pod configuration; the security configuration detection rules are defined according to the CIS Kubernetes security baseline, and security restrictions are imposed on data file permissions and parameter configuration in the Kubernetes environment; the dangerous version detection rule for the Kubernetes environment is a custom rule designed to suit a preset environment by taking into account container escape vulnerabilities related to Kubernetes security; the dangerous Capabilities detection rule for Pod configuration is a custom rule designed to suit the preset environment by taking into account high-risk Capabilities known to cause container escape.
a benchmark test step: acquiring the basic configuration information of the Kubernetes environment based on the rules defined in the rule definition step, checking data file permissions, parameter configuration and YAML configuration files, and performing rule matching against the acquired target environment settings; based on the security configuration detection rules, the baseline check judges whether high-risk configuration risk information exists in the Kubernetes environment, whether the Kubernetes environment meets the triggering conditions of related vulnerabilities, and whether Pods configured with high-risk Capabilities exist in the Kubernetes environment, triggers an alarm on the risky configuration information and records the detection result; according to the dangerous version detection rule for the Kubernetes environment, it is judged whether high-risk configuration risk information exists in the Kubernetes environment and whether the Kubernetes environment meets the triggering conditions of related vulnerabilities; according to the dangerous Capabilities detection rule for Pod configuration, it is judged whether Pods with high-risk Capabilities exist in the Kubernetes environment, an alarm is triggered on the dangerous configuration information and the detection result is recorded; the matching and processing procedure of the benchmark test rules is as follows: according to the security configuration items defined in the benchmark test rules, rule matching is performed on the acquired basic configuration information of the Kubernetes environment during the test, and the detection result is recorded.
a sorting and analyzing step: sorting and analyzing the detection results of the benchmark test step, specifically: according to the CIS guiding principles and the practical application in the scenario, the results are divided into three threat levels, high, medium and low, in the detection report, and the detailed detection results are output as required. The threat level classification specifically comprises: problems that would lead to a risk of container escape are classified as high threat level; problems related to security configuration parameters and configuration file permission settings in the Kubernetes environment are classified as medium threat level; problems listed as security recommendations in the CIS Kubernetes security benchmark are classified as low threat level.
The specific process for detecting container escape risk is as follows: before the container goes into operation, protection is provided against container escape vulnerabilities related to the Kubernetes environment, the conditions under which known security risks arise are removed, and container escape risk is avoided at the configuration level.
The method of this embodiment comprises the following: first, a custom rule suited to the specific environment is designed by taking into account container escape vulnerabilities related to Kubernetes security, and during detection it is judged whether high-risk configuration risk information exists in the Kubernetes environment and whether the triggering conditions of related vulnerabilities are met; second, a custom rule suited to the specific environment is designed by taking into account high-risk Capabilities known to cause container escape, and during detection it is judged whether Pods with high-risk Capabilities exist in the Kubernetes environment; and finally, the detection results are analyzed and organized, threat levels are classified, and detailed detection results are output as required. The method and system can perform individual detection of known container escape risks, alert in a timely manner on intrusion risks that the configuration information of the current environment may cause, and remove the conditions under which known security risks arise, so that serious container escape risks present in Kubernetes are avoided at the configuration level.
The method of this embodiment can collect the basic configuration information of the container environment, detect the security of the system environment configuration according to the benchmark test rules, and avoid potential container escape risks. The benchmark test rules include the CIS benchmark test standard, the dangerous Capabilities detection rule, and the dangerous version detection rule suited to the particular environment. The benchmark test module matches the acquired basic configuration information of the container environment against the benchmark detection rules, retains detailed information on dangerous system configurations, outputs a final detection report after sorting and analyzing the detection results, raises alarms, and gives improvement suggestions for potential escape risks.
Example 2:
As shown in FIG. 2, this embodiment further provides an automatic configuration security detection system for Kubernetes, which includes the following modules:
a rule definition module: defines the following security configuration detection rules: a data file permission detection rule for the Kubernetes environment, a dangerous parameter configuration detection rule for the Kubernetes environment, a dangerous version detection rule for the Kubernetes environment, and a dangerous Capabilities detection rule for Pod configuration;
a benchmark test module: acquires the basic configuration information of the Kubernetes environment based on the rules defined in the rule definition step, checks data file permissions, parameter configuration and YAML configuration files, and performs rule matching against the acquired target environment settings;
a sorting and analyzing module: sorts and analyzes the detection results of the benchmark test step.
Example 3:
Those skilled in the art will understand this embodiment as a more specific description of embodiments 1 and 2.
This embodiment provides an automatic configuration security detection system for Kubernetes, which comprises the following modules: a security configuration detection rule module, a rule-based benchmark test module, and a final detection result sorting and analyzing module;
a security configuration detection rule module: defines the data file permission detection rule for the Kubernetes environment, detects dangerous parameter configuration, defines the dangerous Capabilities detection rule for Pod configuration by taking into account high-risk Capabilities that can cause container escape, and defines the dangerous version detection rule suited to a specific environment by taking into account container escape vulnerabilities related to Kubernetes security.
A rule-based benchmark test module: acquires the basic configuration information of the Kubernetes environment, checks data file permissions, parameter configuration and YAML configuration files, performs rule matching against the acquired target environment settings, judges during the baseline check whether high-risk configuration risk information exists in the Kubernetes environment, whether the triggering conditions of related vulnerabilities are met, and whether Pods configured with high-risk Capabilities exist in the Kubernetes environment, triggers an alarm on the risky configuration information and records the detection result.
A detection result sorting and analyzing module: sorts and analyzes the baseline detection results, divides the results into high, medium and low threat levels in the detection report according to the CIS guiding principles and the practical application in the scenario, outputs detailed detection results as required and provides improvement suggestions.
Security configuration detection rules are defined. The security configuration detection rules are defined according to the CIS Kubernetes security baseline, and security restrictions are imposed on data file permissions and parameter configuration of the Kubernetes environment.
Dangerous version detection rule for the Kubernetes environment. A custom rule suited to the specific environment is designed by taking into account container escape vulnerabilities related to Kubernetes security, and during detection it is judged whether high-risk configuration risk information exists in the Kubernetes environment and whether the triggering conditions of related vulnerabilities are met.
Dangerous Capabilities detection rule for Pod configuration. A custom rule suited to the specific environment is designed by taking into account high-risk Capabilities known to cause container escape, and during detection it is judged whether Pods with high-risk Capabilities exist in the Kubernetes environment.
Before the container goes into operation, protection is provided against security problems such as container escape vulnerabilities related to the Kubernetes environment, the conditions under which known security risks arise are removed, and container escape risk is avoided at the configuration level.
Matching and processing of the benchmark test rules. According to the security configuration items defined in the benchmark test rules, rule matching is performed on the acquired basic configuration information of the Kubernetes environment during the test, and the detection result is recorded.
Sorting and analyzing the baseline detection results. According to the CIS guiding principles and the practical application in the scenario, the results are divided into three threat levels, high, medium and low, in the detection report, and the detailed detection results are output as required.
The method of this embodiment designs a custom rule suited to the specific environment by taking into account container escape vulnerabilities related to Kubernetes security, detects high-risk configuration risk information of the Kubernetes environment and whether the triggering conditions of related vulnerabilities are met, achieves more comprehensive detection of the security configuration of the Kubernetes environment on the basis of the existing basic configuration detection rules, specifically performs individual detection of known container escape risks, alerts in a timely manner on intrusion risks that the configuration information of the current environment may cause, and avoids serious container escape risks present in Kubernetes at the security configuration level.
First, the basic configuration information of the Kubernetes environment is acquired, and data file permissions and parameter configuration are checked. Second, the YAML configuration files are checked for dangerous version configurations or dangerous Capabilities. Finally, the detection results are organized, divided into high, medium and low threat levels in the detection report according to the CIS guiding principles and the practical application in the scenario, and the detailed detection results are output as required.
Example 4:
Those skilled in the art will understand this embodiment as a more specific description of embodiments 1 and 2.
The method first defines the security configuration detection rules according to the CIS Kubernetes security baseline and performs a baseline check of data file permissions and parameter configuration of the Kubernetes environment; second, a dangerous version detection rule and a dangerous Capabilities detection rule are defined by taking into account the container escape risks related to Kubernetes security, it is judged during the baseline check whether high-risk configuration risk information exists in the Kubernetes environment, and the detection result is recorded. Finally, the detection results are analyzed and organized, threat levels are classified, detailed detection results are output as required, and improvement suggestions are provided.
Further, the security configuration detection rules are based on the CIS Kubernetes security baseline, and security restrictions are imposed on data file permissions and parameter configuration of the Kubernetes environment.
Further, the dangerous version detection rule for the Kubernetes environment is a rule defined to suit a specific environment by taking into account the container escape vulnerabilities related to Kubernetes security; according to this rule, it can be judged during detection whether high-risk configuration risk information exists in the Kubernetes environment and whether the triggering conditions of related vulnerabilities are met.
Further, the dangerous Capabilities detection rule for Pod configuration is a rule defined on the basis of high-risk Capabilities known to cause container escape; according to this rule, it can be judged during detection whether Pods configured with high-risk Capabilities exist in the Kubernetes environment.
Further, the process of detecting container escape risk includes, before the container goes into operation, protecting against security problems such as container escape vulnerabilities related to the Kubernetes environment, removing the conditions under which known security risks arise, and avoiding container escape risk at the configuration level.
Further, the benchmark test rule matching and processing procedure includes performing rule matching on the acquired basic configuration information of the Kubernetes environment during the test according to the security configuration items defined in the benchmark test rules, recording the detection result, and recording detailed information on dangerous system configurations.
Further, the process of sorting and analyzing the baseline detection results divides the results into three threat levels, high, medium and low, in the detection report according to the CIS guiding principles and the practical application in the scenario, and outputs the detailed detection results as required.
Further, the threat level classification specifically includes: problems that may cause a risk of container escape are classified as high threat level, and if the detection result is a failure, close attention is required; problems related to security configuration parameters, configuration file permission settings and the like in the Kubernetes environment are classified as medium threat level, and if the detection result is a failure, the configuration is changed according to the improvement suggestion; problems listed as security recommendation items in the CIS Kubernetes security benchmark are classified as low threat level, and serve only as a prompt in the detection result.
Example 5:
those skilled in the art will understand this embodiment as a more specific description of embodiments 1 and 2.
The present embodiment provides an automatic configuration security detection method for kubernets, a flowchart of the method is shown in fig. 3, and a specific flow of the method of the present embodiment is as follows:
Step one: define the security configuration detection rules. Basic configuration detection rules for the Kubernetes environment are defined according to the CIS Kubernetes security baseline, covering checks of data file permissions and dangerous parameter configurations. In addition, a dangerous Capabilities detection rule for Pod configurations is defined from the known high-risk Capabilities that can lead to container escape, and a dangerous version detection rule suited to the specific environment is designed from the container escape vulnerabilities relating to Kubernetes security, so that potential container escape risks are discovered during basic configuration detection.
Step two: carry out an automatic benchmark test against the defined security rules. Basic configuration information of the Kubernetes environment is acquired; data file permissions, parameter configurations and yaml configuration files are checked; and rule matching is performed against the acquired target environment settings. During the baseline check it is determined whether high-risk configuration information exists in the Kubernetes environment, whether the conditions for triggering the related vulnerabilities are met, and whether any Pod is configured with high-risk Capabilities; an alarm is triggered for risky configuration information and the detection result is recorded.
Step three: sort and analyze the baseline detection results. According to the CIS guidelines and their practical application in the given scenario, the results are divided into three threat levels (high, medium and low) in the detection report, detailed detection results are output as required, potential escape risks are alarmed and improvement suggestions are given. By alarming on security problems such as container escape vulnerabilities relating to the Kubernetes environment before the containers run, and by improving the basic configuration of the environment so that the conditions under which known security risks occur are no longer met, container escape risks are avoided at the configuration level.
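As an added example (not the patent's own code), the following Python sketch implements the three steps above and the threat-level classification described earlier as one rule-driven checker: step one defines rules for manifest file permissions, a dangerous API server parameter, a dangerous component version and dangerous Pod Capabilities; step two matches every rule against a collected environment snapshot; step three sorts the findings into a high, medium and low report. The environment snapshot, the high-risk capability list, the version threshold and the advisory identifier are constructed for illustration; the 0644 file mode and the `--anonymous-auth=false` requirement follow the CIS Kubernetes Benchmark.

```python
"""Rule-based Kubernetes configuration checker following the patent's three steps.
Added example, not the patent's code; thresholds, flags and sample data are constructed."""
import json
from dataclasses import dataclass

HIGH, MEDIUM, LOW = "high", "medium", "low"
# Assumption: capabilities this example treats as enabling container escape.
HIGH_RISK_CAPABILITIES = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "DAC_READ_SEARCH"}
# Constructed dangerous-version rule: versions below the "fixed in" tuple are
# flagged; the advisory id is a placeholder, not a real identifier.
DANGEROUS_VERSIONS = {"kubelet": ((1, 20, 0), "ADVISORY-PLACEHOLDER")}

@dataclass
class Finding:
    rule: str
    level: str
    detail: str

# ---- Step one: rule definitions; each returns one detail string per failure ----
def check_file_modes(env: dict) -> list[str]:
    # CIS-style check: manifest files must be 0644 or more restrictive, i.e. no
    # execute bits and no group/other write bits (mask 0o133).
    return [f"{path} has mode {oct(mode)}, more permissive than 0644"
            for path, mode in env["file_modes"].items() if mode & 0o133]

def check_apiserver_flags(env: dict) -> list[str]:
    # CIS Kubernetes Benchmark 1.2.1: kube-apiserver must run with --anonymous-auth=false.
    if env["apiserver_flags"].get("--anonymous-auth", "true") != "false":
        return ["kube-apiserver --anonymous-auth is not set to false"]
    return []

def check_versions(env: dict) -> list[str]:
    out = []
    for component, (fixed_in, advisory) in DANGEROUS_VERSIONS.items():
        version = env["versions"].get(component)
        if version is None:
            continue
        running = tuple(int(p) for p in version.lstrip("v").split("."))
        if running < fixed_in:
            out.append(f"{component} {version} is affected by {advisory}")
    return out

def check_pod_capabilities(env: dict) -> list[str]:
    out = []
    for pod in env["pods"]:
        for c in pod["spec"]["containers"]:
            ident = f"{pod['metadata']['name']}/{c['name']}"
            sc = c.get("securityContext", {})
            if sc.get("privileged"):
                out.append(f"{ident} runs privileged")
            risky = set(sc.get("capabilities", {}).get("add", [])) & HIGH_RISK_CAPABILITIES
            if risky:
                out.append(f"{ident} adds high-risk capabilities {sorted(risky)}")
    return out

def check_seccomp(env: dict) -> list[str]:
    # Recommendation-level item: a Pod without a seccomp profile only gets a prompt.
    return [f"{pod['metadata']['name']} has no seccompProfile"
            for pod in env["pods"]
            if "seccompProfile" not in pod["spec"].get("securityContext", {})]

RULES = [  # (rule name, threat level, check function)
    ("pod-high-risk-capabilities", HIGH, check_pod_capabilities),
    ("dangerous-component-version", HIGH, check_versions),
    ("apiserver-anonymous-auth", MEDIUM, check_apiserver_flags),
    ("manifest-file-permissions", MEDIUM, check_file_modes),
    ("pod-seccomp-profile", LOW, check_seccomp),
]

# ---- Step two: benchmark test, matching every rule against the snapshot ----
def run_benchmark(env: dict) -> list[Finding]:
    return [Finding(name, level, d) for name, level, check in RULES for d in check(env)]

# ---- Step three: sort findings into the high/medium/low report ----
def build_report(findings: list[Finding]) -> dict[str, list[str]]:
    report: dict[str, list[str]] = {HIGH: [], MEDIUM: [], LOW: []}
    for f in findings:
        report[f.level].append(f"[{f.rule}] {f.detail}")
    return report

# Constructed environment snapshot standing in for what a collector would gather.
SAMPLE_ENV = {
    "file_modes": {"/etc/kubernetes/manifests/kube-apiserver.yaml": 0o644,
                   "/etc/kubernetes/manifests/etcd.yaml": 0o666},
    "apiserver_flags": {"--anonymous-auth": "true"},
    "versions": {"kubelet": "v1.19.2"},
    "pods": json.loads("""[
      {"metadata": {"name": "debug-tools"}, "spec": {"containers": [{"name": "shell",
        "securityContext": {"capabilities": {"add": ["SYS_ADMIN", "NET_BIND_SERVICE"]}}}]}},
      {"metadata": {"name": "web"}, "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "nginx", "securityContext": {"capabilities": {"drop": ["ALL"]}}}]}}]"""),
}

if __name__ == "__main__":
    for level, items in build_report(run_benchmark(SAMPLE_ENV)).items():
        print(level.upper(), *items, sep="\n  ")
```

Each rule carries its threat level, so the report groups findings the way the detection report in the text does: the SYS_ADMIN Pod and the outdated kubelet land in the high group, the permissive etcd manifest and the anonymous-auth flag in the medium group, and the missing seccomp profile is only a low-level prompt. A real collector would fill the snapshot from the node's file system, the kube-apiserver command line and the API (`kubectl get pods -A -o json`), while the rule functions stay unchanged.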
The automatic configuration security detection method for Kubernetes provided by this embodiment can be used for Kubernetes baseline checking and analysis of environment security. First, a custom rule suited to the specific environment is designed from the container escape vulnerabilities relating to Kubernetes security, and the detection process determines whether high-risk configuration information exists in the Kubernetes environment and whether the conditions for triggering the related vulnerabilities are met. Second, a custom rule suited to the specific environment is designed from the high-risk Capabilities known to cause container escape, and the detection process determines whether the Kubernetes environment contains a Pod with high-risk Capabilities. Finally, the detection results are analyzed and sorted, threat levels are classified, and detailed detection results are output as required. The method and system can detect known container escape risks individually, promptly alarm and output the intrusion risks that the configuration of the current environment may cause, and remove the conditions under which known security risks occur, so that serious container escape risks in Kubernetes are avoided at the configuration level.
This embodiment also provides an automatic configuration security detection system for Kubernetes, which can be implemented through the step flow of the automatic configuration security detection method for Kubernetes described above; those skilled in the art will understand the automatic configuration security detection method for Kubernetes as a preferred example of the automatic configuration security detection system for Kubernetes.
On the basis of detecting the existing basic configuration rules, the invention achieves a more comprehensive detection of the security configuration of the Kubernetes environment.
Those skilled in the art know that, in addition to implementing the system and its various devices, modules and units provided by the present invention purely as computer-readable program code, the same functions can be implemented entirely by logically programming the method steps in the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Therefore, the system and its various devices, modules and units provided by the invention can be regarded as hardware components, and the devices, modules and units included in the system for realizing various functions can also be regarded as structures within the hardware components; the devices, modules and units for realizing various functions can also be regarded both as software modules for implementing the method and as structures within hardware components.
The foregoing has described specific embodiments of the present invention. It is to be understood that the present invention is not limited to the specific embodiments described above, and that various changes or modifications may be made by those skilled in the art within the scope of the appended claims without departing from the spirit of the invention. The embodiments and the features of the embodiments of the present application may be combined with each other arbitrarily where no conflict arises.
Claims (10)
1. An automatic configuration security detection method for Kubernetes, characterized by comprising the following steps:
a rule definition step: the following security configuration detection rules are defined: a data file permission detection rule for the Kubernetes environment, a detection rule for dangerous parameter configurations in the Kubernetes environment, a dangerous version detection rule for the Kubernetes environment and a detection rule for dangerous Capabilities in Pod configurations;
a benchmark test step: based on the rules defined in the rule definition step, acquiring basic configuration information of the Kubernetes environment, checking data file permissions, parameter configurations and yaml configuration files, and performing rule matching against the acquired target environment settings;
a sorting and analyzing step: sorting and analyzing the detection results of the benchmark test step.
2. The automatic configuration security detection method for Kubernetes according to claim 1, wherein in the rule definition step the security configuration detection rules are defined according to the CIS Kubernetes security baseline, and security restrictions are applied to the data file permissions and parameter configurations of the Kubernetes environment.
3. The automatic configuration security detection method for Kubernetes according to claim 1, wherein in the rule definition step the dangerous version detection rule for the Kubernetes environment is a custom rule designed to suit a preset environment from container escape vulnerabilities relating to Kubernetes security;
in the rule definition step, the detection rule for dangerous Capabilities in Pod configurations is a custom rule designed to suit a preset environment from high-risk Capabilities known to cause container escape.
4. The automatic configuration security detection method for Kubernetes according to claim 1, wherein in the benchmark test step, based on the security configuration detection rules, it is determined during the baseline check whether high-risk configuration information exists in the Kubernetes environment, whether the Kubernetes environment meets the conditions for triggering the related vulnerabilities and whether any Pod configured with high-risk Capabilities exists in the Kubernetes environment, and an alarm is triggered for the risky configuration information and the detection result is recorded.
5. The automatic configuration security detection method for Kubernetes according to claim 4, characterized in that whether high-risk configuration information exists in the Kubernetes environment and whether the Kubernetes environment meets the conditions for triggering the related vulnerabilities are determined according to the dangerous version detection rule for the Kubernetes environment;
and whether the Kubernetes environment contains a Pod with high-risk Capabilities is determined according to the detection rule for dangerous Capabilities in Pod configurations, an alarm is triggered for the dangerous configuration information and the detection result is recorded.
6. The automatic configuration security detection method for Kubernetes according to claim 1, wherein the specific process of detecting the risk of container escape is as follows: before the containers run, protection is provided against security problems such as container escape vulnerabilities relating to the Kubernetes environment, the conditions under which known security risks occur are removed, and the container escape risk is avoided at the configuration level.
7. The automatic configuration security detection method for Kubernetes according to claim 1, wherein the benchmark test rule matching and processing procedure is as follows: according to the security configuration items defined in the benchmark test rules, rule matching is performed on the acquired basic configuration information of the Kubernetes environment during the test, and the detection result is recorded.
8. The automatic configuration security detection method for Kubernetes according to claim 1, wherein the sorting and analyzing step specifically includes:
according to the CIS guidelines and their practical application in the given scenario, dividing the results in the detection report into three threat levels (high, medium and low), and outputting the detailed detection results as required.
9. The automatic configuration security detection method for Kubernetes according to claim 1, wherein the threat-level classification is specifically:
problems that would lead to a risk of container escape are classified as high threat level; problems relating to security configuration parameters and configuration file permission settings in the Kubernetes environment are classified as medium threat level; problems listed as security recommendations in the CIS Kubernetes security benchmark are classified as low threat level.
10. An automatic configuration security detection system for Kubernetes, comprising the following modules:
a rule definition module: the following security configuration detection rules are defined: a data file permission detection rule for the Kubernetes environment, a detection rule for dangerous parameter configurations in the Kubernetes environment, a dangerous version detection rule for the Kubernetes environment and a detection rule for dangerous Capabilities in Pod configurations;
a benchmark test module: based on the rules defined in the rule definition module, acquiring basic configuration information of the Kubernetes environment, checking data file permissions, parameter configurations and yaml configuration files, and performing rule matching against the acquired target environment settings;
a sorting and analyzing module: sorting and analyzing the detection results of the benchmark test module.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210789926.8A CN115189934A (en) | 2022-07-06 | 2022-07-06 | Automatic configuration safety detection method and system for Kubernets |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115189934A true CN115189934A (en) | 2022-10-14 |
Family
ID=83517548
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115189934A (en) |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108446159A (en) * | 2017-02-16 | 2018-08-24 | 中标软件有限公司 | Mobile terminal dual-system implementation system and method based on Docker containers |
CN109815704A (en) * | 2019-01-24 | 2019-05-28 | 中国—东盟信息港股份有限公司 | Security detection method and system for Kubernetes cloud-native applications |
US20190354690A1 (en) * | 2016-12-08 | 2019-11-21 | Atricore Inc. | Systems, devices and methods for application and privacy compliance monitoring and security threat analysis processing |
US20200334362A1 (en) * | 2019-04-22 | 2020-10-22 | Cyberark Software Ltd. | Securing privileged virtualized execution instances |
CN111865971A (en) * | 2020-07-17 | 2020-10-30 | 成都三零凯天通信实业有限公司 | Kubernetes service container security detection method based on sidecar scheme |
CN113422692A (en) * | 2021-05-28 | 2021-09-21 | 作业帮教育科技(北京)有限公司 | Method, device and storage medium for detecting and processing node faults in K8s cluster |
CN114091025A (en) * | 2021-11-25 | 2022-02-25 | 中国联合网络通信集团有限公司 | Security detection method and device based on a cloud-native platform, and image construction method |
US20220131888A1 (en) * | 2020-10-23 | 2022-04-28 | International Business Machines Corporation | Context based risk assessment of a computing resource vulnerability |
- 2022-07-06 CN CN202210789926.8A patent/CN115189934A/en active Pending
Non-Patent Citations (3)
Title |
---|
JOE PELLETIER: "Common Kubernetes configuration security threats", Retrieved from the Internet <URL:https://cloud.tencent.com/developer/article/1680488> * |
郝鹏海; 徐成龙; 刘一田: "Cloud platform monitoring and alerting system based on Kafka and Kubernetes", Computer Systems & Applications, no. 08 * |
魏新宇: "Financial-grade IT Architecture and Operations: Cloud Native, Distributed Systems and Security", China Machine Press, pages 87-89 * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 2022-10-14