docker security: are your containers tightly secured to the ship?
Docker Amsterdam Meetup - January 2015
Docker Security
Are Your Containers Tightly Secured To The Ship?
Michael Boelen, CISOfy
whoami
Michael Boelen
◼ Founder of CISOfy
◼ Open Source developer: Rootkit Hunter and Lynis
◼ Passion for Linux security / auditing
◼ Blogging about it: Linux-Audit.com
Docker and Me
My Reasons
Understanding: New technology
Development: Docker security scan (Lynis plugin)
Using it: Server deployments
Docker and Security
The Research...
Limited resources
Outdated articles
Security not important?
Proposal: Let's fix these issues
Docker and Security
Proposal
Tooling: simplify Linux security
Articles about Docker security
Provide input to projects
Presentations
→ Lynis
→ Blog post
→ You!
→ In progress
Goal
What
Stabilize the vessel
Secure the containers
Goal
Photo credits: imagebase.net
How
Benefits
Risks
Defenses
Best Practices
Goal
Why?
Goal
Data!
Docker + Software = Data Sharing
And... Protect it
Warning
From this point, there might be lies...
Security Benefits of Docker
Security Benefits
Segregation
◼ The „Holy Grail“ of security
◼ Smaller units means more control
Security Benefits
Granular control
◼ Limit users, access and data
◼ Easier to understand
◼ Easier to defend
Security Benefits
Information Disclosure
◼ Decreased data leakage
◼ Less resources available
Docker Risks
Docker Risks
Software security
◼ Bugs
◼ Security vulnerabilities
◼ Regular updates needed
◼ Backdoors? Auditing?
Docker Risks
Knowledge gap
◼ IT auditor
◼ Your colleagues
◼ You...?
Docker Risks
Does Not Contain
◼ No full isolation (yet)
◼ Handle containers as a host
◼ Know strengths and weaknesses
Docker Defenses
Docker Defenses
Docker Website
◼ HTTPS
◼ Digital signatures
◼ Images verified after downloading
Docker Defenses
Docker Containers
◼ Namespaces and cgroups
◼ Seccomp
◼ Capabilities
◼ Frameworks
Copyright Docker, Inc
Docker Defenses
Namespaces
◼ Isolates parts of the OS
◼ PID namespaces
◼ Network namespaces
◼ User namespaces → Not really!
Docker Defenses
Namespaces (cont.)
◼ IPC namespaces (process communication)
◼ UTS namespaces (hostname/NIS)
◼ Mount namespaces
Docker Defenses
Seccomp
◼ Secure computing mode
◼ Filters syscalls with BPF
◼ Isolation, not virtualization
◼ Used in Chrome, OpenSSH, vsftpd, LXD and Mbox
Docker Defenses
Seccomp
◼ Default list of blocked calls
◼ kexec_load
◼ open_by_handle_at
◼ init_module
◼ finit_module
◼ delete_module
Docker Defenses
Control Groups (cgroups)
◼ Restrict resources
◼ Prioritize
◼ Accounting
◼ Control
Docker Defenses
Capabilities
◼ = Root user, split into roles
◼ Default list of allowed capabilities
◼ --cap-add / --cap-drop
◼ Combine (e.g. add all, drop a few)
Docker Defenses
| Capability | Functionality |
|---|---|
| CAP_AUDIT_WRITE | Audit log write access |
| CAP_AUDIT_CONTROL | Configure Linux Audit subsystem |
| CAP_MAC_OVERRIDE | Override kernel MAC policy |
| CAP_MAC_ADMIN | Configure kernel MAC policy |
| CAP_NET_ADMIN | Configure networking |
| CAP_SETPCAP | Process capabilities |
| CAP_SYS_MODULE | Insert and remove kernel modules |
| CAP_SYS_NICE | Priority of processes |
| CAP_SYS_PACCT | Process accounting |
| CAP_SYS_RAWIO | Modify kernel memory |
| CAP_SYS_RESOURCE | Resource limits |
| CAP_SYS_TIME | System clock alteration |
| CAP_SYS_TTY_CONFIG | Configure tty devices |
| CAP_SYSLOG | Kernel syslogging (printk) |
| CAP_SYS_ADMIN | All others |
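To verify what --cap-drop and --cap-add actually left a container with, here is an added example (not from the slides) that decodes the CapEff/CapBnd masks in /proc/<pid>/status into the names from the table; the status excerpts are constructed, and the bit numbers are the kernel's values from linux/capability.h.

```python
# Added example (not from the slides): decode the capability sets of a process
# from /proc/<pid>/status, so you can check what --cap-drop / --cap-add left
# behind. Bit numbers are the kernel's values from linux/capability.h; only the
# capabilities the slide lists are named, other set bits are counted as "unnamed".
import re

CAP_BITS = {
    "CAP_SETPCAP": 8, "CAP_NET_ADMIN": 12, "CAP_SYS_MODULE": 16,
    "CAP_SYS_RAWIO": 17, "CAP_SYS_PACCT": 20, "CAP_SYS_ADMIN": 21,
    "CAP_SYS_NICE": 23, "CAP_SYS_RESOURCE": 24, "CAP_SYS_TIME": 25,
    "CAP_SYS_TTY_CONFIG": 26, "CAP_AUDIT_WRITE": 29, "CAP_AUDIT_CONTROL": 30,
    "CAP_MAC_OVERRIDE": 32, "CAP_MAC_ADMIN": 33, "CAP_SYSLOG": 34,
}
# Capabilities worth alerting on when they survive in a container's bounding set.
WATCH = ("CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_RAWIO",
         "CAP_NET_ADMIN", "CAP_MAC_ADMIN", "CAP_MAC_OVERRIDE")

def parse_cap_sets(status_text):
    """Return {'CapInh': int, 'CapPrm': int, 'CapEff': int, 'CapBnd': int, ...} from status text."""
    sets = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            sets[m.group(1)] = int(m.group(2), 16)
    return sets

def decode_mask(mask):
    """Names from CAP_BITS present in the mask, plus how many set bits the table does not name."""
    named = sorted(name for name, bit in CAP_BITS.items() if mask >> bit & 1)
    return named, bin(mask).count("1") - len(named)

def dangerous_caps(status_text):
    """Watched capabilities still in the bounding set (CapBnd); once dropped there they cannot return."""
    bnd = parse_cap_sets(status_text).get("CapBnd", 0)
    return [c for c in WATCH if bnd >> CAP_BITS[c] & 1]

# Constructed /proc/1/status excerpts: a container with a 14-capability default
# set, and one run with --privileged (every capability bit set).
DEFAULT_STATUS = "Name:\tnginx\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"
PRIVILEGED_STATUS = "Name:\tnginx\nCapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\n"

if __name__ == "__main__":
    with open("/proc/self/status") as f:
        sets = parse_cap_sets(f.read())
    print("bounding set:", decode_mask(sets.get("CapBnd", 0)))
    print("watched caps present:", dangerous_caps(DEFAULT_STATUS), dangerous_caps(PRIVILEGED_STATUS))
```

Run it against `cat /proc/1/status` taken from inside the container to compare the real sets with what you intended to grant.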
Docker Defenses
AppArmor / SELinux
◼ MAC frameworks
◼ Help with containment
◼ Learning them now will pay off later
Docker Defenses
Audit subsystem
◼ Developed by Red Hat
◼ Files / system calls
◼ Monitors the (system | file) integrity
Docker Defenses
Audit (example)
# Time related calls
-a always,exit -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -S clock_settime -k time-change
# Hostname and domain
-a always,exit -S sethostname -S setdomainname -k system-locale
# Password files
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k identity
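As an added example that is not part of the slides, detection logic over constructed auditd records for the keys these rules set (time-change, system-locale, identity): SYSCALL and PATH records sharing an event id are joined, so each hit shows who did it, with which program, and to which file.

```python
# Added example (not from the slides): correlate raw auditd records by event id
# and report the events tagged with the rule keys above. The SYSCALL record
# carries actor and key, the PATH record(s) carry the file names; auid is the
# login user and survives sudo. The log lines below are constructed.
import re

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
KEYS = ("time-change", "system-locale", "identity")

def parse_fields(body):
    """Turn 'uid=0 comm="vi" key="identity"' into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}

def correlate(lines):
    """Group records sharing an audit event id into one event dict per id."""
    events = {}
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # not an audit record, or a layout this parser does not know
        rtype, ts, eid, body = m.groups()
        ev = events.setdefault(int(eid), {"time": float(ts), "paths": []})
        fields = parse_fields(body)
        if rtype == "SYSCALL":
            for k in ("key", "auid", "uid", "comm", "exe", "success", "syscall"):
                ev[k] = fields.get(k)
        elif rtype == "PATH" and "name" in fields:
            ev["paths"].append(fields["name"])
    return events

def keyed_events(lines, keys=KEYS):
    """Events carrying one of the rule keys, in event-id order (failed attempts included)."""
    return [ev for eid, ev in sorted(correlate(lines).items()) if ev.get("key") in keys]

SAMPLE_LOG = """\
type=SYSCALL msg=audit(1421417300.101:201): arch=c000003e syscall=2 success=yes exit=3 uid=0 auid=1000 comm="vi" exe="/usr/bin/vi" key="identity"
type=CWD msg=audit(1421417300.101:201): cwd="/root"
type=PATH msg=audit(1421417300.101:201): item=0 name="/etc/shadow" inode=131089 mode=0100640
type=SYSCALL msg=audit(1421417305.500:202): arch=c000003e syscall=164 success=yes exit=0 uid=0 auid=1000 comm="date" exe="/bin/date" key="time-change"
type=SYSCALL msg=audit(1421417310.777:203): arch=c000003e syscall=170 success=no exit=-1 uid=1000 auid=1000 comm="hostname" exe="/bin/hostname" key="system-locale"
type=USER_LOGIN msg=audit(1421417320.000:204): pid=900 uid=0 auid=1000 res=success
"""

if __name__ == "__main__":
    for ev in keyed_events(SAMPLE_LOG.splitlines()):
        print(ev["key"], "auid", ev["auid"], ev["comm"], ev["paths"], "success", ev["success"])
```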
Best Practices
Best Practices
Harden your Host
◼ Security = Defense in Depth
◼ Use AppArmor / SELinux / GRSEC
◼ Limit users / services / network
Best Practices
Harden your Host (cont.)
◼ Update your kernel on a regular basis
◼ Stay up-to-date with Docker
◼ Limit Docker permissions
Best Practices
Harden your Containers
◼ Use AppArmor / SELinux
◼ Drop capabilities (man capabilities)
◼ Filter syscalls (seccomp)
◼ Network filtering (iptables)
Best Practices
Docker News
◼ Stay informed
◼ Follow the Docker blog
◼ Keep an eye on Docker/LXC news
Best Practices
Docker Management
◼ Encrypt connections
◼ Configure and use TLS
◼ Set the DOCKER_HOST and DOCKER_TLS_VERIFY variables
Best Practices
SSH in containers
◼ Don't use this.
◼ Use “docker exec -it mycontainer bash” instead
Best Practices
Read-Only
◼ Mounts
◼ Data
◼ Configuration
Best Practices
User Mappings*
◼ Map users to non-privileged
◼ /etc/subuid
◼ /etc/subgid
* when available
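Serving both the namespaces slides earlier and this user-mapping slide, an added example (not the presenter's code): it compares a process's /proc/<pid>/ns links with PID 1's to list the namespaces it still shares with the host, and reads its uid_map to tell whether root inside the container is root on the host. The link targets and uid_map samples are constructed.

```python
# Added example (not from the slides): what does a container process still share
# with the host? The /proc/<pid>/ns/* links identify namespaces (same inode means
# same namespace), and /proc/<pid>/uid_map shows whether UID 0 inside is remapped
# to an unprivileged host UID (a subuid range) or is still the real root.
import os

NS_NAMES = ("pid", "net", "ipc", "uts", "mnt", "user")

def read_ns_links(pid):
    """Namespace name -> link target such as 'pid:[4026531836]' for a live process."""
    links = {}
    for name in NS_NAMES:
        try:
            links[name] = os.readlink(f"/proc/{pid}/ns/{name}")
        except OSError:  # kernel without that namespace, or no permission to look
            pass
    return links

def shared_namespaces(links_a, links_b):
    """Namespaces both processes live in; sharing pid or net with PID 1 means no isolation there."""
    return sorted(n for n in links_a if links_b.get(n) == links_a[n])

def parse_uid_map(text):
    """uid_map lines read 'inside outside count'; return a list of (inside, outside, count)."""
    return [tuple(int(x) for x in line.split()) for line in text.splitlines() if line.strip()]

def host_uid(uid_map, inside_uid):
    """Translate a UID seen inside the container to the host UID, or None if it is unmapped."""
    for inside, outside, count in uid_map:
        if inside <= inside_uid < inside + count:
            return outside + (inside_uid - inside)
    return None

def root_is_host_root(uid_map_text):
    """True when UID 0 in the container is UID 0 on the host, i.e. no user namespace remap."""
    return host_uid(parse_uid_map(uid_map_text), 0) == 0

# Constructed samples: the identity map (no remapping) and a map taken from a
# subuid line such as "user:100000:65536"; ns links as readlink() returns them.
NO_REMAP = "         0          0 4294967295\n"
REMAPPED = "         0     100000      65536\n"
HOST_LINKS = {"pid": "pid:[4026531836]", "net": "net:[4026531957]", "mnt": "mnt:[4026531840]"}
CTR_LINKS = {"pid": "pid:[4026532201]", "net": "net:[4026531957]", "mnt": "mnt:[4026532205]"}

if __name__ == "__main__":
    me = os.getpid()
    print("shared with PID 1:", shared_namespaces(read_ns_links(me), read_ns_links(1)))
    with open(f"/proc/{me}/uid_map") as f:
        print("root is host root:", root_is_host_root(f.read()))
```

The constructed container links share only the network namespace with the host, which is what a container started with the host's network looks like.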
Best Practices
Don't Trust
◼ Verify downloads
◼ Be careful with images from others
◼ Measure / monitor
Next Step..
Check out Linux-Audit.com
Scan your systems → Lynis
Connect with me:
E-mail: [email protected]
@mboelen
Google+: +MichaelBoelen
Web: https://cisofy.com
Blog: http://linux-audit.com
Feedback / Questions?