SlideShare a Scribd company logo

Docker security

Janos Suto, profile picture
Janos Suto

Docker images can pose security risks if not properly secured. Key steps to improve Docker security include: 1) Carefully curate official images and scan all images for vulnerabilities; 2) Implement Docker Content Trust (DCT) to verify image integrity and publisher; 3) Restrict container access to resources and capabilities to only what is necessary.

Software
1 of 57
Downloaded 14 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
Docker security SOFTWARE FREEDOM DAY, 2019, SZEGED Janos SUTO, sj@acts.hu
Isn't docker secure? Ars Technica: Infected images mined digital coins "17 images posted by a single account over10 months may have generated $90,000." "For ordinary users, just pulling a Docker image from Docker Hub is like pulling arbitrary binary data from somewhere, executing it, and hoping for the best without really knowing what’s in it.” https://arstechnica.com/information- technology/2018/06/backdoored-images-downloaded-5-million-times- finally-removed-from-docker-hub/
CVE-2019-5736 "runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveragingthe ability to execute a command as root within one of these types of containers: (1) a new container withan attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file- descriptor mishandling, related to /proc/self/exe.
Important stuff I won't talk this time Physical security Host security (patched OS, only necessary packages, OS hardening, ...) Networksecurity (open ports, firewalls, strict SSH access, …) Educating users ...
Securing images
Official images Essential base OS repositoriesas the starting point for users Lead examples of Dockerfile best practices Security updates are applied in a timely manner Scanned for vulnerabilities https://docs.docker.com/docker-hub/official_images/
Docker security
Docker Content Trust (DCT) Use digital signatures for data sent to and receivedfrom remote Docker registries. These signatures allow client-sideor runtime verification of the integrity and publisher of specific image tags. Through DCT, image publishers can sign their images and image consumers can ensure that the images they use are signed.
DCT #2 export DOCKER_CONTENT_TRUST="1" docker pull user/someimage Error: remote trust data does not exist for docker.io/user/someimage: notary.docker.io does not have trust data for docker.io/user/someimage https://docs.docker.com/engine/security/trust/content_trust/
Runtime Enforcement with DCT Applies to Docker Enterprise only
Personal Access Tokens for Docker HUB
Use your own registry Docker registry Harbor Quay (automatic security scanning) JFrog Artifactory (PRO edition)
Don't use insecure registries By default it's not enabled
Build your own images Start from official images Use a reasonable distro (eg. alpine) Include only what's really required (eg. --no-install-recommends) USER someuser No sudo No sshd
Don't bake any secrets to the image ENV MYSQL_PASSWORD "aaaa"
Scan your images Microscanner: https://github.com/aquasecurity/microscanner FROM debian:jessie-slim RUN apt-get update && apt-get -y install ca-certificates ADD https://get.aquasec.com/microscanner / ARG token RUN chmod +x /microscanner && /microscanner ${token}
"vulnerabilities": [ { "name": "CVE-2017-8398", "description": "dwarf.c in GNU Binutils 2.28 is vulnerable to an invalid read of size 1 during dumping of debug information from a corrupt binary …". "nvd_score": 5, "nvd_score_version": "CVSS v2", "nvd_vectors": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "nvd_severity": "medium", "nvd_url": https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE- 2017-8398, ….. },
Other image scanner products Clair Docker Trusted Registry JFrog Xray ...
Virus scanning $ docker create --name erlang_scan erlang # Create container from image $ docker export –output "live_system.tar" erlang_scan # Push the container fs to tar file $ clamscan live_system.tar live_system.tar: OK ----------- SCAN SUMMARY ----------- Known viruses: 6590083 Engine version: 0.100.1 Scanned directories: 0 Scanned files: 1 Infected files: 0 Data scanned: 0.00 MB Data read: 1029.54 MB (ratio 0.00:1) Time: 9.586 sec (0 m 9 s) $ docker rm erlang_scan https://medium.com/@cwgem/thoughts-about-docker-security-8e0df4b43650
Docker bench security Checking for best practices: 1. Host configuration 2. Docker daemon configuration 3. Docker daemon configuration files 4. Container Images and Build File 5. Container Runtime 6. Docker Security Operations 7. Docker Swarm Configuration https://github.com/docker/docker-bench-security
[INFO] 2 - Docker daemon configuration [PASS] 2.1 - Ensure network traffic is restricted between containers on the default bridge [PASS] 2.2 - Ensure the logging level is set to 'info' [PASS] 2.3 - Ensure Docker is allowed to make changes to iptables [PASS] 2.4 - Ensure insecure registries are not used [PASS] 2.5 - Ensure aufs storage driver is not used [INFO] 2.6 - Ensure TLS authentication for Docker daemon is configured [INFO] * Docker daemon not listening on TCP [INFO] 2.7 - Ensure the default ulimit is configured appropriately [INFO] * Default ulimit doesn't appear to be set
Securing the daemon
Protect the socket srw-rw----1 root docker 0 Sep 10 21:04 /var/run/docker.sock= Don't put just anyone to the docker group
Accessing docker over the network TLS encryption (don't enable port 2375) Certificate authentication Firewall the docker host DOCKER_HOST=tcp://docker.yourdomain.com:2376 DOCKER_TLS_VERIFY=1 https://docs.docker.com/engine/security/https/ https://docs.docker.com/engine/security/certificates/
Securing containers
Resource limits --memory 2G: The maximum amount of memory the container can use --memory-swap 2G: The amount of memory the container is allowed to swap to disk --shm-size 64M: Size of /dev/shm --cpus=1.5 how much of the available CPU resources a container can use. --cpuset-cpus=0,1,2: Limit the specific CPUs or cores a container can use --gpus device=0,2: nvidia gpu access --pids-limit: Limit number of processes started inside docker container --ulimit <options>, eg. --ulimit nproc=256:512 https://docs.docker.com/config/containers/resource_constraints/
Stopping a fork bomb $ docker run --rm --name aaa --pids-limit 30 ubuntu bash -c ":() { : | : & }; :; while [[ true ]]; do sleep 1; done" environment: fork: retry: Resource temporarily unavailable environment: fork: retry: Resource temporarily unavailable ... bash: fork: retry: Resource temporarily unavailable environment: fork: retry: Resource temporarily unavailable environment: fork: retry: Resource temporarily unavailable environment: fork: Resource temporarily unavailable bash: fork: Interrupted system call
