dagda
0.8.0
DAGDA是對Docker Images/Container中的已知漏洞,特洛伊斯,病毒,惡意軟件和其他惡意威脅的靜態分析的工具,並監視Docker守護程序和運行Docker容器以檢測異常活動。
為了履行其使命,首先將已知的漏洞(常見的漏洞和暴露率),投標(Bugtraq ID),RHSA(紅帽安全諮詢)和RHBA(紅色帽子型問題諮詢)以及來自進攻安全數據庫中的已知利用(可用於搜索這些漏洞)在這些漏洞中的搜索和搜索時,這些漏洞是對這些漏洞的搜索和探索。
然後,當您對已知漏洞進行靜態分析時, DAGDA會檢索有關安裝在Docker映像中的軟件的信息,例如OS軟件包和編程語言的依賴項,並為每種產品及其版本驗證是否沒有漏洞在MongongoDB中的漏洞。此外, DAGDA使用Clamav作為防病毒引擎來檢測Docker Images/Containers中包含的特洛伊木馬,病毒,惡意軟件和其他惡意威脅。
DAGDA支持多個Linux基礎圖像:
DAGDA基於OWASP依賴性檢查 +退休。 JS,以分析以下分析多個依賴關係:
另一方面, DAGDA與FALCO集成,用於監視運行的Docker容器以檢測異常活動。此外, DAGDA還包括Docker Daemon的實時活動的聚集。
最後,Docker Image/Container的每個分析報告(包括所有靜態分析和所有運行時監視)都存儲在同一MongoDB中,以便在需要時擁有每個Docker Image/Container的歷史記錄。
在DAGDA使用之前,您必須安裝下一個要求:
可以使用PIP安裝要求:
sudo pip3 install -r requirements.txt您必須已經安裝了使用DAGDA的Docker。如果您需要Docker安裝的說明,請參閱“ Howto intermant docker”頁面。
為了避免使用docker命令時必須使用sudo ,請創建一個名為docker的Unix組並將用戶添加到其中。當docker守護程序開始時,它使docker Group的Unix套接字讀/寫道的所有權。
您必須已經安裝了MongoDB 3.6或更高版本才能使用DAGDA ,因為在MongoDB中既存儲了漏洞/exploits和分析結果。
如果您需要有關MongoDB安裝的說明,請參見How-Tointion Mongodb Community Edition頁面。
您也可以使用Docker運行MongoDB:
docker pull mongo
docker run -d -p 27017:27017 mongo您必須在主機OS中安裝了內核標題,因為DAGDA與FALCO集成在一起,以監視運行的Docker容器以檢測異常活動。
通常可以在類似Debian的發行版上完成: apt-get -y install linux-headers-$(uname -r)
或者,在類似Rhel的分佈上: yum -y install kernel-devel-$(uname -r)
之後,建議使用命令/usr/lib/dkms/dkms_autoinstaller start來避免下一個sysdig falco錯誤跟踪:
rmmod: ERROR: Module sysdig_probe is not currently loaded
重要的是要注意:在某些分佈中,已經檢測到需要SYSDIG安裝,因此,如果您需要SYSDIG安裝的說明,請參見Linux頁面的HOFTO SENTALSSDIG。
您必須運行python3 dagda.py start以啟動dagda服務器。有關詳細信息,請參見Wiki頁面中的開始子命令。
DAGDA服務器啟動並在DAGDA CLI使用之前,您必鬚根據需要設置下一個環境變量:
export DAGDA_HOST= ' 127.0.0.1 '
export DAGDA_PORT=5000儘管在此用法文檔中僅顯示CLI使用情況,但DAGDA具有用於使用它的REST API。有關詳細信息,請參見REST API文檔頁面。
對於初始運行,您需要通過運行來填充數據庫中的漏洞和利用:
python3 dagda.py vuln --init上一個命令可能需要幾分鐘的時間才能完成,所以要耐心等待。
如果您需要重新流動數據庫以使用新的漏洞和利用來更新,則只需要重新運行上一個命令即可。
另外,您可以使用dagda.py vuln在個人數據庫上運行查詢。用法示例將是下一個:
python3 dagda.py vuln --product openldap --product_version 2.2.20上一個查詢的預期輸出如下:
[
{
"CVE-2005-4442" : {
"cveid" : " CVE-2005-4442 " ,
"cvss_access_complexity" : " Low " ,
"cvss_access_vector" : " Local access " ,
"cvss_authentication" : " None required " ,
"cvss_availability_impact" : " Complete " ,
"cvss_base" : 7.2 ,
"cvss_confidentiality_impact" : " Complete " ,
"cvss_exploit" : 3.9 ,
"cvss_impact" : 10.0 ,
"cvss_integrity_impact" : " Complete " ,
"cvss_vector" : [
" AV:L " ,
" AC:L " ,
" Au:N " ,
" C:C " ,
" I:C " ,
" A:C "
],
"cweid" : " CWE-0 " ,
"mod_date" : " 05-09-2008 " ,
"pub_date" : " 20-12-2005 " ,
"summary" : " Untrusted search path vulnerability in OpenLDAP before 2.2.28-r3 on Gentoo Linux allows local users in the portage group to gain privileges via a malicious shared object in the Portage temporary build directory, which is part of the RUNPATH. "
}
},
{
"CVE-2006-2754" : {
