コード例 #1
0
    def scan(self, image, scan_args):
        '''
        Wrapper function for basic security scans using
        openscap
        '''

        mnt_dir = self._ensure_mnt_dir()

        # Mount the temporary image/container to the dir
        DM = DockerMount(mnt_dir, mnt_mkdir=True)
        try:
            _tmp_mnt_dir = DM.mount(image)
        except MountError as e:
            sys.stderr.write(str(e) + "\n")
            return None

        try:
            chroot = self._find_chroot_path(_tmp_mnt_dir)

            # Scan the chroot
            scan_result = self.helper._scan(chroot, image, scan_args)
            print(scan_result.stdout)
            print(scan_result.stderr, file=sys.stderr)

        finally:
            # Clean up
            self.helper._cleanup_by_path(_tmp_mnt_dir, DM)
            self._remove_mnt_dir(mnt_dir)

        return scan_result.returncode
コード例 #2
0
def build_rpm_for_docker_backend(image, name, temp_dir, labels):
    """
    build rpm package for specified docker image

    :param image, instance of Atomic.objects.image.Image
    :param name, str, name of the associated container
    :param temp_dir: str, directory where all the data will be processed
    :param labels: dict, these labels come from container image
    :return: instance of StandaloneContainerInstallation
    """
    from Atomic.mount import DockerMount, MountContextManager
    mount_path = os.path.join(temp_dir, "mountpoint")
    destination = os.path.join(temp_dir, "system_rpm")
    os.makedirs(destination)
    os.makedirs(mount_path)
    dm = DockerMount(mount_path)
    cm = MountContextManager(dm, image.id)
    with cm:
        # if we are on devicemapper, the path to container is <mount_point>/hostfs/
        dm_candidate_path = os.path.join(cm.mnt_path, "rootfs")
        if os.path.exists(dm_candidate_path):
            exports_dir = os.path.join(dm_candidate_path, "exports")
        else:
            exports_dir = os.path.join(cm.mnt_path, "exports")
        r = RPMHostInstall.generate_rpm(
            name, image.id, labels, exports_dir, destination)
        return ContainerInstallation(r[0], r[1], r[2])
コード例 #3
0
    def scan_cve(self, image, scan_args):
        '''
        Wrapper function for scanning a container or image
        '''
        # Mount the temporary image/container to the dir
        DM = DockerMount(self.mnt_dir, mnt_mkdir=True)
        _tmp_mnt_dir = DM.mount(image)

        # Remeber actual mounted fs in 'rootfs'
        chroot = os.path.join(_tmp_mnt_dir, 'rootfs')

        # Figure out which RHEL dist is in the chroot
        dist = self.helper._get_dist(chroot)

        # Fetch the CVE input data for the dist
        fetch = getInputCVE(self.tmp_dir)

        # TODO
        # This should probably be in a try/except
        fetch._fetch_single(dist)

        # Scan the chroot
        sys.stdout.write(self.helper._scan_cve(chroot, dist, scan_args))

        # Clean up
        self.helper._cleanup_by_path(_tmp_mnt_dir)
コード例 #4
0
    def scan(self, image, scan_args):
        '''
        Wrapper function for basic security scans using
        openscap
        '''

        mnt_dir = self._ensure_mnt_dir()

        # Mount the temporary image/container to the dir
        DM = DockerMount(mnt_dir, mnt_mkdir=True)
        try:
            _tmp_mnt_dir = DM.mount(image)
        except MountError as e:
            sys.stderr.write(str(e) + "\n")
            return None

        # Remeber actual mounted fs in 'rootfs'
        chroot = os.path.join(_tmp_mnt_dir, 'rootfs')

        # Scan the chroot
        sys.stdout.write(self.helper._scan(chroot, scan_args))

        # Clean up
        self.helper._cleanup_by_path(_tmp_mnt_dir)
        self._remove_mnt_dir(mnt_dir)
コード例 #5
0
    def scan(self, image, scan_args):
        '''
        Wrapper function for basic security scans using
        openscap
        '''
        # Mount the temporary image/container to the dir
        DM = DockerMount(self.mnt_dir, mnt_mkdir=True)
        _tmp_mnt_dir = DM.mount(image)