Stopping a fork bomb #2 $ docker stats aaa NAME CPU % MEM USAGE / LIMIT MEM % PIDS aaa 0.14% 9.172MiB / 23.41GiB 0.04% 30
Make the root fs read-only $ docker run --rm -ti --read-only ubuntu bash root@4f8d760aa70b:/# touch /tmp/iii touch: cannot touch '/tmp/iii': Read-only file system root@4f8d760aa70b:/#
Use tmpfs to allow write access $ docker run --rm -ti --read-only --tmpfs /tmp ubuntu bash root@e28b09f46878:/# touch /tmp/akaka root@e28b09f46878:/#
Remove all capabilities ... $ docker run --rm --cap-drop=ALL nginx 2019/09/22 09:37:45 [emerg] 1#1: chown("/var/cache/nginx/client_temp", 101) failed (1: Operation not permitted) nginx: [emerg] chown("/var/cache/nginx/client_temp", 101) failed (1: Operation not permitted) man 7 capabilities
… add only what's required $ docker run --rm --cap-add=chown --cap-drop=ALL nginx 2019/09/22 09:39:28 [emerg] 1#1: bind() to 0.0.0.0:80 failed (13: Permission denied) nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)
… add only what's required #2 $ docker run --rm --cap-add=chown --cap-add=net_bind_service -- cap-drop=ALL nginx 2019/09/22 09:43:22 [emerg] 6#6: setgid(101)failed (1: Operation not permitted) 2019/09/22 09:43:22 [alert] 1#1: workerprocess 6 exitedwithfatal code 2 and cannot be respawned
… add only what's required #3 $ docker run --rm --cap-add=chown --cap-add=net_bind_service -- cap-add=setgid --cap-drop=ALL nginx 2019/09/22 09:43:54 [emerg] 6#6: setuid(101)failed (1: Operation not permitted) 2019/09/22 09:43:54 [alert] 1#1: workerprocess 6 exitedwithfatal code 2 and cannot be respawned
… add only what's required #4 $ docker run --rm --cap-add=chown --cap-add=net_bind_service --cap-add=setgid --cap-add=setuid --cap-drop=ALL nginx
User remapping $ docker run --rm -ti -v /etc:/etc ubuntu bash root@6ac62e5eb40c:/# touch /etc/hello-world root@6ac62e5eb40c:/# exit $ ls -la /etc/hello-world -rw-r--r-- 1 root root 0 Sep 22 11:53 /etc/hello-world
User remapping #2 $ whoami john $ id -u 1000 $id -g 100
User remapping #3 /etc/docker/daemon.json: { "userns-remap": "john" } /etc/subuid: john:1000:65536 /etc/subgid: john:100:65536
User remapping #4 $ docker run --rm -ti -v /etc:/etc ubuntu bash root@deb50f4847e6:/# touch /etc/hello-world2 touch: cannot touch '/etc/hello-world2': Permission denied
User remapping #5 $ docker run --rm -ti -v /tmp:/tmp ubuntu bash root@7b66cc086eb4:/# touch /tmp/aaa root@7b66cc086eb4:/# ls -la /tmp/aaa -rw-r--r--1 root root 0 Sep 22 10:13 /tmp/aaa root@7b66cc086eb4:/# exit $ ls -la /tmp/aaa -rw-r--r-- 1 john users 0 Sep 22 12:13 /tmp/aaa https://ilya-bystrov.github.io/posts/docker-daemon-remapping/
Don't use privileged mode "Privileged mode enables access to all deviceson the host as wellas set some configuration in AppArmor or SELinux to allow the container nearly all the same access to the host as processes running outside containers on the host."
Don't use the host's namespaces $ docker run --userns=host -ti --rm -v /tmp:/tmpubuntu bash root@a78119823836:/# touch /tmp/hahaha root@a78119823836:/# ls -la /tmp/hahaha -rw-r--r--1 root root 0 Oct 3 10:08 /tmp/hahaha root@a78119823836:/# exit $ ls -la /tmp/hahaha -rw-r--r-- 1 root root 0 Oct 3 12:08 /tmp/hahaha
Authorization plugin dockerd --authorization-plugin=someplugin Could run locally on a Unix domain socket, or anywhere on http(s)
Authorization plugin #2 https://docs.docker.com/engine/extend/plugins_authorization/ PoC implementation: https://pastebin.com/SFUWdP08
Secrets in container $ docker run --rm –ti –e SOME_PASSWORD=aaaa ubuntu bash root@7b66cc086eb4:/#echo $SOME_PASSWORD aaaa root@7b66cc086eb4:/# Environments are often logged! #less /proc/29487/task/29487/environ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin^@HOSTN AME=7b66cc086eb4^@TERM=xterm^@SOME_PASSWORD=aaaa^@H OME=/root
Secrets in config files in container docker run –v /path/to/1.cfg:/etc/yourapp/1.cfg:royourimage
Docker secrets Container orchestrationsystems offer some basic secret management Kubernetes: secrets, configmaps (Namespaces, RBAC) Docker Swarm: secrets Not for a standalone docker installation :-( Setup a single node swarm or k8s deployment:-) https://www.hashicorp.com/resources/securing-container-secrets-vault
Elevating privileges FROM ubuntu:latest RUN apt-get update && apt-get install –y sudo && echo "sj ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/sj && echo "sj:x:1000:100::/home/sj:/bin/bash" >> /etc/passwd USER 1000
Elevating privileges #2 $ docker run --rm -ti aaa bash sj@177cd44c70c0:/$ id uid=1000(sj) gid=100(users) groups=100(users) sj@177cd44c70c0:/$ sudo bash root@177cd44c70c0:/# id uid=0(root) gid=0(root) groups=0(root)
Elevating privileges #3 /etc/docker/daemon.json: { "no-new-privileges": true }
Elevating privileges #4 $ docker run --rm -ti aaa bash sj@177cd44c70c0:/$ id uid=1000(sj) gid=100(users) groups=100(users) sj@177cd44c70c0:/$ sudo bash sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
More daemon.json settings { "icc": false, // Disable inter container communication "userland-proxy": false, // Disable userland proxy for loopback traffic …. }
Activity monitoring with sysdig/falco Notify other systems or humans of abnormal behavior. https://sysdig.com/opensource/falco/
Activity monitoring with sysdig/falco #2 ***Actionchange_thread_namespace Calling setns() to change namespaces... ***Actioncreate_files_below_dev Creating /dev/created-by-event-generator-sh... ***Actiondb_program_spawn_process Becomingthe program "mysql" and then running ls ***Actionexec_ls bin dev etc … ***Actionexfiltration Reading /etc/shadow and sending to 10.5.2.6:8197...
Activity monitoring with sysdig/falco #3 2019-10-03T13:17:21.968443650+0000: Notice Namespace change (setns) by unexpected program (user=root command=event_generator parent=<NA> <NA> (id=2f5a7b42362a) container_id=2f5a7b42362a image=<NA>) 2019-10-03T13:17:22.968679872+0000: Error File created below /dev by untrusted program (user=root command=event_generator file=/dev/created-by-event-generator-sh container_id=2f5a7b42362a image=sysdig/falco-event-generator) 2019-10-03T13:17:23.971571824+0000: Notice Database-related program spawned process other than itself (user=root program=ls parent=mysqld container_id=2f5a7b42362a image=sysdig/falco-event-generator) 2019-10-03T13:17:24.972983032+0000: Warning Sensitive file opened for reading by non-trusted program (user=root program=event_generator command=event_generator file=/etc/shadow parent=<NA> gparent=<NA> ggparent=<NA> gggparent=<NA> container_id=2f5a7b42362a image=sysdig/falco-event-generator)
Host encryption Don't use fscrypt: no support for namespaces Use LUKS
Final words Apply what makes sense in your environment At the end of the day security must not kill productivity

