Using Open Source Tools to Secure Containers and Clouds
Derek Thurston @derekthurston
Nirmal Mehta @normalfaults
Booz Allen Open Tech
@boozallen
About Derek
- Started working with open source in 1997 with Red Hat Linux 4.x.
- I have been an advocate for Open Source since that day.
- I have worked on a wide variety of projects for both government and commercial businesses.
- Love playing board and video games
- Constantly looking for a way to innovate everything!
- IANASE (I Am Not A Security Expert)
@derekthurston @normalfaults
About Nirmal
- 7 years of system integration in Government IT systems
- Manually STIG'd 100s of systems in multiple environments (still recovering)
Red Hat Innovation Award 2013
I enjoy:
- Automating all the things
- PC Gaming
- Hacking
- Getting excited about new technology
- Docker
- Learning Go
- Pythonista
Booz Allen Open Tech
Booz Allen Open Tech
Open Source continues to drive the latest information technology trends, making a significant impact on Cloud, Big Data, and IoT.
Booz Allen has been active in driving open standards, architectures, data, and technology for some time, and it has now formalized its commitment by creating BOT: Booz Allen Open Tech.
BOT is a specialized practice focused on:
- Acceleration: building and contributing to open technology
- Application: helping clients effectively and securely use Open Source
- Assembly: applying the latest framework and technologies to build open systems
Why are we here?
How devastating would it be if your identity were stolen?
What if someone drained your bank account today?
What about your family's identities?
Open Source software can help
- Why Open Source?
- Security Foundations
- Using OpenSCAP for maintaining security
- Container security
- Docker image governance/provenance
- Secrets in containers with Keywhiz
- Proactive monitoring and management
Why Open Source software?
- Evolution through community (OpenSSL/TLS vs S2N)
- Transparency
- Cost
- Value is in heuristics and analysis
Security Foundations
- Protect! Encrypt, Patch, Layers of Defense, Educate, Secure
- Automate! Deployments, Event management, Infrastructure (as code)
- Test! Code, Infrastructure, Backups
Using OpenSCAP for maintaining security
Security Content Automation Protocol (SCAP) was created to standardize the approach to automatically verifying:
- the presence of patches
- system security configuration settings
- signs of compromise on a system
OpenSCAP supports the following formats: XCCDF, OVAL®, Asset Identification (ver. 1.1), ARF, CCE™, CPE™, CVE®, CVSS
Using OpenSCAP for maintaining security
Why OpenSCAP?
- OpenSCAP provides the ability to monitor, maintain, and remediate your container or instance's security posture
- OpenSCAP can be run from the command line! \o/
- The community! The OpenSCAP community, the related projects, and the security compliance communities make it easy to use OpenSCAP
- You get PAT... Protect, Automate, Test
Using OpenSCAP for maintaining security (Demo)
OpenSCAP is made of:
- Library – the OpenSCAP library is the API
- Toolkit – oscap is a command line tool
- SCE – the Script Check Engine (run your bash or whatever scripts!)
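An SCE check script as oscap drives it, added here as an example (it is not from the deck or the GovReady demo scripts): oscap exports the XCCDF_RESULT_* result codes as environment variables when it runs an SCE script and reads the script's exit status as the rule result. The check verifies that SELinux is enforcing, the setting the container-security slides ask for; the enforce-flag path is a parameter so the check can be exercised against a constructed file.

```shell
#!/bin/sh
# SCE check script: is SELinux enforcing? Added example, not from the deck or
# the GovReady demo. oscap exports the XCCDF_RESULT_* codes as environment
# variables when it runs an SCE script and takes the exit status as the rule
# result; the numeric fallbacks are the values OpenSCAP documents, so the
# function also works outside oscap.
PASS=${XCCDF_RESULT_PASS:-101}
FAIL=${XCCDF_RESULT_FAIL:-102}
ERROR=${XCCDF_RESULT_ERROR:-103}
NOT_APPLICABLE=${XCCDF_RESULT_NOT_APPLICABLE:-105}

# selinux_enforcing_status ENFORCE_FILE
# ENFORCE_FILE is the kernel's enforce flag, normally /sys/fs/selinux/enforce:
# "1" enforcing, "0" permissive, absent when SELinux is not loaded at all.
# Prints a one-line reason and returns the matching XCCDF result code.
selinux_enforcing_status() {
  enforce_file=$1
  if [ ! -r "$enforce_file" ]; then
    echo "SELinux not loaded ($enforce_file missing): rule not applicable" >&2
    return "$NOT_APPLICABLE"
  fi
  mode=$(cat "$enforce_file")
  case "$mode" in
    1)
      echo "SELinux is enforcing"
      return "$PASS" ;;
    0)
      echo "SELinux is permissive: run 'setenforce 1' and set SELINUX=enforcing in /etc/selinux/config" >&2
      return "$FAIL" ;;
    *)
      echo "unexpected enforce value '$mode'" >&2
      return "$ERROR" ;;
  esac
}

# When executed as the check script named in the XCCDF rule (selinux_enforcing.sh),
# evaluate the live system and hand the verdict to oscap via the exit status.
case "$0" in
  *selinux_enforcing.sh)
    selinux_enforcing_status /sys/fs/selinux/enforce
    exit $? ;;
esac
```

In the XCCDF benchmark the rule references the script with `<check system="http://open-scap.org/page/SCE"><check-content-ref href="selinux_enforcing.sh"/></check>`, and `oscap xccdf eval` maps the exit status to pass/fail/notapplicable in the report.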
Using OpenSCAP for maintaining security (Demo)
We have containerized our demo of OpenSCAP using the GovReady scripts:

```shell
git clone https://github.com/normalfaults/docker-oscap-demo
cd docker-oscap-demo
docker build -t docker-oscap-demo .
docker run -it docker-oscap-demo /bin/bash /root/govready.sh
docker cp <container-id>:/myfisma <local directory>
```

Open the local directory and view the report in a browser.
Using OpenSCAP for maintaining security (Demo)
OpenSCAP Related Projects
- https://bugs.centos.org/view.php?id=8178 (CPE definitions are wrong)
- scap-workbench
  - yum install epel-release.noarch
  - yum install scap-workbench
  - yum install scap-security-guide
Container security (the quick stuff)
Use TLS for communication between the Docker Engine and clients
AppArmor <- built into docker
- is in the upstream Kernel as of 2.6.36
- Distros that include AppArmor: Annvix, Arch Linux, Debian, Gentoo, Mandriva, openSUSE, Pardus Linux, PLD, Ubuntu
SELinux <- built into docker
- --selinux flag on Docker Daemon
- setenforce 1 (http://stopdisablingselinux.com/)
Only trusted users should be allowed to control your Docker daemon
Don’t run as root in container (will be fixed in future release of Docker)
Run up-to-date kernel
Container security (Demo)
Docker CIS benchmark - demo run
https://github.com/docker/docker-bench-security
https://dockerbench.com
Immutable containers recycle in groups
- compromised application connections are dropped
- Go: statically linked language, no shell, no ssh
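A build-time audit for two of the points from the "quick stuff" slide and the immutable-container slide above (no root inside the container, no SSH daemon baked into the image), added here as an example; it is not part of the deck or of docker-bench-security, which checks the host and daemon rather than the Dockerfile. It assumes standard USER/RUN/CMD/ENTRYPOINT instructions; the sample Dockerfiles in the test are constructed.

```shell
#!/bin/sh
# Dockerfile audit (added example, not from the deck or docker-bench-security).
# Checks two rules at build time:
#   1. the container must not run as root ("Don't run as root in container")
#   2. no SSH daemon in the image (immutable containers: replace, don't log in)
# dockerfile_audit PATH -> prints one finding per line, returns the finding count
dockerfile_audit() {
  df=$1
  findings=0

  # The last USER instruction wins. None at all, or root / UID 0 (with or
  # without a group part), means the entrypoint runs as root.
  last_user=$(awk 'toupper($1) == "USER" { u = $2 } END { print u }' "$df")
  case "$last_user" in
    ""|root|0|root:*|0:*)
      echo "$df: process runs as root (USER is '${last_user:-unset}'); add a non-root USER"
      findings=$((findings + 1)) ;;
  esac

  # Installing or launching sshd contradicts the recycle-in-groups model: a
  # compromised container is thrown away, nobody needs a shell inside it.
  if grep -Eiq '^(RUN|CMD|ENTRYPOINT)[[:space:]].*(openssh-server|sshd)' "$df"; then
    echo "$df: image installs or starts an SSH daemon; remove it"
    findings=$((findings + 1))
  fi

  return "$findings"
}

# When executed as dockerfile_audit.sh, audit the given (or current) Dockerfile
# and fail the build on any finding.
case "$0" in
  *dockerfile_audit.sh)
    dockerfile_audit "${1:-Dockerfile}"
    exit $? ;;
esac
```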
Docker image governance/provenance
The Notary project comprises a server and a client for running and interacting with trusted collections.
With Notary, publishers can sign their content offline using keys kept highly secure. Once the publisher is ready to make the content available, they can push their signed trusted collection to a Notary Server.
Sign Docker images, establish provenance
https://github.com/docker/notary
Secrets in containers with Keywhiz
Keywhiz is a system for managing and distributing secrets.
Every organization has services or systems that require secrets. Secrets like: TLS certificates/keys, GPG keys, API tokens, database credentials
Common practices include putting secrets in config files next to code or copying files to servers out-of-band. The former is likely to be leaked and the latter difficult to track.
Keywhiz servers in a cluster centrally store secrets encrypted in a database.
Clients use mutually authenticated TLS (mTLS) to retrieve secrets they have access to. Authenticated users administer Keywhiz via CLI or web app UI.
To enable workflows, Keywhiz has automation APIs over mTLS and support for simple secret generation plugins.
https://github.com/square/keywhiz-fs
Proactive monitoring and management
cAdvisor (native support for docker) https://github.com/google/cadvisor
Elastic, Kibana, Logstash (ELK) https://www.elastic.co/
Nagios https://www.nagios.org
prometheus http://prometheus.io/
sensu https://sensuapp.org/
sysdig http://www.sysdig.org
The assimilation project http://assimproj.org
Proactive monitoring and management
Test your code for vulnerabilities
- Brakeman Rails security scanner http://brakemanscanner.org/
- Open Web Application Security Project (OWASP) https://www.owasp.org/
  - Lots of tools here!
- FindBugs – for Java http://findbugs.sourceforge.net
Cloud Application Security Brokers
- Sit between your gateway and the cloud gateway
- security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention
- Is this a gap in Open Source?
Please talk to us!
@derekthurston @normalfaults