Date posted: 06-Aug-2015
Uploaded by: michael-boelen
Docker Security: Secure container deployment on Linux
openSUSE conference, The Hague, 3 May 2015
Michael [email protected]
Michael Boelen
● Founder of CISOfy
● Security + Open Source
○ Rootkit Hunter (malware scan)
○ Lynis (security scan)
● Analysis → Simplify
2
Docker and Me
● Understanding
● Development
● Using it
3
Results of Research
● Limited resources
● Outdated articles
● Conflicting information
● Security not important?
Proposal: Let's fix (some of) these issues
4
Proposal
Security proposals
● Tooling to simplify Linux security → Lynis
● Articles about Docker security → Blog posts
● Provide input to (GitHub) projects → You
● Presentations → In progress
5
What
● Stabilize the vessel
● Secure containers
6
How
➔ Benefits
➔ Risks
➔ Defenses
➔ Best Practices
7
Photo credits: imagebase.net
Why?
Data!
8
Why Security?
Data!
● Docker + Software = Data Sharing
● Keep it confidential
9
Warning
From this point on, there might be lies...
10
Docker Benefits
11
Primary Benefits
● Flexibility
● Scalability
● Better testing
12
Segregation
● The art of splitting up things
● The "Holy Grail" of security
● Smaller units = more control
13
Granular Control
● Limit users, access and data
● Easier to understand
● Easier to defend
14
Information Disclosure
● Decreased chance of data leakage
● Less resources accessible
15
Risks
16
Risk: Software Issues
Software security
● Bugs
● Security vulnerabilities
● Regular updates needed
● Backdoors? Auditing?
17
Risk: Knowledge gap
Quickly evolving
● IT auditor
● Your colleagues
● You...?
18
Risk: "Does not contain"
No full isolation (yet)
● Treat containers as a host
● Know strengths and weaknesses
19
Defenses
20
Docker Website
Start at the download
● HTTPS
● Digital signatures
● Images verified after downloading
21
Docker Containers
● Namespaces and cgroups
● Seccomp
● Capabilities
● Frameworks
22
Namespaces
Isolates parts of the OS
● PID namespaces
● Network namespaces
● User namespaces → Not really!
23
Namespaces
More spaces
● IPC namespaces (process communication)
● UTS namespaces (hostname/NIS)
● Mount namespaces
24
Seccomp
● Secure computing mode
● Filters syscalls with BPF
● Isolation, not virtualization
● Used in software like:
○ Chrome, OpenSSH, vsftpd
○ LXD and Mbox
25
Seccomp
Default list of blocked calls
● kexec_load
● open_by_handle_at
● init_module
● finit_module
● delete_module
26
Control Groups (cgroups)
● Restrict resources
● Prioritize
● Accounting
● Control
27
Capabilities
● Root user → split into roles
● Default list of allowed capabilities
● --cap-add / --cap-drop
● Combine (e.g. add all, drop a few)
28
Capabilities
Examples
● CAP_NET_ADMIN - Configure networking
● CAP_SETPCAP - Process capabilities
● CAP_SYS_MODULE - Insert and remove kernel modules
29
Frameworks
AppArmor / SELinux
● MAC frameworks
● Help with containment
● Learning them now, will pay off later
30
Audit Subsystem
● Developed by Red Hat
● Files / system calls
● Monitors the (system | file) integrity
31
Auditing
Audit (example)
# Time related calls
-a always,exit -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -S clock_settime -k time-change
# Hostname and domain
-a always,exit -S sethostname -S setdomainname -k system-locale
# Password files
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k identity
32
Best Practices
33
Docker Host Hardening 1/2
● Security = Defense in Depth
● Use AppArmor / SELinux / GRSEC
● Limit
○ users / services / network
34
Docker Host Hardening 2/2
● Update your kernel on a regular basis
● Stay up-to-date with Docker
● Limit Docker permissions
35
Containers
Harden your Containers
● Use AppArmor / SELinux
● Drop capabilities (man capabilities)
● Filter syscalls (seccomp)
● Network filtering (iptables)
36
Read-Only Containers
Least amount of privileges
● Docker 1.5
● --read-only
● Restrict writing to volumes
37
Logging
Don't let containers be a black box
● Docker 1.6
● --log-driver
○ none
○ syslog
○ json-file
38
Limit Resources
Ulimit
● Default too high
● Set new container default
○ Docker 1.6
○ --default-ulimit
● On run: --ulimit
39
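As an added example (not from the slides), a small Python check that reads `docker inspect` output and flags the settings the Containers, Read-Only Containers, Logging and Limit Resources slides recommend: root filesystem not read-only, default capabilities kept, powerful capabilities added, no log driver, no ulimits. The inspect data is constructed inline; the field names follow the HostConfig section of Docker's inspect output, and the capability list is an assumption taken from the examples on the Capabilities slide.

```python
import json

# Constructed sample shaped like `docker inspect <container>` output; only the
# HostConfig fields this check reads are included.
WEAK_CONTAINER = json.dumps([{"Name": "/app-weak", "HostConfig": {
    "Privileged": False, "ReadonlyRootfs": False,
    "CapAdd": ["CAP_SYS_MODULE"], "CapDrop": [],
    "LogConfig": {"Type": "none", "Config": {}}, "Ulimits": None}}])

HARDENED_CONTAINER = json.dumps([{"Name": "/app-hardened", "HostConfig": {
    "Privileged": False, "ReadonlyRootfs": True,
    "CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"],
    "LogConfig": {"Type": "syslog", "Config": {}},
    "Ulimits": [{"Name": "nofile", "Soft": 1024, "Hard": 2048}]}}])

# Capabilities the slides name as examples of powerful ones (assumed list; extend as needed).
RISKY_CAPS = {"NET_ADMIN", "SETPCAP", "SYS_MODULE"}

def _cap_name(cap):
    """Normalise 'CAP_SYS_MODULE' / 'sys_module' to 'SYS_MODULE'."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap

def audit_container(inspect_json):
    """Return findings (strings) for the first container in inspect output."""
    hc = json.loads(inspect_json)[0].get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged container: every capability and device exposed")
    if not hc.get("ReadonlyRootfs"):
        findings.append("writable root filesystem: run with --read-only")
    dropped = {_cap_name(c) for c in hc.get("CapDrop") or []}
    added = {_cap_name(c) for c in hc.get("CapAdd") or []}
    if "ALL" not in dropped:
        findings.append("default capability set kept: --cap-drop=ALL, then --cap-add only what is needed")
    for cap in sorted(added & RISKY_CAPS):
        findings.append(f"powerful capability added: CAP_{cap}")
    if (hc.get("LogConfig") or {}).get("Type") in (None, "none"):
        findings.append("no log driver: container is a black box (--log-driver)")
    if not hc.get("Ulimits"):
        findings.append("no ulimits: daemon default applies (--ulimit / --default-ulimit)")
    return findings

if __name__ == "__main__":
    for name, data in (("weak", WEAK_CONTAINER), ("hardened", HARDENED_CONTAINER)):
        print(name, audit_container(data) or ["OK"])
```

On a real host, feed it `docker inspect <container>` and review each finding against the slides' best practices.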
Docker Management
"Invisibilize"
● Encrypt connections
● Configure and use TLS, set variables:
○ DOCKER_HOST
○ DOCKER_TLS_VERIFY
40
Docker Management
SSH in containers
● Don't use this...
● Use “docker exec -it mycontainer bash”
41
Read-Only
● Mounts
● Data
● Configuration
● Use --read-only
42
Using Mappings
● Map users to non-privileged
○ /etc/subuid
○ /etc/subgid
43
Trust
Or Don't...
● Verify downloads
● Be careful with images from others
● Measure, monitor, audit
44
Auditing
Tools
● Lynis
● OpenSCAP
45
Docker News
Things go quick with Docker
● Stay informed
● Follow the Docker blog
● Keep an eye on Docker (/LXC/LXD) news
46
Questions?
47
More Docker Security
● Blog: linux-audit.com
● Twitter: @mboelen
48