Testing Docker Images Security -NcN En esta conferencia se presentarán las mejores praćticas a nivel de revisiones de seguridad en las imágenes de docker. En primer lugar, se verá una descripción general del proceso de despliegue de una imagen en el repositorio oficial docker hub. En segundo lugar, se comentarán las principales superficies de ataque y las amenazas sobre dichas imágenes. Por último, se verá cómo se puede detectar vulnerabilidades en las imágenes con herramientas que permite automatizar éste proceso y otras técnicas de análisis de código junto con las mejores prácticas que explican cómo remediar estas vulnerabilidades. Se harán demos con herramientas Opensource y algunos casos de uso con python.

1. WhoamI
Testing Docker Images Security
José Manuel Ortega
Noviembre 2017

2. WhoamI
@jmortegac
jmortega.github.io
about.me/jmortegac

3. WhoamI
Introduction to docker security
Security best practices
3. Tools for auditing docker host
Tools for auditing docker images
Demo

4. WhoamI

5. WhoamI

6. WhoamI
● Docker uses several mechanisms:
○ Linux kernel namespaces
○ Linux Control Groups (cgroups)
○ The Docker daemon
○ Linux capabilities (libcap)
○ Linux security mechanisms like
○ AppArmor,SELinux,Seccomp

7. WhoamI
● Provides an isolated view of the system where
processes cannot see other processes in other
containers
● Each container also gets its own network stack.
● A container doesn’t get privileged access to
the sockets or interfaces of another container.

8. WhoamI
● Cgroups: kernel feature that limits and
isolates the resource usage (CPU, memory,
network) of a collection of processes.
● Linux Capabilities: divides the privileges of
root into distinct units and smaller groups of
privileges

9. WhoamI

10. WhoamI

11. WhoamI

12. WhoamI

13. WhoamI

14. WhoamI

15. WhoamI

16. WhoamI

17. WhoamI

18. WhoamI

19. WhoamI
● We can verify the integrity of the image
● Checksum validation when pulling image
from docker hub
● Pulling by digest to enforce consistent

20. WhoamI

21. WhoamI

22. WhoamI

23. WhoamI
● A capability is a unix action a user can perform
● Goal is to restrict “capabilities”
● Privileged process = all the capabilities!
● Unprivileged process = check individual user
capabilities
● Example Capabilities:
○ CAP_CHOWN
○ CAP_SETUID
○ CAP_NET_RAW
○ CAP_SYS_ADMIN

24. WhoamI

25. WhoamI

26. WhoamI

27. WhoamI

28. WhoamI

29. WhoamI
Docker security is about
limiting and controlling
the attack surface on the
kernel.

30. WhoamI
Run filesystems as
read-only so that attackers
can not overwrite data or
save malicious scripts to the
image.

31. WhoamI
● Do not run processes in a container as root to avoid
root access from attackers.
● Enable User-namespace (disabled by default.)
● Run filesystems as read-only so that attackers can
not overwrite data or save malicious scripts to file.
● Cut down the kernel calls that a container can make
to reduce the potential attack surface.
● Limit the resources that a container can use
(SELinux/AppArmor)

32. WhoamI
● Set a specific user.
● Don’t run your applications as root in
containers.

33. WhoamI

34. WhoamI

35. WhoamI
● AppArmor is a Mandatory Access Control (MAC) system
which is a kernel (LSM) enhancement to confine
programs to a limited set of resources. AppArmor's
security model is to bind access control attributes to
programs rather than to users.
● Security-Enhanced Linux (SELinux) is a Linux kernel
security module that provides a mechanism for supporting
access control security policies, including United States
Department of Defense

36. WhoamI
● Restricts system calls based on a policy
● Block things like
○ Kernel manipulation (init_module,
finit_module, delete_module)
○ Executing mount options
○ Change permissions
○ Change owner and groups

37. WhoamI

38. WhoamI

39. WhoamI

40. WhoamI

41. WhoamI

42. WhoamI
Auditing Docker Host

43. WhoamI
● Auditing docker environment and containers
● Open-source tool for running automated tests
● Inspired by the CIS Docker 1.11 benchmark
● Runs against containers currently running on same host
● Checks for AppArmor, read-only volumes, etc...
● https://github.com/docker/docker-bench-security

44. WhoamI

45. WhoamI
● The host configuration
● The Docker daemon configuration
● The Docker daemon configuration
files
● Container images and build files
● Container runtime
● Docker security operations

46. WhoamI
● The Docker daemon configuration
● [WARN] 2.1- Restrict network traffic between containers
● [WARN] 4.1 - Create a user for the container
● [WARN] * Running as root:
● [WARN] 5.4 - Restrict Linux Kernel Capabilities within
containers
● [WARN] * Capabilities added: CapAdd=[audit_control]
● [WARN] 5.13 - Mount container's root filesystem as
readonly
● [WARN] * Container running with root FS mounted R/W:

47. WhoamI

48. WhoamI

49. WhoamI

50. WhoamI
● https://github.com/CISOfy/lynis-docker
● Lynis is a Linux, Mac and Unix security
auditing and system hardening tool that
includes a module to audit Dockerfiles.
● lynis audit system
● lynis audit dockerfile <file>

51. WhoamI

52. WhoamI

53. WhoamI

54. WhoamI

55. WhoamI
https://github.com/CISOfy/lynis/blob/master/include/helper_audit_dockerfile

56. WhoamI

57. WhoamI

58. WhoamI

59. WhoamI
Demo time

60. WhoamI
Auditing Docker Images

61. WhoamI
● You can scan your images for known
vulnerabilities
● Find known vulnerable binaries
● Docker Security Scanning
● OWASP Dependency checker
● Anchore Cloud
● Tenable.io Container Security
● Dagda

62. WhoamI

63. WhoamI

64. WhoamI

65. WhoamI

66. WhoamI
https://hub.docker.com/r/deepfenceio/deepfence_depcheck/

67. WhoamI

68. WhoamI

69. WhoamI

70. WhoamI

71. WhoamI

72. WhoamI

73. WhoamI
https://github.com/eliasgranderubio/dagda

74. WhoamI
Python 3
MongoDB
PyMongo
Requests
Python-dateutil
Joblib
Docker-py
Flask
Flask-cors
PyYAML

75. WhoamI

76. WhoamI

77. WhoamI

78. WhoamI

79. WhoamIDocker Images for Malware Analysis

80. WhoamI
Demo time

81. WhoamI
Signing ● Secure & sign your source
Dependences ● Pin & verify your dependencies
Content Trust
● Sign your artifacts with Docker
Content Trust
Privileges ● Least Privilege configurations

82. WhoamI
● https://docs.docker.com/engine/security
● http://www.oreilly.com/webops-perf/free/files/docker-securit
y.pdf
● http://container-solutions.com/content/uploads/2015/06/15.
06.15_DockerCheatSheet_A2.pdf
● Docker Content Trust
https://docs.docker.com/engine/security/trust/content_trust
● Docker Security Scanning
https://docs.docker.com/docker-cloud/builds/image-scan
https://blog.docker.com/2016/04/docker-security
http://softwaretester.info/docker-audit

83. WhoamI

84. WhoamI
jmortega.github.io
@jmortegac