Automated Container Security - Continuous Lifecycle...
Post on 20-May-2020
TRANSCRIPT
Automated Container Security
Dima Stopel, dima@twistlock.com
Who is the guy on stage?
Container lifecycle
● CI integration
● Package vulnerability management
● Library vulnerability management
● Registry scan
● Image compliance
● Image trust
● RBAC
● Identity management
● Container compliance
● Runtime protection
Changes in the attack vector
New security challenges

Docker                                  | Virtual Machine / Bare Metal
----------------------------------------|------------------------------------------
No update mechanism                     | Update mechanism keeps the OS up to date
No antivirus (device mapper)            | Typical antivirus
Compliance (CIS vulnerabilities)        | --
OS kernel is shared between containers  | Hypervisor is the interface point
docker run ubuntu
FROM buildpack-deps:wheezy

# gpg keys listed at https://github.com/nodejs/node
RUN set -ex \
  && for key in \
    9554F04D7259F04124DE6B476D5A82AC7E37093B \
    ... \
  ; do \
    gpg --keyserver ha.pool.sks-keyservers.net --recv-keys "$key"; \
  done

RUN curl -SLO "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-x64.tar.xz" \
  ...
  && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \
  ...

CMD [ "node" ]
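The Dockerfile above fetches the Node tarball together with a GPG-signed SHASUMS256.txt, verifies the signature with the imported maintainer keys, and (in the elided steps) checks the tarball's SHA-256 against that file. The Python below is an added example, not code from the talk or from the Node image, showing the checksum half of that check: it parses a sha256sum-style file, hashes the artifact, and refuses both a digest mismatch and an artifact the file never lists. The GPG step is assumed to have already succeeded; the tarball and checksum file are constructed in a temporary directory, and the file name only mirrors the NODE_VERSION=5.7.1 seen in the image history.

```python
import hashlib
import hmac
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# One entry of a sha256sum-style SHASUMS256.txt: 64 hex digits, a space,
# then either a space (text mode) or '*' (binary mode), then the file name.
_SUM_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def parse_shasums(text: str) -> dict:
    """Map file name -> expected SHA-256 (lowercase hex).

    A malformed line is an error rather than something to skip: a truncated or
    edited checksum file must not quietly turn into "nothing to verify".
    """
    expected = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        match = _SUM_LINE.match(line)
        if match is None:
            raise ValueError(f"SHASUMS256.txt line {lineno} is malformed: {line!r}")
        digest, name = match.groups()
        expected[name] = digest.lower()
    return expected


def sha256_of_file(path: Path) -> str:
    """Stream the file through SHA-256 so a large tarball is not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_artifact(artifact: Path, shasums_text: str) -> bool:
    """True only if the checksum file lists this artifact and the digest matches.

    An artifact that is absent from the (already signature-verified) checksum
    file is treated as a failure, not as "nothing to check".
    """
    expected = parse_shasums(shasums_text)
    wanted = expected.get(artifact.name)
    if wanted is None:
        return False
    return hmac.compare_digest(sha256_of_file(artifact), wanted)


def demo() -> dict:
    """Constructed scenario: a listed artifact, the same file after tampering,
    and an artifact the checksum file never mentions."""
    with TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        # Constructed stand-in for the Node tarball; the bytes are made up.
        tarball = workdir / "node-v5.7.1-linux-x64.tar.xz"
        tarball.write_bytes(b"constructed tarball contents")
        # What a trustworthy SHASUMS256.txt would say about it (text-mode format).
        shasums = f"{sha256_of_file(tarball)}  {tarball.name}\n"
        results = {"listed": verify_artifact(tarball, shasums)}

        # Same path, altered content: the digest no longer matches.
        tarball.write_bytes(b"constructed tarball contents, altered in transit")
        results["tampered"] = verify_artifact(tarball, shasums)

        # A file the checksum list does not cover at all.
        other = workdir / "node-v5.7.1-linux-arm64.tar.xz"
        other.write_bytes(b"constructed, never listed")
        results["unlisted"] = verify_artifact(other, shasums)
    return results


if __name__ == "__main__":
    print(demo())
```

Running the module prints the three verdicts; in a build, the equivalent check sits between the `gpg --batch --decrypt` step and `tar -x`, so an image is never built from bytes the signed checksum file does not vouch for.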
dima@icecream:~$ sudo docker history node
IMAGE CREATED CREATED BY SIZE COMMENT
940065556150 6 days ago /bin/sh -c #(nop) CMD ["node"] 0 B
5f4d45468b32 6 days ago /bin/sh -c curl -SLO "https://nodejs.org/dist 37.42 MB
30f05ea42c64 6 days ago /bin/sh -c #(nop) ENV NODE_VERSION=5.7.1 0 B
15224b5905c8 7 days ago /bin/sh -c #(nop) ENV NPM_CONFIG_LOGLEVEL=inf 0 B
ac2b28ee0fd4 7 days ago /bin/sh -c set -ex && for key in 9554F0 51.75 kB
7aad83ccd4c5 7 days ago /bin/sh -c apt-get update && apt-get install 314.7 MB
575901a9b28b 7 days ago /bin/sh -c apt-get update && apt-get install 122.6 MB
6b3946d5b323 7 days ago /bin/sh -c apt-get update && apt-get install 44.32 MB
040bf8e08425 7 days ago /bin/sh -c #(nop) CMD ["/bin/bash"] 0 B
73e8d4f6bf84 7 days ago /bin/sh -c #(nop) ADD file:b5391cb13172fb513d 125.1 MB
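The `docker history` output above lists the image one layer per line, and a layer-aware scanner attributes each finding to the layer that introduced it. As an added example (not code from the talk or from Twistlock), the Python below parses that listing into records, converts the human-readable sizes back to bytes using Docker's decimal units, and separates the layers that actually add files (where packages, and therefore vulnerabilities, enter the image) from the zero-byte metadata layers such as `ENV` and `CMD`. The sample input is the listing above copied verbatim.

```python
import re
from dataclasses import dataclass

# Sample input: the 'docker history node' listing from the slide, copied verbatim.
SAMPLE_HISTORY = """\
IMAGE CREATED CREATED BY SIZE COMMENT
940065556150 6 days ago /bin/sh -c #(nop) CMD ["node"] 0 B
5f4d45468b32 6 days ago /bin/sh -c curl -SLO "https://nodejs.org/dist 37.42 MB
30f05ea42c64 6 days ago /bin/sh -c #(nop) ENV NODE_VERSION=5.7.1 0 B
15224b5905c8 7 days ago /bin/sh -c #(nop) ENV NPM_CONFIG_LOGLEVEL=inf 0 B
ac2b28ee0fd4 7 days ago /bin/sh -c set -ex && for key in 9554F0 51.75 kB
7aad83ccd4c5 7 days ago /bin/sh -c apt-get update && apt-get install 314.7 MB
575901a9b28b 7 days ago /bin/sh -c apt-get update && apt-get install 122.6 MB
6b3946d5b323 7 days ago /bin/sh -c apt-get update && apt-get install 44.32 MB
040bf8e08425 7 days ago /bin/sh -c #(nop) CMD ["/bin/bash"] 0 B
73e8d4f6bf84 7 days ago /bin/sh -c #(nop) ADD file:b5391cb13172fb513d 125.1 MB
"""

# docker prints sizes with decimal (SI) prefixes, so 1 kB is 1000 bytes.
_UNITS = {"B": 1, "kB": 10**3, "MB": 10**6, "GB": 10**9}

# IMAGE and CREATED are fixed-shape; CREATED BY is free text (docker truncates
# it), so it is matched lazily up to the trailing "<number> <unit>" size column.
_ROW = re.compile(
    r"^(?P<image>\S+)\s+(?P<created>.+? ago)\s+(?P<created_by>.+?)\s+"
    r"(?P<size>\d+(?:\.\d+)?)\s*(?P<unit>kB|MB|GB|B)(?:\s+(?P<comment>.*))?$"
)


@dataclass
class Layer:
    image: str
    created: str
    created_by: str
    size_bytes: int
    comment: str

    @property
    def is_metadata_only(self) -> bool:
        """Dockerfile instructions recorded as '#(nop)' (ENV, CMD, ADD, ...)."""
        return "#(nop)" in self.created_by


def parse_docker_history(text: str) -> list:
    """Turn 'docker history' output into Layer records, top (newest) layer first."""
    layers = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("IMAGE"):
            continue  # blank line or the column header
        match = _ROW.match(line)
        if match is None:
            raise ValueError(f"unrecognised docker history line: {line!r}")
        size_bytes = int(round(float(match["size"]) * _UNITS[match["unit"]]))
        layers.append(Layer(match["image"], match["created"], match["created_by"],
                            size_bytes, match["comment"] or ""))
    return layers


def content_layers(layers: list) -> list:
    """Layers that added bytes to the filesystem: the only ones that can bring in
    packages, so the only ones whose contents a vulnerability scanner must diff."""
    return [layer for layer in layers if layer.size_bytes > 0]


def total_size(layers: list) -> int:
    """Sum of all layer sizes in bytes (the image's on-disk footprint)."""
    return sum(layer.size_bytes for layer in layers)


if __name__ == "__main__":
    parsed = parse_docker_history(SAMPLE_HISTORY)
    for layer in content_layers(parsed):
        print(f"{layer.image}  {layer.size_bytes:>12,} B  {layer.created_by}")
    print(f"{len(parsed)} layers, {total_size(parsed):,} bytes total")
```

Of the ten layers in the listing, only six add bytes; the three `apt-get install` layers and the base `ADD` layer account for almost all of the image, which is where a package-level scan spends its time, while the `curl` layer is where the Node binary itself arrives.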
CVE-2016-0798 & CVE-2016-0798 is the DROWN Attack
user@host ~ $ docker kill a83
Error response from daemon: [Twistlock] The command 'container_kill' denied for user 'jake' by rule 'Default - Deny all'
Vulnerable