
Testing Docker Images Security NoConName edition 2017

November 26, 2017


This talk presents best practices for security reviews of Docker images. First, it gives an overview of the process of deploying an image to the official Docker Hub repository. Second, it covers the main attack surfaces and the threats affecting those images. Finally, it shows how to detect vulnerabilities in images with tools that automate the process and with other code-analysis techniques, along with the best practices that explain how to remediate these vulnerabilities. There will be demos with open-source tools and some use cases with Python.




  1. • WhoamI
     • Introduction to docker security
     • Security best practices
     • Tools for auditing docker host
     • Tools for auditing docker images
     • Demo
  2. • Docker uses several mechanisms:
       ◦ Linux kernel namespaces
       ◦ Linux Control Groups (cgroups)
       ◦ The Docker daemon
       ◦ Linux capabilities (libcap)
       ◦ Linux security mechanisms like AppArmor, SELinux, Seccomp
  3. • Provides an isolated view of the system where processes cannot see other processes in other containers
     • Each container also gets its own network stack.
     • A container doesn’t get privileged access to the sockets or interfaces of another container.
  4. • Cgroups: kernel feature that limits and isolates the resource usage (CPU, memory, network) of a collection of processes.
     • Linux Capabilities: divides the privileges of root into distinct units and smaller groups of privileges
  5. • We can verify the integrity of the image
     • Checksum validation when pulling image from docker hub
     • Pulling by digest to enforce consistent
  6. • A capability is a unix action a user can perform
     • Goal is to restrict “capabilities”
     • Privileged process = all the capabilities!
     • Unprivileged process = check individual user capabilities
     • Example Capabilities:
       ◦ CAP_CHOWN
       ◦ CAP_SETUID
       ◦ CAP_NET_RAW
       ◦ CAP_SYS_ADMIN
  7. Run filesystems as read-only so that attackers cannot overwrite data or save malicious scripts to the image.
  8. • Do not run processes in a container as root to avoid root access from attackers.
     • Enable user namespaces (disabled by default).
     • Run filesystems as read-only so that attackers cannot overwrite data or save malicious scripts to file.
     • Cut down the kernel calls that a container can make to reduce the potential attack surface.
     • Limit the resources that a container can use (SELinux/AppArmor)
  9. • Set a specific user.
     • Don’t run your applications as root in containers.
  10. • AppArmor is a Mandatory Access Control (MAC) system which is a kernel (LSM) enhancement to confine programs to a limited set of resources. AppArmor's security model is to bind access control attributes to programs rather than to users.
      • Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including United States Department of Defense
  11. • Restricts system calls based on a policy
      • Block things like
        ◦ Kernel manipulation (init_module, finit_module, delete_module)
        ◦ Executing mount options
        ◦ Change permissions
        ◦ Change owner and groups
  12. • Auditing docker environment and containers
      • Open-source tool for running automated tests
      • Inspired by the CIS Docker 1.11 benchmark
      • Runs against containers currently running on same host
      • Checks for AppArmor, read-only volumes, etc...
      • https://github.com/docker/docker-bench-security
  13. • The host configuration
      • The Docker daemon configuration
      • The Docker daemon configuration files
      • Container images and build files
      • Container runtime
      • Docker security operations
  14. • The Docker daemon configuration
      • [WARN] 2.1- Restrict network traffic between containers
      • [WARN] 4.1 - Create a user for the container
      • [WARN] * Running as root:
      • [WARN] 5.4 - Restrict Linux Kernel Capabilities within containers
      • [WARN] * Capabilities added: CapAdd=[audit_control]
      • [WARN] 5.13 - Mount container's root filesystem as readonly
      • [WARN] * Container running with root FS mounted R/W:
  15. • https://github.com/CISOfy/lynis-docker
      • Lynis is a Linux, Mac and Unix security auditing and system hardening tool that includes a module to audit Dockerfiles.
      • lynis audit system
      • lynis audit dockerfile <file>
  16. • You can scan your images for known vulnerabilities
      • Find known vulnerable binaries
      • Docker Security Scanning
      • OWASP Dependency checker
      • Anchore Cloud
      • Tenable.io Container Security
      • Dagda
  17. Signing
      • Secure & sign your source
      Dependencies
      • Pin & verify your dependencies
      Content Trust
      • Sign your artifacts with Docker Content Trust
      Privileges
      • Least Privilege configurations
  18. • https://docs.docker.com/engine/security
      • http://www.oreilly.com/webops-perf/free/files/docker-security.pdf
      • http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf
      • Docker Content Trust https://docs.docker.com/engine/security/trust/content_trust
      • Docker Security Scanning https://docs.docker.com/docker-cloud/builds/image-scan
      • https://blog.docker.com/2016/04/docker-security
      • http://softwaretester.info/docker-audit
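
The runtime practices on slide 8 and the docker-bench-security warnings on slide 14 can be checked directly against `docker inspect` output. The following is an added example, not code from the talk or from docker-bench-security; the sample JSON is constructed and the function names are hypothetical.

```python
import json

# Constructed sample shaped like `docker inspect` output (not from the talk).
SAMPLE_INSPECT = json.loads("""[
 {"Name": "/web", "Config": {"User": ""},
  "HostConfig": {"ReadonlyRootfs": false, "Privileged": false, "Memory": 0,
                 "CapAdd": ["AUDIT_CONTROL"], "SecurityOpt": null}},
 {"Name": "/worker", "Config": {"User": "1000:1000"},
  "HostConfig": {"ReadonlyRootfs": true, "Privileged": false,
                 "Memory": 268435456, "CapAdd": null,
                 "SecurityOpt": ["no-new-privileges"]}}
]""")

UNCONFINED = {"seccomp=unconfined", "apparmor=unconfined"}

def runs_as_root(user):
    # An empty User means no USER/--user was set, so the process runs as uid 0.
    return (user or "").split(":")[0] in ("", "0", "root")

def audit_container(c):
    """Return findings for one container, following slides 8 and 14."""
    host = c.get("HostConfig") or {}
    findings = []
    if runs_as_root((c.get("Config") or {}).get("User")):
        findings.append("running as root")
    if host.get("Privileged"):
        findings.append("privileged: all capabilities granted")
    if host.get("CapAdd"):
        findings.append("capabilities added: " + ",".join(host["CapAdd"]))
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem mounted read-write")
    if not host.get("Memory"):
        findings.append("no memory limit set")
    for opt in host.get("SecurityOpt") or []:
        # Older Docker versions wrote these options with ':' instead of '='.
        if opt.replace(":", "=", 1) in UNCONFINED:
            findings.append("confinement disabled: " + opt)
    return findings

def audit(containers):
    """Map container name to its list of findings."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in containers}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        for f in findings or ["no findings"]:
            print(f"[{'WARN' if findings else 'PASS'}] {name}: {f}")
```

To run it against a live host, replace `SAMPLE_INSPECT` with the parsed output of `docker inspect $(docker ps -q)`.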
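
Slides 5, 9 and 17 (pull by digest, set a specific user, pin your dependencies) also translate into a static Dockerfile check. This is an added example, not code from the talk or from Lynis; the Dockerfiles and the digest are constructed, the function name is hypothetical, and a base image that is not an earlier build stage is assumed to default to root.

```python
import re

# Constructed Dockerfiles (not from the talk); the digest is a dummy value.
DUMMY_DIGEST = "sha256:" + "ab" * 32
PINNED = f"""FROM python@{DUMMY_DIGEST}
RUN useradd -r app
USER app
CMD ["python", "app.py"]
"""
UNPINNED = """FROM python:latest AS build
RUN pip install flask
FROM python
CMD ["python", "app.py"]
"""

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def audit_dockerfile(text):
    """Flag base images not pinned by digest and a final stage left as root."""
    findings, stages, user, name, cont = [], {}, None, None, False
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue  # blank and comment lines do not end a continuation
        in_cont, cont = cont, s.endswith("\\")
        if in_cont:
            continue  # continuation of the previous instruction
        parts = s.split()
        instr = parts[0].upper()
        args = [p for p in parts[1:] if not p.startswith("--")]  # drop --platform=
        if instr == "FROM" and args:
            image = args[0]
            if image != "scratch" and image not in stages and not DIGEST_RE.search(image):
                findings.append(f"line {n}: base image '{image}' not pinned by digest")
            user = stages.get(image)  # inherit an earlier stage's user, else assume root
            name = args[2] if len(args) == 3 and args[1].upper() == "AS" else None
        elif instr == "USER" and args:
            user = args[0].split(":")[0]
        if name:
            stages[name] = user  # remember the stage's current user
    if user in (None, "0", "root"):
        findings.append("final stage runs as root (no non-root USER)")
    return findings

if __name__ == "__main__":
    for label, text in (("pinned", PINNED), ("unpinned", UNPINNED)):
        print(label, audit_dockerfile(text) or "ok")
```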