How secure is your Docker Container pipeline?
1. How secure is your container pipeline?
Manideep Konakandla
www.manideepk.com (@manideep_k1)
Feb 22, 2017
2. 2
Who am I? Hmm, yeah - Shameless Bragging
• J.N Tata Scholar, ISC2 Scholar, RSA Conference Security Scholar etc.
• Masters Student (Graduating in May’17) + Security Researcher at CMU
• Authored a book on Info Sec & Ethical Hacking at the age of 21
• Featured in INDIA’s largest newspapers and news channels
• 10 certifications + Trained 15,000+ people in Information Security
• Ex “Team Lead – Core Security & Data Analytics” at TCS
• Interest areas : Container Security, Application Security, System Security etc.
More details about me on www.manideepk.com
3. 3
What am I up to with Containers?
• Co-author, Contributor for CIS Docker 1.12 & 1.13 benchmarks
• Extensive research at Carnegie Mellon (CMU)
• Presented findings at OWASP AppsecUSA, Bsides SF, RSA (Poster), Grehack etc.
• Cloud Security Research Intern @Adobe last Summer
6. 6
What are we doing for next 40 mins?
A.B.C.D….
• Containers in 45 seconds
• Container Pipeline, Risk Areas and our Scope
Security
• Images
• Runtime
• Other components
• Enterprise zone
Misc.
Wrap up
8. 8
Quick “60 second” Intro
Containers?
Lightweight
Application centric
No more - “it works on my machine”
Micro-services
Namespaces : Isolation (PID, User, Network, IPC, Mount, UTS)
Cgroups : Isolates, limits and accounts resource usage (CPU, memory etc.)
BUZZ……….! Are containers brand new?
Img Ref: www.docker.com
Containers in 45 seconds
9. 9
Container Pipeline, Risk Areas and our Scope
[Figure: container pipeline diagram marking the risk areas: client <=> daemon communication, communication with public/private registry, registry’s security, host security, daemon security, containers, images]
Ref: Modified version of image on www.docker.com
12. 12
Life cycle of an “Image”
Dockerfile → (Build) → Image → (Spin) → Container
Maintaining images
13. 13
Security in “Dockerfile” - Golden Rules
• Do not write secrets in Dockerfile (Info Disclosure - Twitter’s Vine). Use secret management solutions
• Create a USER or else container will run as a root (Privilege escalation)
• Follow version pinning for images, packages (no ‘latest’) etc. (Caching Issue)
• Remove unnecessary setuid, setgid permissions (Privilege escalation)
• Download packages securely using GPG (MITM) and also do not download unnecessary packages (Increased attack surface)
• Do not write any kind of update instructions alone in the Dockerfile (Caching)
• Use COPY instead of ADD (Increased attack surface)
• Use HEALTHCHECK command (Best practice)
• Use gosu instead of sudo wherever possible
• Try to restrict an image (/container) to one service
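Added example, not part of the original slides: a small Dockerfile linter that checks several of the rules above (secrets, USER, version pinning, update-only RUN, ADD vs COPY, HEALTHCHECK). The rule ids, the secret-name pattern and the sample Dockerfile are constructed for illustration, and it assumes a single-stage, apt-based Dockerfile.

```python
import re

# Constructed sample Dockerfile (not from the slides) that breaks several rules.
SAMPLE = """\
FROM ubuntu:latest
ENV DB_PASSWORD=hunter2
RUN apt-get update
ADD app.tar.gz /opt/app
CMD ["/opt/app/run"]
"""

SECRET_RE = re.compile(r"passw(or)?d|secret|token|api_?key", re.I)

def instructions(text):
    """Join backslash continuations, drop comments, yield (OP, args)."""
    for line in re.sub(r"\\[ \t]*\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            op, _, args = line.partition(" ")
            yield op.upper(), args.strip()

def lint(text):
    """Return the ids of the rules the Dockerfile text violates, in file order."""
    findings, last_user, has_health = [], None, False
    for op, args in instructions(text):
        if op == "FROM":
            image = [w for w in args.split() if not w.startswith("--")][0]
            name = image.rsplit("/", 1)[-1]   # ignore a registry host:port
            pinned = "@" in image or (":" in name and not name.endswith(":latest"))
            if image != "scratch" and not pinned:
                findings.append("unpinned-base")
        elif op in ("ENV", "ARG") and SECRET_RE.search(args):
            findings.append("secret-in-dockerfile")
        elif op == "RUN" and "apt-get update" in args and "install" not in args:
            findings.append("update-alone")
        elif op == "ADD":
            findings.append("add-instead-of-copy")
        elif op == "USER":
            last_user = args.split(":")[0]
        elif op == "HEALTHCHECK":
            has_health = args.upper() != "NONE"
    if last_user in (None, "root", "0"):
        findings.append("runs-as-root")
    if not has_health:
        findings.append("no-healthcheck")
    return findings

if __name__ == "__main__":
    print(lint(SAMPLE))
```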
15. 15
Maintaining/ Consuming Images - Golden Rules
• Docker Content Trust
- Provides authenticity, integrity and freshness guarantees
- Takes some time to understand & prepare your own setup (worth it!)
• Vulnerability–free Images
- Tool selection : binary level analysis + hash based
• Except where compatibility issues prevent it, all images and packages must be up-to-date
17. 17
Container Runtime - Golden Rules
• Do not disable/misconfigure seccomp, apparmor/selinux, capabilities
• Change the default memory limits, CPU shares (else DOS)
• Do not use default docker0 bridge (ARP spoofing, MITM etc.)
• Enable PIDs cgroup per container (fork bomb)
• Do not use privileged containers and try to set no new privileges flag (priv. issues)
• Beware of non namespaced components : kernel keyring etc. (Container breakout)
• Bind incoming traffic to any specific interface (Info disclosure etc.)
• Do not share host’s namespaces to containers (Info disclosure etc.)
• Mounts (Violation of least privilege)
• Ensure Docker commands get latest images (Caching issue)
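Added example, not part of the original slides: an audit of one container's `docker inspect` record against the runtime rules above. The finding names, the list of sensitive mount sources and the sample record are constructed for illustration; the HostConfig field names are the ones `docker inspect` emits.

```python
import json

# Constructed, trimmed `docker inspect` output for one container (not real data).
SAMPLE = json.loads("""
[{"Name": "/web",
  "HostConfig": {"Privileged": true, "Memory": 0, "CpuShares": 0, "PidsLimit": 0,
                 "SecurityOpt": ["seccomp=unconfined"], "NetworkMode": "default",
                 "PidMode": "host", "IpcMode": "", "CapAdd": ["SYS_ADMIN"],
                 "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "8080"}]}},
  "Mounts": [{"Source": "/var/run/docker.sock", "RW": true}]}]
""")

# Assumption: host paths treated as sensitive when mounted read-write.
SENSITIVE = ("/", "/etc", "/var/run/docker.sock")

def audit(container):
    """Return the runtime rules a container violates, given its inspect record."""
    hc = container.get("HostConfig", {})
    opts = [o.replace(":", "=") for o in hc.get("SecurityOpt") or []]
    checks = [
        ("privileged", hc.get("Privileged", False)),
        ("no-new-privileges-unset",
         not any(o in ("no-new-privileges", "no-new-privileges=true") for o in opts)),
        ("seccomp-or-lsm-disabled",
         any(o in ("seccomp=unconfined", "apparmor=unconfined", "label=disable")
             for o in opts)),
        ("capabilities-added", bool(hc.get("CapAdd"))),
        ("no-memory-limit", not hc.get("Memory")),
        ("default-cpu-shares", hc.get("CpuShares") in (None, 0, 1024)),
        ("no-pids-limit", (hc.get("PidsLimit") or 0) <= 0),
        ("default-bridge", hc.get("NetworkMode") in ("default", "bridge")),
        ("host-namespace", "host" in [hc.get(k) for k in
                                      ("NetworkMode", "PidMode", "IpcMode", "UTSMode")]),
        ("port-on-all-interfaces",
         any(b.get("HostIp") in ("", "0.0.0.0")
             for binds in (hc.get("PortBindings") or {}).values()
             for b in binds or [])),
        ("writable-sensitive-mount",
         any(m.get("RW") and m.get("Source") in SENSITIVE
             for m in container.get("Mounts") or [])),
    ]
    return [name for name, bad in checks if bad]

if __name__ == "__main__":
    for c in SAMPLE:
        print(c["Name"], audit(c))
```

On a real host the input would be `json.loads` of `docker inspect <container>` output.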
19. 19
Other components - Golden Rules
• Daemon Security
- Fix dangerous defaults such as allowing communication between containers
- Enable/use/implement much needed security controls (user namespaces, ulimits, authorization plugins, restricting daemon access)
• Communication Security
• Registry’s Security (Did not explore specifically)
• Host Security
- Maintain latest Linux kernel (PIDs cgroup only in > 4.3) and Docker version
- Apply kernel hardening policies (GRSecurity, PaX etc.)
- Harden the host as per CIS / SANS / your custom hardening guidelines
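Added example, not part of the original slides: a check of a daemon configuration file (`daemon.json`) for the daemon controls listed above: inter-container communication, user namespaces, ulimits, authorization plugins and TLS on a TCP socket. Both configurations are constructed, and the plugin name `example-authz`, the address and the certificate paths are placeholders.

```python
import json

# Constructed daemon.json contents (not from the slides).
DEFAULTS = "{}"   # stock daemon: nothing configured
HARDENED = """{
  "icc": false,
  "userns-remap": "default",
  "default-ulimits": {"nofile": {"Name": "nofile", "Soft": 1024, "Hard": 2048}},
  "authorization-plugins": ["example-authz"],
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"
}"""

def audit_daemon(text):
    """Return the daemon-level controls that the given daemon.json leaves off."""
    cfg = json.loads(text)
    findings = []
    if cfg.get("icc", True):              # inter-container communication is on by default
        findings.append("icc-enabled")
    if not cfg.get("userns-remap"):       # container root maps to host root
        findings.append("no-userns-remap")
    if not cfg.get("default-ulimits"):
        findings.append("no-default-ulimits")
    if not cfg.get("authorization-plugins"):
        findings.append("no-authz-plugin")
    tcp = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp and not cfg.get("tlsverify"):  # remote API reachable without client certs
        findings.append("tcp-socket-without-tlsverify")
    return findings

if __name__ == "__main__":
    print("defaults:", audit_daemon(DEFAULTS))
    print("hardened:", audit_daemon(HARDENED))
```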
20. 20
Enterprise zone (Personal users ALLOWED!)
• Images
- Say “no” to Docker Hub (definitely not general images)
- Maintain your own in-house registries (What security controls?)
- Base image selection and also using image optimization techniques
• Runtime
- Customize seccomp, apparmor/selinux etc. profiles
• Misc.
- Create container specific standards and guidelines
- Use commercial tools (useful features like Image Lockdown, RBAC, profiling, monitoring, anomaly detection, secret management etc.)
- Customize CIS Docker benchmarks as per your requirements and adhere to it
- Use file monitoring solutions
- Container specific SIEM rules
- Group containers on VMs (categories?)
- Your general security controls
23. 23
Misc.
• Tool recommendations (Meet me!)
- Images
- Network level
- Container Ecosystem
• Hardware isolation to containers (Clear containers – are they really containers?)
• Future expectation of containers (My 2¢)
• Virtual machines security to containers (view of kernel)