SlideShare une entreprise Scribd logo

Down by the Docker

NotSoSecure Global Services
NotSoSecure Global Services

Docker is the new kool kid in town. This presentation covers some of the common goof-ups and what should be kept in mind when dealing with docker configurations. Download the Vulnerable Docker VM : https://www.notsosecure.com/vulnerable-docker-vm/

Technologie
1  sur  14
Télécharger pour lire hors ligne
© Copyright 2017 NotSoSecure Global Services Limited, all rights reserved. Down by the Docker
© Copyright 2017 NotSoSecure Global Services Limited, all rights reserved. Anant Shrivastava (@anantshri) ● Regional Director - NotSoSecure Global Services Limited ● 9 yrs of corporate experience ● Expertise in Network, Mobile, Application and Linux Security ● Speaker / Trainer : BlackHat, Nullcon, RootConf, c0c0n ● Co-author for OWASP Testing guide version 4 ● Project Lead : Code Vigilant, Android Tamer About Presenter
© Copyright 2017 NotSoSecure Global Services Limited, all rights reserved. Docker Overview
© Copyright 2017 NotSoSecure Global Services Limited, all rights reserved. Why Docker • Allows to get rid of “It works on my System” syndrome • Easy & Quick to setup environments and test beds • Loved by start-up's and for PoC Development teams • Loved by Google and likes for scalability and deployment ease • Secure: as secure as you configure it.
© Copyright 2017 NotSoSecure Global Services Limited, all rights reserved. How does it differs for pentesters • From outside it will all be the same • /proc/1/cgroup will show docker references • pid 1 != init / launchd
© Copyright 2017 NotSoSecure Global Services Limited, all rights reserved. How does it differs for pentesters • Bash / Python / Perl isn’t usually available • Containers are disposable hence no Persistence ensured • Containers can have different resources shared • Container crash === new spawn anywhere • Docker Internal Network (172.17.0.0/16) – https://docs.docker.com/engine/userguide/networking/ • Video: https://youtu.be/V42OQd7p-7Y
© Copyright 2017 NotSoSecure Global Services Limited, all rights reserved. Docker goof up: Running container process as root • By default host UID == container UID • Root in container == root on base box. • If a file system or part of it is shared, you have direct path to write privileges files and get root • docker run -itv /:/host alpine /bin/sh DEMO
© Copyright 2017 NotSoSecure Global Services Limited, all rights reserved. Docker goof up: Exposing docker sock / tcp • Docker socket == access to docker daemon • Docker could listen on port 2375 (noauth) 2376 (tls) • Generally: Dashboard or reporting application containers • Misconfiguration, (un)intended exposure = compromise • Video: https://youtu.be/6q7TBbUylbw DEMO
© Copyright 2017 NotSoSecure Global Services Limited, all rights reserved. Docker goof up: Unpatched host / guest • Docker shares kernel with the host • Kernel bugs will result in host compromise • Unpatched guest will result in guest compromise • Video: https://youtu.be/y7XoIOhWStc DEMO
© Copyright 2017 NotSoSecure Global Services Limited, all rights reserved. Security is by secure configuration • Docker security relies on secure configuration at all levels – Scrutinize “docker” group – Docker Socket : only available to root and docker group users – Docker daemon: only available to root and docker group users – Docker containers: run processes via limited users – Docker host + Guest: Keep then up-to-date • Scan Docker configuration files
© Copyright 2017 NotSoSecure Global Services Limited, all rights reserved. Docker configuration Review • Docker Security Scanning via DockerHub • Clair : https://github.com/coreos/clair • Atomic Scan: https://developers.redhat.com/blog/2016/05/02/introducing-atomic- scan-container-vulnerability-detection/ • https://anchore.com/ • Dockerscan : https://github.com/cr0hn/dockerscan • Dockscan: https://github.com/kost/dockscan • Nessus: https://www.tenable.com/blog/auditing-docker-with-nessus-66
© Copyright 2017 NotSoSecure Global Services Limited, all rights reserved. Docker VM • We have created a vulnerable docker VM that suffers from many of the vulnerabilities discussed throughout this session. This is available to download from the following URL: https://www.notsosecure.com/vulnerable-docker-vm/
© Copyright 2017 NotSoSecure Global Services Limited, all rights reserved. Questions?
© Copyright 2017 NotSoSecure Global Services Limited, all rights reserved. END PRESENTATION

Recommandé

IPv6 for Pentesters
IPv6 for PentestersIPv6 for Pentesters
IPv6 for PentestersNotSoSecure Global Services
 
Custom Rules & Broken Tools
Custom Rules & Broken ToolsCustom Rules & Broken Tools
Custom Rules & Broken ToolsNotSoSecure Global Services
 
Slides null puliya linux basics
Slides null puliya linux basicsSlides null puliya linux basics
Slides null puliya linux basicsAnant Shrivastava
 
Open Source Software - Please Drink Responsibly
Open Source Software - Please Drink ResponsiblyOpen Source Software - Please Drink Responsibly
Open Source Software - Please Drink ResponsiblyDaniel Sauble
 
Kali Linux - Falconer
Kali Linux - FalconerKali Linux - Falconer
Kali Linux - FalconerTony Godfrey
 
OpenShift & SELinux with Dan Walsh @rhatdan
OpenShift & SELinux with Dan Walsh @rhatdanOpenShift & SELinux with Dan Walsh @rhatdan
OpenShift & SELinux with Dan Walsh @rhatdanOpenShift Origin
 
Web Application Security Testing: Kali Linux Is the Way to Go
Web Application Security Testing: Kali Linux Is the Way to GoWeb Application Security Testing: Kali Linux Is the Way to Go
Web Application Security Testing: Kali Linux Is the Way to GoGene Gotimer
 
Csw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCsw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCanSecWest
 

Recommandé

IPv6 for Pentesters
IPv6 for PentestersIPv6 for Pentesters
IPv6 for PentestersNotSoSecure Global Services
 
Custom Rules & Broken Tools
Custom Rules & Broken ToolsCustom Rules & Broken Tools
Custom Rules & Broken ToolsNotSoSecure Global Services
 
Slides null puliya linux basics
Slides null puliya linux basicsSlides null puliya linux basics
Slides null puliya linux basicsAnant Shrivastava
 
Open Source Software - Please Drink Responsibly
Open Source Software - Please Drink ResponsiblyOpen Source Software - Please Drink Responsibly
Open Source Software - Please Drink ResponsiblyDaniel Sauble
 
Kali Linux - Falconer
Kali Linux - FalconerKali Linux - Falconer
Kali Linux - FalconerTony Godfrey
 
OpenShift & SELinux with Dan Walsh @rhatdan
OpenShift & SELinux with Dan Walsh @rhatdanOpenShift & SELinux with Dan Walsh @rhatdan
OpenShift & SELinux with Dan Walsh @rhatdanOpenShift Origin
 
Web Application Security Testing: Kali Linux Is the Way to Go
Web Application Security Testing: Kali Linux Is the Way to GoWeb Application Security Testing: Kali Linux Is the Way to Go
Web Application Security Testing: Kali Linux Is the Way to GoGene Gotimer
 
Csw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCsw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCanSecWest
 
Exploiting publically exposed Version Control System
Exploiting publically exposed Version Control SystemExploiting publically exposed Version Control System
Exploiting publically exposed Version Control SystemAnant Shrivastava
 
2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali Linux2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali LinuxJason Murray
 
ROP ‘n’ ROLL, a peak into modern exploits
ROP ‘n’ ROLL, a peak into modern exploitsROP ‘n’ ROLL, a peak into modern exploits
ROP ‘n’ ROLL, a peak into modern exploitsAlexandre Moneger
 
Hug #9 who's keeping your secrets
Hug #9 who's keeping your secretsHug #9 who's keeping your secrets
Hug #9 who's keeping your secretsCameron More
 
proxy2: HTTPS pins and needles
proxy2: HTTPS pins and needlesproxy2: HTTPS pins and needles
proxy2: HTTPS pins and needlesinaz2
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationAnant Shrivastava
 
Kali Linux - Falconer - ISS 2014
Kali Linux - Falconer - ISS 2014Kali Linux - Falconer - ISS 2014
Kali Linux - Falconer - ISS 2014TGodfrey
 
Tools kali
Tools kaliTools kali
Tools kaliketban0702
 
XFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingXFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingShakacon
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Shakacon
 
Kali presentation
Kali presentationKali presentation
Kali presentationZain Ul abadin
 
2600 av evasion_deuce
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuceDb Cooper
 
Kali Linux
Kali LinuxKali Linux
Kali LinuxChanchal Dabriya
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloudDobrica Pavlinušić
 
