Everything you need to know about Containers Security
Track Containers - FOSDEM
José Manuel Ortega (@jmortegac)
Agenda
● Introduction to containers security
● Linux Containers (LXC)
● Docker Security
● Security pipeline && Container threats
● Tools for auditing container images
Virtualization vs containers
Security mechanisms
Namespaces
● Provides an isolated view of the system where processes cannot see other processes in other containers
● Each container also gets its own network stack.
● A container doesn’t get privileged access to the sockets or interfaces of another container.
Cgroups && capabilities
● Cgroups: kernel feature that limits and isolates the resource usage (CPU, memory, network) of a collection of processes.
● Linux Capabilities: divides the privileges of root into distinct units and smaller groups of privileges
Linux Containers (LXC)
LXC
● Lightweight virtual machines
● VMs without the hypervisor
● Kernel namespaces
● AppArmor and SELinux profiles
● Seccomp policies
● Kernel capabilities and Control groups
LXC: limit resources
Docker
Container pipeline
Docker images
Docker security
● Isolation via kernel namespaces
● Additional layer of security: AppArmor, SELinux, GRSEC
● Each container gets its own network stack
● Control groups for resources limiting
● Other interesting features…
Docker Content Trust
● We can verify the integrity of the image
● Checksum validation when pulling image from Docker Hub
● Pulling by digest to enforce consistent
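What "pulling by digest" and "checksum validation" come down to on the client side, as an added example that is not code from the talk or from Docker: a policy check that only accepts image references pinned to a `sha256:` digest, and a verification of pulled bytes against that digest. The image references, the layer bytes and the function names are constructed for this example.

```python
"""Pull-by-digest policy and content digest verification (added example).

Constructed example, not code from the talk or from Docker. Image references
and blob contents below are sample data made up for the demonstration.
"""
import hashlib
import hmac
import re

# A registry content digest is "<algorithm>:<hex>"; Docker uses sha256.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_reference(ref):
    """Split an image reference into (name, tag, digest).

    Forms handled: name, name:tag, name@sha256:..., name:tag@sha256:...
    A registry host with a port (host:5000/app) stays inside the name.
    """
    name, digest = (ref.split("@", 1) + [None])[:2]
    tag = None
    # The text after the last ":" is a tag only if it comes after the last "/"
    # (so "registry:5000/app" has no tag, but "registry:5000/app:1.0" does).
    last_colon = name.rfind(":")
    if last_colon > name.rfind("/"):
        name, tag = name[:last_colon], name[last_colon + 1:]
    return name, tag, digest


def check_pull_policy(ref):
    """Return (ok, reason): accept only references pinned to a valid digest.

    A tag such as :latest is mutable, so two pulls of the same tag can yield
    different content; a digest names exactly one manifest.
    """
    name, tag, digest = parse_reference(ref)
    if digest is None:
        return False, "%r is not pinned to a digest (tag %r is mutable)" % (ref, tag or "latest")
    if not DIGEST_RE.match(digest):
        return False, "%r carries a malformed digest" % ref
    return True, "%s pinned to %s" % (name, digest)


def verify_blob(data, expected_digest):
    """Recompute the sha256 content digest of pulled bytes (a layer or a
    manifest) and compare it with the expected digest in constant time."""
    actual = "sha256:" + hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_digest)


if __name__ == "__main__":
    # Constructed sample layer content; its digest is computed, not hard-coded.
    layer = b"constructed sample layer bytes"
    good = "sha256:" + hashlib.sha256(layer).hexdigest()
    print(check_pull_policy("nginx:latest"))
    print(check_pull_policy("registry.example.com:5000/app:1.0@" + good))
    print(verify_blob(layer, good), verify_blob(layer + b"x", good))
```

The policy check is the part worth wiring into a CI step: a reference that passes it can be pulled with `docker pull name@sha256:...`, and the digest recorded in the build log is the same value Docker Content Trust signs.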
Docker Capabilities
● A capability is a unix action a user can perform
● Goal is to restrict “capabilities”
● Privileged process = all the capabilities!
● Unprivileged process = check individual user capabilities
● Example Capabilities:
    ○ CAP_CHOWN
    ○ CAP_NET_RAW
Containers security is about limiting and controlling the attack surface on the kernel.
Least privilege principle
● Do not run processes in a container as root to avoid root access from attackers.
● Enable User-namespace
● Run filesystems as read-only so that attackers can not overwrite data or save malicious scripts to file.
● Cut down the kernel calls that a container can make to reduce the potential attack surface.
Read only containers & volumes
Seccomp
● Restricts system calls based on a policy
● Block/limit things like:
    ○ Kernel manipulation (init_module, finit_module, delete_module)
    ○ Executing mount options
    ○ Change permissions
    ○ Change owner and groups
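How a seccomp policy of the kind the slide describes is expressed for Docker, as an added example that is not code from the talk and not Docker's default profile: a small constructed profile in the JSON shape accepted by `--security-opt seccomp=<file>`, a function that reports which action the profile applies to a syscall, and a function that tightens the profile so the module-loading, mount, permission and ownership syscalls are denied. The profile, the syscall groupings and the function names are assumptions made for the example; per-argument and per-architecture rules, which the real format also supports, are ignored.

```python
"""Evaluate and tighten a Docker-style seccomp profile (added example).

Constructed example, not the talk's code and not Docker's default profile.
The sample profile is deliberately tiny; it only has the JSON shape Docker
accepts with --security-opt seccomp=<file>.
"""
import json

# Constructed sample profile: deny-by-default with a short allowlist, but
# with the kernel-module syscalls from the slide wrongly allowed as well.
SAMPLE_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "exit_group", "mount", "chmod", "chown"],
     "action": "SCMP_ACT_ALLOW"},
    {"names": ["init_module", "finit_module", "delete_module"],
     "action": "SCMP_ACT_ALLOW"}
  ]
}
""")

# The syscall classes the slide says a policy should block.
KERNEL_MODULE = ["init_module", "finit_module", "delete_module"]
MOUNT = ["mount", "umount2"]
PERMISSIONS = ["chmod", "fchmod", "fchmodat"]
OWNERSHIP = ["chown", "fchown", "lchown", "fchownat"]


def action_for(profile, syscall):
    """Action the profile applies to one syscall: the first rule naming it,
    otherwise defaultAction. (This example assumes first-match evaluation;
    deny() below removes conflicting rules so the order never matters.)"""
    for rule in profile.get("syscalls", []):
        if syscall in rule.get("names", []):
            return rule["action"]
    return profile["defaultAction"]


def is_blocked(profile, syscall):
    return action_for(profile, syscall) != "SCMP_ACT_ALLOW"


def allowed_from(profile, syscalls):
    """Which of the given syscalls the profile still lets through."""
    return [s for s in syscalls if not is_blocked(profile, s)]


def deny(profile, syscalls):
    """Return a copy of the profile in which every listed syscall is denied.

    The names are removed from every existing rule, so no allow rule can
    still match them, and one explicit SCMP_ACT_ERRNO rule is added first.
    """
    hardened = json.loads(json.dumps(profile))  # deep copy, original untouched
    drop = set(syscalls)
    rules = []
    for rule in hardened.get("syscalls", []):
        kept = [n for n in rule.get("names", []) if n not in drop]
        if kept:
            rule["names"] = kept
            rules.append(rule)
    rules.insert(0, {"names": sorted(drop), "action": "SCMP_ACT_ERRNO"})
    hardened["syscalls"] = rules
    return hardened


if __name__ == "__main__":
    wanted = KERNEL_MODULE + MOUNT + PERMISSIONS + OWNERSHIP
    print("still allowed:", allowed_from(SAMPLE_PROFILE, wanted))
    hardened = deny(SAMPLE_PROFILE, wanted)
    print("after hardening:", allowed_from(hardened, wanted))
    print(json.dumps(hardened, indent=2))
```

In practice the starting point is Docker's own default profile rather than the stub above; the useful habit is the same, namely checking with `allowed_from` that the syscalls you intend to block are not reachable through any allow rule before shipping the file.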
Docker bench security
● Auditing docker environment and containers
● Open-source tool for running automated tests
● Inspired by the CIS Docker 1.11 benchmark
● Runs against containers currently running on same host
● Checks for AppArmor, read-only volumes, etc.
● https://github.com/docker/docker-bench-security
Docker bench security
● The host configuration
● The Docker daemon configuration
● The Docker daemon configuration files
● Container images and build files
● Container runtime
● Docker security operations
Lynis
● https://github.com/CISOfy/lynis-docker
● Lynis is a Linux, Mac and Unix security auditing and system hardening tool that includes a module to audit Dockerfiles.
● lynis audit system
● lynis audit dockerfile <file>
Security Pipeline
CI/CD
Container threats
● Kernel Exploits (Dirty Cow exploit)
● Vulnerabilities like the glibc buffer overflow
● SQL injection attacks
● MongoDB and ElasticSearch ransomware attacks
Remember
● Don’t run containers as root
● Drop all capabilities and enable only needed
● Enable user namespaces
● Use seccomp to limit syscalls and avoid kernel exploits
● Keep the host kernel updated with the latest patches
● Mount volumes read-only
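The least-privilege slide, the capabilities slide and this checklist can be turned into an automated check over the JSON that `docker inspect <container>` prints. The following is an added example, not code from the talk, from docker-bench-security or from Lynis: it flags a root user, `--privileged`, capabilities beyond the daemon's default set, a missing `--cap-drop ALL`, a writable root filesystem, `seccomp=unconfined`, `--userns=host` and writable bind mounts. The two inspect records are constructed and trimmed to the fields used; `DEFAULT_CAPS` is assumed to match the capability set the Docker daemon grants by default, and the function names are made up for the example.

```python
"""Least-privilege audit of a `docker inspect` record (added example).

Constructed example, not code from the talk, docker-bench-security or Lynis.
Both inspect records below are constructed sample data.
"""
import json

# Assumed to match the capability set the Docker daemon grants by default.
DEFAULT_CAPS = {
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW",
    "SETGID", "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE",
    "SYS_CHROOT", "KILL", "AUDIT_WRITE",
}

# Constructed sample: a container started with the defaults plus
# --cap-add NET_ADMIN --security-opt seccomp=unconfined and a writable bind mount.
SAMPLE_INSPECT = json.loads("""
[{"Id": "constructed-container-id",
  "Config": {"User": ""},
  "HostConfig": {"Privileged": false, "CapAdd": ["NET_ADMIN"], "CapDrop": [],
                 "ReadonlyRootfs": false, "SecurityOpt": ["seccomp=unconfined"],
                 "UsernsMode": "",
                 "Binds": ["/var/log/app:/logs", "/etc/app:/config:ro"]}}]
""")

# Constructed sample: the same service started with
# --user 1000:1000 --cap-drop ALL --cap-add NET_BIND_SERVICE --read-only -v /etc/app:/config:ro
HARDENED_INSPECT = json.loads("""
[{"Id": "constructed-container-id-2",
  "Config": {"User": "1000:1000"},
  "HostConfig": {"Privileged": false, "CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"],
                 "ReadonlyRootfs": true, "SecurityOpt": [], "UsernsMode": "",
                 "Binds": ["/etc/app:/config:ro"]}}]
""")


def normalize_cap(name):
    """Docker accepts both NET_RAW and CAP_NET_RAW; compare without the prefix."""
    name = name.upper()
    return name[4:] if name.startswith("CAP_") else name


def effective_caps(host_config):
    """Capabilities the container ends up with: the default set minus
    --cap-drop plus --cap-add; --privileged or --cap-add ALL means everything."""
    drop = {normalize_cap(c) for c in host_config.get("CapDrop") or []}
    add = {normalize_cap(c) for c in host_config.get("CapAdd") or []}
    if host_config.get("Privileged") or "ALL" in add:
        return {"ALL"}
    caps = set() if "ALL" in drop else DEFAULT_CAPS - drop
    return caps | add


def audit(record):
    """Return a list of findings (strings); an empty list means the checklist passes."""
    cfg = record.get("Config", {})
    hc = record.get("HostConfig", {})
    findings = []
    user = cfg.get("User") or ""
    if user.split(":")[0] in ("", "root", "0"):
        findings.append("runs as root: set a non-root USER")
    if hc.get("Privileged"):
        findings.append("--privileged grants every capability and every host device")
    caps = effective_caps(hc)
    if caps == {"ALL"} or caps - DEFAULT_CAPS:
        findings.append("capabilities beyond the default set: %s" % sorted(caps))
    if "ALL" not in {normalize_cap(c) for c in hc.get("CapDrop") or []}:
        findings.append("default capabilities kept: use --cap-drop ALL and add back only what is needed")
    if not hc.get("ReadonlyRootfs"):
        findings.append("writable root filesystem: use --read-only")
    for opt in hc.get("SecurityOpt") or []:
        if opt.replace(" ", "") in ("seccomp=unconfined", "seccomp:unconfined"):
            findings.append("seccomp disabled: keep the default profile or supply a stricter one")
    if hc.get("UsernsMode") == "host":
        findings.append("user namespace disabled with --userns=host")
    for bind in hc.get("Binds") or []:
        parts = bind.split(":")
        dst = parts[1] if len(parts) > 1 else parts[0]
        if len(parts) < 3 or "ro" not in parts[2].split(","):
            findings.append("bind mount %s is writable: add :ro" % dst)
    return findings


if __name__ == "__main__":
    for record in SAMPLE_INSPECT + HARDENED_INSPECT:
        print(record["Id"], audit(record) or ["ok"])
```

Run against real output with `docker inspect <container> | python audit.py` after replacing the constants with `json.load(sys.stdin)`; the checks are the same ones docker-bench-security runs in its container-runtime section, written out so the reasoning behind each finding is visible.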
Audit Container Images
● You can scan your images for known vulnerabilities
● Find known vulnerable binaries
    ○ Docker Security Scanning
    ○ Anchore Cloud
    ○ Dagda
    ○ Tenable.io Container Security
Docker security scanning
Anchore
Dagda
Tenable.io container security
References
● https://docs.docker.com/engine/security
● http://www.oreilly.com/webops-perf/free/files/docker-security.pdf
● http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf
● Docker Content Trust: https://docs.docker.com/engine/security/trust/content_trust
● Docker Security Scanning: https://docs.docker.com/docker-cloud/builds/image-scan
● https://blog.docker.com/2016/04/docker-security
● http://softwaretester.info/docker-audit
Thanks!
Contact:
@jmortegac
jmortega.github.io
about.me/jmortegac