Docker Security: Are Your Containers Tightly Secured to the Ship?


Docker is hot, Docker security is not? In this talk the risks, benefits and defenses of Docker are discussed. They are followed up by some best practices, which you can use in your daily activities. What is clear is that there is still a lot to do to get your containers secured.

Event: Docker Amsterdam Meetup - January 2015
This presentation was given by Michael Boelen, January 23rd at Schuberg Philis. The event was organized by Mark Robert Coleman with the help of Harm Boertien. With a full house of people, Docker security was discussed.

About the author:
Michael Boelen is founder of CISOfy and researches Linux security to build tools and documentation, to simplify it for others. Examples are tools like Rootkit Hunter and Lynis, blog posts and presentations.


  1. Docker Amsterdam Meetup - January 2015. Docker Security: Are Your Containers Tightly Secured To The Ship? Michael Boelen, CISOfy
  2. whoami: Michael Boelen
     ◼ Founder of CISOfy
     ◼ Open Source developer: Rootkit Hunter and Lynis
     ◼ Passion for Linux security / auditing
     ◼ Blogging about it: Linux-Audit.com
  3. Docker and Me: My Reasons
     ◼ Understanding: New technology
     ◼ Development: Docker security scan (Lynis plugin)
     ◼ Using it: Server deployments
  4. Docker and Security: The Research...
     ◼ Limited resources
     ◼ Outdated articles
     ◼ Security not important?
     ◼ Proposal: Let's fix these issues
  5. Docker and Security: Proposal
     ◼ Tooling: simplify Linux security
     ◼ Articles about Docker security
     ◼ Provide input to projects
     ◼ Presentations → Lynis → Blog post → You! → In progress
  6. Goal: What
     ◼ Stabilize the vessel
     ◼ Secure the containers
  7. Goal: How (Photo credits: imagebase.net)
     ◼ Benefits
     ◼ Risks
     ◼ Defenses
     ◼ Best Practices
  8. Goal: Why?
  9. Goal: Data!
     ◼ Docker + Software = Data Sharing
     ◼ And... Protect it
  10. Warning: From this point, there might be lies...
  11. Security Benefits of Docker
  12. Security Benefits: Segregation
     ◼ The "Holy Grail" of security
     ◼ Smaller units means more control
  13. Security Benefits: Granular control
     ◼ Limit users, access and data
     ◼ Easier to understand
     ◼ Easier to defend
  14. Security Benefits: Information Disclosure
     ◼ Decreased data leakage
     ◼ Less resources available
  15. Docker Risks
  16. Docker Risks: Software security
     ◼ Bugs
     ◼ Security vulnerabilities
     ◼ Regular updates needed
     ◼ Backdoors? Auditing?
  17. Docker Risks: Knowledge gap
     ◼ IT auditor
     ◼ Your colleagues
     ◼ You...?
  18. Docker Risks: Does Not Contain
     ◼ No full isolation (yet)
     ◼ Handle containers as a host
     ◼ Know strengths and weaknesses
  19. Docker Defenses
  20. Docker Defenses: Docker Website
     ◼ HTTPS
     ◼ Digital signatures
     ◼ Images verified after downloading
  21. Docker Defenses: Docker Containers (Copyright Docker, Inc)
     ◼ Namespaces and cgroups
     ◼ Seccomp
     ◼ Capabilities
     ◼ Frameworks
  22. Docker Defenses: Namespaces
     ◼ Isolates parts of the OS
     ◼ PID namespaces
     ◼ Network namespaces
     ◼ User namespaces → Not really!
  23. Docker Defenses: Namespaces (cont.)
     ◼ IPC namespaces (process communication)
     ◼ UTS namespaces (hostname/NIS)
     ◼ Mount namespaces
  24. Docker Defenses: Seccomp
     ◼ Secure computing mode
     ◼ Filters syscalls with BPF
     ◼ Isolation, not virtualization
     ◼ Used in Chrome, OpenSSH, vsftpd, LXD and Mbox
  25. Docker Defenses: Seccomp
     ◼ Default list of blocked calls
     ◼ kexec_load
     ◼ open_by_handle_at
     ◼ init_module
     ◼ finit_module
     ◼ delete_module
  26. Docker Defenses: Control Groups (cgroups)
     ◼ Restrict resources
     ◼ Prioritize
     ◼ Accounting
     ◼ Control
  27. Docker Defenses: Capabilities
     ◼ = Root user, split into roles
     ◼ Default list of allowed capabilities
     ◼ --cap-add / --cap-drop
     ◼ Combine (e.g. add all, drop a few)
  28. Docker Defenses

     Capability            Functionality
     CAP_AUDIT_WRITE       Audit log write access
     CAP_AUDIT_CONTROL     Configure Linux Audit subsystem
     CAP_MAC_OVERRIDE      Override kernel MAC policy
     CAP_MAC_ADMIN         Configure kernel MAC policy
     CAP_NET_ADMIN         Configure networking
     CAP_SETPCAP           Process capabilities
     CAP_SYS_MODULE        Insert and remove kernel modules
     CAP_SYS_NICE          Priority of processes
     CAP_SYS_PACCT         Process accounting
     CAP_SYS_RAWIO         Modify kernel memory
     CAP_SYS_RESOURCE      Resource Limits
     CAP_SYS_TIME          System clock alteration
     CAP_SYS_TTY_CONFIG    Configure tty devices
     CAP_SYSLOG            Kernel syslogging (printk)
     CAP_SYS_ADMIN         All others

  29. Docker Defenses: AppArmor / SELinux
     ◼ MAC frameworks
     ◼ Help with containment
     ◼ Learning them now, will pay off later
  30. Docker Defenses: Audit subsystem
     ◼ Developed by Red Hat
     ◼ Files / system calls
     ◼ Monitors the (system | file) integrity
  31. Docker Defenses: Audit (example)

     # Time related calls
     -a always,exit -S adjtimex -S settimeofday -S stime -k time-change
     -a always,exit -S clock_settime -k time-change
     # Hostname and domain
     -a always,exit -S sethostname -S setdomainname -k system-locale
     # Password files
     -w /etc/group -p wa -k identity
     -w /etc/passwd -p wa -k identity
     -w /etc/shadow -p wa -k identity
     -w /etc/sudoers -p wa -k identity

  32. Best Practices
  33. Best Practices: Harden your Host
     ◼ Security = Defense in Depth
     ◼ Use AppArmor / SELinux / GRSEC
     ◼ Limit users / services / network
  34. Best Practices: Harden your Host (cont.)
     ◼ Update your kernel on a regular basis
     ◼ Stay up-to-date with Docker
     ◼ Limit Docker permissions
  35. Best Practices: Harden your Containers
     ◼ Use AppArmor / SELinux
     ◼ Drop capabilities (man capabilities)
     ◼ Filter syscalls (seccomp)
     ◼ Network filtering (iptables)
  36. Best Practices: Docker News
     ◼ Stay informed
     ◼ Follow the Docker blog
     ◼ Keep an eye on Docker/LXC news
  37. Best Practices: Docker Management
     ◼ Encrypt connections
     ◼ Configure and use TLS
     ◼ Set the DOCKER_HOST and DOCKER_TLS_VERIFY variable
  38. Best Practices: SSH in containers
     ◼ Don't use this..
     ◼ Use “docker exec -it mycontainer bash” instead
  39. Best Practices: Read-Only
     ◼ Mounts
     ◼ Data
     ◼ Configuration
  40. Best Practices: User Mappings*
     ◼ Map users to non-privileged
     ◼ /etc/subuid
     ◼ /etc/subgid
     * when available
  41. Best Practices: Don't Trust
     ◼ Verify downloads
     ◼ Be careful with images from others
     ◼ Measure / monitor
  42. Next Step..
     Check out Linux-Audit.com
     Scan your systems → Lynis
     Connect with me:
     E-mail   michael@cisofy.com
     Twitter  @mboelen
     Google+  +MichaelBoelen
     Web      https://cisofy.com
     Blog     http://linux-audit.com
  43. Feedback / Questions?
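The capability table on slide 28 and the --cap-add / --cap-drop advice on slides 27 and 35 can be verified from inside a running container. The script below is an added example, not part of the talk: it decodes a CapEff bitmask from /proc/<pid>/status into the capability names from that table. The function names and the sample masks are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the talk): report which capabilities from the
# slide's table a process still holds, based on its CapEff bitmask.

# bit:name pairs; bit numbers as defined in <linux/capability.h>.
SLIDE_CAPS="8:CAP_SETPCAP 12:CAP_NET_ADMIN 16:CAP_SYS_MODULE
17:CAP_SYS_RAWIO 20:CAP_SYS_PACCT 21:CAP_SYS_ADMIN 23:CAP_SYS_NICE
24:CAP_SYS_RESOURCE 25:CAP_SYS_TIME 26:CAP_SYS_TTY_CONFIG
29:CAP_AUDIT_WRITE 30:CAP_AUDIT_CONTROL 32:CAP_MAC_OVERRIDE
33:CAP_MAC_ADMIN 34:CAP_SYSLOG"

# held_caps HEXMASK: print the table capabilities that are set in HEXMASK.
held_caps() {
    mask=$(( 0x$1 ))
    out=""
    for entry in $SLIDE_CAPS; do
        bit=${entry%%:*}
        name=${entry#*:}
        # Test the single bit that belongs to this capability.
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="${out:+$out }$name"
        fi
    done
    printf '%s\n' "$out"
}

# cap_eff_of PID: read the effective capability mask of a process.
cap_eff_of() {
    awk '/^CapEff:/ { print $2 }' "/proc/$1/status"
}

# Constructed sample masks (hypothetical values for illustration):
#   a80425fb: a container that kept CAP_SETPCAP and CAP_AUDIT_WRITE
#   a80424fb: the same mask after dropping CAP_SETPCAP (bit 8)
held_caps 00000000a80425fb
held_caps 00000000a80424fb
# On a live system: held_caps "$(cap_eff_of self)"
```

An empty line of output means none of the capabilities from the table are held, which is the result to aim for in a container that does not need them.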