wazuh / wazuh-docker

Wazuh - Docker containers
https://wazuh.com

Container images vulnerability management #221

Closed JPLachance closed 4 years ago

JPLachance commented 5 years ago

Greetings,

I just did a scan using Snyk of the wazuh/wazuh:3.9.3_6.8.1 container image and here are the results: [screenshot: Screen Shot 2019-07-30 at 09 42 47]

As of July 30, 2019, the wazuh/wazuh:3.9.3_6.8.1 container image contains 57 known high theoretical CVEs, 42 mediums, 5 lows.

This is caused by two things:

So, how did you tackle vulnerability management for Wazuh Cloud services? 🙂

In the community, we see people reworking their container images to use a super slim base and install only what is truly required for the app to work.

Thanks for the help!

manuasir commented 5 years ago

Hello @JPLachance,

As this involves several critical problems, we will take it as a top priority. We're thinking about the best way to approach the solution, and we've been planning to change the current phusion base image, which has been clearly outdated. Instead of using a third-party Ubuntu 16-based image, we could change it to an official Ubuntu or CentOS image.

Regarding your question about our cloud service, we're using our own generated Docker images. Due to strict regulatory compliance, we also have to pass weekly for catching CVEs and patching them, so this problem only applies to our public Docker images.

I'd also like to thank you for reporting these scan results; your contributions to this community have always been very valuable, and they help this product improve its quality and robustness. For that, very much appreciated.

Don't hesitate to share your thoughts on this. Also, please stay tuned to this ticket to track the solution.

Best regards

xr09 commented 4 years ago

Closing this since it was already addressed in https://github.com/wazuh/wazuh-docker/issues/259. We have selected CentOS 7 as the new base image with S6-Overlay as process manager.

More info: https://github.com/wazuh/wazuh-docker/issues/273