Security Scanning¶
Introduction¶
Le scanning de sécurité continu identifie les vulnérabilités dans l'infrastructure OpenStack. Cette section couvre les outils et processus pour l'analyse des vulnérabilités, la conformité, et la détection des menaces.
Prérequis¶
- OpenStack en production
- Accès réseau aux systèmes à scanner
- Audit CADF configuré
Points à apprendre¶
Types de scans¶
graph TB
subgraph Vulnerability_Assessment["Vulnerability Assessment"]
os_vuln["OS Vulnerability<br/>(OpenSCAP)"]
container["Container Scanning<br/>(Trivy)"]
deps["Dependency Scanning<br/>(OWASP)"]
end
subgraph Configuration_Audit["Configuration Audit"]
cis["CIS Benchmark<br/>(oscap)"]
openstack_sec["OpenStack Security<br/>(Bandit)"]
secrets["Secret Detection<br/>(git-secrets)"]
end
subgraph Runtime_Security["Runtime Security"]
network["Network Scanning<br/>(Nmap, Nessus)"]
ids["Intrusion Detection<br/>(Falco, OSSEC)"]
siem["Log Analysis<br/>(SIEM)"]
endOpenSCAP - Vulnerability Scanning¶
#!/bin/bash
# openscap-scan.sh
# Installer OpenSCAP
apt install -y openscap-scanner scap-security-guide
# Scanner avec profil CIS
oscap xccdf eval \
--profile xccdf_org.ssgproject.content_profile_cis \
--results /var/log/oscap-results.xml \
--report /var/log/oscap-report.html \
/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml
# Scanner les vulnérabilités (OVAL)
oscap oval eval \
--results /var/log/oval-results.xml \
--report /var/log/oval-report.html \
/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-oval.xml
echo "Reports generated in /var/log/"
Trivy - Container Scanning¶
# Installer Trivy
apt install -y wget
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | apt-key add -
echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/trivy.list
apt update && apt install -y trivy
# Scanner une image
trivy image --severity HIGH,CRITICAL kolla/ubuntu-source-nova-api:2024.1
# Scanner toutes les images Kolla
for image in $(docker images --format "{{.Repository}}:{{.Tag}}" | grep kolla); do
echo "Scanning: $image"
trivy image --severity HIGH,CRITICAL --no-progress $image >> /var/log/trivy-scan.txt
done
# Format JSON pour CI/CD
trivy image --format json --output trivy-results.json kolla/ubuntu-source-nova-api:2024.1
# Générer SBOM
trivy image --format cyclonedx --output sbom.json kolla/ubuntu-source-nova-api:2024.1
Bandit - Python Security Linting¶
# Scanner le code OpenStack
pip install bandit
# Scanner un projet
bandit -r /opt/openstack/nova -f json -o bandit-nova.json
# Avec niveau de confiance
bandit -r /opt/openstack/keystone -ll -f html -o bandit-keystone.html
Nmap - Network Scanning¶
#!/bin/bash
# network-scan.sh
NETWORK="10.0.0.0/24"
OUTPUT_DIR="/var/log/security-scans"
mkdir -p $OUTPUT_DIR
# Découverte d'hôtes
nmap -sn $NETWORK -oG $OUTPUT_DIR/hosts.txt
# Scan de ports des controllers
nmap -sS -sV -O \
-p- \
--script=vuln \
-oA $OUTPUT_DIR/controllers \
10.0.0.11 10.0.0.12 10.0.0.13
# Vérifier les ports non nécessaires
echo "=== Unexpected Open Ports ==="
grep -v -E "(5000|8774|9696|9292|8776|443|3306|5672|9090|3000)" $OUTPUT_DIR/controllers.nmap | grep "open"
# Scan SSL/TLS
nmap --script ssl-enum-ciphers -p 443,5000,8774 10.0.0.10 > $OUTPUT_DIR/tls-scan.txt
Falco - Runtime Security¶
# falco-rules-openstack.yaml
# Détecter les modifications de config
- rule: Config File Modified
desc: Detect modifications to OpenStack configuration files
condition: >
open_write and
fd.name startswith /etc/kolla/ and
not proc.name in (docker, containerd)
output: >
Config file modified (user=%user.name file=%fd.name process=%proc.name)
priority: WARNING
# Détecter les accès SSH suspects
- rule: SSH from Unexpected IP
desc: SSH connection from non-management network
condition: >
evt.type = accept and
fd.sport = 22 and
not fd.sip.name startswith "10.0."
