how secure is your docker container pipeline?
TRANSCRIPT
How secure is your container pipeline?
Manideep Konakandla
www.manideepk.com (@manideep_k1)
Feb 22, 2017
2
Who am I? Hmm, yeah - Shameless Bragging
• J.N Tata Scholar, ISC2 Scholar, RSA Conference Security Scholar etc.
• Masters Student (Graduating in May’17) + Security Researcher at CMU
• Authored a book on Info Sec & Ethical Hacking at the age of 21
• Featured in INDIA’s largest news papers and news channels
• 10 certifications + Trained 15,000+ people in Information Security
• Ex “Team Lead – Core Security & Data Analytics” at TCS
• Interest areas : Container Security, Application Security, System Security etc.
More details about me on www.manideepk.com
3
What am I up to with Containers?
• Co-author, Contributor for CIS Docker 1.12 & 1.13 benchmarks
• Extensive research at Carnegie Mellon (CMU)
• Presented findings at OWASP AppsecUSA, Bsides SF, RSA (Poster), Grehack etc.
• Cloud Security Research Intern @Adobe last Summer
4
Security skills can be taught
but
Security mindset comes only with passion
5
Before we start
6
What are we doing for next 40 mins?
A.B.C.D…. • Containers in 45 seconds
• Container Pipeline, Risk Areas and our Scope
Security
• Images
• Runtime
• Other components
• Enterprise zone
Misc.
Wrap up
7
What are we doing for next 40 mins?
A.B.C.D…. • Containers in 45 seconds
• Container Pipeline, Risk Areas and our Scope
Security
• Images
• Runtime
• Other components
• Enterprise zone
Misc.
Wrap up
8
Quick “60 second” Intro
Containers?
Lightweight
Application centric
No more - “it works on my machine” Micro-services
Namespaces : Isolation (PID, User, Network, IPC,
Mount, UTS)
Cgroups : Isolates, limits and accounts resource
usage (CPU, memory etc.)
BUZZ……….! Are containers
brand new?
Img Ref: www.docker.com
Containers in 45 seconds
9
Client <=> daemon
communication
Communication with public/private registry
Registry’s security
Host security Daemon security
Containers Images
Container Pipeline, Risk Areas and our Scope
Ref: Modified version of image on www.docker.com
10
What’s next?
A.B.C.D…. • Containers in 45 seconds
• Container Pipeline, Risk Areas and our Scope
Security
• Images
• Runtime
• Other components
• Enterprise zone
Misc.
Wrap up
11
Client <=> daemon
communication
Communication with public/private registry
Registry’s security
Host security Daemon security
Containers Images
Container Pipeline, Risk Areas and our Scope
Ref: Modified version of image on www.docker.com
12
Life cycle of an “Image”
Build Spin
Dockerfile Image Container
Maintaining images
13
Security in “Dockerfile” - Golden Rules
• Do not write secrets in Dockerfile (Info Disclosure - Twitter’s Vine). Use secret management solutions
• Create a USER or else container will run as a root (Privilege escalation)
• Follow version pinning for images, packages (no ‘latest’) etc. (Caching Issue)
• Remove unnecessary setuid, setgid permissions (Privilege escalation)
• Download packages securely using GPG (MITM) and also do not download
unnecessary packages (Increased attack surface)
• Do not write any kind of update instructions alone in the Dockerfile (Caching)
• Use COPY instead of ADD (Increased attack surface)
• Use HEALTHCHECK command (Best practice)
• Use gosu instead of sudo wherever possible
• Try to restrict a image (/container) to one service
14
Building Images
15
Maintaining/ Consuming Images - Golden Rules
• Docker Content Trust
- Provides authenticity, integrity and freshness guarantees
- Takes some time to understand & prepare your own setup (worth it!)