"cveid" : " CVE-2006-2754 " ,
"cvss_access_complexity" : " Low " ,
"cvss_access_vector" : " Network " ,
"cvss_authentication" : " None required " ,
"cvss_availability_impact" : " None " ,
"cvss_base" : 5.0 ,
"cvss_confidentiality_impact" : " None " ,
"cvss_exploit" : 10.0 ,
"cvss_impact" : 2.9 ,
"cvss_integrity_impact" : " Partial " ,
"cvss_vector" : [
" AV:N " ,
" AC:L " ,
" Au:N " ,
" C:N " ,
" I:P " ,
" A:N "
],
"cweid" : " CWE-0 " ,
"mod_date" : " 07-03-2011 " ,
"pub_date" : " 01-06-2006 " ,
"summary" : " Stack-based buffer overflow in st.c in slurpd for OpenLDAP before 2.3.22 might allow attackers to execute arbitrary code via a long hostname. "
}
},
{
"CVE-2006-5779" : {
"cveid" : " CVE-2006-5779 " ,
"cvss_access_complexity" : " Low " ,
"cvss_access_vector" : " Network " ,
"cvss_authentication" : " None required " ,
"cvss_availability_impact" : " Partial " ,
"cvss_base" : 5.0 ,
"cvss_confidentiality_impact" : " None " ,
"cvss_exploit" : 10.0 ,
"cvss_impact" : 2.9 ,
"cvss_integrity_impact" : " None " ,
"cvss_vector" : [
" AV:N " ,
" AC:L " ,
" Au:N " ,
" C:N " ,
" I:N " ,
" A:P "
],
"cweid" : " CWE-399 " ,
"mod_date" : " 26-08-2011 " ,
"pub_date" : " 07-11-2006 " ,
"summary" : " OpenLDAP before 2.3.29 allows remote attackers to cause a denial of service (daemon crash) via LDAP BIND requests with long authcid names, which triggers an assertion failure. "
}
},
{
"CVE-2006-6493" : {
"cveid" : " CVE-2006-6493 " ,
"cvss_access_complexity" : " High " ,
"cvss_access_vector" : " Network " ,
"cvss_authentication" : " None required " ,
"cvss_availability_impact" : " Partial " ,
"cvss_base" : 5.1 ,
"cvss_confidentiality_impact" : " Partial " ,
"cvss_exploit" : 4.9 ,
"cvss_impact" : 6.4 ,
"cvss_integrity_impact" : " Partial " ,
"cvss_vector" : [
" AV:N " ,
" AC:H " ,
" Au:N " ,
" C:P " ,
" I:P " ,
" A:P "
],
"cweid" : " CWE-0 " ,
"mod_date" : " 07-03-2011 " ,
"pub_date" : " 12-12-2006 " ,
"summary" : " Buffer overflow in the krbv4_ldap_auth function in servers/slapd/kerberos.c in OpenLDAP 2.4.3 and earlier, when OpenLDAP is compiled with the --enable-kbind (Kerberos KBIND) option, allows remote attackers to execute arbitrary code via an LDAP bind request using the LDAP_AUTH_KRBV41 authentication method and long credential data. "
}
},
{
"CVE-2007-5707" : {
"cveid" : " CVE-2007-5707 " ,
"cvss_access_complexity" : " Medium " ,
"cvss_access_vector" : " Network " ,
"cvss_authentication" : " None required " ,
"cvss_availability_impact" : " Complete " ,
"cvss_base" : 7.1 ,
"cvss_confidentiality_impact" : " None " ,
"cvss_exploit" : 8.6 ,
"cvss_impact" : 6.9 ,
"cvss_integrity_impact" : " None " ,
"cvss_vector" : [
" AV:N " ,
" AC:M " ,
" Au:N " ,
" C:N " ,
" I:N " ,
" A:C "
],
"cweid" : " CWE-399 " ,
"mod_date" : " 07-03-2011 " ,
"pub_date" : " 30-10-2007 " ,
