● “Docker containers wrap up a piece of software in a complete filesystem that contains everything it needs to run: code, runtime, system tools, system libraries – anything you can install on a server. This guarantees that it will always run the same, regardless of the environment it is running in.”
● Docker provides an additional layer of isolation, making your infrastructure safer by default.
● Makes the application lifecycle faster and easier, reducing risks in your applications.
● Docker uses several mechanisms for security:
○ Linux kernel namespaces
○ Linux Control Groups (cgroups)
○ The Docker daemon
○ Linux capabilities (libcap)
○ Linux security mechanisms like AppArmor or SELinux
● Namespaces: provide an isolated view of the system, where processes cannot see processes in other containers.
● Each container also gets its own network stack.
● A container doesn’t get privileged access to the sockets or interfaces of another container.
● Cgroups: a kernel feature that limits and isolates the resource usage (CPU, memory, network) of a collection of processes.
● Linux capabilities: divide the privileges of root into distinct units and smaller groups of privileges.
● The Docker daemon (/usr/bin/docker) is responsible for managing the control groups, orchestrating the namespaces, and so on, so that Docker images can be run and secured.
● Because it needs to manage kernel functions, the Docker daemon runs with root privileges.
● Limit the users who have control of the Docker daemon.
● Restrict access to the daemon to only those who really need it (users, processes).
● Don’t expose the daemon outside your network.
● If you do so, make sure you have put it behind a secure proxy, like NGINX.
● Images are extracted in a chrooted sub-process, the first step in a wider effort toward privilege separation.
● From Docker 1.10, all images are stored and accessed by the cryptographic checksums of their contents, limiting the possibility of an attacker causing a collision with an existing image.
● Docker Content Trust:
○ Protects against untrusted images
○ Can enable signing checks on every managed host
○ Signature verification is transparent to users
○ Guarantees the integrity of your images when pulled
○ Provides trust from publisher to consumer
○ export DOCKER_CONTENT_TRUST=1
○ ~/.docker/trust/trusted-certificates/
● Do not write secrets (users and passwords) into the image.
● Remove unnecessary setuid and setgid permissions (privilege escalation risk).
● Download packages securely, using GPG and certificates.
● Try to restrict an image or container to one service.
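The image guidance above (no secrets baked in, no unneeded setuid/setgid bits, verified downloads, a non-root user as covered later under docker run --user) can be checked mechanically before a build. The following is an added example in plain shell, not code from the original slides; it assumes a single-stage Dockerfile, and the two sample Dockerfiles, the example.invalid hostname and the hash value are constructed placeholders.

```shell
# Added example, not from the original slides: a minimal Dockerfile audit in plain shell.
# Sample Dockerfiles are constructed for the demo; example.invalid and the hash are placeholders.
# audit_dockerfile FILE: print one line per finding; return 1 if any, else 0.
audit_dockerfile() {
  file="$1"; findings=0; acc=""; last_user=""
  while IFS= read -r raw || [ -n "$raw" ]; do
    raw="${raw%%#*}"                                            # drop comments
    case "$raw" in *[![:space:]]*) ;; *) continue ;; esac       # skip blank lines
    raw="${raw#"${raw%%[![:space:]]*}"}"                        # trim leading spaces
    case "$raw" in *\\) acc="$acc${raw%\\} "; continue ;; esac  # join "\" continuations
    line="$acc$raw"; acc=""
    upper=$(printf '%s' "$line" | tr '[:lower:]' '[:upper:]')
    case "$upper" in
      USER\ *) last_user=$(printf '%s\n' "$line" | awk '{print $2}') ;;
      ENV\ *PASSWORD*|ENV\ *SECRET*|ENV\ *TOKEN*|ARG\ *PASSWORD*|ARG\ *SECRET*|ARG\ *TOKEN*)
        echo "SECRET   : $line"; findings=$((findings + 1)) ;;  # secret baked into the image
      ADD\ HTTP*|RUN\ *CURL\ *|RUN\ *WGET\ *)
        case "$upper" in *GPG*|*SHA256SUM*) ;;                  # verified in the same instruction
          *) echo "DOWNLOAD : $line"; findings=$((findings + 1)) ;;
        esac ;;
      RUN\ *CHMOD\ *[UG]+S*|RUN\ *CHMOD\ *[2-7][0-7][0-7][0-7]*)
        echo "SETUID   : $line"; findings=$((findings + 1)) ;;  # setuid/setgid bit added
    esac
  done < "$file"
  case "$last_user" in ""|root|0)
    echo "ROOTUSER : no non-root USER, container runs as root"; findings=$((findings + 1)) ;;
  esac
  [ "$findings" -eq 0 ]
}

# Constructed inputs: one Dockerfile that breaks the guidance, one that follows it.
WORKDIR=$(mktemp -d)
BAD_DOCKERFILE="$WORKDIR/Dockerfile.bad"; GOOD_DOCKERFILE="$WORKDIR/Dockerfile.good"
cat > "$BAD_DOCKERFILE" <<'EOF'
FROM debian:stable-slim
ENV DB_PASSWORD=hunter2
RUN curl -sSL http://example.invalid/tool.tar.gz | tar xz -C /opt
RUN chmod u+s /opt/tool/bin/helper
EOF
cat > "$GOOD_DOCKERFILE" <<'EOF'
FROM debian:stable-slim
RUN curl -sSL https://example.invalid/tool.tar.gz -o /tmp/tool.tgz \
    && echo "PLACEHOLDER_SHA256  /tmp/tool.tgz" | sha256sum -c - \
    && tar xzf /tmp/tool.tgz -C /opt
RUN useradd -r -u 10001 app
USER app
EOF
audit_dockerfile "$BAD_DOCKERFILE"; echo "bad: exit $?"
audit_dockerfile "$GOOD_DOCKERFILE"; echo "good: exit $?"
```

The non-zero return on findings lets the function act as a CI gate; the bad sample yields four findings and the good one none.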
● Don’t run containers with the --privileged flag.
● The --privileged flag gives all capabilities to the container.
● Avoid: docker run --privileged …
● Prefer: docker run --cap-drop=ALL --cap-add=CAP_NET_ADMIN ...
● Manual management within the container: docker run --cap-add ALL
● Restricted capabilities with root: docker run --cap-drop ALL --cap-add $CAP
● No capabilities: docker run --user (run the container as a non-root user)
● You can scan your images for known vulnerabilities.
● There are tools for that, like Docker Security Scanning, Docker Bench Security and CoreOS Clair.
● Find known vulnerable binaries.
● Checks based on best practices for hosts and containers
● Find Common Vulnerabilities and Exposures (CVEs)
● https://docs.docker.com/docker-cloud/builds/image-scan/
● Checks against the CVE database for image layers
● Binary scanning of all components in the image
● Performs a binary scan to pick up statically linked binaries
● Analyses libraries statically compiled into the image
● Generates a report that shows whether there are CVEs in the libraries inside the image
● You've found an image by searching the internet and want to determine if it's safe enough for you to use in production.
● You're regularly deploying into a containerized production environment and want operations to alert on or block deployments of insecure software.
● Checks based on best practices for hosts and containers
● https://github.com/docker/docker-bench-security
● Open-source tool for running automated tests
● Inspired by the CIS Docker 1.11 benchmark
● Runs against containers currently running on the same host
● Checks for AppArmor, read-only volumes, etc.
● https://github.com/CISOfy/lynis-docker
● Lynis is a Linux, Mac and Unix security auditing and system hardening tool that includes a module to audit Dockerfiles.
● lynis audit dockerfile
● https://github.com/eliasgranderubio/dagda
● Static analysis of known vulnerabilities in Docker containers
● Allows monitoring Docker containers to detect anomalous activities