SlideShare une entreprise Scribd logo

CONTAINER SECURITY TECHNIQUES

Sysdig
Sysdig

Comparison of security tools for dynamic scanning Docker container with a focus on Sysdig Falco

Logiciels
1  sur  28
Télécharger pour lire hors ligne
Jorge Salamero Sanz @bencerillo WTF my container just spawned a shell!
Sysdig Open Source system troubleshooting with native container support (htop, vmstat, netstat, lsof, tcpdump…) Monitoring, alerting, troubleshooting tool for Docker, Kubernetes, Mesos, RancherOS, GCE, ECS
Securing Microservices Defense in depth Microservices Single responsibility principle: • Principle of least privileges • Principle of least surprise • Principle of least access
Container Security Techniques • New workflows (docker pull vs previous apt update/yum update) • CI/CD Pipeline (Jenkins, Openshift, etc: rebuilds, rolling updates) • Access management, logging & auditing (Kubernetes, Openshift: user roles, namespaces, centralized logging, authn & authz, etc) • Trust boundaries (do you trust entire Docker Hub? Image signing, Docker Notary) • Simplify container OS, tons of useless stuff (RancherOS, Atomic, CoreOS, Alpine Linux, etc) • Network security (Weave, etc) • Secret management (Vaults instead of environment vars, etc)
Docker Security Techniques • Drop privileges • Limit capabilities • Do not run as root! containers are not VMs! • cgroups • Limit resources share, not access restriction • namespaces • Useful for not complete security model • User namespaces • Kubernetes/Openshift security contexts • Host security and access (Docker bench, RO access, etc)
Scanning What are my containers doing? • Static scanning • Dynamic scanning
Static Scanning Yay, this was soo easy to deploy! I Docker Hub! (your developers too, actually they were already using it :P) uhm… wait, is someone maintaining this image? RUN apt-get install -y wget build-essential python python-dev python-pip python-virtualenv RUN wget http://nodejs.org/dist/node-latest.tar.gz RUN tar xvzf node-latest.tar.gz RUN cd node-v* && ./configure && CXX="g++ -Wno-unused-local-typedefs" make && CXX="g++ -Wno-unused-local-typedefs" make install • Static Scanning: • CoreOS Clair, Docker Nautilus, Red Hat CloudForms, etc
Image Vulnerability Scanning • Scan contents of images looking for software versions with known defects • Container image layering can make this efficient (exploits immutable nature of images) Ubuntu: 14.04 Apache: 2.2 Wordpress: 4.6 PHP: 7.0
Image Vulnerability Scanning • Scan contents of images looking for software versions with known defects • Container image layering can make this efficient (exploits immutable nature of images) • Ubuntu: 14.04 Apache: 2.2 Wordpress: 4.6 PHP: 7.0
Image Vulnerability Scanning • Scan contents of images looking for software versions with known defects • Container image layering can make this efficient (exploits immutable nature of images) • Ubuntu: 14.04 Apache: 2.2 Wordpress: 4.6 PHP: 7.0
Image Vulnerability Scanning • Scan contents of images looking for software versions with known defects • Container image layering can make this efficient (exploits immutable nature of images) • Ubuntu: 14.04 Apache: 2.2 Wordpress: 4.6 PHP: 7.0
Container Security Techniques OK, no known vulnerabilities, still secure? Containers are black boxes exposing a behaviour, is something misbehaving? • Dynamic Scanning: • Enforcement • Auditing
Tools • Basic sandboxing: seccomp • Sandboxing with policies: seccomp-bpf • Mandatory access control systems: SELinux, AppArmor • System auditing: Auditd • Behavioral monitoring: Falco
Seccomp • Seccomp: application system call “sandboxing” • One-way transition to a restricted state • Limited set of system calls • SECCOMP_MODE_STRICT: read(), write(), _exit(), and sigreturn() • Process SIGKILLed when doing anything else • No wide real use
Seccomp-bpf • Security profiles per application/container: • Create filter (BPF program ) with lists of allowed syscalls • Each syscall matched against filter • Multiple actions: SIGKILL, SIGSYS, failing the syscall, notify an attached tracer process to skip/change it, allow it • Docker runs containerized process under a seccomp profile, multiple available • Notable disallowed syscalls: • clone (creating new namespaces) • reboot (reboot the host) • setns (change namespaces)
Mandatory Access Control • SELinux or AppArmor • Same mechanisms: kernel-level interception/filtering • features++ && complexity++ • Above syscalls: • Actors (process) • Actions (read/write on files/sockets) • Targets (files, IPs, ports) • Mandatory while seccomp is voluntary • But what if I only want to put some surveillance in?
Auditd • Access monitoring system • Logger for SELinux • Rules based on files and syscalls: # Alert whenever anyone performs an unlink() for a file below /usr/bin -a always,exit -S unlink -S unlinkat -F dir=/usr/bin -F success=1 # Watch any invocation of /usr/bin/passwd -w /usr/bin/passwd -p x -k passwd_mgmt
Sysdig Falco An anomaly detection system built on top of the sysdig engine
Sysdig Kernel Docker Container 1 Container 2 Container 3 App App rkt LXC Kernel module Instrumentation
Event stream Open Read Close Connect Read Write Read Read Write Close Dump to Disk Filter Analyze
Events context • Syscalls are turned into events with context: • the process name performing the system call • the process’s parents, grandparents, etc • the remote IP address to which the process is communicating • the directory of the file being read/written • the current memory usage of the process
What is Sysdig Falco? • Detects suspicious activity defined by a set of easy rules • Uses sysdig’s flexible and powerful filtering expressions (in userspace -single point of failure-) • Container support (Docker, Kubernetes, Mesos, etc) • Flexible notification methods • Open Source
Quick Examples A shell is run in a container container.id != host and proc.name = bash Overwrite system binaries fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) and write Container namespace change evt.type = setns and not proc.name in (docker, sysdig) Non-device files written in /dev (evt.type = creat or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null Process tries to access camera evt.type = open and fd.name = /dev/video0 and not proc.name in (skype, webex)
Falco Rules • .yaml file containing Macros, Lists, and Rules - macro: bin_dir condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) - list: package_mgmt_binaries items: [dpkg, dpkg-preconfigu, rpm, rpmkey, yum, frontend] - rule: write_binary_dir desc: an attempt to write to any file below a set of binary directories condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)" priority: WARNING
Alerts and Outputs • Events that match filter expression (rule) result in alerts • output field used to format event into alert message • Sending to: • syslog • file • stdout • shell (e.g. mail -s "Falco Notification" alerts@example.com) • Sysdig Cloud
Falco Demo
Further reading ● Documentation: ○ https://sysdig.com/blog/selinux-seccomp-falco-technical-dis cussion/ ○ https://sysdig.com/blog/friends-dont-let-friends-curl-bash/ ● http://www.sysdig.org/falco/ ● https://github.com/draios/falco
Thank You!