More Related Content

PPTX
Real World Lessons on the Pain Points of Node.js Applications
Ben Hall
 
PPTX
Running Docker in Development & Production (#ndcoslo 2015)
Ben Hall
 
PPTX
Lessons from running potentially malicious code inside containers
Ben Hall
 
PPTX
Running Docker in Development & Production (DevSum 2015)
Ben Hall
 
PPTX
Running .NET on Docker
Ben Hall
 
PPTX
Real World Lessons on the Pain Points of Node.JS Application
Ben Hall
 
PPTX
Real World Experience of Running Docker in Development and Production
Ben Hall
 
PPTX
Lessons from running potentially malicious code inside Docker containers
Ben Hall
 
Real World Lessons on the Pain Points of Node.js Applications
Ben Hall
 
Running Docker in Development & Production (#ndcoslo 2015)
Ben Hall
 
Lessons from running potentially malicious code inside containers
Ben Hall
 
Running Docker in Development & Production (DevSum 2015)
Ben Hall
 
Running .NET on Docker
Ben Hall
 
Real World Lessons on the Pain Points of Node.JS Application
Ben Hall
 
Real World Experience of Running Docker in Development and Production
Ben Hall
 
Lessons from running potentially malicious code inside Docker containers
Ben Hall
 

What's hot (20)

PDF
DCSF19 Tips and Tricks of the Docker Captains
Docker, Inc.
 
