Testing Docker Images Security All Day DevOps 2017

October 24, 2017

jmortegac


Transcript

  2. jmortega.github.io about.me/jmortegac Software Engineer & Security Researcher

  3. Introduction to Docker security • Security best practices • Tools for auditing Docker images • Three Takeaways
  4. • “Docker containers wrap up a piece of software in a complete filesystem that contains everything it needs to run: code, runtime, system tools, system libraries, anything you can install on a server. This guarantees that it will always run the same, regardless of the environment it is running in.”
  6. • Docker provides an additional layer of isolation, making your infrastructure safer by default.
     • Makes the application lifecycle faster and easier, reducing risks in your applications.
  7. • Docker uses several mechanisms for security:
       ◦ Linux kernel namespaces
       ◦ Linux Control Groups (cgroups)
       ◦ The Docker daemon
       ◦ Linux capabilities (libcap)
       ◦ Linux security mechanisms like AppArmor or SELinux
  8. • Namespaces: provide an isolated view of the system, where processes cannot see the processes of other containers.
     • Each container also gets its own network stack.
     • A container doesn’t get privileged access to the sockets or interfaces of another container.
  9. • Cgroups: kernel feature that limits and isolates the resource usage (CPU, memory, network) of a collection of processes.
     • Linux Capabilities: divide the privileges of root into distinct units and smaller groups of privileges.
  10. • The Docker daemon (/usr/bin/docker) is responsible for managing the control groups, orchestrating the namespaces, and so on, so that Docker images can be run and secured.
      • Because it needs to manage kernel functions, the Docker daemon runs with root privileges.
      • Limit the users who have control of the Docker daemon.
  11. • Restrict access to the daemon to only those that really need it (users, processes).
      • Don’t expose the daemon outside your network.
      • If you do so, make sure you have put it behind a secure proxy, like NGINX.
  16. https://github.com/CenturyLinkLabs/dockerfile-from-image

  18. • Images are extracted in a chrooted sub-process, the first step in a wider effort toward privilege separation.
      • From Docker 1.10, all images are stored and accessed by the cryptographic checksums of their contents, limiting the possibility of an attacker causing a collision with an existing image.
      Docker Content Trust
  20. • Protects against untrusted images
      • Can enable signing checks on every managed host
      • Signature verification transparent to users
      • Guarantees the integrity of your images when pulled
      • Provides trust from publisher to consumer
      • export DOCKER_CONTENT_TRUST=1
      • ~/.docker/trust/trusted-certificates/
  21. • Do not write secrets (users and passwords).
      • Remove unnecessary setuid and setgid permissions (privilege escalation).
      • Download packages securely using GPG and certificates.
      • Try to restrict an image or container to one service.
  22. • To disable setuid rights, add the following to the Dockerfile of your image:
  23. • Set a specific user.
      • Don’t run your applications as root in containers.
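An added example (not from the deck) of the setuid/setgid clean-up that slides 21 to 23 call for, written to run against an unpacked image root; the function names, the `keep` allow-list and the sample files are assumptions. In a Dockerfile the same strip is one RUN step (find plus chmod) placed before the USER directive switches to a non-root account.

```python
import os
import stat
import tempfile

# The two bits slide 21 asks to remove; everything else in the mode is left alone.
SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID


def find_special_bits(root):
    """Return the sorted paths of regular files under root that carry setuid or setgid."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode  # lstat: never follow a symlink out of the tree
            if stat.S_ISREG(mode) and mode & SPECIAL_BITS:
                hits.append(path)
    return sorted(hits)


def strip_special_bits(root, keep=()):
    """Clear setuid/setgid on every hit except basenames in keep (an explicit allow-list).
    Returns the paths that were changed."""
    changed = []
    for path in find_special_bits(root):
        if os.path.basename(path) in keep:
            continue
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~SPECIAL_BITS)
        changed.append(path)
    return changed


def demo():
    """Constructed mini root filesystem: two setuid 'binaries' and one plain file.
    Returns the relative hits before and after the strip (passwd is allow-listed)."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("passwd", 0o4755), ("ping", 0o4755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)

    def rel(paths):
        return [os.path.relpath(p, root) for p in paths]

    before = rel(find_special_bits(root))
    strip_special_bits(root, keep=("passwd",))
    return before, rel(find_special_bits(root))
```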
  24. • Don’t run containers with the --privileged flag.
      • The --privileged flag gives all capabilities to the container.
      • docker run --privileged …
      • docker run --cap-drop=ALL --cap-add=CAP_NET_ADMIN ...
  25. • Manual management within the container: docker run --cap-add ALL
      • Restricted capabilities with root: docker run --cap-drop ALL --cap-add $CAP
      • No capabilities: docker run --user
  28. • We can verify the integrity of the image
      • Checksum validation when pulling an image from Docker Hub
      • Pulling by digest to enforce consistency
  29. • Pulling with Docker Content Trust:
      $ export DOCKER_CONTENT_TRUST=1
      $ docker pull debian:latest
      Pull (1 of 1): debian:latest@sha256:a25306f38…
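An added example (not from the deck) of the digest-pinning policy behind slides 28 and 29: a small parser for image references that a deployment gate can use to accept only digest-pinned ones. The grammar is a simplified assumption about Docker's reference syntax, and the digest in the demo is constructed, not a real image hash.

```python
import re

# Simplified grammar for an image reference: [registry/]name[:tag][@sha256:hex].
# Docker's real grammar is more permissive; this assumption covers the common forms.
_REF = re.compile(
    r"^(?:(?P<registry>(?:[^/:@]+\.[^/:@]+|localhost)(?::\d+)?)/)?"
    r"(?P<name>[a-z0-9]+(?:[._-][a-z0-9]+)*(?:/[a-z0-9]+(?:[._-][a-z0-9]+)*)*)"
    r"(?::(?P<tag>\w[\w.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def parse_reference(ref):
    """Split an image reference into registry, name, tag and digest, applying the
    Docker Hub defaults (docker.io registry, library/ prefix for official images)."""
    m = _REF.match(ref)
    if not m:
        raise ValueError(f"not a valid image reference: {ref!r}")
    parts = m.groupdict()
    parts["registry"] = parts["registry"] or "docker.io"
    if parts["registry"] == "docker.io" and "/" not in parts["name"]:
        parts["name"] = "library/" + parts["name"]
    return parts


def pin_policy(ref):
    """Gate for a deployment pipeline: only digest-pinned references pass, because a
    tag (above all 'latest') can be re-pushed to point at different content.
    Returns (accepted, reason)."""
    parts = parse_reference(ref)
    if parts["digest"]:
        return True, f"pinned to {parts['digest'][:19]}..."
    if parts["tag"] in (None, "latest"):
        return False, "no digest and a mutable 'latest' tag"
    return False, f"tag {parts['tag']!r} is mutable; pin the digest"


# Constructed digest (not a real image hash), in the form the pull output above shows.
DEMO_DIGEST = "sha256:" + "ab" * 32

if __name__ == "__main__":
    for ref in ("debian:latest", "debian:9", "debian@" + DEMO_DIGEST):
        print(ref, pin_policy(ref))
```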
  30. • Check packages installed in the container

  31. Docker security is about limiting and controlling the attack surface on the kernel.
  32. Run filesystems as read-only so that attackers cannot overwrite data or save malicious scripts to the image.
  36. Auditing Docker Images

  37. • You can scan your images for known vulnerabilities.
      • There are tools for that, like Docker Security Scanning, Docker Bench Security and CoreOS Clair.
      • Find known vulnerable binaries.
  38. • Checks based on best practices for hosts and containers
      • Find Common Vulnerabilities and Exposures (CVEs)
      • https://docs.docker.com/docker-cloud/builds/image-scan/
  39. • Checks against the CVE database for image layers
      • Binary scanning of all components in the image
      • Performs a binary scan to pick up statically linked binaries
      • Analyses libraries statically compiled into the image
      • Generates a report that shows whether there are CVEs in the libraries inside the image
  42. https://www.docker.com/docker-cve-database

  45. • Vulnerability Static Analysis for Containers
      • https://github.com/coreos/clair
  46. • You've found an image by searching the internet and want to determine if it's safe enough for you to use in production.
      • You're regularly deploying into a containerized production environment and want operations to alert on or block deployments of insecure software.
  49. • Checks based on best practices for hosts and containers
      • https://github.com/docker/docker-bench-security
      • Open-source tool for running automated tests
      • Inspired by the CIS Docker 1.11 benchmark
      • Runs against containers currently running on the same host
      • Checks for AppArmor, read-only volumes, etc.
  51. • The host configuration
      • The Docker daemon configuration
      • The Docker daemon configuration files
      • Container images and build files
      • Container runtime
      • Docker security operations
  52. • The Docker daemon configuration
      [WARN] 2.1 - Restrict network traffic between containers
      [WARN] 4.1 - Create a user for the container
      [WARN]      * Running as root:
      [WARN] 5.4 - Restrict Linux Kernel Capabilities within containers
      [WARN]      * Capabilities added: CapAdd=[audit_control]
      [WARN] 5.13 - Mount container's root filesystem as readonly
      [WARN]      * Container running with root FS mounted R/W:
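The runtime checks behind the [WARN] lines on this slide, re-implemented as an added example (not docker-bench-security's own code) over a `docker inspect` document; the sample container is constructed, the check numbers follow the slide, and the privileged-mode line (from slide 24) is an assumption that carries no benchmark number.

```python
import json

# Constructed sample shaped like `docker inspect <container>` output (only the fields
# the checks read). The values are chosen so that every numbered check below fires.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/webapp",
    "Config": {"User": ""},
    "HostConfig": {"Privileged": False, "CapAdd": ["audit_control"],
                   "CapDrop": None, "ReadonlyRootfs": False},
}])


def audit_container(container):
    """Runtime checks modelled on the slide's [WARN] lines. Returns the warning lines,
    empty when the container passes."""
    warns = []
    name = container.get("Name", "").lstrip("/")
    cfg = container.get("Config") or {}
    host = container.get("HostConfig") or {}
    if not cfg.get("User"):  # an empty User means the entrypoint runs as uid 0
        warns.append("[WARN] 4.1 - Create a user for the container")
        warns.append(f"[WARN]      * Running as root: {name}")
    if host.get("Privileged"):  # slide 24: never --privileged (no number on the slide)
        warns.append(f"[WARN]      * Container running with --privileged: {name}")
    cap_add = host.get("CapAdd") or []
    if cap_add:
        warns.append("[WARN] 5.4 - Restrict Linux Kernel Capabilities within containers")
        warns.append(f"[WARN]      * Capabilities added: CapAdd=[{','.join(cap_add)}]")
    if not host.get("ReadonlyRootfs"):
        warns.append("[WARN] 5.13 - Mount container's root filesystem as readonly")
        warns.append(f"[WARN]      * Container running with root FS mounted R/W: {name}")
    return warns


def audit_inspect_json(text):
    """Audit every container in a `docker inspect` JSON array; returns {name: warnings}."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(text)}


# A container started with --user app --cap-drop=ALL --read-only passes cleanly.
HARDENED = {"Name": "/app", "Config": {"User": "app"},
            "HostConfig": {"Privileged": False, "CapAdd": None, "CapDrop": ["ALL"],
                           "ReadonlyRootfs": True}}

if __name__ == "__main__":
    for name, warns in audit_inspect_json(SAMPLE_INSPECT).items():
        print(name, *warns, sep="\n")
    print("app", audit_container(HARDENED) or "PASS")
```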
  54. • Lynis • Dagda • Anchore

  55. • https://github.com/CISOfy/lynis-docker
      • Lynis is a Linux, Mac and Unix security auditing and system hardening tool that includes a module to audit Dockerfiles.
      • lynis audit dockerfile <file>
  57. • https://github.com/eliasgranderubio/dagda
      • Static analysis of known vulnerabilities in Docker containers
      • Allows monitoring Docker containers to detect anomalous activities
  58. Dagda requirements: Python 3, MongoDB, PyMongo, Requests, Python-dateutil, Joblib, Docker-py, Flask, Flask-cors, PyYAML
  59. • python3 dagda.py check --docker_image <image_name>
      • python3 dagda.py history <image_name> --id <Id_Scan>
  71. Signing • Secure & sign your source
      Dependencies • Pin & verify your dependencies
      Content Trust • Sign your artifacts with Docker Content Trust
      Privileges • Least privilege configurations
  72. • https://docs.docker.com/engine/security
      • http://www.oreilly.com/webops-perf/free/files/docker-security.pdf
      • http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf
      • https://www.openshift.com/promotions/docker-security.html
  73. • Docker Content Trust: https://docs.docker.com/engine/security/trust/content_trust
      • Docker Security Scanning: https://docs.docker.com/docker-cloud/builds/image-scan
      • https://blog.docker.com/2016/04/docker-security
      • http://softwaretester.info/docker-audit
  76. jmortega.github.io @jmortegac Thanks!

  79. bit.ly/addo-slack Find me on slack, right now!