ContainerandMicroserviceSecurity

AdrianMouat

ChiefScientist@ContainerSolutions

Wrote"UsingDocker"forO'Reilly

40%DiscountwithAUTHDcode

FreeDockerSecurityminibook

@adrianmouat

http://www.oreilly.com/webops-perf/free/docker-security.csp

OverviewTheBene tsofSecurityContainerAttackVectorsSecurityPhilosophyDemoTips&Techniques

TheBene tsofSecurity

ContainerAttackVectors

KernelAttacks

DenialofService

ContainerBreakouts

PoisonedImages

Sni ngSecrets

SecurityParadigms

Defence-In-DepthMultiplelayersofsecurity

LeastPrivilege

Onlyaccessdataandresourcesessentialtofunction"LeastPrivilegeMicroservices"byNathanMcCauleyandDiogoMónica

DEMO

Sowhatnow?IdeallyhaveguidelinesforprocedureNeedtoisolatecontainer(andprobablyhost)dockernetworkdisconnect

Don'tdelete,preferablydon'tstopifsafedockerdi

HowtomitigateRuncontainerwithlessprivileges--read-onlyUsenon-privilegeduser...

Notasolution!StillallowsremoteexecutionofarbitraryJSRealsolutionistoreplacevulnerablelibraryImageshouldbescannedforknownvulns

ImageScanningDockerSecurityScanningOthersolutionsClairfromCoreOSAquaSecurityTwistlockAtomicScanfromRedHatNeuVector

DependencyCheckersOWASPDependencyCheckerNodeSecurityProject(NSP)

Tips&Techniques

UseContainersandVMsUseVMstosegregategroupsofcontainersFormultitenancyEachuser'scontainersinseparateVM

Fordi erentsecuritylevelsContainersprocessingCCdetailsinownVM

Aside:DirtyCow(CVE-2016-5195)

RecentvulnerabilityfoundinthekernelAllows“privilegeescalation”CanbeusedtobreakoutofcontainersAlsobreaksread-only lesystemshttps://dirtycow.ninja/https://blog.paranoidsoftware.com/dirty-cow-cve-2016-5195-docker-container-escape/

dockerrun--rmamouat/dirty-cow-test

SegregatebyNetworkUsemultiple"logical"networkse.g.backend,frontend

frontendshouldnotbeabletobackendnetwork"link"containerwillbeinboth

dockernetworkcreatefrontend

DockerPrivileges==

RootPrivileges

CanmountanydirectoryCancreateandcopyout"backdoors"

dockerrun-v$PWD:/datadebian/bin/sh-c\'cp/bin/sh/data/&&chownroot.root/data/sh&&chmoda+s/data/sh'

UserNamespacing

Bydefault,thereisnousernamespacingRootincontainerisrootonhostDon'trunappsinaVMasrootSamegoesforcontainers

UserNamespacingCanbeturnedonsince1.10Mapsusersincontainerstohigh-numberedusersonhostSetondaemon,notpercontainerDuetocomplicationswithownershipofimagelayers

GotchasProblemswithvolumesandpluginsCan'tuse--pid=hostor--net=hostCan'tuseread-onlyRestrictionsonsomeoperations(e.g.mknod)

SetaUSERCreateauserinyourDocker leChangetotheuserviaUSERorsu/sudo/gosu

RUNgroupadd-ruser&&useradd-r-guseruserUSERuser

BecarefulwhendeletingdatainDocker les

Thisdoesn'tworkFROMdebianRUNapt-getupdate&&apt-getinstall-ycurlRUNcurlhttp://sourcecode.com/file.tgz-o/file.tgzRUNtarxzf/file.tgz&&makeRUNrm/file.tgz

ThisdoesFROMdebianRUNapt-getupdate&&apt-getinstall-ycurlRUNcurlhttp://sourcecode.com/file.tgz-o/file.tgz&&tarxzf/file.tgz&&make&&rm/file.tgz

Andthisisreallybad#CopygithubsshkeyCOPYgithub_rsa/root/.ssh/id_rsa...#RemovesshkeyRUNrm/root/.ssh/id_rsa

SetContainerFStoRead-Only

$dockerrun--read-onlydebiantouchxtouch:cannottouch'x':Read-onlyfilesystem

SetVolumestoRead-Only$dockerrun-v$(pwd)/secrets:/secrets:ro\debiantouch/secrets/xtouch:cannottouch'/secrets/x':Read-onlyfilesystem

DropCapabilities$dockerrun--cap-dropSETUID--cap-dropSETGIDmyimage$dockerrun--cap-dropALL--cap-add...