PPTX
The How and Why of Windows containers
Ben Hall
 
DOCX
Component pack 6006 install guide
Roberto Boccadoro
 
PPTX
Docker practice
wonyong hwang
 
PDF
DCSF 19 Deploying Rootless buildkit on Kubernetes
Docker, Inc.
 
PDF
Docker, c'est bonheur !
Alexandre Salomé
 
PDF
파이썬 개발환경 구성하기의 끝판왕 - Docker Compose
raccoony
 
PPTX
Continuous delivery with docker
Johan Janssen
 
PDF
kubernetes practice
wonyong hwang
 
PDF
Vincent Ruijter - ~Securing~ Attacking Kubernetes
hacktivity
 
PDF
當專案漸趕,當遷移也不再那麼難 (Ship Your Projects with Docker EcoSystem)
Ruoshi Ling
 
PDF
Lab docker
Bruno Cornec
 
PDF
Hyperledger composer
wonyong hwang
 
PDF
Docker Runtime Security
Sysdig
 
PDF
Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...
Docker, Inc.
 
PDF
DeveloperWeek 2015: A Practical Introduction to Docker
Steve Smith
 
PDF
手把手帶你學Docker 03042017
Paul Chao
 
PDF
JDO 2019: Tips and Tricks from Docker Captain - Łukasz Lach
PROIDEA
 
PDF
Vagrant for real (codemotion rome 2016)
Michele Orselli
 
PDF
Docker remote-api
Eric Ahn
 
DCSF19 Tips and Tricks of the Docker Captains
Docker, Inc.
 
The How and Why of Windows containers
Ben Hall
 
Component pack 6006 install guide
Roberto Boccadoro
 
Docker practice
wonyong hwang
 
DCSF 19 Deploying Rootless buildkit on Kubernetes
Docker, Inc.
 
Docker, c'est bonheur !
Alexandre Salomé
 
파이썬 개발환경 구성하기의 끝판왕 - Docker Compose
raccoony
 
Continuous delivery with docker
Johan Janssen
 
kubernetes practice
wonyong hwang
 
Vincent Ruijter - ~Securing~ Attacking Kubernetes
hacktivity
 
當專案漸趕,當遷移也不再那麼難 (Ship Your Projects with Docker EcoSystem)
Ruoshi Ling
 
Lab docker
Bruno Cornec
 
Hyperledger composer
wonyong hwang
 
Docker Runtime Security
Sysdig
 
Plug-ins: Building, Shipping, Storing, and Running - Nandhini Santhanam and T...
Docker, Inc.
 
DeveloperWeek 2015: A Practical Introduction to Docker
Steve Smith
 
手把手帶你學Docker 03042017
Paul Chao
 
JDO 2019: Tips and Tricks from Docker Captain - Łukasz Lach
PROIDEA
 
Vagrant for real (codemotion rome 2016)
Michele Orselli
 
Docker remote-api
Eric Ahn
 
Ad

Similar to Docker security (20)

PDF
Testing Docker Images Security -All day dev ops 2017
Jose Manuel Ortega Candel
 
PDF
Docker Security in Production Overview
Delve Labs
 
PDF
How Secure Is Your Container? ContainerCon Berlin 2016
Phil Estes
 
PDF
Testing Docker Images Security
Jose Manuel Ortega Candel
 
PDF
Securité des container
Rachid Zarouali
 
PPTX
"Docker best practice", Станислав Коленкин (senior devops, DataArt)
DataArt
 
PDF
Docker for developers
andrzejsydor
 
PPTX
Docker Security workshop slides
Docker, Inc.
 
PPTX
Docker Security and Orchestration for DevSecOps wins
Sharath Kumar
 
PDF
Docker London: Container Security
Phil Estes
 
PPTX
Docker Security Overview
Sreenivas Makam
 
PDF
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Phil Estes
 
PDF
Unraveling Docker Security: Lessons From a Production Cloud
Salman Baset
 
PDF
Docker, Linux Containers, and Security: Does It Add Up?
Jérôme Petazzoni
 
PDF
Docker Security Deep Dive by Ying Li and David Lawrence
Docker, Inc.
 
PDF
Operating Docker
Jen Andre
 
PDF
Start your container journey safely
Rachid Zarouali
 
PDF
Breaking and fixing_your_dockerized_environments_owasp_appsec_usa2016
Manideep Konakandla
 
PDF
PuppetConf 2016: The Challenges with Container Configuration – David Lutterko...
Puppet
 
PDF
Challenges of container configuration
lutter
 
Testing Docker Images Security -All day dev ops 2017
Jose Manuel Ortega Candel
 
Docker Security in Production Overview
Delve Labs
 
How Secure Is Your Container? ContainerCon Berlin 2016
Phil Estes
 
Testing Docker Images Security
Jose Manuel Ortega Candel
 
Securité des container
Rachid Zarouali
 
"Docker best practice", Станислав Коленкин (senior devops, DataArt)
DataArt
 
Docker for developers
andrzejsydor
 
Docker Security workshop slides
Docker, Inc.
 
