'

​CoreOS introduces Clair, a container security monitoring tool

CoreOS's new open-source project Clair, monitors containers security. Since it's so easy for security holes to hide in containers this is no small matter.

Want to see a cloud administrator sweat? Push them on how they're tracking their containers' security. As popular as container technologies such as Docker are, securing them and tracking how they're secured are still works in progress.

quay-image-security.png
With CoreOS's Quay and Clair, it will be much easier to know when your containers are hiding insecurities.
CoreOS, the makers of Linux for massive server deployments and a container power in its own right, is working on an answer: Clair.

This is an open-source project that will provide a tool for monitoring your containers' security. Quentin Machu, a CoreOS software engineer, explained, "Clair is an API-driven analysis service that provides insight into the current vulnerabilities in your containers. It allows you to easily build services that do on-going detection of the vulnerabilities. Clair is open source because CoreOS believes tools that help improve the security of the world's infrastructure should be available to all users and vendors."

In addition, Quay, CoreOS's container registry, will incorporate this new security program in Security Scanning. This new Quay Security Scanning feature, CoreOS claims, will automatically detect and report vulnerabilities in containers.

In internal testing, Quay Security Scanning has already scanned millions of containers. The bad news is that it found that nearly 80 percent of these containers have major vulnerabilities, such as Heartbleed.

Fortunately, CoreOS Linux contains an auto-update tool which patched Heartbleed at the operating system level. Unfortunately, that still leaves a lot of containers with serious security problems hiding inside them. And now you know why serious system administrators lose sleep over containers.

Here's how Quay Security Scanning will work at high level. Every time an image is pushed into Quay, the analysis system will check for vulnerabilities, flag it in the interface, and send a notification. This message will include the level -- high, medium or low -- of the vulnerability. It will include a description of the packages' problem. In the portal, a link is included to the vulnerability's source information. This will include, when available, the steps required to patch the vulnerability.

Clair, in turn, according to Machu, "scans each container layer and provides a notification of vulnerabilities that may be a threat, based on the vulnerability databases Common Vulnerabilities and Exposures (CVE) maintained by Red Hat, Ubuntu, and Debian. Since layers can be shared between many containers, introspection is vital to build an inventory of packages and match that against known CVEs."

You will be able to try Quay Security Scanning with Docker and rkt (formerly Rocket) containers.

Matthew Garrett, CoreOS's principal security software engineer, added in an e-mail,

Vulnerabilities in software are an unfortunate fact of life, and it's vital that admins know about them as soon as possible and be able to apply fixes. Containers add additional security by strengthening the boundaries between applications, but existing ops tooling is frequently unaware of containers and unable to notify admins of potential issues. The Quay Security Scanner, powered by Clair, will increase the visibility of vulnerabilities at the container layer and make it easier for admins to ensure that their networks remain secure. In order to help achieve the CoreOS goal of improving the security of the Internet, we are open sourcing Clair today so the entire industry can benefit.

Let's hope it works as well as CoreOS thinks it will. Containers need a much higher level of security to fulfill their promise.

Related Stories: