ironing out docker
play

ironing out Docker at ironPeak services ironpeak.be 1. $ whoami - PowerPoint PPT Presentation

Oct 24, 2023 •29 likes •189 views

ironing out Docker at ironPeak services ironpeak.be 1. $ whoami Niels Hofmans role Independent Cybersecurity Consultant work Code Security, App Security, Hardening, F5 BIG-IP interest Go, Docker, Cloud, Media contact hello@ironpeak.be

  1. ironing out Docker at ironPeak services ironpeak.be

  2. 1. $ whoami Niels Hofmans role Independent Cybersecurity Consultant work Code Security, App Security, Hardening, F5 BIG-IP interest Go, Docker, Cloud, Media contact hello@ironpeak.be github github.com/HazCod 1 - whoami ironpeak.be

  3. 2. $ tree user host image Runtime 2 - tree ironpeak.be

  4. 3. $ client The Client (you!) - Hidden attack surface - Several attack vectors - Phishing - Hardware - Software - Open-Source - Social Networks - Reused/shared Passwords 3 - client ironpeak.be

  5. 3. $ client The Client (you!) - Awareness - Phishing - Common Sense - E-mail headers, content, DMARC - Hardware - Disk encryption - Lock-down BIOS/SMC - Trustless with 2FA - Lock your session 3 - client ironpeak.be

  6. 3. $ client The Client (you!) - Software - OS Hardening - Non-privileged User - Firewall - Patching - Verify & Tag Open-Source - Additional - Information leakage: e.g. LinkedIn, Github - Password manager with 2FA 3 - client ironpeak.be

  7. 4. $ host Host hardening - CIS Benchmarks - Firewall Daemon hardening - CIS Benchmarks, docker-bench-security, kube-bench - User Namespace Remapping - Live Restore - No experimental features - Swarm autolock - Kernel hardening: github.com/google/gvisor - Enable SELinux/AppArmor + seccomp 4 - host ironpeak.be

  8. 4. $ host Daemon Access - UNIX Socket over SSH - HTTP+TLS auth Host Auditing - Off-site log server over TLS/SSH - Log forging / Denial of Service - Audit tracing e.g. sysdig.org + falco.org, github.com/netdata/netdata Private Registry - client: DOCKER_CONTENT_TRUST=1 - daemon: content_trust: enforced 4 - host ironpeak.be

  9. 5. $ image - DIY & Commercial - Base images: alpine (!), minideb, centos github.com/GoogleContainerTools/distroless - docker-slim - Image Signing - Leakage - .dockerignore - docker secrets/vault - Remove defaults - Network: bridge - Storage: AUFS 5 - image ironpeak.be

  10. 5. $ image Dockerfile - Linters; hadolint, … - Pin os/package versions - FROM & Multi-stage builds - Least Privilege - $user & root without shells - tighten permissions - remove unnecessary tooling - USER - COPY --chown=x:x instead of ADD - Scan for package vulnerabilities 5 - image ironpeak.be

  11. 5. $ image.findWally() 5 - image ironpeak.be

  12. 5. $ image.findWally() USER? 5 - image ironpeak.be

  13. 5. $ image.getFixed() 5 - image ironpeak.be

  14. 6. $ runtime: container Container Runtime Properties - Read-Only filesystem - mounts: noexec, nodev, nosuid, mode, size, uid/gid - pids-limit=1 - cgroup limits: cpu, memory/swap, network, size, disk i/o, ... - restart: on-failure:5 - cap_drop: ALL - security_opt: - no_new_privileges - SELinux/AppArmor + seccomp - Environment variables vs. Secrets 6 - runtime ironpeak.be

  15. 6. $ runtime: app Application Security - OWASP ASVS: Level 1 - Level 3 - web: github.com/OWASP/ASVS - mobile: github.com/OWASP/owasp-masvs - Static Application Security Testing (SAST) - linters - OSS + commercial - Dynamic Application Security Testing (DAST) - OpenVAS, OWASP ZAP, … - Training & Awareness! 6 - runtime ironpeak.be

  16. 7. $ exit https://ironpeak.be/slides/190319-ironing-out-docker.pdf 7 - exit ironpeak.be

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y

Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y

Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y install docker s ystemctl start docker systemctl enable docker docker images - Launch pre-canned container: hello-world (busybox is another good

480 views • 4 slides
docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer /

docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer /

docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer / mgoelzer@docker.com / @mgoelzer Docker Inc. docker service is the new docker run docker run nginx 2013-14 docker run -p 3375:2375 swarm ; 2014-15

688 views • 34 slides
INTRODUCTION TO DOCKER ADRIAN MOUAT SO WHAT IS DOCKER? SIMILAR TO A LIGHTWEIGHT VM Both

INTRODUCTION TO DOCKER ADRIAN MOUAT SO WHAT IS DOCKER? SIMILAR TO A LIGHTWEIGHT VM Both

INTRODUCTION TO DOCKER ADRIAN MOUAT SO WHAT IS DOCKER? SIMILAR TO A LIGHTWEIGHT VM Both provide isolated environments Docker is much more efficient 64-bit Linux only (currently) CONTAINERIZATION A Docker container is a portable store for a

