Testing Docker Security LinuxLab 2017

jmortegac
December 07, 2017

Transcript

  1. Testing Docker Security LinuxLab 2017 José Manuel Ortega

  2. @jmortegac

  3. Agenda
     • Introduction to docker security
     • Security best practices
     • Tools for auditing docker host
     • Tools for auditing docker images
     • Demo
  4. Virtualization vs containers

  5. Container pipeline

  6. Security mechanisms
     • Docker uses several mechanisms:
       ◦ Linux kernel namespaces
       ◦ Linux Control Groups (cgroups)
       ◦ The Docker daemon
       ◦ Linux capabilities (libcap)
       ◦ Linux security mechanisms like AppArmor, SELinux, Seccomp
  7. Namespaces
     • Provides an isolated view of the system where processes cannot see other processes in other containers
     • Each container also gets its own network stack.
     • A container doesn’t get privileged access to the sockets or interfaces of another container.
  8. Cgroups && capabilities
     • Cgroups: kernel feature that limits and isolates the resource usage (CPU, memory, network) of a collection of processes.
     • Linux Capabilities: divides the privileges of root into distinct units and smaller groups of privileges
  9. Docker images

  10. Docker images

  11. Dockerfile

  16. Docker Content Trust

  17. Docker Content Trust
     • We can verify the integrity of the image
     • Checksum validation when pulling image from docker hub
     • Pulling by digest to enforce consistent
  20. Docker Capabilities
     • A capability is a unix action a user can perform
     • Goal is to restrict “capabilities”
     • Privileged process = all the capabilities!
     • Unprivileged process = check individual user capabilities
     • Example Capabilities:
       ◦ CAP_CHOWN
       ◦ CAP_NET_RAW
  24. --cap-drop all --cap-add <specific_functionality>

  25. Docker security is about limiting and controlling the attack surface on the kernel.
  26. Run filesystems as read-only so that attackers can not overwrite data or save malicious scripts to the image.
  27. Least privilege principle
     • Do not run processes in a container as root to avoid root access from attackers.
     • Enable User-namespace
     • Run filesystems as read-only so that attackers can not overwrite data or save malicious scripts to file.
     • Cut down the kernel calls that a container can make to reduce the potential attack surface.
  28. DockerFile security
     • Set a specific user.
     • Don’t run your applications as root in containers.
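Two of the deck's rules can be checked mechanically before an image is ever built: base images should be pulled by digest (slide 17) and the final stage should set a non-root USER (slide 28). The linter below is an added example, not code from the deck or from any of the tools it mentions; the two Dockerfiles and the all-zero digest are constructed for the demonstration, and the check cannot see a USER inherited from the base image.

```python
"""Dockerfile checks for two rules from the deck: pin base images by digest
(slide 17) and set a non-root USER (slide 28).
Added example, not the deck's code; the two Dockerfiles and the all-zero
digest below are constructed for the demonstration."""
import re

# An image reference counts as pinned when it ends in @sha256:<64 hex digits>.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

# Constructed: multi-stage build whose final stage is unpinned and runs as root.
SAMPLE_BAD = """\
FROM golang:1.9@sha256:""" + "0" * 64 + """ AS builder
WORKDIR /src
COPY . .
RUN go build -o app .

FROM alpine:3.7
COPY --from=builder /src/app /app
USER root
ENTRYPOINT ["/app"]
"""

# Constructed: the same build with the final stage pinned and dropped to a fixed uid.
SAMPLE_GOOD = SAMPLE_BAD.replace(
    "FROM alpine:3.7", "FROM alpine:3.7@sha256:" + "0" * 64
).replace("USER root", "USER 10001:10001")


def lint_dockerfile(text):
    """Return a list of findings; an empty list means both rules hold."""
    findings = []
    stage_aliases = set()   # names given with `FROM ... AS name`
    user = None             # last USER seen in the current stage
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        instr = parts[0].upper()
        if instr == "FROM":
            ref = parts[1]
            if len(parts) >= 4 and parts[2].upper() == "AS":
                stage_aliases.add(parts[3])
            # `scratch` and earlier build stages have nothing to pin.
            if ref != "scratch" and ref not in stage_aliases \
                    and not DIGEST_RE.search(ref):
                findings.append(f"line {lineno}: FROM {ref} is not pinned by digest")
            # A new stage starts as root again (unless the base image sets USER,
            # which a text-only check cannot see).
            user = None
        elif instr == "USER" and len(parts) > 1:
            user = parts[1]
    if user is None:
        findings.append("final stage sets no USER: the process runs as root")
    elif user.split(":")[0] in ("root", "0"):
        findings.append(f"final stage USER {user} is root")
    return findings


if __name__ == "__main__":
    for name, text in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, lint_dockerfile(text) or ["ok"])
```

Run it against a repository's Dockerfiles in CI and fail the build on any finding; the digest check is what turns "pulling by digest" from advice into an enforced policy.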
  29. Read only containers & volumes

  30. Privileged vs non-privileged

  31. Privileged vs non-privileged

  32. Seccomp
     • Restricts system calls based on a policy
     • Block/limit things like:
       ◦ Kernel manipulation (init_module, finit_module, delete_module)
       ◦ Executing mount options
       ◦ Change permissions
       ◦ Change owner and groups
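Slides 24 to 32 together describe one runtime hardening recipe: drop all capabilities and add back only what is needed, run the root filesystem read-only, never run as root, and restrict system calls with a seccomp policy. The script below is an added example (not the deck's code) that composes such a `docker run` line and writes a matching seccomp profile; the image name, user id, allowed capability and the exact syscall names in each group are constructed choices for the demonstration.

```python
"""Compose a least-privilege `docker run` line following slides 24 to 32 and
write the seccomp profile it references.
Added example, not the deck's code. The image name, the user id, the allowed
capability and the exact syscall lists are constructed choices."""
import json
import os
import shlex
import tempfile

# Syscall groups slide 32 says a policy should block (constructed selection).
BLOCKED_SYSCALLS = {
    "kernel modules": ["init_module", "finit_module", "delete_module"],
    "mount": ["mount", "umount2", "pivot_root"],
    "permissions": ["chmod", "fchmod", "fchmodat"],
    "ownership": ["chown", "fchown", "fchownat", "lchown"],
}


def build_seccomp_profile(groups=BLOCKED_SYSCALLS):
    """Deny-list profile in Docker's seccomp JSON format: everything allowed
    except the listed syscalls, which fail with EPERM. Docker's own default
    profile is an allow-list that blocks far more; this mirrors the slide."""
    names = sorted({name for group in groups.values() for name in group})
    return {
        "defaultAction": "SCMP_ACT_ALLOW",
        "syscalls": [{"names": names, "action": "SCMP_ACT_ERRNO"}],
    }


def write_seccomp_profile(path=None):
    """Write the profile to `path` (a temp file when None) and return the path."""
    if path is None:
        fd, path = tempfile.mkstemp(suffix=".json")
        os.close(fd)
    with open(path, "w") as fh:
        json.dump(build_seccomp_profile(), fh, indent=2)
    return path


def hardened_run_args(image, command, seccomp_path, user="10001:10001",
                      add_caps=(), tmpfs=("/tmp",), pids_limit=100):
    """argv for `docker run` with the deck's hardening flags applied."""
    args = ["docker", "run", "--rm", "--cap-drop", "ALL"]   # slide 24
    for cap in add_caps:                        # add back only what is needed
        args += ["--cap-add", cap]
    args.append("--read-only")                  # slide 26: read-only filesystem
    for mount in tmpfs:                         # scratch space, no executables
        args += ["--tmpfs", f"{mount}:rw,noexec,nosuid"]
    args += ["--user", user,                    # slides 27/28: never root
             "--security-opt", "no-new-privileges",
             "--security-opt", f"seccomp={seccomp_path}",   # slide 32
             "--pids-limit", str(pids_limit)]   # slide 8: cgroup resource limit
    return args + [image, *command]


def render(args):
    """Shell-quoted command line for copy-paste or logging."""
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    profile = write_seccomp_profile()
    argv = hardened_run_args("example/webapp:1.0", ["./server"], profile,
                             add_caps=["NET_BIND_SERVICE"])
    print(render(argv))
```

The profile is deliberately the permissive form (default allow, deny a short list) so that it maps one-to-one onto the slide; in production start from Docker's default profile and remove entries rather than the other way round. User namespaces (slide 27) are a daemon setting (`userns-remap`), not a `docker run` flag, which is why they do not appear in the argv.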
  34. Audit Docker Host

  35. Docker bench security
     • Auditing docker environment and containers
     • Open-source tool for running automated tests
     • Inspired by the CIS Docker 1.11 benchmark
     • Runs against containers currently running on same host
     • Checks for AppArmor, read-only volumes, etc...
     • https://github.com/docker/docker-bench-security
  36. Docker bench security

  37. Docker bench security
     • The host configuration
     • The Docker daemon configuration
     • The Docker daemon configuration files
     • Container images and build files
     • Container runtime
     • Docker security operations
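The "container runtime" part of the benchmark boils down to reading each running container's configuration and comparing it with the rules from slides 24 to 32. The script below is an added example, not the deck's code and not docker-bench-security itself: it applies those checks to `docker inspect` output. The two container records are constructed and carry only the fields the checks read; on a real host the input would be the output of `docker inspect $(docker ps -q)`.

```python
"""Audit running containers the way docker-bench-security's container-runtime
checks do, from `docker inspect` output: privileged mode, capabilities,
read-only root filesystem, non-root user, AppArmor, seccomp,
no-new-privileges and resource limits.
Added example, not the deck's or the docker-bench project's code. The two
container records are constructed and contain only the fields read here."""
import json

# Constructed records: one hardened container and one debugging container
# started with --privileged and no limits.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web-hardened",
        "AppArmorProfile": "docker-default",
        "Config": {"User": "10001:10001"},
        "HostConfig": {
            "Privileged": False, "ReadonlyRootfs": True,
            "CapDrop": ["ALL"], "CapAdd": ["NET_BIND_SERVICE"],
            "SecurityOpt": ["no-new-privileges", "seccomp=/etc/docker/web.json"],
            "PidsLimit": 100, "Memory": 268435456,
        },
    },
    {
        "Name": "/debug-box",
        "AppArmorProfile": "",
        "Config": {"User": ""},
        "HostConfig": {
            "Privileged": True, "ReadonlyRootfs": False,
            "CapDrop": [], "CapAdd": ["SYS_ADMIN"],
            "SecurityOpt": ["seccomp=unconfined"],
            "PidsLimit": 0, "Memory": 0,
        },
    },
])

# Capabilities a container may add back; a policy choice made for this example.
ALLOWED_CAPS = {"NET_BIND_SERVICE"}


def audit_container(c, allowed_caps=ALLOWED_CAPS):
    """Findings for one inspect record; an empty list means every check passed."""
    host = c.get("HostConfig") or {}
    cfg = c.get("Config") or {}
    findings = []
    if host.get("Privileged"):
        findings.append("runs --privileged (all capabilities, host devices)")
    if "ALL" not in (host.get("CapDrop") or []):
        findings.append("does not drop all capabilities (--cap-drop ALL)")
    for cap in host.get("CapAdd") or []:
        if cap not in allowed_caps:
            findings.append(f"adds capability {cap}")
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable (--read-only missing)")
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "root", "0"):
        findings.append("main process runs as root")
    if not c.get("AppArmorProfile"):
        findings.append("no AppArmor profile applied")
    secopts = host.get("SecurityOpt") or []
    if "seccomp=unconfined" in secopts:
        findings.append("seccomp disabled")
    if not any(o.startswith("no-new-privileges") and not o.endswith(":false")
               for o in secopts):
        findings.append("no-new-privileges not set (setuid escalation possible)")
    if not host.get("PidsLimit"):          # None or 0 means unlimited
        findings.append("no pids limit (fork bomb can exhaust the host)")
    if not host.get("Memory"):
        findings.append("no memory limit")
    return findings


def audit(inspect_json, allowed_caps=ALLOWED_CAPS):
    """Map container name -> findings for a `docker inspect` JSON array."""
    return {c["Name"]: audit_container(c, allowed_caps)
            for c in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

A container with no seccomp entry in `SecurityOpt` runs under Docker's default profile, so only an explicit `seccomp=unconfined` is flagged; the AppArmor check reads the top-level `AppArmorProfile` field, which is empty on hosts where AppArmor is not loaded at all, so a finding there may point at the host rather than the container.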
  38. Lynis
     • https://github.com/CISOfy/lynis-docker
     • Lynis is a Linux, Mac and Unix security auditing and system hardening tool that includes a module to audit Dockerfiles.
     • lynis audit system
     • lynis audit dockerfile <file>
  40. Demo time

  41. Audit Docker Images

  42. • You can scan your images for known vulnerabilities
     • Find known vulnerable binaries
       ◦ Docker Security Scanning
       ◦ OWASP Dependency checker
       ◦ Anchore Cloud
       ◦ Dagda
       ◦ Tenable.io Container Security
  43. Docker security scanning

  44. Docker security scanning

  46. OWASP Dependency checker

  47. Anchore

  48. Anchore

  49. Anchore

  51. Dagda

  52. Tenable.io container security

  56. Docker images for malware analysis

  57. References
     • https://docs.docker.com/engine/security
     • http://www.oreilly.com/webops-perf/free/files/docker-security.pdf
     • http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf
     • Docker Content Trust https://docs.docker.com/engine/security/trust/content_trust
     • Docker Security Scanning https://docs.docker.com/docker-cloud/builds/image-scan
     • https://blog.docker.com/2016/04/docker-security
     • http://softwaretester.info/docker-audit
  59. Thanks! Contact: @jmortegac jmortega.github.io about.met/jmortegac