Enjoying k8s cluster with Minikube and Helm
Enjoying k8s cluster with Minikube and HelmEnjoying k8s cluster with Minikube and Helm
Enjoying k8s cluster with Minikube and Helmロフト くん
 
Open Canary - novahackers
Open Canary - novahackersOpen Canary - novahackers
Open Canary - novahackersChris Gates
 
Apache HttpD Web Server - Hardening and other Security Considerations
Apache HttpD Web Server - Hardening and other Security ConsiderationsApache HttpD Web Server - Hardening and other Security Considerations
Apache HttpD Web Server - Hardening and other Security ConsiderationsAndrew Carr
 
Stop disabling SELinux!
Stop disabling SELinux!Stop disabling SELinux!
Stop disabling SELinux!Maciej Lasyk
 
penetration test using Kali linux ppt
penetration test using Kali linux pptpenetration test using Kali linux ppt
penetration test using Kali linux pptAbhayNaik8
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)NGINX, Inc.
 
Docker Concepts for Oracle/MySQL DBAs and DevOps
Docker Concepts for Oracle/MySQL DBAs and DevOpsDocker Concepts for Oracle/MySQL DBAs and DevOps
Docker Concepts for Oracle/MySQL DBAs and DevOpsZohar Elkayam
 
Being a Moby maintainer
Being a Moby maintainerBeing a Moby maintainer
Being a Moby maintainerAkihiro Suda
 

Contenu connexe

Tendances

Exploiting publically exposed Version Control System
Exploiting publically exposed Version Control SystemExploiting publically exposed Version Control System
Exploiting publically exposed Version Control SystemAnant Shrivastava
 
2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali Linux2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali LinuxJason Murray
 
ROP ‘n’ ROLL, a peak into modern exploits
ROP ‘n’ ROLL, a peak into modern exploitsROP ‘n’ ROLL, a peak into modern exploits
ROP ‘n’ ROLL, a peak into modern exploitsAlexandre Moneger
 
Hug #9 who's keeping your secrets
Hug #9 who's keeping your secretsHug #9 who's keeping your secrets
Hug #9 who's keeping your secretsCameron More
 
proxy2: HTTPS pins and needles
proxy2: HTTPS pins and needlesproxy2: HTTPS pins and needles
proxy2: HTTPS pins and needlesinaz2
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationAnant Shrivastava
 
Kali Linux - Falconer - ISS 2014
Kali Linux - Falconer - ISS 2014Kali Linux - Falconer - ISS 2014
Kali Linux - Falconer - ISS 2014TGodfrey
 
XFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingXFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingShakacon
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Shakacon
 
2600 av evasion_deuce
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuceDb Cooper
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloudDobrica Pavlinušić
 
Enjoying k8s cluster with Minikube and Helm
Enjoying k8s cluster with Minikube and HelmEnjoying k8s cluster with Minikube and Helm
Enjoying k8s cluster with Minikube and Helmロフト くん
 
Open Canary - novahackers
Open Canary - novahackersOpen Canary - novahackers
Open Canary - novahackersChris Gates
 
Apache HttpD Web Server - Hardening and other Security Considerations
Apache HttpD Web Server - Hardening and other Security ConsiderationsApache HttpD Web Server - Hardening and other Security Considerations
Apache HttpD Web Server - Hardening and other Security ConsiderationsAndrew Carr
 
Stop disabling SELinux!
Stop disabling SELinux!Stop disabling SELinux!
Stop disabling SELinux!Maciej Lasyk
 
penetration test using Kali linux ppt
penetration test using Kali linux pptpenetration test using Kali linux ppt
penetration test using Kali linux pptAbhayNaik8
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)NGINX, Inc.
 

Tendances (20)

Exploiting publically exposed Version Control System
Exploiting publically exposed Version Control SystemExploiting publically exposed Version Control System
Exploiting publically exposed Version Control System
 
2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali Linux2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali Linux
 
ROP ‘n’ ROLL, a peak into modern exploits
ROP ‘n’ ROLL, a peak into modern exploitsROP ‘n’ ROLL, a peak into modern exploits
ROP ‘n’ ROLL, a peak into modern exploits
 
Hug #9 who's keeping your secrets
Hug #9 who's keeping your secretsHug #9 who's keeping your secrets
Hug #9 who's keeping your secrets
 
proxy2: HTTPS pins and needles
proxy2: HTTPS pins and needlesproxy2: HTTPS pins and needles
proxy2: HTTPS pins and needles
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web Application
 
Kali Linux - Falconer - ISS 2014
Kali Linux - Falconer - ISS 2014Kali Linux - Falconer - ISS 2014
Kali Linux - Falconer - ISS 2014
 
Tools kali
Tools kaliTools kali
Tools kali
 
XFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingXFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnelling
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...
 
