
Check Container Images with Original Rules@GoConference 2019 Autumn

Tomoya Amachi
October 28, 2019

Transcript

  1. Check Container Images with Original Rules
    Tomoya Amachi (@tomoyamachi)
    Copyright Ⓒ 2019 GOODWITH LLC All Rights Reserved.

  2. Today's (glorious) blather
    00 Who am I?
    01 Why do I want to check container images?
    02 About Docker image architecture
    03 How to scan images with our products
    04 Create an original checker

  3. Who am I?
    • Tomoya AMACHI / 天地 知也
    • @tomoyamachi
    • CEO at GOODWITH LLC
    • Family
      ◦ Wife, one daughter and two sons
    • Languages
      ◦ JavaScript / Go / Python / PHP
    • PaaS
      ◦ GCP (GAE, GKE, Firebase), AWS (ECS)

  4. OSS
    Author of ... / Main Committer of ...
    • https://github.com/goodwithtech/dockle
      Container Image Linter for Security, helping build the best-practice Docker image
    • https://github.com/future-architect/vuls
      Agent-less VULnerable Scanner, an all-round vulnerability scanner
    • https://github.com/aquasecurity/trivy
      Simple and comprehensive vulnerability scanner for containers, suitable for CI

  5. Vulnerabilities can exist at several layers of a Docker deployment...
    • Host OS
    • Docker Daemon
    • Container Runtime
    • Image Registry
    • Orchestration Tools
    • Container Image

  6. But if we use GKE...
    • Host OS : Container-Optimized OS or Ubuntu (managed)
    • Container Runtime : gVisor (managed)
    • Image Registry : GCR (managed)
    • Docker Daemon : managed
    • Orchestration Tool : needs to be configured
    • Container Image : easy to control
    Everything except the Container Image is difficult for us to control.

  7. AWS Fargate...
    • Host OS : cannot be chosen (managed)
    • Image Registry : ECR (managed)
    • Container Runtime : managed
    • Docker Daemon : difficult to control (managed)
    • Orchestration Tool : Amazon's own tool
    • Container Image : easy to control
    Everything except the Container Image is difficult for us to control.

  8–9. Wrap-up
    • The Container Image is easy to control and can be used in any environment (any service)
    • The Container Image can be checked before running containers
    More efficient to check

  10. DEMO
    $ docker save golang:1.13 | gzip > g.tar.gz
    $ tar zxvf g.tar.gz
    $ tree
    ├── 1070caa1a8d894408
    │   ├── VERSION
    │   ├── json
    │   └── layer.tar
    ├── 6bd93c6873c822f79
    │   ├── VERSION
    │   ├── json
    │   └── layer.tar
    ├── 52b59e9ead8e18faf.json
    ├── manifest.json
    └── repositories
    The files that make up a saved Docker image: one directory per layer (each holding its layer.tar), the image config JSON, manifest.json (which lists the layers in order) and repositories.
    docker save writes a plain, uncompressed tar, so it is piped through gzip here to produce the .tar.gz that tar zxvf expects.

  11. DEMO
    $ cat 52b59e9ead8e18faf.json
    {
      "docker_version": "18.06.1-ce",
      "history": [
        {
          "created": "2019-09-12T00:22:xxx",
          "created_by": "/bin/sh -c apt-get update && apt-get install -y openssh-client subversion procps && rm -rf /var/lib/apt/*"
        }
        ...
      ],
      ...
    }
    The image config records how the image was built: one history entry per layer, including the command that created it.

  12. Trivy・Vuls
    Parse → Analyze → Matching
    • Analyze os-release → distribution and version
    • Analyze /var/lib/dpkg/.. → OS packages (name, version, arch)
    • Analyze lock files → libraries (name, version)
    • Match the results against the vulnerability database

  13. Dockle
    Parse → Analyze → Matching
    • Analyze /etc/shadow → password status
      Built-in security rule: empty password
    • Analyze file privileges → setuid / setgid bits
      Built-in security rule: invalid privilege
    • Analyze command history, ports and mount points → configuration
      Built-in Dockerfile rules: avoid sudo, clear the package cache

  14. How to use
    • Prepare the target image file
      ◦ Download the image if it does not exist locally
    • Check each merged file by filename or privilege
    • Analyze the target merged files
    • Match them against the product's rules

  15. How it works
    This is a sample repository with a deliberately simple design:
    https://github.com/tomoyamachi/imagecheck-for-gocon
    If you want to build a better design, look at aquasecurity/trivy and goodwithtech/dockle.
    Parse → Analyze nginx.conf and nginx/conf.d/ → nginx settings → Matching
    Built-in rule: use the LTSV log format

  16. Filtering files in container images
    https://github.com/tomoyamachi/imagecheck-for-gocon/blob/master/pkg/nginx/nginx.go#L25

    import (
        "archive/tar"
        "os"

        "github.com/goodwithtech/deckoder/analyzer"
    )

    // FileMap holds one FileData per kept file, keyed by its path inside the image.
    type FileMap map[string]FileData
    type FileData struct {
        Body     []byte
        FileMode os.FileMode
    }

    // The callback sees each tar header of the merged image and returns true for
    // the files to keep (by filename or permission bits); everything else is skipped.
    fileMap, err := analyzer.Analyze(
        ctx, imageName,
        func(h *tar.Header) (bool, error) {
            ... filter process ...
        },
        option,
    )

  17. Create original check rules: check the log format
    https://github.com/tomoyamachi/imagecheck-for-gocon/blob/master/pkg/nginx/nginx.go#L62-L76

    // Read the nginx config body line by line. splitBySpace is the repository's
    // helper that splits a line on whitespace (strings.Fields would do the same).
    // The len(cmds) >= 3 guard skips directives such as "access_log off;" that
    // carry no format name; cmds[2] is the format in "access_log <path> <format>;".
    scanner := bufio.NewScanner(bodyBuff)
    for scanner.Scan() {
        line := scanner.Text()
        cmds := splitBySpace(line)
        if len(cmds) >= 3 && cmds[0] == "access_log" {
            if !strings.Contains(cmds[2], "ltsv") {
                return fmt.Errorf(`Expect log format contains "ltsv" but %q`, cmds[2])
            }
        }
    }
    // Return the scanner's own error (nil on a clean read) rather than a bare nil,
    // so a truncated or unreadable body is not reported as passing.
    return scanner.Err()

  18. Run the script
    $ go get github.com/tomoyamachi/imagecheck-for-gocon
    $ cd /path/to/project
    $ go run main.go nginx:latest
    2019/10/21 01:49:28 Start assessments...
    2019/10/21 01:49:28 etc/nginx/nginx.conf: Expect log format contains "ltsv" but "main;"
    Exit status 1
    Now we can check the nginx log format!!

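As an added worked example (not code from the talk or from the imagecheck-for-gocon repository), the following Go program puts slides 10, 14, 16 and 17 together using only the standard library instead of deckoder: it replays layer.tar blobs in the order manifest.json lists them (the caller supplies that order), honours ".wh." whiteout entries that delete files from earlier layers, keeps only the nginx config paths the filename filter accepts, and runs the LTSV rule over each kept file. The two-layer image it scans is constructed in memory, and the function names (ltsvRule, isNginxConf, mergeLayers, scanImage, tarOf, sampleLayers) are mine, not the repository's. Opaque whiteouts (.wh..wh..opq) are left out.

```go
package main

import (
	"archive/tar"
	"bufio"
	"bytes"
	"fmt"
	"io"
	"path"
	"sort"
	"strings"
)

// ltsvRule is the talk's rule: an access_log directive that names a format must name an ltsv one.
func ltsvRule(body []byte) error {
	sc := bufio.NewScanner(bytes.NewReader(body))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) >= 3 && f[0] == "access_log" && !strings.Contains(f[2], "ltsv") {
			return fmt.Errorf(`Expect log format contains "ltsv" but %q`, f[2])
		}
	}
	return sc.Err()
}

// isNginxConf is the filename filter: only these paths are read out of the layers.
func isNginxConf(name string) bool {
	return name == "etc/nginx/nginx.conf" || (path.Dir(name) == "etc/nginx/conf.d" && strings.HasSuffix(name, ".conf"))
}

// mergeLayers replays layer.tar blobs in manifest order: a later layer overrides earlier files and a
// ".wh.<name>" entry deletes <name> (opaque whiteouts not handled). Only files accepted by keep stay in memory.
func mergeLayers(layers [][]byte, keep func(string) bool) (map[string][]byte, error) {
	files := map[string][]byte{}
	for _, layer := range layers {
		lr := tar.NewReader(bytes.NewReader(layer))
		for h, err := lr.Next(); err != io.EOF; h, err = lr.Next() {
			if err != nil {
				return nil, err
			}
			dir, base := path.Split(path.Clean(h.Name))
			if strings.HasPrefix(base, ".wh.") {
				delete(files, dir+strings.TrimPrefix(base, ".wh."))
			} else if h.Typeflag == tar.TypeReg && keep(dir+base) {
				if files[dir+base], err = io.ReadAll(lr); err != nil {
					return nil, err
				}
			}
		}
	}
	return files, nil
}

// scanImage runs the rule over every merged nginx config and returns sorted "path: message" findings.
func scanImage(layers [][]byte) ([]string, error) {
	files, err := mergeLayers(layers, isNginxConf)
	if err != nil {
		return nil, err
	}
	var findings []string
	for name, body := range files {
		if err := ltsvRule(body); err != nil {
			findings = append(findings, name+": "+err.Error())
		}
	}
	sort.Strings(findings)
	return findings, nil
}

// tarOf builds one layer.tar from name -> content; used only for the constructed sample below.
func tarOf(entries map[string]string) []byte {
	var b bytes.Buffer
	tw := tar.NewWriter(&b)
	for name, body := range entries {
		if err := tw.WriteHeader(&tar.Header{Name: name, Mode: 0644, Size: int64(len(body)), Typeflag: tar.TypeReg}); err != nil {
			panic(err)
		}
		tw.Write([]byte(body)) // writes to a bytes.Buffer cannot fail once the header is accepted
	}
	tw.Close()
	return b.Bytes()
}

// sampleLayers is constructed data, not a real image: layer 1 ships a bad nginx.conf and two conf.d
// files; layer 2 rewrites default.conf to ltsv and deletes old.conf with a whiteout entry.
func sampleLayers() [][]byte {
	return [][]byte{
		tarOf(map[string]string{
			"etc/nginx/nginx.conf":          "http {\n  access_log /var/log/nginx/access.log main;\n}\n",
			"etc/nginx/conf.d/default.conf": "server {\n  access_log /var/log/nginx/a.log combined;\n}\n",
			"etc/nginx/conf.d/old.conf":     "server {\n  access_log /var/log/nginx/b.log combined;\n}\n",
		}),
		tarOf(map[string]string{
			"etc/nginx/conf.d/default.conf": "server {\n  access_log /var/log/nginx/a.log ltsv;\n}\n",
			"etc/nginx/conf.d/.wh.old.conf": "",
		}),
	}
}

func main() { fmt.Println(scanImage(sampleLayers())) }
```

Running it reports only etc/nginx/nginx.conf, with the same message as slide 18: default.conf passes because layer 2 overrides the layer 1 copy, and old.conf never reaches the rule because the whiteout removed it. Filtering by path before reading bodies is what keeps memory bounded on a real image; everything else in the layers is skipped without being read.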
  19. Wrap-up
    • You can check almost every file in an image before running containers
    • Checking container images is easy with "goodwithtech/deckoder" and "aquasecurity/fanal"