A Security State of Mind: Container Security. Chris Van Tuin Chief Technologist, West

Similar documents
A DEVOPS STATE OF MIND WITH DOCKER AND KUBERNETES. Chris Van Tuin Chief Technologist, West

Practical OpenSCAP, Security Standard Compliance and Reporting Part 1: CLI (command-line)

June 8th, 2017 Washington D.C. Security Compliance for modern infrastructures with OpenSCAP

We have very limited time Won t cover extensive theory Won t cover writing SCAP policies - out of scope

Practical OpenSCAP Security Standard Compliance and Reporting. Robin Price II Senior Solutions Architect Martin Preisler Senior Software Engineer

Applied SCAP: Automating Security Compliance and Remediation. Shawn Wells Maintainer, SCAP Security Guide 31-JULY-2014

RED HAT'S CONTAINER STRATEGY. Lars Herrmann General Manager, RHEL, RHEV and Containers June 24, 2015

SCAP Security Guide Questions / Answers. Ján Lieskovský Contributor WorkShop November 2015

Introduction to Container Technology. Patrick Ladd Technical Account Manager April 13, 2016

SCAP Security Guide Questions / Answers. Contributor WorkShop Volume #2

Linux Containers Roadmap Red Hat Enterprise Linux 7 RC. Bhavna Sarathy Senior Technology Product Manager, Red Hat

Red Hat Container Strategy Ahmed El-Rayess

ViryaOS RFC: Secure Containers for Embedded and IoT. A proposal for a new Xen Project sub-project

Deployment Patterns using Docker and Chef

Container Security. Marc Skinner Principal Solutions Architect

Red Hat Enterprise Linux 6 Security Feature Overview. Steve Grubb Principal Engineer, Red Hat June 23, 2010

S Automating security compliance for physical, virtual, cloud, and container environments

FISMA COMPLIANCE FOR CONTAINERIZED APPS

TEN LAYERS OF CONTAINER SECURITY

Chapter 5: Vulnerability Analysis

A PRACTICAL INTRODUCTION TO CONTAINER SECURITY

Automating Security and Compliance for Hybrid Environments

L105190: Proactive Security Compliance Automation with CloudForms, Satellite, OpenSCAP, Insights, and Ansible Tower

Logging, Monitoring, and Alerting

Container Deployment and Security Best Practices

Nessus v6 SCAP Assessments. November 18, 2014 (Revision 1)

Secure Foundations: Why RHEL isn t just another Linux distribution

AUTOMATED PROCESSES IN COMPUTER SECURITY

Red Hat Enterprise Linux 6.4 Security-enhanced. Linux User Guide >>>CLICK HERE<<<

Multi-tenancy Virtualization Challenges & Solutions. Daniel J Walsh Mr SELinux, Red Hat Date

SYMANTEC DATA CENTER SECURITY

Red Hat Container Catalog Consuming Container Images from Red Hat and its Ecosystem. Dirk Herrmann Product Owner Container Catalog May 2nd 2017

A DEVOPS STATE OF MIND. Chris Van Tuin Chief Technologist, West

Docker and Security. September 28, 2017 VASCAN Michael Irwin

OPENSTACK Building Block for Cloud. Ng Hwee Ming Principal Technologist (Telco) APAC Office of Technology

K12 Cybersecurity Roadmap

Amir Zipory Senior Solutions Architect, Redhat Israel, Greece & Cyprus

Containers: Exploits, Surprises, And Security

A DEVOPS STATE OF MIND. Chris Van Tuin Chief Technologist, West

Red Hat System Administration I - RH124

System Hardening From concepts into details

Secure Configuration Manager SCAP Module User's Guide. January 2018

Przyspiesz tworzenie aplikacji przy pomocy Openshift Container Platform. Jarosław Stakuń Senior Solution Architect/Red Hat CEE

RED HAT CONTAINER CATALOG

Red Hat Certified System Administrator (RHCSA) RHCSA 7 Requirements and Syllabus

TEN LAYERS OF CONTAINER SECURITY. Kirsten Newcomer Security Strategist

Red Hat OpenShift Roadmap Q4 CY16 and H1 CY17 Releases. Lutz Lange Solution

Container Adoption for NFV Challenges & Opportunities. Sriram Natarajan, T-Labs Silicon Valley Innovation Center

FlashGrid Cloud Area Network Version 17.05

GL-280: Red Hat Linux 7 Update. Course Description. Course Outline

BUILDING APPLICATION SECURITY INTO PRODUCTION CONTAINER ENVIRONMENTS Informed by the National Institute of Standards and Technology

SecurityCenter 5.0 SCAP Assessments. May 28, 2015 (Revision 2)

AGENDA. 13:30-14:25 Gestion des patches, du provisionning et de la configuration de RHEL avec Satellite 6.1, par Michael Lessard, Red Hat

