Check Container Images with Original Rules@GoConference 2019 Autumn

5bc984d78def65048378c439d77c379f?s=47 Tomoya Amachi
October 28, 2019
Technology
2
2k

Check Container Images with Original Rules@GoConference 2019 Autumn

5bc984d78def65048378c439d77c379f?s=128

Tomoya Amachi

October 28, 2019
Tweet

More Decks by Tomoya Amachi

See All by Tomoya Amachi
5bc984d78def65048378c439d77c379f?s=48 tomoyamachi
1
180
5bc984d78def65048378c439d77c379f?s=48 tomoyamachi
2
2.4k
5bc984d78def65048378c439d77c379f?s=48 tomoyamachi
2
680
5bc984d78def65048378c439d77c379f?s=48 tomoyamachi
0
240

Other Decks in Technology

See All in Technology
664b6e8ebe272fcfa5dbd6070eaf3cd4?s=48 wadayusuke
2
670
C5e26822fb2aa64410b50eac63ef7d84?s=48 fill9120
1
230
Ce2ffa10331de7d89e06eabe1d231aef?s=48 hornets79
1
120
92e7a56a50535ef4c51c112c71d3f9c1?s=48 jkubota
0
280
79dcb04101764d7bf66f898dd446838e?s=48 tsukubachallenge
0
260
3dc29e8cfc6ef333e2b41a1b0e826b57?s=48 cortinico
5
260
9e7a653ed313b3da4b263a772bfc5026?s=48 clustervr
0
280
4615930de72ec08f99d3227761ace0d8?s=48 yenlung
2
460
9e7a653ed313b3da4b263a772bfc5026?s=48 clustervr
0
450
951ca4f70b5884e18cf3f7e88c441d6a?s=48 issdu
1
370
470bbf16e3547a17e40c34da937be921?s=48 kikmysy4
0
150
46fdd2ebc85d68659b83d5eb5c6a49aa?s=48 keisukeyamashita
3
370

Featured

See All Featured
245cee81a9c424266e5e401d844ea881?s=48 lara
588
60k
0c6fd6a08d0f898159cda7cafcacf07f?s=48 afnizarnur
175
14k
Dafc4723e9a1c067796c0fec6f509774?s=48 lemiorhan
620
40k
Be9caeb9d4ef9944d151af909063ed6e?s=48 samlambert
236
9.7k
24fc194843a71f10949be18d5a692682?s=48 gr2m
82
11k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
142
19k
5b9fe87ec1faa67a4599782930f45ec9?s=48 sstephenson
144
11k
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
12
430
766b9746b59e6f09e280cd33cf4ed419?s=48 skipperchong
2
420
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
391
60k
7c8469ee8c9e594c65c59b919626c08d?s=48 scottboms
250
11k
F68cb25ae3e5c2106997454b13b7737d?s=48 brad_frost
154
6.1k

Transcript

  1. Copyright Ⓒ 2019 GOODWITH LLC All Rights Reserved. Tomoya Amachi

    (@tomoyamachi) Check Container Images with Original Rules

  2. Today’s (glorious) blather Why do I want to check container

    images? 01 About Docker image architecture How to scan images with our products Create original checker 02 03 04 Who am I? 00

  3. Who am I? SECTION 0

  4. Who am I? • Tomoya AMACHI/天地 知也 • @tomoyamachi •

    CEO at GOODWITH LLC., • Family ◦ Wife, one daughter and two sons • Language ◦ JavaScript / Go / Python / PHP • PaaS ◦ GCP (GAE, GKE, Firebase), AWS (ECS)

  5. OSS Author of ... Main Committer of ... https://github.com/goodwithtech/dockle Container

    Image Linter for Security, Helping build the Best-Practice Docker Image https://github.com/future-architect/vuls Agent-less VULnerable Scanner All-round vulnerability scanner https://github.com/aquasecurity/trivy Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI

  6. Now on sale!! (CM)

  7. Why do I want to check container images? SECTION 1

  8. There are some vulnerabilities exist for Docker... • Host OS

    • Docker Daemon • Container Runtime • Image Registry • Orchestration Tools • Container Image

  9. But if we use GKE... https://www.slideshare.net/GoogleCloudPlatformJP/cloud-onair-dive-to-google-kubernetes-engine-201882 Container-Optimized OS gVisor GCR

    Image Registry

  10. But if we use GKE... • Host OS : Container

    OS or Ubuntu • Container Runtime : gVisor • Image Registry : GCR • Docker Daemon : Managed • Orchestration Tool : need to be configured • Container Image : easy to control it is difficult to control them except for Container Image. Managed

