everything you need to know about containers security
play

Everything you need to know about Containers Security Track - PowerPoint PPT Presentation

Jan 31, 2023 •222 likes •807 views

Everything you need to know about Containers Security Track Containers Jos Manuel Ortega @jmortegac Agenda Introduction to containers security Linux Containers(LXC) Docker Security Security pipeline && Container

  1. Everything you need to know about Containers Security Track Containers José Manuel Ortega

  2. @jmortegac

  3. Agenda ● Introduction to containers security ● Linux Containers(LXC) ● Docker Security ● Security pipeline && Container threats ● Tools for auditing container images

  4. Virtualization vs containers

  5. Virtualization vs containers

  6. Security mechanims

  7. Namespaces ● Provides an isolated view of the system where processes cannot see other processes in other containers ● Each container also gets its own network stack. ● A container doesn’t get privileged access to the sockets or interfaces of another container.

  8. Cgroups && capabilities ● Cgroups: kernel feature that limits and isolates the resource usage (CPU, memory, network) of a collection of processes. ● Linux Capabilities: divides the privileges of root into distinct units and smaller groups of privileges

  9. Linux Containers(LXC)

  10. LXC ● Lightweight virtual machines ● VMs without the hypervisor ● Kernel namespaces ● Apparmor and SELinux profiles ● Seccomp policies ● Kernel capabilities and Control groups

  11. LXC

  12. LXC:limit resources

  13. LXC:limit resources

  14. Docker

  16. Container pipeline

  17. Docker images

  18. Docker security ● Isolation via kernel namespaces ● Aditional layer of security Apparmor, SELinux, GRSEC ● Each container gets its own network stack ● Control groups for resources limiting ● Other interesting features….

  19. Docker Content Trust ● We can verify the integrity of the image ● Checksum validation when pulling image from docker hub ● Pulling by digest to enforce consistent

  22. Docker Capabilites ● A capability is a unix action a user can perform ● Goal is to restrict “capabilities” ● Privileged process = all the capabilities! ● Unprivileged process = check individual user capabilities ● Example Capabilities: ○ CAP_CHOWN ○ CAP_NET_RAW

  25. Containers security is about limiting and controlling the attack surface on the kernel.

  26. Least privilege principle ● Do not run processes in a container as root to avoid root access from attackers. ● Enable User-namespace ● Run filesystems as read-only so that attackers can not overwrite data or save malicious scripts to file. ● Cut down the kernel calls that a container can make to reduce the potential attack surface.

  27. Read only containers & volumes

  28. Seccomp ● Restricts system calls based on a policy ● Block/limit things like: ○ Kernel manipulation (init_module, finit_module, delete_module) ○ Executing mount options ○ Change permissions ○ Change owner and groups

  30. Docker bench security ● Auditing docker environment and containers ● Open-source tool for running automated tests ● Inspired by the CIS Docker 1.11 benchmark ● Runs against containers currently running on same host ● Checks for AppArmor, read-only volumes, etc... https://github.com/docker/docker-bench-securit y

  31. Docker bench security ● The host configuration ● The Docker daemon configuration ● The Docker daemon configuration files ● Container images and build files ● Container runtime ● Docker security operations

  33. Lynis ● https://github.com/CISOfy/lynis-docker ● Lynis is a Linux, Mac and Unix security auditing and system hardening tool that includes a module to audit Dockerfiles. ● lynis audit system ● lynis audit dockerfile <file>

  35. Security Pipeline

  36. CI/CD

  37. CI/CD

  38. Container threats

  39. ● Kernel Exploits(Dirty Cow exploit) ● Vulnerabilities like the glibc buffer overflow ● SQL injection attacks ● MongoDB and ElasticSearch ransomware attacks

  40. Remember ● Don’t run containers as root ● Drop all capabilities and enable only needed ● Enable user namespaces ● Use seccomp for limit syscalls for avoid kernel exploits ● Keep the host kernel updated with last patches ● Mount volumes with read only

  41. Audit Container Images

  42. ● You can scan your images for known vulnerabilities ● Find known vulnerable binaries ○ Docker Security Scanning ○ Anchore Cloud ○ Dagda ○ Tenable.io Container Security ●

  43. Docker security scanning

  44. Docker security scanning

  46. Anchore

  47. Anchore

  48. Anchore

  50. Dagda

  51. Tenable.io container security

  55. References https://docs.docker.com/engine/security ● http://www.oreilly.com/webops-perf/free/files/docker-securi ● ty.pdf http://container-solutions.com/content/uploads/2015/06/15.0 ● 6.15_DockerCheatSheet_A2.pdf Docker Content Trust ● https://docs.docker.com/engine/security/trust/content_trust Docker Security Scanning ● https://docs.docker.com/docker-cloud/builds/image-scan ● https://blog.docker.com/2016/04/docker-security ● http://softwaretester.info/docker-audit ● ●