Kali presentation
Kali presentationKali presentation
Kali presentation
 
2600 av evasion_deuce
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuce
 
Kali Linux
Kali LinuxKali Linux
Kali Linux
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloud
 
Enjoying k8s cluster with Minikube and Helm
Enjoying k8s cluster with Minikube and HelmEnjoying k8s cluster with Minikube and Helm
Enjoying k8s cluster with Minikube and Helm
 
Open Canary - novahackers
Open Canary - novahackersOpen Canary - novahackers
Open Canary - novahackers
 
Apache HttpD Web Server - Hardening and other Security Considerations
Apache HttpD Web Server - Hardening and other Security ConsiderationsApache HttpD Web Server - Hardening and other Security Considerations
Apache HttpD Web Server - Hardening and other Security Considerations
 
Stop disabling SELinux!
Stop disabling SELinux!Stop disabling SELinux!
Stop disabling SELinux!
 
penetration test using Kali linux ppt
penetration test using Kali linux pptpenetration test using Kali linux ppt
penetration test using Kali linux ppt
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
 

Similaire à Down by the Docker

Docker Concepts for Oracle/MySQL DBAs and DevOps
Docker Concepts for Oracle/MySQL DBAs and DevOpsDocker Concepts for Oracle/MySQL DBAs and DevOps
Docker Concepts for Oracle/MySQL DBAs and DevOpsZohar Elkayam
 
Being a Moby maintainer
Being a Moby maintainerBeing a Moby maintainer
Being a Moby maintainerAkihiro Suda
 
Introducing resinOS: An Operating System Tailored for Containers and Built fo...
Introducing resinOS: An Operating System Tailored for Containers and Built fo...Introducing resinOS: An Operating System Tailored for Containers and Built fo...
Introducing resinOS: An Operating System Tailored for Containers and Built fo...Balena
 
Use Docker to Enhance Your Testing
Use Docker to Enhance Your TestingUse Docker to Enhance Your Testing
Use Docker to Enhance Your TestingTechWell
 
Microservices with Terraform, Docker and the Cloud. JavaOne 2017 2017-10-02
Microservices with Terraform, Docker and the Cloud. JavaOne 2017 2017-10-02Microservices with Terraform, Docker and the Cloud. JavaOne 2017 2017-10-02
Microservices with Terraform, Docker and the Cloud. JavaOne 2017 2017-10-02Derek Ashmore
 
Oracle Database on Docker - Best Practices
Oracle Database on Docker - Best PracticesOracle Database on Docker - Best Practices
Oracle Database on Docker - Best Practicesgvenzl
 
Detailed Introduction To Docker
Detailed Introduction To DockerDetailed Introduction To Docker
Detailed Introduction To Dockernklmish
 
Webinar by ZNetLive & Plesk- Winning the Game for WebOps and DevOps
Webinar by ZNetLive & Plesk- Winning the Game for WebOps and DevOps Webinar by ZNetLive & Plesk- Winning the Game for WebOps and DevOps
Webinar by ZNetLive & Plesk- Winning the Game for WebOps and DevOps ZNetLive
 
Leveraging docker for hadoop build automation and big data stack provisioning
Leveraging docker for hadoop build automation and big data stack provisioningLeveraging docker for hadoop build automation and big data stack provisioning
Leveraging docker for hadoop build automation and big data stack provisioningEvans Ye
 
Leveraging Docker for Hadoop build automation and Big Data stack provisioning
Leveraging Docker for Hadoop build automation and Big Data stack provisioningLeveraging Docker for Hadoop build automation and Big Data stack provisioning
Leveraging Docker for Hadoop build automation and Big Data stack provisioningDataWorks Summit
 
Dockerizing Oracle Database
Dockerizing Oracle Database Dockerizing Oracle Database
Dockerizing Oracle Database gvenzl
 
Hacking with ARM Mobile devices on Linux
Hacking with ARM Mobile devices on LinuxHacking with ARM Mobile devices on Linux
Hacking with ARM Mobile devices on LinuxNetwalker lab kapper
 
Parallelizing CI using Docker Swarm-Mode
Parallelizing CI using Docker Swarm-ModeParallelizing CI using Docker Swarm-Mode
Parallelizing CI using Docker Swarm-ModeAkihiro Suda
 
Webinar: End-to-End CI/CD with GitLab and DC/OS
Webinar: End-to-End CI/CD with GitLab and DC/OSWebinar: End-to-End CI/CD with GitLab and DC/OS
Webinar: End-to-End CI/CD with GitLab and DC/OSMesosphere Inc.
 
