Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Docker Security Fundamentals

442 views

Published on

Dockers Security Fundamentals Hands on Session Null Bhopal Monthly Meet December 2016

Published in: Technology
  • Be the first to comment

Docker Security Fundamentals

  1. 1. Docker Security Fundamentals..
  2. 2. What Is Docker? Docker is an open-source project that  automates the deployment  of applications inside software  containers, by providing an additional  layer of abstraction and automation  of operating system–level  virtualization on Linux.
  3. 3. Virtual Machines Vs Containers? Villian 1.Isolation with less Overhead 2.Faster Deploy 3.Faster Development 4.Defence in-depth Mechanism
  4. 4. Terminology - Image @Persisted snapshot that can be run images: List all local images run: Create a container from an image and execute a command in it tag: Tag an image pull: Download image from repository rmi: Delete a local image This will also remove intermediate images if no longer used
  5. 5. Terminology - Container @Runnable instance of an image ps: List all running containers ps –a: List all containers (incl. stopped) top: Display processes of a container start: Start a stopped container stop: Stop a running container pause: Pause all processes within a container rm: Delete a container commit: Create an image from a container
  6. 6. How A Container is Born….
  7. 7. Docker Security ● Docker Daeomon a. Keep Docker Upto Date b. Harden Docker Daemon ● Docker Image a. Don’t put sensitive files in your image b. Audit Dockerfiles c. Avoid Images without Docker File d. Only install a image if you trust e. Run security Scanner on Images
  8. 8. ● Docker Container a. Don’t Run Container as root b. Reduce Container Capabilities c. Limit Container Usage (Avoid Ddos) d. Choose the right Network e. Consider Using Container Security Platform f. Additional Protections
  9. 9. Keep Docker Upto Date.. ● Docker is a Software and software can be vulnerable. ● Check https://www.docker.com/docker-cve- database
  10. 10. Harden Docker Daemon ● Use UNIX Socket Or if u need TCP use TLS.. ● Check https://docs.docker.com/engine/security/https/
  11. 11. Don’t put Sensitive File in your image…. ● Especially If you want to share your image.. ● Reverse Engg tool ● Check https://github.com/CenturyLinkLabs/dockerfile- from-image
  12. 12. Audit DockerFiles ● They may be using vulnerable component ● Or adding sensitive file ● It is similar to server recipe audit ● Dont expose SSH , Use docker run or Docker build
  13. 13. Avoid Docker image without Docker File ● Or you will have to reverse engg them so that you can check whats inside them….
  14. 14. Only Install Images you Trust ● And if possible verify ● Its hard to access security hence trust is essential… ● Trust is essential before installation…
  15. 15. Run Security Scanner on Image ● CoreOS Clair Opensource (Open Source) ● Docker security Scanner (PAID)
  16. 16. Don’t Run Container as root ● User 0 in container = User 0 in host ● Don’t let user easily become root ● Remove SUID Flags
  17. 17. Reduce Container Capabilities ● According to capabilities man page , capabilites are distincts unit of privilage that can independently enabled or disabled… ● Check www.rhelblog.redhat.com/2016/10/17/secure- your-containers-with-this-one-weird-trick/
  18. 18. Limit Container Usage ● Limit Memory ● Limit CPU ● Limit I/O Operation
  19. 19. Choose the right Network ● Bridge ● None ● Host
  20. 20. Consider using container security platform…... ● Aqua Security ● Cloud Passage ● Docker ● Magnetic io ● Twist Locks ● Weave Works
  21. 21. Additional Protection ● App-Armour ● Selinux
  22. 22. Queries……..
  23. 23. Thank You and Merry Christmas….

×