"summary" : " OpenLDAP before 2.3.39 allows remote attackers to cause a denial of service (slapd crash) via an LDAP request with a malformed objectClasses attribute. NOTE: this has been reported as a double free, but the reports are inconsistent. "
}
},
{
"CVE-2007-5708" : {
"cveid" : " CVE-2007-5708 " ,
"cvss_access_complexity" : " Medium " ,
"cvss_access_vector" : " Network " ,
"cvss_authentication" : " None required " ,
"cvss_availability_impact" : " Complete " ,
"cvss_base" : 7.1 ,
"cvss_confidentiality_impact" : " None " ,
"cvss_exploit" : 8.6 ,
"cvss_impact" : 6.9 ,
"cvss_integrity_impact" : " None " ,
"cvss_vector" : [
" AV:N " ,
" AC:M " ,
" Au:N " ,
" C:N " ,
" I:N " ,
" A:C "
],
"cweid" : " CWE-399 " ,
"mod_date" : " 07-03-2011 " ,
"pub_date" : " 30-10-2007 " ,
"summary" : " slapo-pcache (overlays/pcache.c) in slapd in OpenLDAP before 2.3.39, when running as a proxy-caching server, allocates memory using a malloc variant instead of calloc, which prevents an array from being initialized properly and might allow attackers to cause a denial of service (segmentation fault) via unknown vectors that prevent the array from being null terminated. "
}
},
{
"CVE-2011-4079" : {
"cveid" : " CVE-2011-4079 " ,
"cvss_access_complexity" : " Low " ,
"cvss_access_vector" : " Network " ,
"cvss_authentication" : " Requires single instance " ,
"cvss_availability_impact" : " Partial " ,
"cvss_base" : 4.0 ,
"cvss_confidentiality_impact" : " None " ,
"cvss_exploit" : 8.0 ,
"cvss_impact" : 2.9 ,
"cvss_integrity_impact" : " None " ,
"cvss_vector" : [
" AV:N " ,
" AC:L " ,
" Au:S " ,
" C:N " ,
" I:N " ,
" A:P "
],
"cweid" : " CWE-189 " ,
"mod_date" : " 06-01-2017 " ,
"pub_date" : " 27-10-2011 " ,
"summary" : " Off-by-one error in the UTF8StringNormalize function in OpenLDAP 2.4.26 and earlier allows remote attackers to cause a denial of service (slapd crash) via a zero-length string that triggers a heap-based buffer overflow, as demonstrated using an empty postalAddressAttribute value in an LDIF entry. "
}
},
{
"BID-83610" : {
"bugtraq_id" : 83610 ,
"class" : " Failure to Handle Exceptional Conditions " ,
"cve" : [
" CVE-2006-6493 "
],
"local" : " no " ,
"remote" : " yes " ,
"title" : " OpenLDAP CVE-2006-6493 Remote Security Vulnerability "
}
},
{
"BID-83843" : {
"bugtraq_id" : 83843 ,
"class" : " Failure to Handle Exceptional Conditions " ,
"cve" : [
" CVE-2006-2754 "
],
"local" : " no " ,
"remote" : " yes " ,
"title" : " OpenLDAP CVE-2006-2754 Remote Security Vulnerability "
}
}
]要獲取有關特定CVE的所有信息,您必須運行下一個命令:
python3 dagda.py vuln --cve_info CVE-2009-2890上一個查詢的預期輸出如下:
[
{
"cveid" : " CVE-2009-2890 " ,
"cvss_access_complexity" : " Medium " ,
"cvss_access_vector" : " Network " ,
"cvss_authentication" : " None required " ,
"cvss_availability_impact" : " None " ,
"cvss_base" : 4.3 ,
