2. Isn't Docker secure?
Ars Technica: Infected images mined digital coins
"17 images posted by a single account over 10 months may have
generated $90,000."
"For ordinary users, just pulling a Docker image from Docker Hub is like
pulling arbitrary binary data from somewhere, executing it, and hoping
for the best without really knowing what's in it."
https://arstechnica.com/information-technology/2018/06/backdoored-images-downloaded-5-million-times-finally-removed-from-docker-hub/
3. CVE-2019-5736
"runc through 1.0-rc6, as used in Docker before 18.09.2 and other
products, allows attackers to overwrite the host runc binary (and
consequently obtain host root access) by leveraging the ability to
execute a command as root within one of these types of containers:
(1) a new container with an attacker-controlled image, or (2) an
existing container, to which the attacker previously had write access,
that can be attached with docker exec. This occurs because of
file-descriptor mishandling, related to /proc/self/exe."
4. Important stuff I won't talk about this time
Physical security
Host security (patched OS, only necessary packages, OS hardening, ...)
Network security (open ports, firewalls, strict SSH access, …)
Educating users
...
6. Official images
Essential base OS repositories as the starting point for users
Lead examples of Dockerfile best practices
Security updates are applied in a timely manner
Scanned for vulnerabilities
https://docs.docker.com/docker-hub/official_images/
8. Docker Content Trust (DCT)
Use digital signatures for data sent to and received from remote
Docker registries.
These signatures allow client-side or runtime verification of the integrity
and publisher of specific image tags.
Through DCT, image publishers can sign their images and image
consumers can ensure that the images they use are signed.
9. DCT #2
export DOCKER_CONTENT_TRUST="1"
docker pull user/someimage
Error: remote trust data does not exist for docker.io/user/someimage:
notary.docker.io does not have trust data for docker.io/user/someimage
https://docs.docker.com/engine/security/trust/content_trust/
14. Build your own images
Start from official images
Use a reasonable distro (e.g. alpine)
Include only what's really required (e.g. --no-install-recommends)
USER someuser
No sudo
No sshd
15. Don't bake any secrets to the image
ENV MYSQL_PASSWORD "aaaa"
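The build rules on the two slides above (official, pinned base image; non-root USER; no sudo or sshd; no secrets in ENV) can be enforced mechanically before an image is ever built. The linter below is an added example written for this page, not code from the talk or from Docker; the secret-name pattern and the list of forbidden packages are assumptions chosen for illustration, and the two Dockerfiles it checks are constructed inline.

```python
"""Lint a Dockerfile for the build-hygiene rules from the slides.

Added example, not from the talk. SECRET_NAME and FORBIDDEN_PKGS are
assumed heuristics; tune them for your own images.
"""
import re

# Variable names that suggest a credential is being baked into the image.
SECRET_NAME = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)
# Packages that have no business in a minimal application image.
FORBIDDEN_PKGS = ("sudo", "openssh-server", "sshd")


def join_continuations(text):
    """Collapse backslash-newline continuations so every instruction is one line.
    Reported line numbers therefore refer to the joined text."""
    return re.sub(r"\\\s*\n\s*", " ", text)


def lint_dockerfile(text):
    """Return a list of (line_no, finding) tuples; an empty list means clean."""
    findings = []
    last_user = None
    for no, raw in enumerate(join_continuations(text).splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, rest = line.partition(" ")
        instr, tokens = instr.upper(), rest.split()
        if instr == "FROM" and tokens:
            image = tokens[0]
            pinned = ":" in image or "@" in image
            if image != "scratch" and (not pinned or image.endswith(":latest")):
                findings.append((no, f"base image {image!r} is unpinned or :latest"))
            # Official images have no namespace (ubuntu, alpine) or live under library/.
            if "/" in image and not image.startswith("docker.io/library/"):
                findings.append((no, f"base image {image!r} is not an official library image"))
        elif instr == "RUN":
            for pkg in FORBIDDEN_PKGS:
                if re.search(rf"\b{re.escape(pkg)}\b", rest):
                    findings.append((no, f"RUN installs or references {pkg}"))
        elif instr in ("ENV", "ARG") and tokens:
            # Both forms: "ENV NAME value" and "ENV A=1 B=2". ARG values also
            # survive in the image history, so they are no place for credentials.
            names = [tokens[0].split("=")[0]] + [t.split("=")[0] for t in tokens[1:] if "=" in t]
            for name in names:
                if SECRET_NAME.search(name):
                    findings.append((no, f"{instr} bakes a secret-looking variable {name}"))
        elif instr == "USER" and tokens:
            last_user = tokens[0].split(":")[0]
    # The last USER instruction decides who the container process runs as.
    if last_user in (None, "root", "0"):
        findings.append((0, "image runs as root: add a non-root USER instruction"))
    return findings


# Constructed inputs: the anti-patterns from the slides, and a clean counterpart.
BAD_DOCKERFILE = """\
FROM ubuntu:latest
RUN apt-get update && \\
    apt-get install -y sudo openssh-server
ENV MYSQL_PASSWORD "aaaa"
"""
GOOD_DOCKERFILE = """\
FROM alpine:3.10
RUN apk add --no-cache ca-certificates
USER someuser
"""

if __name__ == "__main__":
    for line_no, finding in lint_dockerfile(BAD_DOCKERFILE):
        print(f"line {line_no}: {finding}")
```

Run it as a pre-build step in CI and fail the pipeline when the list is non-empty; the `ARG` check matters because build arguments, like `ENV`, remain readable with `docker history`.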
16. Scan your images
Microscanner: https://github.com/aquasecurity/microscanner
FROM debian:jessie-slim
RUN apt-get update && apt-get -y install ca-certificates
ADD https://get.aquasec.com/microscanner /
ARG token
RUN chmod +x /microscanner && /microscanner ${token}
17. "vulnerabilities": [
{
"name": "CVE-2017-8398",
"description": "dwarf.c in GNU Binutils 2.28 is vulnerable to an invalid read of size 1 during dumping of debug information from a corrupt binary …",
"nvd_score": 5,
"nvd_score_version": "CVSS v2",
"nvd_vectors": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"nvd_severity": "medium",
"nvd_url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8398",
…
},
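A scan report is only useful if something acts on it. The gate below is an added example, not part of the talk and not Microscanner's own tooling; it assumes only the JSON shape shown on the slide (a `vulnerabilities` list whose entries carry `name`, `nvd_score` and `nvd_severity`). The sample report is constructed, and the two `CVE-EXAMPLE-*` entries are placeholders, not real identifiers.

```python
"""Fail a build when a scan report contains findings at or above a severity.

Added example; assumes the report layout from the slide. Findings without
an NVD rating are treated as blocking so that the gate fails closed.
"""
import json

SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample in the slide's format; CVE-EXAMPLE-* are placeholders.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        {"name": "CVE-2017-8398",
         "description": "dwarf.c in GNU Binutils 2.28 is vulnerable to an invalid read ...",
         "nvd_score": 5, "nvd_score_version": "CVSS v2",
         "nvd_vectors": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "nvd_severity": "medium",
         "nvd_url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8398"},
        {"name": "CVE-EXAMPLE-0001", "description": "constructed high-severity entry",
         "nvd_score": 7.5, "nvd_severity": "high"},
        {"name": "CVE-EXAMPLE-0002", "description": "constructed entry with no NVD data yet"},
    ]
})


def evaluate_scan(report_json, fail_on="high", allowlist=()):
    """Return (passed, blocking). blocking lists (name, severity, score) for every
    finding rated at or above fail_on that is not explicitly allowlisted."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[fail_on]
    blocking = []
    for vuln in report.get("vulnerabilities", []):
        name = vuln.get("name", "<unnamed>")
        if name in allowlist:  # accepted risk, documented outside this script
            continue
        severity = str(vuln.get("nvd_severity", "")).lower()
        # Unknown severity maps to the threshold itself, i.e. it blocks.
        rank = SEVERITY_RANK.get(severity, threshold)
        if rank >= threshold:
            blocking.append((name, severity or "unknown", vuln.get("nvd_score")))
    return (not blocking, blocking)


if __name__ == "__main__":
    import sys
    ok, blocking = evaluate_scan(SAMPLE_REPORT)
    for name, severity, score in blocking:
        print(f"BLOCK {name} severity={severity} score={score}")
    sys.exit(0 if ok else 1)
```

Wire the exit status into the build so that an image with blocking findings is never pushed; keep the allowlist in version control so each accepted finding has an owner and an expiry.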
21. [INFO] 2 - Docker daemon configuration
[PASS] 2.1 - Ensure network traffic is restricted between containers on the default bridge
[PASS] 2.2 - Ensure the logging level is set to 'info'
[PASS] 2.3 - Ensure Docker is allowed to make changes to iptables
[PASS] 2.4 - Ensure insecure registries are not used
[PASS] 2.5 - Ensure aufs storage driver is not used
[INFO] 2.6 - Ensure TLS authentication for Docker daemon is configured
[INFO] * Docker daemon not listening on TCP
[INFO] 2.7 - Ensure the default ulimit is configured appropriately
[INFO] * Default ulimit doesn't appear to be set
26. Resource limits
--memory 2G: The maximum amount of memory the container can use
--memory-swap 2G: The amount of memory the container is allowed to swap to disk
--shm-size 64M: Size of /dev/shm
--cpus=1.5: How much of the available CPU resources a container can use
--cpuset-cpus=0,1,2: Limit the specific CPUs or cores a container can use
--gpus device=0,2: NVIDIA GPU access
--pids-limit: Limit the number of processes started inside the container
--ulimit <options>, e.g. --ulimit nproc=256:512
https://docs.docker.com/config/containers/resource_constraints/
40. User remapping #5
$ docker run --rm -ti -v /tmp:/tmp ubuntu bash
root@7b66cc086eb4:/# touch /tmp/aaa
root@7b66cc086eb4:/# ls -la /tmp/aaa
-rw-r--r-- 1 root root 0 Sep 22 10:13 /tmp/aaa
root@7b66cc086eb4:/# exit
$ ls -la /tmp/aaa
-rw-r--r-- 1 john users 0 Sep 22 12:13 /tmp/aaa
https://ilya-bystrov.github.io/posts/docker-daemon-remapping/
41. Don't use privileged mode
"Privileged mode enables access to all devices on the host as well as
set some configuration in AppArmor or SELinux to allow the container
nearly all the same access to the host as processes running outside
containers on the host."
42. Don't use the host's namespaces
$ docker run --userns=host -ti --rm -v /tmp:/tmp ubuntu bash
root@a78119823836:/# touch /tmp/hahaha
root@a78119823836:/# ls -la /tmp/hahaha
-rw-r--r-- 1 root root 0 Oct 3 10:08 /tmp/hahaha
root@a78119823836:/# exit
$ ls -la /tmp/hahaha
-rw-r--r-- 1 root root 0 Oct 3 12:08 /tmp/hahaha
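The two listings above (remapped daemon on slide 40, `--userns=host` on slide 42) differ only in how container uids are translated to host uids. The code below is an added example, not from the talk or from Docker, that models that translation the way the kernel's user namespace does it from `/etc/subuid`: container uid 0 lands at the start of the first subordinate range, further ranges are consumed in order, and anything outside all ranges has no host identity. The `subuid` entries and the `/etc/subuid` format are the real ones; the users and ranges in the sample are constructed.

```python
"""Model user-namespace uid translation as configured through /etc/subuid.

Added example, not Docker's code. The subuid sample below is constructed.
"""

# Constructed /etc/subuid content: "name:first_host_uid:count" per line.
SAMPLE_SUBUID = """\
# user:start:count
dockremap:100000:65536
john:165536:65536
"""


def parse_subid(text, user):
    """Return the [(host_start, count), ...] ranges granted to `user`.
    A user may own several lines; they are mapped in file order."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges


def container_to_host_uid(container_uid, ranges, userns_host=False):
    """Translate a uid seen inside the container to the uid the host sees.

    With --userns=host, or with no remapping configured, the mapping is the
    identity: container root is host root, which is exactly what the
    bind-mounted /tmp listing on slide 42 shows. With remapping, container
    uid 0 maps to the first subordinate range and the ranges are stacked.
    Returns None for a uid outside every range; the kernel then reports the
    overflow uid (65534, "nobody", by default) for such files.
    """
    if userns_host or not ranges:
        return container_uid
    offset = 0  # first container uid covered by the current range
    for host_start, count in ranges:
        if offset <= container_uid < offset + count:
            return host_start + (container_uid - offset)
        offset += count
    return None


if __name__ == "__main__":
    remap = parse_subid(SAMPLE_SUBUID, "dockremap")
    for uid in (0, 1000, 70000):
        print(f"container uid {uid} -> host uid "
              f"remapped={container_to_host_uid(uid, remap)} "
              f"userns=host={container_to_host_uid(uid, remap, userns_host=True)}")
```

The practical consequence is the one the slides demonstrate: a file a remapped container writes as root is owned on the host by an unprivileged subordinate uid, while the same write under `--userns=host` produces a root-owned file.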
45. Secrets in container
$ docker run --rm -ti -e SOME_PASSWORD=aaaa ubuntu bash
root@7b66cc086eb4:/# echo $SOME_PASSWORD
aaaa
root@7b66cc086eb4:/#
Environments are often logged!
# less /proc/29487/task/29487/environ
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin^@HOSTNAME=7b66cc086eb4^@TERM=xterm^@SOME_PASSWORD=aaaa^@HOME=/root
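The `environ` dump above is NUL-separated `NAME=value` pairs (`^@` is how `less` renders the NUL byte), and anything that copies it into a log or a crash report copies the password with it. The snippet below is an added example, not from the talk: it parses that format, flags variables whose names look like credentials, and produces a redacted copy suitable for logging. The environ blob is constructed from the values on the slide, and the secret-name pattern is an assumed heuristic.

```python
"""Parse a /proc/<pid>/environ blob and redact secret-looking variables.

Added example, not from the talk. SECRET_NAME is an assumed heuristic.
"""
import re

SECRET_NAME = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)

# Constructed environ blob in /proc/<pid>/environ form: NUL-separated NAME=value,
# mirroring the slide's output.
SAMPLE_ENVIRON = (
    b"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\0"
    b"HOSTNAME=7b66cc086eb4\0TERM=xterm\0SOME_PASSWORD=aaaa\0HOME=/root\0"
)


def parse_environ(blob):
    """Split an environ blob into a dict of NAME -> value (insertion ordered)."""
    env = {}
    for entry in blob.split(b"\0"):
        if not entry:
            continue  # trailing NUL leaves an empty entry
        name, sep, value = entry.partition(b"=")
        if sep:  # entries without '=' are malformed; skip rather than guess
            env[name.decode(errors="replace")] = value.decode(errors="replace")
    return env


def find_secrets(env):
    """Return the sorted names of variables that look like credentials."""
    return sorted(name for name in env if SECRET_NAME.search(name))


def redact(env, names=None):
    """Return a copy of env with the given (or detected) secret values masked,
    safe to write to a log line or a crash report."""
    names = set(find_secrets(env) if names is None else names)
    return {k: ("<redacted>" if k in names else v) for k, v in env.items()}


if __name__ == "__main__":
    env = parse_environ(SAMPLE_ENVIRON)
    print("secret-looking variables:", find_secrets(env))
    print("redacted:", redact(env))
```

The same parser works on `docker inspect` output once the `Config.Env` list is joined with NULs, which makes it a cheap check to run against every container a host is running.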
46. Secrets in config files in container
docker run -v /path/to/1.cfg:/etc/yourapp/1.cfg:ro yourimage
47. Docker secrets
Container orchestration systems offer some basic secret management
Kubernetes: secrets, configmaps (Namespaces, RBAC)
Docker Swarm: secrets
Not for a standalone docker installation :-(
Set up a single node swarm or k8s deployment :-)
https://www.hashicorp.com/resources/securing-container-secrets-vault
48. Elevating privileges
FROM ubuntu:latest
RUN apt-get update && \
    apt-get install -y sudo && \
    echo "sj ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/sj && \
    echo "sj:x:1000:100::/home/sj:/bin/bash" >> /etc/passwd
USER 1000
49. Elevating privileges #2
$ docker run --rm -ti aaa bash
sj@177cd44c70c0:/$ id
uid=1000(sj) gid=100(users) groups=100(users)
sj@177cd44c70c0:/$ sudo bash
root@177cd44c70c0:/# id
uid=0(root) gid=0(root) groups=0(root)
51. Elevating privileges #4
$ docker run --rm -ti aaa bash
sj@177cd44c70c0:/$ id
uid=1000(sj) gid=100(users) groups=100(users)
sj@177cd44c70c0:/$ sudo bash
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the
'nosuid' option set or an NFS file system without root privileges?
52. More daemon.json settings
{
"icc": false,
"userland-proxy": false,
…
}
icc: disable inter-container communication
userland-proxy: disable the userland proxy for loopback traffic
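A daemon.json is easy to get subtly wrong, and the CIS benchmark output on slide 21 only tells you after the fact. The auditor below is an added example, not from the talk or from Docker; it checks the two keys shown above together with other real daemon.json keys (`no-new-privileges`, `live-restore`, `userns-remap`, `hosts`, `tls`/`tlsverify`) against hardening expectations chosen for this example. The three configurations it inspects are constructed.

```python
"""Audit a daemon.json against a small set of hardening expectations.

Added example, not Docker's code. The key names are dockerd's real
daemon.json keys; the expected values are this example's policy.
"""
import json

# key -> (expected value, what goes wrong when it is left at the default)
EXPECTED = {
    "icc": (False, "containers on the default bridge can talk to each other freely"),
    "userland-proxy": (False, "docker-proxy processes handle loopback port traffic"),
    "no-new-privileges": (True, "setuid binaries such as sudo can still raise privileges"),
    "live-restore": (True, "running containers die when the daemon restarts for an update"),
}


def audit_daemon_json(text):
    """Return a list of findings; an empty list means every check passed.
    daemon.json is strict JSON, so a file with // comments fails to parse
    here exactly as it would fail to load in dockerd."""
    cfg = json.loads(text)
    findings = []
    for key, (want, why) in EXPECTED.items():
        if cfg.get(key) is not want:  # missing key means the (insecure) default
            findings.append(f"{key} should be {json.dumps(want)}: {why}")
    if not cfg.get("userns-remap"):
        findings.append("userns-remap is unset: container root is host root on bind mounts")
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not (cfg.get("tls") or cfg.get("tlsverify")):
        findings.append(f"daemon listens on {', '.join(tcp_hosts)} without TLS (CIS 2.6)")
    return findings


# Constructed configurations.
SLIDE_CONFIG = '{"icc": false, "userland-proxy": false}'
HARDENED_CONFIG = json.dumps({
    "icc": False, "userland-proxy": False, "no-new-privileges": True,
    "live-restore": True, "userns-remap": "default",
    "hosts": ["unix:///var/run/docker.sock"],
})
EXPOSED_CONFIG = json.dumps({
    "icc": False, "userland-proxy": False, "no-new-privileges": True,
    "live-restore": True, "userns-remap": "default",
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

if __name__ == "__main__":
    for label, cfg in (("slide", SLIDE_CONFIG), ("hardened", HARDENED_CONFIG),
                       ("exposed", EXPOSED_CONFIG)):
        print(label, audit_daemon_json(cfg) or ["ok"])
```

`no-new-privileges` is the daemon-wide counterpart of `docker run --security-opt no-new-privileges`, and it is one way to arrive at the `sudo: effective uid is not 0` result shown on slide 51 for every container on the host.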
53. Activity monitoring with sysdig/falco
Notify other systems or humans of abnormal behavior.
https://sysdig.com/opensource/falco/
54. Activity monitoring with sysdig/falco #2
***Action change_thread_namespace
Calling setns() to change namespaces...
***Action create_files_below_dev
Creating /dev/created-by-event-generator-sh...
***Action db_program_spawn_process
Becoming the program "mysql" and then running ls
***Action exec_ls
bin dev etc …
***Action exfiltration
Reading /etc/shadow and sending to 10.5.2.6:8197...
55. Activity monitoring with sysdig/falco #3
2019-10-03T13:17:21.968443650+0000: Notice Namespace change (setns) by unexpected program (user=root command=event_generator parent=<NA> <NA> (id=2f5a7b42362a) container_id=2f5a7b42362a image=<NA>)
2019-10-03T13:17:22.968679872+0000: Error File created below /dev by untrusted program (user=root command=event_generator file=/dev/created-by-event-generator-sh container_id=2f5a7b42362a image=sysdig/falco-event-generator)
2019-10-03T13:17:23.971571824+0000: Notice Database-related program spawned process other than itself (user=root program=ls parent=mysqld container_id=2f5a7b42362a image=sysdig/falco-event-generator)
2019-10-03T13:17:24.972983032+0000: Warning Sensitive file opened for reading by non-trusted program (user=root program=event_generator command=event_generator file=/etc/shadow parent=<NA> gparent=<NA> ggparent=<NA> gggparent=<NA> container_id=2f5a7b42362a image=sysdig/falco-event-generator)
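Falco's default text output, as shown above, is `<time>: <Priority> <rule output> (key=value ...)`, which is convenient to read but has to be parsed before anything can route it to a pager or a SIEM. The parser below is an added example, not from the talk and not Falco's own code: it splits each line into timestamp, priority, rule text and fields, filters by priority, and tallies events per container. The sample lines are the four alerts from the slide joined back onto single lines; the priority names are Falco's real syslog-style levels.

```python
"""Parse Falco text alerts and triage them by priority and container.

Added example, not Falco's code. Sample lines are the slide's four alerts.
"""
import re
from collections import Counter

# Falco priorities, most severe first (syslog levels).
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Informational", "Debug"]
RANK = {p: i for i, p in enumerate(PRIORITIES)}

LINE_RE = re.compile(r"^(?P<ts>\S+): (?P<prio>" + "|".join(PRIORITIES) + r") (?P<rest>.*)$")
# The output fields start at the first "(" that is directly followed by key=;
# this skips parentheses inside the rule text such as "(setns)".
FIELDS_START = re.compile(r" \((?=\w+=)")
PAIR_RE = re.compile(r"(\w+)=(\S+)")

SAMPLE_LINES = [
    "2019-10-03T13:17:21.968443650+0000: Notice Namespace change (setns) by unexpected program "
    "(user=root command=event_generator parent=<NA> <NA> (id=2f5a7b42362a) container_id=2f5a7b42362a image=<NA>)",
    "2019-10-03T13:17:22.968679872+0000: Error File created below /dev by untrusted program "
    "(user=root command=event_generator file=/dev/created-by-event-generator-sh container_id=2f5a7b42362a image=sysdig/falco-event-generator)",
    "2019-10-03T13:17:23.971571824+0000: Notice Database-related program spawned process other than itself "
    "(user=root program=ls parent=mysqld container_id=2f5a7b42362a image=sysdig/falco-event-generator)",
    "2019-10-03T13:17:24.972983032+0000: Warning Sensitive file opened for reading by non-trusted program "
    "(user=root program=event_generator command=event_generator file=/etc/shadow parent=<NA> gparent=<NA> "
    "ggparent=<NA> gggparent=<NA> container_id=2f5a7b42362a image=sysdig/falco-event-generator)",
]


def parse_falco_line(line):
    """Return {"time", "priority", "rule", "fields"} or None for a non-alert line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    split = FIELDS_START.search(rest)
    if split:
        rule, fields_text = rest[:split.start()], rest[split.end():]
    else:
        rule, fields_text = rest, ""
    # Values never contain spaces in Falco's default format; strip the
    # closing parenthesis that trails the last value (and nested ones).
    fields = {k: v.rstrip(")") for k, v in PAIR_RE.findall(fields_text)}
    return {"time": m.group("ts"), "priority": m.group("prio"), "rule": rule, "fields": fields}


def triage(lines, min_priority="Warning"):
    """Return (events at or above min_priority, most severe first; Counter per container)."""
    events = [e for e in map(parse_falco_line, lines)
              if e and RANK[e["priority"]] <= RANK[min_priority]]
    events.sort(key=lambda e: RANK[e["priority"]])  # stable: keeps time order within a level
    per_container = Counter(e["fields"].get("container_id", "<host>") for e in events)
    return events, per_container


if __name__ == "__main__":
    events, per_container = triage(SAMPLE_LINES)
    for e in events:
        print(e["priority"], e["rule"], e["fields"].get("file", ""))
    print(dict(per_container))
```

Two of the four sample alerts survive the `Warning` threshold: the file created under `/dev` and the read of `/etc/shadow`, both attributed to container `2f5a7b42362a`, which is the kind of per-container count that decides whether a single workload should be isolated.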