  11. if we use AWS Fargate... https://aws.amazon.com/jp/blogs/startup/techblog-container-fargate-1/ OS Docker Engine ecs-agent

    ... ECR Image Registry

  12. AWS Fargate... • Host OS : cannot choose • Image

    Registry : ECR • Container Runtime : Managed • Docker Daemon : difficult to control • Orchestration Tool : original tool • Container Image : easy to control it is difficult to control them except for Container Image. Managed

  13. Wrap-up • Container Image is easy to control and can

    be used in any environment (any services) • Container Image can be checked before running containers

  14. Wrap-up • Container Image is easy to control and can

    be used in any environment (any services) • Container Image can be checked before running containers More Efficient to check

  15. About Docker image architecture SECTION 2

  16. Docker use “overlayfs”※ Source:https://docs.docker.com/storage/storage driver/ Source:https://docs.docker.com/storage/storagedriver/overlayfs-dr iver/ ※ exists other

    options (AUFS, Btrfs...) https://docs.docker.com/storage/storagedriver/select-storage-driver/

  17. And Image is compressed tar.gz file https://www.slideshare.net/cr0hn/rootedcon-2017-docker-might-not-be-your-friend-trojanizing-docker-images

  18. DEMO $ docker save golang:1.13 -o g.tar.gz $ tar zxvf

    g.tar.gz $ tree ├── 1070caa1a8d894408 │ ├── VERSION │ ├── json │ └── layer.tar ├── 6bd93c6873c822f79 │ ├── VERSION │ ├── json │ └── layer.tar ├── 52b59e9ead8e18faf.json ├── manifest.json └── repositories Docker image configured files

  19. DEMO $ cat 52b59e9ead8e18faf.json "docker_version": "18.06.1-ce", "history": [ { "created":

    "2019-09-12T00:22:xxx", "created_by": "/bin/sh -c apt-get update && apt-get install -y openssh-client subversion procps && rm -rf /var/lib/apt/*" } ... ], ... Images contain built information

  20. How to scan images with our products SECTION 3

  21. Trivy・Vuls OS Package Library Lock file Name Version Arch Name

    Version Matching Vulnerability Database Parse Distribution Version Analyze Analyze os-release /var/lib/dpkg/.. /var/lib/dpkg/.. os-release Analyze /var/lib/dpkg/..

  22. Dockle Password status File privilege Command history Port Mount point

    Built-in Security Rule - Empty password - Invalid privilege Parse Built-in Dockerfile Rule - Avoid sudo - Clear package cache Matching Check suid, guid /etc/shadow /etc/shadow configuration

  23. How to use • Prepare the target image file ◦

    Download the image if it doesn’t exist in the local image • Check each merged file via Filename or Privilege • Analyze the target merged files • Match with the product’s rules

  24. There are many vulnerabilities detected in public images https://containers.goodwith.tech

  25. Create original checker SECTION 4

  26. How it works This is a sample repository. The design

    of the repository is very simple. https://github.com/tomoyamachi/imagecheck-for-gocon If you try to create better design, please check aquasecurity/trivy and goodwithtech/dockle. nginx setting Built-in Rule - Use LTVS log format Matching Analyze nginx.conf nginx/conf.d/

  27. Filtering files in container images https://github.com/tomoyamachi/imagecheck-for-gocon/blob/master/pkg/nginx/nginx.go#L25 import "github.com/goodwithtech/deckoder/analyzer" type FileMap

    map[string]FileData type FileData struct { Body []byte FileMode os.FileMode } fileMap, err := analyzer.Analyze( ctx, imageName, func(h *tar.Header) (bool, error){ ... filter process ... }, option )

  28. Create original check rules : check log format scanner :=

    bufio.NewScanner(bodyBuff) for scanner.Scan() { line := scanner.Text() cmds := splitBySpace(line) if len(cmds) >= 3 && cmds[0] == "access_log"{ if !strings.Contains(cmds[2], "ltsv") { return fmt.Errorf(`Expect log format contains "ltsv" but %q`, cmds[2]) } } } return nil https://github.com/tomoyamachi/imagecheck-for-gocon/blob/master/pkg/nginx/nginx.go#L62-L76

  29. Run scripts Run script $ go get github.com/tomoyamachi/imagecheck-for-gocon $ cd

    /path/to/project $ go run main.go nginx:latest 2019/10/21 01:49:28 Start assessments... 2019/10/21 01:49:28 etc/nginx/nginx.conf: Expect log format contains "ltsv" but "main;" Exit status 1 Now we can check nginx log format!!

  30. Wrap-up SECTION 5

  31. Wrap-up • You can check almost all the files before

    running containers • Easy to check container images with “goodwithtech/deckoder” and “aquasecurity/fanal”