Container and Microservice Security
container-solutions.com/content/uploads/2017/04/slides.pdf
TRANSCRIPT
Chief Scientist @ Container Solutions
Wrote "Using Docker" for O'Reilly
40% Discount with AUTHD code
Free Docker Security minibook
@adrianmouat
http://www.oreilly.com/webops-perf/free/docker-security.csp
Least Privilege
Only access data and resources essential to function. "Least Privilege Microservices" by Nathan McCauley and Diogo Mónica
So what now? Ideally have guidelines for procedure. Need to isolate container (and probably host): docker network disconnect
Don't delete, preferably don't stop if safe: docker diff
Not a solution! Still allows remote execution of arbitrary JS. Real solution is to replace vulnerable library. Image should be scanned for known vulns
Image Scanning: Docker Security Scanning. Other solutions: Clair from CoreOS, Aqua Security, Twistlock, Atomic Scan from Red Hat, NeuVector
Use Containers and VMs. Use VMs to segregate groups of containers. For multitenancy: each user's containers in separate VM
For different security levels: containers processing CC details in own VM
Aside: Dirty Cow (CVE-2016-5195)
Recent vulnerability found in the kernel. Allows "privilege escalation". Can be used to break out of containers. Also breaks read-only filesystems. https://dirtycow.ninja/ https://blog.paranoidsoftware.com/dirty-cow-cve-2016-5195-docker-container-escape/
docker run --rm amouat/dirty-cow-test
Segregate by Network. Use multiple "logical" networks, e.g. backend, frontend
frontend should not be able to [access] backend network. "link" container will be in both
docker network create frontend
Can mount any directory. Can create and copy out "backdoors"
docker run -v $PWD:/data debian /bin/sh -c \
    'cp /bin/sh /data/ && chown root.root /data/sh && chmod a+s /data/sh'
User Namespacing
By default, there is no user namespacing. Root in container is root on host. Don't run apps in a VM as root. Same goes for containers
User Namespacing: Can be turned on since 1.10. Maps users in containers to high-numbered users on host. Set on daemon, not per container, due to complications with ownership of image layers
Gotchas: Problems with volumes and plugins. Can't use --pid=host or --net=host. Can't use read-only. Restrictions on some operations (e.g. mknod)
Set a USER. Create a user in your Dockerfile. Change to the user via USER or su/sudo/gosu
RUN groupadd -r user && useradd -r -g user user
USER user
This doesn't work (the file deleted in the last RUN still sits in the earlier layer):
FROM debian
RUN apt-get update && apt-get install -y curl
RUN curl http://sourcecode.com/file.tgz -o /file.tgz
RUN tar xzf /file.tgz && make
RUN rm /file.tgz
This does:
FROM debian
RUN apt-get update && apt-get install -y curl
RUN curl http://sourcecode.com/file.tgz -o /file.tgz && tar xzf /file.tgz && make && rm /file.tgz
And this is really bad:
# Copy github ssh key
COPY github_rsa /root/.ssh/id_rsa
...
# Remove ssh key
RUN rm /root/.ssh/id_rsa
Set Volumes to Read-Only
$ docker run -v $(pwd)/secrets:/secrets:ro \
    debian touch /secrets/x
touch: cannot touch '/secrets/x': Read-only file system
Drop Capabilities
$ docker run --cap-drop SETUID --cap-drop SETGID myimage
$ docker run --cap-drop ALL --cap-add ...
To find them
$ docker run debian \
    find / -perm +6000 -type f -exec ls -ld {} \; 2>/dev/null
-rwsr-xr-x 1 root root   10248 Apr 15 00:02 /usr/lib/pt_chown
-rwxr-sr-x 1 root shadow 62272 Nov 20  2014 /usr/bin/chage
-rwsr-xr-x 1 root root   75376 Nov 20  2014 /usr/bin/gpasswd
-rwsr-xr-x 1 root root   53616 Nov 20  2014 /usr/bin/chfn
...
Result
$ docker build -t defanged-debian .
...
Successfully built 526744cf1bc1
$ docker run --rm defanged-debian \
    find / -perm +6000 -type f -exec ls -ld {} \; \
    2>/dev/null | wc -l
0
$
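The build step that produces the defanged-debian image is not on these slides. As an added example (not the author's code), the shell functions below implement that setuid/setgid-stripping step over any root directory and exercise it on a constructed directory tree; they assume GNU or BusyBox find, whose `-perm /6000` replaces the older `-perm +6000` spelling shown above, and the function names and sample paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides: strip setuid/setgid bits from an
# image filesystem so that dropping CAP_SETUID/CAP_SETGID at run time is
# not the only thing standing between a compromised process and root.
# Assumes GNU or BusyBox find; "-perm /6000" matches files with the
# setuid OR setgid bit set (the slides' "+6000" is the obsolete spelling).

# list_suid ROOT: print setuid/setgid regular files under ROOT, one per line
list_suid() {
    find "$1" -xdev -type f -perm /6000 2>/dev/null | sort
}

# count_suid ROOT: how many such files remain (0 is the goal for an image)
count_suid() {
    list_suid "$1" | wc -l | tr -d ' '
}

# defang ROOT: remove the s bits in place; -print first so the build log
# records exactly which binaries were altered. In a Dockerfile the same
# find goes in a RUN step after the last package install, because a later
# apt-get/apk install can bring setuid binaries back.
defang() {
    find "$1" -xdev -type f -perm /6000 -print -exec chmod a-s {} +
}

# make_sample_root: constructed test data, not a real image: a throwaway
# tree with two setuid "binaries" and one ordinary file; prints its path.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/bin"
    printf '#!/bin/sh\n' > "$d/usr/bin/chfn"
    printf '#!/bin/sh\n' > "$d/usr/bin/gpasswd"
    printf '#!/bin/sh\n' > "$d/bin/ls"
    chmod 4755 "$d/usr/bin/chfn" "$d/usr/bin/gpasswd"
    chmod 0755 "$d/bin/ls"
    printf '%s\n' "$d"
}

# Demo on the sample tree only when explicitly requested: defang is
# destructive, so it is meant for an image rootfs during a build.
if [ "${DEFANG_DEMO:-0}" = 1 ]; then
    root=$(make_sample_root)
    echo "before: $(count_suid "$root")"; defang "$root"
    echo "after:  $(count_suid "$root")"; rm -rf "$root"
fi
```

Run with `DEFANG_DEMO=1 sh defang.sh` to see the before/after counts; the ordinary file keeps its execute bits, only the s bits go.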
Alpine Linux
Static binaries. Go makes this easy
https://hub.docker.com/_/alpine/
https://medium.com/iron-io-blog/an-easier-way-to-create-tiny-golang-docker-images-7ba2893b160
$ sestatus | grep mode
Current mode: enforcing
$ mkdir data
$ echo "hello" > data/file
$ docker run -v $(pwd)/data:/data debian cat /data/file
cat: /data/file: Permission denied
$ ls --scontext data
unconfined_u:object_r:user_home_t:s0 file
$ chcon -Rt svirt_sandbox_file_t data
$ docker run -v $(pwd)/data:/data debian cat /data/file
hello
AppArmor: Used by Debian & Ubuntu. On by default. Limits container access to host files and kernel capabilities. Can pass in own policy for a container. Process based; not as fine-grained as SELinux
Security Hardened Kernel: Patched kernel with security enhancements. grsecurity, PaX. Lag behind latest kernel version
Verify Images: Know what you're running, and where it came from. Only use automated builds, check Dockerfile. Docker Content Trust. Pull by digest
Auditing: Immutable infrastructure. Audit images, not containers. docker diff. Scanning tools: scalock, twistlock, clair
Environment Variables
Suggested by 12 factor apps. Can be seen too many places: linked containers, inspect
Can't be deleted. Get included in reports
$ docker run -e API_TOKEN=MY_SECRET myimage
Mounted volumes or Data Volume Containers
Works, but icky. Files can get checked in by accident
$ docker run -v /secretdir/keyfile:/keyfile:ro myimage
$ docker run --volumes-from my-secret-container myimage
Secure Key-Value store: Docker 1.13 in Swarm Mode
Kubernetes Secrets
Vault
Can control leases, store encrypted
https://github.com/docker/docker/pull/27794
https://hashicorp.com/blog/vault.html
Conclusion: Containers add isolation. Provide tools for restricting attackers
Use with VMs if concerned. Think Defence-In-Depth & Least Privilege
Free Docker Security minibook
https://www.openshift.com/promotions/docker-security.html