Docker Security - Secure Container Deployment on Linux

Post on 06-Aug-2015


Docker Security: Secure container deployment on Linux

openSUSE conference, The Hague, 3 May 2015

Michael Boelen, michael.boelen@cisofy.com

Michael Boelen

● Founder of CISOfy

● Security + Open Source

○ Rootkit Hunter (malware scan)

○ Lynis (security scan)

● Analysis → Simplify

2

Docker and Me

● Understanding

● Development

● Using it

3

Results of Research

● Limited resources

● Outdated articles

● Conflicting information

● Security not important?

Proposal: Let's fix (some of) these issues

4

Proposal

Security proposals

● Tooling to simplify Linux security → Lynis

● Articles about Docker security → Blog posts

● Provide input to (GitHub) projects → You

● Presentations → In progress

5

What

● Stabilize the vessel

● Secure containers

6

How

➔ Benefits

➔ Risks

➔ Defenses

➔ Best Practices

7

Photo credits: imagebase.net

Why?

Data!

8

Why Security?

Data!

● Docker + Software = Data Sharing

● Keep it confidential

9

Warning

From this point on, there might be lies...

10

Docker Benefits

11

Primary Benefits

● Flexibility

● Scalability

● Better testing

12

Segregation

● The art of splitting up things

● The "Holy Grail" of security

● Smaller units = more control

13

Granular Control

● Limit users, access and data

● Easier to understand

● Easier to defend

14

Information Disclosure

● Decreased chance of data leakage

● Less resources accessible

15

Risks

16

Risk: Software Issues

Software security

● Bugs

● Security vulnerabilities

● Regular updates needed

● Backdoors? Auditing?

17

Risk: Knowledge gap

Quickly evolving

● IT auditor

● Your colleagues

● You...?

18

Risk: "Does not contain"

No full isolation (yet)

● All containers share the host kernel: a kernel bug reachable from inside a container is a host compromise

● Treat containers as a host

● Know strengths and weaknesses

19

Defenses

20

Docker Website

Start at the download

● HTTPS

● Digital signatures

● Images verified after downloading (a digest check at the time of this talk; signed images via Docker Content Trust came with Docker 1.8)

21

Docker Containers

● Namespaces and cgroups

● Seccomp

● Capabilities

● Frameworks

22

Namespaces

Isolates parts of the OS

● PID namespaces

● Network namespaces

● User namespaces → not used by Docker at the time of this talk: uid 0 in the container is uid 0 on the host (remapping arrived in Docker 1.10)

23

Namespaces

More spaces

● IPC namespaces (process communication)

● UTS namespaces (hostname / NIS domain name)

● Mount namespaces

24

Seccomp

● Secure computing mode

● Filters syscalls with BPF

● Isolation, not virtualization

● Used in software like:

○ Chrome, OpenSSH, vsftpd

○ LXD and Mbox

25

Seccomp

Default list of blocked calls (examples)

● kexec_load (boot into another kernel)

● open_by_handle_at (opens files by handle, which with CAP_DAC_READ_SEARCH reaches files outside the container's mount namespace)

● init_module / finit_module (load kernel modules)

● delete_module (unload kernel modules)

Docker had no default seccomp profile when this talk was given; the one it ships since Docker 1.10 blocks all of these.

26

Control Groups (cgroups)

● Restrict resources

● Prioritize

● Accounting

● Control

27

Capabilities

● Root privileges → split into separate capabilities

● Default list of allowed capabilities (a container gets a limited set, not all of root)

● --cap-add / --cap-drop

● Combine: prefer --cap-drop=ALL plus --cap-add for the few you need; "add all, drop a few" leaves far more attack surface

28

Capabilities

Examples

● CAP_NET_ADMIN - Configure networking

● CAP_SETPCAP - Modify process capabilities

● CAP_SYS_MODULE - Insert and remove kernel modules

29
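
The capability slides say a container gets a default, limited set and that you should drop what is not needed. The POSIX shell script below is an added example, not code from the slides: it decodes the CapEff mask that any process reports in /proc/<pid>/status (the same line you would read inside a container with `grep CapEff /proc/self/status`) and builds the corresponding --cap-drop/--cap-add options. The bit numbers are those of <linux/capability.h>; the embedded mask 00000000a80425fb is the effective set of a container started with Docker's default capability list and is included so the script runs without a Docker daemon.

```shell
#!/bin/sh
# Added example, not from the slides: decode the effective capability set a
# process reports in /proc/<pid>/status and build the matching --cap-drop /
# --cap-add options. Bit numbers are from <linux/capability.h>.

CAP_CHOWN=0; CAP_DAC_OVERRIDE=1; CAP_SETPCAP=8; CAP_NET_BIND_SERVICE=10
CAP_NET_ADMIN=12; CAP_NET_RAW=13; CAP_SYS_MODULE=16; CAP_SYS_ADMIN=21
KNOWN_CAPS='CAP_CHOWN CAP_DAC_OVERRIDE CAP_SETPCAP CAP_NET_BIND_SERVICE
            CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_MODULE CAP_SYS_ADMIN'

# The CapEff mask a container gets from Docker's default capability list
# (`grep CapEff /proc/self/status` inside `docker run alpine`). Embedded so the
# example runs without Docker.
DOCKER_DEFAULT_CAPEFF=00000000a80425fb

# has_cap MASK BIT -> succeeds if capability BIT is set in the hex MASK
has_cap() {
    [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]
}

# list_caps MASK -> names of the known capabilities present in MASK, one per line
list_caps() {
    for name in $KNOWN_CAPS; do
        eval "bit=\$$name"
        has_cap "$1" "$bit" && printf '%s\n' "$name"
    done
    return 0
}

# capeff_of [PID] -> the CapEff mask of a live process (default: this shell)
capeff_of() {
    awk '/^CapEff:/ { print $2 }' "/proc/${1:-self}/status"
}

# run_opts CAP... -> docker run options that drop everything and re-add only CAP...
run_opts() {
    printf '%s' '--cap-drop=ALL'
    for c in "$@"; do printf ' --cap-add=%s' "${c#CAP_}"; done
    printf '\n'
}

# Example: a web server needs to bind port 80 and nothing else
# docker run $(run_opts CAP_NET_BIND_SERVICE) -d nginx
```

Running `list_caps "$DOCKER_DEFAULT_CAPEFF"` shows that NET_ADMIN, SYS_MODULE and SYS_ADMIN are already absent from the default set, but CHOWN, DAC_OVERRIDE, SETPCAP, NET_BIND_SERVICE and NET_RAW are present; most services need none of them, which is the argument for starting from --cap-drop=ALL.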

Frameworks

AppArmor / SELinux

● MAC frameworks

● Help with containment

● Learning them now will pay off later

30

Audit Subsystem

● Linux kernel audit subsystem (developed mainly by Red Hat)

● Logs file access and system calls, selected by rules

● Watches on key files and syscalls reveal changes to system integrity

● Rules are kernel-wide: load them on the Docker host, a container cannot run its own auditd

31

Auditing

Audit (example)

# Time related calls (stime exists only in the 32-bit ABI, so each syscall
# rule carries an arch filter; without it auditctl on x86_64 rejects the rule)
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
# Hostname and domain
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale

# Password files (write and attribute changes)
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k identity

32
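
Rules are only half of auditing; somebody has to read the records. The script below is an added example, not from the slides: it groups SYSCALL records by the -k key of the rule that produced them and reports who did what, using auid (the uid at login, which survives su and sudo) rather than uid. The three records are constructed to look like /var/log/audit/audit.log output of the rules above and are not captures from a real system; pass a real log file as the argument on an audit-enabled host.

```shell
#!/bin/sh
# Added example, not from the slides: summarise audit records by the -k key of
# the rule that produced them. The records below are constructed to look like
# /var/log/audit/audit.log SYSCALL events from the rules above; they are not
# captures from a real system.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1430650001.101:201): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd2a1c a1=241 a2=1b6 a3=0 items=1 ppid=1 pid=2201 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="identity"
type=SYSCALL msg=audit(1430650002.202:202): arch=c000003e syscall=170 success=yes exit=0 a0=7ffd2b00 a1=6 a2=0 a3=0 items=0 ppid=1 pid=2202 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="hostname" exe="/bin/hostname" key="system-locale"
type=SYSCALL msg=audit(1430650003.303:203): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd2c10 a1=2 a2=0 a3=0 items=1 ppid=1 pid=2203 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="cat" exe="/bin/cat" key="identity"'

# audit_records [FILE] -> the records to analyse (embedded sample by default;
# pass /var/log/audit/audit.log on a real host)
audit_records() {
    if [ -n "${1:-}" ]; then cat "$1"; else printf '%s\n' "$SAMPLE_AUDIT_LOG"; fi
}

# audit_count_key KEY [FILE] -> how many SYSCALL records the rule tagged KEY produced
audit_count_key() {
    audit_records "${2:-}" | grep -c "^type=SYSCALL .*key=\"$1\"" || true
}

# audit_report [FILE] -> one line per SYSCALL record: key, login uid, command, outcome.
# auid is the uid at login and survives su/sudo, so it names the person, not "root".
audit_report() {
    audit_records "${1:-}" | awk '
        function field(name,   i, v) {
            for (i = 1; i <= NF; i++)
                if (index($i, name "=") == 1) {
                    v = substr($i, length(name) + 2)
                    gsub(/"/, "", v)
                    return v
                }
            return "-"
        }
        /^type=SYSCALL/ {
            printf "%s auid=%s comm=%s success=%s\n",
                   field("key"), field("auid"), field("comm"), field("success")
        }'
}
```

The third sample record (success=no, exit=-13, i.e. EACCES) is the interesting one: a failed access to a password file by an unprivileged login is exactly the kind of event the identity key is meant to surface, and it is only visible because the watch is on the file rather than on a specific command.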

Best Practices

33

Docker Host Hardening 1/2

● Security = Defense in Depth

● Use AppArmor / SELinux / GRSEC

● Limit

○ users / services / network

34

Docker Host Hardening 2/2

● Update your kernel on a regular basis

● Stay up-to-date with Docker

● Limit Docker permissions

35

Containers

Harden your Containers

● Use AppArmor / SELinux

● Drop capabilities (man capabilities)

● Filter syscalls (seccomp)

● Network filtering (iptables)

36

Read-Only Containers

Least amount of privileges

● Docker 1.5

● --read-only (root filesystem mounted read-only)

● Restrict writing to volumes: mount only the paths the service must write (e.g. /tmp, /run) as volumes

37

Logging

Don't let containers be a black box

● Docker 1.6

● --log-driver

○ none

○ syslog (ships logs off the container, and off the host)

○ json-file (the default; logs stay on the host)

38

Limit Resources

Ulimit

● Containers inherit the daemon's limits, usually far above what one service needs

● Set new container default

○ Docker 1.6

○ --default-ulimit (daemon option)

● On run: --ulimit (e.g. --ulimit nofile=1024:2048)

39
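
The Best Practices slides list the run-time defenses one flag at a time; the script below is an added example, not from the slides, that assembles them into one `docker run` command line next to the unhardened default, and writes the seccomp profile for the five syscalls named on the Seccomp slide. The functions only produce text and a file, so they run without a Docker daemon; the image name and profile path are placeholders. Note that --security-opt seccomp=FILE exists since Docker 1.10, after this talk, and that Docker's own default profile since then is an allow-list that already blocks those five syscalls.

```shell
#!/bin/sh
# Added example, not from the slides: build the `docker run` command line that
# applies the Best Practices above (read-only root, writable volumes only where
# needed, dropped capabilities, a seccomp profile, ulimits, a log driver) and
# show it next to the unhardened default. The functions only produce text and a
# file, so they run without a Docker daemon; image name and profile path are
# placeholders.

# write_seccomp_profile FILE -> a deny-list profile for the five syscalls named
# on the Seccomp slide. Docker loads such a file with --security-opt
# seccomp=FILE since 1.10 (after this talk; "names" is the current profile
# format). Docker's default profile is an allow-list that already blocks all
# five; a deny-list like this is only for tightening a custom allow-list.
write_seccomp_profile() {
    cat > "$1" <<'EOF'
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    {
      "names": ["kexec_load", "open_by_handle_at", "init_module", "finit_module", "delete_module"],
      "action": "SCMP_ACT_ERRNO"
    }
  ]
}
EOF
}

# unhardened_run IMAGE -> what most tutorials show: all default capabilities,
# writable root filesystem, inherited ulimits, logs kept as json-file on the host
unhardened_run() {
    printf 'docker run -d %s\n' "$1"
}

# hardened_run IMAGE PROFILE -> the same container with the defenses applied.
# /run and /tmp become anonymous volumes because a read-only root filesystem
# still needs somewhere for pid files and scratch data.
hardened_run() {
    image=$1 profile=$2
    set -- \
        --read-only \
        -v /run -v /tmp \
        --cap-drop=ALL --cap-add=NET_BIND_SERVICE \
        --security-opt "seccomp=$profile" \
        --ulimit nofile=1024:2048 --ulimit nproc=64 \
        --log-driver=syslog
    printf 'docker run -d %s %s\n' "$*" "$image"
}

# has_option CMD OPTION -> succeeds if the command line carries OPTION as a word
has_option() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}
```

With --read-only in place, anything the service tries to write outside /run and /tmp fails with EROFS, which is the check to run first: start the container, exercise it, and add a volume only for each path that shows up in the errors.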

Docker Management

"Invisibilize"

● Encrypt connections (never expose the daemon on TCP without TLS: whoever reaches the daemon is root on the host)

● Configure and use TLS (--tlsverify on the daemon), set variables:

○ DOCKER_HOST

○ DOCKER_TLS_VERIFY

○ DOCKER_CERT_PATH

40

Docker Management

SSH in containers

● Don't use this: an sshd in every container adds a daemon, keys and a network service to maintain

● Use "docker exec -it mycontainer bash"

41

Read-Only

● Mounts (-v host:container:ro)

● Data

● Configuration

● Use --read-only for the root filesystem

42

Using Mappings

● Map container users to unprivileged host users (user namespaces)

○ /etc/subuid

○ /etc/subgid

● Docker added this as --userns-remap in 1.10, after this talk

43
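
What a subuid mapping actually does is easier to see with numbers. The script below is an added example, not from the slides: it reads /etc/subuid-style ranges, computes the host UID a container UID lands on, and checks a candidate range against the host's real accounts. Both sample files are constructed input, not copied from a real host; "dockremap" is the user name Docker's --userns-remap=default creates.

```shell
#!/bin/sh
# Added example, not from the slides: work out what a user-namespace mapping
# from /etc/subuid does to a container UID, and check a candidate range against
# the host's real accounts. Both sample files are constructed input, not copied
# from a real host; "dockremap" is the name Docker's --userns-remap=default uses.
SAMPLE_SUBUID='dockremap:100000:65536
alice:165536:65536'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh'

# subuid_range NAME [FILE] -> "START COUNT" for NAME's first range, nothing if absent
subuid_range() {
    if [ -n "${2:-}" ]; then cat "$2"; else printf '%s\n' "$SAMPLE_SUBUID"; fi |
    awk -F: -v who="$1" '$1 == who { print $2, $3; exit }'
}

# host_uid NAME CONTAINER_UID -> the host UID that CONTAINER_UID maps to under
# NAME's range; fails if the UID is outside the range (such UIDs have no host
# identity and show up inside the container as the overflow id, nobody)
host_uid() {
    set -- "$1" "$2" $(subuid_range "$1")
    [ $# -eq 4 ] || return 1                          # no range for NAME
    [ "$2" -ge 0 ] && [ "$2" -lt "$4" ] || return 1   # outside START..START+COUNT-1
    echo $(( $3 + $2 ))
}

# range_clashes START COUNT [PASSWD] -> succeeds if a real account's UID falls
# inside the range, i.e. a container process could end up owning that
# account's files on bind-mounted host paths
range_clashes() {
    if [ -n "${3:-}" ]; then cat "$3"; else printf '%s\n' "$SAMPLE_PASSWD"; fi |
    awk -F: -v s="$1" -v n="$2" '$3 + 0 >= s + 0 && $3 + 0 < s + n { hit = 1 } END { exit !hit }'
}
```

Container root (uid 0) under the dockremap range is host uid 100000, an account with no privileges and no files; that is the whole point of the mapping. On a real host run `range_clashes START COUNT /etc/passwd` before adding a range, and remember the same check applies to /etc/subgid.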

Trust

Or Don't...

● Verify downloads

● Be careful with images from others

● Measure, monitor, audit

44

Auditing

Tools

● Lynis

● OpenSCAP

45

Docker News

Things go quick with Docker

● Stay informed

● Follow the Docker blog

● Keep an eye on Docker (/LXC/LXD) news

46

Questions?

47

More Docker Security

● Blog: linux-audit.com

● Twitter: @mboelen

48