Segurança em Containers Carol Valencia Devops Engineer

Container Threats Best Practices Agenda

Container

No content

NET UTS IPC PID Namespaces : Linux Kernel Process IDs Unix Timesharing System Network USER NS Linux 3.8 (2013) ● Docker Linux 2.6.19 (2006) Linux 2.6.24 (2008) ● CGROUP Linux 2.6.29 (2009) Inter-process communication Linux 2.6.19 (2006) Linux 2.4.19 (2002) Mount

df -h Commands CLONE_NEWNS /proc mounted on the host system the new process sort of inherits a view on the underlying mounts chroot / pivot_root NS (Mount) Namespace

hostname Commands CLONE_NEWUTS Hostname Domainname UTS Namespace Unix Timesharing System

ipcs -a ipcs -s ipcs -q ipcs -m Commands CLONE_NEWIPC IPC semaphores IPC message queues IPC shared memory IPS Namespace Inter-process communication

ps aux ps exf Commands CLONE_NEWPID Process within a PID namespace only see process in the same PID namespace PID Namespace Process IDs

/var/run/netns - ip netns add vetha0 ------------ veth1 ip link add veth0 type veth peer name veth1 - ip link list Commans clone_flag = CLONE_NEWNET - routes - firewall rules - network devices - ip address Network stack Bridge, host or overlay networks veth interface allocated on a bridge 172.17.0.1/16 Network Network Namespace

id ls -la Commands CLONE_NEWUSER Allows to map UID/GID UID 0 (root) User Namespace

- Blkio (block I/O) - Hugetlb - Net_prio Control what a process can SEE - PID - Mount - Network - UTS - IPS - User Namespaces Cgroup Control what a process can USE

/proc/[pid]/ns/ directory Each process has a /proc/[pid]/ns/ subdirectory containing one entry for each namespace that supports being manipulated by setns(2)

Container https://d3oypxn00j2a10.cloudfront.net/assets/img/Docker%20Security/WP_Intro_to_container_security_03.20.2015.pdf ● Linux kernel namespaces ● Linux control groups (cgroups) ● Linux runtime: Docker daemon: dockerd ● Linux capabilities (libcap) ● Linux security mechanism: AppArmor or SELinux

Linux Capabilities By default, a container own only 14 of 37 capabilities

BPF for Tracing, Internals - SDN - DDoS mitigation - Intrusion detection - Container security Linux Observability Brendan Gregg

Threads

Threads Containers ● Kernel exploits ● Denial-of-service attacks (Dos) ● Container breakouts ● Poisoned images ● Application secrets

Overview Docker Architecture https://www.slideshare.net/jmoc25/testing-docker-images-security-ncn-edition

NIST Special Publication 800-190 Developing Cycle with Containers Eradicate vulnerabilities before container deployment

Best Practices

Hardening Host Center for Internet Security (CIS) Benchmark for Distribution Unsecured, unhardened host OS best practices

Hardening Container Runtimes Center for Internet Security (CIS) Benchmark for Docker Docker-bench-security API listen on /var/run/docker.sock Don’t mount the docker socket docker container run -d --v /var/run/docker.sock:/var/run/docker.sock eu/danger Sign container images Docker Content Trust guarantees the integrity of the publisher and the integrity of the contents of a container image export DOCKER_CONTENT_TRUST=1

Hardening Container Images Public images ? Run as root ? Admin capabilities ? Unprivileged users grant the specific capabilities that it needs Nosuid & RO mounts Access Control: SELinux, AppArmor, Seccomp-bpf.

Hardening Secrets docker run -v $(pwd)/secrets:/secrets:ro debian Intro_to_container_security Secrets in the Source code Secrets in the Dockerfiles / images

Hardening Secrets Encryptation Dynamic secrets ◉ Hashicorp Vault ◉ CyberArk Conjur ◉ Aqua Secrets

Container User Running containers as root users Run containers as non-root users RUN groupadd -r user && useradd -r -g user user USER user Disable setuid rights in Dockerfile: RUN find / -perm +6000 -type f -exec chmod a-s {} \; \ || true

Container Privileges Capabilities Running privileged containers docker run -d --privileged ubuntu grant it only the specific capabilities that it needs docker run --cap-drop=ALL --cap-add=CAP_NET_ADMIN

Firewall for system calls (syscalls) Seccomp security-seccomp

It uses Berkeley Packet Filter (BPF) rules to filter syscalls and control how they are handled. These filters can significantly limit a containers access to the Docker Host’s Linux kernel - especially for simple containers/applications.

https://github.com/docker/labs/blob/master/security/seccomp/seccomp-profiles/deny.json { "defaultAction": "SCMP_ACT_ERRNO", "architectures": [ "SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32" ], "syscalls": [ ] } there are no syscalls in the whitelist. This means that no syscalls will be allowed from containers started with this profile.

default-no-chmod { "name": "chmod", "action": "SCMP_ACT_ALLOW", "args": [] }, { "name": "fchmod", "action": "SCMP_ACT_ALLOW", "args": [] }, { "name": "fchmodat", "action": "SCMP_ACT_ALLOW", "args": [] }, The default.json profile has the chmod(), fchmod(), and chmodatsyscalls included in its whitelist..

Tools ◉ Docker-bench-security ◉ Grafeas: audit and govern your software supply chain ◉ Sysdig: container troubleshooting and security investigation ◉ CoreOs / Clair: Vulnerability Static Analysis for Containers ◉ Aqua / Microscanner: Scan your container images for package vulnerabilities ◉ Anchore: Detailed analysis on their container images, run queries, produce reports and define policies that can be used in CI/CD pipelines ◉ Lynis ◉ Dagda ◉ Tenable ◉ Twistlock

Tools Security Compliance ◉ OpenSCAP - Open Source Security Content Automation Protocol ◉ Open Policy Agent / OPA.

Brendan Gregg- BPF Performance Tools: Linux System and Application Observability

Dhttps://github.com/krol3/container_go You can c Linkedin: Carol Valencia Github: krol3 [email protected] https://qrco.de/bbCE5X Thanks! Demo https://github.com/krol3/container_go