FreeSWITCH on Docker
FreeSWITCH on DockerFreeSWITCH on Docker
FreeSWITCH on Docker建澄 吳
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
 
OpenShift_Installation_Deep_Dive_Robert_Bohne.pdf
OpenShift_Installation_Deep_Dive_Robert_Bohne.pdfOpenShift_Installation_Deep_Dive_Robert_Bohne.pdf
OpenShift_Installation_Deep_Dive_Robert_Bohne.pdfssuser9e06a61
 
Operating Neo4j Fabric in Multi-Zone Kubernetes Cluster.pptx
Operating Neo4j Fabric in Multi-Zone Kubernetes Cluster.pptxOperating Neo4j Fabric in Multi-Zone Kubernetes Cluster.pptx
Operating Neo4j Fabric in Multi-Zone Kubernetes Cluster.pptxNeo4j
 

Similaire à Down by the Docker (20)

Docker Concepts for Oracle/MySQL DBAs and DevOps
Docker Concepts for Oracle/MySQL DBAs and DevOpsDocker Concepts for Oracle/MySQL DBAs and DevOps
Docker Concepts for Oracle/MySQL DBAs and DevOps
 
Being a Moby maintainer
Being a Moby maintainerBeing a Moby maintainer
Being a Moby maintainer
 
Introducing resinOS: An Operating System Tailored for Containers and Built fo...
Introducing resinOS: An Operating System Tailored for Containers and Built fo...Introducing resinOS: An Operating System Tailored for Containers and Built fo...
Introducing resinOS: An Operating System Tailored for Containers and Built fo...
 
Use Docker to Enhance Your Testing
Use Docker to Enhance Your TestingUse Docker to Enhance Your Testing
Use Docker to Enhance Your Testing
 
Microservices with Terraform, Docker and the Cloud. JavaOne 2017 2017-10-02
Microservices with Terraform, Docker and the Cloud. JavaOne 2017 2017-10-02Microservices with Terraform, Docker and the Cloud. JavaOne 2017 2017-10-02
Microservices with Terraform, Docker and the Cloud. JavaOne 2017 2017-10-02
 
Core os dna_oscon
Core os dna_osconCore os dna_oscon
Core os dna_oscon
 
Oracle Database on Docker - Best Practices
Oracle Database on Docker - Best PracticesOracle Database on Docker - Best Practices
Oracle Database on Docker - Best Practices
 
Detailed Introduction To Docker
Detailed Introduction To DockerDetailed Introduction To Docker
Detailed Introduction To Docker
 
Webinar by ZNetLive & Plesk- Winning the Game for WebOps and DevOps
Webinar by ZNetLive & Plesk- Winning the Game for WebOps and DevOps Webinar by ZNetLive & Plesk- Winning the Game for WebOps and DevOps
Webinar by ZNetLive & Plesk- Winning the Game for WebOps and DevOps
 
Leveraging docker for hadoop build automation and big data stack provisioning
Leveraging docker for hadoop build automation and big data stack provisioningLeveraging docker for hadoop build automation and big data stack provisioning
Leveraging docker for hadoop build automation and big data stack provisioning
 
Leveraging Docker for Hadoop build automation and Big Data stack provisioning
Leveraging Docker for Hadoop build automation and Big Data stack provisioningLeveraging Docker for Hadoop build automation and Big Data stack provisioning
Leveraging Docker for Hadoop build automation and Big Data stack provisioning
 
Dockerizing Oracle Database
Dockerizing Oracle Database Dockerizing Oracle Database
Dockerizing Oracle Database
 
Hacking with ARM Mobile devices on Linux
Hacking with ARM Mobile devices on LinuxHacking with ARM Mobile devices on Linux
Hacking with ARM Mobile devices on Linux
 
Parallelizing CI using Docker Swarm-Mode
Parallelizing CI using Docker Swarm-ModeParallelizing CI using Docker Swarm-Mode
Parallelizing CI using Docker Swarm-Mode
 
