Docker Amsterdam Meetup - January 2015 1

Docker Security

Are Your Containers Tightly Secured To The Ship?

Michael BoelenCISOfy

2

whoami

Michael Boelen

◼ Founder of CISOfy

◼ Open Source developer:Rootkit Hunter and Lynis

◼ Passion for Linux security / auditing

◼ Blogging about it: Linux-Audit.com

3

Docker and Me

My Reasons

Understanding: New technology

Development: Docker security scan (Lynis plugin)

Using it: Server deployments

4

Docker and Security

The Research...

Limited resources

Outdated articles

Security not important?

Proposal: Let's fix these issues

5

Docker and Security

Proposal

Tooling: simplify Linux security

Articles about Docker security

Provide input to projects

Presentations

→ Lynis

→ Blog post

→ You!

→ In progress

6

Goal

What

Stabilize the vessel

Secure the containers

7

Goal

Photo credits: imagebase.net

How

Benefits

Risks

Defenses

Best Practices

8

Goal

Why?

9

Goal

Data!

Docker + Software = Data Sharing

And... Protect it

10

Warning

From this point, there might be lies...

11

Security Benefits of Docker

12

Security Benefits

Segregation

◼ The „Holy Grail“ of security

◼ Smaller units means more control

13

Security Benefits

Granular control

◼ Limit users, access and data

◼ Easier to understand

◼ Easier to defend

14

Security Benefits

Information Disclosure

◼ Decreased data leakage

◼ Less resources available

15

Docker Risks

16

Docker Risks

Software security

◼ Bugs

◼ Security vulnerabilities

◼ Regular updates needed

◼ Backdoors? Auditing?

17

Docker Risks

Knowledge gap

◼ IT auditor

◼ Your colleagues

◼ You...?

18

Docker Risks

Does Not Contain

◼ No full isolation (yet)

◼ Handle containers as a host

◼ Know strengths and weaknesses

19

Docker Defenses

20

Docker Defenses

Docker Website

◼ HTTPS

◼ Digital signatures

◼ Images verified after downloading

21

Docker Defenses

Docker Containers

◼ Namespaces and cgroups

◼ Seccomp

◼ Capabilities

◼ Frameworks

Copyright Docker, Inc

22

Docker Defenses

Namespaces

◼ Isolates parts of the OS

◼ PID namespaces

◼ Network namespaces

◼ User namespaces → Not really!

23

Docker Defenses

Namespaces (cont.)

◼ IPC namespaces (process communication)

◼ UTS namespaces (hostname/NIS)

◼ Mount namespaces

24

Docker Defenses

Seccomp

◼ Secure computing mode

◼ Filters syscalls with BPF

◼ Isolation, not virtualization

◼ Used in Chrome, OpenSSH, vsftpd, LXD and Mbox

25

Docker Defenses

Seccomp

◼ Default list of blocked calls

◼ kexec_load◼ open_by_handle_at◼ init_module◼ finit_module◼ delete_module

26

Docker Defenses

Control Groups (cgroups)

◼ Restrict resources

◼ Prioritize

◼ Accounting

◼ Control

27

Docker Defenses

Capabilities

◼ = Root user, split into roles

◼ Default list of allowed capabilities

◼ --cap-add / --cap-drop

◼ Combine (e.g. add all, drop a few)

28

Docker Defenses

Capability Functionality

CAP_AUDIT_WRITE Audit log write access

CAP_AUDIT_CONTROL Configure Linux Audit subsystem

CAP_MAC_OVERRIDE Override kernel MAC policy

CAP_MAC_ADMIN Configure kernel MAC policy

CAP_NET_ADMIN Configure networking

CAP_SETPCAP Process capabilities

CAP_SYS_MODULE Insert and remove kernel modules

CAP_SYS_NICE Priority of processes

CAP_SYS_PACCT Process accounting

CAP_SYS_RAWIO Modify kernel memory

CAP_SYS_RESOURCE Resource Limits

CAP_SYS_TIME System clock alteration

CAP_SYS_TTY_CONFIG Configure tty devices

CAP_SYSLOG Kernel syslogging (printk)

CAP_SYS_ADMIN All others

29

Docker Defenses

AppArmor / SELinux

◼ MAC frameworks

◼ Help with containment

◼ Learning them now, will pay off later

30

Docker Defenses

Audit subsystem

◼ Developed by Red Hat

◼ Files / system calls

◼ Monitors the (system | file) integrity

31

Docker Defenses

Audit (example)

# Time related calls-a always,exit -S adjtimex -S settimeofday -S stime -k time-change-a always,exit -S clock_settime -k time-change

# Hostname and domain-a always,exit -S sethostname -S setdomainname -k system-locale

# Password files-w /etc/group -p wa -k identity-w /etc/passwd -p wa -k identity-w /etc/shadow -p wa -k identity-w /etc/sudoers -p wa -k identity

32

Best Practices

33

Best Practices

Harden your Host

◼ Security = Defense in Depth

◼ Use AppArmor / SELinux / GRSEC

◼ Limit users / services / network

34

Best Practices

Harden your Host (cont.)

◼ Update your kernel on a regular basis

◼ Stay up-to-date with Docker

◼ Limit Docker permissions

35

Best Practices

Harden your Containers

◼ Use AppArmor / SELinux

◼ Drop capabilities (man capabilities)

◼ Filter syscalls (seccomp)

◼ Network filtering (iptables)

36

Best Practices

Docker News

◼ Stay informed

◼ Follow the Docker blog

◼ Keep an eye on Docker/LXC news

37

Best Practices

Docker Management

◼ Encrypt connections

◼ Configure and use TLS

◼ Set the DOCKER_HOST and DOCKER_TLS_VERIFY variable

38

Best Practices

SSH in containers

◼ Don't use this..

◼ Use “docker exec -it mycontainer bash” instead

39

Best Practices

Read-Only

◼ Mounts

◼ Data

◼ Configuration

40

Best Practices

User Mappings*

◼ Map users to non-privileged

◼ /etc/subuid

◼ /etc/subgid

* when available

41

Best Practices

Don't Trust

◼ Verify downloads

◼ Be careful with images from others

◼ Measure / monitor

42

Next Step..

Check out Linux-Audit.com

Scan your systems → Lynis

Connect with me:

E-mail michael@cisofy.comTwitter @mboelenGoogle+ +MichaelBoelenWeb https://cisofy.comBlog http://linux-audit.com

43

Feedback / Questions?

44