"cvss_confidentiality_impact" : " None " ,
"cvss_exploit" : 8.6 ,
"cvss_impact" : 2.9 ,
"cvss_integrity_impact" : " Partial " ,
"cvss_vector" : [
" AV:N " ,
" AC:M " ,
" Au:N " ,
" C:N " ,
" I:P " ,
" A:N "
],
"cweid" : " CWE-79 " ,
"mod_date" : " 20-08-2009 " ,
"pub_date" : " 20-08-2009 " ,
"summary" : " Cross-site scripting (XSS) vulnerability in results.php in PHP Scripts Now Riddles allows remote attackers to inject arbitrary web script or HTML via the searchquery parameter. "
}
]如果您想了解有關dagda.py vuln的更多詳細信息,請鍵入python3 dagda.py vuln --help或查看Wiki頁面中的vuln子命令。
該數據庫稱為vuln_database ,有10個集合:
http://www.securityfocus.com/ ) - 源biddb_downloader在接下來的小節中,對已知漏洞,特洛伊木馬,病毒,惡意軟件和其他惡意威脅進行靜態分析以及監視運行Docker容器以檢測異常活動的靜態分析。
DAGDA的主要目標之一是對Docker Images/Container中的已知漏洞,特洛伊木馬,病毒,惡意軟件和其他惡意威脅進行分析,因此,如果您想對Docker Image/Container進行分析,則必須輸入:
python3 dagda.py check --docker_image jboss/wildfly有關詳細信息,請參見檢查子命令WIKI頁面。
上一個命令的預期輸出將是下一個命令。在此輸出中, DAGDA響應分析id 。
{
"id" : " 58667994ed253915723c50e7 " ,
"msg" : " Accepted the analysis of <jboss/wildfly> "
}另外,如果您想以遠程方式運行靜態分析,則可以使用代理子命令:
python3 dagda.py agent localhost:5000 -i jboss/wildfly上一個命令的預期輸出將是下一個命令。在此輸出中, DAGDA響應分析id 。
{
"id" : " 58667994ed253915723c50e7 " ,
"image_name" : " jboss/wildfly "
}如果您想查看混凝土碼頭分析,則必須輸入:
python3 dagda.py history < DOCKER_IMAGE_NAME_HERE > --id < REPORT_ID_HERE >有關dagda.py history的更多詳細信息,請鍵入python3 dagda.py history --help或查看Wiki頁面中的歷史記錄子命令。
分析可能需要幾分鐘才能完成,因此請耐心等待。如果您鍵入上一個命令,則在鍵入python3 dagda.py history jboss/wildfly --id 58667994ed253915723c50e7時,預期輸出如下所示。
{
"id" : " 58667994ed253915723c50e7 " ,
"image_name" : " jboss/wildfly " ,
"status" : " Completed " ,
"timestamp" : " 2016-12-14 13:17:12.802486 " ,
"static_analysis" : {
"malware_binaries" : [
{
"file" : " /tmp/test/removal-tool.exe " ,
"malware" : " Worm.Sober "
},
{
"file" : " /tmp/test/error.hta " ,
"malware" : " VBS.Inor.D "
}
],
"os_packages" : {
"total_os_packages" : 182 ,
"vuln_os_packages" : 41 ,
"ok_os_packages" : 141 ,
"os_packages_details" : [
{
"product" : " sed " ,
"version" : " 4.2.2 " ,
"is_vulnerable" : false ,
"is_false_positive" : false ,
"vulnerabilities" : []
},
{
"product" : " grep " ,
"version" : " 2.20 " ,
"is_vulnerable" : true ,
"is_false_positive" : false ,
"vulnerabilities" : [
{
"CVE-2015-1345" : {
"cveid" : " CVE-2015-1345 " ,
"cvss_access_complexity" : " Low " ,
"cvss_access_vector" : " Local access " ,
"cvss_authentication" : " None required " ,
"cvss_availability_impact" : " Partial " ,
"cvss_base" : 2.1 ,
"cvss_confidentiality_impact" : " None " ,
"cvss_exploit" : 3.9 ,
"cvss_impact" : 2.9 ,
"cvss_integrity_impact" : " None " ,
"cvss_vector" : [
" AV:L " ,
" AC:L " ,
" Au:N " ,
" C:N " ,
" I:N " ,
" A:P "
],
"cweid" : " CWE-119 " ,
"mod_date" : " 23-12-2016 " ,
"pub_date" : " 12-02-2015 " ,
