- Created SECURITY-HARDENING-PLAN.md with 6 security levels - Added setup-node1-security.sh for automated hardening - Added scan-image.sh for pre-deployment image scanning - Created docker-compose.secure.yml template - Includes: Trivy, fail2ban, UFW, auditd, rkhunter, chkrootkit - Network isolation, egress filtering, process monitoring - Incident response procedures and recovery playbook
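#!/bin/bash
# ============================================================
# scan-image.sh — scan a Docker image before it is used
# ============================================================
# Usage:
#   ./scan-image.sh postgres:16-alpine
#   ./scan-image.sh --pull postgres:16-alpine
#
# Exit status: 0 when Trivy reports no HIGH/CRITICAL findings and no
# known malware pattern is matched under /tmp in the image filesystem;
# 1 otherwise (also 1 on a usage error or when trivy is missing).
#
# Caveat: without --pull the scan runs against whatever is in the local
# image cache, which may be older than the tag currently in the registry.
# ============================================================

set -euo pipefail

# Terminal colours
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
CYAN='\033[0;36m'
NC='\033[0m'

# Parameters
PULL=false
IMAGE=""

# Print usage and exit 1.
usage() {
  echo "Usage: $0 [--pull] <image_name>"
  echo "Example: $0 postgres:16-alpine"
  echo " $0 --pull postgres:16-alpine"
  exit 1
}

# Argument parsing. Anything that starts with '-' and is not --pull/-p is
# rejected instead of being silently taken as the image name.
while [[ $# -gt 0 ]]; do
  case "$1" in
    --pull|-p)
      PULL=true
      shift
      ;;
    -*)
      echo "Unknown option: $1" >&2
      usage
      ;;
    *)
      IMAGE="$1"
      shift
      ;;
  esac
done

[[ -n "$IMAGE" ]] || usage

echo -e "${CYAN}🔍 Scanning Docker Image: $IMAGE${NC}"
echo "========================================"
date
echo ""

# Trivy must be present. NOTE(review): the install hint below pipes a
# remote script straight into sh — for a hardened host prefer a pinned
# release package and verify its checksum/signature before installing.
if ! command -v trivy &> /dev/null; then
  echo -e "${RED}❌ Trivy not installed!${NC}"
  echo "Install: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin"
  exit 1
fi

# Pull on request so the scan (and the digest printed below) refer to
# what the registry currently serves for this tag.
if [[ "$PULL" = true ]]; then
  echo -e "${YELLOW}📥 Pulling image...${NC}"
  docker pull "$IMAGE"
  echo ""
fi

# Resolve the registry digest. Images built locally and never pushed or
# pulled have no RepoDigests; `index` then fails and we fall back to N/A.
echo -e "${YELLOW}📋 Image Info:${NC}"
DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "$IMAGE" 2>/dev/null || echo "N/A")
echo " Digest: $DIGEST"
echo ""

# Vulnerability scan
echo -e "${YELLOW}🔒 Scanning for vulnerabilities...${NC}"
echo ""

# Trivy exits 0 even when it finds vulnerabilities unless --exit-code is
# given, so without it the "vulnerabilities found" branch below can never
# trigger. `|| SCAN_EXIT=$?` captures the status without letting `set -e`
# abort the script first. Any non-zero status — including Trivy's own
# errors such as a failed DB download — is treated as a failed scan
# (fail closed).
SCAN_EXIT=0
trivy image --exit-code 1 --severity HIGH,CRITICAL "$IMAGE" || SCAN_EXIT=$?

echo ""
echo "========================================"

if [[ $SCAN_EXIT -eq 0 ]]; then
  echo -e "${GREEN}✅ No HIGH/CRITICAL vulnerabilities found${NC}"
  echo ""
  echo -e "${GREEN}Safe to use:${NC}"
  echo " image: $IMAGE"
  # A digest reference is immutable; a tag can be re-pointed at any time.
  if [[ "$DIGEST" != "N/A" ]]; then
    echo ""
    echo -e "${GREEN}Recommended (pinned by digest):${NC}"
    echo " image: $DIGEST"
  fi
else
  echo -e "${RED}❌ Vulnerabilities found!${NC}"
  echo ""
  echo "Options:"
  echo " 1. Use a different image version"
  echo " 2. Build custom image with patches"
  echo " 3. Accept risk (not recommended)"
  exit 1
fi

# Heuristic check for known cryptominer/rootkit artefacts under /tmp.
# This used to `docker run <image> sh -c 'ls /tmp'`, which executes the
# still-untrusted image on this host with the daemon's default privileges
# and network. Instead the container is created but never started, and
# /tmp is read out of the image filesystem with `docker cp`, so no code
# from the image runs. The pattern list is a heuristic (e.g. `mysql` can
# also match a legitimate socket); treat a hit as "investigate", not proof.
echo ""
echo -e "${YELLOW}🦠 Checking for known malware patterns...${NC}"

MALWARE_PATTERN='(httpd|\.perf|mysql|xmrig|kdevtmp)'
MALWARE_CHECK="check_failed"
# A placeholder command is supplied so `docker create` also works for images
# that declare no CMD/ENTRYPOINT; the container is never started.
if CID=$(docker create "$IMAGE" /scan-placeholder 2>/dev/null); then
  # `docker cp ... -` streams the directory as a tar archive and `tar -t`
  # lists its entries. A missing /tmp or a cp failure (pipefail) leaves the
  # result at check_failed rather than silently reporting "clean".
  if TMP_LISTING=$(docker cp "$CID:/tmp" - 2>/dev/null | tar -t 2>/dev/null); then
    MALWARE_CHECK=$(grep -E "$MALWARE_PATTERN" <<<"$TMP_LISTING" || echo 'clean')
  fi
  docker rm -f "$CID" >/dev/null 2>&1 || true
fi

if [[ "$MALWARE_CHECK" = "clean" ]]; then
  echo -e "${GREEN}✅ No known malware patterns in /tmp${NC}"
elif [[ "$MALWARE_CHECK" = "check_failed" ]]; then
  echo -e "${YELLOW}⚠️ Could not check /tmp (image may not have shell)${NC}"
else
  echo -e "${RED}❌ MALWARE DETECTED in /tmp!${NC}"
  echo "$MALWARE_CHECK"
  echo ""
  echo -e "${RED}DO NOT USE THIS IMAGE!${NC}"
  exit 1
fi

echo ""
echo -e "${GREEN}🎉 Image scan complete!${NC}"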