Webinar: End-to-End CI/CD with GitLab and DC/OS
Webinar: End-to-End CI/CD with GitLab and DC/OSWebinar: End-to-End CI/CD with GitLab and DC/OS
Webinar: End-to-End CI/CD with GitLab and DC/OS
 
FreeSWITCH on Docker
FreeSWITCH on DockerFreeSWITCH on Docker
FreeSWITCH on Docker
 
FreeSWITCH on Docker
FreeSWITCH on DockerFreeSWITCH on Docker
FreeSWITCH on Docker
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
 
OpenShift_Installation_Deep_Dive_Robert_Bohne.pdf
OpenShift_Installation_Deep_Dive_Robert_Bohne.pdfOpenShift_Installation_Deep_Dive_Robert_Bohne.pdf
OpenShift_Installation_Deep_Dive_Robert_Bohne.pdf
 
Operating Neo4j Fabric in Multi-Zone Kubernetes Cluster.pptx
Operating Neo4j Fabric in Multi-Zone Kubernetes Cluster.pptxOperating Neo4j Fabric in Multi-Zone Kubernetes Cluster.pptx
Operating Neo4j Fabric in Multi-Zone Kubernetes Cluster.pptx
 

Dernier

CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 

Dernier (20)

CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 

Down by the Docker

  • 1. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved. Down by the Docker
  • 2. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved. Anant Shrivastava (@anantshri) ● Regional Director - NotSoSecure Global Services Limited ● 9 yrs of corporate experience ● Expertise in Network, Mobile, Application and Linux Security ● Speaker / Trainer : BlackHat, Nullcon, RootConf, c0c0n ● Co-author for OWASP Testing guide version 4 ● Project Lead : Code Vigilant, Android Tamer About Presenter
  • 3. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved. Docker Overview
  • 4. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved. Why Docker • Allows to get rid of “It works on my System” syndrome • Easy & Quick to setup environments and test beds • Loved by start-up's and for PoC Development teams • Loved by Google and likes for scalability and deployment ease • Secure: as secure as you configure it.
  • 5. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved. How does it differs for pentesters • From outside it will all be the same • /proc/1/cgroup will show docker references • pid 1 != init / launchd
  • 6. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved. How does it differs for pentesters • Bash / Python / Perl isn’t usually available • Containers are disposable hence no Persistence ensured • Containers can have different resources shared • Container crash === new spawn anywhere • Docker Internal Network (172.17.0.0/16) – https://docs.docker.com/engine/userguide/networking/ • Video: https://youtu.be/V42OQd7p-7Y
  • 7. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved. Docker goof up: Running container process as root • By default host UID == container UID • Root in container == root on base box. • If a file system or part of it is shared, you have direct path to write privileges files and get root • docker run -itv /:/host alpine /bin/sh DEMO
  • 8. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved. Docker goof up: Exposing docker sock / tcp • Docker socket == access to docker daemon • Docker could listen on port 2375 (noauth) 2376 (tls) • Generally: Dashboard or reporting application containers • Misconfiguration, (un)intended exposure = compromise • Video: https://youtu.be/6q7TBbUylbw DEMO
  • 9. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved. Docker goof up: Unpatched host / guest • Docker shares kernel with the host • Kernel bugs will result in host compromise • Unpatched guest will result in guest compromise • Video: https://youtu.be/y7XoIOhWStc DEMO
  • 10. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved. Security is by secure configuration • Docker security relies on secure configuration at all levels – Scrutinize “docker” group – Docker Socket : only available to root and docker group users – Docker daemon: only available to root and docker group users – Docker containers: run processes via limited users – Docker host + Guest: Keep then up-to-date • Scan Docker configuration files
  • 11. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved. Docker configuration Review • Docker Security Scanning via DockerHub • Clair : https://github.com/coreos/clair • Atomic Scan: https://developers.redhat.com/blog/2016/05/02/introducing-atomic- scan-container-vulnerability-detection/ • https://anchore.com/ • Dockerscan : https://github.com/cr0hn/dockerscan • Dockscan: https://github.com/kost/dockscan • Nessus: https://www.tenable.com/blog/auditing-docker-with-nessus-66
  • 12. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved. Docker VM • We have created a vulnerable docker VM that suffers from many of the vulnerabilities discussed throughout this session. This is available to download from the following URL: https://www.notsosecure.com/vulnerable-docker-vm/
  • 13. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved. Questions?
  • 14. © Copyright 2017 NotSoSecure Global Services Limited, all rights reserved. END PRESENTATION