"summary" : " The bmexec_trans function in kwset.c in grep 2.19 through 2.21 allows local users to cause a denial of service (out-of-bounds heap read and crash) via crafted input when using the -F option. "
}
}
]
},
{
"product" : " lua " ,
"version" : " 5.1.4 " ,
"is_vulnerable" : true ,
"is_false_positive" : false ,
"vulnerabilities" : [
{
"CVE-2014-5461" : {
"cveid" : " CVE-2014-5461 " ,
"cvss_access_complexity" : " Low " ,
"cvss_access_vector" : " Network " ,
"cvss_authentication" : " None required " ,
"cvss_availability_impact" : " Partial " ,
"cvss_base" : 5.0 ,
"cvss_confidentiality_impact" : " None " ,
"cvss_exploit" : 10.0 ,
"cvss_impact" : 2.9 ,
"cvss_integrity_impact" : " None " ,
"cvss_vector" : [
" AV:N " ,
" AC:L " ,
" Au:N " ,
" C:N " ,
" I:N " ,
" A:P "
],
"cweid" : " CWE-119 " ,
"mod_date" : " 06-01-2017 " ,
"pub_date" : " 04-09-2014 " ,
"summary" : " Buffer overflow in the vararg functions in ldo.c in Lua 5.1 through 5.2.x before 5.2.3 allows context-dependent attackers to cause a denial of service (crash) via a small number of arguments to a function with a large number of fixed arguments. "
}
},
{
"BID-34237" : {
"bugtraq_id" : 34237 ,
"class" : " Unknown " ,
"cve" : [],
"local" : " no " ,
"remote" : " yes " ,
"title" : " Lua Unspecified Bytecode Verifier Security Vulnerability "
}
}
]
},
[ ... ]
, {
"product" : " sqlite " ,
"version" : " 3.7.17 " ,
"is_vulnerable" : false ,
"is_false_positive" : false ,
"vulnerabilities" : []
}
]
},
"prog_lang_dependencies" : {
"vuln_dependencies" : 9 ,
"dependencies_details" : {
"java" : [
{
"product" : " xalan-java " ,
"version" : " 2.5.2 " ,
"product_file_path" : " /opt/jboss/java/xalan.2.5.2.jar " ,
"is_vulnerable" : true ,
"is_false_positive" : false ,
"vulnerabilities" : [
{
"CVE-2014-0107" : {
"cveid" : " CVE-2014-0107 " ,
"cvss_access_complexity" : " Low " ,
"cvss_access_vector" : " Network " ,
"cvss_authentication" : " None required " ,
"cvss_availability_impact" : " Partial " ,
"cvss_base" : 7.5 ,
"cvss_confidentiality_impact" : " Partial " ,
"cvss_exploit" : 10.0 ,
"cvss_impact" : 6.4 ,
"cvss_integrity_impact" : " Partial " ,
"cvss_vector" : [
" AV:N " ,
" AC:L " ,
" Au:N " ,
" C:P " ,
" I:P " ,
" A:P "
],
"cweid" : " CWE-264 " ,
"mod_date" : " 06-01-2017 " ,
"pub_date" : " 15-04-2014 " ,
"summary" : " The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function. "
}
},
{
"BID-66397" : {
"bugtraq_id" : 66397 ,
"class" : " Input Validation Error " ,
"cve" : [
" CVE-2014-0107 "
],
"local" : " no " ,
"remote" : " yes " ,
"title" : " Apache Xalan-Java Library CVE-2014-0107 Security Bypass Vulnerability "
}
}
]
},
{
"product" : " jboss_wildfly_application_server " ,
"version" : " - " ,
"product_file_path" : " /opt/jboss/java/jboss_wildfly_application_server.jar " ,
"is_vulnerable" : true ,
"is_false_positive" : false ,
"vulnerabilities" : [
