Introdução em Segurança de Containers

Transcript

1. Introdução em Segurança de Containers Carol Valencia Devops Engineer

2. Tópicos - Containers - Principais riscos em containers - Boas

   práticas em Segurança com containers - Ferramentas

3. Containers

4. NIST Special Publication 800-190 Virtualização Containers

5. https://d3oypxn00j2a10.cloudfront.net/assets/img/Docker%20Security/WP_Intro_to_container_security_03.20.2015.pdf Container - Linux kernel namespaces - Linux control groups

   (cgroups) - Docker daemon: dockerd - Linux capabilities (libcap) - Linux security mechanism: AppArmor or SELinux

6. Docker arquitetura: Client/server https://nickjanetakis.com/blog/understanding-how-the-docker-daemon-and-docker-cli-work-together

7. https://www.slideshare.net/jmoc25/testing-docker-images-security-ncn-edition Usuários conectam Docker host

8. NIST Special Publication 800-190 Ciclo de Arquitetura com Containers

9. Principais Riscos em Containers

10. Riscos • Risco em containers ◦ Vulnerabilidades dentro do runtime

    do software. ◦ Sem limites no acesso de rede desde o container. • Risco em imagens ◦ Vulnerabilidades de imagem ◦ Defeitos na configuração da imagem ◦ Embedded malware ◦ Embedded secrets ◦ Uso de imagens não confiáveis

11. Boas Práticas em Segurança com Containers

12. Docker daemon API API listen on /var/run/docker.sock Don’t mount the

    docker socket docker container run -d -p 9000:9000 -v /var/run/docker.sock:/var /run/docker.sock portainer/portainer

13. https://d3oypxn00j2a10.cloudfront.net/assets/img/Docker%20Security/WP_Intro_to_container_security_03.20.2015.pdf Restrição em Arquivos docker run -v $(pwd)/secrets:/secrets:ro debian touch

    /secrets/x xxxx

14. x Container Privileges: Capabilities Running privileged containers docker run -d

    --privileged ubuntu grant it only the specific capabilities that it needs docker run --cap-drop=ALL --cap-add=CAP_NET_ADMIN docker run -d --cap-add SYS_PTRACE ubuntu

15. https://d3oypxn00j2a10.cloudfront.net/assets/img/Docker%20Security/WP_Intro_to_container_security_03.20.2015.pdf Container: Restrição de Permissão Running containers as root users

    Run containers as non-root users RUN groupadd -r user && useradd -r -g user user USER user Disable setuid rights in Dockerfile: RUN find / -perm +6000 -type f -exec chmod a-s {} \; \ || true

16. Docker Security - Host configuration. Unsecured, unhardened host OS best

    practices - Docker hardening standard Docker bench security

17. Docker Content Trust Pulling and running containers from public registries

    Scan container images to detect and prevent containers with known vulnerabilities or malicious packages docker pull debian Sign container images - Docker Content Trust guarantees the integrity of the publisher and the integrity of the contents of a container image export DOCKER_CONTENT_TRUST=1

18. Scan container images to detect and prevent containers with known

    vulnerabilities or malicious packages

19. Ferramentas

20. Docker Bench Security

21. Lynis

22. Ferramentas - Docker Bench Security - Lynis - Dagda -

    CoreOS Clair - Sonatype’s Nexus Lifecycle - Tenable - Anchore - Twistlock - Aqua Security

23. Conclusões • Conhecer os componentes no fluxo do CI/CD da

    aplicação: infraestrutura, libs, CI/CD. • Proteção da aplicação e do pipeline de containers. • Usar ferramentas de segurança, muitas delas open source.

24. Referências • Application Container Security Guide - NIST • Docker

    Security • CIS Docker 1.13.0 Benchmark • Testing Docker Images Security: Jose Manuel Ortega • Google Security Containers • Isolate containers with a user namespace • Understanding-and-securing-linux-namespaces

25. Carol Valencia linkedin.com/in/carolgv github.com/krol3 email: [email protected]