        # Remeber actual mounted fs in 'rootfs'
        chroot = os.path.join(_tmp_mnt_dir, 'rootfs')

        # Scan the chroot
        sys.stdout.write(self.helper._scan(chroot, scan_args))

        # Clean up
        self.helper._cleanup_by_path(_tmp_mnt_dir)
コード例 #6
0
    def _cleanup_by_path(self, path):
        '''
        Cleans up the mounted chroot by umounting it and
        removing the temporary directory
        '''
        # Sometimes when this def is called, path will have 'rootfs'
        # appended.  If it does, strip it and proceed

        _no_rootfs = os.path.dirname(path) if os.path.basename(path) == \
            'rootfs' else path

        DM = DockerMount("/tmp")
        # umount chroot
        DM.unmount_path(_no_rootfs)

        # clean up temporary container
        DM._clean_temp_container_by_path(_no_rootfs)
        os.rmdir(_no_rootfs)
コード例 #7
0
    def scan_cve(self, image, scan_args):
        '''
        Wrapper function for scanning a container or image
        '''

        mnt_dir = self._ensure_mnt_dir()

        # Mount the temporary image/container to the dir
        DM = DockerMount(mnt_dir, mnt_mkdir=True)
        try:
            _tmp_mnt_dir = DM.mount(image)
        except MountError as e:
            sys.stderr.write(str(e) + "\n")
            return None

        try:
            chroot = self._find_chroot_path(_tmp_mnt_dir)

            # Figure out which RHEL dist is in the chroot
            name, conf = self.helper._get_target_name_and_config(image)
            dist = get_dist(chroot, self.helper.oscap_binary,
                            conf.get("Env", []) or [])

            if dist is None:
                sys.stderr.write("{0} is not based on RHEL\n".format(image))
                return None

            # Fetch the CVE input data for the dist
            fetch = getInputCVE(self.tmp_dir)
            fetch._fetch_single(dist)

            # Scan the chroot
            scan_result = self.helper._scan_cve(chroot, image, dist, scan_args)
            print(scan_result.stdout)
            print(scan_result.stderr, file=sys.stderr)

        finally:
            # Clean up
            self.helper._cleanup_by_path(_tmp_mnt_dir, DM)
            self._remove_mnt_dir(mnt_dir)

        return scan_result.returncode
コード例 #8
0
    def __init__(self, image_uuid, con_uuids, output, appc):
        self.image_name = image_uuid
        self.ac = appc
        self.CVEs = collections.namedtuple(
            'CVEs', 'title, severity,'
            'cve_ref_id, cve_ref_url,'
            'rhsa_ref_id, rhsa_ref_url')

        self.list_of_CVEs = []
        self.con_uuids = con_uuids
        self.output = output
        self.report_dir = os.path.join(self.ac.workdir, "reports")
        if not os.path.exists(self.report_dir):
            os.mkdir(self.report_dir)

        start = time.time()
        self.DM = DockerMount("/tmp", mnt_mkdir=True)
        self.dm_results = self.DM.mount(image_uuid)
        logging.debug("Created scanning chroot in {0}"
                      " seconds".format(time.time() - start))
        self.dest = self.dm_results
コード例 #9
0
    def scan_cve(self, image, scan_args):
        '''
        Wrapper function for scanning a container or image
        '''

        mnt_dir = self._ensure_mnt_dir()

        # Mount the temporary image/container to the dir
        DM = DockerMount(mnt_dir, mnt_mkdir=True)
        try:
            _tmp_mnt_dir = DM.mount(image)
        except MountError as e:
            sys.stderr.write(str(e) + "\n")
            return None

        # Remeber actual mounted fs in 'rootfs'
        chroot = os.path.join(_tmp_mnt_dir, 'rootfs')


        try:
            # Figure out which RHEL dist is in the chroot
            dist = self.helper._get_dist(chroot)

            if dist is None:
                sys.stderr.write("{0} is not based on RHEL\n".format(image))
                return None

            # Fetch the CVE input data for the dist
            fetch = getInputCVE(self.tmp_dir)
            fetch._fetch_single(dist)

            # Scan the chroot
            sys.stdout.write(self.helper._scan_cve(chroot, dist, scan_args))

        finally:
            # Clean up
            self.helper._cleanup_by_path(_tmp_mnt_dir)
            self._remove_mnt_dir(mnt_dir)