$30 off During Our Annual Pro Sale. View Details »

Operating Docker Securely - BSM

Operating Docker Securely - BSM

Jen Andre

July 10, 2015
Tweet

More Decks by Jen Andre

Other Decks in Technology

Transcript

  1. Operating Docker Securely
    Jen  Andre

    View Slide

  2. about me
    @fun_cuddles  /  jenpire.com  /  
    organizer  @BostonGoLang  
    EIR  @Accomplice  
    co-­‐founder  @threatstack,    formerly  
    researcher  @Mandiant,  engineering  /  
    security  analyst  @Symantce    

    View Slide

  3. Come  to  our  launch  happy  hour!    
    Sign  up  at  hacksecure.org/events  

    View Slide

  4. what is ?

    View Slide

  5. “Docker  containers  wrap  up  a  piece  of  
    soMware  in  a  complete  filesystem  that  
    contains  everything  it  needs  to  run:  code,  
    runPme,  system  tools,  system  libraries  –  
    anything  you  can  install  on  a  server.  This  
    guarantees  that  it  will  always  run  the  same,  
    regardless  of  the  environment  it  is  running  in.”

    View Slide

  6. docker is ‘virtualization’
    • “process”  vs  “system”  virtualizaPon  
    • the  kernel  is  your  hypervisor  
    • the  isolaPon  properPes  are  not  the  same.
    ^lightweight

    View Slide

  7. how it works

    View Slide

  8. benefits and features
    • speed  of  provisioning    
    • startup  1me  in  seconds,  not  minutes  
    • “build  once,  deploy  anywhere”  
    • speedy  builds  and  deployments  
    • image  layering    
    • resolves  tension  between  “build”  vs.  “bake”  to  facilitate  
    immutable  infrastructure  
    • image  repository  facilitates  reuse  
    • DockerHub

    View Slide

  9. It’s real and it’s here.

    View Slide

  10. is docker secure?

    View Slide

  11. this is the wrong question.

    View Slide

  12. managing misinformation
    VS
    http://iamondemand.com/blog/5-key-benefits-of-docker-ci-version-control-portability-isolation-and-security/
    http://www.securityweek.com/disrupting-disruptor-security-docker-containers

    View Slide

  13. 1.    How  does  proposed  Docker  usage  change  my  threat  
    model?  
    2.    How  do  I  ensure  I  can  trust  the  code  running  in  my  
    containers?  
    3.  How  do  I  know  if  I’ve  configured  my  Docker  host  +  
    containers  in  a  way  that  minimizes  my  risk?  
    4.  How  do  containers  change  my  security  pracPces,  e.g.  
    monitoring?
    questions for the security
    professional

    View Slide

  14. but also consider
    the  consistency  of  applicaPon  environments  in  Docker  
    containers  provides  for  interesPng  opportuni1es  for  
    new  automaPon  around  security  hardening,  audiPng,  
    and  tesPng.

    View Slide

  15. issues with trust
    docker  images  are  binaries  (opaque)  
    who  am  I  trusPng?  
    who  is  updaPng  these  things  when  there  is  a  criPcal  
    security  flaw?  

    View Slide

  16. The problem of patch management is a
    real thing.
    http://www.banyanops.com/blog/analyzing-docker-hub/

    View Slide

  17. confusing advice
    http://serverfault.com/questions/611082/how-to-handle-security-updates-within-docker-containers

    View Slide

  18. always be updating!
    • Do  perform  security  upgrades  (debian  example  
    below)  
    • sudo  docker  exec  -­‐it    apt-­‐get  update    
    • sudo  docker  exec  -­‐it    apt-­‐get  upgrade  
    -­‐s  |  grep  -­‐i  security  #  dry  run  
    • sudo  docker  exec  -­‐it    apt-­‐get  upgrade  
    #  commit  changes  when  done  

    View Slide

  19. who are you
    trusting?

    View Slide

  20. what  if  someone  
    replaced  libc  with  a  
    backdoored  version?

    View Slide

  21. community  
    addressing trust
    automate  policy  audiPng  +  
    enforcement
    for  a  given  container,  tell  me  who/what  
    I  am  trusPng
    build  from  a  trusted  base  image
    be  aware  of  who  you  are  trusPng
    don’t  overrely  on  Docker  hub
    tooling  to  apply  and    
    validate  security  updates

    View Slide

  22. more advice
    • “The  best  opPon  is  to  block  index.docker.io  locally,  and  
    download  and  verify  images  manually  before  imporPng  
    them  into  Docker  using  docker  load.”  
    • hcps:/
    /Ptanous.com/posts/docker-­‐insecurity#fn:4  
    • Use  a  private  docker  registry  
    • hcps:/
    /www.digitalocean.com/community/tutorials/how-­‐to-­‐set-­‐up-­‐a-­‐private-­‐docker-­‐registry-­‐
    on-­‐ubuntu-­‐14-­‐04  ,  hcps:/
    /quay.io    
       
    • Use  RedHat  cerPfied  containers  
    •  hcp:/
    /www.redhat.com/en/about/press-­‐releases/red-­‐hat-­‐announces-­‐cerPficaPon-­‐for-­‐
    containerized-­‐applicaPons-­‐extends-­‐customer-­‐confidence-­‐and-­‐trust-­‐to-­‐the-­‐cloud  

