How secure is your Docker Container pipeline?

How secure is your container pipeline?
Manideep Konakandla
www.manideepk.com (@manideep_k1)
Feb 22, 2017

2
Who am I? Hmm, yeah - Shameless Bragging
• J.N Tata Scholar, ISC2 Scholar, RSA Conference Security Scholar etc.
• Masters Student (Graduating in May’17) + Security Researcher at CMU
• Authored a book on Info Sec & Ethical Hacking at the age of 21
• Featured in INDIA’s largest news papers and news channels
• 10 certifications + Trained 15,000+ people in Information Security
• Ex “Team Lead – Core Security & Data Analytics” at TCS
• Interest areas : Container Security, Application Security, System Security etc.
More details about me on www.manideepk.com

3
What am I up to with Containers?
• Co-author, Contributor for CIS Docker 1.12 & 1.13 benchmarks
• Extensive research at Carnegie Mellon (CMU)
• Presented findings at OWASP AppsecUSA, Bsides SF, RSA (Poster), Grehack etc.
• Cloud Security Research Intern @Adobe last Summer

4
Security skills can be taught
but
Security mindset comes only with passion

6
What are we doing for next 40 mins?
 A.B.C.D….
• Containers in 45 seconds
• Container Pipeline, Risk Areas and our Scope
 Security
• Images
• Runtime
• Other components
• Enterprise zone
 Misc.
 Wrap up

7
What are we doing for next 40 mins?
 A.B.C.D….
 Security
• Images
• Runtime
• Enterprise zone
 Misc.
 Wrap up

8
Quick “60 second” Intro
Containers?
 Lightweight
 Application centric
 No more - “it works on my machine”
 Micro-services
Namespaces : Isolation (PID, User, Network, IPC,
Mount, UTS)
Cgroups : Isolates, limits and accounts resource
usage (CPU, memory etc.)
BUZZ……….!
Are containers
brand new?
Img Ref: www.docker.com
Containers in 45 seconds

9
Client <=> daemon
communication
Communication with public/private registry
Registry’s security
Host security Daemon security
Containers Images
Container Pipeline, Risk Areas and our Scope
Ref: Modified version of image on www.docker.com

10
What’s next?
 A.B.C.D….
 Security
• Images
• Runtime
• Enterprise zone
 Misc.
 Wrap up

11
Client <=> daemon
communication
Containers Images

12
Life cycle of an “Image”
Build Spin
Dockerfile Image Container
Maintaining images

13
Security in “Dockerfile” - Golden Rules
• Do not write secrets in Dockerfile (Info Disclosure - Twitter’s Vine). Use secret
management solutions
• Create a USER or else container will run as a root (Privilege escalation)
• Follow version pinning for images, packages (no ‘latest’) etc. (Caching Issue)
• Remove unnecessary setuid, setgid permissions (Privilege escalation)
• Download packages securely using GPG (MITM) and also do not download
unnecessary packages (Increased attack surface)
• Do not write any kind of update instructions alone in the Dockerfile (Caching)
• Use COPY instead of ADD (Increased attack surface)
• Use HEALTHCHECK command (Best practice)
• Use gosu instead of sudo wherever possible
• Try to restrict a image (/container) to one service

15
Maintaining/ Consuming Images - Golden Rules
• Docker Content Trust
- Provides authenticity, integrity and freshness guarantees
- Takes some time to understand & prepare your own setup (worth it!)
• Vulnerability–free Images
- Tool selection : binary level analysis + hash based
• Except compatibility issues, all images and packages must be up-to-date

16
Client <=> daemon
communication
Containers Images

17
Container Runtime - Golden Rules
• Do not disable/misconfigure seccomp, apparmor/selinux, capabilities
• Change the default memory limits, CPU shares (else DOS)
• Do not use default docker0 bridge (ARP spoofing, MITM etc.)
• Enable PIDs cgroup per container (fork bomb)
• Do not use privileged containers and try to set no new privileges flag (priv. issues)
• Beware of non namespaced components : kernel keyring etc. (Container breakout)
• Bind incoming traffic to any specific interface (Info disclosure etc.)
• Do not share host’s namespaces to containers (Info disclosure etc.)
• Mounts (Violation of least privilege)
• Ensure Docker commands get latest images (Caching issue)

18
Client <=> daemon
communication
Containers Images

19
Other components - Golden Rules
• Daemon Security
- Fix dangerous defaults such as allowing communication between containers
- Enable/use/implement much needed security controls (user namespaces,
ulimits, authorization plugins, restricting daemon access)
• Communication Security
• Registry’s Security (Did not explore specifically)
• Host Security
- Maintain latest Linux kernel (PIDs cgroup only in > 4.3) and Docker version
- Apply kernel hardening policies (GRSecurity, PaX etc.)
- Harden the host as per CIS / SANS / your custom hardening guidelines

20
Enterprise zone (Personal users ALLOWED!)
• Images
- Say “no” to Docker Hub (definitely not general images)
- Maintain your own in-house registries (What security controls?)
- Base image selection and also using image optimization techniques
• Runtime
- Customize seccomp, apparmor/selinux etc. profiles
• Misc.
- Create container specific standards and guidelines
- Use commercial tools (useful features like Image Lockdown, RBAC, profiling,
monitoring, anomaly detection, secret management etc.)
- Customize CIS Docker benchmarks as per your requirements and adhere to it
- Use file monitoring solutions
- Container specific SIEM rules
- Group containers on VM’s (categories?)
- Your general security controls 

21
Client <=> daemon
communication
Containers Images

22
 A.B.C.D….
 Security
• Images
• Runtime
• Enterprise zone
 Misc.
 Wrap up
What’s next?

23
Misc.
• Tool recommendations (Meet me!)
- Images
- Network level
- Container Ecosystem
• Hardware isolation to containers (Clear containers – are they really containers?)
• Future expectation of containers (My 2¢)
• Virtual machines security to containers (view of kernel)

24
What’s next?
 A.B.C.D….
 Security
• Images
• Runtime
• Enterprise zone
 Misc.
 Wrap up

25
So, what did you learn today?

26
It’s not good to keep questions in your mind
Throw them out and I am here to catch 

27
References
1. CIS Docker Benchmarks - 1.12 and 1.13
2. https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/2016/april/ncc_group_understanding_hardening_linux_containers-1-1pdf
3. www.oreilly.com/webops-perf/free/files/docker-security.pdf
4. http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf
5. http://www.slideshare.net/Docker/docker-security-workshop-slides
6. http://www.slideshare.net/Docker/securing-the-container-pipeline-at-salesforce-by-cem-gurkok-63493231
7. https://docs.docker.com/engine/security/
8. http://www.slideshare.net/Docker/docker-security-deep-dive-by-ying-li-and-david-lawrence

28TCS Confidential
That’s it…!
You can collect my V-Card
Reach me on www.manideepk.com for any questions

How secure is your Docker Container pipeline?

More Related Content

What's hot (20)

Viewers also liked (16)

Similar to How secure is your Docker Container pipeline? (20)

Recently uploaded (20)

How secure is your Docker Container pipeline?