output: >
SSH connection from unexpected IP (ip=%fd.sip user=%user.name)
priority: CRITICAL
# Détecter les tentatives d'escalade
- rule: Privilege Escalation Attempt
desc: Detect sudo/su usage
condition: >
spawned_process and
proc.name in (sudo, su) and
not user.name = root
output: >
Privilege escalation attempt (user=%user.name command=%proc.cmdline)
priority: WARNING
# Container escape attempts
- rule: Container Escape Attempt
desc: Detect potential container escape
condition: >
container and
evt.type = ptrace and
evt.arg.request = PTRACE_ATTACH
output: >
Potential container escape (container=%container.name)
priority: CRITICAL
Script de scan complet¶
#!/bin/bash
# security-scan.sh
set -e
SCAN_DATE=$(date +%Y%m%d)
REPORT_DIR="/var/log/security-scans/$SCAN_DATE"
mkdir -p $REPORT_DIR
echo "=== Security Scan Started: $(date) ===" | tee $REPORT_DIR/summary.txt
# 1. OpenSCAP System Scan
echo -e "\n[1/5] Running OpenSCAP..." | tee -a $REPORT_DIR/summary.txt
oscap xccdf eval \
--profile xccdf_org.ssgproject.content_profile_cis \
--results $REPORT_DIR/oscap-results.xml \
--report $REPORT_DIR/oscap-report.html \
/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml 2>&1 || true
# Extraire le score
OSCAP_SCORE=$(grep -oP 'score>\K[0-9.]+' $REPORT_DIR/oscap-results.xml | head -1)
echo "OpenSCAP Score: $OSCAP_SCORE%" | tee -a $REPORT_DIR/summary.txt
# 2. Container Vulnerability Scan
echo -e "\n[2/5] Scanning containers..." | tee -a $REPORT_DIR/summary.txt
> $REPORT_DIR/trivy-summary.txt
for image in $(docker images --format "{{.Repository}}:{{.Tag}}" | grep kolla | head -10); do
VULNS=$(trivy image --severity HIGH,CRITICAL --quiet --format json $image 2>/dev/null | jq '[.Results[].Vulnerabilities // [] | length] | add')
echo "$image: $VULNS HIGH/CRITICAL vulnerabilities" >> $REPORT_DIR/trivy-summary.txt
done
TOTAL_VULNS=$(awk '{sum+=$NF} END {print sum}' $REPORT_DIR/trivy-summary.txt)
echo "Total Container Vulnerabilities: $TOTAL_VULNS" | tee -a $REPORT_DIR/summary.txt
# 3. Network Scan
echo -e "\n[3/5] Network scanning..." | tee -a $REPORT_DIR/summary.txt
nmap -sS -p- --open 10.0.0.10-13 -oG $REPORT_DIR/nmap-results.txt 2>/dev/null
OPEN_PORTS=$(grep -c "open" $REPORT_DIR/nmap-results.txt || echo 0)
echo "Open Ports Found: $OPEN_PORTS" | tee -a $REPORT_DIR/summary.txt
# 4. TLS/SSL Check
echo -e "\n[4/5] TLS Configuration check..." | tee -a $REPORT_DIR/summary.txt
for port in 5000 8774 9696 443; do
RESULT=$(echo | timeout 5 openssl s_client -connect 10.0.0.10:$port 2>/dev/null | grep -E "Protocol|Cipher")
echo "Port $port: $RESULT" >> $REPORT_DIR/tls-check.txt
done
TLS_ISSUES=$(grep -c "TLSv1.0\|TLSv1.1" $REPORT_DIR/tls-check.txt || echo 0)
echo "TLS Issues: $TLS_ISSUES" | tee -a $REPORT_DIR/summary.txt
# 5. Secret Detection
echo -e "\n[5/5] Checking for exposed secrets..." | tee -a $REPORT_DIR/summary.txt
grep -r -l -E "(password|secret|key)\s*=" /etc/kolla/ 2>/dev/null | \
grep -v ".yml" | head -10 > $REPORT_DIR/exposed-secrets.txt || true
EXPOSED=$(wc -l < $REPORT_DIR/exposed-secrets.txt)
echo "Files with potential exposed secrets: $EXPOSED" | tee -a $REPORT_DIR/summary.txt
# Générer le rapport final
echo -e "\n=== Scan Complete ===" | tee -a $REPORT_DIR/summary.txt
echo "Reports saved to: $REPORT_DIR"
