Testing Docker Images Security NoConName edition 2017

Transcript

1. WhoamI Testing Docker Images Security José Manuel Ortega Noviembre 2017

2. WhoamI @jmortegac jmortega.github.io about.me/jmortegac

3. WhoamI Introduction to docker security Security best practices 3. Tools

   for auditing docker host Tools for auditing docker images Demo

4. WhoamI

5. WhoamI

6. WhoamI • Docker uses several mechanisms: ◦ Linux kernel namespaces

   ◦ Linux Control Groups (cgroups) ◦ The Docker daemon ◦ Linux capabilities (libcap) ◦ Linux security mechanisms like ◦ AppArmor,SELinux,Seccomp

7. WhoamI • Provides an isolated view of the system where

   processes cannot see other processes in other containers • Each container also gets its own network stack. • A container doesn’t get privileged access to the sockets or interfaces of another container.

8. WhoamI • Cgroups: kernel feature that limits and isolates the

   resource usage (CPU, memory, network) of a collection of processes. • Linux Capabilities: divides the privileges of root into distinct units and smaller groups of privileges

9. WhoamI

10. WhoamI

11. WhoamI

12. WhoamI

13. WhoamI

14. WhoamI

15. WhoamI

16. WhoamI

17. WhoamI

18. WhoamI

19. WhoamI • We can verify the integrity of the image

    • Checksum validation when pulling image from docker hub • Pulling by digest to enforce consistent

20. WhoamI

21. WhoamI

22. WhoamI

23. WhoamI • A capability is a unix action a user

    can perform • Goal is to restrict “capabilities” • Privileged process = all the capabilities! • Unprivileged process = check individual user capabilities • Example Capabilities: ◦ CAP_CHOWN ◦ CAP_SETUID ◦ CAP_NET_RAW ◦ CAP_SYS_ADMIN

24. WhoamI

25. WhoamI

26. WhoamI

27. WhoamI

28. WhoamI

29. WhoamI Docker security is about limiting and controlling the attack

    surface on the kernel.

30. WhoamI Run filesystems as read-only so that attackers can not

    overwrite data or save malicious scripts to the image.

31. WhoamI • Do not run processes in a container as

    root to avoid root access from attackers. • Enable User-namespace (disabled by default.) • Run filesystems as read-only so that attackers can not overwrite data or save malicious scripts to file. • Cut down the kernel calls that a container can make to reduce the potential attack surface. • Limit the resources that a container can use (SELinux/AppArmor)

32. WhoamI • Set a specific user. • Don’t run your

    applications as root in containers.

33. WhoamI

34. WhoamI

35. WhoamI • AppArmor is a Mandatory Access Control (MAC) system

    which is a kernel (LSM) enhancement to confine programs to a limited set of resources. AppArmor's security model is to bind access control attributes to programs rather than to users. • Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including United States Department of Defense

36. WhoamI • Restricts system calls based on a policy •

    Block things like ◦ Kernel manipulation (init_module, finit_module, delete_module) ◦ Executing mount options ◦ Change permissions ◦ Change owner and groups

37. WhoamI

38. WhoamI

39. WhoamI

40. WhoamI

41. WhoamI

42. WhoamI Auditing Docker Host

43. WhoamI • Auditing docker environment and containers • Open-source tool

    for running automated tests • Inspired by the CIS Docker 1.11 benchmark • Runs against containers currently running on same host • Checks for AppArmor, read-only volumes, etc... • https://github.com/docker/docker-bench-security

44. WhoamI

45. WhoamI • The host configuration • The Docker daemon configuration

    • The Docker daemon configuration files • Container images and build files • Container runtime • Docker security operations

46. WhoamI • The Docker daemon configuration • [WARN] 2.1- Restrict

    network traffic between containers • [WARN] 4.1 - Create a user for the container • [WARN] * Running as root: • [WARN] 5.4 - Restrict Linux Kernel Capabilities within containers • [WARN] * Capabilities added: CapAdd=[audit_control] • [WARN] 5.13 - Mount container's root filesystem as readonly • [WARN] * Container running with root FS mounted R/W:

47. WhoamI

48. WhoamI

49. WhoamI

50. WhoamI • https://github.com/CISOfy/lynis-docker • Lynis is a Linux, Mac and

    Unix security auditing and system hardening tool that includes a module to audit Dockerfiles. • lynis audit system • lynis audit dockerfile <file>

51. WhoamI

52. WhoamI

53. WhoamI

54. WhoamI

55. WhoamI https://github.com/CISOfy/lynis/blob/master/include/helper_audit_dockerfile

56. WhoamI

57. WhoamI

58. WhoamI

59. WhoamI Demo time

60. WhoamI Auditing Docker Images

61. WhoamI • You can scan your images for known vulnerabilities

    • Find known vulnerable binaries • Docker Security Scanning • OWASP Dependency checker • Anchore Cloud • Tenable.io Container Security • Dagda

62. WhoamI

63. WhoamI

64. WhoamI

65. WhoamI

66. WhoamI https://hub.docker.com/r/deepfenceio/deepfence_depcheck/

67. WhoamI

68. WhoamI

69. WhoamI

70. WhoamI

71. WhoamI

72. WhoamI

73. WhoamI https://github.com/eliasgranderubio/dagda

74. WhoamI Python 3 MongoDB PyMongo Requests Python-dateutil Joblib Docker-py Flask

    Flask-cors PyYAML

75. WhoamI

76. WhoamI

77. WhoamI

78. WhoamI

79. WhoamI Docker Images for Malware Analysis

80. WhoamI Demo time

81. WhoamI Signing • Secure & sign your source Dependences •

    Pin & verify your dependencies Content Trust • Sign your artifacts with Docker Content Trust Privileges • Least Privilege configurations

82. WhoamI • https://docs.docker.com/engine/security • http://www.oreilly.com/webops-perf/free/files/docker-securit y.pdf • http://container-solutions.com/content/uploads/2015/06/15. 06.15_DockerCheatSheet_A2.pdf •

    Docker Content Trust https://docs.docker.com/engine/security/trust/content_trust • Docker Security Scanning https://docs.docker.com/docker-cloud/builds/image-scan https://blog.docker.com/2016/04/docker-security http://softwaretester.info/docker-audit

83. WhoamI

84. WhoamI jmortega.github.io @jmortegac