Container Security

Transcript

1. Segurança em Containers Carol Valencia Devops Engineer

2. Container Threats Best Practices Agenda

3. Container

4. None

5. NET UTS IPC PID Namespaces : Linux Kernel Process IDs

   Unix Timesharing System Network USER NS Linux 3.8 (2013) • Docker Linux 2.6.19 (2006) Linux 2.6.24 (2008) • CGROUP Linux 2.6.29 (2009) Inter-process communication Linux 2.6.19 (2006) Linux 2.4.19 (2002) Mount

6. df -h Commands CLONE_NEWNS /proc mounted on the host system

   the new process sort of inherits a view on the underlying mounts chroot / pivot_root NS (Mount) Namespace

7. hostname Commands CLONE_NEWUTS Hostname Domainname UTS Namespace Unix Timesharing System

8. ipcs -a ipcs -s ipcs -q ipcs -m Commands CLONE_NEWIPC

   IPC semaphores IPC message queues IPC shared memory IPS Namespace Inter-process communication

9. ps aux ps exf Commands CLONE_NEWPID Process within a PID

   namespace only see process in the same PID namespace PID Namespace Process IDs

10. /var/run/netns - ip netns add <new_namespace> vetha0 ------------ veth1 ip

    link add veth0 type veth peer name veth1 - ip link list Commans clone_flag = CLONE_NEWNET - routes - firewall rules - network devices - ip address Network stack Bridge, host or overlay networks veth interface allocated on a bridge 172.17.0.1/16 Network Network Namespace

11. id ls -la Commands CLONE_NEWUSER Allows to map UID/GID UID

    0 (root) User Namespace

12. - Blkio (block I/O) - Hugetlb - Net_prio Control what

    a process can SEE - PID - Mount - Network - UTS - IPS - User Namespaces Cgroup Control what a process can USE

13. /proc/[pid]/ns/ directory Each process has a /proc/[pid]/ns/ subdirectory containing one

    entry for each namespace that supports being manipulated by setns(2)

14. Container https://d3oypxn00j2a10.cloudfront.net/assets/img/Docker%20Security/WP_Intro_to_container_security_03.20.2015.pdf • Linux kernel namespaces • Linux control groups

    (cgroups) • Linux runtime: Docker daemon: dockerd • Linux capabilities (libcap) • Linux security mechanism: AppArmor or SELinux

15. Linux Capabilities By default, a container own only 14 of

    37 capabilities

16. BPF for Tracing, Internals - SDN - DDoS mitigation -

    Intrusion detection - Container security Linux Observability Brendan Gregg

17. Threads

18. Threads Containers • Kernel exploits • Denial-of-service attacks (Dos) •

    Container breakouts • Poisoned images • Application secrets

19. Overview Docker Architecture https://www.slideshare.net/jmoc25/testing-docker-images-security-ncn-edition

20. NIST Special Publication 800-190 Developing Cycle with Containers Eradicate vulnerabilities

    before container deployment

21. Best Practices

22. Hardening Host Center for Internet Security (CIS) Benchmark for Distribution

    Unsecured, unhardened host OS best practices

23. Hardening Container Runtimes Center for Internet Security (CIS) Benchmark for

    Docker Docker-bench-security API listen on /var/run/docker.sock Don’t mount the docker socket docker container run -d --v /var/run/docker.sock:/var/run/docker.sock eu/danger Sign container images Docker Content Trust guarantees the integrity of the publisher and the integrity of the contents of a container image export DOCKER_CONTENT_TRUST=1

24. Hardening Container Images Public images ? Run as root ?

    Admin capabilities ? Unprivileged users grant the specific capabilities that it needs Nosuid & RO mounts Access Control: SELinux, AppArmor, Seccomp-bpf.

25. Hardening Secrets docker run -v $(pwd)/secrets:/secrets:ro debian Intro_to_container_security Secrets in

    the Source code Secrets in the Dockerfiles / images

26. Hardening Secrets Encryptation Dynamic secrets ◉ Hashicorp Vault ◉ CyberArk

    Conjur ◉ Aqua Secrets

27. Container User Running containers as root users Run containers as

    non-root users RUN groupadd -r user && useradd -r -g user user USER user Disable setuid rights in Dockerfile: RUN find / -perm +6000 -type f -exec chmod a-s {} \; \ || true

28. Container Privileges Capabilities Running privileged containers docker run -d --privileged

    ubuntu grant it only the specific capabilities that it needs docker run --cap-drop=ALL --cap-add=CAP_NET_ADMIN

29. Firewall for system calls (syscalls) Seccomp security-seccomp

30. It uses Berkeley Packet Filter (BPF) rules to filter syscalls

    and control how they are handled. These filters can significantly limit a containers access to the Docker Host’s Linux kernel - especially for simple containers/applications.

31. https://github.com/docker/labs/blob/master/security/seccomp/seccomp-profiles/deny.json { "defaultAction": "SCMP_ACT_ERRNO", "architectures": [ "SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32" ],

    "syscalls": [ ] } there are no syscalls in the whitelist. This means that no syscalls will be allowed from containers started with this profile.

32. default-no-chmod { "name": "chmod", "action": "SCMP_ACT_ALLOW", "args": [] }, {

    "name": "fchmod", "action": "SCMP_ACT_ALLOW", "args": [] }, { "name": "fchmodat", "action": "SCMP_ACT_ALLOW", "args": [] }, The default.json profile has the chmod(), fchmod(), and chmodatsyscalls included in its whitelist..

33. Tools ◉ Docker-bench-security ◉ Grafeas: audit and govern your software

    supply chain ◉ Sysdig: container troubleshooting and security investigation ◉ CoreOs / Clair: Vulnerability Static Analysis for Containers ◉ Aqua / Microscanner: Scan your container images for package vulnerabilities ◉ Anchore: Detailed analysis on their container images, run queries, produce reports and define policies that can be used in CI/CD pipelines ◉ Lynis ◉ Dagda ◉ Tenable ◉ Twistlock

34. Tools Security Compliance ◉ OpenSCAP - Open Source Security Content

    Automation Protocol ◉ Open Policy Agent / OPA.

35. Brendan Gregg- BPF Performance Tools: Linux System and Application Observability

36. Dhttps://github.com/krol3/container_go You can c Linkedin: Carol Valencia Github: krol3 [email protected]

    https://qrco.de/bbCE5X Thanks! Demo https://github.com/krol3/container_go