
Tripwire for DevOps continues to add new features and capabilities. The newest of these is the ability to perform vulnerability scans against Amazon Machine Images (AMIs) in the same Tripwire for DevOps workflow used for your Docker containers. This blog will discuss the creation of AMIs and how to audit them for vulnerabilities within Tripwire for DevOps.

Amazon Web Services (AWS) uses the Amazon Machine Image mechanism to bring DevOps practices such as immutable, versioned builds to more monolithic application stacks. AMIs are templates stored in AWS from which new operating system instances are launched in the AWS cloud, much like the virtual machine image formats used by other virtualization platforms. Not all applications or services can be easily containerized, and baking an AMI per release is one way of achieving continuous delivery for monolithic applications and services.

Tripwire for DevOps allows you to evaluate your Amazon Machine Images for known vulnerabilities at build time, before they have been instantiated in your environment. A vulnerable image can be rejected before it ever runs, which closes the window in which a known vulnerability would otherwise be live while waiting for a post-deployment scan to catch it.

The first step in deploying an AMI template in AWS is creating one suited to your application stack. There are multiple ways of making a new AMI, including converting other popular virtualization formats into an AMI.

One tool we make use of at Tripwire is Packer by HashiCorp, which can be used to create and configure AMIs. For purposes of a demo, I used a Packer template found online to create an AMI containing an Apache webserver. The AMI is built with the following command:

[Screenshot: the Packer build command used to create the AMI]

When the Packer build completes, Packer prints the AMI ID of the newly created AMI within AWS. You can use this or any other AMI ID within Tripwire for DevOps.
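In an automated pipeline you do not want to copy the AMI ID from the console output by hand. The script below is an added example (not Tripwire's or HashiCorp's code) that reads the JSON file written by Packer's built-in `manifest` post-processor and returns the AMI(s) produced by the most recent run, so the ID can be handed straight to the scanner. The manifest contents are constructed for the example; the `artifact_id` layout (`region:ami-id`, comma-separated when the AMI was copied to several regions) and the `last_run_uuid` field are what the real post-processor emits.

```python
"""Extract the AMI ID(s) of the latest Packer build from a manifest file.

Added example, not Tripwire's or HashiCorp's code. Assumes the Packer
template uses the built-in "manifest" post-processor, which writes a JSON
file (packer-manifest.json by default) whose builds carry an
"artifact_id" of the form "<region>:<ami-id>", comma-separated when the
amazon-ebs builder copied the AMI to several regions.
"""
import json
import re
from typing import Dict

# Accept the older 8-hex-character IDs (as in ami-00dd51d2 on this page)
# and the current 17-hex-character form.
AMI_ID_RE = re.compile(r"^ami-[0-9a-f]{8}([0-9a-f]{9})?$")

# Constructed sample manifest: two runs, the latest copied to two regions.
SAMPLE_MANIFEST = json.dumps({
    "builds": [
        {"name": "amazon-ebs", "builder_type": "amazon-ebs",
         "build_time": 1510000000,
         "artifact_id": "us-east-1:ami-0a1b2c3d",
         "packer_run_uuid": "11111111-1111-1111-1111-111111111111"},
        {"name": "amazon-ebs", "builder_type": "amazon-ebs",
         "build_time": 1510003600,
         "artifact_id": "us-east-1:ami-00dd51d2,us-west-2:ami-0123456789abcdef0",
         "packer_run_uuid": "22222222-2222-2222-2222-222222222222"},
    ],
    "last_run_uuid": "22222222-2222-2222-2222-222222222222",
})


def parse_artifact_id(artifact_id: str) -> Dict[str, str]:
    """Split "region:ami-id[,region:ami-id...]" into a region -> AMI map."""
    result: Dict[str, str] = {}
    for part in artifact_id.split(","):
        region, _, ami_id = part.strip().partition(":")
        # Reject anything that does not look like an AMI ID rather than
        # passing a garbled string on to the scanner.
        if not region or not AMI_ID_RE.match(ami_id):
            raise ValueError(f"unexpected artifact_id entry: {part!r}")
        result[region] = ami_id
    return result


def latest_amis(manifest_text: str) -> Dict[str, str]:
    """Return the AMIs produced by the most recent run in the manifest.

    Only builds whose packer_run_uuid matches last_run_uuid are used, so a
    stale entry from an earlier run is never handed to the scanner.
    """
    manifest = json.loads(manifest_text)
    run_uuid = manifest["last_run_uuid"]
    amis: Dict[str, str] = {}
    for build in manifest.get("builds", []):
        if build.get("packer_run_uuid") != run_uuid:
            continue
        if not str(build.get("builder_type", "")).startswith("amazon-"):
            continue
        amis.update(parse_artifact_id(build["artifact_id"]))
    if not amis:
        raise ValueError("no Amazon artifact found for the last run")
    return amis


if __name__ == "__main__":
    # In a real pipeline, read packer-manifest.json instead of the sample.
    for region, ami_id in latest_amis(SAMPLE_MANIFEST).items():
        print(f"{region}: {ami_id}")
```

Each region's AMI is a separate image in AWS, so when the build is copied to several regions every returned ID should be submitted for scanning, not just the first.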

[Screenshot: Packer output showing the ID of the newly created AMI]

Using your new AMI ID (ami-00dd51d2 in this example), you can now request a scan from Tripwire for DevOps. Just as with scanning Docker containers, this process is designed to be automated from within your build tools, such as Jenkins or TeamCity.

[Screenshot: requesting an AMI scan from Tripwire for DevOps]

The twdevops command line tool will request a scan of the AMI within Tripwire for DevOps.

Results of Amazon Machine Image scans can be viewed either within the Tripwire for DevOps user interface or consumed by your build tools for automatic quality gate processing.

Below we can see results shown within Tripwire for DevOps. I have also added a directory traversal vulnerability to my example AMI build process for illustration purposes.

[Screenshot: AMI scan results in the Tripwire for DevOps user interface]

Tripwire for DevOps scan results can also be used directly in your build tools, as results can be ingested in the standard JUnit XML format. The quality gate mechanism can be configured to pass or fail build jobs based on default security levels, or customized completely for your own services.
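As an illustration of what such a gate does with a JUnit report, here is an added example, not Tripwire's code: it treats each failed `<testcase>` as a finding, blocks the build at or above a chosen severity (the "default security level"), and lets a team carry an explicit list of accepted findings (the "customized" policy). The report layout, including the `severity` attribute on `<failure>` and the finding names, is constructed for this example; adapt the element and attribute names to the real report.

```python
"""Quality gate over a JUnit-format vulnerability report.

Added example, not Tripwire's code. The report layout below (one
<testcase> per finding, severity carried as a "severity" attribute on
<failure>) is constructed for this example.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import AbstractSet, Iterable, List

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
UNKNOWN_RANK = max(SEVERITY_RANK.values()) + 1  # fail closed on unknown severity

# Constructed sample report for an AMI scan. xml.etree does not resolve
# external entities, but for reports from an untrusted source prefer defusedxml.
SAMPLE_REPORT = """\
<testsuite name="ami-00dd51d2" tests="5" failures="4">
  <testcase classname="apache2" name="apache2 package current"/>
  <testcase classname="apache2" name="directory traversal in cgi script">
    <failure severity="high" message="CGI script serves files outside its document root"/>
  </testcase>
  <testcase classname="openssl" name="outdated openssl package">
    <failure severity="medium" message="Installed OpenSSL is behind the distribution's fixed version"/>
  </testcase>
  <testcase classname="bash" name="bash hardening">
    <failure severity="low" message="Recommended hardening option not set"/>
  </testcase>
  <testcase classname="scanner" name="unparsed finding">
    <failure message="Finding reported without a severity"/>
  </testcase>
</testsuite>
"""


@dataclass(frozen=True)
class Finding:
    component: str
    name: str
    severity: str
    message: str


def parse_findings(report_xml: str) -> List[Finding]:
    """Collect every failed <testcase> as a Finding, in document order."""
    root = ET.fromstring(report_xml)
    findings = []
    # iter() walks both a bare <testsuite> root and a <testsuites> wrapper.
    for case in root.iter("testcase"):
        failure = case.find("failure")
        if failure is None:
            continue  # passing check, nothing to gate on
        findings.append(Finding(
            component=case.get("classname", ""),
            name=case.get("name", ""),
            severity=failure.get("severity", "unknown").lower(),
            message=failure.get("message", ""),
        ))
    return findings


def gate(findings: Iterable[Finding], fail_at: str = "high",
         accepted: AbstractSet[str] = frozenset()) -> List[Finding]:
    """Return the findings that should fail the build.

    fail_at  - lowest severity that blocks (the default security level).
    accepted - finding names with a documented risk acceptance (custom policy).
    A finding with an unrecognised severity blocks the build rather than
    slipping through, so a change in report format fails closed.
    """
    threshold = SEVERITY_RANK[fail_at]
    return [
        f for f in findings
        if f.name not in accepted
        and SEVERITY_RANK.get(f.severity, UNKNOWN_RANK) >= threshold
    ]


def build_passes(report_xml: str, fail_at: str = "high",
                 accepted: AbstractSet[str] = frozenset()) -> bool:
    """True when no finding in the report blocks the build under this policy."""
    return not gate(parse_findings(report_xml), fail_at, accepted)


if __name__ == "__main__":
    import sys
    blocking = gate(parse_findings(SAMPLE_REPORT))
    for f in blocking:
        print(f"BLOCK {f.severity:8} {f.component}: {f.name} ({f.message})")
    sys.exit(1 if blocking else 0)
```

Keep the accepted list in version control next to the Packer template, so a risk acceptance is reviewed like any other change to the image and expires with it rather than living only in a CI job's configuration.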

Below we can see the Jenkins Test Result, which shows the build failing due to a vulnerability being found.

[Screenshot: Jenkins Test Result showing the build failed by a vulnerability finding]

Tripwire for DevOps enables teams using either Amazon Machine Images or Docker container images to evaluate those images for vulnerabilities earlier in the build process, strengthening security for those practicing continuous delivery.

Learn how to ensure your Docker containers and AWS Machine Images are free from vulnerabilities before they ever hit production here.