Recommandé

Behavioural activity monitoring on CoreOS with Sysdig Falco
Behavioural activity monitoring on CoreOS with Sysdig FalcoBehavioural activity monitoring on CoreOS with Sysdig Falco
Behavioural activity monitoring on CoreOS with Sysdig FalcoSysdig
 
Designing Tracing Tools
Designing Tracing ToolsDesigning Tracing Tools
Designing Tracing ToolsSysdig
 
Sysdig Meetup - San Francisco, December 2014
Sysdig Meetup - San Francisco, December 2014Sysdig Meetup - San Francisco, December 2014
Sysdig Meetup - San Francisco, December 2014Sysdig
 
Trace everything, when APM meets SysAdmins
Trace everything, when APM meets SysAdminsTrace everything, when APM meets SysAdmins
Trace everything, when APM meets SysAdminsSysdig
 
Sysdig
SysdigSysdig
Sysdiggnosek
 
How to Secure Containers
How to Secure ContainersHow to Secure Containers
How to Secure ContainersSysdig
 
ContainerCon sysdig Slides
ContainerCon sysdig Slides ContainerCon sysdig Slides
ContainerCon sysdig Slides Loris Degioanni
 
Container Monitoring with Sysdig
Container Monitoring with SysdigContainer Monitoring with Sysdig
Container Monitoring with SysdigSreenivas Makam
 

