jmortega.github.io
about.me/jmortegac
Software Engineer & Security Researcher
Introduction to docker security
Security best practices
Tools for auditing docker images
Three Takeaways
● “Docker containers wrap up a piece of software in a complete filesystem that contains everything it needs to run: code, runtime, system tools, system libraries – anything you can install on a server. This guarantees that it will always run the same, regardless of the environment it is running in.”
● Docker provides an additional layer of isolation,
making your infrastructure safer by default.
● Makes the application lifecycle faster and easier, reducing risks in your applications
● Docker uses several mechanisms for security:
○ Linux kernel namespaces
○ Linux Control Groups (cgroups)
○ The Docker daemon
○ Linux capabilities (libcap)
○ Linux security mechanisms like AppArmor or SELinux
● Namespaces: provide an isolated view of the system, where processes in one container cannot see processes in other containers
● Each container also gets its own network stack.
● A container doesn’t get privileged access to the sockets or interfaces of another container.
● Cgroups: kernel feature that limits and isolates the resource usage (CPU, memory, network) of a collection of processes.
● Linux Capabilities: divides the privileges of root
into distinct units and smaller groups of privileges.
● The docker daemon (/usr/bin/docker) is responsible for managing the control groups, orchestrating the namespaces, and so on so that docker images can be run and secured.
● Because of the need to manage kernel functions, Docker runs with root privileges.
● Limit the users who have control of the Docker Daemon
● Restrict access to the daemon only to the ones really needing it (users, processes)
● Don’t expose the daemon outside your network
● If you do so, make sure you have put it behind a secure proxy, like NGINX
https://github.com/CenturyLinkLabs/dockerfile-from-image
● Images are extracted in a chrooted sub-process, the first step in a wider effort toward privilege separation.
● From Docker 1.10, all images are stored and accessed by the cryptographic checksums of their contents, limiting the possibility of an attacker causing a collision with an existing image.
Docker Content Trust
● Protects against untrusted images
● Can enable signing checks on every managed host
● Signature verification transparent to users
● Guarantee integrity of your images when pulled
● Provides trust from publisher to consumer
● export DOCKER_CONTENT_TRUST=1
● ~/.docker/trust/trusted-certificates/
● Do not write secrets (users and passwords) into images.
● Remove unnecessary setuid and setgid permissions (privilege escalation)
● Download packages securely using GPG and certificates
● Try to restrict an image or container to one service
● To disable setuid rights, add the following to the Dockerfile of your image
● Set a specific user.
● Don’t run your applications as root in containers.
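A minimal Dockerfile checker for the rules above (a non-root USER, no secrets in ENV/ARG, setuid/setgid bits stripped), added here as an example: it is not code from the slides and not the lynis Dockerfile audit, and the sample Dockerfile, the function names and the chmod heuristic are my own assumptions.

```python
import re

# Constructed sample Dockerfile that breaks several of the rules above.
SAMPLE_DOCKERFILE = """\
FROM debian:jessie
ENV DB_PASSWORD=hunter2
RUN apt-get update && \\
    apt-get install -y nginx
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]
"""
# Names that suggest a secret baked into the image via ENV or ARG.
SECRET_RE = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY", re.IGNORECASE)
# A RUN step that strips setuid/setgid bits, e.g. "chmod a-s" or "chmod u-s,g-s".
STRIP_SUID_RE = re.compile(r"chmod\s+[ugoa]*-s")


def parse_instructions(text):
    """Return (INSTRUCTION, argument) pairs, joining backslash continuations."""
    joined = re.sub(r"\s*\\\n\s*", " ", text)
    pairs = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        pairs.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return pairs


def audit_dockerfile(text):
    """Return warnings for the Dockerfile hardening rules listed on the slides."""
    instrs = parse_instructions(text)
    warnings = []
    # Rule: set a specific user; the last USER instruction decides who runs CMD.
    users = [arg.strip() for ins, arg in instrs if ins == "USER"]
    if not users or users[-1].split(":")[0] in ("root", "0"):
        warnings.append("no non-root USER: the application will run as root")
    # Rule: do not write secrets into the image (ENV/ARG stay in image history).
    for ins, arg in instrs:
        if ins in ("ENV", "ARG") and SECRET_RE.search(arg):
            warnings.append("secret written into the image: %s %s" % (ins, arg))
    # Rule: remove unnecessary setuid/setgid permissions (privilege escalation).
    if not any(ins == "RUN" and STRIP_SUID_RE.search(arg) for ins, arg in instrs):
        warnings.append("setuid/setgid bits never stripped (no 'chmod a-s' RUN step)")
    return warnings


if __name__ == "__main__":
    for warning in audit_dockerfile(SAMPLE_DOCKERFILE):
        print("[WARN]", warning)
```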
● Don’t run containers with --privileged flag
● The --privileged flag gives all capabilities to the container.
● docker run --privileged …
● docker run --cap-drop=ALL --cap-add=CAP_NET_ADMIN ...
● Manual management within the container: docker run --cap-add ALL
● Restricted capabilities with root: docker run --cap-drop ALL --cap-add $CAP
● No capabilities: docker run --user
● We can verify the integrity of the image
● Checksum validation when pulling image from docker hub
● Pulling by digest to enforce consistent
● Pulling by Docker content trust
● $ export DOCKER_CONTENT_TRUST=1
  $ docker pull debian:latest
  Pull (1 of 1): debian:latest@sha256:a25306f38…
● Check packages installed in the container
Docker security is about limiting and controlling the attack surface on the kernel.
Run filesystems as read-only so that attackers cannot overwrite data or save malicious scripts to the image.
Auditing Docker Images
● You can scan your images for known vulnerabilities
● There are tools for that, like Docker Security Scanning, Docker Bench Security and CoreOS Clair
● Find known vulnerable binaries
● Checks based on best practices for hosts and containers
● Find Common Vulnerabilities and Exposures (CVEs)
https://docs.docker.com/docker-cloud/builds/image-scan/
● Checks against CVE database for image layers
● Binary scanning of all components in the image
● Performs binary scan to pick up on statically linked binaries
● Analyses libraries statically compiled in the image
● Generates a report that shows whether there are CVEs in the libraries inside the image
https://www.docker.com/docker-cve-database
● Vulnerability Static Analysis for Containers
● https://github.com/coreos/clair
● You've found an image by searching the internet and want to determine if it's safe enough for you to use in production.
● You're regularly deploying into a containerized production environment and want operations to alert or block deployments on insecure software.
● Checks based on best practices for hosts and containers
● https://github.com/docker/docker-bench-security
● Open-source tool for running automated tests
● Inspired by the CIS Docker 1.11 benchmark
● Runs against containers currently running on same host
● Checks for AppArmor, read-only volumes, etc.
● The host configuration
● The Docker daemon configuration
● The Docker daemon configuration files
● Container images and build files
● Container runtime
● Docker security operations
● The Docker daemon configuration
● [WARN] 2.1 - Restrict network traffic between containers
● [WARN] 4.1 - Create a user for the container
● [WARN] * Running as root:
● [WARN] 5.4 - Restrict Linux Kernel Capabilities within containers
● [WARN] * Capabilities added: CapAdd=[audit_control]
● [WARN] 5.13 - Mount container's root filesystem as readonly
● [WARN] * Container running with root FS mounted R/W:
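The runtime rules from the capabilities slide (no --privileged, start from --cap-drop=ALL) and the Docker Bench warnings above (4.1, 5.4, 5.13) applied to the JSON that docker inspect prints, added here as an example: it is neither Docker Bench Security nor code from the slides, it relies on the real Config.User, HostConfig.Privileged, CapAdd, CapDrop and ReadonlyRootfs fields of docker inspect output, and the inspect document, container name and function names are constructed assumptions.

```python
import json

# Constructed excerpt of `docker inspect <container>` output (only the fields
# the checks need) for a badly configured container; the Id is a placeholder.
SAMPLE_INSPECT = json.dumps([{
    "Id": "PLACEHOLDER_CONTAINER_ID",
    "Name": "/webapp",
    "Config": {"User": "", "Image": "example/webapp:latest"},
    "HostConfig": {
        "Privileged": False,
        "CapAdd": ["audit_control"],
        "CapDrop": None,
        "ReadonlyRootfs": False,
    },
}])


def audit_container(entry):
    """Return Docker Bench style findings for one `docker inspect` entry."""
    cfg = entry.get("Config") or {}
    host = entry.get("HostConfig") or {}
    findings = []
    # Slide rule: never run with --privileged (it grants every capability).
    if host.get("Privileged"):
        findings.append("Container running with --privileged (all capabilities)")
    # Bench 4.1: create a user for the container; empty, root or uid 0 is root.
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "root", "0"):
        findings.append("4.1 - Create a user for the container: running as root")
    # Bench 5.4: restrict kernel capabilities; report anything added back.
    if host.get("CapAdd"):
        findings.append("5.4 - Capabilities added: CapAdd=%s" % host["CapAdd"])
    # Slide rule: start from --cap-drop=ALL and add only what is needed.
    if "ALL" not in [c.upper() for c in host.get("CapDrop") or []]:
        findings.append("Capabilities not dropped (no --cap-drop=ALL)")
    # Bench 5.13: mount the root filesystem read-only.
    if not host.get("ReadonlyRootfs"):
        findings.append("5.13 - Container running with root FS mounted R/W")
    return findings


def audit_inspect_json(text):
    """Map container name -> findings for a whole `docker inspect` JSON array."""
    return {entry["Name"]: audit_container(entry) for entry in json.loads(text)}


if __name__ == "__main__":
    for name, findings in audit_inspect_json(SAMPLE_INSPECT).items():
        for finding in findings:
            print("[WARN]", name, finding)
```

On a real host the same functions can be fed the output of `docker inspect $(docker ps -q)` read from a file.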
● Lynis
● Dagda
● Anchore
● https://github.com/CISOfy/lynis-docker
● Lynis is a Linux, Mac and Unix security auditing and system hardening tool that includes a module to audit Dockerfiles.
● lynis audit dockerfile <file>
● https://github.com/eliasgranderubio/dagda
● Static analysis of known vulnerabilities on Docker containers
● Allows monitoring Docker containers for detecting anomalous activities
Python 3
MongoDB
PyMongo
Requests
Python-dateutil
Joblib
Docker-py
Flask
Flask-cors
PyYAML
● python3 dagda.py check --docker_image <image_name>
● python3 dagda.py history <image_name> --id <Id_Scan>
● Signing: Secure & sign your source
● Dependencies: Pin & verify your dependencies
● Content Trust: Sign your artifacts with Docker Content Trust
● Privileges: Least Privilege configurations
● https://docs.docker.com/engine/security
● http://www.oreilly.com/webops-perf/free/files/docker-security.pdf
● http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf
● https://www.openshift.com/promotions/docker-security.html
● Docker Content Trust: https://docs.docker.com/engine/security/trust/content_trust
● Docker Security Scanning: https://docs.docker.com/docker-cloud/builds/image-scan
● https://blog.docker.com/2016/04/docker-security
● http://softwaretester.info/docker-audit
jmortega.github.io
@jmortegac
Thanks!
bit.ly/addo-slack
Find me on slack, right now!