
Testing Docker Images Security NoConName edition 2017

jmortegac
November 26, 2017


This talk presents best practices for security reviews of Docker images. First, it gives an overview of the process for deploying an image to the official Docker Hub repository. Second, it discusses the main attack surfaces and threats affecting those images. Finally, it shows how vulnerabilities in images can be detected with tools that automate the process, together with other code-analysis techniques and the best practices that explain how to remediate these vulnerabilities. There will be demos with open-source tools and some use cases in Python.


Transcript

  1. Testing Docker Images Security. José Manuel Ortega, November 2017

  2. WhoamI: @jmortegac, jmortega.github.io, about.me/jmortegac

  3. Introduction to Docker security • Security best practices • Tools for auditing the Docker host • Tools for auditing Docker images • Demo
  6. • Docker uses several mechanisms: ◦ Linux kernel namespaces ◦ Linux Control Groups (cgroups) ◦ The Docker daemon ◦ Linux capabilities (libcap) ◦ Linux security mechanisms like AppArmor, SELinux and Seccomp

  7. • Namespaces provide an isolated view of the system where processes cannot see processes in other containers • Each container also gets its own network stack. • A container doesn't get privileged access to the sockets or interfaces of another container.

  8. • Cgroups: a kernel feature that limits and isolates the resource usage (CPU, memory, network) of a collection of processes. • Linux capabilities: divide the privileges of root into distinct units and smaller groups of privileges
  19. • We can verify the integrity of the image • Checksum validation when pulling an image from Docker Hub • Pulling by digest to enforce consistent
  23. • A capability is a unix action a user can perform • Goal is to restrict "capabilities" • Privileged process = all the capabilities! • Unprivileged process = check individual user capabilities • Example capabilities: ◦ CAP_CHOWN ◦ CAP_SETUID ◦ CAP_NET_RAW ◦ CAP_SYS_ADMIN
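Checking the individual capabilities a container process actually holds, as an added Python example that is not part of the talk: it decodes the hex `Cap*` masks from `/proc/<pid>/status` (the sample status dumps are constructed, and the `RISKY` set is limited to the capabilities the deck itself names).

```python
"""Decode the capability bitmasks a process reports in /proc/<pid>/status (added example,
not from the talk). Slide 23 says an unprivileged process must check its individual
capabilities; inside a container ``grep Cap /proc/self/status`` prints hex masks like the
constructed samples below. Bit numbers follow the kernel's include/uapi/linux/capability.h."""
import re

# Bit index -> capability name (bits 0..37).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW",
    "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",
    "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
    "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE",
    "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
]
# Capabilities the deck singles out: slide 23's examples and the docker-bench CapAdd warning.
RISKY = {"CAP_SYS_ADMIN", "CAP_NET_RAW", "CAP_AUDIT_CONTROL"}

def decode_caps(mask):
    """Return the names of all set bits in an integer capability mask, lowest bit first."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "CAP_%d" % bit)
        bit += 1
    return names

def parse_status(status_text):
    """Map each Cap* line of a /proc/<pid>/status dump to its decoded set of names."""
    return {m.group(1): set(decode_caps(int(m.group(2), 16)))
            for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)$", status_text, re.M)}

def audit(status_text):
    """Summarise the effective set: what is granted, which deck-listed caps, full root?"""
    eff = parse_status(status_text).get("CapEff", set())
    return {"effective": sorted(eff), "risky": sorted(eff & RISKY),
            "all_caps": len(eff) >= len(CAP_NAMES)}  # privileged process = all the capabilities

# Constructed samples. Docker's default capability set for an unprivileged container is a80425fb.
DEFAULT_STATUS = "Name:\tsh\nCapInh:\t00000000a80425fb\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"
# Same container started with --cap-add SYS_ADMIN --cap-add AUDIT_CONTROL (bits 21 and 30 added).
ADDED_STATUS = "CapEff:\t00000000e82425fb\n"
# A --privileged container on a kernel with 38 capabilities.
PRIVILEGED_STATUS = "CapEff:\t0000003fffffffff\n"
```

Note that Docker's default set already contains CAP_NET_RAW, which is why the audit flags it even for a container started without `--cap-add`.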
  29. Docker security is about limiting and controlling the attack surface on the kernel.

  30. Run filesystems as read-only so that attackers cannot overwrite data or save malicious scripts to the image.

  31. • Do not run processes in a container as root, to avoid root access from attackers. • Enable user namespaces (disabled by default). • Run filesystems as read-only so that attackers cannot overwrite data or save malicious scripts to file. • Cut down the kernel calls that a container can make to reduce the potential attack surface. • Limit the resources that a container can use (SELinux/AppArmor)

  32. • Set a specific user. • Don't run your applications as root in containers.
  35. • AppArmor is a Mandatory Access Control (MAC) system, a kernel (LSM) enhancement to confine programs to a limited set of resources. AppArmor's security model is to bind access control attributes to programs rather than to users. • Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including United States Department of Defense

  36. • Restricts system calls based on a policy • Block things like ◦ Kernel manipulation (init_module, finit_module, delete_module) ◦ Executing mount options ◦ Changing permissions ◦ Changing owner and groups
  42. Auditing Docker Host

  43. • Audits the Docker environment and containers • Open-source tool for running automated tests • Inspired by the CIS Docker 1.11 benchmark • Runs against containers currently running on the same host • Checks for AppArmor, read-only volumes, etc. • https://github.com/docker/docker-bench-security
  45. • The host configuration • The Docker daemon configuration • The Docker daemon configuration files • Container images and build files • Container runtime • Docker security operations

  46. • The Docker daemon configuration
    [WARN] 2.1 - Restrict network traffic between containers
    [WARN] 4.1 - Create a user for the container
    [WARN] * Running as root:
    [WARN] 5.4 - Restrict Linux Kernel Capabilities within containers
    [WARN] * Capabilities added: CapAdd=[audit_control]
    [WARN] 5.13 - Mount container's root filesystem as readonly
    [WARN] * Container running with root FS mounted R/W:
  50. • https://github.com/CISOfy/lynis-docker • Lynis is a Linux, Mac and Unix security auditing and system hardening tool that includes a module to audit Dockerfiles. • lynis audit system • lynis audit dockerfile <file>
  55. https://github.com/CISOfy/lynis/blob/master/include/helper_audit_dockerfile
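A small Dockerfile audit in the spirit of `lynis audit dockerfile <file>`, added here as an example and not taken from Lynis or the talk: it checks the two practices the deck states on slides 32 and 81 (set a specific non-root user; pin your dependencies) and handles backslash continuations and multi-stage builds. The two sample Dockerfiles are constructed.

```python
"""Dockerfile audit for two of the deck's best practices (added example, not Lynis's code):
slide 32 (set a specific non-root user) and slide 81 (pin your dependencies), reported the way
``lynis audit dockerfile <file>`` would. Handles comments, backslash continuations and multi-stage builds."""

def parse_instructions(text):
    """Yield (INSTRUCTION, arguments) pairs, joining backslash-continued lines."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        parts = (pending + line).split(None, 1)
        pending = ""
        yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")

def pinned(ref):
    """True if an image reference carries a digest or a tag other than latest."""
    if "@sha256:" in ref:
        return True
    name = ref.rsplit("/", 1)[-1]  # last path component, so a registry host:port is not read as a tag
    return ":" in name and not name.endswith(":latest")

def audit_dockerfile(text):
    """Return [WARN] findings in the style of lynis/docker-bench-security output."""
    warnings, last_user = [], None
    for instr, args in parse_instructions(text):
        if instr == "FROM":
            last_user = None  # every build stage starts as root again
            ref = args.split()[0]  # drop "AS <stage>"
            if ref.lower() != "scratch" and not pinned(ref):
                warnings.append("[WARN] base image not pinned to a tag or digest: %s" % ref)
        elif instr == "USER":
            last_user = args.strip()
    if last_user is None:
        warnings.append("[WARN] no USER instruction: processes run as root")
    elif last_user.split(":")[0] in ("root", "0"):
        warnings.append("[WARN] USER is root: set a specific non-root user")
    return warnings

# Constructed samples: a weak Dockerfile and a hardened multi-stage one.
WEAK = r"""FROM python:latest
RUN pip install flask \
    requests
"""
HARDENED = r"""FROM python:3.6-alpine AS builder
RUN pip install --target /deps flask
FROM python:3.6-alpine
RUN adduser -D -H appuser
USER appuser
"""
```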

  56. WhoamI

  57. WhoamI

  58. WhoamI

  59. Demo time

  60. Auditing Docker Images

  61. • You can scan your images for known vulnerabilities • Find known vulnerable binaries • Docker Security Scanning • OWASP Dependency checker • Anchore Cloud • Tenable.io Container Security • Dagda
  66. https://hub.docker.com/r/deepfenceio/deepfence_depcheck/

  67. WhoamI

  68. WhoamI

  69. WhoamI

  70. WhoamI

  71. WhoamI

  72. WhoamI

  73. https://github.com/eliasgranderubio/dagda

  74. Python 3 • MongoDB • PyMongo • Requests • Python-dateutil • Joblib • Docker-py • Flask • Flask-cors • PyYAML
  79. Docker Images for Malware Analysis

  80. Demo time

  81. Signing • Secure & sign your source. Dependencies • Pin & verify your dependencies. Content Trust • Sign your artifacts with Docker Content Trust. Privileges • Least Privilege configurations

  82. • https://docs.docker.com/engine/security • http://www.oreilly.com/webops-perf/free/files/docker-security.pdf • http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf • Docker Content Trust: https://docs.docker.com/engine/security/trust/content_trust • Docker Security Scanning: https://docs.docker.com/docker-cloud/builds/image-scan • https://blog.docker.com/2016/04/docker-security • http://softwaretester.info/docker-audit
  84. jmortega.github.io @jmortegac