Testing Docker Images Security
José Manuel Ortega
November 2017

Who am I
@jmortegac
jmortega.github.io
about.me/jmortegac
1. Introduction to Docker security
2. Security best practices
3. Tools for auditing the Docker host
4. Tools for auditing Docker images
5. Demo
● Docker uses several mechanisms:
○ Linux kernel namespaces
○ Linux Control Groups (cgroups)
○ The Docker daemon
○ Linux capabilities (libcap)
○ Linux security mechanisms like AppArmor, SELinux, Seccomp

● Namespaces provide an isolated view of the system: processes in one container cannot see processes in other containers.
● Each container also gets its own network stack.
● A container doesn’t get privileged access to the sockets or interfaces of another container.

● Cgroups: kernel feature that limits and isolates the resource usage (CPU, memory, network) of a collection of processes.
● Linux Capabilities: divide the privileges of root into distinct units, so a process can be granted a smaller set of privileges instead of all of root.
● We can verify the integrity of the image
● Checksum validation when pulling an image from Docker Hub
● Pulling by digest to enforce consistent
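The following is an added example (mine, not from the slides) of what "pull by digest" means as a policy check: a reference is accepted only when it carries a sha256 digest, which names exactly one manifest, whereas a tag can be re-pointed on the registry. The sample references and the digest value in them are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original slides): enforce "pull by digest".
# A reference counts as pinned only if it ends in @sha256:<64 hex digits>.
# A tag is mutable (it can be re-pointed on the registry); the digest names
# exactly one manifest, and "docker pull name@sha256:..." fetches only that one.

# is_pinned REF -> 0 if REF is pinned by digest, 1 otherwise
is_pinned() {
    printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# image_digest REF -> prints "sha256:<hex>" from a pinned reference (nothing if unpinned)
image_digest() {
    printf '%s\n' "$1" | sed -n 's/.*@\(sha256:[0-9a-f]\{64\}\)$/\1/p'
}

# check_refs: reads one image reference per line on stdin, prints
# "PINNED <ref>" or "UNPINNED <ref>" per line, and returns the number of
# unpinned references, so a CI job can fail on a non-zero status.
check_refs() {
    unpinned=0
    while IFS= read -r ref; do
        [ -n "$ref" ] || continue
        if is_pinned "$ref"; then
            echo "PINNED   $ref ($(image_digest "$ref"))"
        else
            echo "UNPINNED $ref"
            unpinned=$((unpinned + 1))
        fi
    done
    return "$unpinned"
}

# Constructed sample references (the digest is a placeholder, not a real image digest):
SAMPLE_REFS='nginx:latest
nginx@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
registry.example.com/app:1.2@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
alpine:3.6'

# Real input would come from e.g.: grep -h '^FROM' Dockerfile* | awk '{print $2}'
if printf '%s\n' "$SAMPLE_REFS" | check_refs; then
    echo "all references pinned by digest"
else
    echo "unpinned references: $?"
fi
```

The exit status of check_refs is the count of unpinned references, so the same function can gate a build: pipe the FROM lines of your Dockerfiles through it and fail the job when it returns non-zero.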
● A capability is one distinct unit of the privileges traditionally held by root (e.g. bind a low port, change a file's owner)
● Goal is to restrict “capabilities”
● Privileged process = all the capabilities!
● Unprivileged process = the kernel checks each required capability individually
● Example Capabilities:
○ CAP_CHOWN
○ CAP_SETUID
○ CAP_NET_RAW
○ CAP_SYS_ADMIN
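To see what "privileged = all the capabilities" means in practice, the following added example (mine, not from the slides) decodes the CapEff bitmask that the kernel reports in /proc/<pid>/status into capability names. The two masks it uses are constructed values: a80425fb is the set Docker grants by default, 3fffffffff is every capability on a kernel that has 38 of them (what a --privileged container or host root gets).

```shell
#!/bin/sh
# Added example (not from the original slides): decode a Linux capability bitmask,
# as printed in the CapEff/CapBnd lines of /proc/<pid>/status, into capability names.
# Inside a container: grep Cap /proc/1/status   (or: docker exec <ctr> grep Cap /proc/1/status)

# Capability names in bit order, from linux/capability.h
# (bit 0 = CAP_CHOWN ... bit 21 = CAP_SYS_ADMIN ... bit 40 = CAP_CHECKPOINT_RESTORE).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap \
linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner \
sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice \
sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap \
mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"

# decode_caps HEXMASK -> prints "cap_<name>" for every set bit, space separated, in bit order
decode_caps() {
    mask=$((0x$1)); bit=0; out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="$out cap_$name"
        fi
        bit=$((bit + 1))
    done
    echo "${out# }"
}

# count_caps HEXMASK -> number of set bits (capabilities held)
count_caps() {
    mask=$((0x$1)); n=0
    while [ "$mask" -ne 0 ]; do
        n=$((n + (mask & 1))); mask=$((mask >> 1))
    done
    echo "$n"
}

# has_cap HEXMASK NAME -> 0 if NAME (lower case, without the cap_ prefix) is set in the mask
has_cap() {
    mask=$((0x$1)); bit=0
    for name in $CAP_NAMES; do
        if [ "$name" = "$2" ]; then
            if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then return 0; fi
            return 1
        fi
        bit=$((bit + 1))
    done
    return 1
}

# Constructed masks (not captured from a real host):
#   a80425fb   = Docker's default capability set (14 caps, no --cap-add/--cap-drop)
#   3fffffffff = every capability on a kernel with 38 of them, i.e. --privileged or root on the host
DOCKER_DEFAULT=a80425fb
ALL_CAPS=3fffffffff

if [ -r /proc/self/status ]; then
    own=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    [ -n "$own" ] && echo "this shell: CapEff=$own ($(count_caps "$own") caps): $(decode_caps "$own")"
fi
echo "docker default ($(count_caps "$DOCKER_DEFAULT") caps): $(decode_caps "$DOCKER_DEFAULT")"
echo "privileged: $(count_caps "$ALL_CAPS") caps"
has_cap "$DOCKER_DEFAULT" sys_admin || echo "default set lacks cap_sys_admin (--cap-add SYS_ADMIN is close to --privileged)"
has_cap "$DOCKER_DEFAULT" net_raw && echo "default set includes cap_net_raw: --cap-drop NET_RAW unless raw sockets are needed"
```

Run it on the host and then inside a container (docker exec ... grep CapEff /proc/1/status) to compare the two masks; a container started with --cap-drop ALL --cap-add NET_BIND_SERVICE shows a mask of 400 (bit 10 only).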
Docker security is about limiting and controlling the attack surface on the kernel.
Run filesystems as read-only so that attackers cannot overwrite data or save malicious scripts to the image.
● Do not run processes in a container as root, so an attacker who compromises the process does not get root.
● Enable user namespaces (disabled by default) so that root inside the container maps to an unprivileged user on the host.
● Run filesystems as read-only so that attackers cannot overwrite data or save malicious scripts to a file.
● Cut down the kernel calls (syscalls) that a container can make (seccomp) to reduce the potential attack surface.
● Limit the resources that a container can use (cgroups).
● Confine what the container can access with a mandatory access control policy (SELinux/AppArmor).
● Set a specific user.
● Don’t run your applications as root in containers.
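The best practices above map onto concrete docker run flags. The following added example (mine, not from the slides) is a small pre-flight lint for a docker run command line that flags the weak settings, shown next to a hardened command line that passes it. The checks are plain string matches on the command line (they do not inspect the image, so a USER set in the Dockerfile is not seen), and the two command lines are constructed, not from a real deployment.

```shell
#!/bin/sh
# Added example (not from the original slides): lint a "docker run" command line for
# the hardening settings discussed above. String matching only; an approximation.

# audit_run_cmd "docker run ..." -> prints one finding per line, returns the number of findings
audit_run_cmd() {
    cmd=" $1 "       # pad so whole flags can be matched as " --flag "
    findings=0
    note() { echo "$1"; findings=$((findings + 1)); }

    case "$cmd" in *" --privileged "*)
        note "--privileged: all capabilities, no seccomp/AppArmor confinement";; esac
    case "$cmd" in *"/var/run/docker.sock"*)
        note "docker.sock mounted: the container can drive the host's Docker daemon (root on the host)";; esac
    case "$cmd" in *" --user"*|*" -u "*) ;; *)
        note "no --user: processes run as root unless the image sets USER";; esac
    case "$cmd" in *" --read-only "*) ;; *)
        note "no --read-only: writable root filesystem";; esac
    case "$cmd" in *" --cap-drop"*) ;; *)
        note "no --cap-drop: default capability set kept (e.g. cap_net_raw)";; esac
    case "$cmd" in *"no-new-privileges"*) ;; *)
        note "no --security-opt no-new-privileges: setuid binaries can regain root";; esac
    case "$cmd" in *" --memory"*|*" -m "*|*" --pids-limit"*) ;; *)
        note "no resource limits (--memory/--pids-limit): cgroup limits not set";; esac

    return "$findings"
}

# Constructed command lines (not from a real deployment).
WEAK_CMD='docker run -d --privileged -v /var/run/docker.sock:/var/run/docker.sock nginx'
HARDENED_CMD='docker run -d --read-only --tmpfs /tmp --user 1000:1000 --cap-drop ALL --cap-add NET_BIND_SERVICE --security-opt no-new-privileges:true --pids-limit 100 --memory 256m nginx'

echo "== weak: $WEAK_CMD"
audit_run_cmd "$WEAK_CMD" || echo "findings: $?"
echo "== hardened: $HARDENED_CMD"
if audit_run_cmd "$HARDENED_CMD"; then echo "findings: 0"; fi
```

The hardened line drops every capability and adds back only the one the service needs, mounts the root filesystem read-only with a tmpfs for scratch space, runs as an unprivileged uid, forbids privilege gain through setuid binaries, and sets cgroup limits so a compromised process cannot exhaust the host.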
● AppArmor is a Mandatory Access Control (MAC) system which is a kernel (LSM) enhancement to confine programs to a limited set of resources. AppArmor's security model is to bind access control attributes to programs rather than to users.
● Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including United States Department of Defense
● Seccomp restricts the system calls a container can make, based on a policy
● Block things like:
○ Kernel module manipulation (init_module, finit_module, delete_module)
○ Mounting filesystems (mount, umount2)
○ Changing permissions (chmod, fchmod, fchmodat)
○ Changing owners and groups (chown, fchown, lchown, fchownat)
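The following added example (mine, not from the slides and not Docker's own profile) writes a seccomp profile in the JSON format Docker accepts that returns EPERM for the syscall groups listed above, plus a helper that checks whether a given syscall is blocked by a profile file. Docker's default profile is an allow-list (anything not listed is denied); this deny-list profile only illustrates the structure, and the output path is an assumption.

```shell
#!/bin/sh
# Added example (not from the original slides): a deny-list seccomp profile for the
# syscall groups above, and a checker for it. Apply with:
#   docker run --security-opt seccomp=/path/deny-modules.json ...
# Docker's default.json is an allow-list; use it as the base in practice.

# write_profile FILE -> writes the profile JSON to FILE
write_profile() {
    cat > "$1" <<'EOF'
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    {
      "names": ["init_module", "finit_module", "delete_module"],
      "action": "SCMP_ACT_ERRNO",
      "args": [],
      "comment": "kernel module manipulation"
    },
    {
      "names": ["mount", "umount2", "pivot_root"],
      "action": "SCMP_ACT_ERRNO",
      "args": [],
      "comment": "mounting filesystems"
    },
    {
      "names": ["chmod", "fchmod", "fchmodat", "chown", "fchown", "lchown", "fchownat"],
      "action": "SCMP_ACT_ERRNO",
      "args": [],
      "comment": "permission and ownership changes"
    }
  ]
}
EOF
}

# syscall_blocked FILE NAME -> 0 if NAME is listed in a rule whose action is SCMP_ACT_ERRNO
# Splits the file into one record per "}" (one rule object each) and looks for the
# quoted syscall name together with the ERRNO action in the same record.
syscall_blocked() {
    awk -v name="\"$2\"" 'BEGIN { RS = "}" }
        index($0, "\"SCMP_ACT_ERRNO\"") && index($0, name) { found = 1 }
        END { exit !found }' "$1"
}

PROFILE=${TMPDIR:-/tmp}/deny-modules.json    # output path: an assumption
write_profile "$PROFILE"
for sc in init_module mount chown read; do
    if syscall_blocked "$PROFILE" "$sc"; then
        echo "$sc: blocked (returns EPERM)"
    else
        echo "$sc: allowed"
    fi
done
echo "apply with: docker run --security-opt seccomp=$PROFILE ..."
```

With this profile applied, a command such as chown inside the container fails with "Operation not permitted" even if the container still holds cap_chown, since the syscall is refused before the capability check is reached.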
Auditing Docker Host
● Auditing the Docker environment and containers
● Open-source tool for running automated tests
● Inspired by the CIS Docker 1.11 benchmark
● Runs against containers currently running on the same host
● Checks for AppArmor, read-only volumes, etc.
● https://github.com/docker/docker-bench-security
● The host configuration
● The Docker daemon configuration
● The Docker daemon configuration files
● Container images and build files
● Container runtime
● Docker security operations
● The Docker daemon configuration
● [WARN] 2.1 - Restrict network traffic between containers
● [WARN] 4.1 - Create a user for the container
● [WARN] * Running as root:
● [WARN] 5.4 - Restrict Linux Kernel Capabilities within containers
● [WARN] * Capabilities added: CapAdd=[audit_control]
● [WARN] 5.13 - Mount container's root filesystem as readonly
● [WARN] * Container running with root FS mounted R/W:
● https://github.com/CISOfy/lynis-docker
● Lynis is a Linux, Mac and Unix security auditing and system hardening tool that includes a module to audit Dockerfiles.
● lynis audit system
● lynis audit dockerfile <file>
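To show the kind of checks a Dockerfile audit performs, the following added example (mine, not from the slides and not Lynis's own code) is a minimal Dockerfile linter covering the points made earlier: unpinned base image, missing or root USER, ADD instead of COPY, credentials in ENV, sudo in the image, and downloads piped into a shell. The two Dockerfiles it audits are constructed samples and the temp directory is an assumption.

```shell
#!/bin/sh
# Added example (not from the original slides, not Lynis): a small Dockerfile linter.
# Each check prints a finding; the function returns the number of findings.

# audit_dockerfile FILE -> findings on stdout, return value = number of findings
audit_dockerfile() {
    f=$1; n=0
    warn() { echo "[WARN] $1"; n=$((n + 1)); }

    # 1. Base image: an untagged or :latest FROM resolves to a mutable image.
    base=$(grep -i '^FROM' "$f" | head -n 1 | awk '{print $2}')
    case "$base" in
        *@sha256:*) ;;                                        # pinned by digest
        ""|*:latest) warn "FROM '$base': no tag or :latest, the base image is mutable";;
        *:*) ;;                                               # tagged (better: also pin by digest)
        *) warn "FROM '$base': no tag, resolves to :latest";;
    esac

    # 2. USER: without it, or with root, processes in the container run as uid 0.
    user=$(grep -i '^USER' "$f" | tail -n 1 | awk '{print $2}')
    case "$user" in
        "") warn "no USER instruction: container processes run as root";;
        root|0|root:*|0:*) warn "USER is root";;
    esac

    # 3. ADD fetches URLs and auto-extracts archives; COPY does neither.
    if grep -qi '^ADD ' "$f"; then
        warn "ADD used: prefer COPY (ADD fetches URLs and unpacks archives)"
    fi

    # 4. Credentials in ENV end up in the image history, visible to anyone who pulls it.
    if grep -qiE '^ENV .*(PASSWORD|SECRET|TOKEN|API_KEY)' "$f"; then
        warn "ENV appears to embed a credential (stored in the image history)"
    fi

    # 5. sudo inside an image is a privilege escalation path for a compromised process.
    if grep -qiE '^RUN .*[[:space:]]sudo([[:space:]]|$)' "$f"; then
        warn "sudo used or installed in the image"
    fi

    # 6. curl|sh executes unverified code at build time (pin and verify dependencies instead).
    if grep -qiE '^RUN .*(curl|wget).*[|][[:space:]]*(sh|bash)' "$f"; then
        warn "download piped into a shell: unverified code executed at build time"
    fi

    return "$n"
}

# write_samples DIR -> writes two constructed Dockerfiles (not real projects) into DIR
write_samples() {
    mkdir -p "$1"
    cat > "$1/Dockerfile.bad" <<'EOF'
FROM ubuntu
ENV API_TOKEN=abc123
RUN apt-get update && apt-get install -y sudo curl
RUN curl -s https://example.invalid/install.sh | sh
ADD app.tar.gz /opt/app
CMD ["/opt/app/run"]
EOF
    cat > "$1/Dockerfile.good" <<'EOF'
FROM ubuntu:16.04@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
RUN groupadd -r app && useradd -r -g app app
COPY app /opt/app
USER app
CMD ["/opt/app/run"]
EOF
}

TMP=${TMPDIR:-/tmp}/dockerfile-audit-$$     # temp dir: an assumption
write_samples "$TMP"
for df in "$TMP/Dockerfile.bad" "$TMP/Dockerfile.good"; do
    echo "== $df"
    audit_dockerfile "$df" || echo "findings: $?"
done
rm -rf "$TMP"
```

The digest in Dockerfile.good is a placeholder; a real one comes from docker inspect --format '{{index .RepoDigests 0}}' on the pulled image.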
https://github.com/CISOfy/lynis/blob/master/include/helper_audit_dockerfile
Demo time
Auditing Docker Images
● You can scan your images for known vulnerabilities
● Find known vulnerable binaries
● Docker Security Scanning
● OWASP Dependency checker
● Anchore Cloud
● Tenable.io Container Security
● Dagda
https://hub.docker.com/r/deepfenceio/deepfence_depcheck/
Dagda requirements:
● Python 3
● MongoDB
● PyMongo
● Requests
● Python-dateutil
● Joblib
● Docker-py
● Flask
● Flask-cors
● PyYAML
Docker Images for Malware Analysis
Demo time
● Signing: secure & sign your source
● Dependencies: pin & verify your dependencies
● Content Trust: sign your artifacts with Docker Content Trust
● Privileges: least-privilege configurations
● https://docs.docker.com/engine/security
● http://www.oreilly.com/webops-perf/free/files/docker-security.pdf
● http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf
● Docker Content Trust: https://docs.docker.com/engine/security/trust/content_trust
● Docker Security Scanning: https://docs.docker.com/docker-cloud/builds/image-scan
● https://blog.docker.com/2016/04/docker-security
● http://softwaretester.info/docker-audit
jmortega.github.io
@jmortegac