D2-4 Chris Van Tuin - A Security State of Mind: Compliance and Vulnerability Audits for Containers

Data breaches are on the rise, placing increased pressure on Enterprise IT to protect the business. With the rise of DevOps, and as hackers take advantage of known vulnerabilities on unpatched or misconfigured systems, Enterprise IT increasingly needs to automate vulnerability management, security management, and compliance checking. OpenSCAP is an open source tool for automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise.

In this presentation, you’ll learn about:

How Containers enable DevOps, Container Technology, and the security risks with deploying containers in the enterprise
Security vulnerability (CVEs) and Configuration issues (CCEs) notifications and checks
Automating vulnerability management, security management, and compliance checking with OpenSCAP
Scanning online and offline Containers and Virtual Machines with OpenSCAP
Generating and understanding OpenSCAP audit reports
Customizing OpenSCAP profiles

Join Chris Van Tuin, Chief Technologist, West at Red Hat, as he walks through the inherent security risks of deploying containers in the enterprise and how OpenSCAP can help protect and secure the business.

DevOpsDays Zurich

May 09, 2017

Transcript

  1. A DEVOPS STATE OF MIND: Compliance and Vulnerability Audits for Containers
    Chris Van Tuin, Chief Technologist, North America
  2. IT MUST EVOLVE TO STAY AHEAD OF DEMANDS
    Time to Value: Months to Years; Weeks and Months; Days and Weeks
  3. DEVOPS: BREAK DOWN THE WALLS (DEV, QA, OPS)
    Culture + Process + Technology
    Diagram labels: Open organization + cross-functional teams; Software factory automation; Linux + Containers; IaaS; Orchestration; CI/CD; Source Control Management; Collaboration; Build and Artifact Management; Testing Frameworks; Open Source; CI/CD pipelines with feedback
  4. DevSecOps: End to End Security (SECURITY spanning DEV, QA, OPS)
    Culture + Process + Technology
    Diagram labels: Linux + Containers; IaaS; Orchestration; CI/CD; Source Control Management; Collaboration; Build and Artifact Management; Testing Frameworks; Open Source
  5. LINUX CONTAINERS: Build, Ship, Run
    Build file:

        FROM fedora:latest
        CMD echo "Hello"

    Diagram labels: Build file; Image; Container; docker.io Registry; Private Registry; Certified; Physical, Virtual, Cloud
  7. WHAT’S INSIDE THE CONTAINER MATTERS
    64% of official images in Docker Hub contain high priority security vulnerabilities. Examples: ShellShock (bash), Heartbleed (OpenSSL), Poodle (OpenSSL).
    Source: Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities, Jayanth Gummaraju, Tarun Desikan, and Yoshio Turner, BanyanOps, May 2015 (http://www.banyanops.com/pdf/BanyanOps-AnalyzingDockerHub-WhitePaper.pdf)
  8. OpenSCAP
    Scan physical servers, virtual machines, docker images and containers for Compliance (CCEs) and known Vulnerabilities (CVEs)
    Diagram labels: Content (SCAP Security Guide for RHEL; CCE-27002-5 Set Password Minimum Length; login.defs); Scan; Reports
  9. USE CASE #1: Scan for Compliance
    Are password quality requirements set?
    Are obsolete services enabled, e.g. telnet?
    Is openssh properly configured?
    Is /tmp on a separate partition?
  10. SCAN

        oscap xccdf eval --profile rht-ccp \
          --report /var/www/html/report.html \
          --results /var/www/html/results.html \
          --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml \
          /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
  11. USE CASE #2: Scan for Known Vulnerabilities
    What RPMs need updating?
    What is the criticality of the vulnerability?
    What is the vulnerability?
    What CVEs have and have not been addressed?
  12. SCAN

        # obtain RHSA file from Red Hat for RHEL
        wget http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml
        # run Vulnerability scan
        oscap oval eval --results /var/www/html/rhsa-results-oval.xml \
          --report /var/www/html/oval-report.html com.redhat.rhsa-all.xml
        # view the Report
        firefox /var/www/html/oval-report.html
  13. USE CASE #3: Containers
    Is the docker image compliant?
    Is the docker image patched?
    Is the docker container compliant?
    Is the docker container patched?
  14. SCAN DOCKER IMAGES (“offline”)

        # Compliance Scan
        oscap-docker image docker.io/richxsl/rhel6.2 xccdf eval \
          --profile xccdf_org.ssgproject.content_profile_rht-ccp \
          /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
        # Vulnerability Scan on RHEL 6.2 image
        oscap-docker image-cve docker.io/richxsl/rhel6.2 \
          --results /var/www/html/image-oval.xml \
          --report /var/www/html/image-rhel62.html

    DOCKER CONTAINERS (“online”)

        # start a container named myrhel62
        docker run --name myrhel62 -it docker.io/richxsl/rhel6.2 /bin/bash
        # Compliance Scan
        oscap-docker container myrhel62 xccdf eval \
          --profile xccdf_org.ssgproject.content_profile_rht-ccp \
          /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
        # Vulnerability Scan
        oscap-docker container-cve docker.io/richxsl/rhel6.2 \
          --results /var/www/html/container-oval.xml \
          --report /var/www/html/container-rhel62.html
  15. ROLLING UPDATE DEPLOYMENT
    Diagram labels: Version 1 (three instances); Version 1.2; Tests / CI
  16. New applications can be spun up and tested before old applications are removed, lowering risk for upgrades
    Diagram labels: Version 1; Version 1.2
  17. Tests and certification can be done before customers access it
    Diagram labels: Version 1; Version 1.2; Tests / CI
  18. Once ready, the new version is used and the old version can be removed
    Diagram labels: Version 1; Version 1.2
  19. Rollbacks can be done using the same method if desired
    Diagram labels: Version 1.2
  20. A/B TESTING with CANARY DEPLOYMENT
    Diagram labels: Version 1.2; Version 1; 80%; 20%; 25% Conversion Rate; 35% Conversion Rate
  21. CONTAINER HOST SECURITY
    Diagram labels: Hardware (Intel, AMD) or Virtual Machine; Containers; Unit File; Docker Image; KUBERNETES / DOCKER; SYSTEMD; Cgroups; Namespaces; SELinux; seccomp; Drivers
    Best Practices
    • Don’t run as root
    • Limit SSH Access
    • Use namespaces
    • Define resource quotas
    • Enable logging
    • Apply Security Errata
    • Apply Security Context and seccomp filters
    http://blog.kubernetes.io/2016/08/security-best-practices-kubernetes-deployment.html
  22. SECURING CONTAINER ENVIRONMENT
    Diagram labels: Images; Builds; Registry; CI/CD; Container host; Network isolation; Storage; API & Platform access; Monitoring & Logging; Federated clusters
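
An added example, not from the talk or the OpenSCAP project: the file written by `--results` in slide 10 is XCCDF XML, so a CI job can parse it and block a build on non-compliant rules instead of relying on someone reading the HTML report. The sample document, its rule ids, and the choice to rank unknown severity as high are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like XCCDF 1.2 results; rule ids are hypothetical.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
 <TestResult id="xccdf_example_testresult_1">
  <rule-result idref="rule_password_minlen" severity="medium">
   <result>fail</result><ident system="https://nvd.nist.gov/cce/index.cfm">CCE-27002-5</ident>
  </rule-result>
  <rule-result idref="rule_telnet_disabled" severity="high"><result>pass</result></rule-result>
  <rule-result idref="rule_tmp_partition" severity="low"><result>fail</result></rule-result>
  <rule-result idref="rule_sshd_config" severity="medium"><result>error</result></rule-result>
  <rule-result idref="rule_other_platform"><result>notapplicable</result></rule-result>
 </TestResult>
</Benchmark>"""

# fail = check failed; error/unknown = could not be evaluated, so not proven compliant.
NOT_COMPLIANT = {"fail", "error", "unknown"}
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}

def _local(tag):
    """Drop the XML namespace so XCCDF 1.1 and 1.2 files are handled alike."""
    return tag.rsplit("}", 1)[-1]

def failed_rules(xml_text):
    """Return one dict per rule-result whose result is not compliant."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "rule-result":
            continue
        children = {}
        for child in el:
            children.setdefault(_local(child.tag), []).append((child.text or "").strip())
        result = (children.get("result") or [""])[0] or "unknown"
        if result in NOT_COMPLIANT:
            findings.append({"rule": el.get("idref"), "result": result,
                             # No severity attribute: record it as unknown.
                             "severity": el.get("severity", "unknown"),
                             "idents": children.get("ident", [])})
    return findings

def gate(xml_text, min_severity="medium"):
    """Rule ids that should block a build; unknown severity is ranked as high (assumption)."""
    floor = SEVERITY_RANK[min_severity]
    return [f["rule"] for f in failed_rules(xml_text)
            if SEVERITY_RANK.get(f["severity"], 3) >= floor]

if __name__ == "__main__":
    for f in failed_rules(SAMPLE):
        print(f["severity"], f["result"], f["rule"], ",".join(f["idents"]))
    print("BLOCK" if gate(SAMPLE) else "OK")
```

In a pipeline, `gate()` would be fed the contents of the file passed to `--results`, and a non-empty return value would fail the build stage.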