Recommandé

Behavioural activity monitoring on CoreOS with Sysdig Falco
Behavioural activity monitoring on CoreOS with Sysdig FalcoBehavioural activity monitoring on CoreOS with Sysdig Falco
Behavioural activity monitoring on CoreOS with Sysdig FalcoSysdig
 
Designing Tracing Tools
Designing Tracing ToolsDesigning Tracing Tools
Designing Tracing ToolsSysdig
 
Sysdig Meetup - San Francisco, December 2014
Sysdig Meetup - San Francisco, December 2014Sysdig Meetup - San Francisco, December 2014
Sysdig Meetup - San Francisco, December 2014Sysdig
 
Trace everything, when APM meets SysAdmins
Trace everything, when APM meets SysAdminsTrace everything, when APM meets SysAdmins
Trace everything, when APM meets SysAdminsSysdig
 
Sysdig
SysdigSysdig
Sysdiggnosek
 
How to Secure Containers
How to Secure ContainersHow to Secure Containers
How to Secure ContainersSysdig
 
ContainerCon sysdig Slides
ContainerCon sysdig Slides ContainerCon sysdig Slides
ContainerCon sysdig Slides Loris Degioanni
 
Container Monitoring with Sysdig
Container Monitoring with SysdigContainer Monitoring with Sysdig
Container Monitoring with SysdigSreenivas Makam
 
Cgroups, namespaces and beyond: what are containers made from?
Cgroups, namespaces and beyond: what are containers made from?Cgroups, namespaces and beyond: what are containers made from?
Cgroups, namespaces and beyond: what are containers made from?Docker, Inc.
 
Find the Hacker
Find the HackerFind the Hacker
Find the HackerSysdig
 
Sysdig - Introducing a new definition of Monitoring
Sysdig - Introducing a new definition of MonitoringSysdig - Introducing a new definition of Monitoring
Sysdig - Introducing a new definition of MonitoringRamit Surana
 
15 kubernetes failure points you should watch
15 kubernetes failure points you should watch15 kubernetes failure points you should watch
15 kubernetes failure points you should watchSysdig
 
Fluentd and docker monitoring
Fluentd and docker monitoringFluentd and docker monitoring
Fluentd and docker monitoringVinay Krishna
 
Make Your Containers Faster: Linux Container Performance Tools
Make Your Containers Faster: Linux Container Performance ToolsMake Your Containers Faster: Linux Container Performance Tools
Make Your Containers Faster: Linux Container Performance ToolsKernel TLV
 
Atomic CLI scan
Atomic CLI scanAtomic CLI scan
Atomic CLI scanLalatendu Mohanty
 
Docker and Maestro for fun, development and profit
Docker and Maestro for fun, development and profitDocker and Maestro for fun, development and profit
Docker and Maestro for fun, development and profitMaxime Petazzoni
 
Introduction to Docker & CoreOS - Symfony User Group Cologne
Introduction to Docker & CoreOS - Symfony User Group CologneIntroduction to Docker & CoreOS - Symfony User Group Cologne
Introduction to Docker & CoreOS - Symfony User Group CologneD
 
Shipping python project by docker
Shipping python project by dockerShipping python project by docker
Shipping python project by dockerWei-Ting Kuo
 
Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012Joe Arnold
 
Redis - for duplicate detection on real time stream
Redis - for duplicate detection on real time streamRedis - for duplicate detection on real time stream
Redis - for duplicate detection on real time streamCodemotion
 
Virtualization inside kubernetes
Virtualization inside kubernetesVirtualization inside kubernetes
Virtualization inside kubernetesinwin stack
 
Logging & Docker - Season 2
Logging & Docker - Season 2Logging & Docker - Season 2
Logging & Docker - Season 2Christian Beedgen
 
Introducing Docker Swarm - the orchestration tool by Docker
Introducing Docker Swarm - the orchestration tool by DockerIntroducing Docker Swarm - the orchestration tool by Docker
Introducing Docker Swarm - the orchestration tool by DockerRamit Surana
 
Docker: Aspects of Container Isolation
Docker: Aspects of Container IsolationDocker: Aspects of Container Isolation
Docker: Aspects of Container Isolationallingeek
 
The State of Logging on Docker
The State of Logging on DockerThe State of Logging on Docker
The State of Logging on DockerTrevor Parsons
 
Docker: Behind the API
Docker: Behind the APIDocker: Behind the API
Docker: Behind the APIKarl Matthias
 
Containers and Cloud: From LXC to Docker to Kubernetes
Containers and Cloud: From LXC to Docker to KubernetesContainers and Cloud: From LXC to Docker to Kubernetes
Containers and Cloud: From LXC to Docker to KubernetesShreyas MM
 
Stateless Hypervisors at Scale
Stateless Hypervisors at ScaleStateless Hypervisors at Scale
Stateless Hypervisors at ScaleAntony Messerl
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Sysdig
 
Docker Runtime Security
Docker Runtime SecurityDocker Runtime Security
Docker Runtime SecuritySysdig
 

Contenu connexe

Tendances

Cgroups, namespaces and beyond: what are containers made from?
Cgroups, namespaces and beyond: what are containers made from?Cgroups, namespaces and beyond: what are containers made from?
Cgroups, namespaces and beyond: what are containers made from?Docker, Inc.
 
Find the Hacker
Find the HackerFind the Hacker
Find the HackerSysdig
 
Sysdig - Introducing a new definition of Monitoring
Sysdig - Introducing a new definition of MonitoringSysdig - Introducing a new definition of Monitoring
Sysdig - Introducing a new definition of MonitoringRamit Surana
 
15 kubernetes failure points you should watch
15 kubernetes failure points you should watch15 kubernetes failure points you should watch
15 kubernetes failure points you should watchSysdig
 
Fluentd and docker monitoring
Fluentd and docker monitoringFluentd and docker monitoring
Fluentd and docker monitoringVinay Krishna
 
Make Your Containers Faster: Linux Container Performance Tools
Make Your Containers Faster: Linux Container Performance ToolsMake Your Containers Faster: Linux Container Performance Tools
Make Your Containers Faster: Linux Container Performance ToolsKernel TLV
 
Docker and Maestro for fun, development and profit
Docker and Maestro for fun, development and profitDocker and Maestro for fun, development and profit
Docker and Maestro for fun, development and profitMaxime Petazzoni
 
Introduction to Docker & CoreOS - Symfony User Group Cologne
Introduction to Docker & CoreOS - Symfony User Group CologneIntroduction to Docker & CoreOS - Symfony User Group Cologne
Introduction to Docker & CoreOS - Symfony User Group CologneD
 
Shipping python project by docker
Shipping python project by dockerShipping python project by docker
Shipping python project by dockerWei-Ting Kuo
 
Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012Joe Arnold
 
Redis - for duplicate detection on real time stream
Redis - for duplicate detection on real time streamRedis - for duplicate detection on real time stream
Redis - for duplicate detection on real time streamCodemotion
 
Virtualization inside kubernetes
Virtualization inside kubernetesVirtualization inside kubernetes
Virtualization inside kubernetesinwin stack
 
Introducing Docker Swarm - the orchestration tool by Docker
Introducing Docker Swarm - the orchestration tool by DockerIntroducing Docker Swarm - the orchestration tool by Docker
Introducing Docker Swarm - the orchestration tool by DockerRamit Surana
 
Docker: Aspects of Container Isolation
Docker: Aspects of Container IsolationDocker: Aspects of Container Isolation
Docker: Aspects of Container Isolationallingeek
 
The State of Logging on Docker
The State of Logging on DockerThe State of Logging on Docker
The State of Logging on DockerTrevor Parsons
 
Docker: Behind the API
Docker: Behind the APIDocker: Behind the API
Docker: Behind the APIKarl Matthias
 
Containers and Cloud: From LXC to Docker to Kubernetes
Containers and Cloud: From LXC to Docker to KubernetesContainers and Cloud: From LXC to Docker to Kubernetes
Containers and Cloud: From LXC to Docker to KubernetesShreyas MM
 
Stateless Hypervisors at Scale
Stateless Hypervisors at ScaleStateless Hypervisors at Scale
Stateless Hypervisors at ScaleAntony Messerl
 

Tendances (20)

Cgroups, namespaces and beyond: what are containers made from?
Cgroups, namespaces and beyond: what are containers made from?Cgroups, namespaces and beyond: what are containers made from?
Cgroups, namespaces and beyond: what are containers made from?
 