Travis Cardwell Technical Meeting

CONTAINER AND MICROSERVICE SECURITY ADRIAN MOUAT

Thinking the Open Source way

TEN LAYERS OF CONTAINER SECURITY

Privilege Security & Next-Generation Technology. Morey J. Haber Chief Technology Officer

Surviving in the wilderness integrity protection and system update. Patrick Ohly, Intel Open Source Technology Center Preliminary version

HOW TO SECURELY CONFIGURE A LINUX HOST TO RUN CONTAINERS

TRACKVIA SECURITY OVERVIEW

Red Hat Quay 2.9 Deploy Red Hat Quay - Basic

Patching and Updating your VM SUSE Manager. Donald Vosburg, Sales Engineer, SUSE

Security and Compliance Powered by the Cloud. Ben Friedman / Strategic Accounts Director /

Establishing Technology Trust in a Containerised World

RED HAT INSIGHTS. Security & Proactive Response with Insights

A PRACTICAL INTRODUCTION TO CONTAINER SECURITY

Securing the Data Center against

Investigating Containers for Future Services and User Application Support

OPEN SOURCE SECURITY ANALYSIS The State of Open Source Security in Commercial Applications

Downloading and installing Db2 Developer Community Edition on Red Hat Enterprise Linux Roger E. Sanders Yujing Ke Published on October 24, 2018

Oracle Ksplice for Oracle Linux

Brochure. Security. Fortify on Demand Dynamic Application Security Testing

CS 356 Operating System Security. Fall 2013

Tenable SCAP Standards Declarations. June 4, 2015 (Revision 11)

BigFix 2018 Roadmap. Aram Eblighatian. Product Manager IBM BigFix. 14 May, 2018

Red Hat CloudForms 4.6

UNCLASSIFIED. SCAP & STIG Workshop. Page 1 of 42 UNCLASSIFIED

Strategic Infrastructure Security

HOW TO MAKE THE CASE TO MANAGEMENT: PAYING FOR OPEN SOURCE

A guide to managing hosts in a Red Hat Satellite 6 environment. Edition 1.0

Murray Goldschmidt. Chief Operating Officer Sense of Security Pty Ltd. Micro Services, Containers and Serverless PaaS Web Apps? How safe are you?

Operating system hardening

Current and Future Issues in Security

The Center for Internet Security

Reinvent Your 2013 Security Management Strategy

W11 Hyper-V security. Jesper Krogh.

SECURING DOCKER: What You Need to Know

Cloud Computing. Faculty of Information Systems. Duc.NHM. nhmduc.wordpress.com

How to Restrict a Login Shell Using Linux Namespaces

Securing Microservices Containerized Security in AWS

Tanium Comply User Guide. Version 1.7.3

Harbor Registry. VMware VMware Inc. All rights reserved.

Secure Containers with EPT Isolation

Docker A FRAMEWORK FOR DATA INTENSIVE COMPUTING

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Symantec Endpoint Protection Family Feature Comparison

Security: The Key to Affordable Unmanned Aircraft Systems

Docker Security. Mika Vatanen

DGX SOFTWARE WITH RED HAT ENTERPRISE LINUX 7

Transcription:

A Security State of Mind: Container Security Chris Van Tuin Chief Technologist, West cvantuin@redhat.com

AGENDA Why Linux Containers? CONTAINER What are Linux Containers? APP LIBS Container Security HOST OS OpenSCAP SERVER 2

THE NEED FOR SPEED THE ACCELERATION OF APPLICATION DELIVERY FOR THE BUSINESS

5 THE PROBLEM: FRICTION

6 APPLICATION DELIVERY VIA CONTAINERS

LINUX CONTAINERS

WHAT ARE LINUX CONTAINERS? Package Once Deploy Anywhere CONTAINER Containers provide lightweight isolation of process, network, APP LIBS filesystem spaces HOST OS Docker builds on Linux SERVER containers, adds an API, image format, runtime, and a delivery and sharing model 8

9

10 BUILD, SHIP, RUN

TRADITIONAL OS VS CONTAINERS Traditional OS Containers CONTAINER CONTAINER APP A APP B APP A APP B LIBS A LIBS B LIBS LIBS LIBS LIBS HOST OS HARDWARE HOST OS HARDWARE 11

UNDERLYING TECHNOLOGY Containers Containers Containers DOCKER CLI Docker Image SYSTEMD Unit File Cgroups Namespaces SELinux Drivers RHEL Kernel Hardware (Intel, AMD) or Virtual Machine 12

IMAGE-BASED CONTAINERS WITH DOCKER TECHNOLOGY Docker container images have layers All image layers are read only When a container is run the topmost layer is read-write 13

CONTAINER SECURITY

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

16

Patch? The servers are behind the firewall. - Anonymous (far too many to name), 2005 -

