Docker Security - Secure Container Deployment on Linux
9 likes3,489 views
The document discusses Docker security, emphasizing the importance of securing container deployment on Linux. It outlines various risks associated with Docker, such as software vulnerabilities and knowledge gaps, and proposes best practices for enhancing security through tool usage, risk management, and container hardening techniques. The author also provides insights on Docker's benefits and the significance of data confidentiality in a containerized environment.
Docker Security - Secure Container Deployment on Linux
- 1. Docker Security Secure container deployment on Linux openSUSE conference, The Hague, 3 May 2015 Michael Boelen [email protected]
- 2. Michael Boelen ● Founder of CISOfy ● Security + Open Source ○ Rootkit Hunter (malware scan) ○ Lynis (security scan) ● Analysis → Simplify 2
- 3. Docker and Me ● Understanding ● Development ● Using it 3
- 4. Results of Research ● Limited resources ● Outdated articles ● Conflicting information ● Security not important? Proposal: Let's fix (some of) these issues 4
- 5. Proposal Security proposals ● Tooling to simplify Linux security → Lynis ● Articles about Docker security → Blog posts ● Provide input to (GitHub) projects → You ● Presentations → In progress 5
- 6. What ● Stabilize the vessel ● Secure containers 6
- 7. How ➔ Benefits ➔ Risks ➔ Defenses ➔ Best Practices 7 Photo credits: imagebase.net
- 8. Why? Data! 8
- 9. Why Security? Data! ● Docker + Software = Data Sharing ● Keep it confidential 9
- 10. Warning From this point on, there might be lies... 10
- 12. Primary Benefits ● Flexibility ● Scalability ● Better testing 12
- 13. Segregation ● The art of splitting up things ● The "Holy Grail" of security ● Smaller units = more control 13
- 14. Granular Control ● Limit users, access and data ● Easier to understand ● Easier to defend 14
- 15. Information Disclosure ● Decreased chance of data leakage ● Less resources accessible 15
- 16. Risks 16
- 17. Risk: Software Issues Software security ● Bugs ● Security vulnerabilities ● Regular updates needed ● Backdoors? Auditing? 17
- 18. Risk: Knowledge gap Quickly evolving ● IT auditor ● Your colleagues ● You...? 18
- 19. Risk: "Does not contain" No full isolation (yet) ● Treat containers as a host ● Know strengths and weaknesses 19
- 20. Defenses 20
- 21. Docker Website Start at the download ● HTTPS ● Digital signatures ● Images verified after downloading 21
- 22. Docker Containers ● Namespaces and cgroups ● Seccomp ● Capabilities ● Frameworks 22
- 23. Namespaces Isolates parts of the OS ● PID namespaces ● Network namespaces ● User namespaces → Not really! 23
- 24. Namespaces More spaces ● IPC namespaces (process communication) ● UTS namespaces (hostname/NIS) ● Mount namespaces 24
- 25. Seccomp ● Secure computing mode ● Filters syscalls with BPF ● Isolation, not virtualization ● Used in software like: ○ Chrome, OpenSSH, vsftpd ○ LXD and Mbox 25
- 26. Seccomp Default list of blocked calls ● kexec_load ● open_by_handle_at ● init_module ● finit_module ● delete_module 26
- 27. Control Groups (cgroups) ● Restrict resources ● Prioritize ● Accounting ● Control 27
- 28. Capabilities ● Root user → split into roles ● Default list of allowed capabilities ● --cap-add / --cap-drop ● Combine (e.g. add all, drop a few) 28
- 29. Capabilities Examples ● CAP_NET_ADMIN - Configure networking ● CAP_SETPCAP - Process capabilities ● CAP_SYS_MODULE - Insert and remove kernel modules 29
- 30. Frameworks AppArmor / SELinux ● MAC frameworks ● Help with containment ● Learning them now, will pay off later 30
- 31. Audit Subsystem ● Developed by Red Hat ● Files / system calls ● Monitors the (system | file) integrity 31
- 32. Auditing Audit (example) # Time related calls -a always,exit -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -S clock_settime -k time-change # Hostname and domain -a always,exit -S sethostname -S setdomainname -k system-locale # Password files -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/sudoers -p wa -k identity 32
- 34. Docker Host Hardening 1/2 ● Security = Defense in Depth ● Use AppArmor / SELinux / GRSEC ● Limit ○ users / services / network 34
- 35. Docker Host Hardening 2/2 ● Update your kernel on a regular basis ● Stay up-to-date with Docker ● Limit Docker permissions 35
- 36. Containers Harden your Containers ● Use AppArmor / SELinux ● Drop capabilities (man capabilities) ● Filter syscalls (seccomp) ● Network filtering (iptables) 36
- 37. Read-Only Containers Least amount of privileges ● Docker 1.5 ● --read-only ● Restrict writing to volumes 37
- 38. Logging Don't let containers be a black box ● Docker 1.6 ● --log-driver ○ none ○ syslog ○ json-file 38
- 39. Limit Resources Ulimit ● Default too high ● Set new container default ○ Docker 1.6 ○ --default-ulimit ● On run: --ulimit 39
- 40. Docker Management "Invisibilize" ● Encrypt connections ● Configure and use TLS, set variables: ○ DOCKER_HOST ○ DOCKER_TLS_VERIFY 40
- 41. Docker Management SSH in containers ● Don't use this.. ● Use “docker exec -it mycontainer bash” 41
- 42. Read-Only ● Mounts ● Data ● Configuration ● Use --read-only 42
- 43. Using Mappings ● Map users to non-privileged ○ /etc/subuid ○ /etc/subgid 43
- 44. Trust Or Don't... ● Verify downloads ● Be careful with images from others ● Measure, monitor, audit 44
- 46. Docker News Things go quick with Docker ● Stay informed ● Follow the Docker blog ● Keep an eye on Docker (/LXC/LXD) news 46
- 47. Questions? 47
- 48. More Docker Security ● Blog: linux-audit.com ● Twitter: @mboelen 48