Open Source Security Tools for Kubernetes
Michael Ducy, Sysdig (@mfdii)
Agenda
- Layers of Container Security: Infra, Build, Runtime
- Container Security Challenges
- Open Source Tools For:
  - Infra
  - Build
  - Runtime
Layers of Container Security
- Infrastructure
- Build
- Runtime
Infrastructure
- Host Security
- Networking
- Cluster Security
- Container Runtime
Build
Image/Software Provenance
- Signed Images/Layers
- Artifact Signing
Vulnerability Management
- Upstream OS
- Application Vulnerabilities
Runtime
- Service/Container Admittance
- Secure Secrets
- Anomaly Detection
- Forensics
Challenges of Container Security
- Decisions Pushed to Edge
- Ephemeral Nature of Containers
- Attack Surface
- Resource Isolation
Infrastructure Security
(Diagram: the infrastructure layer covers Network/Storage, Host, Cluster, and Container Runtime.)
Infrastructure Security
Cluster:
- RBAC, Security Policies, Affinity
Host/Container Runtime:
- Seccomp, SELinux, AppArmor, Resource Constraints
Network:
- Service Mesh, Network Policy, Network Filtering
Orchestrator:
- kube-hunter, kube-bench, kubesec.io
Security Policies
Security Policies define:
- Access to host resources:
  - Filesystem, Host Network, Namespaces
- User/Group of Container
- Read Only Filesystem
- Linux capabilities available:
  - http://man7.org/linux/man-pages/man7/capabilities.7.html
- Seccomp, AppArmor, or SELinux profiles
Build Security
(Diagram: the build layer is each container image's own stack of App Code, App Runtime, Libraries, and OS, running on the shared Container Runtime, Cluster, Host, and Network/Storage.)
Container Security
Developers and Source Code:
- Secure Design and Architecture
- Static Code Analysis
- Source Code Dependency Checks
Build and Automated CI/CD:
- Build Artifact Scanning
- Software Package Dependency Checks
- Configuration Checks
- Best Practices Checks
Deploy and Runtime:
- Network Ingress and Egress
- Runtime Anomaly Detection
- Runtime Deployment Monitoring
- Many Other
Container Security (continued): the same pipeline, with the Container Image highlighted as the build artifact that the following scanning tools inspect.
Container Image Scanning
Tools and services that, at a high level, should:
• Take as input (minimally) a built container image
• Analyze/inspect the contents of the image itself
• Perform various types of security, best practice, and compliance checks
• Result in a report, notification, or control decision based on analysis and checks, mapped to identifiable container image content
Various tools exist; today we present the OSS Anchore Engine:
• Container native
• Runs as a service with a broad API
• Distributed system
• Powerful and customizable policy-based checks for security, best-practice, and other process compliance
Anchore Policy Checks
Image checks
• OS Packages (RPM, DEB, APK)
• 3rd party packages (NPM, GEM, JAVA, PY)
• File names and contents
• Build Metadata (Dockerfile)
Security checks
• Software Vulnerabilities (OS Packages, 3rd party packages)
• Secrets/Keys search
Anchore policies are flexible: customizable and tunable by the user!
Container Image Policy Scan in CI/CD
Anchore Engine: Architecture
Image: docker.io/anchore/anchore-engine:latest
- API Tier: External API, Kubernetes Webhook (used by CI/CD and by users via CLI/API)
- State Tier: Catalog, Policy Engine, SimpleQueue, Database
- Analysis Tier: Analyzer Worker
Install Anchore: docker-compose
mkdir anchore
mkdir anchore/config
mkdir anchore/db
cd anchore
curl https://raw.githubusercontent.com/anchore/anchore-engine/master/scripts/docker-compose/docker-compose.yaml > docker-compose.yaml
curl https://raw.githubusercontent.com/anchore/anchore-engine/master/scripts/docker-compose/config.yaml > config/config.yaml
docker-compose up -d
docker run anchore/engine-cli:latest anchore-cli --u admin --p foobar --url http://172.18.0.1:8228/v1 system status
Service analyzer (dockerhostid-anchore-engine, http://anchore-engine:8084): up
Service simplequeue (dockerhostid-anchore-engine, http://anchore-engine:8083): up
Service apiext (dockerhostid-anchore-engine, http://anchore-engine:8228): up
Service kubernetes_webhook (dockerhostid-anchore-engine, http://anchore-engine:8338): up
Service catalog (dockerhostid-anchore-engine, http://anchore-engine:8082): up
Service policy_engine (dockerhostid-anchore-engine, http://anchore-engine:8087): up
Engine DB Version: 0.0.7
Engine Code Version: 0.2.4
Install Anchore: Helm
helm install --name anchore-stack stable/anchore-engine
kubectl get pods
NAME READY STATUS RESTARTS AGE
anchore-stack-anchore-engine-core-5bf44cb6cd-zxx2k 1/1 Running 0 38m
anchore-stack-anchore-engine-worker-5f865c7bf-r72vs 1/1 Running 0 38m
anchore-stack-postgresql-76c87599dc-bbnxn 1/1 Running 0 38m
ANCHORE_CLI_USER=admin
ANCHORE_CLI_PASS=$(kubectl get secret --namespace default anchore-stack-anchore-engine -o jsonpath="{.data.adminPassword}" | base64 --decode; echo)
kubectl run -i --tty anchore-cli --restart=Always --image anchore/engine-cli --env ANCHORE_CLI_USER=admin --env ANCHORE_CLI_PASS=${ANCHORE_CLI_PASS} --env ANCHORE_CLI_URL=http://anchore-stack-anchore-engine.default.svc.cluster.local:8228/v1/ -- anchore-cli system status
Using Anchore: Jenkins CI/CD
(Two screenshot slides.)
Using Anchore: CLI (scripting)
anchore-cli image add docker.io/library/debian:latest
…
anchore-cli --json image get docker.io/library/debian:latest | jq '.[0]["analysis_status"]'
"analyzing"
anchore-cli --json image get docker.io/library/debian:latest | jq '.[0]["analysis_status"]'
"analyzed"
anchore-cli evaluate check docker.io/library/debian:latest
Image Digest: sha256:a0cd2c88c5cc65499e959ac33c8ebab45f24e6348b48d8c34fd2308fcb0cc138
Full Tag: docker.io/library/debian:latest
Status: fail
Last Eval: 2018-07-28T21:42:42Z
Policy ID: 2c53a13c-1765-11e8-82ef-23527761d060
anchore-cli image vuln docker.io/library/debian:latest all
anchore-cli image content docker.io/library/debian:latest os
anchore-cli image content docker.io/library/debian:latest npm
…
Using Anchore: Kubernetes Admission Control
Kubernetes 1.9 and above supports ValidatingAdmissionWebhooks
• Kubernetes Admission Controllers
General Process
• User sends deployment request to Kubernetes API
• Kubernetes sends admission control request to custom validator service
• Service contacts Anchore Engine API to perform policy evaluation on each image specified in the request
• Service responds with accept/deny
Full detail: Policy-based Image Validation For Kubernetes With Anchore Engine by Vic Iglesias
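The decision logic of the validator service described above, as an added example in Python (not the code from Vic Iglesias' post or from Anchore): it extracts every image from the Pod in an AdmissionReview request, runs each through an evaluator callable, and denies the whole request if any image does not pass. The `evaluate_image` callable and the sample request are assumptions; in a real service the callable would call the Anchore Engine policy evaluation API.

```python
import json
from typing import Callable, Dict, List

# Constructed AdmissionReview request, in the shape Kubernetes 1.9+ posts to a
# ValidatingAdmissionWebhook: one init container and one app container.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1beta1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "7f3c0f8e-constructed-uid",
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "object": {
            "kind": "Pod",
            "spec": {
                "initContainers": [{"name": "init", "image": "docker.io/library/busybox:1.29"}],
                "containers": [{"name": "app", "image": "docker.io/library/debian:latest"}],
            },
        },
    },
}


def images_in_pod(pod: Dict) -> List[str]:
    """Every image referenced by a Pod manifest, init containers included, in order."""
    spec = pod.get("spec", {})
    return [
        c["image"]
        for field in ("initContainers", "containers")
        for c in spec.get(field, [])
        if "image" in c
    ]


def admission_response(review: Dict, evaluate_image: Callable[[str], str]) -> Dict:
    """Build the AdmissionReview response for the validator service.

    `evaluate_image` stands in for the Anchore Engine policy check and returns
    "pass" or "fail" for an image reference. Every image in the request is
    evaluated; one failing (or unevaluable) image denies the whole request,
    so the webhook fails closed.
    """
    request = review.get("request", {})
    results: Dict[str, str] = {}
    for image in images_in_pod(request.get("object", {})):
        try:
            results[image] = evaluate_image(image)
        except Exception as exc:  # engine unreachable, timeout, unknown image
            results[image] = "error: %s" % exc
    failing = sorted(img for img, status in results.items() if status != "pass")
    if failing:
        message = "denied by image policy: " + ", ".join(
            "%s (%s)" % (img, results[img]) for img in failing)
    else:
        message = "all %d image(s) passed policy evaluation" % len(results)
    return {
        "apiVersion": "admission.k8s.io/v1beta1",
        "kind": "AdmissionReview",
        "response": {
            "uid": request.get("uid", ""),
            "allowed": not failing,
            "status": {"message": message},
        },
    }


def demo_evaluator(image: str) -> str:
    """Stand-in for `anchore-cli evaluate check <image>`: the slide's evaluation of
    debian:latest came back "fail"; every other image passes here (assumption)."""
    return "fail" if image == "docker.io/library/debian:latest" else "pass"


def unreachable_engine(image: str) -> str:
    """Stand-in for an Anchore Engine that cannot be reached at all."""
    raise RuntimeError("engine unreachable")


if __name__ == "__main__":
    print(json.dumps(admission_response(SAMPLE_REVIEW, demo_evaluator), indent=2))
```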
Image Scanning + Runtime: Sysdig Falco and Anchore Engine
docker run --rm -e ANCHORE_CLI_USER=admin -e ANCHORE_CLI_PASS=foobar -e ANCHORE_CLI_URL=http://192.168.1.3:8228/v1 sysdig/anchore-falco
- macro: anchore_stop_policy_evaluation_containers
  condition: container.image.id in ("52057de6c8d0d0143dfc71fde55e58edaf3ccc5c2212221a614f45283c5ab063","65bf726222e13b0ceff0bb20bb6f0e99cbf403a7a1f611fdd2aadd0c8919bbcf","8626492fecd368469e92258dfcafe055f636cb9cbc321a5865a98a0a6c99b8dd","e86d9bb526efa0b0401189d8df6e3856d0320a3d20045c87b4e49c8a8bdb22c1")
- rule: Run Anchore Containers with Stop Policy Evaluation
  desc: Detect containers which do not receive a positive Policy Evaluation from Anchore Engine.
  condition: evt.type=execve and proc.vpid=1 and container and anchore_stop_policy_evaluation_containers
  output: A stop policy evaluation container from anchore has started (%container.info image=%container.image)
  priority: INFO
  tags: [container]
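How a rules file like the one above can be generated from Anchore results, as an added Python example (not the code inside the sysdig/anchore-falco image): image IDs whose policy evaluation did not pass are collected into the macro, and the rule fires when a container with one of those IDs starts. The evaluation records are constructed, and their field names are assumptions about what a client would collect from the Anchore API.

```python
from typing import Dict, Iterable, List

# Constructed sample of what an Anchore client collects per image: the image ID
# and the final status of `anchore-cli evaluate check` against the active policy.
SAMPLE_EVALUATIONS = [
    {"imageId": "1" * 64, "tag": "docker.io/library/alpine:3.8", "status": "pass"},
    {"imageId": "2" * 64, "tag": "docker.io/library/debian:latest", "status": "fail"},
    {"imageId": "3" * 64, "tag": "registry.example/internal/api:1.4", "status": "fail"},
    {"imageId": "2" * 64, "tag": "docker.io/library/debian:9", "status": "fail"},  # same ID, second tag
]

MACRO_NAME = "anchore_stop_policy_evaluation_containers"
RULE_NAME = "Run Anchore Containers with Stop Policy Evaluation"


def stopped_image_ids(evaluations: Iterable[Dict]) -> List[str]:
    """Image IDs whose evaluation is anything but "pass" (a missing or unknown
    status counts as not passed), de-duplicated and sorted for stable output."""
    return sorted({e["imageId"] for e in evaluations if e.get("status") != "pass"})


def macro_condition(image_ids: List[str]) -> str:
    """Falco condition for the macro. With no stopped images, `evt.num = 0` never
    matches, so the generated file still loads instead of containing `in ()`."""
    if not image_ids:
        return "(evt.num = 0)"
    return "container.image.id in (%s)" % ", ".join('"%s"' % i for i in image_ids)


def falco_rules_yaml(image_ids: List[str]) -> str:
    """Render the macro and rule from the slide as a Falco rules file."""
    lines = [
        "- macro: %s" % MACRO_NAME,
        "  condition: %s" % macro_condition(image_ids),
        "",
        "- rule: %s" % RULE_NAME,
        "  desc: Detect containers which do not receive a positive Policy Evaluation from Anchore Engine.",
        "  condition: evt.type=execve and proc.vpid=1 and container and %s" % MACRO_NAME,
        '  output: "A stop policy evaluation container from anchore has started (%container.info image=%container.image)"',
        "  priority: INFO",
        "  tags: [container]",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(falco_rules_yaml(stopped_image_ids(SAMPLE_EVALUATIONS)))
```

Regenerating the file on a schedule (or from the webhook notifications described later) keeps the runtime rule in step with the latest evaluations.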
Image Scanning + Runtime: Anchore Webhook Notifications
(Diagram: the Anchore Catalog Service runs an Image Update Monitor, a Policy Evaluation Monitor, a Vulnerability Scan Monitor, and others; each emits an Anchore Webhook Notification to an Anchore Webhook Consumer, which can notify by Email / Slack, trigger a new build, block/undeploy, and so on.)
Runtime Security
(Diagram: the runtime layer spans the running containers' App Code, App Runtime, Libraries, and OS on the Container Runtime, Cluster, Host, and Network/Storage.)
Runtime Security
Service/Container Admittance
- What’s Allowed to Run/Join a Service
Secure Secrets
- How do applications authenticate
Anomaly Detection
- Is my runtime environment being tampered with?
Forensics
- What happened if something was compromised?
Anomaly Detection
- Containers are isolated processes.
- Processes are “scoped” as to what’s expected.
- Container images are immutable; runtime environments often aren’t.
- How do you detect “abnormal” behavior?
Falco: A CNCF Sandbox Project
Runtime Security for Cloud Native Platforms.
- Detect abnormal behavior in applications, containers, and hosts.
- Audit system activity
Cloud Native Computing Foundation Sandbox Level Project
- https://sysdig.com/blog/falco-cncf-sandbox/
Falco
A behavioral activity monitor
• Detects suspicious activity defined by a set of rules
• Uses Sysdig’s flexible and powerful filtering expressions
With full support for containers/orchestration
• Utilizes sysdig’s container & orchestrator support
And flexible notification methods
• Alert to files, standard output, syslog, programs
Open Source
• Anyone can contribute rules or improvements
Quick examples
A shell is run in a container:
  container.id != host and proc.name = bash
Overwrite system binaries:
  fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) and write
Container namespace change:
  evt.type = setns and not proc.name in (docker, sysdig)
Non-device files written in /dev:
  (evt.type = create or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null
Process tries to access camera:
  evt.type = open and fd.name = /dev/video0 and not proc.name in (skype, webex)
Falco architecture
(Diagram: in the kernel, the falco_probe kernel module captures syscalls; in user space the Sysdig libraries turn them into events, the Falco rules (filter expressions) select the suspicious events, and alerting sends them to a file, syslog, stdout, or a shell program.)
25 common rules available OOTB
Focused on common container best practices:
■ Writing files in bin or etc directories
■ Reading sensitive files
■ Binaries being executed other than CMD/ENTRYPOINT
Falco rules
.yaml file containing Macros, Lists, and Rules
- macro: bin_dir
  condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
- list: shell_binaries
  items: [bash, csh, ksh, sh, tcsh, zsh, dash]
- rule: write_binary_dir
  desc: an attempt to write to any file below a set of binary directories
  condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs
  output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)"
  priority: WARNING
How can you use Falco?
Response Engine & Security Playbooks
● Detect abnormal events with Falco
● Publish alerts to Pub/Sub service (NATS.io)
● Subscribers can subscribe to various FALCO topics to receive alerts:
○ FALCO.* - All alerts
○ FALCO.Notice - Alerts of priority “Notice” only
○ FALCO.Critical - Alerts of priority “Critical” only
● Subscribers can take action on alerts:
○ Kill offending Pod
○ Taint Nodes to prevent scheduling
○ Isolate Pod with Networking Policy
○ Send notification via Slack
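The alert routing this playbook model relies on, as an added Python example (not the response engine's own code): a Falco JSON alert is published on the subject `FALCO.<priority>`, subscribers register NATS-style patterns such as `FALCO.*` or `FALCO.Critical`, and a pod-deleting playbook receives only the alerts its pattern matches. NATS subject matching is modelled in-process rather than against a real NATS server, the alert line is constructed, and the playbook only records which pod it would delete.

```python
import json
from typing import Callable, Dict, List, Tuple

# Constructed Falco alert in Falco's JSON output format (one JSON object per
# line when json_output is enabled and Kubernetes metadata is attached).
SAMPLE_ALERT_LINE = json.dumps({
    "output": "21:42:42.000000000: Critical Terminal shell in container "
              "(user=root web-7d9c6f (id=3b1e2c) shell=bash)",
    "priority": "Critical",
    "rule": "Terminal shell in container",
    "time": "2018-07-28T21:42:42.000000000Z",
    "output_fields": {
        "k8s.ns.name": "default",
        "k8s.pod.name": "web-7d9c6f",
        "container.id": "3b1e2c",
        "proc.name": "bash",
    },
})

Handler = Callable[[Dict], None]


def subject_for(alert: Dict) -> str:
    """Map an alert to its NATS subject by priority, e.g. FALCO.Critical."""
    return "FALCO." + alert["priority"]


def subject_matches(pattern: str, subject: str) -> bool:
    """NATS subject matching: dot-separated tokens, '*' matches exactly one
    token, '>' matches one or more trailing tokens."""
    p, s = pattern.split("."), subject.split(".")
    for i, tok in enumerate(p):
        if tok == ">":
            return len(s) > i
        if i >= len(s) or (tok != "*" and tok != s[i]):
            return False
    return len(p) == len(s)


class AlertBus:
    """Minimal in-process stand-in for the NATS server: subscribe by pattern,
    publish by subject, deliver to every subscriber whose pattern matches."""

    def __init__(self) -> None:
        self._subs: List[Tuple[str, Handler]] = []

    def subscribe(self, pattern: str, handler: Handler) -> None:
        self._subs.append((pattern, handler))

    def publish(self, subject: str, alert: Dict) -> int:
        delivered = 0
        for pattern, handler in self._subs:
            if subject_matches(pattern, subject):
                handler(alert)
                delivered += 1
        return delivered


def delete_pod_playbook(deleted: List[Tuple[str, str]]) -> Handler:
    """Playbook modelled on the Kubeless function: delete the offending pod.
    Here it only records (namespace, pod); a real one calls the Kubernetes API."""
    def handler(alert: Dict) -> None:
        fields = alert.get("output_fields", {})
        pod = fields.get("k8s.pod.name")
        if pod:  # host-level alerts carry no pod name, so there is nothing to delete
            deleted.append((fields.get("k8s.ns.name", "default"), pod))
    return handler


def forward_falco_output(lines: List[str], bus: AlertBus) -> int:
    """Publisher side: parse each Falco JSON line and publish it on its subject.
    Non-JSON lines (Falco startup chatter) are skipped; returns total deliveries."""
    delivered = 0
    for line in lines:
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(alert, dict) or "priority" not in alert:
            continue
        delivered += bus.publish(subject_for(alert), alert)
    return delivered


if __name__ == "__main__":
    bus, deleted = AlertBus(), []
    bus.subscribe("FALCO.*", delete_pod_playbook(deleted))
    forward_falco_output([SAMPLE_ALERT_LINE], bus)
    print("would delete:", deleted)
```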
Response Engine & Security Playbooks
(Diagram slides.) Reference: https://aws.amazon.com/blogs/opensource/securing-amazon-eks-lambda-falco/
Flow:
- Falco detects an abnormal event and publishes the alert to NATS
- Subscribers receive the Falco alert through the NATS server
- Kubeless receives the Falco alert, firing a function to delete the offending Kubernetes Pod
https://sysdig.com/blog/oss-container-security-runtime/
Functions for Operations
- Easily write simple functions to react to security events
- Multiple subscribers can take multiple actions
- One function to delete a pod
- One function to notify teams
- One function to log events
- Small, reusable components
SIEM with EFK
● Security Information and Event Management
○ Collect security events
○ Easily allow reporting and correlation of events across various data sources
● Elasticsearch, Fluentd, Kibana
○ Fluentd - Cloud Native log aggregation
○ Elasticsearch - Schema free JSON data store
○ Kibana - powerful data visualization tool for Elasticsearch
● https://sysdig.com/blog/kubernetes-security-logging-fluentd-falco/
SIEM with EFK
- Falco detects an abnormal event and publishes the alert to stdout
- Fluentd ships alerts to Elasticsearch
- Kibana dashboards can be used to aggregate, filter, and report on alerts.
SIEM with EFK
(Screenshot slide.)
Join the community
• Website
  • https://falco.org
  • https://anchore.com/opensource
• Public Slack
  • http://slack.sysdig.com/
  • https://anchore.com/slack
  • https://sysdig.slack.com/messages/falco
• Blog
  • https://sysdig.com/blog/tag/falco/
  • https://anchore.com/opensource
Learn more
Documentation
• Anchore Documentation
• Falco Documentation
Github
• https://github.com/falcosecurity/falco
• https://github.com/anchore/anchore-engine
Docker Hub
• https://hub.docker.com/r/sysdig/falco/
• https://hub.docker.com/r/anchore/anchore-engine/
Thank You. Questions?
michael@sysdig.com
nurmi@anchore.com
bencer@sysdig.com
