
BSides SF talk on Docker Images Security - Feb 13, 2017


1 TCS Confidential

Manideep Konakandla

Carnegie Mellon University @Bsides SF – Feb 13, 2017

How secure are your Docker Images?

2

Who am I? Hmm, yeah - Shameless Bragging

• J.N. Tata Scholar, ISC2 Scholar, RSA Conference Security Scholar etc.

• Masters Student (Graduating in May’17) + Security Researcher at CMU

• Authored a book on Info Sec & Ethical Hacking at the age of 20

• Featured in INDIA’s largest newspapers and news channels

• 10 certifications + Trained 15,000+ people in Information Security

• Ex “Team Lead – Core Security & Data Analytics” at TCS

• Interest areas: Container Security, Application Security, System Security etc.

More details about me on www.manideepk.com

3

What am I up to with Containers?

• Co-author, Contributor for CIS Docker 1.12 & 1.13 benchmarks

• Extensive research at Carnegie Mellon (CMU)

• Presented (/will be presenting) at OWASP AppsecUSA, Container World etc.

• Cloud Security Research Intern @Adobe last Summer

4

Before we start

5

What are we doing for next 30 mins?

A.B.C.D….

• Containers in 45 seconds

• Container Pipeline, Risk Areas and our Scope

Images Security

• Dockerfile

• Building

• Maintaining/Consuming

• Enterprise zone

Benchmark to assess security of your Docker Images

Wrap up


7

Quick “60 second” Intro

Containers?

Lightweight

Application centric

Micro-services

No more - “it works on my machine”

Namespaces: Isolation (PID, User, Network, IPC, Mount, UTS)

Cgroups: Isolates, limits and accounts resource usage (CPU, memory etc.)

BUZZ……….! Are containers brand new?

Img Ref: www.docker.com

Containers in 45 seconds

8

Client <=> daemon communication

Communication with public/private registry

Registry’s security

Host security

Daemon security

Containers

Images

Container Pipeline, Risk Areas and our Scope

Ref: Modified version of image on www.docker.com

9

What’s next?


10

Life cycle of an “Image”

Dockerfile --(Build)--> Image --(Spin)--> Container

Maintaining images securely

11

Security of “Dockerfile”

• Do not write secrets in the Dockerfile (Info Disclosure). Use secret management solutions (Twitter’s Vine)

• Create a USER, or else the container will run as root (Privilege escalation)

• Follow version pinning for images, packages etc. (no ‘latest’) (Caching Issue)

• Remove unnecessary setuid, setgid permissions (Privilege escalation)

• Do not write any kind of update instruction alone in the Dockerfile (Caching)

• Download packages securely using GPG (MITM) and also do not download unnecessary packages (Increased attack surface)

• Use COPY instead of ADD (Increased attack surface)

• Use the HEALTHCHECK instruction (Best practice)

• Use gosu instead of sudo wherever possible

• Try to restrict an image (/container) to one service
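As an added example (not from the talk), a small Python check that encodes several of this slide's rules and runs them over two constructed Dockerfiles, one breaking the rules and one following them. The rule set is a simplified illustration rather than a full Dockerfile linter or the CIS benchmark tooling, and the package version pin in the hardened sample is illustrative, not a real recommendation.

```python
import re
# Constructed sample Dockerfiles: one breaking the slide's rules, one following them.
WEAK = """\
FROM ubuntu:latest
ENV DB_PASSWORD=hunter2
RUN apt-get update
ADD app.tar.gz /opt/app
"""
HARDENED = """\
FROM ubuntu:16.04
RUN apt-get update && apt-get install -y --no-install-recommends curl=7.47.0-1ubuntu2 \\
    && rm -rf /var/lib/apt/lists/*
COPY app/ /opt/app/
RUN useradd -r appuser
USER appuser
HEALTHCHECK CMD curl -f http://localhost:8080/ || exit 1
"""
def parse_dockerfile(text):
    # Returns (INSTRUCTION, args) pairs; comments dropped, backslash continuations joined.
    out, buf = [], ""
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        parts = (buf + line).split(None, 1)
        out.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
        buf = ""
    return out
SECRET_RE = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY)\s*=?\s*\S", re.I)
RULES = [  # per-instruction rules from the slide: (finding, predicate over one (instruction, args) pair)
    ("unpinned-base-image",  # no tag, or ':latest' (version pinning / caching issue)
     lambda n, a: n == "FROM" and (":" not in a.split()[0] or a.split()[0].endswith(":latest"))),
    ("secret-in-dockerfile",  # credentials baked into an image layer (info disclosure)
     lambda n, a: n in ("ENV", "ARG") and bool(SECRET_RE.search(a))),
    ("add-instead-of-copy",  # ADD also fetches URLs and unpacks archives (attack surface)
     lambda n, a: n == "ADD"),
    ("update-alone",  # a lone 'apt-get update' layer is cached and never refreshed
     lambda n, a: n == "RUN" and "apt-get update" in a and "apt-get install" not in a),
]
def check_dockerfile(text):
    # Returns violations: per-instruction findings in file order, then whole-file findings.
    ins = parse_dockerfile(text)
    findings = [f for n, a in ins for f, pred in RULES if pred(n, a)]
    if not any(n == "USER" and a.strip() not in ("root", "0") for n, a in ins):
        findings.append("no-non-root-user")  # otherwise the container runs as root
    if not any(n == "HEALTHCHECK" for n, _ in ins):
        findings.append("no-healthcheck")
    return findings
```

Running `check_dockerfile(WEAK)` reports six findings and `check_dockerfile(HARDENED)` reports none; the same function can be pointed at any Dockerfile text read from disk.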

12

Building Images

13

Maintaining/Consuming Images

• Docker Content Trust

- Provides authenticity, integrity and freshness guarantees

- Takes some time to understand & prepare a production setup (worth it!)

• Vulnerability-free Images

- Tool selection: binary level analysis + hash based

- Tool recommendation (Meet me!)

• Except for compatibility issues, all images and packages must be up-to-date

14

Enterprise zone (Personal users ALLOWED!)

• Do not use Docker hub Images

- Why?

- How about Docker Store?

• Maintain your own in-house registries

• Perform image optimization techniques (I did not explore this!)

• Use commercial tools (meet me for recommendations) which provide

- Image Lockdown

- RBAC etc.

• Use file monitoring solutions to monitor any malicious changes in image layers

• Have separate patch, vulnerability (and any other) management procedures for container ecosystems (including Images)

• Customize the CIS Docker benchmarks as per your requirements and adhere to them

15

What’s next?


16

Benchmark to assess “Images Security”

17

What’s next?


18

So, what did you learn today?

19

It’s not good to keep questions in your mind

Throw them out and I am here to catch

20

References

1. CIS Docker Benchmarks - 1.12 and 1.13

2. https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/2016/april/ncc_group_understanding_hardening_linux_containers-1-1pdf

3. www.oreilly.com/webops-perf/free/files/docker-security.pdf

4. http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf

5. http://www.slideshare.net/Docker/docker-security-workshop-slides

6. http://www.slideshare.net/Docker/securing-the-container-pipeline-at-salesforce-by-cem-gurkok-63493231

7. https://docs.docker.com/engine/security/

8. http://www.slideshare.net/Docker/docker-security-deep-dive-by-ying-li-and-david-lawrence

21

That’s it…!

You can collect my V-Card

Reach me on www.manideepk.com for any questions