Docker Security and Orchestration for DevSecOps wins
Sharath Kumar
 
Docker London: Container Security
Phil Estes
 
Docker Security Overview
Sreenivas Makam
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Phil Estes
 
Unraveling Docker Security: Lessons From a Production Cloud
Salman Baset
 
Docker, Linux Containers, and Security: Does It Add Up?
Jérôme Petazzoni
 
Docker Security Deep Dive by Ying Li and David Lawrence
Docker, Inc.
 
Operating Docker
Jen Andre
 
Start your container journey safely
Rachid Zarouali
 
Breaking and fixing_your_dockerized_environments_owasp_appsec_usa2016
Manideep Konakandla
 
PuppetConf 2016: The Challenges with Container Configuration – David Lutterko...
Puppet
 
Challenges of container configuration
lutter
 
Ad

More from Janos Suto (6)

PDF
Open source email archivalas
Janos Suto
 
ODP
Why email archiving is good for you
Janos Suto
 
PDF
Vállalati spamszűrés open source célhardveren (SFD 2011, Szeged)
Janos Suto
 
PPTX
Spam? Már szinte el is felejtettem, mi az
Janos Suto
 
PDF
Clapf Egy Irto Jo Spamszuro
Janos Suto
 
PDF
Statisztikai Spamszurok 2008
Janos Suto
 
Open source email archivalas
Janos Suto
 
Why email archiving is good for you
Janos Suto
 
Vállalati spamszűrés open source célhardveren (SFD 2011, Szeged)
Janos Suto
 
Spam? Már szinte el is felejtettem, mi az
Janos Suto
 
Clapf Egy Irto Jo Spamszuro
Janos Suto
 
Statisztikai Spamszurok 2008
Janos Suto
 

Recently uploaded (20)

PPTX
Odoo Integration Services by Candidroot Solutions
CandidRoot Solutions Private Limited
 
PPTX
Web Testing.pptx528278vshbuqffqhhqiwnwuq
studylike474
 
PPTX
Can You Build Dashboards Using Open Source Visualization Tool.pptx
Varsha Nayak
 
PPTX
Maximizing Revenue with Marketo Measure: A Deep Dive into Multi-Touch Attribu...
bbedford2
 
PPTX
slidesgo-unlocking-the-code-the-dynamic-dance-of-variables-and-constants-2024...
kr2589474
 
DOCX
Can You Build Dashboards Using Open Source Visualization Tool.docx
Varsha Nayak
 
PDF
Generating Union types w/ Static Analysis
K. Matthew Dupree
 
PDF
Enhancing Healthcare RPM Platforms with Contextual AI Integration
Cadabra Studio
 
PDF
49784907924775488180_LRN2959_Data_Pump_23ai.pdf
Abilash868456
 
PPTX
ASSIGNMENT_1[1][1][1][1][1] (1) variables.pptx
kr2589474
 
PDF
Download iTop VPN Free 6.1.0.5882 Crack Full Activated Pre Latest 2025
imang66g
 
PDF
Applitools Platform Pulse: What's New and What's Coming - July 2025
Applitools
 
PDF
advancepresentationskillshdhdhhdhdhdhhfhf
jasmenrojas249
 
PDF
Bandai Playdia The Book - David Glotz
BluePanther6
 
PDF
MiniTool Power Data Recovery Crack New Pre Activated Version Latest 2025
imang66g
 
PDF
WatchTraderHub - Watch Dealer software with inventory management and multi-ch...
WatchDealer Pavel
 
PDF
Immersive experiences: what Pharo users do!
ESUG
 
PDF
Balancing Resource Capacity and Workloads with OnePlan – Avoid Overloading Te...
OnePlan Solutions
 
PPTX
AI-Ready Handoff: Auto-Summaries & Draft Emails from MQL to Slack in One Flow
bbedford2
 
PPT
Why Reliable Server Maintenance Service in New York is Crucial for Your Business
Sam Vohra
 
Odoo Integration Services by Candidroot Solutions
CandidRoot Solutions Private Limited
 
Web Testing.pptx528278vshbuqffqhhqiwnwuq
studylike474
 
Can You Build Dashboards Using Open Source Visualization Tool.pptx
Varsha Nayak
 
Maximizing Revenue with Marketo Measure: A Deep Dive into Multi-Touch Attribu...
bbedford2
 
slidesgo-unlocking-the-code-the-dynamic-dance-of-variables-and-constants-2024...
kr2589474
 
