Читать книгу Cloud Native Security - Chris Binnie - Страница 4

1 Chapter 1Figure 1.1: How virtual machines and containers reside on a host

2 Chapter 5Figure 5.1: The excellent kube-hunter has found Kubernetes components but is...Figure 5.2: We need the vulnerability IDs so that we can look up more detail...Figure 5.3: Looking up KHV002 in the Knowledge Base offers more detail.Figure 5.4: An internal view of Minishift is a slight improvement over k3s's...

3 Chapter 6Figure 6.1: The Common Vulnerability Scoring SystemFigure 6.2: Trivy's assessment of the latest nginx container imageFigure 6.3: Older versions of images tend to flag more issues, as you'd expe...Figure 6.4: Anchore is up, courtesy of Docker Compose.Figure 6.5: Only 2 medium-ranked CVEs have been found by Anchore, but 52 low...Figure 6.6: Harbor has the excellent Clair CVE scanner built-in.Figure 6.7: Different scanning results again for the nginx container imageFigure 6.8: Harbor lets you inspect the layers of your images with ease.

4 Chapter 7Figure 7.1: A combination of Docker and Webswing means that running ZAP with...Figure 7.2: A redacted HTML report from a baseline scanFigure 7.3: A trimmed screenshot of the HTML report after scanning Nmap’s ho...

5 Chapter 10Figure 10.1: Fine-grained permissions from GitHub via personal access tokens...Figure 10.2: GitRob initializing and beginning to scan all repositories belo...

6 Chapter 11Figure 11.1: The Ansible directory structure, courtesy of the tree command

7 Chapter 12Figure 12.1: Even an HTTP 403 is revealing.

8 Chapter 13Figure 13.1: The start of the Netdata installation processFigure 13.2: Netdata has completed its installation successfully.Figure 13.3: The top of the dashboardFigure 13.4: Networking information showing the docker0 network interfaceFigure 13.5: The cpuidle dashboard to show how quiet your CPU cores areFigure 13.6: Temperature metrics can be useful for on-premises hosts that ha...Figure 13.7: The splash screen for Komiser made available by our containerFigure 13.8: A billing summary per-service plus outstanding support tickets...Figure 13.9: Checking running instances is useful not just for costs but str...Figure 13.10: Lambda functions aren't forgotten about in Komiser.Figure 13.11: Potentially costly utilized network resource in an AWS region...

9 Chapter 14Figure 14.1: Cloud Custodian courtesy of the Python installation routeFigure 14.2: In the AWS Console or programmatically, add a tag to an EC2 ins...Figure 14.3: Highly permissive EC2 policy for our first test policy in Cloud...Figure 14.4: We have stopped our instance successfully using a policy.

10 Chapter 15Figure 15.1: Some of the permissions that your user/role will need in AWS, b...Figure 15.2: The start of the Cloud Reports build process, courtesy of Node....Figure 15.3: The end of the build processFigure 15.4: The IAM policy is very permissive, even as read-only, so be sur...Figure 15.5: Check your progress via the Last Used column in IAM for your us...Figure 15.6: HTML output after using the -f html switch, with the AWS accoun...Figure 15.7: A relatively empty region in the AWS account still produced 16 ...Figure 15.8: Prowler needs two IAM policies attached to an IAM user or role....Figure 15.9: Prowler is firing up and ready to scan a (redacted) AWS account...

11 Chapter 16Figure 16.1: You should only give S3 Read access to S3 Inspector for obvious...Figure 16.2: Redacted output from the same results as Listing 16.1, focusing...Figure 16.3: The top-level listing in the AWS Console of S3 buckets reminds ...Figure 16.4: There are relatively new Edit Public Access Settings options no...Figure 16.5: GrayhatWarfare is an excellent resource for learning about stor...Figure 16.6: Public files discovered in S3 buckets

12 Chapter 18Figure 18.1: Rakkess outputFigure 18.2: Rakkess output for the certificate-controller accountFigure 18.3: kubectl-who-can get secretsFigure 18.4: Example of rback output

13 Chapter 19Figure 19.1: Traffic flow in the base Kubernetes clusterFigure 19.2: Network traffic after default deny policies appliedFigure 19.3: Network traffic after allow-webapp-access policy added

14 Chapter 20Figure 20.1: PodSecurityPolicies