Docker is hot, Docker security is not? In this talk the risks, benefits and defenses of Docker are discussed. They are followed up by some best practices, which can you use in your daily activities. What is clear is that there is still a lot to do to get your containers secured.
Event: Docker Amsterdam Meetup - January 2015
This presentation was given by Michael Boelen, January 23rd at Schuberg Philis. The event was organized by Mark Robert Coleman with help of Harm Boertien. With a full house of people, Docker security was discussed.
About the author:
Michael Boelen is founder of CISOfy and researches Linux security to build tools and documentation, to simplify it for others. Examples are tools like Rootkit Hunter and Lynis, blog posts and presentations.
Docker Security: Are Your Containers Tightly Secured to the Ship?
1. Docker Amsterdam Meetup - January 2015 1
Docker Security
Are Your Containers Tightly Secured To The Ship?
Michael Boelen
CISOfy
2. 2
whoami
Michael Boelen
◼ Founder of CISOfy
◼ Open Source developer:
Rootkit Hunter and Lynis
◼ Passion for Linux security / auditing
◼ Blogging about it: Linux-Audit.com
3. 3
Docker and Me
My Reasons
Understanding: New technology
Development: Docker security scan
(Lynis plugin)
Using it: Server deployments
4. 4
Docker and Security
The Research...
Limited resources
Outdated articles
Security not important?
Proposal: Let's fix these issues
5. 5
Docker and Security
Proposal
Tooling: simplify Linux security
Articles about Docker security
Provide input to projects
Presentations
→ Lynis
→ Blog post
→ You!
→ In progress
27. 27
Docker Defenses
Capabilities
◼ = Root user, split into roles
◼ Default list of allowed capabilities
◼ --cap-add / --cap-drop
◼ Combine (e.g. add all, drop a few)
28. 28
Docker Defenses
Capability Functionality
CAP_AUDIT_WRITE Audit log write access
CAP_AUDIT_CONTROL Configure Linux Audit subsystem
CAP_MAC_OVERRIDE Override kernel MAC policy
CAP_MAC_ADMIN Configure kernel MAC policy
CAP_NET_ADMIN Configure networking
CAP_SETPCAP Process capabilities
CAP_SYS_MODULE Insert and remove kernel modules
CAP_SYS_NICE Priority of processes
CAP_SYS_PACCT Process accounting
CAP_SYS_RAWIO Modify kernel memory
CAP_SYS_RESOURCE Resource Limits
CAP_SYS_TIME System clock alteration
CAP_SYS_TTY_CONFIG Configure tty devices
CAP_SYSLOG Kernel syslogging (printk)
CAP_SYS_ADMIN All others
29. 29
Docker Defenses
AppArmor / SELinux
◼ MAC frameworks
◼ Help with containment
◼ Learning them now, will pay off later
42. 42
Next Step..
Check out Linux-Audit.com
Scan your systems → Lynis
Connect with me:
E-mail michael@cisofy.com
Twitter @mboelen
Google+ +MichaelBoelen
Web https://cisofy.com
Blog http://linux-audit.com