Testing Docker Images Security
Bsides Manchester, August 2017
Jose Manuel Ortega
Software Engineer & Security Researcher
@jmortegac
jmortega.github.io
Agenda
● Introduction to docker security
● Security best practices
● Tools for auditing docker images
Docker
● “Docker containers wrap up a piece of
software in a complete filesystem that
contains everything it needs to run: code,
runtime, system tools, system libraries –
anything you can install on a server. This
guarantees that it will always run the same,
regardless of the environment it is running in.”
Docker Security
● Docker provides an additional layer of isolation, making
your infrastructure safer by default.
● Makes the application lifecycle faster and easier, reducing
risks in your applications
Docker Security
● Docker uses several mechanisms for security:
○ Linux kernel namespaces
○ Linux Control Groups (cgroups)
○ The Docker daemon
○ Linux capabilities (libcap)
○ Linux security mechanisms like AppArmor or
SELinux
Docker Security
● Namespaces: provide an isolated view of the system, so
processes in one container cannot see processes in other
containers
● Each container also gets its own network stack.
● A container doesn’t get privileged access to the
sockets or interfaces of another container.
Docker Security
● Cgroups: a kernel feature that limits and isolates the resource
usage (CPU, memory, network) of a collection of processes.
● Linux Capabilities: divide the privileges of root into distinct
units, so a process can be granted smaller groups of privileges.
DockerHub
DockerFile
https://github.com/CenturyLinkLabs/dockerfile-from-image
Docker images
● Images are extracted in a chrooted sub-process, the first step
in a wider effort toward privilege separation.
● From Docker 1.10, all images are stored and accessed by the
cryptographic checksums of their contents, limiting the
possibility of an attacker causing a collision with an existing
image.
Docker Content Trust
● Protects against untrusted images
● Can enable signing checks on every managed host
● Signature verification transparent to users
● Guarantee integrity of your images when pulled
● Provides trust from publisher to consumer
● export DOCKER_CONTENT_TRUST=1
● ~/.docker/trust/trusted-certificates/
Security Best Practices
DockerFile Security
● Do not write secrets (users and passwords) into the Dockerfile.
● Remove unnecessary setuid and setgid permissions (privilege
escalation)
● Download packages securely using GPG and certificates
● Try to restrict an image or container to one service
Security best practices
● To disable setuid rights, add the following to the
Dockerfile of your image
Security best practices
● Don’t run containers with --privileged flag
● The --privileged flag gives all capabilities to the
container.
● docker run --privileged ...
● docker run --cap-drop=ALL --cap-add=CAP_NET_ADMIN ...
Security best practices capabilities
● How do we add/remove capabilities?
● Use cap-add and cap-drop with docker run/create
● Drop all capabilities which are not required
● docker run --cap-drop ALL --cap-add $CAP
Security best practices capabilities
● Manual management within the container:
docker run --cap-add ALL
● Restricted capabilities with root:
docker run --cap-drop ALL --cap-add $CAP
● No capabilities:
docker run --user
Security best practices capabilities
Security best practices
● Set a specific user.
● Don’t run your applications as root in containers.
Security best practices
● We can verify the integrity of the image
● Checksum validation when pulling image from docker hub
● Pulling by digest to enforce consistent
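As an added example (not code from the talk), a small Python audit for the Dockerfile practices in these slides: a base image pinned by digest, a non-root USER, no secrets in ENV/ARG, setuid/setgid bits stripped with chmod a-s, and no package downloads over plain HTTP. The two Dockerfiles are constructed samples and the sha256 digest is a placeholder, not a real image.

```python
"""Dockerfile audit for the practices in these slides (added example, not
the talk's own code).  The two Dockerfiles below are constructed samples."""
import re

# Heuristic names that suggest a credential baked into the image.
SECRET_NAMES = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)
# curl/wget fetching over http:// instead of https:// (no certificate to verify).
HTTP_DOWNLOAD = re.compile(r"\b(curl|wget)\b[^;&|]*\bhttp://", re.I)
# A chmod that removes the s bits, e.g. `find / -perm /6000 -type f -exec chmod a-s '{}' +`.
STRIP_SUID = re.compile(r"\bchmod\b[^;&|]*-s\b", re.I)


def parse_instructions(text):
    """Return (INSTRUCTION, arguments) pairs, joining backslash continuations
    and skipping blank lines and comments."""
    pairs, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        inst, _, args = buf.partition(" ")
        pairs.append((inst.upper(), args.strip()))
        buf = ""
    return pairs


def audit_dockerfile(text):
    """Return a list of findings; an empty list means every check passed."""
    insts = parse_instructions(text)
    findings = []

    # Pulling by digest: FROM image@sha256:... cannot be silently re-tagged.
    for inst, args in insts:
        if inst == "FROM" and "@sha256:" not in args.split()[0]:
            findings.append(f"FROM {args.split()[0]}: base image not pinned by digest")

    # Set a specific user; the last USER instruction is the one the container starts as.
    users = [args.split()[0] for inst, args in insts if inst == "USER" and args]
    if not users:
        findings.append("no USER instruction: processes run as root")
    elif users[-1].split(":")[0] in ("root", "0"):
        findings.append(f"USER {users[-1]}: final user is root")

    # Do not write secrets into the image.
    for inst, args in insts:
        if inst in ("ENV", "ARG") and SECRET_NAMES.search(args):
            findings.append(f"{inst} {args}: secret-looking value baked into the image")

    # Remove unnecessary setuid/setgid permissions.
    run_steps = [args for inst, args in insts if inst == "RUN"]
    if not any(STRIP_SUID.search(step) for step in run_steps):
        findings.append("no RUN step strips setuid/setgid bits (chmod a-s)")

    # Download packages securely (TLS, so GPG/certificate checks are possible).
    for step in run_steps:
        if HTTP_DOWNLOAD.search(step):
            findings.append(f"RUN {step}: package downloaded over plain http")
    return findings


# Constructed sample with several of the problems the slides warn about.
BAD_DOCKERFILE = """
FROM ubuntu:16.04
ENV DB_PASSWORD=changeme
RUN apt-get update && \\
    wget http://example.invalid/pkg.deb && dpkg -i pkg.deb
CMD ["/app/server"]
"""

# Constructed sample following the slides; the digest is a placeholder, not a real image.
GOOD_DOCKERFILE = """
FROM ubuntu@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates && \\
    find / -perm /6000 -type f -exec chmod a-s '{}' + || true
RUN useradd -r -u 1001 app
USER app
CMD ["/app/server"]
"""

if __name__ == "__main__":
    for finding in audit_dockerfile(BAD_DOCKERFILE):
        print(finding)
    print("hardened Dockerfile findings:", audit_dockerfile(GOOD_DOCKERFILE))
```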
Security best practices
● Check packages installed in the container
Docker security is about limiting and controlling the attack surface on the kernel.
Docker least privileges
● Do not run processes in a container as root, to avoid root
access for attackers.
● Enable user namespaces (disabled by default)
● Run filesystems as read-only so that attackers cannot
overwrite data or save malicious scripts to the image.
● Cut down the kernel calls that a container can make to
reduce the potential attack surface.
● Limit the resources that a container can use (SELinux/AppArmor)
Containers and volumes read-only
Checklist Dockerfile
Checklist building/maintaining/consuming
AUDITING TOOLS
Docker images scanning
● You can scan your images for known vulnerabilities
● There are tools for that, like Docker Security Scanning,
Docker Bench Security and CoreOS Clair
● Find known vulnerable binaries
Docker Security Scanning
https://docs.docker.com/docker-cloud/builds/image-scan/
● Checks based on best practices for hosts and containers
● Find Common Vulnerabilities and Exposures (CVEs)
Docker Security Scanning
● Checks against CVE database for image layers
● Binary scanning of all components in the image
● Performs binary scan to pick up on statically linked binaries
● Analyses libraries statically compiled in the image
● Generates a report that shows whether there are CVEs in the
libraries inside the image
Docker Security Scanning
Docker Security Scanning
Docker CVE
https://www.docker.com/docker-cve-database
Security pipeline
Clair (Container Vulnerability Analysis Service)
https://github.com/coreos/clair
Vulnerability Static Analysis for Containers
Clair Use cases
● You've found an image by searching the internet and want
to determine if it's safe enough for you to use in production.
● You're regularly deploying into a containerized production
environment and want operations to alert or block
deployments on insecure software.
Docker Bench Security
https://github.com/docker/docker-bench-security
Checks based on best practices for hosts and containers
Docker bench security
● Open-source tool for running automated tests
● Inspired by the CIS Docker 1.11 benchmark
● Runs against the containers currently running on the same host
● Checks for AppArmor, read-only volumes, etc.
Docker bench security
● The host configuration
● The Docker daemon configuration
● The Docker daemon configuration files
● Container images and build files
● Container runtime
● Docker security operations
Docker bench security
● The Docker daemon configuration
  [WARN] 2.1 - Restrict network traffic between containers
● [WARN] 4.1 - Create a user for the container
  [WARN] * Running as root:
● [WARN] 5.4 - Restrict Linux Kernel Capabilities within containers
  [WARN] * Capabilities added: CapAdd=[audit_control]
● [WARN] 5.13 - Mount container's root filesystem as readonly
  [WARN] * Container running with root FS mounted R/W:
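The warnings above come from the docker-bench-security shell script. As an added example, not the project's own code, the Python below re-implements the checks behind 4.1, 5.4 and 5.13 over the JSON that `docker inspect` prints, and 2.1 plus the user-namespace setting from the least-privilege slide over /etc/docker/daemon.json; the inspect output and daemon.json here are constructed samples trimmed to the fields used.

```python
"""Subset of docker-bench-security checks re-implemented in Python (added
example, not the bench script).  Inputs are `docker inspect` JSON and
daemon.json; the samples at the bottom are constructed."""
import json


def check_container(info):
    """Return [WARN] lines for one element of `docker inspect` output."""
    name = info.get("Name", "?").lstrip("/")
    cfg = info.get("Config") or {}
    host = info.get("HostConfig") or {}
    warns = []

    # 4.1: Config.User empty, "root" or "0" means the process starts as root.
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "root", "0"):
        warns.append(f"[WARN] 4.1 {name}: running as root")

    # --privileged hands every capability to the container.
    if host.get("Privileged"):
        warns.append(f"[WARN] {name}: started with --privileged")

    # 5.4: capabilities should only be added on top of --cap-drop ALL
    # (docker run --cap-drop ALL --cap-add $CAP, as the slides recommend).
    cap_add = [c.upper() for c in (host.get("CapAdd") or [])]
    cap_drop = [c.upper() for c in (host.get("CapDrop") or [])]
    if cap_add and "ALL" not in cap_drop:
        warns.append(f"[WARN] 5.4 {name}: capabilities added without dropping ALL: CapAdd={cap_add}")

    # 5.13: the root filesystem should be mounted read-only (docker run --read-only).
    if not host.get("ReadonlyRootfs"):
        warns.append(f"[WARN] 5.13 {name}: root FS mounted R/W")
    return warns


def check_daemon_config(daemon):
    """Return [WARN] lines for the daemon.json settings the slides touch on."""
    warns = []
    # 2.1: inter-container communication on the default bridge stays on unless icc is false.
    if daemon.get("icc", True):
        warns.append('[WARN] 2.1 inter-container traffic allowed (set "icc": false)')
    # User namespaces are disabled by default; userns-remap turns them on.
    if not daemon.get("userns-remap"):
        warns.append('[WARN] user namespaces disabled (set "userns-remap")')
    return warns


def audit(inspect_output, daemon_config):
    """Run both check sets and return every warning."""
    warns = []
    for info in inspect_output:
        warns.extend(check_container(info))
    warns.extend(check_daemon_config(daemon_config))
    return warns


# Constructed sample: one container left at the defaults, one hardened.
SAMPLE_INSPECT = json.loads("""[
 {"Name": "/legacy-app", "Config": {"User": ""},
  "HostConfig": {"Privileged": false, "CapAdd": ["audit_control"],
                 "CapDrop": null, "ReadonlyRootfs": false}},
 {"Name": "/hardened-app", "Config": {"User": "1001:1001"},
  "HostConfig": {"Privileged": false, "CapAdd": ["NET_ADMIN"],
                 "CapDrop": ["ALL"], "ReadonlyRootfs": true}}
]""")
# Constructed sample daemon.json with the defaults left in place.
SAMPLE_DAEMON = json.loads('{"icc": true, "log-driver": "json-file"}')

if __name__ == "__main__":
    for line in audit(SAMPLE_INSPECT, SAMPLE_DAEMON):
        print(line)
```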
Docker Slim
https://github.com/docker-slim/docker-slim
Optimize and secure your Docker containers
Other tools
● OpenSCAP Container Compliance
● Lynis
● Twistlock
● Dockscan
● Aqua Security
● Dagda
OpenScap: Images and Containers; RedHat/Fedora/CentOS based containers
Clair: Images and Containers; Debian/Ubuntu/CentOS based containers
Lynis: Dockerfile, images, containers, packages; Linux and Unix based systems
TwistLock: Kubernetes, Mesos; Linux and Unix based systems
DockScan: Docker server; Docker and container installations
Lynis
● Lynis is a Linux, Mac and Unix security auditing
and system hardening tool that includes a
module to audit Dockerfiles.
● lynis audit dockerfile <file>
● https://github.com/CISOfy/lynis-docker
Dagda
● Static analysis of known vulnerabilities on
Docker containers
● Allows monitoring Docker containers for
detecting anomalous activities
Dagda
● Python 3
● MongoDB
● PyMongo
● Requests
● Python-dateutil
● Joblib
● Docker-py
● Flask
● Flask-cors
● PyYAML
● python3 dagda.py check --docker_image <image_name>
● python3 dagda.py history <image_name> --id <Id_Scan>
Conclusions
● Signing: Secure & sign your source
● Dependencies: Pin & verify your dependencies
● Content Trust: Sign your artifacts with Docker Content Trust
● Privileges: Least privilege configurations
References
● https://docs.docker.com/engine/security
● http://www.oreilly.com/webops-perf/free/files/docker-security.pdf
● http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf
● https://www.openshift.com/promotions/docker-security.html
● Docker Content Trust: https://docs.docker.com/engine/security/trust/content_trust
● Docker Security Scanning: https://docs.docker.com/docker-cloud/builds/image-scan
● https://blog.docker.com/2016/04/docker-security
● http://softwaretester.info/docker-audit/
Books

Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
XfilesPro
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
Paco van Beckhoven
 
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Globus
 
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket ManagementUtilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
Ortus Solutions, Corp
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
Cyanic lab
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
AMB-Review
 

Recently uploaded (20)

Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
 
Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
 
Pro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp BookPro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp Book
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
 
Introduction to Pygame (Lecture 7 Python Game Development)
Introduction to Pygame (Lecture 7 Python Game Development)Introduction to Pygame (Lecture 7 Python Game Development)
Introduction to Pygame (Lecture 7 Python Game Development)
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
 
GraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph TechnologyGraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph Technology
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
 
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
 
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
 
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket ManagementUtilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
 

Testing Docker Images Security

  • 1. Testing Docker Images Security
    Bsides Manchester, August 2017
  • 2. Jose Manuel Ortega
    Software Engineer & Security Researcher
    @jmortegac
    jmortega.github.io
  • 3. Agenda
    ● Introduction to docker security
    ● Security best practices
    ● Tools for auditing docker images
  • 4. Docker
    ● “Docker containers wrap up a piece of software in a complete filesystem that contains everything it needs to run: code, runtime, system tools, system libraries – anything you can install on a server. This guarantees that it will always run the same, regardless of the environment it is running in.”
  • 5. Docker Security
    ● Docker provides an additional layer of isolation, making your infrastructure safer by default.
    ● Makes the application lifecycle faster and easier, reducing risks in your applications.
  • 6. Docker Security
    ● Docker uses several mechanisms for security:
      ○ Linux kernel namespaces
      ○ Linux Control Groups (cgroups)
      ○ The Docker daemon
      ○ Linux capabilities (libcap)
      ○ Linux security mechanisms like AppArmor or SELinux
  • 7. Docker Security
    ● Namespaces: provide an isolated view of the system, where processes cannot see processes in other containers.
    ● Each container also gets its own network stack.
    ● A container doesn’t get privileged access to the sockets or interfaces of another container.
  • 8. Docker Security
    ● Cgroups: kernel feature that limits and isolates the resource usage (CPU, memory, network) of a collection of processes.
    ● Linux Capabilities: divide the privileges of root into distinct units and smaller groups of privileges.
  • 11. Docker images
    ● Images are extracted in a chrooted sub-process, the first step in a wider effort toward privilege separation.
    ● From Docker 1.10, all images are stored and accessed by the cryptographic checksums of their contents, limiting the possibility of an attacker causing a collision with an existing image (Docker Content Trust).
  • 12. Docker Content Trust
    ● Protects against untrusted images
    ● Can enable signing checks on every managed host
    ● Signature verification transparent to users
    ● Guarantees integrity of your images when pulled
    ● Provides trust from publisher to consumer
    ● export DOCKER_CONTENT_TRUST=1
    ● ~/.docker/trust/trusted-certificates/
  • 14. DockerFile Security
    ● Do not write secrets (users and passwords) into the Dockerfile.
    ● Remove unnecessary setuid and setgid permissions (privilege escalation).
    ● Download packages securely, using GPG and certificates.
    ● Try to restrict an image or container to one service.
  • 15. Security best practices
    ● To disable setuid rights, add the following to the Dockerfile of your image
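The Dockerfile snippet slide 15 refers to is not reproduced on this page. As an added example (not the speaker's own code), the Python below does the same job from the auditing side: it walks an extracted image root filesystem, lists every regular file that still carries the setuid or setgid bit, and clears those bits, which is what the usual hardening step (`find / -perm /6000 -type f -exec chmod a-s {} +` in a RUN instruction) does inside the image. The directory tree it inspects is constructed by `build_sample_tree()` for the demonstration; the file names in it are placeholders, not real binaries.

```python
import os
import stat
import tempfile


def build_sample_tree():
    """Create a constructed, throwaway directory tree standing in for an
    image's root filesystem: two setuid files and one ordinary executable."""
    root = tempfile.mkdtemp(prefix="image-rootfs-")
    os.makedirs(os.path.join(root, "usr", "bin"))
    os.makedirs(os.path.join(root, "bin"))
    layout = {
        "usr/bin/passwd-sample": 0o4755,  # stands in for a setuid-root binary
        "bin/mount-sample": 0o4755,       # another setuid placeholder
        "bin/cat-sample": 0o755,          # ordinary executable, must be left alone
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")   # constructed placeholder content
        os.chmod(path, mode)
    return root


def audit_setuid(root):
    """Return the image-relative paths of regular files carrying the setuid
    or setgid bit under `root`. lstat() is used and symlinks are skipped, so a
    link pointing outside the tree cannot make the audit touch host files."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


def strip_setuid(root):
    """Clear setuid/setgid on every finding, the equivalent of `chmod a-s`
    in a hardening RUN step. Returns the number of files changed."""
    changed = 0
    for rel in audit_setuid(root):
        path = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~(stat.S_ISUID | stat.S_ISGID))
        changed += 1
    return changed


if __name__ == "__main__":
    rootfs = build_sample_tree()
    print("setuid/setgid files before:", audit_setuid(rootfs))
    print("stripped:", strip_setuid(rootfs))
    print("setuid/setgid files after:", audit_setuid(rootfs))
```

To audit a real image, export it (`docker save`), extract the layers into a directory and point `audit_setuid()` at that directory; anything the list reports that the service does not need is a candidate for the `chmod a-s` step in the Dockerfile.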
  • 16. Security best practices
    ● Don’t run containers with the --privileged flag.
    ● The --privileged flag gives all capabilities to the container.
    ● docker run --privileged ...
    ● docker run --cap-drop=ALL --cap-add=CAP_NET_ADMIN ...
  • 17. Security best practices: capabilities
    ● How do we add/remove capabilities?
    ● Use --cap-add and --cap-drop with docker run/create
    ● Drop all capabilities which are not required
    ● docker run --cap-drop ALL --cap-add $CAP
  • 18. Security best practices: capabilities
    ● Manual management within the container: docker run --cap-add ALL
    ● Restricted capabilities with root: docker run --cap-drop ALL --cap-add $CAP
    ● No capabilities: docker run --user
  • 19. Security best practices: capabilities
  • 20. Security best practices
    ● Set a specific user.
    ● Don’t run your applications as root in containers.
  • 21. Security best practices
    ● We can verify the integrity of the image
    ● Checksum validation when pulling an image from Docker Hub
    ● Pulling by digest to enforce consistent
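Slide 21 puts two ideas side by side: the content checksum that is validated on pull, and pulling by digest instead of by tag. The Python below is an added example (not from the talk) that makes the difference concrete with a toy content-addressed store: `Registry` is a constructed stand-in for a registry, blobs are stored under their `sha256:` digest exactly as Docker names them, and tags are mutable pointers. `demo()` pushes an image, re-pushes the same tag with different content, and shows that the tag now returns the new content while the pinned `name@sha256:...` reference still returns what was reviewed. `pull()` also re-hashes what it fetched, which is the checksum validation the slide mentions. Reference parsing is simplified (a registry host with a port is not handled).

```python
import hashlib
import re

# Docker digests are the algorithm name, a colon and the lowercase hex hash.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def digest_of(blob):
    """Content digest in the form Docker prints: sha256:<hex>."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def parse_reference(ref):
    """Split `name[:tag][@digest]` into (name, tag, digest). A digest, when
    present, is what gets resolved: the tag is then informational only.
    Simplification: registry hosts with a port (host:5000/app) are not handled."""
    name, _, digest = ref.partition("@")
    if digest and not DIGEST_RE.match(digest):
        raise ValueError("malformed digest in reference: %r" % ref)
    name, _, tag = name.partition(":")
    return name, (tag or None), (digest or None)


class Registry:
    """Toy content-addressed store (constructed for this example): blobs live
    under their digest, tags are mutable pointers that a re-push silently moves."""

    def __init__(self):
        self.blobs = {}
        self.tags = {}

    def push(self, name, tag, blob):
        d = digest_of(blob)
        self.blobs[d] = blob
        self.tags[(name, tag)] = d
        return d

    def pull(self, ref):
        name, tag, digest = parse_reference(ref)
        if digest is None:
            digest = self.tags[(name, tag or "latest")]
        blob = self.blobs[digest]
        # Checksum validation on pull: the bytes must hash to the digest asked for.
        if digest_of(blob) != digest:
            raise ValueError("content does not match digest " + digest)
        return blob


def demo():
    """Return (tag_still_original, digest_still_original) after a tag is re-pushed."""
    reg = Registry()
    original = b"constructed manifest v1"
    pinned = reg.push("library/app", "1.0", original)
    pinned_ref = "library/app@" + pinned
    # Someone re-pushes the same tag with different content.
    reg.push("library/app", "1.0", b"constructed manifest v1, rebuilt")
    by_tag = reg.pull("library/app:1.0")
    by_digest = reg.pull(pinned_ref)
    return by_tag == original, by_digest == original


if __name__ == "__main__":
    print("tag unchanged: %s, digest unchanged: %s" % demo())
```

In practice the pinned reference is the `RepoDigests` value `docker images --digests` or `docker inspect` reports after a reviewed pull; putting that `name@sha256:...` form in the `FROM` line or deployment manifest is what "pulling by digest" means.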
  • 22. Security best practices
    ● Check packages installed in the container
  • 23. Docker security is about limiting and controlling the attack surface on the kernel.
  • 24. Docker least privileges
    ● Do not run processes in a container as root, to avoid root access for attackers.
    ● Enable user namespaces (disabled by default).
    ● Run filesystems as read-only so that attackers cannot overwrite data or save malicious scripts to the image.
    ● Cut down the kernel calls that a container can make to reduce the potential attack surface.
    ● Limit the resources that a container can use (SELinux/AppArmor).
  • 29. Docker images scanning
    ● You can scan your images for known vulnerabilities
    ● There are tools for that, like Docker Security Scanning, Docker Bench Security and CoreOS Clair
    ● Find known vulnerable binaries
  • 30. Docker Security Scanning
    https://docs.docker.com/docker-cloud/builds/image-scan/
    ● Checks based on best practices for hosts and containers
    ● Finds Common Vulnerabilities and Exposures (CVEs)
  • 31. Docker Security Scanning
    ● Checks image layers against the CVE database
    ● Binary scanning of all components in the image
    ● Performs a binary scan to pick up statically linked binaries
    ● Analyses libraries statically compiled into the image
    ● Generates a report that shows whether there are CVEs in the libraries inside the image
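Slides 22 and 29–31 describe what an image scanner does: work out which packages end up installed once all layers are applied, then match them against a vulnerability database by version. The Python below is an added example (not the code of Docker Security Scanning, Clair or Dagda) of that core loop in miniature. Both the layer list and the vulnerability feed are constructed for the demonstration, and the advisory ids are `CVE-XXXX-nnnn` placeholders rather than real CVE numbers. Version comparison is a simplified dotted-chunk compare; real scanners implement each distribution's own algorithm (dpkg, rpm) because package versions contain epochs and revision suffixes this helper does not understand.

```python
import re

# Constructed vulnerability feed: (package, first fixed version, advisory id).
# Advisory ids are placeholders, not real CVE numbers.
CONSTRUCTED_FEED = [
    ("openssl", "1.1.0f", "CVE-XXXX-0001"),
    ("bash", "4.4.12", "CVE-XXXX-0002"),
    ("curl", "7.52.2", "CVE-XXXX-0003"),
]

# Constructed image: each layer adds or upgrades packages; later layers win.
CONSTRUCTED_LAYERS = [
    {"openssl": "1.1.0e", "bash": "4.4.12", "coreutils": "8.26"},   # base image
    {"curl": "7.52.1"},                                             # RUN apt-get install curl
    {"openssl": "1.1.0f"},                                          # RUN apt-get upgrade openssl
]


def version_key(version):
    """Split a version into comparable chunks. Digits compare numerically,
    other chunks as text; each chunk is tagged so mixed chunks never raise.
    Simplified on purpose: no epochs, no distribution-specific tie-breaks."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-+~]", version))


def installed_packages(layers):
    """Fold the layers in order: the final filesystem view is what gets scanned."""
    packages = {}
    for layer in layers:
        packages.update(layer)
    return packages


def introducing_layer(layers, name):
    """Index of the layer that set the version actually installed (the last one)."""
    idx = None
    for i, layer in enumerate(layers):
        if name in layer:
            idx = i
    return idx


def scan_layers(layers, feed):
    """Return (package, installed, fixed, advisory, layer) for every installed
    package whose version is below the first fixed version in the feed."""
    packages = installed_packages(layers)
    findings = []
    for name, fixed, advisory in feed:
        if name in packages and version_key(packages[name]) < version_key(fixed):
            findings.append((name, packages[name], fixed, advisory,
                             introducing_layer(layers, name)))
    return sorted(findings)


if __name__ == "__main__":
    for finding in scan_layers(CONSTRUCTED_LAYERS, CONSTRUCTED_FEED):
        print("%s %s < %s (%s), introduced in layer %d" % finding)
```

Reporting the layer that introduced a vulnerable version is what lets a tool point at the specific Dockerfile instruction to fix, and the `bash` entry shows why an exact "fixed" version must not be flagged: a version equal to the fix is already patched.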
  • 36. Clair (Container Vulnerability Analysis Service)
    https://github.com/coreos/clair
    Vulnerability Static Analysis for Containers
  • 37. Clair use cases
    ● You've found an image by searching the internet and want to determine if it's safe enough for you to use in production.
    ● You're regularly deploying into a containerized production environment and want operations to alert or block deployments on insecure software.
  • 40. Docker Bench Security
    https://github.com/docker/docker-bench-security
    Checks based on best practices for hosts and containers
  • 41. Docker Bench Security
    ● Open-source tool for running automated tests
    ● Inspired by the CIS Docker 1.11 benchmark
    ● Runs against containers currently running on the same host
    ● Checks for AppArmor, read-only volumes, etc.
  • 44. Docker Bench Security
    ● The host configuration
    ● The Docker daemon configuration
    ● The Docker daemon configuration files
    ● Container images and build files
    ● Container runtime
    ● Docker security operations
  • 45. Docker Bench Security
    ● The Docker daemon configuration
    ● [WARN] 2.1 - Restrict network traffic between containers
    ● [WARN] 4.1 - Create a user for the container
      [WARN] * Running as root:
    ● [WARN] 5.4 - Restrict Linux Kernel Capabilities within containers
      [WARN] * Capabilities added: CapAdd=[audit_control]
    ● [WARN] 5.13 - Mount container's root filesystem as readonly
      [WARN] * Container running with root FS mounted R/W:
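The three runtime warnings on slide 45 (running as root, capabilities added, root filesystem mounted read/write) and the `--privileged` point from slide 16 can all be decided from a container's `docker inspect` record. The Python below is an added example, not Docker Bench Security's own code, that applies those four checks to inspect-style JSON; the check numbers are the CIS Docker benchmark ids the slide quotes, the wording of the lines is this example's own. The two records are constructed and trimmed to the fields the checks read. Note the capability check follows slide 17's advice rather than flagging every `CapAdd`: adding a capability on top of `--cap-drop ALL` is the recommended pattern, so only additions without a full drop are reported.

```python
import json

# Constructed `docker inspect` excerpts (only the fields the checks read).
WEAK_CONTAINER = json.loads("""
{
  "Name": "/web-weak",
  "Config": {"User": ""},
  "HostConfig": {
    "Privileged": false,
    "CapAdd": ["audit_control"],
    "CapDrop": null,
    "ReadonlyRootfs": false
  }
}
""")

HARDENED_CONTAINER = json.loads("""
{
  "Name": "/web-hardened",
  "Config": {"User": "app"},
  "HostConfig": {
    "Privileged": false,
    "CapAdd": ["NET_BIND_SERVICE"],
    "CapDrop": ["ALL"],
    "ReadonlyRootfs": true
  }
}
""")


def audit_container(record):
    """Return WARN lines, in the style of the Docker Bench Security output
    quoted on slide 45, for one `docker inspect` record."""
    name = record.get("Name", "?").lstrip("/")
    config = record.get("Config") or {}
    host = record.get("HostConfig") or {}
    warnings = []

    # 4.1: an empty User means the image's default, which is root unless the
    # Dockerfile set USER; "0" and "root" are explicit root.
    user = (config.get("User") or "").strip()
    if user in ("", "0", "root"):
        warnings.append("[WARN] 4.1 - Create a user for the container: %s running as root" % name)

    # Slide 16: --privileged hands the container every capability.
    if host.get("Privileged"):
        warnings.append("[WARN] --privileged grants all capabilities: %s" % name)

    # 5.4: additions are acceptable only on top of --cap-drop ALL (slide 17).
    cap_add = host.get("CapAdd") or []
    cap_drop = [c.upper() for c in (host.get("CapDrop") or [])]
    if cap_add and "ALL" not in cap_drop:
        warnings.append("[WARN] 5.4 - Restrict Linux Kernel Capabilities within containers: "
                        "%s CapAdd=%s without --cap-drop ALL" % (name, cap_add))

    # 5.13: root filesystem should be mounted read-only (--read-only).
    if not host.get("ReadonlyRootfs"):
        warnings.append("[WARN] 5.13 - Mount container's root filesystem as readonly: "
                        "%s root FS mounted R/W" % name)

    return warnings


def audit_all(records):
    """Map container name -> warning list for a `docker inspect` JSON array."""
    return {r["Name"].lstrip("/"): audit_container(r) for r in records}


if __name__ == "__main__":
    for container, found in audit_all([WEAK_CONTAINER, HARDENED_CONTAINER]).items():
        print(container, "->", found or ["no warnings"])
```

Against a live host the same function runs over `json.load(sys.stdin)` fed by `docker inspect $(docker ps -q)`; the hardened record shows the combination the slides recommend (`--user`, `--cap-drop ALL --cap-add $CAP`, `--read-only`) producing no warnings.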
  • 48. Other tools
    ● OpenSCAP Container Compliance
    ● Lynis
    ● Twistlock
    ● Dockscan
    ● Aqua Security
    ● Dagda
  • 49.
    Tool        Scans                                              Supported systems
    OpenScap    Images and containers                              RedHat/Fedora/CentOS based containers
    Clair       Images and containers                              Debian/Ubuntu/CentOS based containers
    Lynis       DockerFile                                         Linux and Unix based systems
    TwistLock   Images, containers, packages; Kubernetes, Mesos    Linux and Unix based systems
    DockScan    Docker server                                      Docker and container installations
  • 50. Lynis
    ● Lynis is a Linux, Mac and Unix security auditing and system hardening tool that includes a module to audit Dockerfiles.
    ● lynis audit dockerfile <file>
  • 52. Dagda
    ● Static analysis of known vulnerabilities in Docker containers
    ● Allows monitoring Docker containers to detect anomalous activities
  • 53. Dagda
    Requirements:
    ● Python 3
    ● MongoDB
    ● PyMongo
    ● Requests
    ● Python-dateutil
    ● Joblib
    ● Docker-py
    ● Flask
    ● Flask-cors
    ● PyYAML
  • 54.
    ● python3 dagda.py check --docker_image <image_name>
    ● python3 dagda.py history <image_name> --id <Id_Scan>
  • 57. Conclusions
    Signing
    ● Secure & sign your source
    Dependencies
    ● Pin & verify your dependencies
    Content Trust
    ● Sign your artifacts with Docker Content Trust
    Privileges
    ● Least privilege configurations
  • 58. References
    ● https://docs.docker.com/engine/security
    ● http://www.oreilly.com/webops-perf/free/files/docker-security.pdf
    ● http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf
    ● https://www.openshift.com/promotions/docker-security.html
  • 59. References
    ● Docker Content Trust
      https://docs.docker.com/engine/security/trust/content_trust
    ● Docker Security Scanning
      https://docs.docker.com/docker-cloud/builds/image-scan
    ● https://blog.docker.com/2016/04/docker-security
    ● http://softwaretester.info/docker-audit/
  • 60. Books