CONTAINER AND MICROSERVICE SECURITY ADRIAN MOUAT
1 CONTAINER AND MICROSERVICE SECURITY ADRIAN MOUAT
2 Chief Container Solutions Wrote "Using Docker" for O'Reilly 40% Discount with AUTHD code Free Docker Security minibook
3 OVERVIEW The Benefits of Security Container Attack Vectors Security Philosophy Demo Tips & Techniques
4 THE BENEFITS OF SECURITY
10 CONTAINER ATTACK VECTORS
11 KERNEL ATTACKS
12 DENIAL OF SERVICE
13 CONTAINER BREAKOUTS
14 POISONED IMAGES
15 SNIFFING SECRETS
16 SECURITY PARADIGMS
17 DEFENCE-IN-DEPTH Multiple layers of security
18 LEAST PRIVILEGE Only access data and resources essential to function "Least Privilege Microservices" by Nathan McCauley and Diogo Mónica
19 DEMO
20 SO WHAT NOW?
Ideally have guidelines for the procedure
Need to isolate the container (and probably the host):
    docker network disconnect
Don't delete; preferably don't stop either, if it is safe not to
See what changed on the container's filesystem:
    docker diff
21 HOW TO MITIGATE
Run the container with fewer privileges:
    --read-only
    Use a non-privileged user...
22 NOT A SOLUTION!
Still allows remote execution of arbitrary JS
The real solution is to replace the vulnerable library
The image should be scanned for known vulns
23 IMAGE SCANNING Docker Security Scanning Other solutions Clair from CoreOS Peekr from Aqua Security Twistlock Atomic Scan from Red Hat
24 DEPENDENCY CHECKERS OWASP Dependency Checker Node Security Project (NSP)
25 TIPS & TECHNIQUES
26 USE CONTAINERS AND VMS
Use VMs to segregate groups of containers
For multitenancy: each user's containers in a separate VM
For different security levels: containers processing CC details in their own VM
27 ASIDE: DIRTY COW (CVE )
Recent vulnerability found in the kernel
Allows privilege escalation
Can be used to break out of containers
Also breaks read-only filesystems
    docker run --rm amouat/dirty-cow-test
28 SEGREGATE BY NETWORK
Use multiple "logical" networks, e.g. backend, frontend
frontend should not be able to reach the backend network
A "link" container will be in both
    docker network create frontend
29 DOCKER PRIVILEGES == ROOT PRIVILEGES
30 Can mount any directory
Can create and copy out "backdoors":
    docker run -v $PWD:/data debian /bin/sh -c \
        'cp /bin/sh /data/ && chown root.root /data/sh && chmod a+s /data/sh'
31 USER NAMESPACING By default, there is no user namespacing Root in container is root on host Don't run apps in a VM as root Same goes for containers
32 USER NAMESPACING
Can be turned on since Docker 1.10
Maps users in containers to high-numbered users on the host
Set on the daemon, not per container, due to complications with ownership of image layers
33 GOTCHAS
Problems with volumes and plugins
Can't use --pid=host or --net=host
Can't use read-only
Restrictions on some operations (e.g. mknod)
34 SET A USER
Create a user in your Dockerfile
Change to the user via USER or su/sudo/gosu:
    RUN groupadd -r user && useradd -r -g user user
    USER user
35 BE CAREFUL WHEN DELETING DATA IN DOCKERFILES
36 THIS DOESN'T WORK
    FROM debian
    RUN apt-get update && apt-get install -y curl
    RUN curl -o /file.tgz
    RUN tar xzf /file.tgz && make
    RUN rm /file.tgz
37 THIS DOES
    FROM debian
    RUN apt-get update && apt-get install -y curl
    RUN curl -o /file.tgz && tar xzf /file.tgz && make && rm /file.tgz
38 AND THIS IS REALLY BAD
    # Copy github ssh key
    COPY github_rsa /root/.ssh/id_rsa
    ...
    # Remove ssh key
    RUN rm /root/.ssh/id_rsa
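A small Dockerfile linter for the two mistakes on slides 36 to 38 (a file fetched or copied in one instruction and deleted in a later one, which leaves it in the earlier layer) plus the missing USER from slide 34. This is an added example, not code from the deck; the two Dockerfiles are constructed, and the curl URL (the deck's is elided) is a placeholder.

```python
"""Lint a Dockerfile for layer-deletion mistakes and a missing USER.
Constructed samples are embedded below; nothing is built."""
import re
import shlex

# Constructed sample: slides 36 and 38 combined (placeholder URL).
BAD_DOCKERFILE = """\
FROM debian
RUN apt-get update && apt-get install -y curl
RUN curl -o /file.tgz https://example.invalid/file.tgz
RUN tar xzf /file.tgz && make
RUN rm /file.tgz
# Copy github ssh key
COPY github_rsa /root/.ssh/id_rsa
RUN git clone git@github.com:example/private.git /src
# Remove ssh key
RUN rm /root/.ssh/id_rsa
"""

# Constructed sample: fetch, use and delete in one layer; drop to a user.
GOOD_DOCKERFILE = """\
FROM debian
RUN apt-get update && apt-get install -y curl
RUN curl -o /file.tgz https://example.invalid/file.tgz \\
    && tar xzf /file.tgz && make && rm /file.tgz
RUN groupadd -r user && useradd -r -g user user
USER user
"""


def parse_dockerfile(text):
    """Return [(INSTRUCTION, args)] with comments dropped and
    backslash continuations joined."""
    instrs, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not buf and (not line.strip() or line.lstrip().startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        parts = buf.strip().split(None, 1)
        instrs.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
        buf = ""
    return instrs


def _commands(shell_args):
    """Split a RUN line into simple commands on && || ; and |
    (quoting of these operators is not handled; fine for a linter)."""
    segs = re.split(r"\s*(?:&&|\|\||;|\|)\s*", shell_args)
    return [shlex.split(s) for s in segs if s.strip()]


def files_created(instr, args):
    """Paths an instruction writes into the image: COPY/ADD destinations
    and curl -o / wget -O outputs."""
    created = set()
    if instr in ("COPY", "ADD"):
        toks = [t for t in shlex.split(args) if not t.startswith("--")]
        if len(toks) >= 2:
            created.add(toks[-1])
    elif instr == "RUN":
        for cmd in _commands(args):
            flag = {"curl": "-o", "wget": "-O"}.get(cmd[0] if cmd else "")
            for i, tok in enumerate(cmd[:-1]):
                if flag and tok == flag:
                    created.add(cmd[i + 1])
    return created


def files_removed(instr, args):
    """Paths passed to rm inside a RUN instruction."""
    removed = set()
    if instr == "RUN":
        for cmd in _commands(args):
            if cmd and cmd[0] == "rm":
                removed.update(t for t in cmd[1:] if not t.startswith("-"))
    return removed


def lint(text):
    """Return a list of findings (empty means clean)."""
    findings, created, has_user = [], {}, False
    instrs = parse_dockerfile(text)
    for idx, (instr, args) in enumerate(instrs):
        # Check removals first so a fetch-and-rm in the same RUN is fine.
        for path in files_removed(instr, args):
            if path in created and created[path] != idx:
                findings.append(
                    f"instruction {idx + 1}: rm {path} does not remove it from "
                    f"the layer of instruction {created[path] + 1} "
                    f"({instrs[created[path]][0]})")
        for path in files_created(instr, args):
            created.setdefault(path, idx)
        has_user = has_user or instr == "USER"
    if not has_user:
        findings.append("no USER instruction: the container runs as root")
    return findings


if __name__ == "__main__":
    for name, text in (("bad", BAD_DOCKERFILE), ("good", GOOD_DOCKERFILE)):
        print(name, lint(text))
```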
39 SET CONTAINER FS TO READ-ONLY
    $ docker run --read-only debian touch x
    touch: cannot touch 'x': Read-only file system
40 SET VOLUMES TO READ-ONLY
    $ docker run -v $(pwd)/secrets:/secrets:ro \
        debian touch /secrets/x
    touch: cannot touch '/secrets/x': Read-only file system
41 DROP CAPABILITIES
    $ docker run --cap-drop SETUID --cap-drop SETGID myimage
    $ docker run --cap-drop ALL --cap-add...
42 SET CPU SHARES
    $ docker run -d myimage
    $ docker run -d -c 512 myimage
    $ docker run -d -c 512 myimage
43 SET MEMORY LIMITS
    $ docker run -m 512m myimage
44 DEFANG SETUID/SETGID BINARIES Applications probably don't need them So don't run them in production
45 TO FIND THEM
    $ docker run debian \
        find / -perm /6000 -type f -exec ls -ld {} \; 2> /dev/null
    -rwsr-xr-x 1 root root Apr 15 00:02 /usr/lib/pt_chown
    -rwxr-sr-x 1 root shadow Nov /usr/bin/chage
    -rwsr-xr-x 1 root root Nov /usr/bin/gpasswd
    -rwsr-xr-x 1 root root Nov /usr/bin/chfn
    ...
46 TO DEFANG THEM
    FROM debian:wheezy
    RUN find / -perm /6000 -type f -exec chmod a-s {} \; || true
47 RESULT
    $ docker build -t defanged-debian .
    ...
    Successfully built cf1bc1
    $ docker run --rm defanged-debian \
        find / -perm /6000 -type f -exec ls -ld {} \; \
        2> /dev/null | wc -l
    0
    $
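The find-and-defang procedure from slides 45 to 47, written as an added example (not the deck's code) that runs against a constructed directory tree instead of a live container. It also shows the edge cases the one-liner relies on: symlinks are not followed, and files that cannot be chmod'ed are skipped rather than failing the build (the reason for the `|| true`).

```python
"""Find and strip setuid/setgid bits under a root directory, the
equivalent of `find / -perm /6000 -type f -exec chmod a-s {} \\;`.
A constructed sample tree is built in a temp dir so this runs offline."""
import os
import stat
import tempfile

SETID_BITS = stat.S_ISUID | stat.S_ISGID


def is_setid(path):
    """True for a regular file (not a symlink) with setuid or setgid set."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & SETID_BITS)


def find_setid(root):
    """Sorted absolute paths of setuid/setgid regular files under root.
    os.walk does not follow symlinked directories, and lstat in is_setid
    ignores symlinked files, so a link cannot pull in files outside root."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if is_setid(path):
                hits.append(path)
    return sorted(hits)


def defang(root):
    """chmod a-s every hit; returns the number of files changed.
    Files we are not allowed to change are skipped, mirroring `|| true`."""
    changed = 0
    for path in find_setid(root):
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        try:
            os.chmod(path, mode & ~SETID_BITS)
            changed += 1
        except PermissionError:
            continue
    return changed


def build_sample_tree():
    """Constructed sample: a fake root with two setuid binaries, one plain
    binary, and a symlink to a setuid file outside the tree.
    Returns (root, path_of_outside_setuid_file)."""
    root = tempfile.mkdtemp(prefix="defang-root-")
    outside = tempfile.mkdtemp(prefix="defang-outside-")
    os.makedirs(os.path.join(root, "usr", "bin"))
    os.makedirs(os.path.join(root, "bin"))
    for rel, mode in (("usr/bin/chfn", 0o4755),
                      ("usr/bin/gpasswd", 0o4755),
                      ("bin/ls", 0o755)):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    outside_sh = os.path.join(outside, "sh")
    with open(outside_sh, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(outside_sh, 0o4755)
    os.symlink(outside_sh, os.path.join(root, "usr", "bin", "sh"))
    return root, outside_sh


if __name__ == "__main__":
    sample_root, _ = build_sample_tree()
    print("before:", find_setid(sample_root))
    print("defanged:", defang(sample_root))
    print("after:", find_setid(sample_root))
```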
48 USE MINIMAL IMAGES Less software Less attack surface
49 Alpine Linux Static binaries Go makes this easy
50 USE LINUX SECURITY MODULES
51 SELINUX
By NSA!
Policy based: MAC, not DAC
File access, sockets, interfaces
52 PITA
Hard to define own policies
Have to use devicemapper
Extra work to use volumes
53
    $ sestatus | grep mode
    Current mode: enforcing
    $ mkdir data
    $ echo "hello" > data/file
    $ docker run -v $(pwd)/data:/data debian cat /data/file
    cat: /data/file: Permission denied
54
    $ ls --scontext data
    unconfined_u:object_r:user_home_t:s0 file
    $ chcon -Rt svirt_sandbox_file_t data
    $ docker run -v $(pwd)/data:/data debian cat /data/file
    hello
55 APPARMOR Used by Debian & Ubuntu On by default Limits container access to host files and kernel capabilities Can pass in own policy for a container Process based; not as fine-grained as SELinux
56 ALSO A PITA, BUT...
57 BANE Project by Jessie Frazelle Simplifies creating AppArmor profiles
58 SECURITY HARDENED KERNEL Patched kernel with security enhancements grsecurity PaX Lag behind latest kernel version
59 VERIFY IMAGES Know what you're running And where it came from Only use automated builds, check Dockerfile Docker Content Trust Pull by digest
60 AUDITING Immutable infrastructure Audit images, not containers Docker diff Scanning tools scalock, twistlock, clair
61 SHARING SECRETS
62 BAKE IT INTO THE IMAGE
63 ENVIRONMENT VARIABLES
    $ docker run -e API_TOKEN=MY_SECRET myimage
Suggested by 12 factor apps
Can be seen in too many places: linked containers, docker inspect
Can't be deleted
Get included in reports
64 MOUNTED VOLUMES OR DATA VOLUME CONTAINERS
    $ docker run -v /secretdir/keyfile:/keyfile:ro myimage
    $ docker run --volumes-from my-secret-container myimage
Works, but icky
Files can get checked in by accident
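An audit of `docker inspect` output that checks the runtime tips from slides 39 to 43 (read-only rootfs, dropped capabilities, memory limit), the user and host-namespace points from slides 31 to 34, and the secret-handling points from slides 63 and 64 (secrets in env vars, writable volumes). This is an added example, not the deck's code; the two inspect records are constructed by hand and use the real `Config`, `HostConfig` and `Mounts` field names, and the secret-name pattern is an assumption.

```python
"""Flag weak runtime settings in `docker inspect` output.
Two constructed inspect records are embedded; docker is never invoked."""
import json
import re

# Assumed heuristic: env var names that usually carry secrets.
SECRET_NAME = re.compile(r"(TOKEN|SECRET|PASS(WORD)?|KEY)", re.IGNORECASE)

# Constructed sample: `docker run -d -e API_TOKEN=MY_SECRET -v /secretdir:/secrets myimage`
WEAK = json.loads("""
[{"Id": "weak0001",
  "Config": {"User": "", "Env": ["API_TOKEN=MY_SECRET", "PATH=/usr/bin"]},
  "HostConfig": {"Privileged": false, "ReadonlyRootfs": false,
                 "CapAdd": null, "CapDrop": null, "Memory": 0,
                 "PidMode": "", "NetworkMode": "default"},
  "Mounts": [{"Type": "bind", "Source": "/secretdir",
              "Destination": "/secrets", "RW": true}]}]
""")

# Constructed sample: the same workload with the deck's flags applied
# (--read-only, --cap-drop ALL, -m 512m, USER user, :ro volume, no env secret)
HARDENED = json.loads("""
[{"Id": "hard0001",
  "Config": {"User": "user", "Env": ["PATH=/usr/bin"]},
  "HostConfig": {"Privileged": false, "ReadonlyRootfs": true,
                 "CapAdd": null, "CapDrop": ["ALL"], "Memory": 536870912,
                 "PidMode": "", "NetworkMode": "frontend"},
  "Mounts": [{"Type": "bind", "Source": "/secretdir/keyfile",
              "Destination": "/keyfile", "RW": false}]}]
""")


def audit(record):
    """Return a list of findings for one inspect record (empty = clean)."""
    cfg = record.get("Config") or {}
    host = record.get("HostConfig") or {}
    findings = []
    if host.get("Privileged"):
        findings.append("--privileged: container has full host capabilities")
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable (run with --read-only)")
    if "ALL" not in (host.get("CapDrop") or []):
        findings.append("default capability set kept "
                        "(use --cap-drop ALL, then --cap-add what is needed)")
    if host.get("CapAdd"):
        findings.append("capabilities added: " + ", ".join(host["CapAdd"]))
    if not host.get("Memory"):
        findings.append("no memory limit (set -m)")
    if host.get("PidMode") == "host" or host.get("NetworkMode") == "host":
        findings.append("shares the host PID or network namespace")
    user = str(cfg.get("User") or "")
    if user in ("", "root", "0") or user.startswith("0:"):
        findings.append("runs as root (add USER to the Dockerfile or pass -u)")
    for env in cfg.get("Env") or []:
        name = env.split("=", 1)[0]
        if SECRET_NAME.search(name):
            findings.append(f"secret-looking env var {name} "
                            "(visible via docker inspect and to linked containers)")
    for mount in record.get("Mounts") or []:
        if mount.get("RW", True):
            findings.append(f"writable mount {mount.get('Source')} -> "
                            f"{mount.get('Destination')} (append :ro if only read)")
    return findings


def audit_all(inspect_output):
    """Map container Id -> findings for a whole `docker inspect` array."""
    return {rec["Id"]: audit(rec) for rec in inspect_output}


if __name__ == "__main__":
    for cid, found in audit_all(WEAK + HARDENED).items():
        print(cid, "clean" if not found else "")
        for line in found:
            print("  -", line)
```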
65 SECURE KEY-VALUE STORE Docker 1.13 in Swarm Mode Kubernetes Secrets Vault Can control leases, store encrypted
66 CONCLUSION Containers Add isolation Provide tools for restricting attackers Use with VMs if concerned Think Defence-In-Depth & Least Privilege
67 THANK YOU!
68 Chief Container Solutions Wrote "Using Docker" for O'Reilly Free Docker Security minibook