{
"CVE-2014-0018" : {
"cveid" : " CVE-2014-0018 " ,
"cvss_access_complexity" : " Medium " ,
"cvss_access_vector" : " Local access " ,
"cvss_authentication" : " None required " ,
"cvss_availability_impact" : " None " ,
"cvss_base" : 1.9 ,
"cvss_confidentiality_impact" : " None " ,
"cvss_exploit" : 3.4 ,
"cvss_impact" : 2.9 ,
"cvss_integrity_impact" : " Partial " ,
"cvss_vector" : [
" AV:L " ,
" AC:M " ,
" Au:N " ,
" C:N " ,
" I:P " ,
" A:N "
],
"cweid" : " CWE-264 " ,
"mod_date" : " 06-01-2017 " ,
"pub_date" : " 14-02-2014 " ,
"summary" : " Red Hat JBoss Enterprise Application Platform (JBEAP) 6.2.0 and JBoss WildFly Application Server, when run under a security manager, do not properly restrict access to the Modular Service Container (MSC) service registry, which allows local users to modify the server via a crafted deployment. "
}
}
]
},
[ ... ]
, {
"product" : " jboss_weld " ,
"version" : " 3.0.0 " ,
"product_file_path" : " /opt/jboss/java/jboss_weld.3.0.0.jar " ,
"is_vulnerable" : true ,
"is_false_positive" : false ,
"vulnerabilities" : [
{
"CVE-2014-8122" : {
"cveid" : " CVE-2014-8122 " ,
"cvss_access_complexity" : " Medium " ,
"cvss_access_vector" : " Network " ,
"cvss_authentication" : " None required " ,
"cvss_availability_impact" : " None " ,
"cvss_base" : 4.3 ,
"cvss_confidentiality_impact" : " Partial " ,
"cvss_exploit" : 8.6 ,
"cvss_impact" : 2.9 ,
"cvss_integrity_impact" : " None " ,
"cvss_vector" : [
" AV:N " ,
" AC:M " ,
" Au:N " ,
" C:P " ,
" I:N " ,
" A:N "
],
"cweid" : " CWE-362 " ,
"mod_date" : " 13-05-2015 " ,
"pub_date" : " 13-02-2015 " ,
"summary" : " Race condition in JBoss Weld before 2.2.8 and 3.x before 3.0.0 Alpha3 allows remote attackers to obtain information from a previous conversation via vectors related to a stale thread state. "
}
}
]
}
],
"js" : [],
"nodejs" : [],
"php" : [],
"python" : [
{
"product" : " lxml " ,
"version" : " 1.0.1 " ,
"product_file_path" : " /opt/jboss/python/lxml.1.0.1.py " ,
"is_vulnerable" : true ,
"is_false_positive" : false ,
"vulnerabilities" : [
{
"CVE-2014-3146" : {
"cveid" : " CVE-2014-3146 " ,
"cvss_access_complexity" : " Medium " ,
"cvss_access_vector" : " Network " ,
"cvss_authentication" : " None required " ,
"cvss_availability_impact" : " None " ,
"cvss_base" : 4.3 ,
"cvss_confidentiality_impact" : " None " ,
"cvss_exploit" : 8.6 ,
"cvss_impact" : 2.9 ,
"cvss_integrity_impact" : " Partial " ,
"cvss_vector" : [
" AV:N " ,
" AC:M " ,
" Au:N " ,
" C:N " ,
" I:P " ,
" A:N "
],
"cweid" : " CWE-0 " ,
"mod_date" : " 14-04-2015 " ,
"pub_date" : " 14-05-2014 " ,
"summary" : " Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function. "
}
}
]
}
],
"ruby" : []
}
}
}
}另一個主要的DAGDA目標是執行運行Docker容器的監視以檢測異常活動,因此,如果您想通過運行的Docker容器執行監視,則必須輸入:
python3 dagda.py monitor 69dbf26ab368 --start有關詳細信息,請參見監視器子命令WIKI頁面。