Can You Build Dashboards Using Open Source Visualization Tool.docx
Varsha Nayak
 
Generating Union types w/ Static Analysis
K. Matthew Dupree
 
Enhancing Healthcare RPM Platforms with Contextual AI Integration
Cadabra Studio
 
49784907924775488180_LRN2959_Data_Pump_23ai.pdf
Abilash868456
 
ASSIGNMENT_1[1][1][1][1][1] (1) variables.pptx
kr2589474
 
Download iTop VPN Free 6.1.0.5882 Crack Full Activated Pre Latest 2025
imang66g
 
Applitools Platform Pulse: What's New and What's Coming - July 2025
Applitools
 
advancepresentationskillshdhdhhdhdhdhhfhf
jasmenrojas249
 
Bandai Playdia The Book - David Glotz
BluePanther6
 
MiniTool Power Data Recovery Crack New Pre Activated Version Latest 2025
imang66g
 
WatchTraderHub - Watch Dealer software with inventory management and multi-ch...
WatchDealer Pavel
 
Immersive experiences: what Pharo users do!
ESUG
 
Balancing Resource Capacity and Workloads with OnePlan – Avoid Overloading Te...
OnePlan Solutions
 
AI-Ready Handoff: Auto-Summaries & Draft Emails from MQL to Slack in One Flow
bbedford2
 
Why Reliable Server Maintenance Service in New York is Crucial for Your Business
Sam Vohra
 