674 views • 29 slides
Docker Provider The Docker provider is used to interact with Docker containers and images. It uses

Docker Provider The Docker provider is used to interact with Docker containers and images. It uses

Docker Provider The Docker provider is used to interact with Docker containers and images. It uses the Docker API to manage the lifecycle of Docker containers. Because the Docker provider uses the Docker API, it is immediately compatible not only

553 views • 34 slides
CS599: Algorithm Design in Strategic Settings Fall 2012 Lecture 11: Ironing and Approximate

CS599: Algorithm Design in Strategic Settings Fall 2012 Lecture 11: Ironing and Approximate

CS599: Algorithm Design in Strategic Settings Fall 2012 Lecture 11: Ironing and Approximate Mechanism Design in Single-Parameter Bayesian Settings Instructor: Shaddin Dughmi Outline Recap 1 Non-regular Distributions: Ironing 2 Implications

569 views • 33 slides
Docker: Testing the Waters LA-UR 15-25901 1 LA-UR 15-25901 Docker: Theres No Containing

Docker: Testing the Waters LA-UR 15-25901 1 LA-UR 15-25901 Docker: Theres No Containing

Eric Holm Skyler Manzanares Yuxin (Kelly) Wang http://gerardable.com/wp-content/uploads/2014/12/docker-whale-home-logo.png Docker: Testing the Waters LA-UR 15-25901 1 LA-UR 15-25901 Docker: Theres No Containing this Whale! Free,

997 views • 28 slides
Docker Orchestration: Beyond the Basics Aaron Lehmann Software Engineer, Docker About me

Docker Orchestration: Beyond the Basics Aaron Lehmann Software Engineer, Docker About me

Docker Orchestration: Beyond the Basics Aaron Lehmann Software Engineer, Docker About me Software engineer at Docker Maintainer on SwarmKit and Docker Engine open source projects Focusing on distributed state, task scheduling,

1.29k views • 62 slides
Docker meets Python A look on the Docker SDK for Python pip install docker Jan Wagner

Docker meets Python A look on the Docker SDK for Python pip install docker Jan Wagner

Docker meets Python A look on the Docker SDK for Python pip install docker Jan Wagner Data Science Consultant accantec group | Alstertor 17 | 20095 Hamburg | Tel.: +49 (40) 67 59 59 0 | Fax.: +49 (40) 67 59 59 29 | www.accantec.de |

664 views • 29 slides
Docker Review Basic Commands docker image ls # list images currently present locally docker

Docker Review Basic Commands docker image ls # list images currently present locally docker

Docker Review Basic Commands docker image ls # list images currently present locally docker container ls # list running containers docker run <image_name> # run an image as a container docker exec <container> <command> # run a

1.1k views • 6 slides
Our apartments come with all mod cons Apartments with separate bedroom (iron and ironing

Our apartments come with all mod cons Apartments with separate bedroom (iron and ironing

Welcome to La Paudze Apartment Hotel Paudex, Lausanne Our apartments come with all mod cons Apartments with separate bedroom (iron and ironing board available) Living room with 65" HD TV Fully fitted kitchenette with tea-

303 views • 13 slides
Docker in the EGI Docker in the EGI Federated Cloud Federated Cloud Carlos Gimeno

Docker in the EGI Docker in the EGI Federated Cloud Federated Cloud Carlos Gimeno

Docker in the EGI Docker in the EGI Federated Cloud Federated Cloud Carlos Gimeno cgimeno@bifi.es Instituto de Biocomputacin y Fsica de Sistemas Complejos info@bifi.es http://bifi.es 0. Index Introduction What is Docker? A

401 views • 14 slides
Docker for fun and profit Solomon Hykes* about Docker: "It uses Linux containers and the

Docker for fun and profit Solomon Hykes* about Docker: "It uses Linux containers and the

Docker for fun and profit Solomon Hykes* about Docker: "It uses Linux containers and the Internet won't shut up about it." (LinuxCon 2014 keynote) *Founder of dotcloud and creator of the Docker project What are Linux containers or

206 views • 19 slides
Docker for Developers Michael Hrivnak Principal Software Engineer - Red Hat Inc.

Docker for Developers Michael Hrivnak Principal Software Engineer - Red Hat Inc.