# Évaluation globale
if [ $TOTAL_VULNS -gt 50 ] || [ $TLS_ISSUES -gt 0 ] || [ $EXPOSED -gt 0 ]; then
echo "STATUS: CRITICAL - Immediate action required" | tee -a $REPORT_DIR/summary.txt
exit 1
elif [ $TOTAL_VULNS -gt 10 ]; then
echo "STATUS: WARNING - Review recommended" | tee -a $REPORT_DIR/summary.txt
exit 0
else
echo "STATUS: OK" | tee -a $REPORT_DIR/summary.txt
exit 0
fi
Pipeline CI/CD Security¶
# .gitlab-ci.yml
security-scan:
stage: security
image: aquasec/trivy:latest
script:
- trivy image --exit-code 1 --severity CRITICAL ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}
allow_failure: false
sast:
stage: security
image: python:3.11
script:
- pip install bandit
- bandit -r src/ -f json -o bandit-report.json
artifacts:
reports:
sast: bandit-report.json
dependency-scan:
stage: security
image: owasp/dependency-check:latest
script:
- /usr/share/dependency-check/bin/dependency-check.sh
--scan .
--format JSON
--out dependency-check-report.json
artifacts:
reports:
dependency_scanning: dependency-check-report.json
Diagramme processus¶
flowchart TB
Start([Start])
subgraph Scheduled["Scheduled Scans"]
daily["Daily OS Vulnerability Scan<br/>(OpenSCAP)"]
weekly["Weekly Container Scan<br/>(Trivy)"]
monthly["Monthly Penetration Test<br/>(Nmap, Nessus)"]
daily --> weekly --> monthly
end
subgraph Continuous["Continuous Monitoring"]
runtime["Runtime Detection<br/>(Falco)"]
loganalysis["Log Analysis<br/>(SIEM)"]
netmon["Network Monitoring<br/>(IDS)"]
end
subgraph CICD["CI/CD Pipeline"]
push["Code Push"]
sast["SAST (Bandit)"]
depscan["Dependency Scan"]
containerscan["Container Scan"]
critical{Critical Issues?}
block["Block Deployment"]
alertsec["Alert Security Team"]
deploy["Deploy"]
push --> sast --> depscan --> containerscan --> critical
critical -->|yes| block --> alertsec --> Stop1([Stop])
critical -->|no| deploy
end
reports["Generate Reports"]
dashboard["Update Dashboard"]
newvuln{New Vulnerabilities?}
tickets["Create Tickets"]
prioritize["Prioritize Remediation"]
Stop2([Stop])
Start --> Scheduled
Start --> Continuous
Start --> CICD
Scheduled --> reports
Continuous --> reports
deploy --> reports
reports --> dashboard
dashboard --> newvuln
newvuln -->|yes| tickets --> prioritize --> Stop2
newvuln -->|no| Stop2Exemples pratiques¶
Automatisation hebdomadaire¶
# /etc/cron.d/security-scans
# Daily vulnerability scan
0 2 * * * root /opt/scripts/security-scan.sh >> /var/log/security-scan.log 2>&1
# Weekly full container scan
0 3 * * 0 root /opt/scripts/trivy-full-scan.sh >> /var/log/trivy-scan.log 2>&1
# Monthly report generation
0 4 1 * * root /opt/scripts/generate-security-report.sh
Dashboard Grafana Security¶
{
"title": "Security Dashboard",
"panels": [
{
"title": "Vulnerability Trend",
"type": "timeseries",
"targets": [
{"expr": "openstack_security_vulnerabilities_total{severity=\"critical\"}"}
]
},
{
"title": "Compliance Score",
"type": "gauge",
"targets": [
{"expr": "oscap_compliance_score"}
]
},
{
"title": "Security Events",
"type": "table",
"targets": [
{"expr": "{job=\"falco\"} | json"}
]
}
]
}
Ressources¶
Checkpoint¶
- OpenSCAP configuré avec profil CIS
- Trivy scan des images containers
- Nmap scan réseau régulier
- Falco pour runtime security
- Script de scan automatisé
- Intégration CI/CD
- Dashboard security dans Grafana
- Rapport de vulnérabilités généré