CONTAINER AND MICROSERVICE SECURITY ADRIAN MOUAT

Transcription

1 CONTAINER AND MICROSERVICE SECURITY ADRIAN MOUAT

2 Chief Container Solutions Wrote "Using Docker" for O'Reilly 40% Discount with AUTHD code Free Docker Security minibook

3 OVERVIEW The Benefits of Security Container Attack Vectors Security Philosophy Demo Tips & Techniques

4 THE BENEFITS OF SECURITY

5

6

7

8

9

10 CONTAINER ATTACK VECTORS

11 KERNEL ATTACKS

12 DENIAL OF SERVICE

13 CONTAINER BREAKOUTS

14 POISONED IMAGES

15 SNIFFING SECRETS

16 SECURITY PARADIGMS

17 DEFENCE-IN-DEPTH Multiple layers of security

18 LEAST PRIVILEGE Only access data and resources essential to function "Least Privilege Microservices" by Nathan McCauley and Diogo Mónica

19 DEMO

20 SO WHAT NOW? Ideally have guidelines for procedure Need to isolate container (and probably host) docker network disconnect Don't delete, preferably don't stop if safe docker diff

21 HOW TO MITIGATE Run container with less privileges --read-only Use non-privileged user...

22 NOT A SOLUTION! Still allows remote execution of arbitrary JS Real solution is to replace vulnerable library Image should be scanned for known vulns

23 IMAGE SCANNING Docker Security Scanning Other solutions Clair from CoreOS Peekr from Aqua Security Twistlock Atomic Scan from Red Hat

24 DEPENDENCY CHECKERS OWASP Dependency Checker Node Security Project (NSP)

25 TIPS & TECHNIQUES

26 USE CONTAINERS AND VMS Use VMs to segregate groups of containers For multitenancy Each user's containers in separate VM For different security levels Containers processing CC details in own VM

27 ASIDE: DIRTY COW (CVE ) Recent vulnerability found in the kernel Allows privilege escalation Can be used to break out of containers Also breaks read-only filesystems docker run --rm amouat/dirty-cow-test

28 SEGREGATE BY NETWORK Use multiple "logical" networks e.g. backend, frontend frontend should not be able to backend network "link" container will be in both docker network create frontend

29 DOCKER PRIVILEGES == ROOT PRIVILEGES

30 Can mount any directory Can create and copy out "backdoors" docker run -v $PWD:/data debian /bin/sh -c \ 'cp /bin/sh /data/ && chown root.root /data/sh && chmod a+s /data/sh'

31 USER NAMESPACING By default, there is no user namespacing Root in container is root on host Don't run apps in a VM as root Same goes for containers

32 USER NAMESPACING Can be turned on since 1.10 Maps users in containers to high-numbered users on host Set on daemon, not per container Due to complications with ownership of image layers

33 GOTCHAS Problems with volumes and plugins Can't use --pid=host or --net=host Can't use read-only Restrictions on some operations (e.g. mknod)

34 SET A USER Create a user in your Dockerfile Change to the user via USER or su/sudo/gosu RUN groupadd -r user && useradd -r -g user user USER user

35 BE CAREFUL WHEN DELETING DATA IN DOCKERFILES

36 THIS DOESN'T WORK FROM debian RUN apt-get update && apt-get install -y curl RUN curl -o /file.tgz RUN tar xzf /file.tgz && make RUN rm /file.tgz

37 THIS DOES FROM debian RUN apt-get update && apt-get install -y curl RUN curl -o /file.tgz && tar xzf /file.tgz && make && rm /file.tgz

38 # Copy github ssh key COPY github_rsa /root/.ssh/id_rsa... # Remove ssh key RUN rm /root/.ssh/id_rsa AND THIS IS REALLY BAD

39 SET CONTAINER FS TO READ-ONLY $ docker run --read-only debian touch x touch: cannot touch 'x': Read-only file system

40 SET VOLUMES TO READ-ONLY $ docker run -v $(pwd)/secrets:/secrets:ro \ debian touch /secrets/x touch: cannot touch '/secrets/x': Read-only file system

41 DROP CAPABILITIES $ docker run --cap-drop SETUID --cap-drop SETGID myimage $ docker run --cap-drop ALL --cap-add...

42 $ docker run -d myimage $ docker run -d -c 512 myimage $ docker run -d -c 512 myimage SET CPUSHARES

43 $ docker run -m 512m myimage SET MEMORY LIMITS

44 DEFANG SETUID/SETGID BINARIES Applications probably don't need them So don't run them in production

45 TO FIND THEM $ docker run debian \ find / -perm type f -exec ls -ld {} \; 2> /dev/null -rwsr-xr-x 1 root root Apr 15 00:02 /usr/lib/pt_chown -rwxr-sr-x 1 root shadow Nov /usr/bin/chage -rwsr-xr-x 1 root root Nov /usr/bin/gpasswd -rwsr-xr-x 1 root root Nov /usr/bin/chfn...

46 TO DEFANG THEM FROM debian:wheezy RUN find / -perm type f -exec chmod a-s {} \; \ true

47 RESULT $ docker build -t defanged-debian.... Successfully built cf1bc1 $ docker run --rm defanged-debian \ find / -perm type f -exec ls -ld {} \; \ 2> /dev/null wc -l 0 $

48 USE MINIMAL IMAGES Less software Less attack surface

49 Alpine Linux Static binaries Go makes this easy

50 USE LINUX SECURITY MODULES

51 SELINUX By NSA! Policy based MAC not DAC File access, sockets, interfaces

52 PITA Hard to define own policies Have to use devicemapper Extra work to use volumes

53 $ sestatus grep mode Current mode: enforcing $ mkdir data $ echo "hello" > data/file $ docker run -v $(pwd)/data:/data debian cat /data/file cat: /data/file: Permission denied

54 $ ls --scontext data unconfined_u:object_r:user_home_t:s0 file $ chcon -Rt svirt_sandbox_file_t data $ docker run -v $(pwd)/data:/data debian cat /data/file hello

55 APPARMOR Used by Debian & Ubuntu On by default Limits container access to host files and kernel capabilities Can pass in own policy for a container Process based; not as fine-grained as SELinux

56 ALSO A PITA, BUT...

57 BANE Project by Jessie Frazelle Simplifies creating AppArmor profiles

58 SECURITY HARDENED KERNEL Patched kernel with security enhancements grsecurity PaX Lag behind latest kernel version

59 VERIFY IMAGES Know what you're running And where it came from Only use automated builds, check Dockerfile Docker Content Trust Pull by digest

60 AUDITING Immutable infrastructure Audit images, not containers Docker diff Scanning tools scalock, twistlock, clair

61 SHARING SECRETS

62 BAKE IT INTO THE IMAGE

63 ENVIRONMENT VARIABLES $ docker run -e API_TOKEN=MY_SECRET myimage Suggested by 12 factor apps Can be seen too many places linked containers, inspect Can't be deleted Get included in reports

64 MOUNTED VOLUMES OR DATA VOLUME CONTAINERS $ docker run -v /secretdir/keyfile:/keyfile:ro myimage $ docker run --volumes-from my-secret-container myimage Works, but icky Files can get checked in by accident

65 SECURE KEY-VALUE STORE Docker 1.13 in Swarm Mode Kubernetes Secrets Vault Can control leases, store encrypted

66 CONCLUSION Containers Add isolation Provide tools for restricting attackers Use with VMs if concerned Think Defence-In-Depth & Least Privilege

67 THANK YOU!

68 Chief Container Solutions Wrote "Using Docker" for O'Reilly Free Docker Security minibook