"Running a tight ship": A security model for Docker environments

Transcript

1. © 2016 Cassini Consulting Dustin Huptas „Running a tight ship“:

   A security model for Docker environments Berlin, February 5, 2016

2. Disclaimer This is not a hacker talk and I am

   not one. I left out networking as it would require a separate talk. There is no silver bullet. At Least not one. https://www.flickr.com/photos/12587661@N06/2300406685

3. 3 06.02.16 Cassini Consulting Cassini consulting #devops #linux#configmgt#security #virtualization#Containers #networking#ipv6

   Dustin Huptas @dhpts System Architecture, Networking, Security, Dev‘ingthe Ops

4. READY FOR TAKEOFF?

5. Development of Docker and security since 2013 „Docker containers can

   haz networking now!“ Remote API Container Breakout PoC Authorization Bypass on Docker Hub Docker Hub Outage CVE-2014- 8178/8179 Challenges Websockets Official Repos / Docker Hub Docker 1.3.3/1.4.0: Security Fixes Docker Security Bench Trusted Registry Content Trust Improvements 2013 2014 2015

6. Development of Docker and security since 2013 „Docker containers can

   haz networking now!“ Remote API Container Breakout PoC Authorization Bypass on Docker Hub Docker Hub Outage CVE-2014- 8178/8179 Challenges Websockets Official Repos / Docker Hub Docker 1.3.3/1.4.0: Security Fixes Docker Security Bench Trusted Registry Content Trust Improvements 2013 2014 2015 Docker vs. Security Docker and Security

7. Build Chain Registry Docker Host Docker Daemon Push PULL 3

   2 1 4

8. Build Chain 1

9. Latest& Greatest PinnedVersions vs.

10. None

11. Two ways to create your own base images TAR’ing convert

    image to tarball docker import <tarball> Install user land in a local directory install OS image in VM and clean up OR appliance-creator debootstrap

12. configuration management? credentials in images? credentials in ENV variables?

13. Only encrypted credentials in (data) containers key/value stores Agent injected

    ENV credentials

14. Registry 2

15. None
16. None
17. None

18. Content trust and notary Source: https://docs.google.com/document/d/1Xn9kuhICOFj_P37ZWng8LeR_32NAj4Ytm42XAVWuTHw/edit#

19. Content trust and notary Source: https://docs.google.com/document/d/1Xn9kuhICOFj_P37ZWng8LeR_32NAj4Ytm42XAVWuTHw/edit# notary server checks signatures

    of meta data based on The Update Framework (TUF) signatures of Docker image hashes are verified

20. Content trust and notary Unsigned images Local notary server and

    signing steps: https://github.com/de-wiring/ix/tree/master/023_registries

21. Content trust and notary Signed images root@debian-jessie:~# env DOCKER_CONTENT_TRUST=1 docker

    pull dewiring/trustit:latest Pull (1 of 1): dewiring/trustit:latest@sha256:c58ee9f9d1b1a0b59471cac2c089ac995dd559949ee088533fc6f 4a0dcd2719f sha256:c58ee9f9d1b1a0b59471cac2c089ac995dd559949ee088533fc6f4a0dcd2719f: Pulling from dewiring/trustit 2c49f83e0b13: Already exists 4a5e6db8c069: Already exists 88ab9df21bce: Already exists 2c900b53c032: Already exists 8d86df29cb44: Already exists Digest: sha256:c58ee9f9d1b1a0b59471cac2c089ac995dd559949ee088533fc6f4a0dcd2719f Status: Downloaded newer image for dewiring/trustit@sha256:c58ee9f9d1b1a0b59471cac2c089ac995dd559949ee088533fc6f4a0dcd2 719f Tagging dewiring/trustit@sha256:c58ee9f9d1b1a0b59471cac2c089ac995dd559949ee088533fc6f4a0dcd2 719f as dewiring/trustit:latest

22. Docker HOST Local Images 3

23. Hardening the host itself GRSecurity Audit daemon SELinux and AppArmor

24. Docker Daemon 4

25. Docker Daemon § The daemon runs as user root. §

    The API is extensive with a lot of functionality. § Docker offers authentication but no authorization when using the API. Docker 1.10 just made the authorization plugin feature available. § Having access to the API grants far-reaching capabilities similar to the root account.

