3 Chapter 6
Figure 6.1: The Common Vulnerability Scoring System
Figure 6.2: Trivy's assessment of the latest nginx container image
Figure 6.3: Older versions of images tend to flag more issues, as you'd expe...
Figure 6.4: Anchore is up, courtesy of Docker Compose.
Figure 6.5: Only 2 medium-ranked CVEs have been found by Anchore, but 52 low...
Figure 6.6: Harbor has the excellent Clair CVE scanner built-in.
Figure 6.7: Different scanning results again for the nginx container image
Figure 6.8: Harbor lets you inspect the layers of your images with ease.
4 Chapter 7
Figure 7.1: A combination of Docker and Webswing means that running ZAP with...
Figure 7.2: A redacted HTML report from a baseline scan
Figure 7.3: A trimmed screenshot of the HTML report after scanning Nmap’s ho...
5 Chapter 10
Figure 10.1: Fine-grained permissions from GitHub via personal access tokens...
Figure 10.2: GitRob initializing and beginning to scan all repositories belo...
6 Chapter 11
Figure 11.1: The Ansible directory structure, courtesy of the tree command
7 Chapter 12
Figure 12.1: Even an HTTP 403 is revealing.
8 Chapter 13
Figure 13.1: The start of the Netdata installation process
Figure 13.2: Netdata has completed its installation successfully.
Figure 13.3: The top of the dashboard
Figure 13.4: Networking information showing the docker0 network interface
Figure 13.5: The cpuidle dashboard to show how quiet your CPU cores are
Figure 13.6: Temperature metrics can be useful for on-premises hosts that ha...
Figure 13.7: The splash screen for Komiser made available by our container
Figure 13.8: A billing summary per-service plus outstanding support tickets...
Figure 13.9: Checking running instances is useful not just for costs but str...
Figure 13.10: Lambda functions aren't forgotten about in Komiser.
Figure 13.11: Potentially costly utilized network resource in an AWS region...
9 Chapter 14
Figure 14.1: Cloud Custodian courtesy of the Python installation route
Figure 14.2: In the AWS Console or programmatically, add a tag to an EC2 ins...
Figure 14.3: Highly permissive EC2 policy for our first test policy in Cloud...
Figure 14.4: We have stopped our instance successfully using a policy.
10 Chapter 15
Figure 15.1: Some of the permissions that your user/role will need in AWS, b...
Figure 15.2: The start of the Cloud Reports build process, courtesy of Node....
Figure 15.3: The end of the build process
Figure 15.4: The IAM policy is very permissive, even as read-only, so be sur...
Figure 15.5: Check your progress via the Last Used column in IAM for your us...
Figure 15.6: HTML output after using the -f html switch, with the AWS accoun...
Figure 15.7: A relatively empty region in the AWS account still produced 16 ...
Figure 15.8: Prowler needs two IAM policies attached to an IAM user or role....
Figure 15.9: Prowler is firing up and ready to scan a (redacted) AWS account...
11 Chapter 16
Figure 16.1: You should only give S3 Read access to S3 Inspector for obvious...
Figure 16.2: Redacted output from the same results as Listing 16.1, focusing...
Figure 16.3: The top-level listing in the AWS Console of S3 buckets reminds ...
Figure 16.4: There are relatively new Edit Public Access Settings options no...
Figure 16.5: GrayhatWarfare is an excellent resource for learning about stor...
Figure 16.6: Public files discovered in S3 buckets
12 Chapter 18
Figure 18.1: Rakkess output
Figure 18.2: Rakkess output for the certificate-controller account
Figure 18.3: kubectl-who-can get secrets
Figure 18.4: Example of rback output
13 Chapter 19
Figure 19.1: Traffic flow in the base Kubernetes cluster
Figure 19.2: Network traffic after default deny policies applied
Figure 19.3: Network traffic after allow-webapp-access policy added
14 Chapter 20
Figure 20.1: PodSecurityPolicies