trivy系统漏洞扫描
仓库地址: http://github.com/aquasecurity/trivy/releases
trivy能够扫描的对象包括:
Container Image、Filesystem、Git Repository (remote)、Virtual Machine Image、Kubernetes、AWS
显示的安全问题严重程度,默认显示全部级别
级别类型:UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
# 下载trivy工具
# Working directory for the Trivy download and later artefacts (contrib/, reports, trivy.yaml).
install_dir=/opt/trivy
mkdir -p -- "$install_dir" && cd -- "$install_dir"
- 方式一
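# Option 1: fetch the release tarball straight from GitHub.
# NOTE(review): the asset named here is the FreeBSD build, while the rest of this
# guide (overlay2 paths, oras linux_amd64) targets Linux — pick the asset that
# matches your OS/arch from the releases page, and compare it against the
# checksums published alongside the release before installing it.
trivy_version=0.59.1
trivy_asset="trivy_${trivy_version}_FreeBSD-64bit.tar.gz"
wget -- "https://github.com/aquasecurity/trivy/releases/download/v${trivy_version}/${trivy_asset}" || exit 1
# The original stopped after the download; unpack just the binary into PATH
# (assumes the archive holds `trivy` at its top level — confirm for your asset).
tar -xzf "$trivy_asset" -C /usr/local/bin/ trivy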
- 方式二
因网络原因我使用方式二;docker 的存储路径请换成你自己的目录
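# Option 2: pull the image from a mirror and copy the binary out of it.
# NOTE(review): the page copied from a hard-coded overlay2 layer hash; that path
# differs per host and per pull, so extract through a throw-away container
# instead. The version here (0.57.1) also differs from option 1 (0.59.1).
# docker.1ms.run is a third-party mirror — compare the pulled image digest with
# the upstream aquasec/trivy tag before trusting the binary.
trivy_image=docker.1ms.run/aquasec/trivy:0.57.1
docker pull "$trivy_image" || exit 1
tmp_ctr=$(docker create "$trivy_image") || exit 1
docker cp "${tmp_ctr}:/usr/local/bin/trivy" /usr/local/bin/trivy
docker rm -- "$tmp_ctr" >/dev/null
chmod +x /usr/local/bin/trivy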
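# Fallback: a plain-HTTP mirror of the binary hosted by the blog author.
# -f makes curl fail on an HTTP error instead of saving the error page and then
# marking it executable. There is no integrity check on this path; prefer the
# upstream release (option 1) where the network allows it.
curl -f -o /usr/local/bin/trivy http://download.yfklife.cn/blog/ops/security/trivy && chmod +x /usr/local/bin/trivy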
# 配置trivy离线数据库
# 安装oras工具
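# Install oras (used below to pull the Trivy DBs as OCI artifacts).
# -f: fail on HTTP errors rather than writing the error page to oras.tar.gz.
oras_version=1.2.0
curl -fL "https://github.com/oras-project/oras/releases/download/v${oras_version}/oras_${oras_version}_linux_amd64.tar.gz" -o oras.tar.gz || exit 1
# Unpack into a scratch dir and install only the binary, so any other files in
# the archive do not land in /usr/local/bin (the original extracted everything
# there). Assumes the archive holds `oras` at its top level — confirm.
oras_tmp=$(mktemp -d) || exit 1
tar -xzf oras.tar.gz -C "$oras_tmp"
install -m 0755 -- "$oras_tmp/oras" /usr/local/bin/oras
rm -rf -- "${oras_tmp:?}"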
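# Fallback mirror for oras, same caveats as the trivy mirror: plain HTTP, no
# integrity check. -f stops a 404 page from being installed as the binary.
curl -f -o /usr/local/bin/oras http://download.yfklife.cn/blog/ops/security/oras && chmod +x /usr/local/bin/oras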
# 下载trivy离线数据库
# Pull the vulnerability DB and the Java DB as OCI artifacts from the NJU mirror
# of ghcr.io (the tag is the DB schema version). Each pull drops a tarball in
# the current directory: db.tar.gz and javadb.tar.gz.
for db_ref in \
  ghcr.nju.edu.cn/aquasecurity/trivy-db:2 \
  ghcr.nju.edu.cn/aquasecurity/trivy-java-db:1; do
  oras pull "$db_ref"
done
会在当前目录生成两个压缩文件:db.tar.gz 、javadb.tar.gz
# 解压并指定数据库路径
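# Unpack both DBs into Trivy's cache layout. The location is parameterised via
# TRIVY_CACHE_DIR (Trivy's own override) so a non-root scan user can reuse these
# steps; the page's default of /root/.cache/trivy is kept.
trivy_cache=${TRIVY_CACHE_DIR:-/root/.cache/trivy}
mkdir -p -- "$trivy_cache/db" "$trivy_cache/java-db"
# Same tar invocation for both archives (the original mixed `tar -xf` and `tar xf`).
tar -xf db.tar.gz -C "$trivy_cache/db"
tar -xf javadb.tar.gz -C "$trivy_cache/java-db"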
# 运行Trivy扫描
# Trivy指定本地数据库
# Scan the host root filesystem against the locally extracted DB (`fs` is the
# short form of `filesystem`).
# NOTE(review): the `file:` form of --db-repository is as given on the page;
# confirm the Trivy version in use honours it — the documented offline route is
# to place the DB under the cache dir and pass --skip-db-update.
trivy fs / --db-repository file:/root/.cache/trivy/db
# Trivy指定html文件形式输出
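# HTML report output using the contrib template.
cd /opt/trivy || exit 1
mkdir -p contrib   # -p: re-running the guide must not fail on an existing dir
# -f: do not save an HTTP error page as the template.
curl -f -o ./contrib/html.tpl http://download.yfklife.cn/blog/ops/security/html.tpl || exit 1
# Shared reporting flags: vulnerability scanner only, HIGH/CRITICAL, HTML template.
report_opts=(--scanners vuln --format template --template "@./contrib/html.tpl" -s HIGH,CRITICAL)
# Host filesystem scan.
# NOTE(review): --db-repository is passed twice; if the flag is single-valued
# the second value wins and the Java DB is never consulted. Trivy has a separate
# --java-db-repository for the Java DB — confirm for the version in use.
trivy fs / --db-repository file:/root/.cache/trivy/java-db --db-repository file:/root/.cache/trivy/db "${report_opts[@]}" -o qapm_report.html
# Image scan. The page wrote this to qapm_report.html too, so it overwrote the
# filesystem report above; it now gets its own output file. The image id is the
# one from the page — replace it with the image you want to scan.
image_ref=d8800155a2bf
trivy image "$image_ref" --db-repository file:/root/.cache/trivy/db "${report_opts[@]}" -o qapm_image_report.html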
# trivy指定配置文件trivy.yaml
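cd /opt/trivy || exit 1
# Write the Trivy config file.
# Bug in the original: `cat >cat trivy.yaml<<'EOF'` redirects stdout to a file
# literally named "cat" and makes cat read a not-yet-existing trivy.yaml, so the
# heredoc never reached trivy.yaml. The quoted EOF keeps the body literal.
# The YAML nesting (lost in the page rendering) is restored: skip-dirs and
# scanners belong under `scan`, type and ignore-unfixed under `vulnerability`.
# exit-code: 1 makes trivy return 1 when findings remain — intended for CI gates.
cat > trivy.yaml <<'EOF'
timeout: 10m
format: json
dependency-tree: true
list-all-pkgs: true
exit-code: 1
output: result.json
severity:
  - HIGH
  - CRITICAL
scan:
  skip-dirs:
    - /lib64
    - /lib
    - /usr/lib
    - /usr/include
    - /data/docker
  scanners:
    - vuln
    - secret
vulnerability:
  type:
    - os
    - library
  ignore-unfixed: true
EOF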
# Scan with trivy.yaml plus explicit flags.
# NOTE(review): command-line flags take precedence over trivy.yaml, so most of
# what the file sets is overridden here: --format/-o replace the json output
# (result.json), --scanners vuln most likely drops the `secret` scanner the file
# enables, and -s HIGH,CRITICAL only repeats the file's severity list. The
# file's exit-code: 1 still applies, so a scan with findings returns 1.
# --db-repository is given twice; if the flag is single-valued the second value
# wins and the Java DB is ignored — Trivy has --java-db-repository for that
# (confirm for the version in use).
trivy fs / --config /opt/trivy/trivy.yaml --db-repository file:/root/.cache/trivy/java-db --db-repository file:/root/.cache/trivy/db --scanners vuln --format template --template "@./contrib/html.tpl" -o qapm_report.html -s HIGH,CRITICAL
下载查看文件:qapm_report.html
# lynis安全扫描(审计)
# 下载lynis
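# Clone Lynis. This tracks the default branch; pin a release tag for repeatable
# audits. The clone fails if ./lynis already exists, so stop rather than run an
# unknown existing copy.
git clone https://github.com/CISOfy/lynis || exit 1
# Run the local system audit (most checks need root).
cd lynis && ./lynis audit system
# After the audit: log in /var/log/lynis.log, machine-readable report in
# /var/log/lynis-report.dat (paths as given on the page; they apply to a root run).
# Filter the items that likely need action (the report's warning / suggestion lines).
grep -E -- '^warning|^suggestion' /var/log/lynis-report.dat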