Using Open Source Tools to Secure Containers and Clouds Derek Thurston @derekthurston Nirmal Mehta @normalfaults Booz Allen Open Tech @boozallen
Dec 26, 2015

Page 1: Using Open Source Tools to Secure Containers and Clouds Derek Thurston @derekthurston Nirmal Mehta @normalfaults Booz Allen Open Tech @boozallen.

Using Open Source Tools to Secure Containers and Clouds

Derek Thurston@derekthurston

Nirmal Mehta@normalfaults

Booz Allen Open Tech

@boozallen

Page 2:

About Derek

Started working with open source in 1997 with Red Hat Linux 4.x.

I have been an advocate for Open Source since that day

I have worked on a wide variety of projects for both government and commercial businesses.

Love playing board and video games

Constantly looking for a way to innovate everything!

IANASE (I Am Not A Security Expert)

@derekthurston @normalfaults

Page 3:

About Nirmal

7 years of system integration in Government IT systems

Manually STIG’d 100s of systems in multiple environments (Still recovering)

Red Hat Innovation Award 2013

I enjoy:

- Automating all the things

- PC Gaming

- Hacking

- Getting excited about new technology

- Docker

- Learning Go

- Pythonista

Page 4:

Booz Allen Open Tech

Page 5:

Booz Allen Open Tech

Open Source continues to drive the latest information technology trends, making a significant impact on Cloud, Big Data, and IoT.

Booz Allen has been active in driving open standards, architectures, data, and technology for some time, and it has now formalized its commitment by creating BOT: Booz Allen Open Tech.

BOT is a specialized practice focused on:

- Acceleration: building and contributing to open technology

- Application: helping clients effectively and securely use Open Source

- Assembly: applying the latest framework and technologies to build open systems

Page 6:

Why are we here?

How devastating would it be if your identity were stolen?

What if someone drained your bank account today?

What about your family's identities?

Page 7:

Open Source software can help

- Why Open Source?
- Security Foundations
- Using OpenSCAP for maintaining security
- Container security
- Docker image governance/provenance
- Secrets in containers with Keywhiz
- Proactive monitoring and management

Page 8:

Why Open Source software?

- Evolution through community (OpenSSL/TLS vs s2n)
- Transparency
- Cost
- Value is in heuristics and analysis

Page 9:

Security Foundations

- Protect! Encrypt, Patch, Layers of Defense, Educate, Secure

- Automate! Deployments, Event management, Infrastructure (as code)

- Test! Code, Infrastructure, Backups

Page 10:

Using OpenSCAP for maintaining security

The Security Content Automation Protocol (SCAP) was created to standardize the approach to automatically verifying:

- The presence of patches
- System security configuration settings
- Signs of compromise on a system

OpenSCAP supports the following formats: XCCDF, OVAL®, Asset Identification (ver. 1.1), ARF, CCE™, CPE™, CVE®, CVSS

Page 11:

Using OpenSCAP for maintaining security

Why OpenSCAP?

- OpenSCAP provides the ability to monitor, maintain, and remediate your container or instance's security posture
- OpenSCAP can be run from the command line! \o/
- The community! The OpenSCAP community, the related projects, and the security compliance communities make it easy to use OpenSCAP
- You get PAT... Protect, Automate, Test

Page 12:

Using OpenSCAP for maintaining security (Demo)

OpenSCAP is made of:

- Library: the OpenSCAP library is the API
- Toolkit: oscap is the command line tool
- SCE: the Script Check Engine (run your bash or whatever scripts!)

Page 13:

Using OpenSCAP for maintaining security (Demo)

We have containerized our OpenSCAP demo using the GovReady scripts:

git clone https://github.com/normalfaults/docker-oscap-demo

cd docker-oscap-demo

docker build -t docker-oscap-demo .

docker run -it docker-oscap-demo /bin/bash /root/govready.sh

docker cp <container-id>:/myfisma <local directory>

(The container has already exited when you run docker cp; docker ps -lq prints the id of the most recently created container.)

Open the local directory and view the report in a browser.
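The report the demo copies out of /myfisma is rendered HTML, but oscap xccdf eval also writes machine-readable XCCDF results (with --results) or an ARF report that a build pipeline can gate on. As an added example, not code from the slides, the GovReady scripts or the OpenSCAP project, the Go program below parses a constructed, trimmed-down results file, counts outcomes, lists the rules that failed at or above a chosen severity, and refuses to pass a scan in which no rule was actually evaluated (the symptom of a CPE mismatch, where everything comes back notapplicable). Only the element and attribute names follow XCCDF 1.2; the rule ids, profile and sample XML are constructed for illustration.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// RuleResult mirrors one <rule-result> element of an XCCDF TestResult.
type RuleResult struct {
	IDRef    string `xml:"idref,attr"`
	Severity string `xml:"severity,attr"`
	Result   string `xml:"result"`
}

// TestResult mirrors the <TestResult> element that oscap writes into a
// --results file (inside <Benchmark>) or into an ARF report (nested deeper).
type TestResult struct {
	ID      string `xml:"id,attr"`
	Profile struct {
		IDRef string `xml:"idref,attr"`
	} `xml:"profile"`
	Rules []RuleResult `xml:"rule-result"`
}

// ParseTestResult streams through the document and decodes the first
// <TestResult> it meets, so the same code handles plain XCCDF results and
// ARF without caring about wrapper elements or namespaces.
func ParseTestResult(r io.Reader) (*TestResult, error) {
	dec := xml.NewDecoder(r)
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return nil, fmt.Errorf("no TestResult element in document")
		}
		if err != nil {
			return nil, err
		}
		if se, ok := tok.(xml.StartElement); ok && se.Name.Local == "TestResult" {
			var tr TestResult
			if err := dec.DecodeElement(&tr, &se); err != nil {
				return nil, err
			}
			return &tr, nil
		}
	}
}

// severityRank orders XCCDF severities so a gate can say "medium and above".
var severityRank = map[string]int{"unknown": 0, "info": 1, "low": 2, "medium": 3, "high": 4}

// Summary counts rule results by outcome (pass, fail, notapplicable, ...).
func (tr *TestResult) Summary() map[string]int {
	counts := map[string]int{}
	for _, rr := range tr.Rules {
		counts[rr.Result]++
	}
	return counts
}

// FailingRules returns the ids of rules that failed or errored at or above
// minSeverity. notapplicable, notselected and notchecked are never failures.
func (tr *TestResult) FailingRules(minSeverity string) []string {
	var failed []string
	for _, rr := range tr.Rules {
		if rr.Result != "fail" && rr.Result != "error" {
			continue
		}
		if severityRank[rr.Severity] >= severityRank[minSeverity] {
			failed = append(failed, rr.IDRef)
		}
	}
	return failed
}

// Gate is what a CI job would call. A scan that evaluated nothing (every
// rule notapplicable because the content's CPE did not match the host) must
// not pass silently, and nothing at or above minSeverity may have failed.
func (tr *TestResult) Gate(minSeverity string) error {
	s := tr.Summary()
	if s["pass"]+s["fail"]+s["error"]+s["fixed"] == 0 {
		return fmt.Errorf("no rules were evaluated: check that the content's CPE matches this host")
	}
	if failed := tr.FailingRules(minSeverity); len(failed) > 0 {
		return fmt.Errorf("%d rule(s) at severity %s or above failed: %s", len(failed), minSeverity, strings.Join(failed, ", "))
	}
	return nil
}

// sampleResults is a constructed, cut-down results file; a real one from
// oscap carries hundreds of rule-result elements and timing attributes.
const sampleResults = `<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <TestResult id="xccdf_org.open-scap_testresult_demo">
    <profile idref="xccdf_org.ssgproject.content_profile_common"/>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_selinux_state" severity="high"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="low"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_password" severity="high"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>`

func main() {
	tr, err := ParseTestResult(strings.NewReader(sampleResults))
	if err != nil {
		panic(err)
	}
	fmt.Println("profile:", tr.Profile.IDRef, "summary:", tr.Summary())
	fmt.Println("gate at medium:", tr.Gate("medium"))
}
```

To use it against the demo, add --results results.xml to the oscap xccdf eval call in govready.sh (or point it at the ARF the script already produces), feed that file to ParseTestResult, and fail the build when Gate returns an error.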

Page 14:

Using OpenSCAP for maintaining security (Demo)

OpenSCAP related projects

- https://bugs.centos.org/view.php?id=8178 (CPE definitions are wrong)
- scap-workbench
- yum install epel-release.noarch
- yum install scap-workbench
- yum install scap-security-guide

Page 15:

Container security (the quick stuff)

Use TLS for communication between the Docker Engine and clients

AppArmor (built into Docker)

- in the upstream kernel as of 2.6.36
- Distros that include AppArmor: Annvix, Arch Linux, Debian, Gentoo, Mandriva, openSUSE, Pardus Linux, PLD, Ubuntu

SELinux (built into Docker)

- --selinux-enabled flag on the Docker daemon
- setenforce 1 (http://stopdisablingselinux.com/)

Only trusted users should be allowed to control your Docker daemon (access to the daemon socket is equivalent to root on the host)

Don't run as root inside the container (user-namespace remapping, which maps container root to an unprivileged host uid, was still a future Docker release at the time of this talk)

Run an up-to-date kernel

Page 16:

Container security (Demo)

Docker CIS benchmark - demo run

https://github.com/docker/docker-bench-security

https://dockerbench.com

Immutable containers: recycle them in groups, so a compromised application's connections are dropped

Go builds statically linked binaries: ship images with no shell and no ssh
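Several of the "quick stuff" items on the previous slide and the image-related CIS checks that docker-bench-security runs on a live host can be caught earlier, on the Dockerfile itself. As an added example that is not from the slides, from docker-bench-security or from any lint tool the deck names, the Go program below checks a constructed Dockerfile for an unpinned base image, ADD where COPY would do, an ssh daemon, a credential baked in with ENV, and the absence of a non-root USER; a hardened version of the same Dockerfile passes clean. The rule names, messages and both Dockerfiles are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one lint hit: the 1-based line the instruction started on,
// a short rule id, and what to change.
type Finding struct {
	Line int
	Rule string
	Msg  string
}

// logicalLines joins backslash-continued lines and drops blanks and comments,
// returning each instruction together with the line number it began on.
func logicalLines(src string) (lines []string, starts []int) {
	var cur strings.Builder
	start := 0
	for i, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		if cur.Len() == 0 {
			if line == "" || strings.HasPrefix(line, "#") {
				continue
			}
			start = i + 1
		}
		if strings.HasSuffix(line, "\\") {
			cur.WriteString(strings.TrimSuffix(line, "\\") + " ")
			continue
		}
		cur.WriteString(line)
		lines = append(lines, cur.String())
		starts = append(starts, start)
		cur.Reset()
	}
	return lines, starts
}

// imageIsPinned reports whether a FROM reference carries a tag other than
// "latest" or a digest. A registry port ("host:5000/app") is not a tag.
func imageIsPinned(ref string) bool {
	if ref == "scratch" || strings.Contains(ref, "@") {
		return true
	}
	last := ref[strings.LastIndex(ref, "/")+1:]
	i := strings.Index(last, ":")
	return i > 0 && last[i+1:] != "latest"
}

var secretWords = []string{"PASSWORD", "PASSWD", "SECRET", "TOKEN", "API_KEY", "PRIVATE_KEY"}

// LintDockerfile applies checks that track the slide's advice and the CIS
// Docker Benchmark: pin the base image, COPY rather than ADD, no ssh daemon,
// no credentials in ENV, and finish with a non-root USER.
func LintDockerfile(src string) []Finding {
	var out []Finding
	add := func(n int, rule, msg string) { out = append(out, Finding{n, rule, msg}) }
	lines, starts := logicalLines(src)
	lastUser, lastLine := "", 0
	for k, line := range lines {
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		n := starts[k]
		lastLine = n
		args := strings.Join(f[1:], " ")
		switch strings.ToUpper(f[0]) {
		case "FROM":
			if len(f) > 1 && !imageIsPinned(f[1]) {
				add(n, "pin-base-image", "FROM "+f[1]+" floats on latest; pin a tag or digest")
			}
		case "USER":
			if len(f) > 1 {
				lastUser = strings.SplitN(f[1], ":", 2)[0]
			}
		case "ADD":
			add(n, "prefer-copy", "ADD unpacks archives and fetches URLs; use COPY")
		case "ENV":
			for _, w := range secretWords {
				if strings.Contains(strings.ToUpper(args), w) {
					add(n, "no-secrets-in-env", "ENV bakes a credential into the image; use a secret store")
					break
				}
			}
		case "RUN":
			if strings.Contains(args, "openssh-server") || strings.Contains(args, "sshd") {
				add(n, "no-sshd", "an ssh daemon inside the image widens the attack surface")
			}
		case "EXPOSE":
			if strings.Contains(" "+args+" ", " 22 ") || strings.Contains(args, "22/tcp") {
				add(n, "no-sshd", "EXPOSE 22 suggests an ssh daemon in the image")
			}
		}
	}
	if lastUser == "" || lastUser == "root" || lastUser == "0" {
		add(lastLine, "non-root-user", "no non-root USER: the process will run as root inside the container")
	}
	return out
}

// Two constructed Dockerfiles: one with the usual mistakes, one hardened.
const badDockerfile = `FROM ubuntu
RUN apt-get update && apt-get install -y openssh-server \
    && rm -rf /var/lib/apt/lists/*
ADD app.tar.gz /opt/app
ENV API_TOKEN=abc123
EXPOSE 22 8080
CMD ["/opt/app/run"]`

const hardenedDockerfile = `FROM ubuntu:14.04
RUN groupadd -r app && useradd -r -g app app
COPY app /opt/app
USER app
EXPOSE 8080
CMD ["/opt/app/run"]`

func main() {
	for _, f := range LintDockerfile(badDockerfile) {
		fmt.Printf("line %d [%s] %s\n", f.Line, f.Rule, f.Msg)
	}
	fmt.Println("hardened findings:", len(LintDockerfile(hardenedDockerfile)))
}
```

A Dockerfile check like this complements rather than replaces docker-bench-security: the benchmark inspects the running daemon and containers (TLS on the daemon socket, SELinux/AppArmor profiles, capabilities), which no static read of a Dockerfile can see.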

Page 17:

Docker image governance/provenance

The Notary project comprises a server and a client for running and interacting with trusted collections.

With Notary, publishers can sign their content offline using keys kept highly secure. Once the publisher is ready to make the content available, they can push their signed trusted collection to a Notary Server.

Sign Docker images, establish provenance

https://github.com/docker/notary
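To make the provenance claim concrete: the publisher signs, offline, a statement of which content (by digest) a name maps to, and the client refuses to run anything that does not match that statement. As an added example that is not Notary's code, and deliberately simplified relative to the TUF metadata Notary uses (one targets role, Ed25519, no expiry and no snapshot/timestamp roles, so it does not by itself stop a server from replaying stale but validly signed metadata), the Go program below signs a constructed manifest digest and shows an honest pull verifying while a tampered manifest, a target injected by an untrusted server, and a verifier holding the wrong key are all rejected. The type and function names are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Target is one entry a publisher vouches for: an image name plus the
// sha256 digest and length of its manifest, much as a TUF targets file records.
type Target struct {
	Name   string `json:"name"`
	Digest string `json:"digest"`
	Length int    `json:"length"`
}

// SignedTargets is what gets pushed to the server: the targets plus an
// Ed25519 signature over their canonical JSON encoding.
type SignedTargets struct {
	Targets   []Target `json:"targets"`
	Signature []byte   `json:"signature"`
}

// NewTarget digests a manifest the way a registry identifies it by content.
func NewTarget(name string, manifest []byte) Target {
	sum := sha256.Sum256(manifest)
	return Target{Name: name, Digest: hex.EncodeToString(sum[:]), Length: len(manifest)}
}

// canonical is the byte string that is signed. encoding/json emits struct
// fields in declaration order, so the encoding is deterministic here.
func canonical(ts []Target) []byte {
	b, err := json.Marshal(ts)
	if err != nil {
		panic(err) // cannot happen for these plain structs
	}
	return b
}

// SignTargets is the offline step: only the publisher's private key is needed.
func SignTargets(priv ed25519.PrivateKey, ts []Target) SignedTargets {
	return SignedTargets{Targets: ts, Signature: ed25519.Sign(priv, canonical(ts))}
}

// VerifyPull is the client-side check before an image is run: the signature
// must verify under the publisher's key, the name must be listed, and the
// fetched manifest must match the signed digest and length exactly.
func VerifyPull(pub ed25519.PublicKey, st SignedTargets, name string, manifest []byte) error {
	if !ed25519.Verify(pub, canonical(st.Targets), st.Signature) {
		return fmt.Errorf("targets signature does not verify; trusting nothing in it")
	}
	got := NewTarget(name, manifest)
	for _, t := range st.Targets {
		if t.Name != name {
			continue
		}
		if t.Digest != got.Digest || t.Length != got.Length {
			return fmt.Errorf("%s: fetched manifest %s does not match signed %s", name, got.Digest, t.Digest)
		}
		return nil
	}
	return fmt.Errorf("%s: no signed target with this name", name)
}

// constructedManifest stands in for the bytes a registry would return for a tag.
var constructedManifest = []byte(`{"schemaVersion":2,"layers":[{"digest":"sha256:0000"}]}`)

// Demo walks the publisher/consumer flow and reports whether the honest pull
// verified and whether a tampered manifest and an injected target were rejected.
func Demo() (honestOK, tamperRejected, injectRejected bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	signed := SignTargets(priv, []Target{NewTarget("alpine:3.3", constructedManifest)})

	honestOK = VerifyPull(pub, signed, "alpine:3.3", constructedManifest) == nil

	tampered := []byte(string(constructedManifest) + " ")
	tamperRejected = VerifyPull(pub, signed, "alpine:3.3", tampered) != nil

	// A server that appends a target without the publisher's key breaks the signature.
	injected := signed
	injected.Targets = append(append([]Target{}, signed.Targets...), NewTarget("busybox:1", tampered))
	injectRejected = VerifyPull(pub, injected, "busybox:1", tampered) != nil
	return
}

func main() {
	fmt.Println(Demo())
}
```

The point to carry over to real Notary use is the separation of duties the slide describes: the private key used in SignTargets never needs to touch the server that distributes SignedTargets, so compromising that server yields no way to mint a valid signature.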

Page 18:

Secrets in containers with Keywhiz

Keywhiz is a system for managing and distributing secrets.

Every organization has services or systems that require secrets. Secrets like: TLS certificates/keys, GPG keys, API tokens, database credentials

Common practices include putting secrets in config files next to code or copying files to servers out-of-band. The former is likely to be leaked and the latter difficult to track.

Keywhiz servers in a cluster centrally store secrets encrypted in a database.

Clients use mutually authenticated TLS (mTLS) to retrieve secrets they have access to. Authenticated users administer Keywhiz via CLI or web app UI.

To enable workflows, Keywhiz has automation APIs over mTLS and support for simple secret generation plugins.

https://github.com/square/keywhiz-fs
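The mTLS model described above is easiest to understand end to end in code. As an added example that is not Keywhiz's code, the Go program below builds a throwaway CA, issues certificates to a server and two clients, and serves one constructed secret only over TLS configured with RequireAndVerifyClientCert; the handler then authorizes on the verified client certificate's CommonName against a per-secret ACL. It exercises three outcomes: the granted client gets the secret, a client with a valid certificate but no grant gets 403, and a client with no certificate never gets past the handshake. The CA, names, secret and ACL are constructed for the example; Keywhiz's real API, storage and the keywhiz-fs client differ.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// issue mints a P-256 certificate for cn signed by parent (self-signed when parent is nil).
// CA and leaves carry both EKUs so one constructed CA vouches for the server and its clients.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, tls.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: isCA,
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}, // httptest listens on 127.0.0.1
	}
	if parent == nil { parent, parentKey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// newSecretServer serves secrets only over mutually authenticated TLS: the listener demands
// a client certificate chaining to ca, then the handler authorizes on the verified CommonName.
func newSecretServer(ca *x509.Certificate, serverCert tls.Certificate, secrets map[string]string, acl map[string][]string) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		client := r.TLS.PeerCertificates[0].Subject.CommonName // present: the TLS layer verified it
		name := strings.TrimPrefix(r.URL.Path, "/secret/")
		for _, allowed := range acl[name] {
			if allowed == client {
				io.WriteString(w, secrets[name])
				return
			}
		}
		http.Error(w, "forbidden", http.StatusForbidden)
	}))
	srv.TLS = &tls.Config{
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
		Certificates: []tls.Certificate{serverCert},
	}
	srv.StartTLS()
	return srv
}

// fetchSecret is the client side. Status 0 means the TLS handshake itself failed,
// which is all a client without a certificate ever sees.
func fetchSecret(baseURL string, ca *x509.Certificate, clientCert *tls.Certificate, name string) (int, string) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	cfg := &tls.Config{RootCAs: pool}
	if clientCert != nil { cfg.Certificates = []tls.Certificate{*clientCert} }
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg, DisableKeepAlives: true}}
	resp, err := c.Get(baseURL + "/secret/" + name)
	if err != nil { return 0, err.Error() }
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return resp.StatusCode, strings.TrimSpace(string(body))
}

// Demo builds the constructed PKI and ACL, then shows an authorized client, a client
// with a valid certificate but no grant, and a client with no certificate at all.
func Demo() (authorized, wrongClient, noCert int, body string) {
	ca, caKey, _ := issue("demo-ca", true, nil, nil)
	_, _, srvCert := issue("secret-server", false, ca, caKey)
	_, _, web := issue("web-frontend", false, ca, caKey)
	_, _, batch := issue("batch-job", false, ca, caKey)
	srv := newSecretServer(ca, srvCert,
		map[string]string{"db-password": "constructed-demo-password"},
		map[string][]string{"db-password": {"web-frontend"}})
	defer srv.Close()
	authorized, body = fetchSecret(srv.URL, ca, &web, "db-password")
	wrongClient, _ = fetchSecret(srv.URL, ca, &batch, "db-password")
	noCert, _ = fetchSecret(srv.URL, ca, nil, "db-password")
	return
}

func main() { fmt.Println(Demo()) }
```

Two design points carry over to a real deployment: authorization keys off the identity the TLS layer already verified (here the CommonName, in Keywhiz the client certificate as well), not off anything the client sends in the request, and the private keys for the client certificates are the secret that bootstraps every other secret, so their issuance and rotation deserve the same care as the store itself.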

Page 19:

Proactive monitoring and management

cAdvisor (native support for Docker) https://github.com/google/cadvisor

Elasticsearch, Logstash, Kibana (ELK) https://www.elastic.co/

Nagios https://www.nagios.org

Prometheus http://prometheus.io/

Sensu https://sensuapp.org/

Sysdig http://www.sysdig.org

The Assimilation Project http://assimproj.org

Page 20:

Proactive monitoring and management

Test your code for vulnerabilities

- Brakeman, Rails security scanner http://brakemanscanner.org/
- Open Web Application Security Project (OWASP) https://www.owasp.org/
- Lots of tools here!
- FindBugs, for Java http://findbugs.sourceforge.net

Cloud Access Security Brokers (CASB)

- Sit between your gateway and the cloud provider's gateway
- Security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention
- Is this a gap in Open Source?

Page 21:

Please talk to us!
