D2-4 Chris Van Tuin - A Security State of Mind: Compliance and Vulnerability Audits for Containers

Transcript

1. A DEVOPS STATE OF MIND: Compliance and Vulnerability Audits for

   Containers Chris Van Tuin Chief Technologist, North America [email protected]

2. “Only the Paranoid Survive” - Andy Grove, 1998

3. Software Disrupts Business Retail Finance Media Transportation ? ?

4. 4 IT MUST EVOLVE TO STAY AHEAD OF DEMANDS Time

   to Value Months to Years Weeks and Months Days and Weeks

5. 5 DEV QA OPS Culture DEVOPS: BREAK DOWN THE WALLS

   Open organization + 
 cross-functional teams Software factory automation Linux + Containers IaaS Orchestration CI/CD Source Control Management Collaboration Build and Artifact Management Testing Frameworks Open Source CI/CD pipelines with feedback Process Technology + +
6. None
7. None

8. http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

9. “Patch? The servers are behind the firewall.” - Anonymous (far

   too many to name), 2005 - …

10. 10 DevSecOps End to End Security + + <——————— SECURITY

    ———————> DEV QA OPS Linux + Containers IaaS Orchestration CI/CD Source Control Management Collaboration Build and Artifact Management Testing Frameworks Open Source Culture Process Technology

11. 11 APPLICATION DELIVERY VIA CONTAINERS

12. 12 docker.io Registry Private Registry Certified FROM fedora:latest CMD echo

    “Hello” Build file Physical, Virtual, Cloud Image Container Build Run Ship LINUX CONTAINERS

13. MORE THAN CONTAINERS Scheduling Monitoring Persistence Discovery Lifecycle & health

    Scaling Aggregation Security

14. 14 The DevSecOps Software Factory + + <——————— SECURITY ———————>

    DEV QA OPS

15. SECURING CONTAINER IMAGES Images CI/CD Container host Registry Builds

16. CONTAINER IMAGE SECURITY

17. TREAT CONTAINERS AS IMMUTABLE code config data

18. 18

19. 19 IMAGE SIGNING Validate what images and version are running

20. CONTAINER REGISTRY SECURITY

21. 64% of official images in Docker Hub 
 contain high

    priority security vulnerabilities examples: ShellShock (bash) Heartbleed (OpenSSL) Poodle (OpenSSL) Source: Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities, Jayanth Gummaraju, Tarun Desikan, and Yoshio Turner, BanyanOps, May 2015 (http:// www.banyanops.com/pdf/BanyanOps-AnalyzingDockerHub-WhitePaper.pdf) WHAT’S INSIDE THE CONTAINER MATTERS

22. PRIVATE REGISTRY

23. CI WITH CONTAINERS

24. CI/CD with Security

25. A CONVERGED SOFTWARE SUPPLY CHAIN

26. CUSTOM SUPPLY CHAIN

27. ADD NAME (View > Master > Slide master) CONTINUOUS INTEGRATION

    WITH SECURITY SCAN Security

28. Compliance and Vulnerability Audits with OpenSCAP

29. OpenSCAP Reports Scan SCAP Security Guide for RHEL CCE-27002-5 Set

    Password Minimum Length login.defs Content Scan physical servers, virtual machines, docker images and containers
 for Compliance (CCEs) and known Vulnerabilities (CVEs)

30. USE CASE #1: Scan for Compliance Are password quality requirements

    set? Are obsolete 
 services enabled, 
 e.g. telnet? Is openssh properly configured? Is /tmp on a separate partition?

31. SCAN oscap xccdf eval --profile rht-ccp \ --report /var/www/html/report.html \

    --results /var/www/html/results.html \ --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml \ /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

32. REPORT

33. REPORT

34. REPORT

35. REMEDIATION

36. What RPMs need updating? What is the criticality of the

    vulnerability? What is the vulnerability? What CVEs have and have not been addressed? USE CASE #2: Scan for Known Vulnerabilities

37. SCAN # obtain RHSA file from Red Hat for RHEL

    wget http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml # run Vulnerability scan oscap oval eval --results /var/www/html/rhsa-results-oval.xml \ --report /var/www/html/oval-report.html com.redhat.rhsa-all.xml # view the Report firefox /var/www/html/oval-report.html

38. REPORT

39. REPORT

40. Is the docker image compliant? Is the docker image patched?

    Is the docker container compliant? Is the docker container patched? USE CASE #3: Containers

41. # Compliance Scan oscap-docker image docker.io/richxsl/rhel6.2 xccdf eval --profile xccdf_org.ssgproject.content_profile_rht-ccp

    \ /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml # Vulnerability Scan on RHEL 6.2 image oscap-docker image-cve docker.io/richxsl/rhel6.2 --results /var/www/html/image-oval.xml --report /var/www/html/image-rhel62.html SCAN DOCKER IMAGES (“offline”) # start a container named myrhel62 docker run --name myrhel62 -it docker.io/richxsl/rhel6.2 /bin/bash # Compliance Scan oscap-docker container myrhel62 xccdf eval --profile xccdf_org.ssgproject.content_profile_rht-ccp \ /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml # Vulnerability Scan oscap-docker container-cve docker.io/richxsl/rhel6.2 --results /var/www/html/container-oval.xml --report /var/www/html/container- rhel62.html DOCKER CONTAINERS (“online”)
42. None

43. VS Without With 64% 99%

44. CD WITH CONTAINERS

45. CD with Security

46. CONTINUOUS DEPLOYMENT WITH CONTAINERS

47. 47 CONTINUOUS DEPLOYMENT

48. 48 Version 1 Version 1 Version 1 Version 1.2 `

    Tests / CI ROLLING UPDATE DEPLOYMENT

49. 49 Each container/pod is updated one by one Version 1

    33% Version 1.2 Version 1

50. 50 Version 1 66% Version 1.2 Version 1.2 Each container/pod

    is updated one by one

51. 51 Version 1.2 100% Version 1.2 Version 1.2 Each container/pod

    is updated one by one

52. Version 1 BLUE-GREEN DEPLOYMENT

53. ADD NAME (View > Master > Slide master) Version 1

    Version 1.2 New applications can be spun up and tested before old applications are removed, lowering risk for upgrades

54. ADD NAME (View > Master > Slide master) Tests and

    certification can be done before customers access it Version 1 Version 1.2 Tests / CI

55. ADD NAME (View > Master > Slide master) Once ready,

    the new version is used and the old version can be removed Version 1 Version 1.2

56. ADD NAME (View > Master > Slide master) Rollbacks can

    be done using the same method if desired Version 1.2

57. Version 1.2 Version 1 80% 20% 25% Conversion Rate 35%

    Conversion Rate A/B TESTING with CANARY DEPLOYMENT

58. CONTAINER RUNTIME SECURITY

59. 59 Hardware (Intel, AMD) or Virtual Machine Containers Containers Containers

    Unit File Docker Image KUBERNETES / DOCKER SYSTEMD Cgroups Namespaces SELinux Drivers CONTAINER HOST SECURITY Best Practices • Don’t run as root • Limit SSH Access • Use namespaces • Define resource quotas • Enable logging • Apply Security Errata • Apply Security Context and seccomp filters http://blog.kubernetes.io/2016/08/security-best-practices-kubernetes-deployment.html seccomp

60. SECURING CONTAINER ENVIRONMENT Images CI/CD Container host Network isolation Storage

    API & Platform access Monitoring & Logging Federated clusters Registry {} Builds

61. THANK YOU Chris Van Tuin [email protected]