Testing Docker Images Security Bsides Manchester, August 2017

Upload: jose-manuel-ortega-candel

Post on 22-Jan-2018


Page 1: Testing Docker Images Security

Testing Docker Images Security

Bsides Manchester, August 2017

Page 2: Testing Docker Images Security

Jose Manuel Ortega

Software Engineer & Security Researcher

@jmortegac

jmortega.github.io

Page 3: Testing Docker Images Security

Agenda

● Introduction to Docker security

● Security best practices

● Tools for auditing Docker images

Page 4: Testing Docker Images Security

Docker

● “Docker containers wrap up a piece of software in a complete filesystem that contains everything it needs to run: code, runtime, system tools, system libraries – anything you can install on a server. This guarantees that it will always run the same, regardless of the environment it is running in.”

Page 5: Testing Docker Images Security

Docker Security

● Docker provides an additional layer of isolation, making your infrastructure safer by default.

● Makes the application lifecycle faster and easier, reducing risk in your applications.

Page 6: Testing Docker Images Security

Docker Security

● Docker uses several mechanisms for security:

○ Linux kernel namespaces

○ Linux Control Groups (cgroups)

○ The Docker daemon

○ Linux capabilities (libcap)

○ Linux security mechanisms like AppArmor or SELinux

Page 7: Testing Docker Images Security

Docker Security

● Namespaces: provide an isolated view of the system, where processes cannot see processes in other containers.

● Each container also gets its own network stack.

● A container doesn’t get privileged access to the sockets or interfaces of another container.

Page 8: Testing Docker Images Security

Docker Security

● Cgroups: kernel feature that limits and isolates the resource usage (CPU, memory, network) of a collection of processes.

● Linux Capabilities: divides the privileges of root into distinct units and smaller groups of privileges.

Page 9: Testing Docker Images Security

DockerHub

Page 10: Testing Docker Images Security

Dockerfile (recovering one from an existing image with dockerfile-from-image): https://github.com/CenturyLinkLabs/dockerfile-from-image

Page 11: Testing Docker Images Security

Docker images

● Images are extracted in a chrooted subprocess, the first step in a wider effort toward privilege separation.

● Since Docker 1.10, all images and layers are stored and addressed by the SHA256 digest of their contents, which limits an attacker's ability to cause a collision with an existing image.

Page 12: Testing Docker Images Security

Docker Content Trust

● Protects against untrusted images

● Can enable signing checks on every managed host

● Signature verification transparent to users

● Guarantees integrity of your images when pulled

● Provides trust from publisher to consumer

● export DOCKER_CONTENT_TRUST=1

● ~/.docker/trust/trusted-certificates/

Page 13: Testing Docker Images Security

Security Best Practices

Page 14: Testing Docker Images Security

DockerFile Security

● Do not write secrets (usernames and passwords) into the Dockerfile.

● Remove unnecessary setuid and setgid permissions (privilege escalation vector).

● Download packages securely, verifying GPG signatures and TLS certificates.

● Try to restrict an image or container to one service.
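The four rules above can be checked mechanically before an image is built. The following is an added example written for this page; it is not the speaker's code and not part of Lynis or any other tool named in the talk. It parses a Dockerfile, flags secret-looking ENV/ARG values, base images that are not pinned (no tag, `latest`, or no digest), downloads piped straight into a shell or fetched with TLS verification disabled, remote ADD sources that cannot be checksum-verified, and USER root or a missing USER. The two Dockerfiles embedded in it are constructed samples, and the rule names are this example's own.

```python
"""Dockerfile security audit (added example; not code from the talk or from any tool it names)."""
import re

# Constructed sample: trips the secret, base-image, download and root-user rules.
SAMPLE_DOCKERFILE = """\
FROM ubuntu:latest
ENV DB_PASSWORD=hunter2
RUN curl -sSL https://example.invalid/install.sh | sh
ADD https://example.invalid/tool.tar.gz /opt/
RUN apt-get update && apt-get install -y nginx \\
    && rm -rf /var/lib/apt/lists/*
EXPOSE 80
USER root
CMD ["nginx", "-g", "daemon off;"]
"""

# Constructed sample that follows the slide's rules (digest is a placeholder, not a real image).
CLEAN_DOCKERFILE = (
    "FROM alpine@sha256:" + "0" * 64 + "\n"
    "RUN apk add --no-cache nginx\n"
    "USER nginx\n"
    'CMD ["nginx", "-g", "daemon off;"]\n'
)

SECRET_KEY = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.I)
DIGEST_PIN = re.compile(r"@sha256:[0-9a-f]{64}$")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba)?sh\b")
TLS_DISABLED = re.compile(r"(?:^|\s)(--insecure|-k|--no-check-certificate)(?:\s|$)")


def parse_instructions(text):
    """Yield (INSTRUCTION, argument) pairs; joins backslash continuations and skips comments."""
    joined = re.sub(r"\\\r?\n", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        argument = parts[1].strip() if len(parts) > 1 else ""
        yield parts[0].upper(), argument


def image_tag(image):
    """Return the tag of an image reference, or None (a registry port is not a tag)."""
    last = image.rsplit("/", 1)[-1]
    return last.split(":", 1)[1] if ":" in last else None


def audit_dockerfile(text):
    """Return a list of (rule, detail) findings for one Dockerfile, in file order."""
    findings = []
    user_seen = False
    for instr, arg in parse_instructions(text):
        if instr == "FROM":
            image = arg.split()[0]  # drop "AS <stage>"
            if image.lower() != "scratch" and not DIGEST_PIN.search(image):
                unpinned = image_tag(image) in (None, "latest")
                findings.append(("unpinned-base-image" if unpinned else "base-image-not-digest-pinned", image))
        elif instr in ("ENV", "ARG"):
            key = re.split(r"[=\s]", arg, maxsplit=1)[0]
            if SECRET_KEY.search(key) and len(arg) > len(key):
                findings.append(("hardcoded-secret", key))  # the value ends up in the image history
        elif instr == "RUN":
            if PIPE_TO_SHELL.search(arg):
                findings.append(("pipe-to-shell", arg))
            if TLS_DISABLED.search(arg):
                findings.append(("tls-verification-disabled", arg))
        elif instr == "ADD":
            src = arg.split()[0]
            if src.startswith(("http://", "https://")):
                findings.append(("remote-add-unverified", src))  # no checksum or signature check
        elif instr == "USER":
            user_seen = True
            if arg.split(":")[0] in ("root", "0"):
                findings.append(("runs-as-root", arg))
    if not user_seen:
        findings.append(("no-user-instruction", "process runs as root by default"))
    return findings


if __name__ == "__main__":
    for rule, detail in audit_dockerfile(SAMPLE_DOCKERFILE):
        print(f"{rule:30s} {detail}")
    print("clean file findings:", audit_dockerfile(CLEAN_DOCKERFILE))
```

Run it against a real Dockerfile with `audit_dockerfile(open("Dockerfile").read())`; a non-empty result is a reasonable build-breaking condition. The digest check is deliberately strict: a tag such as `ubuntu:16.04` is still mutable, so it is reported separately from `latest`.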

Page 15: Testing Docker Images Security

Security best practices

● To disable setuid rights, add the following to the Dockerfile of your image

Page 16: Testing Docker Images Security

Security best practices

● Don’t run containers with the --privileged flag.

● --privileged gives the container all capabilities and also lifts the device, seccomp and AppArmor restrictions Docker normally applies, so the container is close to root on the host.

● docker run --privileged ...

● docker run --cap-drop=ALL --cap-add=CAP_NET_ADMIN ...

Page 17: Testing Docker Images Security

Security best practices capabilities

● How do we add/remove capabilities?

● Use cap-add and cap-drop with docker run/create

● Drop all capabilities which are not required

● docker run --cap-drop ALL --cap-add $CAP

Page 18: Testing Docker Images Security

Security best practices capabilities

● Manual management within the container: docker run --cap-add ALL

● Restricted capabilities with root: docker run --cap-drop ALL --cap-add $CAP

● No capabilities: docker run --user
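The three configurations above are visible from inside the container as the `Cap*` masks in `/proc/1/status`. The following is an added example for this page, not the speaker's code and not part of Docker: it decodes those hex masks into capability names using the kernel's numbering, builds the mask that `--cap-drop ALL --cap-add <caps>` should produce, and reports anything beyond an allow-list. The `/proc/1/status` excerpt is constructed; the value `00000000a80425fb` is Docker's default capability set for a root container, and `0000003fffffffff` is what `--privileged` yields on a kernel with 38 capabilities.

```python
"""Decode /proc/<pid>/status capability masks (added example; not the talk's code or Docker's)."""

# Capability numbers from include/uapi/linux/capability.h; list index == bit number.
CAPABILITIES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ",
]

# Docker's default capability set for a root container ("restricted capabilities with root").
DOCKER_DEFAULT_CAPS = {
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW", "SETGID",
    "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL",
    "AUDIT_WRITE",
}

# Constructed excerpt of `grep Cap /proc/1/status` inside a default `docker run` as root.
SAMPLE_STATUS_DEFAULT = """\
Name:\tnginx
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""


def parse_proc_status(text):
    """Return the Cap* fields of a /proc/<pid>/status dump as {field: hex string}."""
    caps = {}
    for line in text.splitlines():
        if line.startswith("Cap"):
            key, _, value = line.partition(":")
            caps[key] = value.strip()
    return caps


def decode_caps(hex_mask):
    """Translate a CapEff/CapBnd hex mask into the set of capability names it grants."""
    mask = int(hex_mask, 16)
    names = {name for bit, name in enumerate(CAPABILITIES) if mask >> bit & 1}
    if mask >> len(CAPABILITIES):  # newer kernel than this table knows about
        names.add("UNKNOWN_BITS_ABOVE_%d" % (len(CAPABILITIES) - 1))
    return names


def encode_caps(names):
    """Inverse: the mask that `--cap-drop ALL --cap-add <names>` should leave in CapEff."""
    mask = 0
    for name in names:
        name = name.upper()
        if name.startswith("CAP_"):
            name = name[4:]
        mask |= 1 << CAPABILITIES.index(name)
    return mask


def excess_caps(hex_mask, allowed):
    """Capabilities present in the mask that the allow-list does not permit."""
    return decode_caps(hex_mask) - {a.upper() for a in allowed}


if __name__ == "__main__":
    eff = parse_proc_status(SAMPLE_STATUS_DEFAULT)["CapEff"]
    print("default root container:", sorted(decode_caps(eff)))
    print("beyond NET_BIND_SERVICE:", sorted(excess_caps(eff, {"NET_BIND_SERVICE"})))
    print("--cap-drop ALL --cap-add NET_ADMIN -> CapEff %016x" % encode_caps(["NET_ADMIN"]))
    print("--privileged:", len(decode_caps("0000003fffffffff")), "capabilities")
```

Paste the real output of `grep Cap /proc/1/status` from a running container into `parse_proc_status` to confirm that a `--cap-drop ALL --cap-add $CAP` run really ends up with only `$CAP`, and that a `--user` run has an empty `CapEff` even though `CapBnd` is still populated.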

Page 19: Testing Docker Images Security

Security best practices capabilities

Page 20: Testing Docker Images Security

Security best practices

● Set a specific user.

● Don’t run your applications as root in containers.

Page 21: Testing Docker Images Security

Security best practices

● We can verify the integrity of the image

● Checksum validation when pulling an image from Docker Hub

● Pulling by digest to enforce consistent
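A tag is a mutable pointer; a digest names the exact manifest bytes, which is why pulling by `image@sha256:<hex>` gives the consistency the slide asks for. The following is an added example for this page, not the speaker's code and not Docker's own implementation: it parses an image reference (distinguishing a registry port from a tag), recomputes the registry content digest as SHA256 over the manifest bytes as served, and accepts or rejects the manifest against the pinned digest. The manifest is a constructed sample with placeholder layer digests, not a real registry response.

```python
"""Pull-by-digest verification (added example; not the talk's code or Docker's)."""
import hashlib
import json
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed schema2-style manifest, standing in for the bytes a registry returns (not a real image).
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
               "size": 1469, "digest": "sha256:" + "11" * 32},
    "layers": [{"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
                "size": 2207148, "digest": "sha256:" + "22" * 32}],
}, indent=3).encode()


def parse_reference(ref):
    """Split 'registry:port/name:tag@sha256:hex' into parts; a port in the host is not a tag."""
    name, _, digest = ref.partition("@")
    tag = None
    if ":" in name.rsplit("/", 1)[-1]:
        name, tag = name.rsplit(":", 1)
    return {"name": name, "tag": tag, "digest": digest or None}


def manifest_digest(manifest_bytes):
    """Registry content digest: SHA256 over the exact bytes served (re-serialising the JSON changes it)."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


def verify_manifest(ref, manifest_bytes):
    """True when the served manifest hashes to the digest pinned in ref; error if ref is not pinned."""
    pinned = parse_reference(ref)["digest"]
    if pinned is None or not DIGEST_RE.match(pinned):
        raise ValueError("reference is not pinned by a sha256 digest: " + ref)
    return manifest_digest(manifest_bytes) == pinned


def pin_reference(ref, manifest_bytes):
    """Rewrite a tag reference as the digest reference to use in FROM or `docker pull`."""
    parts = parse_reference(ref)
    return "%s@%s" % (parts["name"], manifest_digest(manifest_bytes))


if __name__ == "__main__":
    pinned = pin_reference("registry.example.invalid:5000/team/app:1.2", SAMPLE_MANIFEST)
    print("pull by digest:", pinned)
    print("verifies:", verify_manifest(pinned, SAMPLE_MANIFEST))
    # A single changed layer digest in the served manifest fails verification.
    tampered = SAMPLE_MANIFEST.replace(b"22" * 32, b"33" * 32)
    print("tampered:", verify_manifest(tampered and pinned, tampered))
```

In practice the bytes to hash are the body of `GET /v2/<name>/manifests/<tag>` with the `Accept` header set to the schema2 media type, and the `Docker-Content-Digest` response header should equal `manifest_digest()` of that body. The digest pins the manifest only; each layer is in turn verified against the digest listed inside the manifest when it is downloaded.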

Page 22: Testing Docker Images Security

Security best practices

● Check packages installed in the container

Page 23: Testing Docker Images Security

Docker security is about limiting and controlling the attack surface on the kernel.

Page 24: Testing Docker Images Security

Docker least privileges

● Do not run processes in a container as root, so that an attacker who compromises the process does not get root.

● Enable user namespaces (userns-remap), which are disabled by default, so root inside the container maps to an unprivileged uid on the host.

● Run filesystems read-only so that attackers cannot overwrite data or save malicious scripts into the container.

● Cut down the kernel calls a container can make (seccomp profile) to reduce the potential attack surface.

● Limit the resources a container can use (cgroups) and confine it with SELinux/AppArmor.

Page 25: Testing Docker Images Security

Containers and volumes read-only


Page 26: Testing Docker Images Security

Checklist Dockerfile

Page 27: Testing Docker Images Security

Checklist building/maintaining/consuming

Page 28: Testing Docker Images Security

AUDITING

TOOLS

Page 29: Testing Docker Images Security

Docker images scanning

● You can scan your images for known vulnerabilities

● There are tools for that, like Docker Security Scanning, Docker Bench Security and CoreOS Clair

● Find known vulnerable binaries

Page 30: Testing Docker Images Security

Docker Security Scanning

https://docs.docker.com/docker-cloud/builds/image-scan/

● Checks based on best practices for hosts and containers

● Find Common Vulnerabilities and Exposures (CVEs)

Page 31: Testing Docker Images Security

Docker Security Scanning

● Checks each image layer against the CVE database

● Binary scanning of all components in the image, including statically linked binaries

● Analyses libraries statically compiled into the image

● Generates a report showing whether there are CVEs in the libraries inside the image

Page 32: Testing Docker Images Security

Docker Security Scanning


Page 33: Testing Docker Images Security

Docker Security Scanning

Page 34: Testing Docker Images Security

Docker CVE database: https://www.docker.com/docker-cve-database

Page 35: Testing Docker Images Security

Security pipeline

Page 36: Testing Docker Images Security

Clair (Container Vulnerability Analysis Service)

https://github.com/coreos/clair

Vulnerability Static Analysis for Containers

Page 37: Testing Docker Images Security

Clair use cases

● You've found an image by searching the internet and want to determine if it's safe enough for you to use in production.

● You're regularly deploying into a containerized production environment and want operations to alert on or block deployments of insecure software.

Page 40: Testing Docker Images Security

Docker Bench Security

https://github.com/docker/docker-bench-security

Checks based on best practices for hosts and containers

Page 41: Testing Docker Images Security

Docker bench security

● Open-source tool for running automated tests

● Inspired by the CIS Docker 1.11 benchmark

● Runs against containers currently running on the same host

● Checks for AppArmor, read-only volumes, etc.

Page 43: Testing Docker Images Security

Docker bench security

Page 44: Testing Docker Images Security

Docker bench security

● The host configuration

● The Docker daemon configuration

● The Docker daemon configuration files

● Container images and build files

● Container runtime

● Docker security operations

Page 45: Testing Docker Images Security

Docker bench security

● The Docker daemon configuration

  [WARN] 2.1 - Restrict network traffic between containers
  [WARN] 4.1 - Create a user for the container
  [WARN]     * Running as root:
  [WARN] 5.4 - Restrict Linux Kernel Capabilities within containers
  [WARN]     * Capabilities added: CapAdd=[audit_control]
  [WARN] 5.13 - Mount container's root filesystem as readonly
  [WARN]     * Container running with root FS mounted R/W:
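The output above is plain text, so the usual next step is to parse it and fail a pipeline when a chosen set of checks comes back WARN. The following is an added example for this page, not the speaker's code and not part of docker-bench-security: it turns the `[WARN]`/`[PASS]`/`[INFO]` check lines and their indented `*` detail lines into structured findings, counts them, groups warnings by benchmark section, and gates on a required set of check ids. The sample output is constructed from the warnings quoted on the slide, with container names added for illustration.

```python
"""Parse docker-bench-security output for CI gating (added example; not the tool's own code)."""
import re
from collections import Counter

# Constructed sample modelled on the slide's warnings; container names are made up.
SAMPLE_OUTPUT = """\
[INFO] 2 - Docker daemon configuration
[WARN] 2.1  - Restrict network traffic between containers
[PASS] 2.2  - Set the logging level
[INFO] 4 - Container Images and Build File
[WARN] 4.1  - Create a user for the container
[WARN]      * Running as root: webapp
[WARN]      * Running as root: db
[INFO] 5 - Container Runtime
[WARN] 5.4  - Restrict Linux Kernel Capabilities within containers
[WARN]      * Capabilities added: CapAdd=[audit_control] to webapp
[WARN] 5.13 - Mount container's root filesystem as read only
[WARN]      * Container running with root FS mounted R/W: webapp
[PASS] 5.14 - Restrict on-failure container restart policy to 5
[NOTE] 1.1  - Ensure a separate partition for containers has been created
"""

CHECK_RE = re.compile(r"^\[(?P<status>INFO|WARN|PASS|NOTE)\]\s+(?P<id>\d+(?:\.\d+)?)\s+-\s+(?P<title>.*)$")
DETAIL_RE = re.compile(r"^\[(?P<status>\w+)\]\s+\*\s+(?P<detail>.*)$")


def parse_bench(text):
    """Return one {status, id, title, details} dict per numbered check line."""
    checks = []
    for line in text.splitlines():
        m = CHECK_RE.match(line)
        if m:
            checks.append({"status": m["status"], "id": m["id"], "title": m["title"], "details": []})
            continue
        m = DETAIL_RE.match(line)
        if m and checks:
            checks[-1]["details"].append(m["detail"])  # '*' lines belong to the preceding check
    return checks


def summarize(checks):
    """Count checks by status; section headers such as '2 - ...' are INFO lines."""
    return Counter(c["status"] for c in checks)


def warnings_by_section(checks):
    """Group WARN check ids by benchmark section: {'5': ['5.4', '5.13'], ...}."""
    grouped = {}
    for c in checks:
        if c["status"] == "WARN":
            grouped.setdefault(c["id"].split(".")[0], []).append(c["id"])
    return grouped


def gate(checks, required):
    """Ids from `required` that came back WARN; a non-empty result means the build should fail."""
    warned = {c["id"] for c in checks if c["status"] == "WARN"}
    return sorted(warned & set(required), key=lambda s: [int(x) for x in s.split(".")])


if __name__ == "__main__":
    checks = parse_bench(SAMPLE_OUTPUT)
    print(dict(summarize(checks)))
    print(warnings_by_section(checks))
    failing = gate(checks, {"4.1", "5.4", "5.13"})
    print("blocking findings:", failing)
    for c in checks:
        if c["id"] in failing:
            print(" ", c["id"], c["title"], "->", c["details"])
```

Feed it the real run with `parse_bench(subprocess.run([...], capture_output=True, text=True).stdout)`; the check ids that matter for images (section 4) and runtime (section 5) map directly onto the slide's best practices: a non-root USER, dropped capabilities and a read-only root filesystem.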


Page 47: Testing Docker Images Security

Docker Slim

https://github.com/docker-slim/docker-slim

Optimize and secure your Docker containers

Page 48: Testing Docker Images Security

Other tools

● OpenSCAP Container Compliance

● Lynis

● Twistlock

● Dockscan

● Aqua Security

● Dagda

Page 49: Testing Docker Images Security

Tool      | Audits                                          | Platforms
OpenSCAP  | Images and containers                           | RedHat/Fedora/CentOS based containers
Clair     | Images and containers                           | Debian/Ubuntu/CentOS based containers
Lynis     | Dockerfile                                      | Linux and Unix based systems
TwistLock | Images, containers, packages; Kubernetes, Mesos | Linux and Unix based systems
DockScan  | Docker server                                   | Docker and container installations

Page 50: Testing Docker Images Security

Lynis

● Lynis is a Linux, Mac and Unix security auditing and system hardening tool that includes a module to audit Dockerfiles.

● lynis audit dockerfile <file>

Page 51: Testing Docker Images Security

● https://github.com/CISOfy/lynis-docker

Page 52: Testing Docker Images Security

Dagda

● Static analysis of known vulnerabilities in Docker containers

● Allows monitoring Docker containers to detect anomalous activities

Page 53: Testing Docker Images Security

Dagda dependencies

● Python 3

● MongoDB

● PyMongo

● Requests

● Python-dateutil

● Joblib

● Docker-py

● Flask

● Flask-cors

● PyYAML

Page 54: Testing Docker Images Security

● python3 dagda.py check --docker_image <image_name>

● python3 dagda.py history <image_name> --id <Id_Scan>

Page 57: Testing Docker Images Security

Conclusions

● Signing: secure and sign your source

● Dependencies: pin and verify your dependencies

● Content Trust: sign your artifacts with Docker Content Trust

● Privileges: least-privilege configurations

Page 59: Testing Docker Images Security

References

● Docker Content Trust: https://docs.docker.com/engine/security/trust/content_trust

● Docker Security Scanning: https://docs.docker.com/docker-cloud/builds/image-scan

● https://blog.docker.com/2016/04/docker-security

● http://softwaretester.info/docker-audit/

Page 60: Testing Docker Images Security

Books