
Testing Docker Images Security NoConName edition 2017

jmortegac
November 26, 2017


This talk presents best practices for security reviews of Docker images. First, it gives an overview of the process of deploying an image to the official Docker Hub repository. Second, it covers the main attack surfaces and threats affecting those images. Finally, it shows how vulnerabilities in images can be detected with tools that automate this process, together with other code-analysis techniques and the best practices that explain how to remediate these vulnerabilities. There will be demos with open-source tools and some use cases with Python.


Transcript

  1. Testing Docker Images Security
    José Manuel Ortega
    November 2017

  2. WhoamI
    @jmortegac
    jmortega.github.io
    about.me/jmortegac

  3.
    Introduction to docker security
    Security best practices
    Tools for auditing docker host
    Tools for auditing docker images
    Demo

  6.
    ● Docker uses several mechanisms:
    ○ Linux kernel namespaces
    ○ Linux Control Groups (cgroups)
    ○ The Docker daemon
    ○ Linux capabilities (libcap)
    ○ Linux security mechanisms like AppArmor, SELinux, Seccomp

  7.
    ● Namespaces provide an isolated view of the system where processes cannot see other processes in other containers.
    ● Each container also gets its own network stack.
    ● A container doesn't get privileged access to the sockets or interfaces of another container.

  8.
    ● Cgroups: kernel feature that limits and isolates the resource usage (CPU, memory, network) of a collection of processes.
    ● Linux Capabilities: divides the privileges of root into distinct units and smaller groups of privileges.

  19.
    ● We can verify the integrity of the image
    ● Checksum validation when pulling image from docker hub
    ● Pulling by digest to enforce consistent
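The digest check behind the two bullets above, written out as an added example (it is not code from the talk). A pull-by-digest reference such as `nginx@sha256:<hex>` names content rather than a movable tag: the registry digest is the sha256 of the exact manifest bytes served, so a client can recompute it and refuse anything that does not match. The sample manifest and its layer digests below are constructed; `pinned_reference` and `verify_pull` are helpers written for this example.

```python
"""Check a pulled image manifest against a digest-pinned reference.

Added example (not from the talk). The digest in 'name@sha256:<hex>' is the
sha256 over the manifest bytes exactly as the registry serves them.
"""
import hashlib
import hmac
import json
import re

DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_reference(ref):
    """Split 'name[:tag]@sha256:<hex>' into (name, tag, digest).

    Raises ValueError for tag-only references such as 'nginx:latest',
    which is exactly what enforcing pull-by-digest is meant to reject.
    """
    name_tag, sep, digest = ref.partition("@")
    if not sep or not DIGEST.match(digest):
        raise ValueError("reference is not pinned by digest: %r" % ref)
    # A ':' after the last '/' is a tag; one before it is a registry port.
    last_slash = name_tag.rfind("/")
    colon = name_tag.find(":", last_slash + 1)
    if colon == -1:
        return name_tag, None, digest
    return name_tag[:colon], name_tag[colon + 1:], digest


def manifest_digest(manifest_bytes):
    """Registry-style digest: sha256 over the manifest bytes as served."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


def pinned_reference(name, manifest_bytes):
    """Digest-pinned reference to record once a manifest has been reviewed."""
    return "%s@%s" % (name, manifest_digest(manifest_bytes))


def verify_pull(ref, manifest_bytes):
    """True only if the served manifest hashes to the digest in the reference."""
    _, _, expected = parse_reference(ref)
    return hmac.compare_digest(manifest_digest(manifest_bytes), expected)


# Constructed sample manifest (schema 2 layout; config/layer digests are made up).
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
               "size": 1511, "digest": "sha256:" + "11" * 32},
    "layers": [{"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
                "size": 22492350, "digest": "sha256:" + "22" * 32}],
}, indent=3).encode()


def demo():
    """Pin the sample manifest, then show that a swapped layer digest fails verification."""
    ref = pinned_reference("nginx", SAMPLE_MANIFEST)
    tampered = SAMPLE_MANIFEST.replace(b"22" * 32, b"33" * 32)
    return {"ref": ref,
            "original_ok": verify_pull(ref, SAMPLE_MANIFEST),
            "tampered_ok": verify_pull(ref, tampered)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Recording the reference returned by `pinned_reference` in a deployment manifest, instead of a tag, is what makes later pulls reproducible: a tag can be re-pointed at new content, a digest cannot.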

  23.
    ● A capability is a unix action a user can perform
    ● Goal is to restrict "capabilities"
    ● Privileged process = all the capabilities!
    ● Unprivileged process = check individual user capabilities
    ● Example Capabilities:
    ○ CAP_CHOWN
    ○ CAP_SETUID
    ○ CAP_NET_RAW
    ○ CAP_SYS_ADMIN
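The "privileged = all capabilities, unprivileged = check individual capabilities" distinction above can be seen directly in a process's capability mask. This added example (not code from the talk) decodes the `CapEff` hex bitmask that `/proc/<pid>/status` reports inside a container and lists anything beyond an allowlist. The two status excerpts are constructed; the first mask is the value an unprivileged Docker container with the default capability set shows, the second a fully privileged process on a 38-capability kernel. The `ALLOWED` set is a hypothetical policy for a web service, not anything Docker defines.

```python
"""Decode a process's effective capability mask and flag what a workload should not hold.

Added example (not from the talk). In /proc/<pid>/status, bit n of CapEff set
means capability number n (numbering from linux/capability.h) is effective.
"""
import re

# Capability names indexed by number, 0..37 (through CAP_AUDIT_READ).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW",
    "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",
    "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
    "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE",
    "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
]

# Hypothetical allowlist: a service that binds port 80, then drops to an unprivileged user.
ALLOWED = {"CAP_CHOWN", "CAP_SETGID", "CAP_SETUID", "CAP_NET_BIND_SERVICE"}


def parse_cap_mask(status_text, field="CapEff"):
    """Extract the hex mask of one Cap* field from /proc/<pid>/status text."""
    m = re.search(r"^%s:\s*([0-9a-fA-F]+)\s*$" % field, status_text, re.MULTILINE)
    if not m:
        raise ValueError("no %s line in status text" % field)
    return int(m.group(1), 16)


def decode_caps(mask):
    """Capability names for every set bit, lowest bit first."""
    return [CAP_NAMES[bit] if bit < len(CAP_NAMES) else "CAP_%d" % bit
            for bit in range(mask.bit_length()) if mask >> bit & 1]


def audit_caps(status_text, allowed=ALLOWED):
    """Effective set plus everything in it that the allowlist does not cover."""
    caps = decode_caps(parse_cap_mask(status_text))
    return {"effective": caps, "beyond_allowlist": [c for c in caps if c not in allowed]}


# Constructed /proc/self/status excerpts (see the lead-in for what the masks represent).
DEFAULT_CONTAINER_STATUS = "Name:\tnginx\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"
PRIVILEGED_STATUS = "Name:\tbash\nCapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n"

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_CONTAINER_STATUS), ("privileged", PRIVILEGED_STATUS)):
        report = audit_caps(text)
        print(label, len(report["effective"]), "effective;",
              "beyond allowlist:", ", ".join(report["beyond_allowlist"]))
```

Even the default container set shows up as ten capabilities beyond this allowlist (CAP_NET_RAW among them), which is the case for `--cap-drop=ALL` followed by `--cap-add` of only what the workload needs.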

  29.
    Docker security is about limiting and controlling the attack surface on the kernel.

  30.
    Run filesystems as read-only so that attackers can not overwrite data or save malicious scripts to the image.

  31.
    ● Do not run processes in a container as root to avoid root access from attackers.
    ● Enable User-namespace (disabled by default).
    ● Run filesystems as read-only so that attackers can not overwrite data or save malicious scripts to file.
    ● Cut down the kernel calls that a container can make to reduce the potential attack surface.
    ● Limit the resources that a container can use (SELinux/AppArmor).

  32.
    ● Set a specific user.
    ● Don't run your applications as root in containers.
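The Dockerfile-level advice on the last two slides (set a specific user, never run as root) can be checked before an image is ever built. The following is an added example, not code from the talk and not the code of Lynis or docker-bench-security: a small Dockerfile parser with checks for a missing or root `USER`, an unpinned base image (a tag other than `latest`, or a digest), `sudo` inside `RUN`, and world-writable `chmod`. The two Dockerfiles are constructed for the example.

```python
"""Static checks for the Dockerfile best practices on these slides.

Added example (not from the talk). Parses a Dockerfile into instructions and
reports findings a reviewer would raise before the image is built.
"""
import re


def parse_dockerfile(text):
    """Return (INSTRUCTION, argument) pairs; joins backslash continuations, skips comments."""
    instructions, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        inst, _, arg = (pending + line).partition(" ")
        instructions.append((inst.upper(), arg.strip()))
        pending = ""
    return instructions


def base_image(arg):
    """Image named by a FROM argument, ignoring flags like --platform and 'AS stage'."""
    return next(tok for tok in arg.split() if not tok.startswith("--"))


def is_pinned(image):
    """Pinned means a digest, or at least a tag other than 'latest'."""
    if "@sha256:" in image:
        return True
    tag = image.rsplit("/", 1)[-1].partition(":")[2]  # ':' before the last '/' is a port
    return bool(tag) and tag != "latest"


def audit_dockerfile(text):
    """Return human-readable findings; an empty list means no check fired."""
    findings = []
    instructions = parse_dockerfile(text)
    # Only the final stage's USER matters for what runs in the container.
    stage_start = max([i for i, (inst, _) in enumerate(instructions) if inst == "FROM"] or [0])
    users = [arg.split(":")[0] for inst, arg in instructions[stage_start:] if inst == "USER"]
    if not users:
        findings.append("no USER instruction in final stage: processes run as root")
    elif users[-1] in ("root", "0"):
        findings.append("last USER is root")
    for inst, arg in instructions:
        if inst == "FROM":
            image = base_image(arg)
            if image != "scratch" and not is_pinned(image):
                findings.append("FROM %s: base image not pinned to a tag or digest" % image)
        elif inst == "RUN":
            if re.search(r"\bsudo\b", arg):
                findings.append("RUN uses sudo; the build step already runs as root")
            if re.search(r"\bchmod\b[^&|;]*\b[0-7]?777\b", arg):
                findings.append("RUN makes a path world-writable (chmod 777)")
    return findings


# Constructed Dockerfiles: one ignoring the slides' advice, one following it.
BAD_DOCKERFILE = """\
FROM ubuntu
RUN apt-get update && apt-get install -y \\
    nginx
RUN sudo chmod 777 /var/www
CMD ["nginx", "-g", "daemon off;"]
"""

GOOD_DOCKERFILE = """\
FROM nginx:1.13.6
RUN adduser --system --no-create-home app
USER app
CMD ["nginx", "-g", "daemon off;"]
"""

if __name__ == "__main__":
    for name, text in (("bad", BAD_DOCKERFILE), ("good", GOOD_DOCKERFILE)):
        print(name, audit_dockerfile(text) or ["no findings"])
```

Running this as a pre-commit hook or CI step catches the root-user and unpinned-base cases at review time, which is cheaper than finding them later with a runtime audit of the host.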

  35.
    ● AppArmor is a Mandatory Access Control (MAC) system which is a kernel (LSM) enhancement to confine programs to a limited set of resources. AppArmor's security model is to bind access control attributes to programs rather than to users.
    ● Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including United States Department of Defense

  36.
    ● Restricts system calls based on a policy
    ● Block things like
    ○ Kernel manipulation (init_module, finit_module, delete_module)
    ○ Executing mount options
    ○ Change permissions
    ○ Change owner and groups
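The seccomp policy described above, expressed as the JSON profile Docker loads with `--security-opt seccomp=<file>`. This is an added example, not a profile from the talk or from Docker: it builds a deny-list profile for the four groups on the slide (the syscall names behind each group are my mapping, for x86_64) and also audits any profile for those same syscalls, so a custom profile can be checked before it ships.

```python
"""Build and audit a Docker seccomp profile for the syscall groups on this slide.

Added example (not from the talk). Docker's profile JSON has a defaultAction,
a list of architectures, and rules that map syscall names to an action.
"""
import json

# Syscall names behind each item on the slide (x86_64 names; this mapping is mine).
BLOCKED = {
    "kernel module loading": ["init_module", "finit_module", "delete_module"],
    "mount operations": ["mount", "umount", "umount2"],
    "permission changes": ["chmod", "fchmod", "fchmodat"],
    "ownership changes": ["chown", "fchown", "lchown", "fchownat"],
}


def deny_list_profile():
    """Allow everything by default and return an errno for the blocked groups."""
    return {
        "defaultAction": "SCMP_ACT_ALLOW",
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
        "syscalls": [
            {"names": names, "action": "SCMP_ACT_ERRNO", "args": [], "comment": reason}
            for reason, names in BLOCKED.items()
        ],
    }


def effective_action(profile, syscall):
    """Action a profile applies to one syscall: first matching rule, else defaultAction."""
    for rule in profile.get("syscalls", []):
        names = rule.get("names") or [rule.get("name")]
        if syscall in names:
            return rule["action"]
    return profile["defaultAction"]


def unblocked(profile):
    """Syscalls from BLOCKED that the given profile still lets through."""
    return sorted(name for names in BLOCKED.values() for name in names
                  if effective_action(profile, name) == "SCMP_ACT_ALLOW")


if __name__ == "__main__":
    profile = deny_list_profile()
    print(json.dumps(profile, indent=2))
    print("still allowed:", unblocked(profile) or "none")
```

Docker's own default profile works the other way round: `defaultAction` is `SCMP_ACT_ERRNO` and only listed syscalls are allowed, which is the stronger model. A deny-list like the one above is a floor; `unblocked()` pointed at a profile loaded with `json.load` confirms that a hand-edited allowlist has not quietly re-admitted module loading or mount.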

  42. Auditing Docker Host

  43.
    ● Auditing docker environment and containers
    ● Open-source tool for running automated tests
    ● Inspired by the CIS Docker 1.11 benchmark
    ● Runs against containers currently running on same host
    ● Checks for AppArmor, read-only volumes, etc.
    ● https://github.com/docker/docker-bench-security

  45.
    ● The host configuration
    ● The Docker daemon configuration
    ● The Docker daemon configuration files
    ● Container images and build files
    ● Container runtime
    ● Docker security operations

  46.
    ● The Docker daemon configuration
    ● [WARN] 2.1 - Restrict network traffic between containers
    ● [WARN] 4.1 - Create a user for the container
    ● [WARN] * Running as root:
    ● [WARN] 5.4 - Restrict Linux Kernel Capabilities within containers
    ● [WARN] * Capabilities added: CapAdd=[audit_control]
    ● [WARN] 5.13 - Mount container's root filesystem as readonly
    ● [WARN] * Container running with root FS mounted R/W:
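Output like the report above is only useful if something acts on it. As an added example (not code from the talk or from docker-bench-security), the following parses report lines of that shape into checks with their `*` detail lines, summarises them per level, and gates on the check ids a team decides must not be `WARN`. The sample output is constructed in the style of the slide; the container name `webapp` and the extra `[PASS]`/`[INFO]` lines are made up.

```python
"""Turn docker-bench-security style output into a report that can gate a pipeline.

Added example (not from the talk). Each check line is '[LEVEL] <id> - <title>';
indented '[LEVEL]      * ...' lines give the affected container or setting.
"""
import re
from collections import Counter

CHECK = re.compile(r"^\[(\w+)\]\s+(\d+(?:\.\d+)*)\s+-\s+(.+?)\s*$")
DETAIL = re.compile(r"^\[(\w+)\]\s+\*\s+(.+?)\s*$")

# Constructed sample output in the tool's format (container 'webapp' is made up).
SAMPLE_OUTPUT = """\
[INFO] 2 - Docker daemon configuration
[WARN] 2.1 - Restrict network traffic between containers
[PASS] 2.2 - Set the logging level
[WARN] 4.1 - Create a user for the container
[WARN]      * Running as root: webapp
[WARN] 5.4 - Restrict Linux Kernel Capabilities within containers
[WARN]      * Capabilities added: CapAdd=[audit_control] to webapp
[WARN] 5.13 - Mount container's root filesystem as read only
[WARN]      * Container running with root FS mounted R/W: webapp
"""


def parse_report(text):
    """Return {check_id: {"level", "title", "details"}} in report order."""
    checks, current = {}, None
    for line in text.splitlines():
        m = CHECK.match(line)
        if m:
            level, check_id, title = m.groups()
            current = checks[check_id] = {"level": level, "title": title, "details": []}
            continue
        m = DETAIL.match(line)
        if m and current is not None:
            current["details"].append(m.group(2))
    return checks


def summarize(checks):
    """Number of checks per level, e.g. {'WARN': 4, 'PASS': 1, 'INFO': 1}."""
    return dict(Counter(c["level"] for c in checks.values()))


def gate(checks, must_pass):
    """(ok, failing_ids): ok is False if any check in must_pass reported WARN."""
    failing = [cid for cid in must_pass if checks.get(cid, {}).get("level") == "WARN"]
    return not failing, failing


if __name__ == "__main__":
    checks = parse_report(SAMPLE_OUTPUT)
    print(summarize(checks))
    ok, failing = gate(checks, ["4.1", "5.4", "5.13"])
    for cid in failing:
        print("FAIL", cid, checks[cid]["title"], checks[cid]["details"])
    raise SystemExit(0 if ok else 1)
```

Gating on a chosen subset (here the user, capabilities and read-only root filesystem checks the slides emphasise) lets a team adopt the benchmark incrementally instead of failing on every warning at once.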

  50.
    ● https://github.com/CISOfy/lynis-docker
    ● Lynis is a Linux, Mac and Unix security auditing and system hardening tool that includes a module to audit Dockerfiles.
    ● lynis audit system
    ● lynis audit dockerfile

  55.
    https://github.com/CISOfy/lynis/blob/master/include/helper_audit_dockerfile

  59. Demo time

  60. Auditing Docker Images

  61.
    ● You can scan your images for known vulnerabilities
    ● Find known vulnerable binaries
    ● Docker Security Scanning
    ● OWASP Dependency checker
    ● Anchore Cloud
    ● Tenable.io Container Security
    ● Dagda

  66.
    https://hub.docker.com/r/deepfenceio/deepfence_depcheck/

  73.
    https://github.com/eliasgranderubio/dagda

  74.
    Python 3
    MongoDB
    PyMongo
    Requests
    Python-dateutil
    Joblib
    Docker-py
    Flask
    Flask-cors
    PyYAML

  79. Docker Images for Malware Analysis

  80. Demo time

  81.
    ● Signing: Secure & sign your source
    ● Dependences: Pin & verify your dependencies
    ● Content Trust: Sign your artifacts with Docker Content Trust
    ● Privileges: Least Privilege configurations

  82.
    ● https://docs.docker.com/engine/security
    ● http://www.oreilly.com/webops-perf/free/files/docker-security.pdf
    ● http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf
    ● Docker Content Trust
    https://docs.docker.com/engine/security/trust/content_trust
    ● Docker Security Scanning
    https://docs.docker.com/docker-cloud/builds/image-scan
    ● https://blog.docker.com/2016/04/docker-security
    ● http://softwaretester.info/docker-audit

  84. jmortega.github.io
    @jmortegac