    View Slide

  23. opportunities
    • trust,  but  verify:  build  an  binary  audiPng  tool  for  Docker  
    images!  
    • e.g.,  scan  images,  validate  installed  libraries  and  binaries    do  
    not  have  criPcal  security  issues  and  align  with  signed  package  
    manifests.  
    • hcps:/
    /github.com/banyanops/collector    +`cruM’  but  for  containers?  
    • hcps:/
    /github.com/OpenSCAP/container-­‐compliance  -­‐  RHEL  only  
    • contribute  to  the  packaging/distribuPon  trust  conversaPon!  
    • hcps:/
    /github.com/docker/distribuPon/pull/179  
    • references:  hcp:/
    /theupdateframework.com/  

    View Slide

  24. best practices,
    hardening, &
    secure
    configurations
    ]

    View Slide

  25. the good!
    Docker  released  a  
    comprehensive  
    security  benchmark.
    hcps:/
    /blog.docker.com/2015/05/understanding-­‐docker-­‐security-­‐and-­‐best-­‐pracPces/

    View Slide

  26. the bad
    …it’s  118  pages  of  material!

    View Slide

  27. the good!: can we automate these
    checks?
    dockerbench.com  
    github.com/dockersecuritytools/bacen  <-­‐  ping  me  or  @jerbia    at  
    github  to  contribute!

    View Slide

  28. serverspec example

    View Slide

  29. the problem of isolation

    View Slide

  30. container hardening: the good
    there’s actually a lot of knobs to turn!

    View Slide

  31. toggling capabilities
    • “give  root  without  all  of  root”  
    • use  flags  on  Docker  command  line:  —cap-­‐add,  —
    cap-­‐drop

    View Slide

  32. cgroups
    • control  resource  alloca1on  (e.g.  memory,  cpus)  
    • prevent  one  container  from  sucking  all  of  the  
    resources  (DoS)  another  container  on  the  same  host  
    •  $ docker run -it --rm -m 128m fedora
    bash
    • hcps:/
    /goldmann.pl/blog/2014/09/11/resource-­‐management-­‐in-­‐docker/

    View Slide

  33. • user  namespaces  (soon!)  so  you  don’t  have  to  run  
    id=0  processes  as  root!  
    • seccomp  filtering  to  permit  or  block  individual  
    system  calls  (soon!)  
    • hcp:/
    /opensource.com/business/15/3/docker-­‐security-­‐future
    coming soon

    View Slide

  34. AppArmor  +  SELinux
    • SELinux  /  AppArmor  policies  (—security-­‐opt)

    View Slide

  35. using apparmor with
    1. Create  the  custom  profile:  vim  my_container_profile  
    2. Load  it  into  app  armor:  cat  my_container_profile  |  
    sudo  apparmor_parser  -­‐r  
    3. `
    4. Run  it  with  your  docker  container:  docker  run  —
    security-­‐opt=“apparmor:my_container_profile”  
    5. $$$  Profit?

    View Slide

  36. • Docker’s  default  capabiliPes  are  
    set  by  app  armor!  (and  turned  
    off  when  you  docker  run  —
    privileged=true)    
    • be  careful:  when  you  supply  
    your  own  apparmor  profile,  
    your  are  essenPally  resetng  
    the  capabiliPes.  
    • copy  or  inherit  these  when  you  create  a  
    new  profile  for  your  containers.      
    this looks familiar…

    View Slide

  37. the bad
    there’s a lot of knobs to turn :(

    View Slide

  38. we can do better.

    View Slide

  39. View Slide

  40. • IF  in  the  future…  
    • DockerHub  registry  becomes  your  go-­‐to  trusted  
    distribuPon  source  for  applicaPons.…  
    •  Why  not    
    • Have  a  registry  for  apparmor  and  SELinux  profiles  
    geared  for  official  dockerized  app  containers?  
    • …Include  seccomp  filters  and  other  security  configs?  
    • Share  your  polices  &  reduce  the  burden  of  having  to  
    harden  your  own  apps/containers.

    View Slide

  41. #  fetch  apparmor  security  profile  for  wordpress  
    image  
    docker  security-­‐profile  fetch  wordpress:latest  
       
    #  you  can  even  fetch  by  image  /  tag  
    docker  security-­‐profile  fetch  
    0cc6ffbf1a0cd78ab244c4b3b5cef13618bf4c8bcd229ec2673
    1a951c33df72e    
    #  allow  users  to  submit/push  their  own  app  armor  
    profiles    
    docker  security-­‐profile  push  —-­‐profile=“apparmor:/
    etc/apparmor/wordpress.profile”  jandre/
    wordpress:custom

    View Slide

  42. in conclusion
    • we  need  more  automaPon  around  security  audiPng,  
    hardening,  tesPng,  and  monitoring  
    • InnovaPon  here  should  come  not  just  from  the  
    Docker  folks.  
    • The  consistency  of  Docker  containers  enables  us  to  
    be  innovaPve  in  how  we  automate  the  above  ^^  

    View Slide

  43. is this interesting to you?
    • contact  me!  [email protected]  
    • follow  @securedocker  for  Docker  security  news  
    • Visit  me  at  hacksecure.org  

    View Slide