• Vulnerability–free Images
- Tool selection : binary level analysis + hash based
• Except compatibility issues, all images and packages must be up-to-date
16
Client <=> daemon
communication
Communication with public/private registry
Registry’s security
Host security Daemon security
Containers Images
Container Pipeline, Risk Areas and our Scope
Ref: Modified version of image on www.docker.com
17
Container Runtime - Golden Rules
• Do not disable/misconfigure seccomp, apparmor/selinux, capabilities
• Change the default memory limits, CPU shares (else DOS)
• Do not use default docker0 bridge (ARP spoofing, MITM etc.)
• Enable PIDs cgroup per container (fork bomb)
• Do not use privileged containers and try to set no new privileges flag (priv. issues)
• Beware of non namespaced components : kernel keyring etc. (Container breakout)
• Bind incoming traffic to any specific interface (Info disclosure etc.)
• Do not share host’s namespaces to containers (Info disclosure etc.)
• Mounts (Violation of least privilege)
• Ensure Docker commands get latest images (Caching issue)
18
Client <=> daemon
communication
Communication with public/private registry
Registry’s security
Host security Daemon security
Containers Images
Container Pipeline, Risk Areas and our Scope
Ref: Modified version of image on www.docker.com
19
Other components - Golden Rules
• Daemon Security
- Fix dangerous defaults such as allowing communication between containers
- Enable/use/implement much needed security controls (user namespaces,
ulimits, authorization plugins, restricting daemon access)
• Communication Security
• Registry’s Security (Did not explore specifically)
• Host Security
- Maintain latest Linux kernel (PIDs cgroup only in > 4.3) and Docker version
- Apply kernel hardening policies (GRSecurity, PaX etc.)
- Harden the host as per CIS / SANS / your custom hardening guidelines
20
Enterprise zone (Personal users ALLOWED!)
• Images
- Say “no” to Docker Hub (definitely not general images) - Maintain your own in-house registries (What security controls?)
- Base image selection and also using image optimization techniques
• Runtime
- Customize seccomp, apparmor/selinux etc. profiles
• Misc.
- Create container specific standards and guidelines
- Use commercial tools (useful features like Image Lockdown, RBAC, profiling,
monitoring, anomaly detection, secret management etc.)
- Customize CIS Docker benchmarks as per your requirements and adhere to it
- Use file monitoring solutions
- Container specific SIEM rules
- Group containers on VM’s (categories?) - Your general security controls
21
Client <=> daemon
communication
Communication with public/private registry
Registry’s security
Host security Daemon security
Containers Images
Container Pipeline, Risk Areas and our Scope
Ref: Modified version of image on www.docker.com
22
A.B.C.D…. • Containers in 45 seconds
• Container Pipeline, Risk Areas and our Scope
Security
• Images
• Runtime
• Other components
• Enterprise zone
Misc.
Wrap up
What’s next?
23
Misc.
• Tool recommendations (Meet me!)
- Images
- Network level
- Container Ecosystem
• Hardware isolation to containers (Clear containers – are they really containers?)
• Future expectation of containers (My 2¢)
• Virtual machines security to containers (view of kernel)
24
What’s next?
A.B.C.D…. • Containers in 45 seconds
• Container Pipeline, Risk Areas and our Scope
Security
• Images
• Runtime
• Other components
• Enterprise zone
Misc.
Wrap up
25
So, what did you learn today?
26
It’s not good to keep questions in your mind
Throw them out and I am here to catch
27
References
1. CIS Docker Benchmarks - 1.12 and 1.13
2. https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/2016/april/ncc_group_understanding_hardening_linux_containers-1-1pdf
3. www.oreilly.com/webops-perf/free/files/docker-security.pdf
4. http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf
5. http://www.slideshare.net/Docker/docker-security-workshop-slides
6. http://www.slideshare.net/Docker/securing-the-container-pipeline-at-salesforce-by-cem-gurkok-63493231
7. https://docs.docker.com/engine/security/
8. http://www.slideshare.net/Docker/docker-security-deep-dive-by-ying-li-and-david-lawrence
28 TCS Confidential
That’s it…!
You can collect my V-Card
Reach me on www.manideepk.com for any questions