Check Container Images with Original Rules@GoConference 2019 Autumn

Tomoya Amachi

October 28, 2019

Transcript

  1. Copyright Ⓒ 2019 GOODWITH LLC All Rights Reserved.
    Tomoya Amachi
    (@tomoyamachi)
    Check Container Images
    with Original Rules

  2. Today’s (glorious) blather
    00 Who am I?
    01 Why do I want to check container images?
    02 About Docker image architecture
    03 How to scan images with our products
    04 Create original checker

  3. Who am I?
    SECTION 0

  4. Who am I?
    ● Tomoya AMACHI/天地 知也
    ● @tomoyamachi
    ● CEO at GOODWITH LLC.
    ● Family
    ○ Wife, one daughter and two sons
    ● Language
    ○ JavaScript / Go / Python / PHP
    ● PaaS
    ○ GCP (GAE, GKE, Firebase), AWS (ECS)

  5. OSS
    Author of:
    ● https://github.com/goodwithtech/dockle
    ○ Container Image Linter for Security, Helping build the Best-Practice Docker Image
    Main Committer of:
    ● https://github.com/future-architect/vuls
    ○ Agent-less VULnerable Scanner / All-round vulnerability scanner
    ● https://github.com/aquasecurity/trivy
    ○ Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI

  6. Now on sale!! (CM)

  7. Why do I want to check
    container images?
    SECTION 1

  8. There are several places where vulnerabilities exist for Docker...
    ● Host OS
    ● Docker Daemon
    ● Container Runtime
    ● Image Registry
    ● Orchestration Tools
    ● Container Image

  9. But if we use GKE...
    https://www.slideshare.net/GoogleCloudPlatformJP/cloud-onair-dive-to-google-kubernetes-engine-201882
    (figure: Container-Optimized OS, gVisor, GCR as the Image Registry)

  10. But if we use GKE...
    ● Host OS : Container OS or Ubuntu
    ● Container Runtime : gVisor
    ● Image Registry : GCR
    ● Docker Daemon : Managed
    ● Orchestration Tool : needs to be configured
    ● Container Image : easy to control
    It is difficult to control any of these except the Container Image.
    Managed

  11. If we use AWS Fargate...
    https://aws.amazon.com/jp/blogs/startup/techblog-container-fargate-1/
    (figure: OS, Docker Engine, ecs-agent ..., ECR as the Image Registry)

  12. AWS Fargate...
    ● Host OS : cannot choose
    ● Image Registry : ECR
    ● Container Runtime : Managed
    ● Docker Daemon : difficult to control
    ● Orchestration Tool : original tool
    ● Container Image : easy to control
    It is difficult to control any of these except the Container Image.
    Managed

  13. Wrap-up
    ● Container Image is easy to control and
    can be used in any environment
    (any services)
    ● Container Image can be checked before
    running containers

  14. Wrap-up (same slide, one point added)
    ● More efficient to check

  15. About Docker image
    architecture
    SECTION 2

  16. Docker uses “overlayfs”※
    Source: https://docs.docker.com/storage/storagedriver/
    Source: https://docs.docker.com/storage/storagedriver/overlayfs-driver/
    ※ Other options exist (AUFS, Btrfs...):
    https://docs.docker.com/storage/storagedriver/select-storage-driver/

  17. And an image is a compressed tar.gz file
    https://www.slideshare.net/cr0hn/rootedcon-2017-docker-might-not-be-your-friend-trojanizing-docker-images

  18. DEMO
    $ docker save golang:1.13 -o g.tar.gz
    $ tar zxvf g.tar.gz
    $ tree
    ├── 1070caa1a8d894408
    │   ├── VERSION
    │   ├── json
    │   └── layer.tar
    ├── 6bd93c6873c822f79
    │   ├── VERSION
    │   ├── json
    │   └── layer.tar
    ├── 52b59e9ead8e18faf.json
    ├── manifest.json
    └── repositories
    (annotation: Docker image configuration files)

  19. DEMO
    $ cat 52b59e9ead8e18faf.json
    "docker_version": "18.06.1-ce",
    "history": [
      {
        "created": "2019-09-12T00:22:xxx",
        "created_by": "/bin/sh -c apt-get update && apt-get install -y openssh-client subversion procps && rm -rf /var/lib/apt/*"
      }
      ...
    ],
    ...
    (annotation: images contain build information)

  20. How to scan images
    with our products
    SECTION 3

  21. Trivy・Vuls
    (diagram of the scanning pipeline)
    ● Parse OS: os-release → Distribution, Version
    ● Analyze Package: /var/lib/dpkg/.. → Name, Version, Arch
    ● Analyze Library: lock file → Name, Version
    ● Matching: against the Vulnerability Database

  22. Dockle
    (diagram of the checking pipeline)
    ● Parse: image configuration → Command history, Port, Mount point
    ● Analyze: /etc/shadow → Password status; File privilege (check suid, sgid)
    ● Matching: Built-in Security Rule (Empty password, Invalid privilege) and Built-in Dockerfile Rule (Avoid sudo, Clear package cache)

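As an added example (not code from the deck or its repository), here is how the build history from the image config JSON shown on slide 19 can be checked against two of the Dockerfile rules Dockle lists on slide 22: avoid sudo, and clear the package cache. imageConfig, sampleConfig and CheckHistory are names chosen here, and the history entries are constructed.

```go
package main
import (
	"encoding/json"
	"fmt"
	"strings"
)

// imageConfig mirrors the part of the saved image's config JSON shown on the slide.
type imageConfig struct {
	History []struct {
		CreatedBy string `json:"created_by"`
	} `json:"history"`
}

// sampleConfig is a constructed config fragment, not taken from a real image.
const sampleConfig = `{
  "docker_version": "18.06.1-ce",
  "history": [
    {"created": "2019-09-12T00:01:00Z", "created_by": "/bin/sh -c apt-get update && apt-get install -y curl"},
    {"created": "2019-09-12T00:02:00Z", "created_by": "/bin/sh -c sudo chmod 755 /app"},
    {"created": "2019-09-12T00:03:00Z", "created_by": "/bin/sh -c apt-get install -y vim && rm -rf /var/lib/apt/lists/*"}
  ]
}`

// CheckHistory applies two Dockerfile rules from the Dockle slide to every build step: avoid sudo, and clear the apt cache in the step that installs packages.
func CheckHistory(configJSON []byte) ([]string, error) {
	var cfg imageConfig
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return nil, fmt.Errorf("parse image config: %w", err)
	}
	var findings []string
	for i, h := range cfg.History {
		cmd := h.CreatedBy
		if strings.Contains(cmd, "sudo ") { // plain substring match, as a linter rule would do
			findings = append(findings, fmt.Sprintf("step %d: avoid sudo: %q", i, cmd))
		}
		if strings.Contains(cmd, "apt-get install") && !strings.Contains(cmd, "rm -rf /var/lib/apt") {
			findings = append(findings, fmt.Sprintf("step %d: apt cache not cleared: %q", i, cmd))
		}
	}
	return findings, nil
}

func main() {
	findings, err := CheckHistory([]byte(sampleConfig))
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(findings, "\n"))
}
```

On the constructed history this reports the first step (apt cache not cleared) and the second (sudo); the third step passes both rules.
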
  23. How to use
    ● Prepare the target image file
    ○ Download the image if it doesn’t exist locally
    ● Check each merged file by filename or privilege
    ● Analyze the target merged files
    ● Match against the product’s rules

  24. There are many vulnerabilities detected in public images
    https://containers.goodwith.tech

  25. Create original checker
    SECTION 4

  26. How it works
    This is a sample repository. The design of the repository is very simple:
    https://github.com/tomoyamachi/imagecheck-for-gocon
    If you want to create a better design, please check aquasecurity/trivy and goodwithtech/dockle.
    (diagram) Analyze nginx.conf and nginx/conf.d/ → nginx settings → Matching against the Built-in Rule (Use LTSV log format)

  27. Filtering files in container images
    https://github.com/tomoyamachi/imagecheck-for-gocon/blob/master/pkg/nginx/nginx.go#L25
    import "github.com/goodwithtech/deckoder/analyzer"

    // every file that passes the filter is returned with its body and mode
    type FileMap map[string]FileData
    type FileData struct {
        Body     []byte
        FileMode os.FileMode
    }

    // the callback receives each tar header and decides whether to keep the file
    fileMap, err := analyzer.Analyze(
        ctx, imageName,
        func(h *tar.Header) (bool, error) {
            ... filter process ...
        }, option,
    )

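The filtering step above, as an added example that is not code from the deck or its repository: it walks one layer.tar with Go's archive/tar, applies a header filter in the shape of the callback on the slide (the error return is dropped here), and keeps the nginx configuration plus any setuid/setgid file, which is what a file-privilege check like Dockle's needs. KeepNginxOrSetuid, ExtractLayer and SampleLayer are names chosen here, the layer contents are constructed, and deckoder's analyzer.Analyze is not used.

```go
package main
import (
	"archive/tar"
	"bytes"
	"io"
	"strings"
)

// KeepNginxOrSetuid mirrors the tar.Header filter on the slide (error return dropped): keep nginx configuration plus any setuid (04000) or setgid (02000) file.
func KeepNginxOrSetuid(h *tar.Header) bool {
	if h.Name == "etc/nginx/nginx.conf" || strings.HasPrefix(h.Name, "etc/nginx/conf.d/") {
		return true
	}
	return h.Mode&0o6000 != 0
}

// ExtractLayer walks one layer.tar and returns the bodies of the regular files the filter accepts.
func ExtractLayer(layer io.Reader, keep func(*tar.Header) bool) (map[string][]byte, error) {
	files, tr := map[string][]byte{}, tar.NewReader(layer)
	for h, err := tr.Next(); err != io.EOF; h, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		if !keep(h) || h.Typeflag != tar.TypeReg { // skip filtered-out entries, dirs and symlinks
			continue
		}
		body, rerr := io.ReadAll(tr)
		if rerr != nil {
			return nil, rerr
		}
		files[h.Name] = body
	}
	return files, nil
}

// SampleLayer is a constructed layer.tar built in memory, not taken from a real image; write errors are ignored because writing to a bytes.Buffer cannot fail.
func SampleLayer() io.Reader {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for name, f := range map[string]struct{ mode int64; body string }{
		"etc/nginx/nginx.conf": {0o644, "access_log /var/log/nginx/access.log main;\n"},
		"usr/bin/passwd":       {0o4755, "fake setuid binary"},
		"usr/share/doc/readme": {0o644, "dropped by the filter"},
	} {
		tw.WriteHeader(&tar.Header{Name: name, Mode: f.mode, Size: int64(len(f.body)), Typeflag: tar.TypeReg})
		tw.Write([]byte(f.body))
	}
	tw.Close()
	return &buf
}
```

Calling ExtractLayer(SampleLayer(), KeepNginxOrSetuid) yields two entries, nginx.conf and the setuid passwd binary, and drops the readme.
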
  28. Create original check rules : check log format
    import (
        "bufio"
        "fmt"
        "io"
        "strings"
    )

    // checkLogFormat returns an error when an access_log directive names a log
    // format that does not contain "ltsv"; bodyBuff is the nginx.conf body from the
    // FileMap. strings.Fields stands in for the repository's splitBySpace helper.
    func checkLogFormat(bodyBuff io.Reader) error {
        scanner := bufio.NewScanner(bodyBuff)
        for scanner.Scan() {
            line := scanner.Text()
            cmds := strings.Fields(line) // splitBySpace(line) in the repository
            if len(cmds) >= 3 && cmds[0] == "access_log" {
                if !strings.Contains(cmds[2], "ltsv") {
                    return fmt.Errorf(`Expect log format contains "ltsv" but %q`, cmds[2])
                }
            }
        }
        return scanner.Err() // nil unless reading the body failed
    }
    https://github.com/tomoyamachi/imagecheck-for-gocon/blob/master/pkg/nginx/nginx.go#L62-L76

  29. Run script
    $ go get github.com/tomoyamachi/imagecheck-for-gocon
    $ cd /path/to/project
    $ go run main.go nginx:latest
    2019/10/21 01:49:28 Start assessments...
    2019/10/21 01:49:28 etc/nginx/nginx.conf: Expect log format contains "ltsv" but "main;"
    Exit status 1
    Now we can check the nginx log format!!

  30. Wrap-up
    SECTION 5

  31. Wrap-up
    ● You can check almost all the files before
    running containers
    ● Easy to check container images with
    “goodwithtech/deckoder” and
    “aquasecurity/fanal”
