Slide 1

Testing Docker Security
LinuxLab 2017
José Manuel Ortega

Slide 2

@jmortegac

Slide 3

Agenda
● Introduction to Docker security
● Security best practices
● Tools for auditing the Docker host
● Tools for auditing Docker images
● Demo

Slide 4

Virtualization vs containers

Slide 5

Container pipeline

Slide 6

Security mechanisms
● Docker relies on several kernel and host mechanisms:
  ○ Linux kernel namespaces
  ○ Linux control groups (cgroups)
  ○ The Docker daemon
  ○ Linux capabilities (libcap)
  ○ Linux security mechanisms such as AppArmor, SELinux and seccomp

Slide 7

Namespaces
● Provide an isolated view of the system, so a process cannot see processes in other containers
● Each container also gets its own network stack.
● A container doesn't get privileged access to the sockets or interfaces of another container.

Slide 8

Cgroups and capabilities
● Cgroups: a kernel feature that limits and isolates the resource usage (CPU, memory, network) of a collection of processes.
● Linux capabilities: divide the privileges of root into distinct units, so a process can be granted a smaller group of privileges.

Slide 9

Docker images

Slide 10

Docker images

Slide 11

Dockerfile

Slide 16

Docker Content Trust

Slide 17

Docker Content Trust
● We can verify the integrity of the image
● Checksum validation when pulling an image from Docker Hub
● Pulling by digest to enforce consistent

Slide 20

Docker capabilities
● A capability is a Unix action a user can perform
● The goal is to restrict "capabilities"
● Privileged process = all the capabilities!
● Unprivileged process = check individual user capabilities
● Example capabilities:
  ○ CAP_CHOWN
  ○ CAP_NET_RAW

Slide 24

--cap-drop all --cap-add
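As an added example (not code from the talk), here is a short Python script for verifying what `--cap-drop all --cap-add ...` actually left a container process with: it decodes the `CapEff` bitmask that the kernel reports in `/proc/<pid>/status` into capability names and diffs the result against the set you intended to grant. The `/proc` status excerpt is constructed for the example; the capability numbering follows the kernel's `linux/capability.h`, and the hex value `a80425fb` is the set Docker grants to an unprivileged container when no capability flags are given.

```python
"""Decode CapEff from /proc/<pid>/status and compare it with an allow-list.
Added example, not code from the talk."""

# Capability names in kernel bit order (linux/capability.h): bit i = CAP_NAMES[i].
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# What an unprivileged container gets when no --cap-drop/--cap-add is given.
DOCKER_DEFAULT_CAPS = frozenset({
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FSETID", "CAP_FOWNER", "CAP_MKNOD",
    "CAP_NET_RAW", "CAP_SETGID", "CAP_SETUID", "CAP_SETFCAP", "CAP_SETPCAP",
    "CAP_NET_BIND_SERVICE", "CAP_SYS_CHROOT", "CAP_KILL", "CAP_AUDIT_WRITE",
})

# Constructed excerpt of /proc/1/status as seen inside a default container.
SAMPLE_STATUS = """\
Name:\tnginx
Uid:\t0\t0\t0\t0
CapInh:\t00000000a80425fb
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
"""


def decode_capmask(hex_mask):
    """Turn a CapEff/CapBnd hex string into the list of set capability names."""
    mask = int(hex_mask, 16)
    names = [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]
    # Bits beyond the table belong to capabilities newer than this list: flag them.
    if mask >> len(CAP_NAMES):
        names.append("CAP_UNKNOWN_%x" % (mask >> len(CAP_NAMES)))
    return names


def capeff_from_status(status_text):
    """Pull the CapEff field out of the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return line.split()[1]
    raise ValueError("no CapEff line in status text")


def unexpected_caps(hex_mask, allowed):
    """Capabilities present in the mask that the allow-list does not grant."""
    return sorted(set(decode_capmask(hex_mask)) - set(allowed))


if __name__ == "__main__":
    eff = capeff_from_status(SAMPLE_STATUS)
    print("effective:", ", ".join(decode_capmask(eff)))
    # Policy for a web server that only needs to bind port 80.
    extra = unexpected_caps(eff, {"CAP_NET_BIND_SERVICE"})
    print("beyond policy:", ", ".join(extra) or "none")
```

To use it against a real container, start it with the intended flags (for example `docker run --rm -d --cap-drop ALL --cap-add NET_BIND_SERVICE <image>`), run `grep Cap /proc/1/status` inside it with `docker exec`, and feed the `CapEff` value to `unexpected_caps` together with the capabilities you meant to keep; anything it returns is a capability the container still has and your policy did not intend.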

Slide 25

Docker security is about limiting and controlling the attack surface on the kernel.

Slide 26

Run filesystems as read-only so that attackers can not overwrite data or save malicious scripts to the image.

Slide 27

Least privilege principle
● Do not run processes in a container as root, so that an attacker who compromises the process does not get root.
● Enable user namespaces
● Run filesystems as read-only so that attackers cannot overwrite data or save malicious scripts to file.
● Cut down the kernel calls that a container can make to reduce the potential attack surface.

Slide 28

Dockerfile security
● Set a specific user.
● Don't run your applications as root in containers.

Slide 29

Read only containers & volumes

Slide 30

Privileged vs non-privileged

Slide 31

Privileged vs non-privileged

Slide 32

Seccomp
● Restricts system calls based on a policy
● Block/limit things like:
  ○ Kernel manipulation (init_module, finit_module, delete_module)
  ○ Executing mount options
  ○ Changing permissions
  ○ Changing owner and groups
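An added example (not from the talk) of what such a policy looks like in practice: a Python script that writes a Docker seccomp profile, in the JSON shape that `docker run --security-opt seccomp=<file>` accepts, returning EPERM for the four groups of syscalls named on the slide, plus a checker that reads any profile back and reports which of those syscalls it still lets through. The syscall groupings and the weak sample profile are constructed for the example; the generated profile is a denylist on top of an allow-everything default, which is looser than Docker's own deny-by-default profile, and the checker ignores the `includes`/`excludes` conditions that the default profile uses.

```python
"""Generate and check a Docker seccomp profile. Added example, not from the talk."""
import json

# Syscall groups to deny, following the slide's categories (constructed list).
BLOCKED_SYSCALLS = {
    "kernel module manipulation": ["init_module", "finit_module", "delete_module"],
    "mount operations": ["mount", "umount", "umount2", "pivot_root"],
    "permission changes": ["chmod", "fchmod", "fchmodat"],
    "ownership changes": ["chown", "fchown", "fchownat", "lchown"],
}

ALL_BLOCKED = sorted(name for names in BLOCKED_SYSCALLS.values() for name in names)
DENY_ACTIONS = ("SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_TRAP")


def build_profile(blocked=BLOCKED_SYSCALLS):
    """Denylist profile: everything allowed except the listed syscalls,
    which fail with EPERM (the errno SCMP_ACT_ERRNO returns by default)."""
    return {
        "defaultAction": "SCMP_ACT_ALLOW",
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
        "syscalls": [
            {"names": sorted(names), "action": "SCMP_ACT_ERRNO", "args": [],
             "comment": reason}
            for reason, names in blocked.items()
        ],
    }


def profile_to_json(profile):
    return json.dumps(profile, indent=2)


def profile_from_json(text):
    return json.loads(text)


def rule_names(rule):
    """Older profiles use a single "name"; newer ones a "names" list."""
    return rule.get("names") or [rule["name"]]


def reachable_syscalls(profile, wanted):
    """Of the syscalls in `wanted`, return those the profile still lets through."""
    wanted = set(wanted)
    if profile.get("defaultAction") == "SCMP_ACT_ALLOW":
        # Allow-by-default: only explicitly denied syscalls are blocked.
        denied = set()
        for rule in profile.get("syscalls", []):
            if rule["action"] in DENY_ACTIONS:
                denied.update(rule_names(rule))
        return sorted(wanted - denied)
    # Deny-by-default: only explicitly allowed syscalls are reachable.
    allowed = set()
    for rule in profile.get("syscalls", []):
        if rule["action"] == "SCMP_ACT_ALLOW":
            allowed.update(rule_names(rule))
    return sorted(wanted & allowed)


# Constructed: a profile somebody left at "allow everything".
WEAK_PROFILE = {"defaultAction": "SCMP_ACT_ALLOW", "syscalls": []}


if __name__ == "__main__":
    profile = build_profile()
    with open("no-mount-no-modules.json", "w") as fh:
        fh.write(profile_to_json(profile))
    print("generated profile leaves reachable:", reachable_syscalls(profile, ALL_BLOCKED))
    print("weak profile leaves reachable:", reachable_syscalls(WEAK_PROFILE, ALL_BLOCKED))
```

Run the script, then start a container with `docker run --security-opt seccomp=no-mount-no-modules.json <image>`; inside it, a `mount` or `chmod` call fails with "Operation not permitted" while everything else behaves as before. Pointing `reachable_syscalls` at Docker's own default profile is a quick way to confirm which of these syscalls it already blocks.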

Slide 34

Audit Docker Host

Slide 35

Docker bench security
● Audits the Docker environment and its containers
● Open-source tool for running automated tests
● Inspired by the CIS Docker 1.11 benchmark
● Runs against the containers currently running on the same host
● Checks for AppArmor, read-only volumes, etc.
https://github.com/docker/docker-bench-security

Slide 36

Docker bench security

Slide 37

Docker bench security
● The host configuration
● The Docker daemon configuration
● The Docker daemon configuration files
● Container images and build files
● Container runtime
● Docker security operations

Slide 38

Lynis
● https://github.com/CISOfy/lynis-docker
● Lynis is a Linux, Mac and Unix security auditing and system hardening tool that includes a module to audit Dockerfiles.
● lynis audit system
● lynis audit dockerfile

Slide 40

Demo time

Slide 41

Audit Docker Images

Slide 42

● You can scan your images for known vulnerabilities
● Find known vulnerable binaries
  ○ Docker Security Scanning
  ○ OWASP Dependency checker
  ○ Anchore Cloud
  ○ Dagda
  ○ Tenable.io Container Security

Slide 43

Docker security scanning

Slide 44

Docker security scanning

Slide 46

OWASP Dependency checker

Slide 47

Anchore

Slide 48

Anchore

Slide 49

Anchore

Slide 51

Dagda

Slide 52

Tenable.io container security

Slide 56

Docker images for malware analysis

Slide 57

References
● https://docs.docker.com/engine/security
● http://www.oreilly.com/webops-perf/free/files/docker-security.pdf
● http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf
● Docker Content Trust: https://docs.docker.com/engine/security/trust/content_trust
● Docker Security Scanning: https://docs.docker.com/docker-cloud/builds/image-scan
● https://blog.docker.com/2016/04/docker-security
● http://softwaretester.info/docker-audit

Slide 59

Thanks!
Contact: @jmortegac
jmortega.github.io
about.met/jmortegac