Download as PDF, PPTX
Uploaded byMichael Boelen
Docker Security - Secure Container Deployment on Linux
The document discusses Docker security, emphasizing the importance of securing container deployment on Linux. It outlines various risks associated with Docker, such as software vulnerabilities and knowledge gaps, and proposes best practices for enhancing security through tool usage, risk management, and container hardening techniques. The author also provides insights on Docker's benefits and the significance of data confidentiality in a containerized environment.
More Related Content
Similar to Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on Linux
- 1. Docker Security Secure containerdeployment on Linux openSUSE conference, The Hague, 3 May 2015 Michael Boelen michael.boelen@cisofy.com
- 2. Michael Boelen ● Founderof CISOfy ● Security + Open Source ○ Rootkit Hunter (malware scan) ○ Lynis (security scan) ● Analysis → Simplify 2
- 3. Docker and Me ●Understanding ● Development ● Using it 3
- 4. Results of Research ●Limited resources ● Outdated articles ● Conflicting information ● Security not important? Proposal: Let's fix (some of) these issues 4
- 5. Proposal Security proposals ● Toolingto simplify Linux security → Lynis ● Articles about Docker security → Blog posts ● Provide input to (GitHub) projects → You ● Presentations → In progress 5
- 6. What ● Stabilize thevessel ● Secure containers 6
- 7. How ➔ Benefits ➔ Risks ➔Defenses ➔ Best Practices 7 Photo credits: imagebase.net
- 8.
- 9. Why Security? Data! ● Docker+ Software = Data Sharing ● Keep it confidential 9
- 10. Warning From this pointon, there might be lies... 10
- 11.
- 12. Primary Benefits ● Flexibility ●Scalability ● Better testing 12
- 13. Segregation ● The artof splitting up things ● The "Holy Grail" of security ● Smaller units = more control 13
- 14. Granular Control ● Limitusers, access and data ● Easier to understand ● Easier to defend 14
- 15. Information Disclosure ● Decreasedchance of data leakage ● Less resources accessible 15
- 16.
- 17. Risk: Software Issues Softwaresecurity ● Bugs ● Security vulnerabilities ● Regular updates needed ● Backdoors? Auditing? 17
- 18. Risk: Knowledge gap Quicklyevolving ● IT auditor ● Your colleagues ● You...? 18
- 19. Risk: "Does notcontain" No full isolation (yet) ● Treat containers as a host ● Know strengths and weaknesses 19
- 20.
- 21. Docker Website Start atthe download ● HTTPS ● Digital signatures ● Images verified after downloading 21
- 22. Docker Containers ● Namespacesand cgroups ● Seccomp ● Capabilities ● Frameworks 22
- 23. Namespaces Isolates parts ofthe OS ● PID namespaces ● Network namespaces ● User namespaces → Not really! 23
- 24. Namespaces More spaces ● IPCnamespaces (process communication) ● UTS namespaces (hostname/NIS) ● Mount namespaces 24
- 25. Seccomp ● Secure computingmode ● Filters syscalls with BPF ● Isolation, not virtualization ● Used in software like: ○ Chrome, OpenSSH, vsftpd ○ LXD and Mbox 25
- 26. Seccomp Default list ofblocked calls ● kexec_load ● open_by_handle_at ● init_module ● finit_module ● delete_module 26
- 27. Control Groups (cgroups) ●Restrict resources ● Prioritize ● Accounting ● Control 27
- 28. Capabilities ● Root user→ split into roles ● Default list of allowed capabilities ● --cap-add / --cap-drop ● Combine (e.g. add all, drop a few) 28
- 29. Capabilities Examples ● CAP_NET_ADMIN -Configure networking ● CAP_SETPCAP - Process capabilities ● CAP_SYS_MODULE - Insert and remove kernel modules 29
- 30. Frameworks AppArmor / SELinux ●MAC frameworks ● Help with containment ● Learning them now, will pay off later 30
- 31. Audit Subsystem ● Developedby Red Hat ● Files / system calls ● Monitors the (system | file) integrity 31
- 32. Auditing Audit (example) # Timerelated calls -a always,exit -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -S clock_settime -k time-change # Hostname and domain -a always,exit -S sethostname -S setdomainname -k system-locale # Password files -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/sudoers -p wa -k identity 32
- 33.
- 34. Docker Host Hardening1/2 ● Security = Defense in Depth ● Use AppArmor / SELinux / GRSEC ● Limit ○ users / services / network 34
- 35. Docker Host Hardening2/2 ● Update your kernel on a regular basis ● Stay up-to-date with Docker ● Limit Docker permissions 35
- 36. Containers Harden your Containers ●Use AppArmor / SELinux ● Drop capabilities (man capabilities) ● Filter syscalls (seccomp) ● Network filtering (iptables) 36
- 37. Read-Only Containers Least amountof privileges ● Docker 1.5 ● --read-only ● Restrict writing to volumes 37
- 38. Logging Don't let containersbe a black box ● Docker 1.6 ● --log-driver ○ none ○ syslog ○ json-file 38
- 39. Limit Resources Ulimit ● Defaulttoo high ● Set new container default ○ Docker 1.6 ○ --default-ulimit ● On run: --ulimit 39
- 40. Docker Management "Invisibilize" ● Encryptconnections ● Configure and use TLS, set variables: ○ DOCKER_HOST ○ DOCKER_TLS_VERIFY 40
- 41. Docker Management SSH incontainers ● Don't use this.. ● Use “docker exec -it mycontainer bash” 41
- 42. Read-Only ● Mounts ● Data ●Configuration ● Use --read-only 42
- 43. Using Mappings ● Mapusers to non-privileged ○ /etc/subuid ○ /etc/subgid 43
- 44. Trust Or Don't... ● Verifydownloads ● Be careful with images from others ● Measure, monitor, audit 44
- 45.
- 46. Docker News Things goquick with Docker ● Stay informed ● Follow the Docker blog ● Keep an eye on Docker (/LXC/LXD) news 46
- 47.
- 48. More Docker Security ●Blog: linux-audit.com ● Twitter: @mboelen 48