  57. Thanks! Contact: @jmortegac jmortega.github.io about.me/jmortegac

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are not going to be the answer to preventing your application from being compromised, but they can limit the damage from a compromise. How do

823 views • 25 slides
Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs

Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs

Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs Google Wisdom: VMs and Containers are similar but different Try running containers in VMs for security Containers are best for scale-out

314 views • 17 slides
Containers: Exploits, Surprises, And Security with Elissa Shevinsky COO at SoHo Token Labs

Containers: Exploits, Surprises, And Security with Elissa Shevinsky COO at SoHo Token Labs

Containers: Exploits, Surprises, And Security with Elissa Shevinsky COO at SoHo Token Labs Editor of Lean Out #RVASec @ElissaBeth on twitter @Elissa_is_offmessage on Instagram this was Silicon Valley in 2011 Containers are eating

954 views • 66 slides
Agenda Container Security Concerns Addressing Container Security Security @ SUSE True or False?

Agenda Container Security Concerns Addressing Container Security Security @ SUSE True or False?

Agenda Container Security Concerns Addressing Container Security Security @ SUSE True or False? Containers are inherently insecure. Some Learnings from an Enterprise Study 94%: Containers have security implications 31%: Worried

490 views • 24 slides
Containers can actually improve your security story(!) Maya Kaczorowski, Google Cloud June 12

Containers can actually improve your security story(!) Maya Kaczorowski, Google Cloud June 12

Containers can actually improve your security story(!) Maya Kaczorowski, Google Cloud June 12 2019 Maya Kaczorowski Security PM, Google Cloud @MayaKaczorowski Objection: My security team is opposed to containers and Kubernetes 3

649 views • 41 slides
Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com

Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com

Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com Containers are great Containers are resource efficient Containers make deployment easy Containers can be monitored easily Containers are secure But are

508 views • 38 slides
Surviving the Zombie Apocalypse Security in the Cloud Containers, KVM and Xen Ian Jackson

Surviving the Zombie Apocalypse Security in the Cloud Containers, KVM and Xen Ian Jackson

Surviving the Zombie Apocalypse Security in the Cloud Containers, KVM and Xen Ian Jackson &lt;ian.jackson@eu.citrix.com&gt; FOSDEM 2015 originally based on a talk and research by George Dunlap &quot;Some people make the mistake of thinking

328 views • 6 slides
1 Agenda Docker world Containers VS Virtual machine Security concerns Conclusion Whoami

1 Agenda Docker world Containers VS Virtual machine Security concerns Conclusion Whoami

12.03.2019 Docker security 1 Agenda Docker world Containers VS Virtual machine Security concerns Conclusion Whoami M.Sc Computer Security M.Sc Software Development Worked previously as an embedded software developer Actually

586 views • 54 slides
Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni

Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni

Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni (@jpetazzo) French software engineer living in California Joined Docker (dotCloud) more than 4 years ago (I was at Docker before it was cool! ) I built

420 views • 38 slides
SUSE Containers as a Service Platform 53 53 Why Do You Want to Invest in Containers? 54 54

SUSE Containers as a Service Platform 53 53 Why Do You Want to Invest in Containers? 54 54

SUSE Containers as a Service Platform 53 53 Why Do You Want to Invest in Containers? 54 54 What are Containers? A package/image that can be deployed anywhere (thats running a Linux Kernel) Developers create a layered image of their

996 views • 53 slides
Herd of Containers Sad DIF Database Engineer Herd of Containers: PostgreSQL in containers at

Herd of Containers Sad DIF Database Engineer Herd of Containers: PostgreSQL in containers at

Herd of Containers Sad DIF Database Engineer Herd of Containers: PostgreSQL in containers at BlaBlaCar pgDay Paris, Mar 15, 2018 BlaBlaCar Overview Todays agenda PostgreSQL usage at BlaBlaCar Switching to a new implementation

844 views • 40 slides
General Services Administration Contractor Procurement of GSA-Approved Security Containers

General Services Administration Contractor Procurement of GSA-Approved Security Containers

General Services Administration Contractor Procurement of GSA-Approved Security Containers Procurement Steps 6/15/2020 2 1. Authorization to store classified information GSA Order OGP 4100.21 allows for contractors to procure through the

180 views • 17 slides
Persistent storage for Containers Anil Degwekar What are we talking about? Containers have

Persistent storage for Containers Anil Degwekar What are we talking about? Containers have

Persistent storage for Containers Anil Degwekar What are we talking about? Containers have become popular replacing many Physical / Virtual Machine use cases But: The persistent storage problem for containers is still not fully solved

1.01k views • 17 slides
Containers in the Enterprise Avoiding the Kobayashi Maru Agenda Containers Bring Change

Containers in the Enterprise Avoiding the Kobayashi Maru Agenda Containers Bring Change

Containers in the Enterprise Avoiding the Kobayashi Maru Agenda Containers Bring Change An Approach Required Software Processes Cultural Changes Additional Concerns Lessons Learned Why This Talk? Containers are