預期輸出看起來如下所示:
{
"id" : " 586f7631ed25396a829baaf4 " ,
"image_name" : " jboss/wildfly " ,
"msg" : " Monitoring of docker container with id <69dbf26ab368> started "
}如果您打字時,可以在需要時停止監視:
python3 dagda.py monitor 69dbf26ab368 --stop當您在運行容器上停止監視時的預期輸出如下所示:
{
"id" : " 586f7631ed25396a829baaf4 " ,
"image_name" : " jboss/wildfly " ,
"timestamp" : " 2017-01-06 10:49:21.212508 " ,
"status" : " Completed " ,
"runtime_analysis" : {
"container_id" : " 69dbf26ab368 " ,
"start_timestamp" : " 2017-01-06 10:49:21.212508 " ,
"stop_timestamp" : " 2017-01-06 10:50:16.343847 " ,
"anomalous_activities_detected" : {
"anomalous_counts_by_severity" : {
"Warning" : 2
},
"anomalous_activities_details" : [{
"output" : " 10:49:47.492517329: Warning Unexpected setuid call by non-sudo, non-root program (user=<NA> command=ping 8.8.8.8 uid=<NA>) container=thirsty_spence (id=69dbf26ab368) " ,
"priority" : " Warning " ,
"rule" : " Non sudo setuid " ,
"time" : " 2017-01-06 10:49:47.492516 "
}, {
"output" : " 10:49:53.181654702: Warning Unexpected setuid call by non-sudo, non-root program (user=<NA> command=ping 8.8.4.4 uid=<NA>) container=thirsty_spence (id=69dbf26ab368) " ,
"priority" : " Warning " ,
"rule" : " Non sudo setuid " ,
"time" : " 2017-01-06 10:49:53.181653 "
}]
}
}
}如果您想查看所有報告,請參閱“歷史記錄命令”。
DAGDA包括Docker Daemon的實時事件的收集,因此,如果您想獲得所有Docker Daemon事件,則必須輸入:
python3 dagda.py docker events預期輸出看起來如下所示:
[
{
"Action" : " attach " ,
"Actor" : {
"Attributes" : {
"build-date" : " 20171128 " ,
"image" : " jboss/wildfly " ,
"license" : " GPLv2 " ,
"name" : " amazing_wilson " ,
"vendor" : " CentOS "
},
"ID" : " 73c5ed015df661ce799baa685a39c32125a47b71f3476e9d452adc381fb8114c "
},
"Type" : " container " ,
"from" : " jboss/wildfly " ,
"id" : " 73c5ed015df661ce799baa685a39c32125a47b71f3476e9d452adc381fb8114c " ,
"scope" : " local " ,
"status" : " attach " ,
"time" : 1517323482 ,
"timeNano" : 1517323482957358115
},
{
"Action" : " create " ,
"Actor" : {
"Attributes" : {
"build-date" : " 20171128 " ,
"image" : " jboss/wildfly " ,
"license" : " GPLv2 " ,
"name" : " amazing_wilson " ,
"vendor" : " CentOS "
},
"ID" : " 73c5ed015df661ce799baa685a39c32125a47b71f3476e9d452adc381fb8114c "
},
"Type" : " container " ,
"from" : " jboss/wildfly " ,
"id" : " 73c5ed015df661ce799baa685a39c32125a47b71f3476e9d452adc381fb8114c " ,
"scope" : " local " ,
"status" : " create " ,
"time" : 1517323482 ,
"timeNano" : 1517323482944595092
}
]如果要查看此命令的所有允許過濾器,請參見Docker命令。
本節介紹了使用Docker容器(包括Mongo數據庫和Dogda容器)使用docker-compose安裝DAGDA 。 Docker插座與DAGDA容器共享,因此可以從執行docker-compose主機中檢查Docker映像和容器。
在DAGDA的根文件夾中執行以下命令,然後, DAGDA服務器將在端口5000開始收聽:
docker-compose build
docker-compose up -d下面顯示了有關DAGDA內部工作流程的10,000英尺圖:
通常,達格達效果很好,但是有些情況可能會引起問題。如果您遇到問題,請檢查故障排除頁面是否進行修復。
有關詳細信息,請參見“更改日誌”頁面。
有關錯誤,問題和討論,請使用github問題或在Twitter上(@3grander)ping我。
