Date posted: 14-Jul-2015
Category: Software
Uploaded by: michael-boelen
Docker Amsterdam Meetup - January 2015
1
Docker Security
Are Your Containers Tightly Secured To The Ship?
Michael Boelen, CISOfy
2
whoami
Michael Boelen
◼ Founder of CISOfy
◼ Open Source developer: Rootkit Hunter and Lynis
◼ Passion for Linux security / auditing
◼ Blogging about it: Linux-Audit.com
3
Docker and Me
My Reasons
Understanding: New technology
Development: Docker security scan (Lynis plugin)
Using it: Server deployments
4
Docker and Security
The Research...
Limited resources
Outdated articles
Security not important?
Proposal: Let's fix these issues
5
Docker and Security
Proposal
Tooling: simplify Linux security → Lynis
Articles about Docker security → Blog post
Provide input to projects → You!
Presentations → In progress
6
Goal
What
Stabilize the vessel
Secure the containers
7
Goal
Photo credits: imagebase.net
How
Benefits
Risks
Defenses
Best Practices
8
Goal
Why?
9
Goal
Data!
Docker + Software = Data Sharing
And... Protect it
10
Warning
From this point, there might be lies...
11
Security Benefits of Docker
12
Security Benefits
Segregation
◼ The “Holy Grail” of security
◼ Smaller units means more control
13
Security Benefits
Granular control
◼ Limit users, access and data
◼ Easier to understand
◼ Easier to defend
14
Security Benefits
Information Disclosure
◼ Decreased data leakage
◼ Less resources available
15
Docker Risks
16
Docker Risks
Software security
◼ Bugs
◼ Security vulnerabilities
◼ Regular updates needed
◼ Backdoors? Auditing?
17
Docker Risks
Knowledge gap
◼ IT auditor
◼ Your colleagues
◼ You...?
18
Docker Risks
Does Not Contain
◼ No full isolation (yet)
◼ Handle containers as a host
◼ Know strengths and weaknesses
19
Docker Defenses
20
Docker Defenses
Docker Website
◼ HTTPS
◼ Digital signatures
◼ Images verified after downloading
21
Docker Defenses
Docker Containers
◼ Namespaces and cgroups
◼ Seccomp
◼ Capabilities
◼ Frameworks
Copyright Docker, Inc
22
Docker Defenses
Namespaces
◼ Isolates parts of the OS
◼ PID namespaces
◼ Network namespaces
◼ User namespaces → Not really!
23
Docker Defenses
Namespaces (cont.)
◼ IPC namespaces (process communication)
◼ UTS namespaces (hostname/NIS)
◼ Mount namespaces
24
Docker Defenses
Seccomp
◼ Secure computing mode
◼ Filters syscalls with BPF
◼ Isolation, not virtualization
◼ Used in Chrome, OpenSSH, vsftpd, LXD and Mbox
25
Docker Defenses
Seccomp
◼ Default list of blocked calls
◼ kexec_load
◼ open_by_handle_at
◼ init_module
◼ finit_module
◼ delete_module
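To make the "filters syscalls with BPF" slide concrete, here is an added example (my code, not the deck's and not Docker's own filter) that builds a seccomp-BPF program blocking exactly the five syscalls listed above with EPERM and allowing everything else. It assumes Linux on x86_64 or aarch64; the function names build_filter, decision_for, decision_for_arch and install_filter are mine. The small interpreter lets you check the policy in user space before installing it, which is how you would verify a filter in a test rather than by crashing a container.

```c
/* Added example, not code from the deck: seccomp-BPF filter that returns EPERM for
 * the five syscalls the slide lists and allows everything else. Linux only; the
 * audit arch is checked first so a foreign syscall table cannot alias the numbers. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* The syscalls the slide lists as blocked by default. */
static const int blocked[] = {
    SYS_kexec_load, SYS_open_by_handle_at, SYS_init_module,
    SYS_finit_module, SYS_delete_module,
};
#define NBLOCKED (sizeof blocked / sizeof blocked[0])

/* Layout: arch load, arch check, KILL, nr load, NBLOCKED compares, ALLOW, ERRNO. */
static struct sock_filter insns[NBLOCKED + 6];

struct sock_fprog build_filter(void)
{
    size_t n = 0;
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                              offsetof(struct seccomp_data, arch));
    insns[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                              offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < NBLOCKED; i++) {
        /* On a match, jump over the remaining compares and the ALLOW to the ERRNO return. */
        unsigned char skip = (unsigned char)(NBLOCKED - i);
        insns[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                  (unsigned int)blocked[i], skip, 0);
    }
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = insns };
    return prog;
}

/* Tiny interpreter for the opcode subset used above, so the policy can be checked
 * in user space before it is installed. Anything else fails closed (KILL). */
static unsigned int eval_filter(const struct sock_fprog *prog, const struct seccomp_data *d)
{
    unsigned int acc = 0;
    for (unsigned int pc = 0; pc < prog->len; pc++) {
        const struct sock_filter *in = &prog->filter[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            memcpy(&acc, (const char *)d + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;
}

/* Decision the filter would make for syscall nr arriving with audit arch arch. */
unsigned int decision_for_arch(int nr, unsigned int arch)
{
    struct sock_fprog prog = build_filter();
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.nr = nr;
    d.arch = arch;
    return eval_filter(&prog, &d);
}

unsigned int decision_for(int nr) { return decision_for_arch(nr, ARCH_NR); }

/* Install the filter for this process and every child it spawns afterwards. */
int install_filter(void)
{
    struct sock_fprog prog = build_filter();
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    for (size_t i = 0; i < NBLOCKED; i++)
        printf("syscall %3d -> %s\n", blocked[i],
               decision_for(blocked[i]) == SECCOMP_RET_ALLOW ? "allow" : "EPERM");
    printf("syscall %3d -> %s (getpid)\n", SYS_getpid,
           decision_for(SYS_getpid) == SECCOMP_RET_ALLOW ? "allow" : "EPERM");
    if (install_filter() != 0) { perror("install_filter"); return 1; }
    /* Ordinary syscalls keep working once the filter is in place. */
    printf("filter installed; getpid() = %ld\n", (long)syscall(SYS_getpid));
    return 0;
}
```

Returning EPERM instead of KILL for the blocked calls is what keeps a container usable: a program that probes for a feature sees a normal error instead of dying, while the kernel-module and kexec paths stay closed. PR_SET_NO_NEW_PRIVS is required before an unprivileged process may install a filter, and it also guarantees that a later setuid binary cannot gain privileges under the filter.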
26
Docker Defenses
Control Groups (cgroups)
◼ Restrict resources
◼ Prioritize
◼ Accounting
◼ Control
27
Docker Defenses
Capabilities
◼ = Root user, split into roles
◼ Default list of allowed capabilities
◼ --cap-add / --cap-drop
◼ Combine (e.g. add all, drop a few)
28
Docker Defenses
Capability | Functionality
CAP_AUDIT_WRITE | Audit log write access
CAP_AUDIT_CONTROL | Configure Linux Audit subsystem
CAP_MAC_OVERRIDE | Override kernel MAC policy
CAP_MAC_ADMIN | Configure kernel MAC policy
CAP_NET_ADMIN | Configure networking
CAP_SETPCAP | Process capabilities
CAP_SYS_MODULE | Insert and remove kernel modules
CAP_SYS_NICE | Priority of processes
CAP_SYS_PACCT | Process accounting
CAP_SYS_RAWIO | Modify kernel memory
CAP_SYS_RESOURCE | Resource limits
CAP_SYS_TIME | System clock alteration
CAP_SYS_TTY_CONFIG | Configure tty devices
CAP_SYSLOG | Kernel syslogging (printk)
CAP_SYS_ADMIN | All others
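The two capability slides above (root split into roles, --cap-add / --cap-drop, and the table) and the later "Drop capabilities" best practice all come down to one question inside a running container: which capabilities does the process actually hold? This added example (my code, not the deck's) answers it by decoding the CapEff bitmask from /proc/<pid>/status into names and reporting anything outside an allow-list. The sample status text is constructed; its mask value is the default set Docker granted to containers at the time (CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID, SETUID, SETPCAP, NET_BIND_SERVICE, NET_RAW, SYS_CHROOT, MKNOD, AUDIT_WRITE, SETFCAP). The four-entry allow-list is a hypothetical policy for a web server, and all function names are mine.

```c
/* Added example, not code from the deck: decode the CapEff bitmask of
 * /proc/<pid>/status into capability names and flag anything a policy does not
 * allow. Run inside a container it shows whether --cap-drop left the process
 * with exactly the set you intended. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Kernel capability numbers 0..37 in order (see capabilities(7)). */
static const char *const cap_names[] = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
};
#define NCAPS (sizeof cap_names / sizeof cap_names[0])

/* Constructed sample of the capability lines in /proc/<pid>/status. The mask is
 * the 14-capability default set Docker granted to containers at the time. */
const char sample_status[] =
    "Name:\tnginx\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n";

int cap_number(const char *name)
{
    for (size_t i = 0; i < NCAPS; i++)
        if (strcmp(cap_names[i], name) == 0)
            return (int)i;
    return -1;
}

static void cap_name_into(int n, char *buf, size_t len)
{
    if (n >= 0 && (size_t)n < NCAPS) snprintf(buf, len, "%s", cap_names[n]);
    else snprintf(buf, len, "CAP_%d", n);   /* newer than this table */
}

/* Find "<field>:" (e.g. CapEff) in status text and parse its hex mask. */
int parse_cap_mask(const char *status, const char *field, uint64_t *mask)
{
    size_t flen = strlen(field);
    for (const char *p = status; p && *p; p = p ? p + 1 : NULL) {
        if (strncmp(p, field, flen) == 0 && p[flen] == ':') {
            *mask = strtoull(p + flen + 1, NULL, 16);  /* skips the tab */
            return 0;
        }
        p = strchr(p, '\n');
    }
    return -1;
}

int has_cap(uint64_t mask, const char *name)
{
    int n = cap_number(name);
    return n >= 0 && ((mask >> n) & 1u);
}

int count_caps(uint64_t mask)
{
    int n = 0;
    for (; mask; mask >>= 1) n += (int)(mask & 1u);
    return n;
}

/* Capabilities present in mask but absent from allowed[]; names go to report. */
int unexpected_caps(uint64_t mask, const char *const *allowed, int n_allowed,
                    char *report, size_t len)
{
    int bad = 0;
    if (len) report[0] = '\0';
    for (int i = 0; i < 64; i++) {
        if (!((mask >> i) & 1u)) continue;
        int ok = 0;
        for (int j = 0; j < n_allowed; j++)
            if (cap_number(allowed[j]) == i) ok = 1;
        if (ok) continue;
        char name[32];
        cap_name_into(i, name, sizeof name);
        size_t used = strlen(report);
        snprintf(report + used, len > used ? len - used : 0, "%s%s", used ? " " : "", name);
        bad++;
    }
    return bad;
}

int main(void)
{
    char status[8192];
    FILE *f = fopen("/proc/self/status", "r");
    size_t got = f ? fread(status, 1, sizeof status - 1, f) : 0;
    if (f) fclose(f);
    status[got] = '\0';
    const char *text = got ? status : sample_status;  /* fall back to the sample */
    /* Hypothetical policy: what a web server in this container should need. */
    const char *const allowed[] = { "CAP_NET_BIND_SERVICE", "CAP_CHOWN", "CAP_SETUID", "CAP_SETGID" };
    uint64_t eff;
    if (parse_cap_mask(text, "CapEff", &eff) != 0) { fputs("no CapEff line\n", stderr); return 1; }
    char report[1024];
    int bad = unexpected_caps(eff, allowed, 4, report, sizeof report);
    printf("CapEff = %016llx (%d capabilities)\n", (unsigned long long)eff, count_caps(eff));
    printf("%d outside policy: %s\n", bad, bad ? report : "(none)");
    return 0;
}
```

Against the sample mask the check reports ten capabilities the hypothetical policy did not ask for, NET_RAW and MKNOD among them, which is the list you would feed to --cap-drop. Comparing CapBnd as well as CapEff tells you whether a capability is merely unused or genuinely unreachable for the whole process tree.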
29
Docker Defenses
AppArmor / SELinux
◼ MAC frameworks
◼ Help with containment
◼ Learning them now will pay off later
30
Docker Defenses
Audit subsystem
◼ Developed by Red Hat
◼ Files / system calls
◼ Monitors the (system | file) integrity
31
Docker Defenses
Audit (example)
# Time related calls (stime exists only in the 32-bit syscall table)
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
# Hostname and domain
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
# Password files (watch writes and attribute changes)
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k identity
32
Best Practices
33
Best Practices
Harden your Host
◼ Security = Defense in Depth
◼ Use AppArmor / SELinux / GRSEC
◼ Limit users / services / network
34
Best Practices
Harden your Host (cont.)
◼ Update your kernel on a regular basis
◼ Stay up-to-date with Docker
◼ Limit Docker permissions
35
Best Practices
Harden your Containers
◼ Use AppArmor / SELinux
◼ Drop capabilities (man capabilities)
◼ Filter syscalls (seccomp)
◼ Network filtering (iptables)
36
Best Practices
Docker News
◼ Stay informed
◼ Follow the Docker blog
◼ Keep an eye on Docker/LXC news
37
Best Practices
Docker Management
◼ Encrypt connections
◼ Configure and use TLS
◼ Set the DOCKER_HOST and DOCKER_TLS_VERIFY variables
38
Best Practices
SSH in containers
◼ Don't use this.
◼ Use “docker exec -it mycontainer bash” instead
39
Best Practices
Read-Only
◼ Mounts
◼ Data
◼ Configuration
40
Best Practices
User Mappings*
◼ Map users to non-privileged
◼ /etc/subuid
◼ /etc/subgid
* when available
41
Best Practices
Don't Trust
◼ Verify downloads
◼ Be careful with images from others
◼ Measure / monitor
42
Next Step
Check out Linux-Audit.com
Scan your systems → Lynis
Connect with me:
E-mail: [email protected]
Twitter: @mboelen
Google+: +MichaelBoelen
Web: https://cisofy.com
Blog: http://linux-audit.com
43
Feedback / Questions?
44