CONTAINERANDMICROSERVICESECURITY
ADRIANMOUAT
ChiefScientist@ContainerSolutions
Wrote"UsingDocker"forO'Reilly
40%DiscountwithAUTHDcode
FreeDockerSecurityminibook
@adrianmouat
http://www.oreilly.com/webops-perf/free/docker-security.csp
OVERVIEWTheBenefitsofSecurityContainerAttackVectorsSecurityPhilosophyDemoTips&Techniques
THEBENEFITSOFSECURITY
CONTAINERATTACKVECTORS
KERNELATTACKS
DENIALOFSERVICE
CONTAINERBREAKOUTS
POISONEDIMAGES
SNIFFINGSECRETS
SECURITYPARADIGMS
DEFENCE-IN-DEPTHMultiplelayersofsecurity
LEASTPRIVILEGE
Onlyaccessdataandresourcesessentialtofunction"LeastPrivilegeMicroservices"byNathanMcCauleyandDiogoMónica
DEMO
SOWHATNOW?IdeallyhaveguidelinesforprocedureNeedtoisolatecontainer(andprobablyhost)dockernetworkdisconnect
Don'tdelete,preferablydon'tstopifsafedockerdiff
HOWTOMITIGATERuncontainerwithlessprivileges
--read-onlyUsenon-privilegeduser...
NOTASOLUTION!StillallowsremoteexecutionofarbitraryJSRealsolutionistoreplacevulnerablelibraryImageshouldbescannedforknownvulns
IMAGESCANNINGDockerSecurityScanningOthersolutionsClairfromCoreOSPeekrfromAquaSecurityTwistlockAtomicScanfromRedHat
DEPENDENCYCHECKERSOWASPDependencyCheckerNodeSecurityProject(NSP)
TIPS&TECHNIQUES
USECONTAINERSANDVMSUseVMstosegregategroupsofcontainersFormultitenancyEachuser'scontainersinseparateVM
FordifferentsecuritylevelsContainersprocessingCCdetailsinownVM
ASIDE:DIRTYCOW(CVE-2016-5195)RecentvulnerabilityfoundinthekernelAllows“privilegeescalation”CanbeusedtobreakoutofcontainersAlsobreaksread-onlyfilesystemshttps://dirtycow.ninja/https://blog.paranoidsoftware.com/dirty-cow-cve-2016-5195-docker-container-escape/
dockerrun--rmamouat/dirty-cow-test
SEGREGATEBYNETWORKUsemultiple"logical"networkse.g.backend,frontend
frontendshouldnotbeabletobackendnetwork"link"containerwillbeinboth
dockernetworkcreatefrontend
DOCKERPRIVILEGES==
ROOTPRIVILEGES
CanmountanydirectoryCancreateandcopyout"backdoors"
dockerrun-v$PWD:/datadebian/bin/sh-c\'cp/bin/sh/data/&&chownroot.root/data/sh&&chmoda+s/data/sh'
USERNAMESPACING
Bydefault,thereisnousernamespacingRootincontainerisrootonhostDon'trunappsinaVMasrootSamegoesforcontainers
USERNAMESPACINGCanbeturnedonsince1.10Mapsusersincontainerstohigh-numberedusersonhostSetondaemon,notpercontainerDuetocomplicationswithownershipofimagelayers
GOTCHASProblemswithvolumesandpluginsCan'tuse--pid=hostor--net=hostCan'tuseread-onlyRestrictionsonsomeoperations(e.g.mknod)
SETAUSERCreateauserinyourDockerfileChangetotheuserviaUSERorsu/sudo/gosu
RUNgroupadd-ruser&&useradd-r-guseruserUSERuser
BECAREFULWHENDELETINGDATAINDOCKERFILES
THISDOESN'TWORKFROMdebianRUNapt-getupdate&&apt-getinstall-ycurlRUNcurlhttp://sourcecode.com/file.tgz-o/file.tgzRUNtarxzf/file.tgz&&makeRUNrm/file.tgz
THISDOESFROMdebianRUNapt-getupdate&&apt-getinstall-ycurlRUNcurlhttp://sourcecode.com/file.tgz-o/file.tgz&&tarxzf/file.tgz&&make&&rm/file.tgz
ANDTHISISREALLYBAD#CopygithubsshkeyCOPYgithub_rsa/root/.ssh/id_rsa...#RemovesshkeyRUNrm/root/.ssh/id_rsa
SETCONTAINERFSTOREAD-ONLY$dockerrun--read-onlydebiantouchxtouch:cannottouch'x':Read-onlyfilesystem
SETVOLUMESTOREAD-ONLY$dockerrun-v$(pwd)/secrets:/secrets:ro\debiantouch/secrets/xtouch:cannottouch'/secrets/x':Read-onlyfilesystem
DROPCAPABILITIES$dockerrun--cap-dropSETUID--cap-dropSETGIDmyimage$dockerrun--cap-dropALL--cap-add...
