Testing Docker Images Security
Bsides Manchester, August 2017
Jose Manuel Ortega
Software Engineer & Security Researcher
@jmortegac
jmortega.github.io
Agenda
● Introduction to docker security
● Security best practices
● Tools for auditing docker images
Docker
● “Docker containers wrap up a piece of software in a complete filesystem that contains everything it needs to run: code, runtime, system tools, system libraries – anything you can install on a server. This guarantees that it will always run the same, regardless of the environment it is running in.”
Docker Security
● Docker provides an additional layer of isolation, making your infrastructure safer by default.
● Makes the application lifecycle faster and easier, reducing risks in your applications.
Docker Security
● Docker uses several mechanisms for security:
○ Linux kernel namespaces
○ Linux Control Groups (cgroups)
○ The Docker daemon
○ Linux capabilities (libcap)
○ Linux security mechanisms like AppArmor or
SELinux
Docker Security
● Namespaces: provide an isolated view of the system, so processes cannot see processes in other containers.
● Each container also gets its own network stack.
● A container doesn’t get privileged access to the sockets or interfaces of another container.
Docker Security
● Cgroups: a kernel feature that limits and isolates the resource usage (CPU, memory, network) of a collection of processes.
● Linux capabilities: divide the privileges of root into distinct units and smaller groups of privileges.
DockerHub
DockerFile
https://github.com/CenturyLinkLabs/dockerfile-from-image
Docker images
● Images are extracted in a chrooted sub-process, the first step in a wider effort toward privilege separation.
● From Docker 1.10, all images are stored and accessed by the cryptographic checksums of their contents, limiting the possibility of an attacker causing a collision with an existing image.
Docker Content Trust
● Protects against untrusted images
● Can enable signing checks on every managed host
● Signature verification transparent to users
● Guarantee integrity of your images when pulled
● Provides trust from publisher to consumer
● export DOCKER_CONTENT_TRUST=1
● ~/.docker/trust/trusted-certificates/
Security Best Practices
DockerFile Security
● Do not write secrets (users and passwords) into the Dockerfile.
● Remove unnecessary setuid and setgid permissions (privilege escalation).
● Download packages securely, using GPG and certificates.
● Try to restrict an image or container to one service.
Security best practices
● To disable setuid rights, add the following to the Dockerfile of your image
Security best practices
● Don’t run containers with the --privileged flag.
● The --privileged flag gives all capabilities to the container.
● docker run --privileged ...
● docker run --cap-drop=ALL --cap-add=CAP_NET_ADMIN ...
Security best practices capabilities
● How do we add/remove capabilities?
● Use cap-add and cap-drop with docker run/create
● Drop all capabilities which are not required
● docker run --cap-drop ALL --cap-add $CAP
Security best practices capabilities
● Manual management within the container:
docker run --cap-add ALL
● Restricted capabilities with root:
docker run --cap-drop ALL --cap-add $CAP
● No capabilities:
docker run --user
Security best practices capabilities
Security best practices
● Set a specific user.
● Don’t run your applications as root in containers.
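A small checker for the Dockerfile checklist above (no secrets in the image, setuid/setgid bits removed, packages fetched securely, a non-root USER), written as an added example; it is not the speaker's code and not one of the tools named later in the talk. Both Dockerfiles it inspects are constructed inline, the weak one beside its hardened form, and the checksum in the hardened file is a labelled placeholder.

```python
"""Dockerfile checklist linter: an added example, not the talk's code or any tool it names."""
import re

# Constructed "before" Dockerfile with several of the issues listed on the slides.
WEAK_DOCKERFILE = """\
FROM ubuntu:16.04
# Secret baked into an image layer; visible to anyone with `docker history`.
ENV DB_PASSWORD=hunter2
RUN apt-get update && apt-get install -y curl
# Unverified download over plain HTTP, piped straight into a shell.
RUN curl http://example.invalid/install.sh | sh
ADD http://example.invalid/tool.tar.gz /opt/
CMD ["/opt/app"]
"""

# Constructed hardened form of the same image.
HARDENED_DOCKERFILE = """\
FROM ubuntu:16.04
RUN apt-get update && apt-get install -y --no-install-recommends curl ca-certificates \\
    && rm -rf /var/lib/apt/lists/*
# Fetch over TLS and check a pinned digest (placeholder value) before using the file.
RUN curl -fsSL https://example.invalid/tool.tar.gz -o /tmp/tool.tar.gz \\
    && echo "<expected-sha256-placeholder>  /tmp/tool.tar.gz" | sha256sum -c -
# Drop setuid/setgid bits so no binary in the image can be used to escalate.
RUN find / -xdev -perm /6000 -type f -exec chmod a-s {} + || true
# Run as a dedicated unprivileged user; the DB password is injected at runtime instead.
RUN useradd -r -s /usr/sbin/nologin app
USER app
CMD ["/opt/app"]
"""

SECRET_NAME = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)
# Plain-http fetch by curl/wget, or anything piped into sh/bash.
INSECURE_FETCH = re.compile(r"(curl|wget)\s[^|&;]*http://|\|\s*(ba)?sh\b")
# A chmod that clears the s bits, or a find over the 2000/4000/6000 permission bits.
SETUID_STRIP = re.compile(r"chmod\s+[ugoa]*-s|-perm\s+[/+-]?[2467]0{3}")


def parse_dockerfile(text):
    """Return (INSTRUCTION, arguments) pairs, joining backslash continuations and skipping comments."""
    instructions, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        inst, _, args = (buf + line).partition(" ")
        instructions.append((inst.upper(), args.strip()))
        buf = ""
    return instructions


def _env_pairs(args):
    """Split 'KEY=val KEY2=val2' or the legacy 'KEY val' form into (name, value) pairs."""
    pairs = re.findall(r"(\w+)=(\S+)", args)
    if not pairs:
        parts = args.split(None, 1)
        if len(parts) == 2:
            pairs = [(parts[0], parts[1])]
    return pairs


def audit_dockerfile(text):
    """Apply the slide checklist and return a sorted list of findings (empty means clean)."""
    findings, last_user, strips_setuid = set(), None, False
    for inst, args in parse_dockerfile(text):
        if inst in ("ENV", "ARG"):
            # ENV and ARG defaults both end up in image metadata and layer history.
            for name, _value in _env_pairs(args):
                if SECRET_NAME.search(name):
                    findings.add(f"secret baked into image: {inst} {name}")
        elif inst == "RUN":
            if INSECURE_FETCH.search(args):
                findings.add("insecure download (plain http or piped into a shell) in RUN")
            if SETUID_STRIP.search(args):
                strips_setuid = True
        elif inst == "ADD" and re.match(r"https?://", args):
            findings.add("ADD from a URL skips checksum/signature verification")
        elif inst == "USER":
            last_user = args
    # Only the last USER instruction decides which account the container starts as.
    if last_user is None or last_user.split(":")[0] in ("root", "0"):
        findings.add("container runs as root (no non-root USER instruction)")
    if not strips_setuid:
        findings.add("setuid/setgid bits not removed from the image")
    return sorted(findings)


if __name__ == "__main__":
    for label, dockerfile in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(label, audit_dockerfile(dockerfile) or ["clean"])
```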
Security best practices
● We can verify the integrity of the image.
● Checksum validation when pulling an image from Docker Hub.
● Pull by digest to enforce consistency.
Security best practices
● Check packages installed in the container
Docker security is about limiting and controlling the attack surface on the kernel.
Docker least privileges
● Do not run processes in a container as root, to avoid attackers gaining root access.
● Enable user namespaces (disabled by default).
● Run filesystems as read-only so that attackers cannot overwrite data or save malicious scripts to the image.
● Cut down the kernel calls that a container can make to reduce the potential attack surface.
● Limit the resources that a container can use (SELinux/AppArmor).
Containers and volumes read-only
Checklist Dockerfile
Checklist building/maintaining/consuming
AUDITING TOOLS
Docker images scanning
● You can scan your images for known vulnerabilities
● There are tools for that, like Docker Security Scanning, Docker Bench Security and CoreOS Clair
● Find known vulnerable binaries
Docker Security Scanning
https://docs.docker.com/docker-cloud/builds/image-scan/
● Checks based on best practices for hosts and containers
● Find Common Vulnerabilities and Exposures (CVEs)
Docker Security Scanning
● Checks image layers against the CVE database
● Binary scanning of all components in the image
● Performs a binary scan to pick up statically linked binaries
● Analyses libraries statically compiled into the image
● Generates a report that shows whether there are CVEs in the libraries inside the image
Docker Security Scanning
Docker Security Scanning
Docker CVE
https://www.docker.com/docker-cve-database
Security pipeline
Clair (Container Vulnerability Analysis Service)
https://github.com/coreos/clair
Vulnerability Static Analysis for Containers
Clair Use cases
● You've found an image by searching the internet and want to determine if it's safe enough for you to use in production.
● You're regularly deploying into a containerized production environment and want operations to alert or block deployments on insecure software.
Docker Bench Security
https://github.com/docker/docker-bench-security
Checks based on best practices for hosts and containers
Docker bench security
● Open-source tool for running automated tests
● Inspired by the CIS Docker 1.11 benchmark
● Runs against containers currently running on the same host
● Checks for AppArmor, read-only volumes, etc.
Docker bench security
● The host configuration
● The Docker daemon configuration
● The Docker daemon configuration files
● Container images and build files
● Container runtime
● Docker security operations
Docker bench security
● The Docker daemon configuration
● [WARN] 2.1 - Restrict network traffic between containers
● [WARN] 4.1 - Create a user for the container
  [WARN] * Running as root:
● [WARN] 5.4 - Restrict Linux Kernel Capabilities within containers
  [WARN] * Capabilities added: CapAdd=[audit_control]
● [WARN] 5.13 - Mount container's root filesystem as readonly
  [WARN] * Container running with root FS mounted R/W:
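The output above has a regular shape: a numbered check line, then indented `*` detail lines naming the affected containers. As an added example (not the speaker's code and not part of docker-bench-security), the Python below parses constructed output modelled on those lines and turns the checks chosen as blocking into a pipeline gate, the "alert or block deployments" use case from the Clair slide; it assumes the container name is the last word of each detail line.

```python
"""Gate a pipeline on docker-bench-security results: an added example, not the talk's or the project's code."""
import re
from collections import defaultdict

# Constructed output modelled on the [WARN] lines shown on the slide; the real tool
# prints many more checks, and the container names (web, db) are invented.
SAMPLE_OUTPUT = """\
[INFO] 2 - Docker daemon configuration
[WARN] 2.1  - Restrict network traffic between containers
[PASS] 2.2  - Set the logging level
[INFO] 4 - Container Images and Build File
[WARN] 4.1  - Create a user for the container
[WARN]      * Running as root: web
[WARN]      * Running as root: db
[INFO] 5 - Container Runtime
[WARN] 5.4  - Restrict Linux Kernel Capabilities within containers
[WARN]      * Capabilities added: CapAdd=[audit_control] to web
[WARN] 5.13 - Mount container's root filesystem as readonly
[WARN]      * Container running with root FS mounted R/W: web
[WARN]      * Container running with root FS mounted R/W: db
[PASS] 5.25 - Restrict container from acquiring additional privileges
"""

# "[WARN] 5.13 - title" is a check result; "[INFO] 5 - title" (no dot) is a section header.
CHECK_RE = re.compile(r"^\[(INFO|WARN|PASS|NOTE)\]\s+(\d+(?:\.\d+)?)\s+-\s+(.*)$")
# "[WARN]      * detail" lines belong to the check printed just before them.
DETAIL_RE = re.compile(r"^\[(INFO|WARN|PASS|NOTE)\]\s+\*\s+(.*)$")


def parse_bench_output(text):
    """Return {check_id: {"level", "title", "details"}} for every numbered check."""
    checks, current = {}, None
    for line in text.splitlines():
        m = CHECK_RE.match(line)
        if m:
            level, check_id, title = m.groups()
            if "." not in check_id:  # section header, not a result
                current = None
                continue
            checks[check_id] = {"level": level, "title": title, "details": []}
            current = check_id
            continue
        m = DETAIL_RE.match(line)
        if m and current is not None:
            checks[current]["details"].append(m.group(2))
    return checks


def affected_containers(checks, check_id):
    """Container names from a check's detail lines (assumed to be the last word of each line)."""
    return {detail.split()[-1] for detail in checks.get(check_id, {}).get("details", [])}


def gate(checks, blocking=("4.1", "5.4", "5.13")):
    """Return the blocking check ids that came back [WARN]; a non-empty result fails the stage.

    The defaults are the least-privilege checks from the slide: non-root user,
    restricted capabilities and a read-only root filesystem.
    """
    return sorted(cid for cid in blocking if checks.get(cid, {}).get("level") == "WARN")


def section_summary(checks):
    """Count results per CIS section (the part of the id before the dot) and level."""
    summary = defaultdict(lambda: defaultdict(int))
    for cid, check in checks.items():
        summary[cid.split(".")[0]][check["level"]] += 1
    return {section: dict(levels) for section, levels in summary.items()}


if __name__ == "__main__":
    results = parse_bench_output(SAMPLE_OUTPUT)
    print("per section:", section_summary(results))
    for cid in gate(results):
        names = ", ".join(sorted(affected_containers(results, cid)))
        print(f"[BLOCK] {cid} {results[cid]['title']}: {names}")
```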
Docker Slim
https://github.com/docker-slim/docker-slim
Optimize and secure your Docker containers
Other tools
● OpenSCAP Container Compliance
● Lynis
● Twistlock
● Dockscan
● Aqua Security
● Dagda
OpenScap, Clair, Lynis, TwistLock, DockScan: what each one scans, and which systems it targets
● OpenScap: images and containers; RedHat/Fedora/CentOS based containers
● Clair: images and containers; Debian/Ubuntu/CentOS based containers
● Lynis: Dockerfile, images, containers, packages; Linux and Unix based systems
● TwistLock: Kubernetes, Mesos; Linux and Unix based systems
● DockScan: Docker server; Docker and container installations
Lynis
● Lynis is a Linux, Mac and Unix security auditing and system hardening tool that includes a module to audit Dockerfiles.
● lynis audit dockerfile <file>
● https://github.com/CISOfy/lynis-docker
Dagda
● Static analysis of known vulnerabilities in Docker containers
● Allows monitoring Docker containers to detect anomalous activities
Dagda
● Python 3
● MongoDB
● PyMongo
● Requests
● Python-dateutil
● Joblib
● Docker-py
● Flask
● Flask-cors
● PyYAML
● python3 dagda.py check --docker_image <image_name>
● python3 dagda.py history <image_name> --id <Id_Scan>
Conclusions
● Signing: secure and sign your source
● Dependencies: pin and verify your dependencies
● Content Trust: sign your artifacts with Docker Content Trust
● Privileges: least-privilege configurations
References
● https://docs.docker.com/engine/security
● http://www.oreilly.com/webops-perf/free/files/docker-security.pdf
● http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf
● https://www.openshift.com/promotions/docker-security.html
References
● Docker Content Trust
● https://docs.docker.com/engine/security/trust/content_trust
● Docker Security Scanning
● https://docs.docker.com/docker-cloud/builds/image-scan
● https://blog.docker.com/2016/04/docker-security
● http://softwaretester.info/docker-audit/
Books

 

Recently uploaded (20)

WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
Artyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxArtyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptx
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
 
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
WSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go PlatformlessWSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go Platformless
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 

Testing Docker Images Security

  • 1. Testing Docker Images Security Bsides Manchester, August 2017
  • 2. Jose Manuel Ortega Software Engineer & Security Researcher @jmortegac jmortega.github.io
  • 3. Agenda ● Introduction to docker security ● Security best practices ● Tools for auditing docker images
  • 4. Docker ● “Docker containers wrap up a piece of software in a complete filesystem that contains everything it needs to run: code, runtime, system tools, system libraries – anything you can install on a server. This guarantees that it will always run the same, regardless of the environment it is running in.”
  • 5. Docker Security ● Docker provides an additional layer of isolation, making your infrastructure safer by default. ● Makes the application lifecycle faster and easier, reducing risks in your applications
  • 6. Docker Security ● Docker uses several mechanisms for security: ○ Linux kernel namespaces ○ Linux Control Groups (cgroups) ○ The Docker daemon ○ Linux capabilities (libcap) ○ Linux security mechanisms like AppArmor or SELinux
  • 7. Docker Security ● Namespaces: provide an isolated view of the system where processes cannot see processes in other containers ● Each container also gets its own network stack. ● A container doesn’t get privileged access to the sockets or interfaces of another container.
  • 8. Docker Security ● Cgroups: kernel feature that limits and isolates the resource usage (CPU, memory, network) of a collection of processes. ● Linux Capabilities: divide the privileges of root into distinct units and smaller groups of privileges.
  • 11. Docker images ● Images are extracted in a chrooted sub-process, the first step in a wider effort toward privilege separation. ● From Docker 1.10, all images are stored and accessed by the cryptographic checksums of their contents, limiting the possibility of an attacker causing a collision with an existing image. ● Docker Content Trust
  • 12. Docker Content Trust ● Protects against untrusted images ● Can enable signing checks on every managed host ● Signature verification transparent to users ● Guarantee integrity of your images when pulled ● Provides trust from publisher to consumer ● export DOCKER_CONTENT_TRUST=1 ● ~/.docker/trust/trusted-certificates/
  • 14. DockerFile Security ● Do not write secrets (users and passwords). ● Remove unnecessary setuid and setgid permissions (privilege escalation) ● Download packages securely using GPG and certificates ● Try to restrict an image or container to one service
  • 15. Security best practices ● To disable setuid rights, add the following to the Dockerfile of your image
  • 16. Security best practices ● Don’t run containers with --privileged flag ● The --privileged flag gives all capabilities to the container. ● docker run --privileged ... ● docker run --cap-drop=ALL --cap-add=CAP_NET_ADMIN ...
  • 17. Security best practices capabilities ● How do we add/remove capabilities? ● Use cap-add and cap-drop with docker run/create ● Drop all capabilities which are not required ● docker run --cap-drop ALL --cap-add $CAP
  • 18. Security best practices capabilities ● Manual management within the container: docker run --cap-add ALL ● Restricted capabilities with root: docker run --cap-drop ALL --cap-add $CAP ● No capabilities: docker run --user
  • 19. Security best practices capabilities
  • 20. Security best practices ● Set a specific user. ● Don’t run your applications as root in containers.
  • 21. Security best practices ● We can verify the integrity of the image ● Checksum validation when pulling image from docker hub ● Pulling by digest to enforce consistent
  • 22. Security best practices ● Check packages installed in the container
  • 23. Docker security is about limiting and controlling the attack surface on the kernel.
  • 24. Docker least privileges ● Do not run processes in a container as root to avoid root access from attackers. ● Enable User-namespace (disabled by default) ● Run filesystems as read-only so that attackers can not overwrite data or save malicious scripts to the image. ● Cut down the kernel calls that a container can make to reduce the potential attack surface. ● Limit the resources that a container can use (SELinux/AppArmor)
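The Dockerfile rules from slides 14, 20 and 21 (no secrets, no setuid bits, a non-root USER, a digest-pinned base image) can be checked mechanically. The script below is an added example, not code from the talk or from Lynis: both sample Dockerfiles are constructed, PLACEHOLDER_DIGEST stands in for a real sha256 digest, and the setuid-stripping RUN line is my own, since the snippet slide 15 refers to is not in the transcript.

```shell
#!/bin/sh
# Added example, not code from the talk: a minimal Dockerfile audit in the spirit
# of "lynis audit dockerfile", encoding the rules from slides 14, 20 and 21.
WORK="${TMPDIR:-/tmp}/dockerfile-audit.$$"; mkdir -p "$WORK"
# Constructed "before" Dockerfile: breaks every rule the audit knows about.
cat > "$WORK/bad.Dockerfile" <<'EOF'
FROM ubuntu:latest
ENV DB_PASSWORD=hunter2
RUN curl http://example.invalid/tool.tar.gz | tar xz -C /opt
RUN chmod u+s /opt/tool/helper
EOF
# Constructed "after" Dockerfile: digest-pinned base (PLACEHOLDER_DIGEST stands for
# the real sha256), no secrets, setuid bits stripped (my own line, the talk's own
# slide-15 snippet is not in the transcript), and an unprivileged USER.
cat > "$WORK/good.Dockerfile" <<'EOF'
FROM ubuntu@sha256:PLACEHOLDER_DIGEST
RUN apt-get update && apt-get install -y --no-install-recommends tool \
    && find / -xdev -perm /6000 -type f -exec chmod a-s {} + 2>/dev/null \
    && useradd -r -s /usr/sbin/nologin app
USER app
EOF

# audit_dockerfile FILE: prints one "[WARN] ..." line per finding (Docker Bench
# style); exit status is always 0, use count_findings for a CI gate.
audit_dockerfile() {
    user_set=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            FROM*) case "$line" in
                *@sha256:*) ;;
                *) echo "[WARN] base image not pinned by digest: $line" ;;
            esac ;;
            RUN*)
                printf '%s\n' "$line" | grep -q 'http://' &&
                    echo "[WARN] download over plain HTTP, no GPG/TLS verification: $line"
                printf '%s\n' "$line" | grep -qE 'chmod [ugoa]*\+s' &&
                    echo "[WARN] setuid/setgid bit granted inside the image: $line" ;;
            USER*) case "$line" in
                "USER root"|"USER 0") ;;
                *) user_set=1 ;;
            esac ;;
        esac
        # Secrets must not live in image metadata: ENV/ARG values end up in the layers.
        printf '%s\n' "$line" | grep -qiE '^(ENV|ARG) .*(PASSWORD|SECRET|TOKEN|API_KEY)' &&
            echo "[WARN] secret baked into image metadata: $line"
    done < "$1"
    [ "$user_set" -eq 1 ] || echo "[WARN] no non-root USER instruction: container runs as root"
}
# count_findings FILE: number of [WARN] lines, 0 for a clean Dockerfile.
count_findings() { audit_dockerfile "$1" | grep -c '^\[WARN\]' || true; }

for f in "$WORK/bad.Dockerfile" "$WORK/good.Dockerfile"; do
    echo "== $f: $(count_findings "$f") finding(s)"; audit_dockerfile "$f"
done
```

The checks are deliberately line-based, so a real Dockerfile that splits instructions with backslash continuations needs the pattern matching extended to the continued lines.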
  • 29. Docker images scanning ● You can scan your images for known vulnerabilities ● There are tools for that, like Docker Security Scanning, Docker Bench Security and CoreOS Clair ● Find known vulnerable binaries
  • 30. Docker Security Scanning https://docs.docker.com/docker-cloud/builds/image-scan/ ● Checks based on best practices for hosts and containers ● Finds Common Vulnerabilities and Exposures (CVEs)
  • 31. Docker Security Scanning ● Checks image layers against the CVE database ● Binary scanning of all components in the image ● Performs a binary scan to pick up statically linked binaries ● Analyses libraries statically compiled into the image ● Generates a report that shows whether there are CVEs in the libraries inside the image
  • 36. Clair (Container Vulnerability Analysis Service) https://github.com/coreos/clair Vulnerability Static Analysis for Containers
  • 37. Clair Use cases ● You've found an image by searching the internet and want to determine if it's safe enough for you to use in production. ● You're regularly deploying into a containerized production environment and want operations to alert or block deployments on insecure software.
  • 40. Docker Bench Security https://github.com/docker/docker-bench-security Checks based on best practices for hosts and containers
  • 41. Docker bench security ● Open-source tool for running automated tests ● Inspired by the CIS Docker 1.11 benchmark ● Runs against containers currently running on the same host ● Checks for AppArmor, read-only volumes, etc.
  • 44. Docker bench security ● The host configuration ● The Docker daemon configuration ● The Docker daemon configuration files ● Container images and build files ● Container runtime ● Docker security operations
  • 45. Docker bench security ● The Docker daemon configuration ● [WARN] 2.1 - Restrict network traffic between containers ● [WARN] 4.1 - Create a user for the container [WARN] * Running as root: ● [WARN] 5.4 - Restrict Linux Kernel Capabilities within containers [WARN] * Capabilities added: CapAdd=[audit_control] ● [WARN] 5.13 - Mount container's root filesystem as readonly [WARN] * Container running with root FS mounted R/W:
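Docker Bench prints one [WARN] line per failed check followed by indented "*" detail lines, as slide 45 shows. The script below is an added example, not part of the talk or of docker-bench-security: it reads a constructed report assembled from the slide's own checks (the container name sample-web is made up) and fails when the image or runtime sections contain findings, which is how the tool is typically wired into a CI gate.

```shell
#!/bin/sh
# Added example, not part of the talk or of docker-bench-security: turn report
# lines like the ones on slide 45 into a CI gate. The report below is constructed
# from the slide's checks; "sample-web" is a made-up container name.
BENCH_REPORT="${TMPDIR:-/tmp}/bench-sample.$$.log"
cat > "$BENCH_REPORT" <<'EOF'
[INFO] 1 - The host configuration
[PASS] 1.1  - Sample passing check (constructed)
[INFO] 2 - The Docker daemon configuration
[WARN] 2.1  - Restrict network traffic between containers
[INFO] 4 - Container images and build files
[WARN] 4.1  - Create a user for the container
[WARN]      * Running as root: sample-web
[INFO] 5 - Container runtime
[WARN] 5.4  - Restrict Linux Kernel Capabilities within containers
[WARN]      * Capabilities added: CapAdd=[audit_control] sample-web
[WARN] 5.13 - Mount container's root filesystem as readonly
[WARN]      * Container running with root FS mounted R/W: sample-web
EOF

# bench_warn_count REPORT SECTION: failed checks (not "*" detail lines) in a section.
bench_warn_count() { grep -cE "^\[WARN\] $2\.[0-9]+ " "$1" || true; }

# bench_warn_details REPORT CHECK_ID: the "* ..." detail lines of one failed check.
bench_warn_details() {
    awk -v id="$2" '
        # A check or section header line resets which check we are inside of.
        /^\[[A-Z]+\] [0-9]+(\.[0-9]+)? / { show = (($2 "") == (id "")); next }
        # String comparison matters above: 5.1 and 5.10 are equal as numbers.
        show && /^\[WARN\] +\* / { sub(/^\[WARN\] +\* /, ""); print }
    ' "$1"
}

# bench_gate REPORT SECTION...: summary per section; returns 1 if any has a WARN.
bench_gate() {
    report="$1"; shift; failed=0
    for section in "$@"; do
        n=$(bench_warn_count "$report" "$section")
        echo "section $section: $n failed check(s)"
        [ "$n" -eq 0 ] || failed=1
    done
    return "$failed"
}

# Gate on the image/build and runtime sections (4 and 5) highlighted on slide 45.
if bench_gate "$BENCH_REPORT" 4 5; then
    echo "docker-bench: clean"
else
    echo "docker-bench: blocking findings"; bench_warn_details "$BENCH_REPORT" 5.4
fi
```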
  • 48. Other tools ● OpenSCAP Container Compliance ● Lynis ● Twistlock ● Dockscan ● Aqua Security ● Dagda
  • 49. Tool comparison (scope; supported platforms) ● OpenScap: images and containers; RedHat/Fedora/CentOS based containers ● Clair: images and containers; Debian/Ubuntu/CentOS based containers ● Lynis: Dockerfile; Linux and Unix based systems ● TwistLock: images, containers, packages, Kubernetes, Mesos; Linux and Unix based systems ● DockScan: Docker server; Docker and container installations
  • 50. Lynis ● Lynis is a Linux, Mac and Unix security auditing and system hardening tool that includes a module to audit Dockerfiles. ● lynis audit dockerfile <file>
  • 52. Dagda ● Static analysis of known vulnerabilities on Docker containers ● Allows monitoring Docker containers for detecting anomalous activities
  • 53. Dagda ● Python 3 ● MongoDB ● PyMongo ● Requests ● Python-dateutil ● Joblib ● Docker-py ● Flask ● Flask-cors ● PyYAML
  • 54. ● python3 dagda.py check --docker_image <image_name> ● python3 dagda.py history <image_name> --id <Id_Scan>
  • 57. Conclusions Signing ● Secure & sign your source Dependencies ● Pin & verify your dependencies Content Trust ● Sign your artifacts with Docker Content Trust Privileges ● Least privilege configurations
  • 58. References ● https://docs.docker.com/engine/security ● http://www.oreilly.com/webops-perf/free/files/docker-security.pdf ● http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf ● https://www.openshift.com/promotions/docker-security.html
  • 59. References ● Docker Content Trust ● https://docs.docker.com/engine/security/trust/content_trust ● Docker Security Scanning ● https://docs.docker.com/docker-cloud/builds/image-scan ● https://blog.docker.com/2016/04/docker-security ● http://softwaretester.info/docker-audit/
  • 60. Books