Find the Hacker
Find the HackerFind the Hacker
Find the Hacker
 
Sysdig - Introducing a new definition of Monitoring
Sysdig - Introducing a new definition of MonitoringSysdig - Introducing a new definition of Monitoring
Sysdig - Introducing a new definition of Monitoring
 
15 kubernetes failure points you should watch
15 kubernetes failure points you should watch15 kubernetes failure points you should watch
15 kubernetes failure points you should watch
 
Fluentd and docker monitoring
Fluentd and docker monitoringFluentd and docker monitoring
Fluentd and docker monitoring
 
Make Your Containers Faster: Linux Container Performance Tools
Make Your Containers Faster: Linux Container Performance ToolsMake Your Containers Faster: Linux Container Performance Tools
Make Your Containers Faster: Linux Container Performance Tools
 
Atomic CLI scan
Atomic CLI scanAtomic CLI scan
Atomic CLI scan
 
Docker and Maestro for fun, development and profit
Docker and Maestro for fun, development and profitDocker and Maestro for fun, development and profit
Docker and Maestro for fun, development and profit
 
Introduction to Docker & CoreOS - Symfony User Group Cologne
Introduction to Docker & CoreOS - Symfony User Group CologneIntroduction to Docker & CoreOS - Symfony User Group Cologne
Introduction to Docker & CoreOS - Symfony User Group Cologne
 
Shipping python project by docker
Shipping python project by dockerShipping python project by docker
Shipping python project by docker
 
Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012
 
Redis - for duplicate detection on real time stream
Redis - for duplicate detection on real time streamRedis - for duplicate detection on real time stream
Redis - for duplicate detection on real time stream
 
Virtualization inside kubernetes
Virtualization inside kubernetesVirtualization inside kubernetes
Virtualization inside kubernetes
 
Logging & Docker - Season 2
Logging & Docker - Season 2Logging & Docker - Season 2
Logging & Docker - Season 2
 
Introducing Docker Swarm - the orchestration tool by Docker
Introducing Docker Swarm - the orchestration tool by DockerIntroducing Docker Swarm - the orchestration tool by Docker
Introducing Docker Swarm - the orchestration tool by Docker
 
Docker: Aspects of Container Isolation
Docker: Aspects of Container IsolationDocker: Aspects of Container Isolation
Docker: Aspects of Container Isolation
 
The State of Logging on Docker
The State of Logging on DockerThe State of Logging on Docker
The State of Logging on Docker
 
Docker: Behind the API
Docker: Behind the APIDocker: Behind the API
Docker: Behind the API
 
Containers and Cloud: From LXC to Docker to Kubernetes
Containers and Cloud: From LXC to Docker to KubernetesContainers and Cloud: From LXC to Docker to Kubernetes
Containers and Cloud: From LXC to Docker to Kubernetes
 
Stateless Hypervisors at Scale
Stateless Hypervisors at ScaleStateless Hypervisors at Scale
Stateless Hypervisors at Scale
 

Similaire à CONTAINER SECURITY TECHNIQUES

Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Sysdig
 
Docker Runtime Security
Docker Runtime SecurityDocker Runtime Security
Docker Runtime SecuritySysdig
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsGianluca Varisco
 
Unraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudUnraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudSalman Baset
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityPhil Estes
 
Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Docker, Inc.
 
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Codemotion
 
Container Security
Container SecurityContainer Security
Container SecuritySalman Baset
 
Continuous Security
Continuous SecurityContinuous Security
Continuous SecuritySysdig
 
Containers and security
Containers and securityContainers and security
Containers and securitysriram_rajan
 
Containerization Is More than the New Virtualization
Containerization Is More than the New VirtualizationContainerization Is More than the New Virtualization
Containerization Is More than the New VirtualizationC4Media
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)Amazon Web Services
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)Amazon Web Services
 
CI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesCI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesSysdig
 
Docker Security
Docker SecurityDocker Security
Docker Securityantitree
 
Containerization is more than the new Virtualization: enabling separation of ...
Containerization is more than the new Virtualization: enabling separation of ...Containerization is more than the new Virtualization: enabling separation of ...
Containerization is more than the new Virtualization: enabling separation of ...Jérôme Petazzoni
 