CONTAINERS DO NOT CONTAIN - Dan Walsh, Red Hat 18

RESOURCES NOT NAMESPACED Kernel keyring Kernel itself and modules Devices System time UIDs* *RHEL 7.2 Tech Preview *Kernel boot option, user_namespace.enable=1 19

CONTAINER SECURITY RISKS Kernel exploits Denial of Service attacks Container breakouts Poisoned images Compromised secrets 20

CONTAINER IMAGES

WHAT S INSIDE THE CONTAINER MATTERS 64% of official images in Docker Hub contain high priority security vulnerabilities examples: ShellShock (bash) Heartbleed (OpenSSL) Poodle (OpenSSL) Source: Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities, Jayanth Gummaraju, Tarun Desikan, and Yoshio Turner, BanyanOps, May 2015 (http://www.banyanops.com/pdf/banyanops-analyzingdockerhub-whitepaper.pdf)

23

VULNERABILITIES PER PACKAGE TOP 20 (2014)

Compliance and Vulnerability Audits with OpenSCAP

National Institute of Standards and Technology automating vulnerability management, security management, and compliance checking

Common Vulnerability and Exposures (CVE)

Common Configuration Enumeration (CCE) CCE Database CCE-27002-5 Set Password Minimum Length in login.defs To specify password length requirements for new accounts, edit the file /etc/login.defs and add or correct the following lines: PASS_MIN_LEN The DoD requirement is 14. The FISMA requirement is 12. If a program consults /etc/login.defs and also another PAM module (such as pam_cracklib) during a password change operation, then the most restrictive must be satisfied. See PAM section for more information about enforcing password quality requirements.

OpenSCAP Scan physical servers, virtual machines, docker images and containers for Compliance (CCEs) and known Vulnerabilities (CVEs) Content Scan Reports SCAP Security Guide for RHEL CCE-27002-5 Set Password Minimum Length

OpenSCAP Tools

USE CASE #1: Scan for Compliance Are password quality requirements set? Are obsolete services enabled, e.g. telnet? Is openssh properly configured? Is /tmp on a separate partition?

SCAN oscap xccdf eval --profile rht-ccp \ --report /var/www/html/report.html \ --results /var/www/html/results.html \ --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml \ /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

REPORT

REPORT

REPORT

REMEDIATION

USE CASE #2: Scan for Known Vulnerabilities What RPMs need updating? What is the criticality of the vulnerability? What is the vulnerability? What CVEs have and have not been addressed?

SCAN # obtain RHSA file from Red Hat for RHEL wget http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml # run Vulnerability scan oscap oval eval --results /var/www/html/rhsa-results-oval.xml \ --report /var/www/html/oval-report.html com.redhat.rhsa-all.xml # view the Report firefox /var/www/html/oval-report.html

REPORT

REPORT

USE CASE #3: Containers Is the docker image compliant? Is the docker image patched? Is the docker container compliant? Is the docker container patched?

INSTALL # install oscap-docker yum install openscap-utils # install docker subscription-manager repos --enable=rhel-7-server-extras-rpms subscription-manager repos --enable=rhel-7-server-optional-rpms yum install openscap-scanner docker systemctl stop firewalld.service systemctl disable firewalld.service systemctl start docker.service systemctl enable docker.service # get RHEL6.2 docker image docker pull docker.io/richxsl/rhel6.2

SCAN DOCKER IMAGES ( offline ) # Compliance Scan oscap-docker image docker.io/richxsl/rhel6.2 xccdf eval --profile xccdf_org.ssgproject.content_profile_rht-ccp \ /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml # Vulnerability Scan on RHEL 6.2 image oscap-docker image-cve docker.io/richxsl/rhel6.2 --results /var/www/html/image-oval.xml --report /var/www/html/image rhel62.html DOCKER CONTAINERS ( online ) # start a container named myrhel62 docker run --name myrhel62 -it docker.io/richxsl/rhel6.2 /bin/bash # Compliance Scan oscap-docker container myrhel62 xccdf eval --profile xccdf_org.ssgproject.content_profile_rht-ccp \ /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml # Vulnerability Scan oscap-docker container-cve docker.io/richxsl/rhel6.2 --results /var/www/html/container-oval.xml --report /var/www/ html/container-rhel62.html

https://fedorahosted.org/oscap-anaconda-addon

Without With VS 64% 99%

CONTAINER BEST PRACTICES Only run container images from trusted parties Container apps should drop privileges Host operating system matters Apply kernel security fixes Do not disable selinux Examine container images for security flaws 49

RESOURCES Best Practices RHEL Security Guide Hardening SELinux Audit Log syslog / systemd-journald Identity Management RHEL IdM Security Blog securityblog.redhat.com Three Pigs Coloring Book https://t.co/4kh6iszz2h

THANK YOU! Chris Van Tuin cvantuin@redhat.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback