
Introduction to Container Security

Carol
April 24, 2019


Transcript

  1. Topics
     - Containers
     - Main risks in containers
     - Good security practices with containers
     - Tools
  2. Container (source: https://d3oypxn00j2a10.cloudfront.net/assets/img/Docker%20Security/WP_Intro_to_container_security_03.20.2015.pdf)
     - Linux kernel namespaces
     - Linux control groups (cgroups)
     - Docker daemon: dockerd
     - Linux capabilities (libcap)
     - Linux security mechanism: AppArmor or SELinux
  3. Risks
     - Risks in containers
       - Vulnerabilities inside the software runtime.
       - No limits on network access from the container.
     - Risks in images
       - Image vulnerabilities
       - Defects in the image configuration
       - Embedded malware
       - Embedded secrets
       - Use of untrusted images
  4. Docker daemon API
     - The API listens on /var/run/docker.sock
     - Don't mount the Docker socket into containers; this example does exactly that and hands the container full control of the daemon:
       docker container run -d -p 9000:9000 -v /var/run/docker.sock:/var/run/docker.sock portainer/portainer
  5. Container privileges: capabilities
     - Running privileged containers (avoid): docker run -d --privileged ubuntu
     - Grant a container only the specific capabilities that it needs:
       docker run --cap-drop=ALL --cap-add=CAP_NET_ADMIN
       docker run -d --cap-add SYS_PTRACE ubuntu
  6. Container: restricting permissions (source: https://d3oypxn00j2a10.cloudfront.net/assets/img/Docker%20Security/WP_Intro_to_container_security_03.20.2015.pdf)
     - Running containers as root users (avoid)
     - Run containers as non-root users:
       RUN groupadd -r user && useradd -r -g user user
       USER user
     - Disable setuid/setgid rights in the Dockerfile:
       RUN find / -perm +6000 -type f -exec chmod a-s {} \; || true
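The three run-time risks in slides 4 to 6 (mounted Docker socket, excess capabilities, root user) can be checked from `docker inspect` output. The following audit script is an added example, not part of the deck; it assumes the field names Docker's inspect JSON uses (`HostConfig.Privileged`, `HostConfig.CapAdd`, `HostConfig.CapDrop`, `HostConfig.Binds`, `Config.User`) and runs on a constructed sample instead of a live daemon.

```python
import json

# Constructed sample of `docker inspect` output, trimmed to the fields the
# checks below read; it is not captured from a real host.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/portainer",
     "Config": {"User": "", "Image": "portainer/portainer"},
     "HostConfig": {"Privileged": False, "CapAdd": ["SYS_PTRACE"], "CapDrop": [],
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}},
    {"Name": "/app",
     "Config": {"User": "user", "Image": "app:1.0"},
     "HostConfig": {"Privileged": False, "CapAdd": ["CAP_NET_ADMIN"],
                    "CapDrop": ["ALL"], "Binds": []}},
])

DOCKER_SOCKET = "/var/run/docker.sock"


def _cap_name(cap):
    # Docker accepts both NET_ADMIN and CAP_NET_ADMIN; normalise for comparison.
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_container(entry):
    """Return the findings (strings) for one `docker inspect` entry."""
    findings = []
    host = entry.get("HostConfig") or {}
    cfg = entry.get("Config") or {}
    if host.get("Privileged"):
        findings.append("--privileged: every capability and host device is available")
    for bind in host.get("Binds") or []:
        if bind.split(":")[0] == DOCKER_SOCKET:
            findings.append("mounts %s: the container controls dockerd" % DOCKER_SOCKET)
    added = sorted(_cap_name(c) for c in host.get("CapAdd") or [])
    dropped = {_cap_name(c) for c in host.get("CapDrop") or []}
    if added and "ALL" not in dropped:
        findings.append("adds %s without --cap-drop=ALL" % ",".join(added))
    if not cfg.get("User"):
        findings.append("runs as root: no USER set in the image or at run time")
    return findings


def audit(inspect_json):
    """Map container name -> findings for a whole `docker inspect` document."""
    return {e["Name"].lstrip("/"): audit_container(e) for e in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else "\n  - " + "\n  - ".join(findings))
```

On a real host, feed it `docker inspect $(docker ps -q)`; the `app` container passes because it drops all capabilities before adding one and runs as a named user.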
  7. Docker security: host configuration
     - Risk: unsecured, unhardened host OS
     - Best practices: Docker hardening standard, Docker Bench Security
  8. Docker Content Trust
     - Pulling and running containers from public registries: docker pull debian
     - Scan container images to detect and prevent containers with known vulnerabilities or malicious packages
     - Sign container images: Docker Content Trust guarantees the integrity of the publisher and the integrity of the contents of a container image
       export DOCKER_CONTENT_TRUST=1
  9. Tools
     - Docker Bench Security
     - Lynis
     - Dagda
     - CoreOS Clair
     - Sonatype's Nexus Lifecycle
     - Tenable
     - Anchore
     - Twistlock
     - Aqua Security
  10. Conclusions
     - Know the components in the application's CI/CD flow: infrastructure, libraries, CI/CD.
     - Protect both the application and the container pipeline.
     - Use security tools, many of them open source.
  11. References
     - Application Container Security Guide - NIST
     - Docker Security
     - CIS Docker 1.13.0 Benchmark
     - Testing Docker Images Security: Jose Manuel Ortega
     - Google Security Containers
     - Isolate containers with a user namespace
     - Understanding and securing Linux namespaces