Docker for Developers Michael Hrivnak Principal Software Engineer - Red Hat Inc. @michael_hrivnak Docker is Popular Deployment gets most of the attention. 1 Developer 1 Laptop 3 Skills Exit Codes $ sudo docker run -it --rm centos:centos7

347 views • 17 slides
Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni

Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni

Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni (@jpetazzo) French software engineer living in California Joined Docker (dotCloud) more than 4 years ago (I was at Docker before it was cool! ) I built

420 views • 38 slides
USING DOCKER SAFELY ADRIAN MOUAT NLUUG 28 MAY 2015 LOT OF NEGATIVE COMMENTS ON DOCKER SECURITY

USING DOCKER SAFELY ADRIAN MOUAT NLUUG 28 MAY 2015 LOT OF NEGATIVE COMMENTS ON DOCKER SECURITY

USING DOCKER SAFELY ADRIAN MOUAT NLUUG 28 MAY 2015 LOT OF NEGATIVE COMMENTS ON DOCKER SECURITY "Containers Don't Contain" Daniel Walsh, RedHat https://opensource.com/business/14/7/docker- security-selinux "... total systemic

502 views • 48 slides
Docker@OVH with Mesos/Marathon June 28th 2016 @devatoria @brouberol Devops / Python charmer

Docker@OVH with Mesos/Marathon June 28th 2016 @devatoria @brouberol Devops / Python charmer

Docker@OVH with Mesos/Marathon June 28th 2016 @devatoria @brouberol Devops / Python charmer Devops / Golang artist The Docker ecosystem Docker Engine : run containerized processes (aka: containers) Docker Compose : run multi-container

381 views • 13 slides
Authentication CS 4720 Mobile Application Development CS 4720 System Security Human:

Authentication CS 4720 Mobile Application Development CS 4720 System Security Human:

Authentication CS 4720 Mobile Application Development CS 4720 System Security Human: social engineering attacks Physical: steal the server itself Network: treat your server like a 2 year old Operating System: the war

574 views • 22 slides
Josh Bloch Charlie Garrod 17-214 1 Administrivia Reading due today: UML and Patterns

Josh Bloch Charlie Garrod 17-214 1 Administrivia Reading due today: UML and Patterns

Principles of Software Construction: Objects, Design, and Concurrency Part 1: Designing classes Design patterns for reuse Josh Bloch Charlie Garrod 17-214 1 Administrivia Reading due today: UML and Patterns Chapters 9 and 10 Optional

673 views • 53 slides
Infrastructure Design For The Professionally Paranoid Or: Ticking The Boxes For Fun And Profit

Infrastructure Design For The Professionally Paranoid Or: Ticking The Boxes For Fun And Profit

Infrastructure Design For The Professionally Paranoid Or: Ticking The Boxes For Fun And Profit Mika Bostrm <mika.bostrom@smarkets.com> Infrastructure Engineer, Information Security Officer[], semi-professional interviewer, Systems

411 views • 19 slides
Security Por$ons courtesy Ellen Liu CSE/ISE 311: Systems

Security Por$ons courtesy Ellen Liu CSE/ISE 311: Systems

CSE/ISE 311: Systems Administra5on Security Por$ons courtesy Ellen Liu CSE/ISE 311: Systems Administra5on Outline Introduc$on How security is compromised

649 views • 50 slides
WordPress Day 1 1 About Me Jonathon Leathers - WordPress Developer TWD 4 Student (2013)

WordPress Day 1 1 About Me Jonathon Leathers - WordPress Developer TWD 4 Student (2013)

TWD 25 WordPress Day 1 1 About Me Jonathon Leathers - WordPress Developer TWD 4 Student (2013) weCreate Design (2014 - now) Vancouver WordPress Meetup Organizer (2017 - now) WordCamp Vancouver Lead Organizer (2018 & 2019) TWD

1.52k views • 119 slides
I'am'' Prof.'Reid'Holmes' email:'rtholmes@cs.uwaterloo.ca' CS246:''Object.Oriented''

I'am'' Prof.'Reid'Holmes' email:'rtholmes@cs.uwaterloo.ca' CS246:''Object.Oriented''

I'am'' Prof.'Reid'Holmes' email:'rtholmes@cs.uwaterloo.ca' CS246:''Object.Oriented'' URL:''hRp://www.uwaterloo.ca/~rtholmes' Office:''DC3551,'hours'TBD'(send'email)' So4ware'Development'

345 views • 5 slides
Managing a growing fmeet of WiFi routers combining OpenWRT, WireGuard, Salt and Zabbix Kenan

Managing a growing fmeet of WiFi routers combining OpenWRT, WireGuard, Salt and Zabbix Kenan

Managing a growing fmeet of WiFi routers combining OpenWRT, WireGuard, Salt and Zabbix Kenan Ibrovi 03/07/19 Presentation 1 Managing a growing fmeet of WiFi routers combining OpenWRT, WireGuard, Salt and Zabbix Problems

410 views • 23 slides
Concepts of programming languages Something El(m)se Paolo Servillo, Enzo van Kessel, Jesse de

Concepts of programming languages Something El(m)se Paolo Servillo, Enzo van Kessel, Jesse de

[Faculty of Science Information and Computing Sciences] Concepts of programming languages Something El(m)se Paolo Servillo, Enzo van Kessel, Jesse de Ruijter . . 1 [Faculty of Science Information and Computing Sciences] Contents What

901 views • 58 slides

More recommend