Docker security

  • 1. Docker security SOFTWARE FREEDOM DAY, 2019, SZEGED Janos SUTO, [email protected]
  • 2. Isn't docker secure? Ars Technica: Infected images mined digital coins "17 images posted by a single account over10 months may have generated $90,000." "For ordinary users, just pulling a Docker image from Docker Hub is like pulling arbitrary binary data from somewhere, executing it, and hoping for the best without really knowing what’s in it.” https://arstechnica.com/information- technology/2018/06/backdoored-images-downloaded-5-million-times- finally-removed-from-docker-hub/
  • 3. CVE-2019-5736 "runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveragingthe ability to execute a command as root within one of these types of containers: (1) a new container withan attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file- descriptor mishandling, related to /proc/self/exe.
  • 4. Important stuff I won't talk this time Physical security Host security (patched OS, only necessary packages, OS hardening, ...) Networksecurity (open ports, firewalls, strict SSH access, …) Educating users ...
  • 6. Official images Essential base OS repositoriesas the starting point for users Lead examples of Dockerfile best practices Security updates are applied in a timely manner Scanned for vulnerabilities https://docs.docker.com/docker-hub/official_images/
  • 8. Docker Content Trust (DCT) Use digital signatures for data sent to and receivedfrom remote Docker registries. These signatures allow client-sideor runtime verification of the integrity and publisher of specific image tags. Through DCT, image publishers can sign their images and image consumers can ensure that the images they use are signed.
  • 9. DCT #2 export DOCKER_CONTENT_TRUST="1" docker pull user/someimage Error: remote trust data does not exist for docker.io/user/someimage: notary.docker.io does not have trust data for docker.io/user/someimage https://docs.docker.com/engine/security/trust/content_trust/
  • 10. Runtime Enforcement with DCT Applies to Docker Enterprise only
  • 11. Personal Access Tokens for Docker HUB
  • 12. Use your own registry Docker registry Harbor Quay (automatic security scanning) JFrog Artifactory (PRO edition)
  • 13. Don't use insecure registries By default it's not enabled
  • 14. Build your own images Start from official images Use a reasonable distro (eg. alpine) Include only what's really required (eg. --no-install-recommends) USER someuser No sudo No sshd
  • 15. Don't bake any secrets to the image ENV MYSQL_PASSWORD "aaaa"
  • 16. Scan your images Microscanner: https://github.com/aquasecurity/microscanner FROM debian:jessie-slim RUN apt-get update && apt-get -y install ca-certificates ADD https://get.aquasec.com/microscanner / ARG token RUN chmod +x /microscanner && /microscanner ${token}
  • 17. "vulnerabilities": [ { "name": "CVE-2017-8398", "description": "dwarf.c in GNU Binutils 2.28 is vulnerable to an invalid read of size 1 during dumping of debug information from a corrupt binary …". "nvd_score": 5, "nvd_score_version": "CVSS v2", "nvd_vectors": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "nvd_severity": "medium", "nvd_url": https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE- 2017-8398, ….. },
  • 18. Other image scanner products Clair Docker Trusted Registry JFrog Xray ...
  • 19. Virus scanning $ docker create --name erlang_scan erlang # Create container from image $ docker export –output "live_system.tar" erlang_scan # Push the container fs to tar file $ clamscan live_system.tar live_system.tar: OK ----------- SCAN SUMMARY ----------- Known viruses: 6590083 Engine version: 0.100.1 Scanned directories: 0 Scanned files: 1 Infected files: 0 Data scanned: 0.00 MB Data read: 1029.54 MB (ratio 0.00:1) Time: 9.586 sec (0 m 9 s) $ docker rm erlang_scan https://medium.com/@cwgem/thoughts-about-docker-security-8e0df4b43650
  • 20. Docker bench security Checking for best practices: 1. Host configuration 2. Docker daemon configuration 3. Docker daemon configuration files 4. Container Images and Build File 5. Container Runtime 6. Docker Security Operations 7. Docker Swarm Configuration https://github.com/docker/docker-bench-security
  • 21. [INFO] 2 - Docker daemon configuration [PASS] 2.1 - Ensure network traffic is restricted between containers on the default bridge [PASS] 2.2 - Ensure the logging level is set to 'info' [PASS] 2.3 - Ensure Docker is allowed to make changes to iptables [PASS] 2.4 - Ensure insecure registries are not used [PASS] 2.5 - Ensure aufs storage driver is not used [INFO] 2.6 - Ensure TLS authentication for Docker daemon is configured [INFO] * Docker daemon not listening on TCP [INFO] 2.7 - Ensure the default ulimit is configured appropriately [INFO] * Default ulimit doesn't appear to be set
  • 23. Protect the socket srw-rw----1 root docker 0 Sep 10 21:04 /var/run/docker.sock= Don't put just anyone to the docker group
  • 24. Accessing docker over the network TLS encryption (don't enable port 2375) Certificate authentication Firewall the docker host DOCKER_HOST=tcp://docker.yourdomain.com:2376 DOCKER_TLS_VERIFY=1 https://docs.docker.com/engine/security/https/ https://docs.docker.com/engine/security/certificates/
  • 26. Resource limits --memory 2G: The maximum amount of memory the container can use --memory-swap 2G: The amount of memory the container is allowed to swap to disk --shm-size 64M: Size of /dev/shm --cpus=1.5 how much of the available CPU resources a container can use. --cpuset-cpus=0,1,2: Limit the specific CPUs or cores a container can use --gpus device=0,2: nvidia gpu access --pids-limit: Limit number of processes started inside docker container --ulimit <options>, eg. --ulimit nproc=256:512 https://docs.docker.com/config/containers/resource_constraints/
  • 27. Stopping a fork bomb $ docker run --rm --name aaa --pids-limit 30 ubuntu bash -c ":() { : | : & }; :; while [[ true ]]; do sleep 1; done" environment: fork: retry: Resource temporarily unavailable environment: fork: retry: Resource temporarily unavailable ... bash: fork: retry: Resource temporarily unavailable environment: fork: retry: Resource temporarily unavailable environment: fork: retry: Resource temporarily unavailable environment: fork: Resource temporarily unavailable bash: fork: Interrupted system call
  • 28. Stopping a fork bomb #2 $ docker stats aaa NAME CPU % MEM USAGE / LIMIT MEM % PIDS aaa 0.14% 9.172MiB / 23.41GiB 0.04% 30
  • 29. Make the root fs read-only $ docker run --rm -ti --read-only ubuntu bash root@4f8d760aa70b:/# touch /tmp/iii touch: cannot touch '/tmp/iii': Read-only file system root@4f8d760aa70b:/#