Docker and kubernetes
Docker and kubernetesDocker and kubernetes
Docker and kubernetesDongwon Kim
 

Similaire à CONTAINER SECURITY TECHNIQUES (20)

Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
 
Docker Runtime Security
Docker Runtime SecurityDocker Runtime Security
Docker Runtime Security
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoops
 
Dockers zero to hero
Dockers zero to heroDockers zero to hero
Dockers zero to hero
 
Unraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudUnraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production Cloud
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker Security
 
Securing the Container Pipeline
Securing the Container PipelineSecuring the Container Pipeline
Securing the Container Pipeline
 
Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok
 
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
 
Container Security
Container SecurityContainer Security
Container Security
 
Continuous Security
Continuous SecurityContinuous Security
Continuous Security
 
Containers and security
Containers and securityContainers and security
Containers and security
 
Containerization Is More than the New Virtualization
Containerization Is More than the New VirtualizationContainerization Is More than the New Virtualization
Containerization Is More than the New Virtualization
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
 
CI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesCI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in Kubernetes
 
Containers and Security for DevOps
Containers and Security for DevOpsContainers and Security for DevOps
Containers and Security for DevOps
 
Docker Security
Docker SecurityDocker Security
Docker Security
 
Containerization is more than the new Virtualization: enabling separation of ...
Containerization is more than the new Virtualization: enabling separation of ...Containerization is more than the new Virtualization: enabling separation of ...
Containerization is more than the new Virtualization: enabling separation of ...
 
Docker and kubernetes
Docker and kubernetesDocker and kubernetes
Docker and kubernetes
 

Plus de Sysdig

Wordpress y Docker, de desarrollo a produccion
Wordpress y Docker, de desarrollo a produccionWordpress y Docker, de desarrollo a produccion
Wordpress y Docker, de desarrollo a produccionSysdig
 
What Prometheus means for monitoring vendors
What Prometheus means for monitoring vendorsWhat Prometheus means for monitoring vendors
What Prometheus means for monitoring vendorsSysdig
 
The top 5 Kubernetes metrics to monitor
The top 5 Kubernetes metrics to monitorThe top 5 Kubernetes metrics to monitor
The top 5 Kubernetes metrics to monitorSysdig
 
The top 5 Kubernetes metrics to monitor
The top 5 Kubernetes metrics to monitorThe top 5 Kubernetes metrics to monitor
The top 5 Kubernetes metrics to monitorSysdig
 
How to Monitor Microservices
How to Monitor MicroservicesHow to Monitor Microservices
How to Monitor MicroservicesSysdig
 
You're monitoring Kubernetes Wrong
You're monitoring Kubernetes WrongYou're monitoring Kubernetes Wrong
You're monitoring Kubernetes WrongSysdig
 
The Dark Art of Container Monitoring - Spanish
The Dark Art of Container Monitoring - SpanishThe Dark Art of Container Monitoring - Spanish
The Dark Art of Container Monitoring - SpanishSysdig
 
Building Trustworthy Containers
Building Trustworthy ContainersBuilding Trustworthy Containers
Building Trustworthy ContainersSysdig
 
A brief history of system calls
A brief history of system callsA brief history of system calls
A brief history of system callsSysdig
 
Extending Sysdig with Chisel
Extending Sysdig with ChiselExtending Sysdig with Chisel
Extending Sysdig with ChiselSysdig
 
Intro to sysdig in 15 minutes
Intro to sysdig in 15 minutesIntro to sysdig in 15 minutes
Intro to sysdig in 15 minutesSysdig
 
Troubleshooting Kubernetes
Troubleshooting KubernetesTroubleshooting Kubernetes
Troubleshooting KubernetesSysdig
 

Plus de Sysdig (12)

Wordpress y Docker, de desarrollo a produccion
Wordpress y Docker, de desarrollo a produccionWordpress y Docker, de desarrollo a produccion
Wordpress y Docker, de desarrollo a produccion
 
What Prometheus means for monitoring vendors
What Prometheus means for monitoring vendorsWhat Prometheus means for monitoring vendors
What Prometheus means for monitoring vendors
 
