Testing Docker Images Security (José Manuel Ortega, November 2017)
Date post: 12-Jun-2020

Transcript

WhoamI

Testing Docker Images Security

José Manuel Ortega, November 2017

WhoamI

@jmortegac

jmortega.github.io

about.me/jmortegac

1. Introduction to Docker security
2. Security best practices
3. Tools for auditing the Docker host
4. Tools for auditing Docker images
5. Demo

Virtualization vs containers

Container pipeline

Security mechanisms

● Docker uses several mechanisms:
  ○ Linux kernel namespaces
  ○ Linux Control Groups (cgroups)
  ○ The Docker daemon
  ○ Linux capabilities (libcap)
  ○ Linux security mechanisms like AppArmor, SELinux, Seccomp

Namespaces

● Provides an isolated view of the system where processes cannot see other processes in other containers.
● Each container also gets its own network stack.
● A container doesn’t get privileged access to the sockets or interfaces of another container.

Cgroups && capabilities

● Cgroups: kernel feature that limits and isolates the resource usage (CPU, memory, network) of a collection of processes.
● Linux Capabilities: divides the privileges of root into distinct units and smaller groups of privileges.

Docker images

Dockerfile

Docker inspect

MicroBadger

Docker Content Trust

● We can verify the integrity of the image
● Checksum validation when pulling an image from Docker Hub
● Pulling by digest to enforce consistent

DockerFile security

Docker Capabilities

● A capability is a Unix action a user can perform
● Goal is to restrict “capabilities”
● Privileged process = all the capabilities!
● Unprivileged process = check individual user capabilities
● Example capabilities:
  ○ CAP_CHOWN
  ○ CAP_SETUID
  ○ CAP_NET_RAW
  ○ CAP_SYS_ADMIN

Docker Capabilities: disable ping

Docker Capabilities: CHOWN

Docker Capabilities: network

Docker Network Capabilities
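The capability slides describe a privileged process as holding every capability and an unprivileged one as holding a subset. The Python script below is an added example, not part of the deck: it decodes the CapEff bitmask a container process reports in /proc/<pid>/status, compares it with the 14 capabilities Docker grants a non-privileged container by default, and reports which of the four example capabilities on the slide are present. The bit numbers are the kernel's (linux/capability.h); the status text is a constructed sample of a container started with CAP_AUDIT_CONTROL added on top of the default set.

```python
"""Decode the capability bitmask of a container process (added example)."""
import re
from typing import Dict, Iterable, List

# Capability names indexed by their bit number, as in <linux/capability.h>.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
]

# The capability set Docker gives a non-privileged container by default.
DOCKER_DEFAULT_CAPS = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FOWNER", "CAP_FSETID", "CAP_KILL",
    "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_NET_BIND_SERVICE",
    "CAP_NET_RAW", "CAP_SYS_CHROOT", "CAP_MKNOD", "CAP_AUDIT_WRITE",
    "CAP_SETFCAP",
}

# The four capabilities the slide lists as examples.
SLIDE_EXAMPLE_CAPS = {"CAP_CHOWN", "CAP_SETUID", "CAP_NET_RAW", "CAP_SYS_ADMIN"}


def mask_from_names(names: Iterable[str]) -> int:
    """Build a CapEff-style bitmask from capability names."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_NAMES.index(name)
    return mask


def names_from_mask(mask: int) -> List[str]:
    """List the capabilities whose bit is set, in bit order."""
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]


def parse_status(text: str) -> Dict[str, int]:
    """Pull the Cap* hex fields out of /proc/<pid>/status text."""
    caps: Dict[str, int] = {}
    for line in text.splitlines():
        m = re.match(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)$", line.strip())
        if m:
            caps[m.group(1)] = int(m.group(2), 16)
    return caps


def audit_capeff(status_text: str) -> Dict[str, List[str]]:
    """Report the effective set, anything beyond Docker's default set, and
    which of the slide's example capabilities the process holds."""
    effective = names_from_mask(parse_status(status_text).get("CapEff", 0))
    return {
        "effective": effective,
        "beyond_docker_default": sorted(set(effective) - DOCKER_DEFAULT_CAPS),
        "slide_examples_present": sorted(set(effective) & SLIDE_EXAMPLE_CAPS),
    }


# Constructed sample: status of a process in a container started with the
# default set plus CAP_AUDIT_CONTROL (bit 30) added via --cap-add.
SAMPLE_STATUS = """\
Name:\tsh
Uid:\t0\t0\t0\t0
CapInh:\t00000000e80425fb
CapPrm:\t00000000e80425fb
CapEff:\t00000000e80425fb
CapBnd:\t00000000e80425fb
"""

if __name__ == "__main__":
    report = audit_capeff(SAMPLE_STATUS)
    print("effective:", ", ".join(report["effective"]))
    print("beyond Docker default:", report["beyond_docker_default"])
    print("slide examples present:", report["slide_examples_present"])
    # What dropping NET_RAW (the capability ping's raw sockets need) leaves:
    dropped = mask_from_names(DOCKER_DEFAULT_CAPS) & ~(1 << CAP_NAMES.index("CAP_NET_RAW"))
    print("default set without NET_RAW: %#x" % dropped)
```

Run it inside a container with `cat /proc/self/status` piped into `audit_capeff` to see what the container actually holds; an empty `beyond_docker_default` list with no CAP_SYS_ADMIN is the expected baseline for a non-privileged container.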

Docker security is about limiting and controlling the attack surface on the kernel.

Run filesystems as read-only so that attackers can not overwrite data or save malicious scripts to the image.

Least privilege

● Do not run processes in a container as root, to avoid root access from attackers.
● Enable user namespaces (disabled by default).
● Run filesystems as read-only so that attackers cannot overwrite data or save malicious scripts to file.
● Cut down the kernel calls that a container can make, to reduce the potential attack surface.
● Limit the resources that a container can use (SELinux/AppArmor).

DockerFile Security

● Set a specific user.
● Don’t run your applications as root in containers.

Read only container & volumes

Privileged vs non privileged

Other tools

● AppArmor is a Mandatory Access Control (MAC) system which is a kernel (LSM) enhancement to confine programs to a limited set of resources. AppArmor's security model is to bind access control attributes to programs rather than to users.
● Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including United States Department of Defense

Seccomp

● Restricts system calls based on a policy
● Block things like:
  ○ Kernel manipulation (init_module, finit_module, delete_module)
  ○ Executing mount options
  ○ Change permissions
  ○ Change owner and groups
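The Seccomp slide lists the kinds of system calls a profile should block. The following Python script is an added example, not from the deck or from Docker: it takes a profile in the shape Docker's seccomp profiles use (a defaultAction plus a list of syscall rules), resolves what the profile does for each syscall in the slide's block list, and strips any that are still allowed out of the allow rules. The sample profile is constructed and trimmed to a handful of calls; the syscall names chosen for each slide group are this example's own.

```python
"""Check a Docker seccomp profile against the slide's block list (added example)."""
import json
from typing import Dict, List

# Syscalls the slide says a profile should block, grouped as on the slide.
# (The exact syscall names in each group are this example's choice.)
SLIDE_BLOCKLIST: Dict[str, List[str]] = {
    "kernel modules": ["init_module", "finit_module", "delete_module"],
    "mount": ["mount", "umount2"],
    "change permissions": ["chmod", "fchmod", "fchmodat"],
    "change owner/group": ["chown", "fchown", "lchown", "fchownat"],
}

# Constructed sample profile in the shape Docker's profiles use: a default
# action plus a list of syscall rules. A real profile allows several hundred
# calls; this one is trimmed to what the check needs to show.
SAMPLE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["read", "write", "openat", "close", "exit_group",
                   "chmod", "fchmod", "chown", "fchown"],
         "action": "SCMP_ACT_ALLOW", "args": []},
        {"names": ["mount", "umount2"], "action": "SCMP_ACT_ERRNO", "args": []},
    ],
})


def resolve_action(profile: dict, syscall: str) -> str:
    """Action the profile takes for a syscall: the first rule naming it wins,
    otherwise defaultAction. Per-argument filters ("args") are ignored here,
    so a rule that allows a call only for some arguments counts as allow."""
    for rule in profile.get("syscalls", []):
        if syscall in rule.get("names", []):
            return rule["action"]
    return profile["defaultAction"]


def audit_profile(profile_json: str) -> Dict[str, List[str]]:
    """Return the block-list entries the profile still allows, by group."""
    profile = json.loads(profile_json)
    leaks: Dict[str, List[str]] = {}
    for group, calls in SLIDE_BLOCKLIST.items():
        allowed = [c for c in calls if resolve_action(profile, c) == "SCMP_ACT_ALLOW"]
        if allowed:
            leaks[group] = allowed
    return leaks


def drop_from_allowlist(profile_json: str, syscalls: List[str]) -> str:
    """Remove the given syscalls from every allow rule so they fall back to
    defaultAction (SCMP_ACT_ERRNO in an allowlist profile)."""
    profile = json.loads(profile_json)
    for rule in profile.get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ALLOW":
            rule["names"] = [n for n in rule["names"] if n not in syscalls]
    return json.dumps(profile, indent=2)


if __name__ == "__main__":
    print("still allowed:", audit_profile(SAMPLE_PROFILE))
    everything = [c for calls in SLIDE_BLOCKLIST.values() for c in calls]
    hardened = drop_from_allowlist(SAMPLE_PROFILE, everything)
    print("after hardening:", audit_profile(hardened))
    # Write `hardened` to a file and start the container with
    # --security-opt seccomp=<file> to apply it.
```

On the sample, the module-loading calls are already blocked (no rule names them, so defaultAction applies) and mount is blocked explicitly, but chmod/fchmod and chown/fchown sit in the allow rule; the hardened profile no longer allows any of them.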

Checklist

Check packages container

Auditing Docker Host

DockerBench Security

● Auditing Docker environment and containers
● Open-source tool for running automated tests
● Inspired by the CIS Docker 1.11 benchmark
● Runs against containers currently running on the same host
● Checks for AppArmor, read-only volumes, etc.
● https://github.com/docker/docker-bench-security

DockerBench Security

● The host configuration
● The Docker daemon configuration
● The Docker daemon configuration files
● Container images and build files
● Container runtime
● Docker security operations

DockerBench Security

● The Docker daemon configuration
● [WARN] 2.1 - Restrict network traffic between containers
● [WARN] 4.1 - Create a user for the container
● [WARN] * Running as root:
● [WARN] 5.4 - Restrict Linux Kernel Capabilities within containers
● [WARN] * Capabilities added: CapAdd=[audit_control]
● [WARN] 5.13 - Mount container's root filesystem as readonly
● [WARN] * Container running with root FS mounted R/W:

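The docker-bench output on the slide mixes check lines ("[WARN] 5.4 - ...") with per-container detail lines ("[WARN] * Capabilities added: ..."). The script below is an added example, not part of the deck or of docker-bench-security: it parses that line format into checks with their attached details, counts results per level, and maps each named container to the checks it failed. The sample output is constructed from the warnings on the slide, and the container name "demo-web" is made up.

```python
"""Summarise docker-bench-security output (added example)."""
import re
from collections import Counter
from typing import Dict, List

# One output line: "[LEVEL] id - check title" for a check, or
# "[LEVEL] * detail" for a per-container finding under the preceding check.
LINE = re.compile(
    r"^\[(?P<level>[A-Z]+)\]\s+"
    r"(?:(?P<id>\d+(?:\.\d+)?)\s*-\s*(?P<title>.+)|\*\s*(?P<detail>.+))$"
)

# Constructed sample modelled on the warnings shown on the slide; the
# container name "demo-web" is made up.
SAMPLE_OUTPUT = """\
[INFO] 2 - Docker daemon configuration
[WARN] 2.1 - Restrict network traffic between containers
[INFO] 4 - Container Images and Build Files
[WARN] 4.1 - Create a user for the container
[WARN]      * Running as root: demo-web
[INFO] 5 - Container Runtime
[WARN] 5.4 - Restrict Linux Kernel Capabilities within containers
[WARN]      * Capabilities added: CapAdd=[audit_control] to demo-web
[WARN] 5.13 - Mount container's root filesystem as readonly
[WARN]      * Container running with root FS mounted R/W: demo-web
[PASS] 5.25 - Restrict container from acquiring additional privileges
"""


def parse_bench(text: str) -> List[dict]:
    """Turn the output into a list of checks, each carrying its detail lines."""
    checks: List[dict] = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # banners, blank lines, progress output
        if m.group("detail") is not None:
            if checks:  # a detail always follows the check it belongs to
                checks[-1]["details"].append(m.group("detail").strip())
            continue
        checks.append({
            "level": m.group("level"),
            "id": m.group("id"),
            "title": m.group("title").strip(),
            "details": [],
        })
    return checks


def summarize(checks: List[dict]) -> Dict[str, int]:
    """Count checks per result level (INFO lines are the section headers)."""
    return dict(Counter(c["level"] for c in checks))


def warnings_by_container(checks: List[dict]) -> Dict[str, List[str]]:
    """Map each container named in a WARN detail to the check ids it failed.
    Assumes, as in the sample, that the container name is the last token."""
    result: Dict[str, List[str]] = {}
    for c in checks:
        if c["level"] != "WARN":
            continue
        for detail in c["details"]:
            name = detail.rsplit(None, 1)[-1]
            result.setdefault(name, []).append(c["id"])
    return result


if __name__ == "__main__":
    parsed = parse_bench(SAMPLE_OUTPUT)
    print(summarize(parsed))
    print(warnings_by_container(parsed))
    for c in parsed:
        if c["level"] == "WARN":
            print(c["id"], c["title"], c["details"])
```

Feeding the real tool's output through `parse_bench` (for example `sh docker-bench-security.sh | python3 bench_summary.py`, with a small stdin wrapper) gives a per-container list of failed checks that is easier to track over time than the raw log.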

Lynis

● https://github.com/CISOfy/lynis-docker
● Lynis is a Linux, Mac and Unix security auditing and system hardening tool that includes a module to audit Dockerfiles.
● lynis audit system
● lynis audit dockerfile <file>

Lynis audit dockerfile

https://github.com/CISOfy/lynis/blob/master/include/helper_audit_dockerfile
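Lynis's `helper_audit_dockerfile` walks a Dockerfile and reports on its instructions. The script below is an added example in the same spirit, written for this page and not Lynis's code: it parses a Dockerfile into instructions (joining backslash-continued lines), then checks the points the deck raises on the DockerFile Security and Docker Content Trust slides: a base image that is not pinned by tag or digest, ADD of a remote URL, a downloaded script piped into a shell, and a missing or root USER. Both sample Dockerfiles are constructed, and the sha256 digest in the hardened one is a placeholder, not a real image digest.

```python
"""Audit a Dockerfile for the points the deck raises (added example)."""
import re
from typing import List, Tuple


def parse_instructions(text: str) -> List[Tuple[str, str]]:
    """Split a Dockerfile into (INSTRUCTION, arguments) pairs, joining
    backslash-continued lines and skipping comments and blank lines."""
    instructions: List[Tuple[str, str]] = []
    pending = ""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.endswith("\\"):
            pending += stripped[:-1].rstrip() + " "
            continue
        full = pending + stripped
        pending = ""
        keyword, _, args = full.partition(" ")
        instructions.append((keyword.upper(), args.strip()))
    return instructions


def base_image_pinning(image: str) -> str:
    """Classify a FROM reference: 'digest', 'tag', 'floating' (no tag or
    :latest) or 'scratch'. The registry/namespace part is removed first so
    a registry port (localhost:5000/app) is not mistaken for a tag."""
    if image == "scratch":
        return "scratch"
    if "@sha256:" in image:
        return "digest"
    last = image.rsplit("/", 1)[-1]
    if ":" in last:
        return "floating" if last.rsplit(":", 1)[1] == "latest" else "tag"
    return "floating"


def audit_dockerfile(text: str) -> List[str]:
    """Return findings: floating base image, remote ADD, piped installer
    script, and missing or root USER (the 'set a specific user' slide)."""
    findings: List[str] = []
    last_user = None
    for keyword, args in parse_instructions(text):
        if keyword == "FROM":
            image = args.split()[0]  # drop "AS stage"
            if base_image_pinning(image) == "floating":
                findings.append(f"FROM {image}: base image not pinned; use a tag or pull by digest")
        elif keyword == "ADD" and re.search(r"https?://", args):
            findings.append("ADD fetches a remote URL; download, verify and COPY the artifact instead")
        elif keyword == "RUN" and re.search(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", args):
            findings.append("RUN pipes a downloaded script into a shell without verifying it")
        elif keyword == "USER":
            last_user = args.split(":")[0]
    if last_user is None or last_user in ("root", "0"):
        findings.append("no non-root USER set; processes in the container run as root")
    return findings


# Constructed samples (not from the slides). The digest below is a
# placeholder, not a real image digest.
WEAK_DOCKERFILE = """\
FROM python:latest
ADD https://example.invalid/app.tar.gz /opt/app/
RUN curl -sSL https://example.invalid/install.sh | sh
COPY . /opt/app
CMD ["python", "/opt/app/main.py"]
"""

HARDENED_DOCKERFILE = """\
FROM python:3.6-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN groupadd -r app && \\
    useradd -r -g app app
COPY . /opt/app
USER app
CMD ["python", "/opt/app/main.py"]
"""

if __name__ == "__main__":
    for name, content in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(name, audit_dockerfile(content) or ["no findings"])
```

The USER check looks at the last USER instruction only, since that is the one the container's process starts under; a Dockerfile that switches to root for package installation and back to an unprivileged user afterwards passes.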

Demo time

Auditing Docker Images

● You can scan your images for known vulnerabilities
● Find known vulnerable binaries
● Docker Security Scanning
● OWASP Dependency checker
● Anchore Cloud
● Tenable.io Container Security
● Dagda

Docker Security Scanning

OWASP Dependency checker

https://hub.docker.com/r/deepfenceio/deepfence_depcheck/

Anchore

Anchore cli

Anchore cloud

Anchore CVE list

Anchore cloud notifications

Dagda

https://github.com/eliasgranderubio/dagda

Dagda

● Python 3
● MongoDB
● PyMongo
● Requests
● Python-dateutil
● Joblib
● Docker-py
● Flask
● Flask-cors
● PyYAML

Commercial tools

Docker Images for Malware Analysis

Demo time

Conclusions

● Signing: Secure & sign your source
● Dependencies: Pin & verify your dependencies
● Content Trust: Sign your artifacts with Docker Content Trust
● Privileges: Least Privilege configurations

References

● https://docs.docker.com/engine/security
● http://www.oreilly.com/webops-perf/free/files/docker-security.pdf
● http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf
● Docker Content Trust: https://docs.docker.com/engine/security/trust/content_trust
● Docker Security Scanning: https://docs.docker.com/docker-cloud/builds/image-scan
● https://blog.docker.com/2016/04/docker-security
● http://softwaretester.info/docker-audit

jmortega.github.io
@jmortegac