VMClarity is a tool developed by OpenClarity that focuses on virtual machine security. Through several detection mechanisms and combined analysis it gives users a comprehensive solution for assessing and managing VM security. VMClarity aims to help organizations identify and remediate potential security risks in their virtual machines and so raise the security of the overall system.
VMClarity is an open source tool for agentless detection and management of virtual machine software bills of materials (SBOMs) and of security threats such as vulnerabilities, exploits, malware, rootkits, misconfigurations and leaked secrets.
To deploy VMClarity v0.8.1 successfully, prepare the following images (each is pulled from a mirror registry and then re-tagged to the name the chart expects):
nerdctl pull registry.cn-shanghai.aliyuncs.com/kubesec/aquasec-trivy:0.52.1
nerdctl tag registry.cn-shanghai.aliyuncs.com/kubesec/aquasec-trivy:0.52.1 docker.io/aquasec/trivy:0.52.1
nerdctl pull registry.cn-shanghai.aliyuncs.com/kubesec/openclarity:vmclarity-apiserver-v0.7.1
nerdctl tag registry.cn-shanghai.aliyuncs.com/kubesec/openclarity:vmclarity-apiserver-v0.7.1 ghcr.io/openclarity/vmclarity-apiserver:v0.7.1
nerdctl pull registry.cn-shanghai.aliyuncs.com/kubesec/openclarity:exploit-db-server-v0.3.0
nerdctl tag registry.cn-shanghai.aliyuncs.com/kubesec/openclarity:exploit-db-server-v0.3.0 ghcr.io/openclarity/exploit-db-server:v0.3.0
nerdctl pull registry.cn-shanghai.aliyuncs.com/kubesec/openclarity:freshclam-mirror-v0.3.1
nerdctl tag registry.cn-shanghai.aliyuncs.com/kubesec/openclarity:freshclam-mirror-v0.3.1 ghcr.io/openclarity/freshclam-mirror:v0.3.1
nerdctl pull registry.cn-shanghai.aliyuncs.com/kubesec/nginxinc:nginx-unprivileged-1.26.0
nerdctl tag registry.cn-shanghai.aliyuncs.com/kubesec/nginxinc:nginx-unprivileged-1.26.0 docker.io/nginxinc/nginx-unprivileged:1.26.0
nerdctl pull registry.cn-shanghai.aliyuncs.com/kubesec/openclarity:vmclarity-ui-v0.7.1
nerdctl tag registry.cn-shanghai.aliyuncs.com/kubesec/openclarity:vmclarity-ui-v0.7.1 ghcr.io/openclarity/vmclarity-ui:v0.7.1
nerdctl pull registry.cn-shanghai.aliyuncs.com/kubesec/openclarity:vmclarity-ui-backend-v0.7.1
nerdctl tag registry.cn-shanghai.aliyuncs.com/kubesec/openclarity:vmclarity-ui-backend-v0.7.1 ghcr.io/openclarity/vmclarity-ui-backend:v0.7.1
nerdctl pull registry.cn-shanghai.aliyuncs.com/kubesec/openclarity:yara-rule-server-v0.3.0
nerdctl tag registry.cn-shanghai.aliyuncs.com/kubesec/openclarity:yara-rule-server-v0.3.0 ghcr.io/openclarity/yara-rule-server:v0.3.0
nerdctl pull registry.cn-shanghai.aliyuncs.com/kubesec/swaggerapi:swagger-ui-v5.17.14
nerdctl tag registry.cn-shanghai.aliyuncs.com/kubesec/swaggerapi:swagger-ui-v5.17.14 docker.io/swaggerapi/swagger-ui:v5.17.14
nerdctl pull registry.cn-shanghai.aliyuncs.com/kubesec/openclarity:grype-server-v0.7.2
nerdctl tag registry.cn-shanghai.aliyuncs.com/kubesec/openclarity:grype-server-v0.7.2 ghcr.io/openclarity/grype-server:v0.7.2
nerdctl pull registry.cn-shanghai.aliyuncs.com/kubesec/openclarity:vmclarity-orchestrator-v0.7.1
nerdctl tag registry.cn-shanghai.aliyuncs.com/kubesec/openclarity:vmclarity-orchestrator-v0.7.1 ghcr.io/openclarity/vmclarity-orchestrator:v0.7.1
nerdctl pull registry.cn-shanghai.aliyuncs.com/kubesec/postgresql:16.3.0-debian-12-r13
nerdctl tag registry.cn-shanghai.aliyuncs.com/kubesec/postgresql:16.3.0-debian-12-r13 docker.io/bitnami/postgresql:16.3.0-debian-12-r13
Install VMClarity with Helm:
helm install vmclarity oci://ghcr.io/openclarity/charts/vmclarity --version 0.7.1 --namespace vmclarity --create-namespace --set orchestrator.provider=kubernetes --set orchestrator.serviceAccount.automountServiceAccountToken=true
Change the vmclarity-gateway service to type NodePort:
kubectl -n vmclarity patch service/vmclarity-gateway -p '{"spec": {"type": "NodePort"}}'
Check the status of all pods:
root@kube:~# kubectl -n vmclarity get pods
NAME READY STATUS RESTARTS AGE
vmclarity-apiserver-998fc7575-4bvsx 1/1 Running 0 5m27s
vmclarity-cr-discovery-server-6k2k2 1/1 Running 0 10m
vmclarity-exploit-db-server-578679dbb5-8gwnr 1/1 Running 0 10m
vmclarity-freshclam-mirror-7864c645bc-hzqb9 1/1 Running 0 10m
vmclarity-gateway-6657777675-q5xq8 1/1 Running 0 10m
vmclarity-grype-server-65dbfbb68-nh9fn 1/1 Running 0 10m
vmclarity-orchestrator-7d576b59f9-jqkdt 1/1 Running 0 10m
vmclarity-postgresql-0 1/1 Running 0 10m
vmclarity-swagger-ui-86596c9866-9mv9b 1/1 Running 0 10m
vmclarity-trivy-server-65655cc45d-wcwvl 1/1 Running 0 10m
vmclarity-ui-75d788bb7d-gdg58 1/1 Running 0 10m
vmclarity-uibackend-fd9d4b9d-q2d6t 1/1 Running 0 10m
vmclarity-yara-rule-server-845478589c-m9cc8 1/1 Running 0 10m
Open the VMClarity UI in a browser (look up the assigned NodePort with the kubectl command below):
http://nodeIP:NodePort
kubectl -n vmclarity get svc
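As an added example (not from the original post), a POSIX shell check that turns the pod listing above into a pass/fail gate before you open the UI: it reads `kubectl -n vmclarity get pods` output and fails, naming the offending pods, if any pod is not Running and fully Ready. The two sample listings are constructed; `wait_for_vmclarity` assumes `kubectl` is on PATH with access to the cluster.

```shell
#!/bin/sh
# Added example, not part of VMClarity or the original post.

# Read a `kubectl get pods` listing on stdin. Return 0 only if every data
# line has STATUS "Running" and READY "n/n" with n > 0; otherwise print each
# pod that is not ready (name, READY, STATUS) and return 1.
check_pods_ready() {
    awk 'NR == 1 { next }              # skip the NAME READY STATUS ... header
         NF < 3  { next }              # skip blank or truncated lines
         {
             split($2, r, "/")         # READY column is "ready/total"
             if ($3 != "Running" || r[1] != r[2] || r[2] == 0) {
                 print $1 " (" $2 " " $3 ")"
                 bad = 1
             }
         }
         END { exit bad ? 1 : 0 }'
}

# Poll the live cluster until every pod passes the check or the timeout
# (seconds, default 300) expires. Assumes kubectl is configured.
wait_for_vmclarity() {
    timeout=${1:-300}
    while [ "$timeout" -gt 0 ]; do
        kubectl -n vmclarity get pods | check_pods_ready > /dev/null && return 0
        sleep 10
        timeout=$((timeout - 10))
    done
    echo "timed out waiting for vmclarity pods" >&2
    return 1
}

# Constructed sample listings (not real cluster output), in the shape of the
# listing shown in the post: one healthy, one with a crashing and a
# terminating pod.
SAMPLE_OK='NAME READY STATUS RESTARTS AGE
vmclarity-apiserver-998fc7575-4bvsx 1/1 Running 0 5m27s
vmclarity-postgresql-0 1/1 Running 0 10m'

SAMPLE_BAD='NAME READY STATUS RESTARTS AGE
vmclarity-apiserver-998fc7575-4bvsx 0/1 CrashLoopBackOff 3 5m27s
vmclarity-postgresql-0 1/1 Running 0 10m
vmclarity-ui-75d788bb7d-gdg58 1/1 Terminating 0 10m'
```

On a real cluster run `kubectl -n vmclarity get pods | check_pods_ready` or `wait_for_vmclarity 600` after the helm install.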
Create a scan task:
https://openclarity.io/docs/vmclarity/getting-started/first-tasks/
Use VMClarity on AWS:
https://openclarity.io/docs/vmclarity/getting-started/deploy-aws/
Use VMClarity on Azure:
https://openclarity.io/docs/vmclarity/getting-started/deploy-azure/
Use VMClarity on GCP:
https://openclarity.io/docs/vmclarity/getting-started/deploy-gcp/
Deploy VMClarity in Docker:
https://openclarity.io/docs/vmclarity/getting-started/deploy-docker/
Originally published on the WeChat public account Nil聊安全: Using VMClarity to improve virtual machine security