678 views • 49 slides
Do Containers Enhance Application Level Security? Benjy Portnoy, CISA, CISSP # whoami

Do Containers Enhance Application Level Security? Benjy Portnoy, CISA, CISSP # whoami

Do Containers Enhance Application Level Security? Benjy Portnoy, CISA, CISSP # whoami BlueCoat-&gt; Symantec Director, DevSecOps @AquaSecTeam I know, Ill use Ruby on Rails! * Thanks To Jim Brickman@gruntwork.io &gt; gem install rails

960 views • 53 slides
our container journey @beshippable shippable.com our container journey containers can

our container journey @beshippable shippable.com our container journey containers can

our container journey @beshippable shippable.com our container journey containers can make us way more efficient containers can save us money on hosting containers sound interesting company founded in 2013

848 views • 30 slides
OASIS Electronic Trial Master File Standard Technical Committee April 13, 2015 9:00 10:30 AM

OASIS Electronic Trial Master File Standard Technical Committee April 13, 2015 9:00 10:30 AM

OASIS Electronic Trial Master File Standard Technical Committee April 13, 2015 9:00 10:30 AM PDT Agenda Topic Presenter 9:00 - 9:05 Call to Order Chair 9:05 - 9:10 Roll Call (secretary: Cathy ) Cathy 9:10 9:12 Mar 16 2015 minute

590 views • 12 slides
Proof of work, Hash chaining CS 161: Computer Security Prof. David Wagner April 13, 2016 A

Proof of work, Hash chaining CS 161: Computer Security Prof. David Wagner April 13, 2016 A

Crypto tricks: Proof of work, Hash chaining CS 161: Computer Security Prof. David Wagner April 13, 2016 A Tangent: How Can I Prove I Am Rich? Math Puzzle Proof of Work Problem. To prove to Bob Im not a spammer, Bob wants me to do 10

488 views • 29 slides
FY2019 DATA Act Working Group 1 Common Methodology CIGIE/GAO Financial Statements Audit

FY2019 DATA Act Working Group 1 Common Methodology CIGIE/GAO Financial Statements Audit

Federal Audit Executive Council FY2019 DATA Act Working Group 1 Common Methodology CIGIE/GAO Financial Statements Audit Conference May 7, 2019 Presenter: Pauletta Battle, Deputy AIGA, Treasury OIG Overview 2 Digital Accountability and

679 views • 20 slides
DRSI Sharepoint Monitoring and Audit Folders FOLDERS SAMPLE ATTACHMENTS: Monitoring/TA

DRSI Sharepoint Monitoring and Audit Folders FOLDERS SAMPLE ATTACHMENTS: Monitoring/TA

DRSI Sharepoint Monitoring and Audit Folders FOLDERS SAMPLE ATTACHMENTS: Monitoring/TA Correspondence &amp; Monitoring Reports Event Profiles Tracking of Individual Monitoring Exhibits Related to Individual Findings/Concerns

86 views • 5 slides
The New Partnership Audit Rules: The Beginning of a New Era State Bar of Texas Annual Advanced

The New Partnership Audit Rules: The Beginning of a New Era State Bar of Texas Annual Advanced

The New Partnership Audit Rules: The Beginning of a New Era State Bar of Texas Annual Advanced Tax Law Course August 17-18, 2017 Lee Meyercord, Thompson &amp; Knight August 18, 2017 Overview Background How did we get here?

826 views • 56 slides
Security Monitoring with eBPF ALEX MAESTRETTI - MANAGER, SIRT BRENDAN GREGG - Sr ARCHITECT,

Security Monitoring with eBPF ALEX MAESTRETTI - MANAGER, SIRT BRENDAN GREGG - Sr ARCHITECT,

Security Monitoring with eBPF ALEX MAESTRETTI - MANAGER, SIRT BRENDAN GREGG - Sr ARCHITECT, PERFORMANCE The Brief. Extended Berkley Packet Filter (eBPF) is a new Linux feature which allows safe and efficient monitoring of kernel functions.

593 views • 27 slides
LSS 2017: linux-integrity subsystem update Mimi Zohar 1 IBM Research Linux Integrity Subsystem

LSS 2017: linux-integrity subsystem update Mimi Zohar 1 IBM Research Linux Integrity Subsystem

LSS 2017: linux-integrity subsystem update Mimi Zohar 1 IBM Research Linux Integrity Subsystem Status Update Review of IMA goals New IMA features and other changes TPM related work Possible IMA specific fixes for TPM

567 views • 17 slides
Rethinking File Security Then, Now &amp; Future Presenters: Moderator: Sharon Teo Gunes

Rethinking File Security Then, Now &amp; Future Presenters: Moderator: Sharon Teo Gunes

Rethinking File Security Then, Now &amp; Future Presenters: Moderator: Sharon Teo Gunes Altungunes Ting Teck Wei CEO Product Manager Marketing Manager Development Center About Us America South Asia Middle East International HQ

617 views • 39 slides

More recommend