Testing Docker Images Security -NcN
En esta conferencia se presentarán las mejores praćticas a nivel de revisiones de seguridad en las imágenes de docker. En primer lugar, se verá una descripción general del proceso de despliegue de una imagen en el repositorio oficial docker hub. En segundo lugar, se comentarán las principales superficies de ataque y las amenazas sobre dichas imágenes. Por último, se verá cómo se puede detectar vulnerabilidades en las imágenes con herramientas que permite automatizar éste proceso y otras técnicas de análisis de código junto con las mejores prácticas que explican cómo remediar estas vulnerabilidades. Se harán demos con herramientas Opensource y algunos casos de uso con python.
6. WhoamI
● Docker uses several mechanisms:
○ Linux kernel namespaces
○ Linux Control Groups (cgroups)
○ The Docker daemon
○ Linux capabilities (libcap)
○ Linux security mechanisms like
○ AppArmor,SELinux,Seccomp
7. WhoamI
● Provides an isolated view of the system where
processes cannot see other processes in other
containers
● Each container also gets its own network stack.
● A container doesn’t get privileged access to
the sockets or interfaces of another container.
8. WhoamI
● Cgroups: kernel feature that limits and
isolates the resource usage (CPU, memory,
network) of a collection of processes.
● Linux Capabilities: divides the privileges of
root into distinct units and smaller groups of
privileges
19. WhoamI
● We can verify the integrity of the image
● Checksum validation when pulling image
from docker hub
● Pulling by digest to enforce consistent
23. WhoamI
● A capability is a unix action a user can perform
● Goal is to restrict “capabilities”
● Privileged process = all the capabilities!
● Unprivileged process = check individual user
capabilities
● Example Capabilities:
○ CAP_CHOWN
○ CAP_SETUID
○ CAP_NET_RAW
○ CAP_SYS_ADMIN
31. WhoamI
● Do not run processes in a container as root to avoid
root access from attackers.
● Enable User-namespace (disabled by default.)
● Run filesystems as read-only so that attackers can
not overwrite data or save malicious scripts to file.
● Cut down the kernel calls that a container can make
to reduce the potential attack surface.
● Limit the resources that a container can use
(SELinux/AppArmor)
32. WhoamI
● Set a specific user.
● Don’t run your applications as root in
containers.
35. WhoamI
● AppArmor is a Mandatory Access Control (MAC) system
which is a kernel (LSM) enhancement to confine
programs to a limited set of resources. AppArmor's
security model is to bind access control attributes to
programs rather than to users.
● Security-Enhanced Linux (SELinux) is a Linux kernel
security module that provides a mechanism for supporting
access control security policies, including United States
Department of Defense
36. WhoamI
● Restricts system calls based on a policy
● Block things like
○ Kernel manipulation (init_module,
finit_module, delete_module)
○ Executing mount options
○ Change permissions
○ Change owner and groups
43. WhoamI
● Auditing docker environment and containers
● Open-source tool for running automated tests
● Inspired by the CIS Docker 1.11 benchmark
● Runs against containers currently running on same host
● Checks for AppArmor, read-only volumes, etc...
● https://github.com/docker/docker-bench-security
50. WhoamI
● https://github.com/CISOfy/lynis-docker
● Lynis is a Linux, Mac and Unix security
auditing and system hardening tool that
includes a module to audit Dockerfiles.
● lynis audit system
● lynis audit dockerfile <file>