Slide 1

Slide 1 text

Segurança em Containers Carol Valencia Devops Engineer

Slide 2

Slide 2 text

Container Threats Best Practices Agenda

Slide 3

Slide 3 text

Container

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

NET UTS IPC PID Namespaces : Linux Kernel Process IDs Unix Timesharing System Network USER NS Linux 3.8 (2013) ● Docker Linux 2.6.19 (2006) Linux 2.6.24 (2008) ● CGROUP Linux 2.6.29 (2009) Inter-process communication Linux 2.6.19 (2006) Linux 2.4.19 (2002) Mount

Slide 6

Slide 6 text

df -h Commands CLONE_NEWNS /proc mounted on the host system the new process sort of inherits a view on the underlying mounts chroot / pivot_root NS (Mount) Namespace

Slide 7

Slide 7 text

hostname Commands CLONE_NEWUTS Hostname Domainname UTS Namespace Unix Timesharing System

Slide 8

Slide 8 text

ipcs -a ipcs -s ipcs -q ipcs -m Commands CLONE_NEWIPC IPC semaphores IPC message queues IPC shared memory IPS Namespace Inter-process communication

Slide 9

Slide 9 text

ps aux ps exf Commands CLONE_NEWPID Process within a PID namespace only see process in the same PID namespace PID Namespace Process IDs

Slide 10

Slide 10 text

/var/run/netns - ip netns add vetha0 ------------ veth1 ip link add veth0 type veth peer name veth1 - ip link list Commans clone_flag = CLONE_NEWNET - routes - firewall rules - network devices - ip address Network stack Bridge, host or overlay networks veth interface allocated on a bridge 172.17.0.1/16 Network Network Namespace

Slide 11

Slide 11 text

id ls -la Commands CLONE_NEWUSER Allows to map UID/GID UID 0 (root) User Namespace

Slide 12

Slide 12 text

- Blkio (block I/O) - Hugetlb - Net_prio Control what a process can SEE - PID - Mount - Network - UTS - IPS - User Namespaces Cgroup Control what a process can USE

Slide 13

Slide 13 text

/proc/[pid]/ns/ directory Each process has a /proc/[pid]/ns/ subdirectory containing one entry for each namespace that supports being manipulated by setns(2)

Slide 14

Slide 14 text

Container https://d3oypxn00j2a10.cloudfront.net/assets/img/Docker%20Security/WP_Intro_to_container_security_03.20.2015.pdf ● Linux kernel namespaces ● Linux control groups (cgroups) ● Linux runtime: Docker daemon: dockerd ● Linux capabilities (libcap) ● Linux security mechanism: AppArmor or SELinux

Slide 15

Slide 15 text

Linux Capabilities By default, a container own only 14 of 37 capabilities

Slide 16

Slide 16 text

BPF for Tracing, Internals - SDN - DDoS mitigation - Intrusion detection - Container security Linux Observability Brendan Gregg

Slide 17

Slide 17 text

Threads

Slide 18

Slide 18 text

Threads Containers ● Kernel exploits ● Denial-of-service attacks (Dos) ● Container breakouts ● Poisoned images ● Application secrets

Slide 19

Slide 19 text

Overview Docker Architecture https://www.slideshare.net/jmoc25/testing-docker-images-security-ncn-edition

Slide 20

Slide 20 text

NIST Special Publication 800-190 Developing Cycle with Containers Eradicate vulnerabilities before container deployment

Slide 21

Slide 21 text

Best Practices

Slide 22

Slide 22 text

Hardening Host Center for Internet Security (CIS) Benchmark for Distribution Unsecured, unhardened host OS best practices

Slide 23

Slide 23 text

Hardening Container Runtimes Center for Internet Security (CIS) Benchmark for Docker Docker-bench-security API listen on /var/run/docker.sock Don’t mount the docker socket docker container run -d --v /var/run/docker.sock:/var/run/docker.sock eu/danger Sign container images Docker Content Trust guarantees the integrity of the publisher and the integrity of the contents of a container image export DOCKER_CONTENT_TRUST=1

Slide 24

Slide 24 text

Hardening Container Images Public images ? Run as root ? Admin capabilities ? Unprivileged users grant the specific capabilities that it needs Nosuid & RO mounts Access Control: SELinux, AppArmor, Seccomp-bpf.

Slide 25

Slide 25 text

Hardening Secrets docker run -v $(pwd)/secrets:/secrets:ro debian Intro_to_container_security Secrets in the Source code Secrets in the Dockerfiles / images

Slide 26

Slide 26 text

Hardening Secrets Encryptation Dynamic secrets ◉ Hashicorp Vault ◉ CyberArk Conjur ◉ Aqua Secrets

Slide 27

Slide 27 text

Container User Running containers as root users Run containers as non-root users RUN groupadd -r user && useradd -r -g user user USER user Disable setuid rights in Dockerfile: RUN find / -perm +6000 -type f -exec chmod a-s {} \; \ || true

Slide 28

Slide 28 text

Container Privileges Capabilities Running privileged containers docker run -d --privileged ubuntu grant it only the specific capabilities that it needs docker run --cap-drop=ALL --cap-add=CAP_NET_ADMIN

Slide 29

Slide 29 text

Firewall for system calls (syscalls) Seccomp security-seccomp

Slide 30

Slide 30 text

It uses Berkeley Packet Filter (BPF) rules to filter syscalls and control how they are handled. These filters can significantly limit a containers access to the Docker Host’s Linux kernel - especially for simple containers/applications.

Slide 31

Slide 31 text

https://github.com/docker/labs/blob/master/security/seccomp/seccomp-profiles/deny.json { "defaultAction": "SCMP_ACT_ERRNO", "architectures": [ "SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32" ], "syscalls": [ ] } there are no syscalls in the whitelist. This means that no syscalls will be allowed from containers started with this profile.

Slide 32

Slide 32 text

default-no-chmod { "name": "chmod", "action": "SCMP_ACT_ALLOW", "args": [] }, { "name": "fchmod", "action": "SCMP_ACT_ALLOW", "args": [] }, { "name": "fchmodat", "action": "SCMP_ACT_ALLOW", "args": [] }, The default.json profile has the chmod(), fchmod(), and chmodatsyscalls included in its whitelist..

Slide 33

Slide 33 text

Tools ◉ Docker-bench-security ◉ Grafeas: audit and govern your software supply chain ◉ Sysdig: container troubleshooting and security investigation ◉ CoreOs / Clair: Vulnerability Static Analysis for Containers ◉ Aqua / Microscanner: Scan your container images for package vulnerabilities ◉ Anchore: Detailed analysis on their container images, run queries, produce reports and define policies that can be used in CI/CD pipelines ◉ Lynis ◉ Dagda ◉ Tenable ◉ Twistlock

Slide 34

Slide 34 text

Tools Security Compliance ◉ OpenSCAP - Open Source Security Content Automation Protocol ◉ Open Policy Agent / OPA.

Slide 35

Slide 35 text

Brendan Gregg- BPF Performance Tools: Linux System and Application Observability

Slide 36

Slide 36 text

Dhttps://github.com/krol3/container_go You can c Linkedin: Carol Valencia Github: krol3 [email protected] https://qrco.de/bbCE5X Thanks! Demo https://github.com/krol3/container_go