Docker security configuration

DOCKER SECURITY CONFIGURATIONReal-World Examples and Troubleshooting

OVERVIEW Capabilities

Seccomp

Demo demo demo!

THEME

None of my demos should “work” the first time.

CAPABILITIESWorst to best:

Run with --privileged=true

Run with –cap-add ALL

Run with --cap-drop ALL --cap-add <only needed>

Run as non-root user, unprivileged

Useful: capabilities section of https://docs.docker.com/engine/reference/run/

https://docs.docker.com/engine/reference/run/


DEMO SECTION ONE

REMEMBER THIS?From my Monday talk. Even in dev you should do this. Break the bad habit.

Do as I say, not as I do!

SECCOMP3 sections:

Default Action Target architectures Filter rules

Like firewall rules, but harder to debug!

DEMO SECTION TWO

SECCOMP RETURN VALUES SECCOMP_RET_KILL SECCOMP_RET_TRAP SECCOMP_RET_ERRNO SECCOMP_RET_TRACE SECCOMP_RET_ALLOW

SECCOMP RETURN VALUES SECCOMP_RET_KILL SECCOMP_RET_TRAP SECCOMP_RET_ERRNO SECCOMP_RET_TRACE SECCOMP_RET_ALLOW

https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt



DOCKER SECCOMP ACTIONS SECCOMP_RET_KILL SECCOMP_RET_TRAP SECCOMP_RET_ERRNO SCMP_ACT_ERRNO SECCOMP_RET_TRACE SECCOMP_RET_ALLOW SCMP_ACT_ALLOW




HOW TO BUILD A SECCOMP PROFILE?We need to build a list of system calls called by the program…

…that we want to succeed

Guess (preferably educated) RTFM (thanks John!) Capture behavior – maybe /usr/sbin/strace Disassembly?

DEMO SECTION THREE

LAW OF DIMINISHING RETURNSGetting that last 1% can be expensive

DEMO SECTION FOUR

SET IT AND FORGET IT! no-new-privileges

TOOLS Modern OS objdump (from binutils) nm strace auditd (some day…)

RECOMMENDED READING

Study: https://docs.docker.com/engine/reference/run/ https://github.com/docker/docker/blob/master/profiles/seccomp/default.json




https://github.com/docker/docker/blob/master/profiles/seccomp/default.json



WAS THIS USEFUL? @johnlkinsella

http://layeredinsight.com

http://github.com/jlk

http://layeredinsight.com/

http://github.com/jlk

REFERENCES https://github.com/docker/docker/blob/master/docs/security/seccomp.md http://man7.org/linux/man-pages/man3/seccomp_rule_add.3.html http://linux.die.net/man/1/capsh https://

github.com/jfrazelle/blog/blob/master/content/post/how-to-use-new-docker-seccomp-profiles.md

http://www.slideshare.net/Docker/docker-security-workshop-slides https://filippo.io/linux-syscall-table/ http://dockersl.im

https://github.com/docker/docker/blob/master/docs/security/seccomp.md

https://github.com/docker/docker/blob/master/docs/security/seccomp.md

http://man7.org/linux/man-pages/man3/seccomp_rule_add.3.html

http://man7.org/linux/man-pages/man3/seccomp_rule_add.3.html

http://linux.die.net/man/1/capsh

http://linux.die.net/man/1/capsh

https://github.com/jfrazelle/blog/blob/master/content/post/how-to-use-new-docker-seccomp-profiles.md



http://www.slideshare.net/Docker/docker-security-workshop-slides

http://www.slideshare.net/Docker/docker-security-workshop-slides

https://filippo.io/linux-syscall-table/

https://filippo.io/linux-syscall-table/

http://dockersl.im/

Date post:	13-Apr-2017
Category:	Technology
Upload:	john-kinsella
View:	95 times
Download:	0 times

Docker security configuration

Technology