Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Container Security

Carol
August 03, 2019

Container Security

Understand the basics concepts in container, review linux kernel features, explore the vulnerabilities and best practices to developer containers.

Carol

August 03, 2019
Tweet

More Decks by Carol

Other Decks in Programming

Transcript

  1. NET UTS IPC PID Namespaces : Linux Kernel Process IDs

    Unix Timesharing System Network USER NS Linux 3.8 (2013) • Docker Linux 2.6.19 (2006) Linux 2.6.24 (2008) • CGROUP Linux 2.6.29 (2009) Inter-process communication Linux 2.6.19 (2006) Linux 2.4.19 (2002) Mount
  2. df -h Commands CLONE_NEWNS /proc mounted on the host system

    the new process sort of inherits a view on the underlying mounts chroot / pivot_root NS (Mount) Namespace
  3. ipcs -a ipcs -s ipcs -q ipcs -m Commands CLONE_NEWIPC

    IPC semaphores IPC message queues IPC shared memory IPS Namespace Inter-process communication
  4. ps aux ps exf Commands CLONE_NEWPID Process within a PID

    namespace only see process in the same PID namespace PID Namespace Process IDs
  5. /var/run/netns - ip netns add <new_namespace> vetha0 ------------ veth1 ip

    link add veth0 type veth peer name veth1 - ip link list Commans clone_flag = CLONE_NEWNET - routes - firewall rules - network devices - ip address Network stack Bridge, host or overlay networks veth interface allocated on a bridge 172.17.0.1/16 Network Network Namespace
  6. - Blkio (block I/O) - Hugetlb - Net_prio Control what

    a process can SEE - PID - Mount - Network - UTS - IPS - User Namespaces Cgroup Control what a process can USE
  7. /proc/[pid]/ns/ directory Each process has a /proc/[pid]/ns/ subdirectory containing one

    entry for each namespace that supports being manipulated by setns(2)
  8. Container https://d3oypxn00j2a10.cloudfront.net/assets/img/Docker%20Security/WP_Intro_to_container_security_03.20.2015.pdf • Linux kernel namespaces • Linux control groups

    (cgroups) • Linux runtime: Docker daemon: dockerd • Linux capabilities (libcap) • Linux security mechanism: AppArmor or SELinux
  9. BPF for Tracing, Internals - SDN - DDoS mitigation -

    Intrusion detection - Container security Linux Observability Brendan Gregg
  10. Threads Containers • Kernel exploits • Denial-of-service attacks (Dos) •

    Container breakouts • Poisoned images • Application secrets
  11. Hardening Container Runtimes Center for Internet Security (CIS) Benchmark for

    Docker Docker-bench-security API listen on /var/run/docker.sock Don’t mount the docker socket docker container run -d --v /var/run/docker.sock:/var/run/docker.sock eu/danger Sign container images Docker Content Trust guarantees the integrity of the publisher and the integrity of the contents of a container image export DOCKER_CONTENT_TRUST=1
  12. Hardening Container Images Public images ? Run as root ?

    Admin capabilities ? Unprivileged users grant the specific capabilities that it needs Nosuid & RO mounts Access Control: SELinux, AppArmor, Seccomp-bpf.
  13. Container User Running containers as root users Run containers as

    non-root users RUN groupadd -r user && useradd -r -g user user USER user Disable setuid rights in Dockerfile: RUN find / -perm +6000 -type f -exec chmod a-s {} \; \ || true
  14. Container Privileges Capabilities Running privileged containers docker run -d --privileged

    ubuntu grant it only the specific capabilities that it needs docker run --cap-drop=ALL --cap-add=CAP_NET_ADMIN
  15. It uses Berkeley Packet Filter (BPF) rules to filter syscalls

    and control how they are handled. These filters can significantly limit a containers access to the Docker Host’s Linux kernel - especially for simple containers/applications.
  16. https://github.com/docker/labs/blob/master/security/seccomp/seccomp-profiles/deny.json { "defaultAction": "SCMP_ACT_ERRNO", "architectures": [ "SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32" ],

    "syscalls": [ ] } there are no syscalls in the whitelist. This means that no syscalls will be allowed from containers started with this profile.
  17. default-no-chmod { "name": "chmod", "action": "SCMP_ACT_ALLOW", "args": [] }, {

    "name": "fchmod", "action": "SCMP_ACT_ALLOW", "args": [] }, { "name": "fchmodat", "action": "SCMP_ACT_ALLOW", "args": [] }, The default.json profile has the chmod(), fchmod(), and chmodatsyscalls included in its whitelist..
  18. Tools ◉ Docker-bench-security ◉ Grafeas: audit and govern your software

    supply chain ◉ Sysdig: container troubleshooting and security investigation ◉ CoreOs / Clair: Vulnerability Static Analysis for Containers ◉ Aqua / Microscanner: Scan your container images for package vulnerabilities ◉ Anchore: Detailed analysis on their container images, run queries, produce reports and define policies that can be used in CI/CD pipelines ◉ Lynis ◉ Dagda ◉ Tenable ◉ Twistlock
  19. Tools Security Compliance ◉ OpenSCAP - Open Source Security Content

    Automation Protocol ◉ Open Policy Agent / OPA.
  20. Dhttps://github.com/krol3/container_go You can c Linkedin: Carol Valencia Github: krol3 [email protected]

    https://qrco.de/bbCE5X Thanks! Demo https://github.com/krol3/container_go