Setcpushares$dockerrun-dmyimage$dockerrun-d-c512myimage$dockerrun-d-c512myimage

Setmemorylimits$dockerrun-m512mmyimage

Defangsetuid/setgidbinaries

Applicationsprobablydon'tneedthemSodon'truntheminproduction

To ndthem$dockerrundebian\find/-perm+6000-typef-execls-ld{}\;2>/dev/null-rwsr-xr-x1rootroot10248Apr1500:02/usr/lib/pt_chown-rwxr-sr-x1rootshadow62272Nov202014/usr/bin/chage-rwsr-xr-x1rootroot75376Nov202014/usr/bin/gpasswd-rwsr-xr-x1rootroot53616Nov202014/usr/bin/chfn...

TodefangthemFROMdebian:wheezyRUNfind/-perm+6000-typef-execchmoda-s{}\;\||true

Result$dockerbuild-tdefanged-debian....Successfullybuilt526744cf1bc1$dockerrun--rmdefanged-debian\find/-perm+6000-typef-execls-ld{}\;\2>/dev/null|wc-l0$

UseMinimalImages

LesssoftwareLessattacksurface

AlpineLinux

StaticbinariesGomakesthiseasy

https://hub.docker.com/_/alpine/

https://medium.com/iron-io-blog/an-easier-way-to-create-tiny-golang-docker-images-7ba2893b160

UseLinuxSecurityModules

SELinuxByNSA!PolicybasedMACnotDACFileaccess,sockets,interfaces

PITAHardtode neownpoliciesHavetousedevicemapperExtraworktousevolumes

$sestatus|grepmodeCurrentmode:enforcing$mkdirdata$echo"hello">data/file$dockerrun-v$(pwd)/data:/datadebiancat/data/filecat:/data/file:Permissiondenied

$ls--scontextdataunconfined_u:object_r:user_home_t:s0file$chcon-Rtsvirt_sandbox_file_tdata$dockerrun-v$(pwd)/data:/datadebiancat/data/filehello

AppArmorUsedbyDebian&UbuntuOnbydefaultLimitscontaineraccesstohost lesandkernelcapabilitiesCanpassinownpolicyforacontainerProcessbased;notas ne-grainedasSELinux

AlsoaPITA,but...

BANEProjectbyJessieFrazelleSimpli escreatingAppArmorpro les

SecurityHardenedKernelPatchedkernelwithsecurityenhancementsgrsecurityPaXLagbehindlatestkernelversion

VerifyImagesKnowwhatyou'rerunningAndwhereitcamefromOnlyuseautomatedbuilds,checkDocker leDockerContentTrustPullbydigest

AuditingImmutableinfrastructureAuditimages,notcontainersDockerdiScanningtoolsscalock,twistlock,clair

SharingSecrets

BakeitintotheImage

EnvironmentVariables

Suggestedby12factorappsCanbeseentoomanyplaceslinkedcontainers,inspect

Can'tbedeletedGetincludedinreports

$dockerrun-eAPI_TOKEN=MY_SECRETmyimage

MountedvolumesorDataVolumeContainers

Works,butickyFilescangetcheckedinbyaccident

$dockerrun-v/secretdir/keyfile:/keyfile:romyimage$dockerrun--volumes-frommy-secret-containermyimage

SecureKey-ValuestoreDocker1.13inSwarmMode

KubernetesSecrets

Vault

Cancontrolleases,storeencrypted

https://github.com/docker/docker/pull/27794

https://hashicorp.com/blog/vault.html

ConclusionContainersAddisolationProvidetoolsforrestrictingattackers

UsewithVMsifconcernedThinkDefence-In-Depth&LeastPrivilege

Thankyou!

ChiefScientist@ContainerSolutions

Wrote"UsingDocker"forO'Reilly

FreeDockerSecurityminibook

@adrianmouat

https://www.openshift.com/promotions/docker-security.html