  • 30. Use tmpfs to allow write access $ docker run --rm -ti --read-only --tmpfs /tmp ubuntu bash root@e28b09f46878:/# touch /tmp/akaka root@e28b09f46878:/#
  • 31. Remove all capabilities ... $ docker run --rm --cap-drop=ALL nginx 2019/09/22 09:37:45 [emerg] 1#1: chown("/var/cache/nginx/client_temp", 101) failed (1: Operation not permitted) nginx: [emerg] chown("/var/cache/nginx/client_temp", 101) failed (1: Operation not permitted) man 7 capabilities
  • 32. … add only what's required $ docker run --rm --cap-add=chown --cap-drop=ALL nginx 2019/09/22 09:39:28 [emerg] 1#1: bind() to 0.0.0.0:80 failed (13: Permission denied) nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)
  • 33. … add only what's required #2 $ docker run --rm --cap-add=chown --cap-add=net_bind_service -- cap-drop=ALL nginx 2019/09/22 09:43:22 [emerg] 6#6: setgid(101)failed (1: Operation not permitted) 2019/09/22 09:43:22 [alert] 1#1: workerprocess 6 exitedwithfatal code 2 and cannot be respawned
  • 34. … add only what's required #3 $ docker run --rm --cap-add=chown --cap-add=net_bind_service -- cap-add=setgid --cap-drop=ALL nginx 2019/09/22 09:43:54 [emerg] 6#6: setuid(101)failed (1: Operation not permitted) 2019/09/22 09:43:54 [alert] 1#1: workerprocess 6 exitedwithfatal code 2 and cannot be respawned
  • 35. … add only what's required #4 $ docker run --rm --cap-add=chown --cap-add=net_bind_service --cap-add=setgid --cap-add=setuid --cap-drop=ALL nginx
  • 36. User remapping $ docker run --rm -ti -v /etc:/etc ubuntu bash root@6ac62e5eb40c:/# touch /etc/hello-world root@6ac62e5eb40c:/# exit $ ls -la /etc/hello-world -rw-r--r-- 1 root root 0 Sep 22 11:53 /etc/hello-world
  • 37. User remapping #2 $ whoami john $ id -u 1000 $id -g 100
  • 38. User remapping #3 /etc/docker/daemon.json: { "userns-remap": "john" } /etc/subuid: john:1000:65536 /etc/subgid: john:100:65536
  • 39. User remapping #4 $ docker run --rm -ti -v /etc:/etc ubuntu bash root@deb50f4847e6:/# touch /etc/hello-world2 touch: cannot touch '/etc/hello-world2': Permission denied
  • 40. User remapping #5 $ docker run --rm -ti -v /tmp:/tmp ubuntu bash root@7b66cc086eb4:/# touch /tmp/aaa root@7b66cc086eb4:/# ls -la /tmp/aaa -rw-r--r--1 root root 0 Sep 22 10:13 /tmp/aaa root@7b66cc086eb4:/# exit $ ls -la /tmp/aaa -rw-r--r-- 1 john users 0 Sep 22 12:13 /tmp/aaa https://ilya-bystrov.github.io/posts/docker-daemon-remapping/
  • 41. Don't use privileged mode "Privileged mode enables access to all deviceson the host as wellas set some configuration in AppArmor or SELinux to allow the container nearly all the same access to the host as processes running outside containers on the host."
  • 42. Don't use the host's namespaces $ docker run --userns=host -ti --rm -v /tmp:/tmpubuntu bash root@a78119823836:/# touch /tmp/hahaha root@a78119823836:/# ls -la /tmp/hahaha -rw-r--r--1 root root 0 Oct 3 10:08 /tmp/hahaha root@a78119823836:/# exit $ ls -la /tmp/hahaha -rw-r--r-- 1 root root 0 Oct 3 12:08 /tmp/hahaha
  • 43. Authorization plugin dockerd --authorization-plugin=someplugin Could run locally on a Unix domain socket, or anywhere on http(s)
  • 44. Authorization plugin #2 https://docs.docker.com/engine/extend/plugins_authorization/ PoC implementation: https://pastebin.com/SFUWdP08
  • 45. Secrets in container $ docker run --rm –ti –e SOME_PASSWORD=aaaa ubuntu bash root@7b66cc086eb4:/#echo $SOME_PASSWORD aaaa root@7b66cc086eb4:/# Environments are often logged! #less /proc/29487/task/29487/environ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin^@HOSTN AME=7b66cc086eb4^@TERM=xterm^@SOME_PASSWORD=aaaa^@H OME=/root
  • 46. Secrets in config files in container docker run –v /path/to/1.cfg:/etc/yourapp/1.cfg:royourimage
  • 47. Docker secrets Container orchestrationsystems offer some basic secret management Kubernetes: secrets, configmaps (Namespaces, RBAC) Docker Swarm: secrets Not for a standalone docker installation :-( Setup a single node swarm or k8s deployment:-) https://www.hashicorp.com/resources/securing-container-secrets-vault
  • 48. Elevating privileges FROM ubuntu:latest RUN apt-get update && apt-get install –y sudo && echo "sj ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/sj && echo "sj:x:1000:100::/home/sj:/bin/bash" >> /etc/passwd USER 1000
  • 49. Elevating privileges #2 $ docker run --rm -ti aaa bash sj@177cd44c70c0:/$ id uid=1000(sj) gid=100(users) groups=100(users) sj@177cd44c70c0:/$ sudo bash root@177cd44c70c0:/# id uid=0(root) gid=0(root) groups=0(root)
  • 51. Elevating privileges #4 $ docker run --rm -ti aaa bash sj@177cd44c70c0:/$ id uid=1000(sj) gid=100(users) groups=100(users) sj@177cd44c70c0:/$ sudo bash sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
  • 52. More daemon.json settings { "icc": false, // Disable inter container communication "userland-proxy": false, // Disable userland proxy for loopback traffic …. }
  • 53. Activity monitoring with sysdig/falco Notify other systems or humans of abnormal behavior. https://sysdig.com/opensource/falco/
  • 54. Activity monitoring with sysdig/falco #2 ***Actionchange_thread_namespace Calling setns() to change namespaces... ***Actioncreate_files_below_dev Creating /dev/created-by-event-generator-sh... ***Actiondb_program_spawn_process Becomingthe program "mysql" and then running ls ***Actionexec_ls bin dev etc … ***Actionexfiltration Reading /etc/shadow and sending to 10.5.2.6:8197...
  • 55. Activity monitoring with sysdig/falco #3 2019-10-03T13:17:21.968443650+0000: Notice Namespace change (setns) by unexpected program (user=root command=event_generator parent=<NA> <NA> (id=2f5a7b42362a) container_id=2f5a7b42362a image=<NA>) 2019-10-03T13:17:22.968679872+0000: Error File created below /dev by untrusted program (user=root command=event_generator file=/dev/created-by-event-generator-sh container_id=2f5a7b42362a image=sysdig/falco-event-generator) 2019-10-03T13:17:23.971571824+0000: Notice Database-related program spawned process other than itself (user=root program=ls parent=mysqld container_id=2f5a7b42362a image=sysdig/falco-event-generator) 2019-10-03T13:17:24.972983032+0000: Warning Sensitive file opened for reading by non-trusted program (user=root program=event_generator command=event_generator file=/etc/shadow parent=<NA> gparent=<NA> ggparent=<NA> gggparent=<NA> container_id=2f5a7b42362a image=sysdig/falco-event-generator)
  • 56. Host encryption Don't use fscrypt: no support for namespaces Use LUKS
  • 57. Final words Apply what makes sense in your environment At the end of the day security must not kill productivity