Updating the Trivy database in an air-gapped environment
Another technical deep dive from the SPIRIT/21 blog, this time on infrastructure virtualization. vSphere with Tanzu is a VMware solution for running Kubernetes workloads on existing IT infrastructure. By integrating Kubernetes with vSphere, organizations can operate modern applications and bridge the gap between IT operations and developers. Here we look at one specific aspect of the solution: keeping the vulnerability database of Harbor's built-in Trivy scanner current when the cluster has no Internet access.
What is an air-gapped system?
An air-gapped system is a computer or network that is physically and logically isolated from other networks, so that no data can flow in or out except by deliberate, manual transfer. In particular, it has no connection to the Internet. Anything that normally keeps itself up to date online, such as a vulnerability database, therefore has to be updated by hand.
What is Trivy?
Trivy is an open-source security scanner for container images and applications. It matches the packages found in an image against a locally cached vulnerability database; after the first download, only changes to that database are fetched, which keeps later scans fast. Without a copy of this database Trivy cannot report vulnerabilities at all, and with an outdated copy it silently misses everything published since the last update.
Trivy in an air-gapped environment
Since VMware introduced Supervisor Services, the Harbor Supervisor Service ships with the Trivy vulnerability scanner. Before Trivy can scan anything, its database must be downloaded at least once, because it is not bundled with the installation. In an air-gapped cluster the Trivy pod cannot perform that download itself.
The workaround is to download the database on a "live" Trivy instance (one with Internet access) and copy the resulting files into the air-gapped Trivy instance.
Install Trivy on an Ubuntu VM with Internet access:
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
Download the Trivy DB only, without running a scan. On Linux, Trivy stores it under ~/.cache/trivy/db/ by default:
trivy server --download-db-only
Copy the files "trivy.db" and "metadata.json" from that directory into the Trivy container:
Find the Trivy pod
kubectl -n svc-harbor-domain-c10 get pods
NAME                                 READY   STATUS    RESTARTS      AGE
harbor-core-79485fdb96-v9hnf         1/1     Running   1 (11h ago)   11h
harbor-database-0                    1/1     Running                 11h
harbor-exporter-7f6d468c67-4hzql     1/1     Running                 11h
harbor-jobservice-5bd8445875-sbq26   1/1     Running   3 (11h ago)   11h
harbor-portal-8667958c6c-csbq5       1/1     Running                 11h
harbor-redis-0                       1/1     Running                 11h
harbor-registry-648cf9d757-vlwkz     2/2     Running                 11h
harbor-trivy-0                       1/1     Running                 11h
Open a terminal in the Trivy container
kubectl -n svc-harbor-domain-c10 exec harbor-trivy-0 -it -- /bin/sh
Create the directory into which the db and json files will be copied
sh-5.0$ mkdir -p /home/scanner/.cache/trivy/db
sh-5.0$ exit
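The post stops at creating the target directory; the transfer itself and a check that what arrived in the pod is what left the connected VM are the steps a practitioner still has to do. The script below is an added example written for this page, not code from the SPIRIT/21 post, from Trivy or from Harbor. It assumes the namespace and pod names shown above (svc-harbor-domain-c10, harbor-trivy-0), the default Trivy cache directory on the connected VM, and the /home/scanner/.cache/trivy/db path inside the container; all of these can be overridden through the environment. It first checks the downloaded DB (both files present and non-empty, and the NextUpdate timestamp in metadata.json still in the future, so a stale DB is not carried across the air gap by mistake), then streams the files into the pod through kubectl exec -i (which, unlike kubectl cp, does not require tar in the scanner image), and finally compares the SHA-256 of trivy.db on both sides.

```shell
#!/bin/sh
# Added example (not from the SPIRIT/21 post, Trivy or Harbor): carry a freshly
# downloaded Trivy DB from the connected VM into the Harbor Trivy pod and verify
# the transfer. Hypothetical defaults: namespace svc-harbor-domain-c10, pod
# harbor-trivy-0, source $HOME/.cache/trivy/db; override via the environment.
set -eu

KUBECTL="${KUBECTL:-kubectl}"                     # point at a wrapper to dry-run
NAMESPACE="${NAMESPACE:-svc-harbor-domain-c10}"
POD="${POD:-harbor-trivy-0}"
SRC_DIR="${SRC_DIR:-$HOME/.cache/trivy/db}"       # written by --download-db-only
DEST_DIR="${DEST_DIR:-/home/scanner/.cache/trivy/db}"

# Sanity-check a DB directory before carrying it across the air gap.
# Returns 0 if usable, 1 if a file is missing/empty or metadata.json has no
# NextUpdate, 2 if NextUpdate is already in the past (a scan with that DB
# would miss every CVE published since). $2 optionally overrides "now"
# (UTC, ISO 8601), which also makes the check testable offline.
check_db_dir() {
    dir="$1"
    now="${2:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}"
    for f in trivy.db metadata.json; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
    done
    # metadata.json is a flat JSON object, so a sed capture pulls the field.
    next=$(sed -n 's/.*"NextUpdate": *"\([^"]*\)".*/\1/p' "$dir/metadata.json")
    [ -n "$next" ] || { echo "no NextUpdate in $dir/metadata.json" >&2; return 1; }
    # Both timestamps are UTC ISO 8601, so plain string order is time order.
    expr "$next" \> "$now" >/dev/null || { echo "DB stale: NextUpdate=$next" >&2; return 2; }
    return 0
}

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Stream each file into the pod via `kubectl exec -i`; unlike `kubectl cp`
# this works even if the scanner image has no tar binary.
push_db() {
    "$KUBECTL" -n "$NAMESPACE" exec "$POD" -- mkdir -p "$DEST_DIR"
    for f in trivy.db metadata.json; do
        "$KUBECTL" -n "$NAMESPACE" exec -i "$POD" -- sh -c "cat > '$DEST_DIR/$f'" < "$SRC_DIR/$f"
    done
}

# Compare the SHA-256 of trivy.db on both sides; a truncated or corrupted copy
# would otherwise show up only as strange scan results. Returns 0 on match.
verify_remote() {
    local_sum=$(sha256_of "$SRC_DIR/trivy.db")
    remote_sum=$("$KUBECTL" -n "$NAMESPACE" exec "$POD" -- sha256sum "$DEST_DIR/trivy.db" | cut -d' ' -f1)
    [ "$local_sum" = "$remote_sum" ] || { echo "checksum mismatch: $local_sum != $remote_sum" >&2; return 1; }
    echo "trivy.db verified in $POD ($local_sum)"
}

# Usage on the machine that has both the DB files and kubectl access:
#   sh airgap-trivy-db.sh push
if [ "${1:-}" = "push" ]; then
    check_db_dir "$SRC_DIR" && push_db && verify_remote
fi
```

Run it on a machine that has both the files from the connected VM and kubectl access to the Supervisor cluster (after carrying the two files across the air gap on approved media). The stale check deliberately fails closed: a DB whose NextUpdate has passed is rejected rather than installed, because an old database produces clean-looking scan reports that are simply incomplete. Note also that the Harbor Trivy adapter (harbor-scanner-trivy) has its own update switch, SCANNER_TRIVY_SKIP_UPDATE; where your deployment exposes it, set it so the adapter does not try to reach the Internet and overwrite the copied files.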
Conclusion
Even in air-gapped environments, the Trivy database can be kept up to date with a small detour via a connected instance. If you face further challenges in your infrastructure, or have suggestions or questions, don't hesitate to contact us.
Muhamed Ahmovic
Technical Presales
Phone: +49 172 629 6400
E-Mail: mahmovic@spirit21.com
Muhamed is responsible for the design, planning and implementation of IT solutions with a focus on VMware, Storages and Microsoft. If you have any questions about encryption technologies, you’ve come to the right place.