Automated Container Security

Dima Stopeldima@twistlock.com

•••••••••

Who is the guy on stage?

Container lifecycle

● CI integration● Package

vulnerability management

● Library vulnerability management

● Registry scan● Image compliance● Image trust

● RBAC● Identity

management● Container

compliance● Runtime

protection

Changes in the attack vector

New security challengesDocker Virtual Machine / Bare Metal

No update mechanism Update mechanism keeps the OS up to date

No antivirus (device mapper) Typical Antivirus

Compliance (CIS vulnerabilities) --

OS kernel is shared between containers

Hypervisor is the interface point

•••

••••

•••••• docker run ubuntu

FROM buildpack-deps:wheezy

# gpg keys listed at https://github.com/nodejs/node

RUN set -ex \

&& for key in \

9554F04D7259F04124DE6B476D5A82AC7E37093B \

...

; do \

gpg --keyserver ha.pool.sks-keyservers.net --recv-keys "$key"; \

done

RUN curl -SLO "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-x64.tar.xz" \

...

&& gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \

...

CMD [ "node" ]

dima@icecream:~$ sudo docker history node

IMAGE CREATED CREATED BY SIZE COMMENT

940065556150 6 days ago /bin/sh -c #(nop) CMD ["node"] 0 B

5f4d45468b32 6 days ago /bin/sh -c curl -SLO "https://nodejs.org/dist 37.42 MB

30f05ea42c64 6 days ago /bin/sh -c #(nop) ENV NODE_VERSION=5.7.1 0 B

15224b5905c8 7 days ago /bin/sh -c #(nop) ENV NPM_CONFIG_LOGLEVEL=inf 0 B

ac2b28ee0fd4 7 days ago /bin/sh -c set -ex && for key in 9554F0 51.75 kB

7aad83ccd4c5 7 days ago /bin/sh -c apt-get update && apt-get install 314.7 MB

575901a9b28b 7 days ago /bin/sh -c apt-get update && apt-get install 122.6 MB

6b3946d5b323 7 days ago /bin/sh -c apt-get update && apt-get install 44.32 MB

040bf8e08425 7 days ago /bin/sh -c #(nop) CMD ["/bin/bash"] 0 B

73e8d4f6bf84 7 days ago /bin/sh -c #(nop) ADD file:b5391cb13172fb513d 125.1 MB

•

•

•

•

CVE-2016-0798 & CVE-2016-0798 is the DROWN Attack

•••

••••

user@host ~ $ docker kill a83Error response from daemon: [Twistlock] The command 'container_kill' denied for user 'jake' by rule 'Default - Deny all'

•••

Vulnerable

••

••

••

1.a.b.c.d.

2.3.4.5.