The top 5 Kubernetes metrics to monitor
The top 5 Kubernetes metrics to monitorThe top 5 Kubernetes metrics to monitor
The top 5 Kubernetes metrics to monitor
 
The top 5 Kubernetes metrics to monitor
The top 5 Kubernetes metrics to monitorThe top 5 Kubernetes metrics to monitor
The top 5 Kubernetes metrics to monitor
 
How to Monitor Microservices
How to Monitor MicroservicesHow to Monitor Microservices
How to Monitor Microservices
 
You're monitoring Kubernetes Wrong
You're monitoring Kubernetes WrongYou're monitoring Kubernetes Wrong
You're monitoring Kubernetes Wrong
 
The Dark Art of Container Monitoring - Spanish
The Dark Art of Container Monitoring - SpanishThe Dark Art of Container Monitoring - Spanish
The Dark Art of Container Monitoring - Spanish
 
Building Trustworthy Containers
Building Trustworthy ContainersBuilding Trustworthy Containers
Building Trustworthy Containers
 
A brief history of system calls
A brief history of system callsA brief history of system calls
A brief history of system calls
 
Extending Sysdig with Chisel
Extending Sysdig with ChiselExtending Sysdig with Chisel
Extending Sysdig with Chisel
 
Intro to sysdig in 15 minutes
Intro to sysdig in 15 minutesIntro to sysdig in 15 minutes
Intro to sysdig in 15 minutes
 
Troubleshooting Kubernetes
Troubleshooting KubernetesTroubleshooting Kubernetes
Troubleshooting Kubernetes
 

Dernier

Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceanilsa9823
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 

Dernier (20)

Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 

CONTAINER SECURITY TECHNIQUES

  • 1. Jorge Salamero Sanz @bencerillo WTF my container just spawned a shell!
  • 2. Sysdig Open Source system troubleshooting with native container support (htop, vmstat, netstat, lsof, tcpdump…) Monitoring, alerting, troubleshooting tool for Docker, Kubernetes, Mesos, RancherOS, GCE, ECS
  • 3. Securing Microservices Defense in depth Microservices Single responsibility principle: • Principle of least privileges • Principle of least surprise • Principle of least access
  • 4. Container Security Techniques • New workflows (docker pull vs previous apt update/yum update) • CI/CD Pipeline (Jenkins, Openshift, etc: rebuilds, rolling updates) • Access management, logging & auditing (Kubernetes, Openshift: user roles, namespaces, centralized logging, authn & authz, etc) • Trust boundaries (do you trust entire Docker Hub? Image signing, Docker Notary) • Simplify container OS, tons of useless stuff (RancherOS, Atomic, CoreOS, Alpine Linux, etc) • Network security (Weave, etc) • Secret management (Vaults instead of environment vars, etc)
  • 5. Docker Security Techniques • Drop privileges • Limit capabilities • Do not run as root! containers are not VMs! • cgroups • Limit resources share, not access restriction • namespaces • Useful for not complete security model • User namespaces • Kubernetes/Openshift security contexts • Host security and access (Docker bench, RO access, etc)
  • 6. Scanning What are my containers doing? • Static scanning • Dynamic scanning
  • 7. Static Scanning Yay, this was soo easy to deploy! I Docker Hub! (your developers too, actually they were already using it :P) uhm… wait, is someone maintaining this image? RUN apt-get install -y wget build-essential python python-dev python-pip python-virtualenv RUN wget http://nodejs.org/dist/node-latest.tar.gz RUN tar xvzf node-latest.tar.gz RUN cd node-v* && ./configure && CXX="g++ -Wno-unused-local-typedefs" make && CXX="g++ -Wno-unused-local-typedefs" make install • Static Scanning: • CoreOS Clair, Docker Nautilus, Red Hat CloudForms, etc
  • 8. Image Vulnerability Scanning • Scan contents of images looking for software versions with known defects • Container image layering can make this efficient (exploits immutable nature of images) Ubuntu: 14.04 Apache: 2.2 Wordpress: 4.6 PHP: 7.0
  • 9. Image Vulnerability Scanning • Scan contents of images looking for software versions with known defects • Container image layering can make this efficient (exploits immutable nature of images) • Ubuntu: 14.04 Apache: 2.2 Wordpress: 4.6 PHP: 7.0
  • 10. Image Vulnerability Scanning • Scan contents of images looking for software versions with known defects • Container image layering can make this efficient (exploits immutable nature of images) • Ubuntu: 14.04 Apache: 2.2 Wordpress: 4.6 PHP: 7.0
  • 11. Image Vulnerability Scanning • Scan contents of images looking for software versions with known defects • Container image layering can make this efficient (exploits immutable nature of images) • Ubuntu: 14.04 Apache: 2.2 Wordpress: 4.6 PHP: 7.0
  • 12. Container Security Techniques OK, no known vulnerabilities, still secure? Containers are black boxes exposing a behaviour, is something misbehaving? • Dynamic Scanning: • Enforcement • Auditing
  • 13. Tools • Basic sandboxing: seccomp • Sandboxing with policies: seccomp-bpf • Mandatory access control systems: SELinux, AppArmor • System auditing: Auditd • Behavioral monitoring: Falco
  • 14. Seccomp • Seccomp: application system call “sandboxing” • One-way transition to a restricted state • Limited set of system calls • SECCOMP_MODE_STRICT: read(), write(), _exit(), and sigreturn() • Process SIGKILLed when doing anything else • No wide real use
  • 15. Seccomp-bpf • Security profiles per application/container: • Create filter (BPF program ) with lists of allowed syscalls • Each syscall matched against filter • Multiple actions: SIGKILL, SIGSYS, failing the syscall, notify an attached tracer process to skip/change it, allow it • Docker runs containerized process under a seccomp profile, multiple available • Notable disallowed syscalls: • clone (creating new namespaces) • reboot (reboot the host) • setns (change namespaces)
  • 16. Mandatory Access Control • SELinux or AppArmor • Same mechanisms: kernel-level interception/filtering • features++ && complexity++ • Above syscalls: • Actors (process) • Actions (read/write on files/sockets) • Targets (files, IPs, ports) • Mandatory while seccomp is voluntary • But what if I only want to put some surveillance in?
  • 17. Auditd • Access monitoring system • Logger for SELinux • Rules based on files and syscalls: # Alert whenever anyone performs an unlink() for a file below /usr/bin -a always,exit -S unlink -S unlinkat -F dir=/usr/bin -F success=1 # Watch any invocation of /usr/bin/passwd -w /usr/bin/passwd -p x -k passwd_mgmt
  • 18. Sysdig Falco An anomaly detection system built on top of the sysdig engine
  • 21. Events context • Syscalls are turned into events with context: • the process name performing the system call • the process’s parents, grandparents, etc • the remote IP address to which the process is communicating • the directory of the file being read/written • the current memory usage of the process
  • 22. What is Sysdig Falco? • Detects suspicious activity defined by a set of easy rules • Uses sysdig’s flexible and powerful filtering expressions (in userspace -single point of failure-) • Container support (Docker, Kubernetes, Mesos, etc) • Flexible notification methods • Open Source
  • 23. Quick Examples A shell is run in a container container.id != host and proc.name = bash Overwrite system binaries fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) and write Container namespace change evt.type = setns and not proc.name in (docker, sysdig) Non-device files written in /dev (evt.type = creat or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null Process tries to access camera evt.type = open and fd.name = /dev/video0 and not proc.name in (skype, webex)
  • 24. Falco Rules • .yaml file containing Macros, Lists, and Rules - macro: bin_dir condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) - list: package_mgmt_binaries items: [dpkg, dpkg-preconfigu, rpm, rpmkey, yum, frontend] - rule: write_binary_dir desc: an attempt to write to any file below a set of binary directories condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)" priority: WARNING
  • 25. Alerts and Outputs • Events that match filter expression (rule) result in alerts • output field used to format event into alert message • Sending to: • syslog • file • stdout • shell (e.g. mail -s "Falco Notification" alerts@example.com) • Sysdig Cloud
  • 27. Further reading ● Documentation: ○ https://sysdig.com/blog/selinux-seccomp-falco-technical-dis cussion/ ○ https://sysdig.com/blog/friends-dont-let-friends-curl-bash/ ● http://www.sysdig.org/falco/ ● https://github.com/draios/falco