26. Isolate the daemon (e.g. SELinux, AppArmor) Enable auditing Define access

    paths to API

27. [root@localhost ~]# rpm -qa|grep docker docker-1.8.2-1.gitf1db8f2.fc22.x86_64 docker-selinux-1.8.2-1.gitf1db8f2.fc22.x86_64 [root@localhost ~]# ps

    -efZ|grep docker system_u:system_r:docker_t:s0 root 870 1 0 16:16 ? 00:00:00 /usr/bin/docker -d --selinux-enabled [root@localhost ~]# ps -efZ |grep svirt_lxc_net_t system_u:system_r:svirt_lxc_net_t:s0:c178,c327 root 1074 870 0 16:17 pts/1 00:00:00 /bin/bash

28. root@vagrant-ubuntu-vivid-64:/etc/apparmor.d# apparmor_status apparmor module is loaded. 6 profiles are loaded.

    6 profiles are in enforce mode. /sbin/dhclient /usr/lib/NetworkManager/nm-dhcp-client.action /usr/lib/NetworkManager/nm-dhcp-helper /usr/lib/connman/scripts/dhclient-script /usr/sbin/tcpdump docker-default 0 profiles are in complain mode. 2 processes have profiles defined. 2 processes are in enforce mode. /sbin/dhclient (549) docker-default (2923) 0 processes are in complain mode. 0 processes are unconfined but have a profile defined. root@vagrant-ubuntu-vivid-64:/etc/apparmor.d# ps -efZ|grep docker unconfined root 2684 1 0 15:46 ? 00:00:03 /usr/bin/docker -d -H fd:// docker-default root 2923 2684 0 15:52 pts/1 00:00:00 /bin/bash

29. Restricting access to the API? (1) Make Docker API accessible

    via socket file § Limit permissions of the socket § Make sure no user is part of the Docker group § Access across host boundaries via SSH (2) Allow Docker API via network § TLS certificates, server- and client-side § Distribute public keys § Disable socket (3) Agent-based approach § E.g. via socket or TLS (only on local network interface) § Agent proxies access to API § Agent provides own API to implement authorization socket network agent (4) Authz Plugin § Create one or multiple authorization plugins to the Docker daemon § Available since Docker 1.10 (aka yesterday!) authz

30. ContainerS @runtime 5

31. A few essential steps to improve security for your Docker

    containers § Don’t run containers as user root (use USER directive in Dockerfile, -u/--user). § Don’t run as --privileged. § Use --volume and --device read-only if possible, use --read-only, if useful. § Only EXPOSE ports that are necessary. § Set up container native logging and monitoring. --userns-remap

32. User Namespaces Capabilities CGroups SELinux & AppArmor Seccomp

33. User Namespaces Capabilities CGroups SELinux & AppArmor Seccomp

34. Testing

35. Docker Security Benchmark § Detailed guide for hardening Docker hosts,

    daemon, images and containers § Includes test routines § benchmarks.cisecurity.org § Tools for automation are available

36. Automated security checks

37. Automated security checks

38. Automated security checks

39. Hardening remains an important topic – and it’s necessary for

    containers as well. Docker helps to improve the security level of application processes. "UI for security" Things are work in progress. Luckily things are moving forward.

40. Q & A

41. Recommended reading § http://securedocker.org/news/ § https://news.ycombinator.com/item?id=10927043 § https://github.com/meltwater/secretary § https://github.com/mozilla/sops

    § https://www.conjur.net § https://www.vaultproject.io § https://github.com/asteris-llc/vaultfs § https://github.com/GDSSecurity/Docker-Secure-Deployment-Guidelines § https://docs.google.com/document/d/1Xn9kuhICOFj_P37ZWng8LeR_32NAj4Ytm42XA VWuTHw § https://github.com/docker/notary § https://docs.docker.com/registry/deploying/ § https://integratedcode.us/2015/10/13/user-namespaces-have-arrived-in-docker/ § https://jaxenter.com/docker-and-security-how-do-they-fit-together-122333.html § https://github.com/de-wiring/docker-selinux-playground/blob/master/docs/README.md § https://github.com/de-wiring/tests-docker-hardening § https://github.com/de-wiring/puppet-docker-hardening

42. Docker security history Challenges § https://blog.docker.com/2013/03/docker-containers-can-haz-networking-now/ § https://blog.docker.com/2013/04/list-of-publicly-available-docker-images/ § https://blog.docker.com/2013/05/new-registry-goes-live/

    § https://blog.docker.com/2013/06/docker-0-4-remote-api-build-openstack-integration/ § https://blog.docker.com/2014/06/docker-container-breakout-proof-of-concept-exploit/ § https://groups.google.com/forum/#!msg/docker-dev/F8LLeAZhiYE/RmlGPNcouXAJ § https://blog.docker.com/2014/08/disclosure-of-authorization-bypass-on-the-docker-hub/ § https://groups.google.com/forum/#!topic/docker-user/IrjXTHA6jJc § https://www.docker.com/docker-cve-database(CVE-2014-6407, CVE-2014-6408) § https://blog.docker.com/2015/01/docker-hub-jan-5-outage/ § https://blog.docker.com/2015/10/security-release-docker-1-8-3-1-6-2-cs7/ (CVE-2014-8178, CVE-2014-8179) Improvements § https://blog.docker.com/2013/07/docker-0-5-0-external-volumes-advanced-networking-self-hosted-registry/ § https://blog.docker.com/2013/08/containers-docker-how-secure-are-they/ § https://blog.docker.com/2013/08/websockets-dockerfile-upgrade-better-registry-support-expert-mode-and-more/ § https://blog.docker.com/2013/11/introducing-trusted-builds/ § https://blog.docker.com/2014/02/docker-and-security/ § https://blog.docker.com/2014/06/announcing-docker-hub-and-official-repositories/ § https://blog.docker.com/2014/07/new-dockercon-video-docker-security-renamed-from-docker-and-selinux/ § https://blog.docker.com/2014/10/docker-1-3-signed-images-process-injection-security-options-mac-shared-directories/ § https://blog.docker.com/2014/12/advancing-docker-security-docker-1-4-0-and-1-3-3-releases/ § https://blog.docker.com/2015/03/secured-at-docker-diogo-monica-and-nathan-mccauley/ § https://blog.docker.com/2015/05/understanding-docker-security-and-best-practices/ § https://blog.docker.com/2015/05/docker-security-tools/ § https://blog.docker.com/2015/07/new-tool-v1-registry-docker-trusted-registry-v2-open-source/ § https://blog.docker.com/2015/08/docker-1-8-content-trust-toolbox-registry-orchestration/ § https://blog.docker.com/2015/08/content-trust-docker-1-8/

43. Cassini Consulting Dustin Huptas Oberwallstraße 24 10117 Berlin Deutschland Alle

    Angaben basieren auf dem derzeitigen Kenntnisstand. Änderungen vorbehalten. Dieses Dokument von Cassini Consulting ist ausschließlich für den Adressaten bzw. Auftraggeber bestimmt. Es bleibt bis zur einer ausdrücklichen Übertragung von Nutzungsrechten Eigentum von Cassini. Jede Bearbeitung, Verwertung, Vervielfältigung und/oder gewerbsmäßige Verbreitung des Werkes ist nur mit Einverständnis von Cassini zulässig.