Slide 1

Check Container Images with Original Rules
Tomoya Amachi (@tomoyamachi)
Copyright Ⓒ 2019 GOODWITH LLC All Rights Reserved.

Slide 2

Today's (glorious) blather
00 Who am I?
01 Why do I want to check container images?
02 About Docker image architecture
03 How to scan images with our products
04 Create original checker

Slide 3


Who am I? SECTION 0

Slide 4

Who am I?
● Tomoya AMACHI / 天地 知也
● @tomoyamachi
● CEO at GOODWITH LLC.
● Family
  ○ Wife, one daughter and two sons
● Language
  ○ JavaScript / Go / Python / PHP
● PaaS
  ○ GCP (GAE, GKE, Firebase), AWS (ECS)

Slide 5

OSS
Author of ...
● https://github.com/goodwithtech/dockle
  Container Image Linter for Security, helping build the best-practice Docker image
Main Committer of ...
● https://github.com/future-architect/vuls
  Agent-less VULnerable Scanner, an all-round vulnerability scanner
● https://github.com/aquasecurity/trivy
  Simple and comprehensive vulnerability scanner for containers, suitable for CI

Slide 6


Now on sale!! (CM)

Slide 7


Why do I want to check container images? SECTION 1

Slide 8

Vulnerabilities can exist in several parts of a Docker deployment...
● Host OS
● Docker Daemon
● Container Runtime
● Image Registry
● Orchestration Tools
● Container Image

Slide 9

But if we use GKE...
(diagram: Container-Optimized OS, gVisor, GCR as the image registry)
Source: https://www.slideshare.net/GoogleCloudPlatformJP/cloud-onair-dive-to-google-kubernetes-engine-201882

Slide 10

But if we use GKE...
● Host OS : Container-Optimized OS or Ubuntu
● Container Runtime : gVisor
● Image Registry : GCR
● Docker Daemon : managed
● Orchestration Tool : needs to be configured
● Container Image : easy to control
These layers are managed by the platform, so it is difficult to control them, except for the Container Image.

Slide 11

If we use AWS Fargate...
(diagram: OS, Docker Engine, ecs-agent, ..., ECR as the image registry)
Source: https://aws.amazon.com/jp/blogs/startup/techblog-container-fargate-1/

Slide 12

AWS Fargate...
● Host OS : cannot choose
● Image Registry : ECR
● Container Runtime : managed
● Docker Daemon : difficult to control
● Orchestration Tool : AWS's own tool
● Container Image : easy to control
These layers are managed by the platform, so it is difficult to control them, except for the Container Image.

Slide 13

Wrap-up
● Container Image is easy to control and can be used in any environment (any service)
● Container Image can be checked before running containers

Slide 14

Wrap-up
● Container Image is easy to control and can be used in any environment (any service)
● Container Image can be checked before running containers
→ More efficient to check

Slide 15


About Docker image architecture SECTION 2

Slide 16

Docker uses "overlayfs" ※
Source: https://docs.docker.com/storage/storagedriver/
Source: https://docs.docker.com/storage/storagedriver/overlayfs-driver/
※ Other options exist (AUFS, Btrfs, ...): https://docs.docker.com/storage/storagedriver/select-storage-driver/

Slide 17

And an image is a compressed tar.gz file
Source: https://www.slideshare.net/cr0hn/rootedcon-2017-docker-might-not-be-your-friend-trojanizing-docker-images

Slide 18

DEMO
$ docker save golang:1.13 -o g.tar.gz
$ tar zxvf g.tar.gz
$ tree
├── 1070caa1a8d894408
│   ├── VERSION
│   ├── json
│   └── layer.tar
├── 6bd93c6873c822f79
│   ├── VERSION
│   ├── json
│   └── layer.tar
├── 52b59e9ead8e18faf.json
├── manifest.json
└── repositories
The files that make up a Docker image

Slide 19

DEMO
$ cat 52b59e9ead8e18faf.json
"docker_version": "18.06.1-ce",
"history": [
  {
    "created": "2019-09-12T00:22:xxx",
    "created_by": "/bin/sh -c apt-get update && apt-get install -y openssh-client subversion procps && rm -rf /var/lib/apt/*"
  }
  ...
],
...
Images contain build information

Slide 20


How to scan images with our products SECTION 3

Slide 21

Trivy・Vuls
(diagram of the scanning pipeline)
● Parse os-release → Distribution, Version
● Analyze /var/lib/dpkg/... → OS Package: Name, Version, Arch
● Analyze library lock files → Library: Name, Version
● Matching → Vulnerability Database

Slide 22

Dockle
(diagram of the checking pipeline)
● Parse configuration: /etc/shadow → Password status; File privilege (check suid, guid); Command history; Port; Mount point
● Matching → Built-in Security Rule (empty password, invalid privilege); Built-in Dockerfile Rule (avoid sudo, clear package cache)
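As an added example, not code from the slides, from Dockle or from Trivy: the build history in the image config shown on slide 19 can feed a "clear package cache" rule like the one Dockle lists. The config JSON here is constructed, and the strings treated as cleanup markers are an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// imageConfig covers the part of the <id>.json config used here: the build history.
type imageConfig struct {
	History []struct {
		Created   string `json:"created"`
		CreatedBy string `json:"created_by"`
	} `json:"history"`
}

// CheckAptCache reports every history step that runs "apt-get install" without clearing
// the apt cache in the same step (deleting the files in a later layer does not shrink this one).
func CheckAptCache(configJSON []byte) ([]string, error) {
	var cfg imageConfig
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return nil, fmt.Errorf("parse image config: %w", err)
	}
	var findings []string
	for i, h := range cfg.History {
		cmd := h.CreatedBy
		if !strings.Contains(cmd, "apt-get install") {
			continue
		}
		if strings.Contains(cmd, "rm -rf /var/lib/apt") || strings.Contains(cmd, "apt-get clean") {
			continue
		}
		findings = append(findings, fmt.Sprintf("history[%d] %s: apt cache not cleared: %s", i, h.Created, cmd))
	}
	return findings, nil
}

// SampleConfig is constructed, not dumped from a real image: the first step
// mirrors the slide's golang:1.13 layer, the second forgets the cleanup.
const SampleConfig = `{
  "history": [
    {"created": "2019-09-12T00:22:00Z", "created_by": "/bin/sh -c apt-get update && apt-get install -y openssh-client subversion procps && rm -rf /var/lib/apt/*"},
    {"created": "2019-09-12T00:23:00Z", "created_by": "/bin/sh -c apt-get update && apt-get install -y curl"}
  ]
}`

func main() {
	findings, _ := CheckAptCache([]byte(SampleConfig))
	fmt.Println(strings.Join(findings, "\n"))
}
```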

Slide 23

How to use
● Prepare the target image file
  ○ Download the image if it doesn't exist in the local image store
● Check each merged file via filename or privilege
● Analyze the target merged files
● Match with the product's rules

Slide 24


There are many vulnerabilities detected in public images https://containers.goodwith.tech

Slide 25


Create original checker SECTION 4

Slide 26

How it works
This is a sample repository. The design of the repository is very simple.
https://github.com/tomoyamachi/imagecheck-for-gocon
If you want to create a better design, please check aquasecurity/trivy and goodwithtech/dockle.
(diagram: Analyze nginx.conf and nginx/conf.d/ → nginx setting → Matching → Built-in Rule: use LTSV log format)

Slide 27

Filtering files in container images
https://github.com/tomoyamachi/imagecheck-for-gocon/blob/master/pkg/nginx/nginx.go#L25

import "github.com/goodwithtech/deckoder/analyzer"

// Result of the analysis: file path -> body and mode
type FileMap map[string]FileData
type FileData struct {
    Body     []byte
    FileMode os.FileMode
}

// The callback runs for every tar header in the image layers and
// decides whether that file is kept in fileMap
fileMap, err := analyzer.Analyze(
    ctx,
    imageName,
    func(h *tar.Header) (bool, error) {
        ... filter process ...
    },
    option,
)

Slide 28

Create original check rules : check log format
https://github.com/tomoyamachi/imagecheck-for-gocon/blob/master/pkg/nginx/nginx.go#L62-L76

scanner := bufio.NewScanner(bodyBuff)
for scanner.Scan() {
    line := scanner.Text()
    cmds := splitBySpace(line)
    // "access_log <path> <format>;" : the third token names the log format
    if len(cmds) >= 3 && cmds[0] == "access_log" {
        if !strings.Contains(cmds[2], "ltsv") {
            return fmt.Errorf(`Expect log format contains "ltsv" but %q`, cmds[2])
        }
    }
}
return nil

Slide 29

Run script
$ go get github.com/tomoyamachi/imagecheck-for-gocon
$ cd /path/to/project
$ go run main.go nginx:latest
2019/10/21 01:49:28 Start assessments...
2019/10/21 01:49:28 etc/nginx/nginx.conf: Expect log format contains "ltsv" but "main;"
Exit status 1
Now we can check the nginx log format!!

Slide 30


Wrap-up SECTION 5

Slide 31

Wrap-up
● You can check almost all the files before running containers
● It is easy to check container images with "goodwithtech/deckoder" and "aquasecurity/fanal"