Introduction to Container Security
Carol Valencia
DevOps Engineer
Topics
- Containers
- Main risks in containers
- Security best practices with containers
- Tools
Containers
NIST Special Publication 800-190
Virtualization and Containers
https://d3oypxn00j2a10.cloudfront.net/assets/img/Docker%20Security/WP_Intro_to_container_security_03.20.2015.pdf
Container
- Linux kernel namespaces
- Linux control groups (cgroups)
- Docker daemon: dockerd
- Linux capabilities (libcap)
- Linux security mechanism: AppArmor or SELinux
NIST Special Publication 800-190
Architecture Lifecycle with Containers
Main Risks in Containers
Risks
● Risks in containers
○ Vulnerabilities inside the software runtime.
○ No limits on network access from the container.
● Risks in images
○ Image vulnerabilities
○ Image configuration defects
○ Embedded malware
○ Embedded secrets
○ Use of untrusted images
Security Best Practices with Containers
Docker daemon API
The API listens on /var/run/docker.sock
Don't mount the Docker socket into a container. Any process inside a container that can reach the socket controls the daemon, and with it the host. The command below is the pattern to avoid:
docker container run -d -p 9000:9000 -v /var/run/docker.sock:/var/run/docker.sock portainer/portainer
https://d3oypxn00j2a10.cloudfront.net/assets/img/Docker%20Security/WP_Intro_to_container_security_03.20.2015.pdf
File Restrictions
Mount files the container only needs to read as read-only (:ro), so a write attempt from inside the container fails:
docker run -v $(pwd)/secrets:/secrets:ro debian touch /secrets/x
Container Privileges: Capabilities
Running privileged containers (all capabilities, plus access to host devices):
docker run -d --privileged ubuntu
Instead, drop everything and grant only the specific capabilities the container needs:
docker run --cap-drop=ALL --cap-add=CAP_NET_ADMIN
docker run -d --cap-add SYS_PTRACE ubuntu
https://d3oypxn00j2a10.cloudfront.net/assets/img/Docker%20Security/WP_Intro_to_container_security_03.20.2015.pdf
Container: Permission Restriction
Running containers as the root user
Run containers as non-root users (Dockerfile):
RUN groupadd -r user && useradd -r -g user user
USER user
Disable setuid/setgid rights in the Dockerfile (note: modern GNU find uses -perm /6000; the older +6000 syntax is no longer accepted):
RUN find / -perm /6000 -type f -exec chmod a-s {} \; || true
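The practices on the slides above (no Docker socket mounts, read-only bind mounts, dropped capabilities, non-root user) can be checked against running containers. The audit below is an added example, not code from the talk; it reads JSON in the shape of `docker inspect` output (the two samples are constructed, and only the fields the audit uses are included) and reports each deviation.

```python
import json

# Constructed sample shaped like `docker inspect` output for a container
# started with the socket-mounting command from the slide (not real output).
SAMPLE_INSPECT = json.dumps([{
    "Name": "/portainer",
    "Config": {"User": ""},                       # empty User means root
    "HostConfig": {
        "Privileged": False,
        "CapDrop": [],                            # nothing dropped
        "CapAdd": ["SYS_PTRACE"],
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
    },
}])

# Constructed hardened counterpart: non-root user, --cap-drop=ALL plus one
# capability, and a read-only secrets mount.
HARDENED_INSPECT = json.dumps([{
    "Name": "/app",
    "Config": {"User": "user"},
    "HostConfig": {
        "Privileged": False,
        "CapDrop": ["ALL"],
        "CapAdd": ["NET_ADMIN"],
        "Binds": ["/srv/secrets:/secrets:ro"],
    },
}])


def audit_container(inspect_json):
    """Return a list of findings (strings) for the containers in inspect_json."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "?").lstrip("/")
        host = c.get("HostConfig") or {}
        cfg = c.get("Config") or {}
        if host.get("Privileged"):
            findings.append(f"{name}: runs with --privileged")
        if "ALL" not in [x.upper() for x in host.get("CapDrop") or []]:
            findings.append(f"{name}: does not drop all capabilities (--cap-drop=ALL)")
        for cap in host.get("CapAdd") or []:          # every added cap is reviewed
            findings.append(f"{name}: adds capability {cap}")
        for bind in host.get("Binds") or []:          # "src:dst[:opts]"
            parts = bind.split(":")
            mode = parts[2] if len(parts) > 2 else "rw"
            if parts[0].endswith("docker.sock"):
                findings.append(f"{name}: mounts the Docker socket {parts[0]}")
            elif "ro" not in mode.split(","):
                findings.append(f"{name}: bind mount {parts[0]} is writable (add :ro)")
        if cfg.get("User", "") in ("", "root", "0"):
            findings.append(f"{name}: runs as root (set USER in the Dockerfile)")
    return findings
```

On a real host, feed it the output of `docker inspect $(docker ps -q)`.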
Docker Security
- Host configuration: an unsecured, unhardened host undermines every container on it.
Follow OS hardening best practices.
- Docker hardening standard: CIS Docker Benchmark, checked with Docker Bench for Security.
Docker Content Trust
Pulling and running containers from public registries:
docker pull debian
Scan container images to detect and prevent containers with known vulnerabilities or malicious packages.
Sign container images: Docker Content Trust guarantees the integrity of the publisher and the integrity of the contents of a container image.
export DOCKER_CONTENT_TRUST=1
Conclusions
● Know the components in the application's CI/CD flow: infrastructure, libraries, CI/CD.
● Protect both the application and the container pipeline.
● Use security tools; many of them are open source.
References
● Application Container Security Guide - NIST
● Docker Security
● CIS Docker 1.13.0 Benchmark
● Testing Docker Images Security: Jose Manuel Ortega
● Google Security Containers
● Isolate containers with a user namespace
● Understanding and securing Linux namespaces
Carol Valencia
linkedin.com/in/carolgv
github.com/krol3
email: guillen.carolina@gmail.com