Docker is hot, Docker security is not? In this talk the risks, benefits and defenses of Docker are discussed. They are followed up by some best practices, which can you use in your daily activities. What is clear is that there is still a lot to do to get your containers secured. Event: Docker Amsterdam Meetup - January 2015 This presentation was given by Michael Boelen, January 23rd at Schuberg Philis. The event was organized by Mark Robert Coleman with help of Harm Boertien. With a full house of people, Docker security was discussed. About the author: Michael Boelen is founder of CISOfy and researches Linux security to build tools and documentation, to simplify it for others. Examples are tools like Rootkit Hunter and Lynis, blog posts and presentations.

1. Docker Amsterdam Meetup - January 2015 1
Docker Security
Are Your Containers Tightly Secured To The Ship?
Michael Boelen
CISOfy

2. 2
whoami
Michael Boelen
◼ Founder of CISOfy
◼ Open Source developer:
Rootkit Hunter and Lynis
◼ Passion for Linux security / auditing
◼ Blogging about it: Linux-Audit.com

3. 3
Docker and Me
My Reasons
 Understanding: New technology
 Development: Docker security scan
(Lynis plugin)
 Using it: Server deployments

4. 4
Docker and Security
The Research...
 Limited resources
 Outdated articles
 Security not important?
 Proposal: Let's fix these issues

5. 5
Docker and Security
Proposal
 Tooling: simplify Linux security
 Articles about Docker security
 Provide input to projects
 Presentations
→ Lynis
→ Blog post
→ You!
→ In progress

6. 6
Goal
What
 Stabilize the vessel
 Secure the containers

7. 7
Goal
Photo credits: imagebase.net
How
 Benefits
 Risks
 Defenses
 Best Practices

8. 8
Goal
Why?

9. 9
Goal
Data!
 Docker + Software = Data Sharing
 And... Protect it

10. 10
Warning
From this point, there might
be lies...

11. 11
Security Benefits of Docker

12. 12
Security Benefits
Segregation
◼ The „Holy Grail“ of security
◼ Smaller units means more control

13. 13
Security Benefits
Granular control
◼ Limit users, access and data
◼ Easier to understand
◼ Easier to defend

14. 14
Security Benefits
Information Disclosure
◼ Decreased data leakage
◼ Less resources available

15. 15
Docker Risks

16. 16
Docker Risks
Software security
◼ Bugs
◼ Security vulnerabilities
◼ Regular updates needed
◼ Backdoors? Auditing?

17. 17
Docker Risks
Knowledge gap
◼ IT auditor
◼ Your colleagues
◼ You...?

18. 18
Docker Risks
Does Not Contain
◼ No full isolation (yet)
◼ Handle containers as a host
◼ Know strengths and weaknesses

19. 19
Docker Defenses

20. 20
Docker Defenses
Docker Website
◼ HTTPS
◼ Digital signatures
◼ Images verified after downloading

21. 21
Docker Defenses
Docker Containers
◼ Namespaces and cgroups
◼ Seccomp
◼ Capabilities
◼ Frameworks
Copyright Docker, Inc

22. 22
Docker Defenses
Namespaces
◼ Isolates parts of the OS
◼ PID namespaces
◼ Network namespaces
◼ User namespaces → Not really!

23. 23
Docker Defenses
Namespaces (cont.)
◼ IPC namespaces (process communication)
◼ UTS namespaces (hostname/NIS)
◼ Mount namespaces

24. 24
Docker Defenses
Seccomp
◼ Secure computing mode
◼ Filters syscalls with BPF
◼ Isolation, not virtualization
◼ Used in Chrome, OpenSSH, vsftpd,
LXD and Mbox

25. 25
Docker Defenses
Seccomp
◼ Default list of blocked calls
◼ kexec_load
◼ open_by_handle_at
◼ init_module
◼ finit_module
◼ delete_module

26. 26
Docker Defenses
Control Groups (cgroups)
◼ Restrict resources
◼ Prioritize
◼ Accounting
◼ Control

27. 27
Docker Defenses
Capabilities
◼ = Root user, split into roles
◼ Default list of allowed capabilities
◼ --cap-add / --cap-drop
◼ Combine (e.g. add all, drop a few)

28. 28
Docker Defenses
Capability Functionality
CAP_AUDIT_WRITE Audit log write access
CAP_AUDIT_CONTROL Configure Linux Audit subsystem
CAP_MAC_OVERRIDE Override kernel MAC policy
CAP_MAC_ADMIN Configure kernel MAC policy
CAP_NET_ADMIN Configure networking
CAP_SETPCAP Process capabilities
CAP_SYS_MODULE Insert and remove kernel modules
CAP_SYS_NICE Priority of processes
CAP_SYS_PACCT Process accounting
CAP_SYS_RAWIO Modify kernel memory
CAP_SYS_RESOURCE Resource Limits
CAP_SYS_TIME System clock alteration
CAP_SYS_TTY_CONFIG Configure tty devices
CAP_SYSLOG Kernel syslogging (printk)
CAP_SYS_ADMIN All others

29. 29
Docker Defenses
AppArmor / SELinux
◼ MAC frameworks
◼ Help with containment
◼ Learning them now, will pay off later

30. 30
Docker Defenses
Audit subsystem
◼ Developed by Red Hat
◼ Files / system calls
◼ Monitors the (system | file) integrity

31. 31
Docker Defenses
Audit (example)
# Time related calls
-a always,exit -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -S clock_settime -k time-change
# Hostname and domain
-a always,exit -S sethostname -S setdomainname -k system-locale
# Password files
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k identity

32. 32
Best Practices

33. 33
Best Practices
Harden your Host
◼ Security = Defense in Depth
◼ Use AppArmor / SELinux / GRSEC
◼ Limit users / services / network

34. 34
Best Practices
Harden your Host (cont.)
◼ Update your kernel on a regular basis
◼ Stay up-to-date with Docker
◼ Limit Docker permissions

35. 35
Best Practices
Harden your Containers
◼ Use AppArmor / SELinux
◼ Drop capabilities (man capabilities)
◼ Filter syscalls (seccomp)
◼ Network filtering (iptables)

36. 36
Best Practices
Docker News
◼ Stay informed
◼ Follow the Docker blog
◼ Keep an eye on Docker/LXC news

37. 37
Best Practices
Docker Management
◼ Encrypt connections
◼ Configure and use TLS
◼ Set the DOCKER_HOST and
DOCKER_TLS_VERIFY variable

38. 38
Best Practices
SSH in containers
◼ Don't use this..
◼ Use “docker exec -it mycontainer bash”
instead

39. 39
Best Practices
Read-Only
◼ Mounts
◼ Data
◼ Configuration

40. 40
Best Practices
User Mappings*
◼ Map users to non-privileged
◼ /etc/subuid
◼ /etc/subgid
* when available

41. 41
Best Practices
Don't Trust
◼ Verify downloads
◼ Be careful with images from others
◼ Measure / monitor

42. 42
Next Step..
Check out Linux-Audit.com
Scan your systems → Lynis
Connect with me:
E-mail michael@cisofy.com
Twitter @mboelen
Google+ +MichaelBoelen
Web https://cisofy.com
Blog http://linux-audit.com

43. 43
Feedback / Questions?

44. 44