How to Secure Containers

Posted 16-Apr-2017

Page 1: How to Secure Containers

Sysdig Falco. Mark Stemm, Falco Engineer

Page 2: How to Secure Containers

Information presented is confidential

Home Security Analogy

• Home Security Prevents Intrusion
  • Door locks
  • Window sensors
  • Bars on ground floor windows
  • Exterior cameras

• …And Detects Intrusion
  • Motion sensors

Page 3: How to Secure Containers

Computer System Security

• Prevents Intrusion
  • Passwords
  • Two-factor authentication
  • Fixing software vulnerabilities
  • Firewalls

• Detects Intrusion
  • Sysdig Falco!

• Both methods essential for full protection

Page 4: How to Secure Containers

What is Sysdig Falco

• A behavioral activity monitor
  • Detects suspicious activity defined by a set of rules
  • Uses sysdig’s flexible and powerful filtering expressions

• With full support for containers
  • Utilizes sysdig’s container support

• And flexible notification methods
  • Alert to files, standard output, syslog, programs

• Open Source
  • Anyone can contribute rules or improvements

Page 5: How to Secure Containers

Quick Examples

A shell is run in a container
  container.id != host and proc.name = bash

Overwrite system binaries
  fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) and write

Container namespace change
  evt.type = setns and not proc.name in (docker, sysdig)

Non-device files written in /dev
  (evt.type = creat or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null

Process tries to access camera
  evt.type = open and fd.name = /dev/video0 and not proc.name in (skype, webex)

Page 6: How to Secure Containers

Falco Architecture

(Architecture diagram; only its labels survive, listed here in flow order.)

Kernel space: Syscalls -> sysdig_probe kernel module
User space: Sysdig Libraries -> Events -> Filter Expression (built from the Falco Rules) -> Suspicious Events -> Alerting
Alerting outputs: File, Syslog, Stdout, Shell

Page 7: How to Secure Containers

Falco Rules

• .yaml file containing Macros, Lists, and Rules
• Example:

  - macro: bin_dir
    condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)

  - list: shell_binaries
    items: [bash, csh, ksh, sh, tcsh, zsh, dash]

  - rule: write_binary_dir
    desc: an attempt to write to any file below a set of binary directories
    condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs
    output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)"
    priority: WARNING

Page 8: How to Secure Containers

Falco Rules

• Macros
  • name: text to use in later rules
  • condition: filter expression snippet

• Lists
  • name: text to use later
  • items: list of items

• Rules
  • name: used to identify rule
  • desc: description of rule
  • condition: filter expression, can contain macro references
  • output: message to emit when rule triggers, can contain formatted info from event
  • priority: severity of rule (WARNING, INFO, etc.)

Page 9: How to Secure Containers

Falco Rules

• Filtering Expressions
  • Use the same format as sysdig
  • Full container/k8s/mesos/etc. support

• Falco rules are combined into one giant filtering expression, joined by ORs

• Each rule must contain at least one evt.type expression
  • i.e. evt.type=open and …
  • Allows for very fast filtering of events

Page 10: How to Secure Containers

Alerts And Outputs

• Events that match the filter expression result in alerts

• The rule’s output field is used to format the event into an alert message

• The Falco configuration controls where the alert message is sent

• Any combination of
  • Syslog
  • File
  • Standard Output
  • Shell (e.g. mail -s "Falco Notification" [email protected])
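The quick examples on page 5 and the macros, lists, rules, evt.type requirement and %field outputs of pages 7 to 10 can be exercised end to end with a small rule engine. What follows is an added example, not Falco's code: it parses a subset of the sysdig filter syntax (=, !=, in, contains, and/or/not, parentheses, macro and list references), rejects any rule that never tests evt.type, and formats matching events into alert messages. The bodies of the open_write and package_mgmt_procs macros, the event field values and the <NA> fill for fields an event lacks are assumptions; real Falco evaluates events captured by the kernel module, not hand-built dictionaries.

```python
# Toy Falco-style rule engine (added example, not Falco's own code): macros, lists,
# rules, the required evt.type clause and %field outputs, evaluated over constructed
# events. Assumed: the open_write and package_mgmt_procs macro bodies, <NA> for missing fields.
import re

TOKEN_RE = re.compile(r"\(|\)|,|!=|=|[^\s(),=!]+")
MACROS = {
    "bin_dir": "fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)",
    "open_write": "evt.type = open and evt.arg.flags contains O_WRONLY",
    "package_mgmt_procs": "proc.name in (apt, apt-get, yum, dpkg, rpm)",
}
LISTS = {"shell_binaries": ["bash", "csh", "ksh", "sh", "tcsh", "zsh", "dash"]}
RULES = [
    {"rule": "write_binary_dir", "priority": "WARNING", "condition": "bin_dir and evt.dir = < and open_write and not package_mgmt_procs",
     "output": "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)"},
    {"rule": "shell_in_container", "priority": "WARNING", "condition": "evt.type = execve and container.id != host and proc.name in (shell_binaries)",
     "output": "Shell spawned in container (id=%container.id shell=%proc.name)"},
]
# Constructed events: a shell overwriting /usr/bin/ls, the same write by apt-get, bash inside a container.
EVENTS = [
    {"evt.type": "open", "evt.dir": "<", "evt.arg.flags": "O_WRONLY|O_CREAT", "fd.directory": "/usr/bin", "fd.name": "/usr/bin/ls",
     "proc.name": "sh", "proc.cmdline": "sh -c cp ./ls /usr/bin/ls", "user.name": "root", "container.id": "host"},
    {"evt.type": "open", "evt.dir": "<", "evt.arg.flags": "O_WRONLY|O_CREAT", "fd.directory": "/usr/bin", "fd.name": "/usr/bin/curl",
     "proc.name": "apt-get", "proc.cmdline": "apt-get install curl", "user.name": "root", "container.id": "host"},
    {"evt.type": "execve", "evt.dir": "<", "proc.name": "bash", "proc.cmdline": "bash", "user.name": "root", "container.id": "3f1a2b9c0d4e"},
]

class Parser:  # recursive descent over a subset of the sysdig/Falco filter syntax
    def __init__(self, text):
        self.toks, self.pos = TOKEN_RE.findall(text), 0
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def take(self, expected=None):
        tok, self.pos = self.peek(), self.pos + 1
        if expected is not None and tok != expected:
            raise SyntaxError(f"expected {expected!r}, got {tok!r}")
        return tok
    def parse(self):  # the whole text must be consumed
        node = self.expr()
        if self.peek() is not None:
            raise SyntaxError(f"trailing token {self.peek()!r}")
        return node
    def expr(self):  # expr := term ('or' term)*   term := factor ('and' factor)*
        return self.binop("or", lambda: self.binop("and", self.factor))
    def binop(self, op, sub):
        node = sub()
        while self.peek() == op:
            self.take()
            node = (op, node, sub())
        return node
    def factor(self):  # 'not' factor | '(' expr ')' | macro | field op value
        tok = self.take()
        if tok == "not":
            return ("not", self.factor())
        if tok == "(":
            node = self.expr()
            self.take(")")
            return node
        if tok in MACROS:  # macro reference: its condition is spliced in here
            return Parser(MACROS[tok]).parse()
        op = self.take()
        if op not in ("=", "!=", "in", "contains"):
            raise SyntaxError(f"unknown operator {op!r} after {tok!r}")
        return (op, tok, self.items() if op == "in" else self.take())
    def items(self):  # '(' item, ... ')'; a list name among the items expands
        self.take("(")
        raw = []
        while self.peek() not in (")", None):
            raw.append(self.take())
        self.take(")")
        return [x for item in raw if item != "," for x in LISTS.get(item, [item])]

def evaluate(node, ev):
    kind = node[0]
    if kind == "not":
        return not evaluate(node[1], ev)
    if kind in ("and", "or"):
        left, right = evaluate(node[1], ev), evaluate(node[2], ev)
        return (left and right) if kind == "and" else (left or right)
    actual, value = ev.get(node[1]), node[2]
    if actual is None:  # assumption: a field the event lacks never matches
        return False
    return {"=": actual == value, "!=": actual != value, "in": actual in value,
            "contains": isinstance(value, str) and value in actual}[kind]

def mentions_evt_type(node):  # page 9: every rule must test evt.type somewhere
    kids = [n for n in node[1:] if isinstance(n, tuple)]
    return any(map(mentions_evt_type, kids)) if kids else node[1] == "evt.type"

def format_output(template, ev):  # page 10: %field placeholders filled from the event
    return re.sub(r"%([\w.]+)", lambda m: ev.get(m.group(1), "<NA>"), template)

def run(rules, events):  # compile, enforce the evt.type requirement, then emit alerts
    compiled = [(r, Parser(r["condition"]).parse()) for r in rules]
    for r, tree in compiled:
        if not mentions_evt_type(tree):
            raise ValueError(f"rule {r['rule']} has no evt.type clause")
    return [(r["priority"], r["rule"], format_output(r["output"], ev))
            for ev in events for r, tree in compiled if evaluate(tree, ev)]
```

run(RULES, EVENTS) returns two alerts, the shell writing /usr/bin/ls and bash starting inside a container; the apt-get write is excluded by `not package_mgmt_procs`. Wrapping the two conditions as `(cond1) or (cond2)` parses and evaluates the same way, which is the page 9 OR-joined expression, and a rule whose condition never mentions evt.type is rejected at load time.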

Page 11: How to Secure Containers

Installing Falco

• Debian Package
  • apt-get -y install falco

• Redhat Package
  • yum -y install falco

• Installation Script
  • curl -s https://s3.amazonaws.com/download.draios.com/stable/install-falco | sudo bash
  • More on making this safe in the demo!

• Docker container
  • docker pull sysdig/falco

• Full instructions: https://github.com/draios/falco/wiki/How-to-Install-Falco-for-Linux
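The deck notes that piping the installation script into sudo bash needs care. One way to make that step safer, as an added example that is not from the deck or the Falco project: download the script to a file, compare its SHA-256 with a digest obtained out of band, and hand it to bash only when the two match. EXPECTED_SHA256 is a placeholder, since the deck publishes no checksum; the URL is the one on the slide.

```python
# Added example, not from the deck or the Falco project: instead of piping the installer
# straight into bash, download it to a file, compare its SHA-256 with a digest obtained
# out of band, and only run it when they match. EXPECTED_SHA256 is a placeholder; the deck
# publishes no checksum.
import hashlib
import subprocess
import sys
import tempfile
import urllib.request

INSTALLER_URL = "https://s3.amazonaws.com/download.draios.com/stable/install-falco"
EXPECTED_SHA256 = "0" * 64  # placeholder: digest of the script after you have reviewed it


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_sha256(data: bytes, expected: str) -> bool:
    """True only if the downloaded bytes hash to the expected digest."""
    return sha256_of(data) == expected.lower()


def fetch(url: str) -> bytes:
    """Download to memory without executing anything."""
    with urllib.request.urlopen(url) as resp:
        return resp.read()


def install_falco(url: str = INSTALLER_URL, expected: str = EXPECTED_SHA256) -> int:
    """Download, verify, then hand the script to `sudo bash`; a mismatch aborts."""
    data = fetch(url)
    if not verify_sha256(data, expected):
        print(f"checksum mismatch for {url}: got {sha256_of(data)}", file=sys.stderr)
        return 1
    with tempfile.NamedTemporaryFile("wb", suffix=".sh", delete=False) as f:
        f.write(data)
    return subprocess.call(["sudo", "bash", f.name])


# Network and sudo are touched only when explicitly asked for on the command line.
if __name__ == "__main__" and sys.argv[1:] == ["install"]:
    sys.exit(install_falco())
```

Running the file with the argument `install` performs the download and check; importing it does nothing, so the verification helper can be tested offline against bytes constructed in the test.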

Page 12: How to Secure Containers

Running Falco

• As a service
  • $ service falco start
  • alerts to syslog

• By hand
  • $ sudo falco -r <rules file> -c <config file>
  • alerts to syslog, stdout

• Using docker
  docker run -i -t --name falco --privileged \
    -v /var/run/docker.sock:/host/var/run/docker.sock \
    -v /dev:/host/dev \
    -v /proc:/host/proc:ro \
    -v /boot:/host/boot:ro \
    -v /lib/modules:/host/lib/modules:ro \
    -v /usr:/host/usr:ro \
    sysdig/falco

• Full Instructions: https://github.com/draios/falco/wiki/Running-Falco

Page 13: How to Secure Containers

Demo

Page 14: How to Secure Containers

What we’re going to show you

• Falco installation using docker
• Overview of rules file
• Walkthrough of simple attacks
  • Writing to files below /bin
  • Running bash inside container
  • Synthetic event generator
• Exploiting a bad REST API
• Misbehaving Containers
• Receiving Falco Events in Sysdig Cloud!

Page 15: How to Secure Containers

Join The Community

• Website
  • http://www.sysdig.org/falco/

• Mailing List
  • https://groups.google.com/forum/#!forum/falco

• Public Slack
  • https://sysdig.slack.com/messages/falco/

• Blog
  • https://sysdig.com/blog/tag/falco/

Page 16: How to Secure Containers

Learn More

• Github
  • https://github.com/draios/falco
  • Pull Requests welcome!

• Wiki
  • https://github.com/draios/falco/wiki

• Docker Hub
  • https://hub.docker.com/r/sysdig/falco/

Page 17: How to Secure Containers

Thank You!