SETCPUSHARES$dockerrun-dmyimage$dockerrun-d-c512myimage$dockerrun-d-c512myimage
SETMEMORYLIMITS$dockerrun-m512mmyimage
DEFANGSETUID/SETGIDBINARIESApplicationsprobablydon'tneedthemSodon'truntheminproduction
TOFINDTHEM$dockerrundebian\find/-perm+6000-typef-execls-ld{}\;2>/dev/null-rwsr-xr-x1rootroot10248Apr1500:02/usr/lib/pt_chown-rwxr-sr-x1rootshadow62272Nov202014/usr/bin/chage-rwsr-xr-x1rootroot75376Nov202014/usr/bin/gpasswd-rwsr-xr-x1rootroot53616Nov202014/usr/bin/chfn...
TODEFANGTHEMFROMdebian:wheezyRUNfind/-perm+6000-typef-execchmoda-s{}\;\||true
RESULT$dockerbuild-tdefanged-debian....Successfullybuilt526744cf1bc1$dockerrun--rmdefanged-debian\find/-perm+6000-typef-execls-ld{}\;\2>/dev/null|wc-l0$
USEMINIMALIMAGES
LesssoftwareLessattacksurface
AlpineLinux
StaticbinariesGomakesthiseasy
https://hub.docker.com/_/alpine/
https://medium.com/iron-io-blog/an-easier-way-to-create-tiny-golang-docker-images-7ba2893b160
USELINUXSECURITYMODULES
SELINUXByNSA!PolicybasedMACnotDACFileaccess,sockets,interfaces
PITAHardtodefineownpoliciesHavetousedevicemapperExtraworktousevolumes
$sestatus|grepmodeCurrentmode:enforcing$mkdirdata$echo"hello">data/file$dockerrun-v$(pwd)/data:/datadebiancat/data/filecat:/data/file:Permissiondenied
$ls--scontextdataunconfined_u:object_r:user_home_t:s0file$chcon-Rtsvirt_sandbox_file_tdata$dockerrun-v$(pwd)/data:/datadebiancat/data/filehello
APPARMORUsedbyDebian&UbuntuOnbydefaultLimitscontaineraccesstohostfilesandkernelcapabilitiesCanpassinownpolicyforacontainerProcessbased;notasfine-grainedasSELinux
ALSOAPITA,BUT...
BANEProjectbyJessieFrazelleSimplifiescreatingAppArmorprofiles
SECURITYHARDENEDKERNELPatchedkernelwithsecurityenhancementsgrsecurityPaXLagbehindlatestkernelversion
VERIFYIMAGESKnowwhatyou'rerunningAndwhereitcamefromOnlyuseautomatedbuilds,checkDockerfileDockerContentTrustPullbydigest
AUDITINGImmutableinfrastructureAuditimages,notcontainersDockerdiffScanningtoolsscalock,twistlock,clair
SHARINGSECRETS
BAKEITINTOTHEIMAGE
ENVIRONMENTVARIABLES
Suggestedby12factorappsCanbeseentoomanyplaceslinkedcontainers,inspect
Can'tbedeletedGetincludedinreports
$dockerrun-eAPI_TOKEN=MY_SECRETmyimage
MOUNTEDVOLUMESORDATAVOLUMECONTAINERS
Works,butickyFilescangetcheckedinbyaccident
$dockerrun-v/secretdir/keyfile:/keyfile:romyimage$dockerrun--volumes-frommy-secret-containermyimage
SECUREKEY-VALUESTOREDocker1.13inSwarmMode
KubernetesSecrets
Vault
Cancontrolleases,storeencrypted
https://github.com/docker/docker/pull/27794
https://hashicorp.com/blog/vault.html
CONCLUSIONContainersAddisolationProvidetoolsforrestrictingattackers
UsewithVMsifconcernedThinkDefence-In-Depth&LeastPrivilege
THANKYOU!
ChiefScientist@ContainerSolutions
Wrote"UsingDocker"forO'Reilly
FreeDockerSecurityminibook
@adrianmouat
https://www.openshift.com/promotions/docker-security.html