Docker security configuration

Post on 13-Apr-2017

DOCKER SECURITY CONFIGURATION

Real-World Examples and Troubleshooting

OVERVIEW

Capabilities

Seccomp

Demo demo demo!

THEME

None of my demos should “work” the first time.

CAPABILITIES

Worst to best:

Run with --privileged=true

Run with --cap-add ALL

Run with --cap-drop ALL --cap-add <only needed>

Run as non-root user, unprivileged

Useful: capabilities section of https://docs.docker.com/engine/reference/run/

DEMO SECTION ONE

REMEMBER THIS?

From my Monday talk. Even in dev you should do this. Break the bad habit.

Do as I say, not as I do!

SECCOMP

3 sections:

Default Action

Target architectures

Filter rules

Like firewall rules, but harder to debug!

DEMO SECTION TWO

SECCOMP RETURN VALUES

SECCOMP_RET_KILL

SECCOMP_RET_TRAP

SECCOMP_RET_ERRNO

SECCOMP_RET_TRACE

SECCOMP_RET_ALLOW

https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt

DOCKER SECCOMP ACTIONS

SECCOMP_RET_KILL

SECCOMP_RET_TRAP

SECCOMP_RET_ERRNO SCMP_ACT_ERRNO

SECCOMP_RET_TRACE

SECCOMP_RET_ALLOW SCMP_ACT_ALLOW

https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt

HOW TO BUILD A SECCOMP PROFILE?

We need to build a list of system calls called by the program…

…that we want to succeed

Guess (preferably educated)

RTFM (thanks John!)

Capture behavior – maybe /usr/sbin/strace

Disassembly?
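
One way to turn captured behavior into a profile, as an added example that is not from the original slides: it parses strace output and emits a Docker seccomp profile with the three sections listed earlier (default action, target architectures, filter rules). The sample trace, the function names and the single x86-64 architecture are assumptions made for illustration.

```python
import json
import re

# Constructed sample of `strace -f` output (not captured from a real run).
SAMPLE_STRACE = """\
execve("/bin/true", ["true"], 0x7ffd0 /* 9 vars */) = 0
brk(NULL)                               = 0x55d0c000
[pid  4242] openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
[pid  4242] read(3, "\\177ELF"..., 832) = 832
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
[pid  4242] <... futex resumed>)        = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED} ---
close(3)                                = 0
exit_group(0)                           = ?
+++ exited with 0 +++
"""

# Optional "[pid N] " (or bare pid, as written by `strace -o`), then either
# "name(" or the "<... name resumed>" form used for interrupted calls.
CALL_RE = re.compile(
    r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?(?:<\.\.\. (\w+) resumed>|(\w+)\()"
)

def syscalls_from_strace(text):
    """Return the sorted, de-duplicated syscall names seen in strace output."""
    names = set()
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:  # signal ("---") and exit ("+++") lines do not match
            names.add(m.group(1) or m.group(2))
    return sorted(names)

def build_profile(names, arches=("SCMP_ARCH_X86_64",)):
    """Deny by default with an errno, allow only the observed syscalls."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": list(arches),
        "syscalls": [{"names": list(names), "action": "SCMP_ACT_ALLOW"}],
    }

if __name__ == "__main__":
    profile = build_profile(syscalls_from_strace(SAMPLE_STRACE))
    print(json.dumps(profile, indent=2))
```

Save the JSON to a file and pass it with `docker run --security-opt seccomp=<file>`. A trace only covers the code paths exercised during capture, so calls made on other paths will be missing from the allow list.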

DEMO SECTION THREE

LAW OF DIMINISHING RETURNS

Getting that last 1% can be expensive

DEMO SECTION FOUR

SET IT AND FORGET IT!

no-new-privileges

TOOLS

Modern OS

objdump (from binutils)

nm

strace

auditd (some day…)

WAS THIS USEFUL?

@johnlkinsella

http://layeredinsight.com

http://github.com/jlk