SecDevOps containers
0 likes106 views
The document discusses SecDevOps and provides best practices for container security, emphasizing the importance of building small and immutable container images, avoiding the use of root users, and using official vendor images. It highlights tools and techniques for improving security in container environments, such as Kubernetes, Docker content trust, and security policies. Additionally, it stresses the importance of collaboration, training, and adherence to the principle of least privilege in securing DevOps processes.
![SecDevops Containers
Kube PSP advisor
https://kubernetes.io/docs/concepts/policy/pod-security-policy/
"hostNetwork": [
{
"metadata": {
"name": "busy-rs",
"kind": "ReplicaSet"
},
"namespace": "psp-test",
"hostPID": true,
"hostNetwork": true,
"hostIPC": true,
"volumeTypes": [
"configMap"
]
},
{
"metadata": {
"name": "busy-pod",
"kind": "Pod"
},
"namespace": "psp-test",
"hostNetwork": true,
"volumeTypes": [
"hostPath",
"secret"
],
"mountedHostPath": [
"/usr/bin"
]](https://image.slidesharecdn.com/stackconf-200618093139/85/SecDevOps-containers-38-320.jpg)
SecDevOps containers
- 2. SecDevops Containers ● @jmortegac ● http://jmortega.github.io ● https://www.linkedin.com/in/jmortega1/
- 4. ● Introduction ● Containers Security ● SecDevops tools ● DevOps security best practices SecDevops Containers
- 7. SecDevops Containers ● Increased speed and agility for security teams. ● Increased or better collaboration and communication across teams. ● Increased opportunities for automated builds and quality assurance testing. ● Early identification of vulnerabilities in application code.
- 8. ● 1. Containers are NOT Virtual Machines ● 2. Containers are isolated area in the OS kernel ● 3. Kubernetes is a Container Orchestration Platform. ● 4. Kubernetes abstracts the cloud vendor (AWS,Azure, GCP) scalability features. SecDevops Containers
- 9. ● Build Small Container Images ○ Use Alpine Image as your base Linux OS ○ Using distroless images ○ Smaller image size reduce the Container vulnerabilities. SecDevops Containers
- 10. ● Distroless Images ○ https://github.com/GoogleCloudPlatform/distroless SecDevops Containers
- 11. ● Containers inmutability ○ Container images follow a unix philosophy ○ Container images should be immutable ○ RUN rm /usr/bin/apt-* /usr/bin/dpkg* SecDevops Containers
- 12. ● Avoid root user ○ Create a User account ○ Add Runtime software’s based on the User Account. ○ Run the App under the user account ○ Add Security module SELinux or AppArmour to increase the security SecDevops Containers
- 13. ● Container Security ○ Secure your HOST OS. Containers runs on Host Kernel. ○ No Runtime software downloads inside the container. ○ Declare the software requirements at the build time itself. ○ Download Docker base images from Authentic site. ○ Limit the resource utilization using Container orchestrators like Kubernetes. ○ Don’t run anything on Super privileged mode. SecDevops Containers
- 14. ● Docker hub ○ Do you have your own container registry? ○ Do you check your Dockerfiles? ○ Your pipelines has permissions and access to publish in docker hub? ○ Do you inspect your Dockerfiles? ○ Do you have Docker builds correctly configured? ○ Do you control where layers are built? SecDevops Containers
- 15. ● Docker Content Trust ○ https://docs.docker.com/engine/security/trust/ content_trust/ ○ export DOCKER_CONTENT_TRUST =1 ○ Protection of malicious code in images. ○ Protection against repeated attacks. ○ Protection against key commitments. SecDevops Containers
- 16. ● Exploring layers in docker images ○ https://github.com/wagoodman/dive SecDevops Containers
- 17. ● Container introspection tool ○ https://github.com/genuinetools/amicontained SecDevops Containers
- 18. ● Docker bench security ○ https://github.com/docker/docker-bench-security SecDevops Containers
- 23. ● Kubernetes Security ○ Preventing image manipulation and unauthorized access ○ Deploying Pods without root permissions ○ Pod Security Policies ○ Secrets management SecDevops Containers
- 24. ● Pods Security ○ Never access a Pod directly from another Pod. ○ Never use :latest tag in the image in the production scenario. SecDevops Containers
- 25. ● Namespaces ○ Group your services/pods traffic rules based on specific namespace. ○ Handle specific Resource Allocations for a Namespace. ○ If you have more than a dozen Microservices then it’s time to bring in Namespaces. SecDevops Containers
- 26. ● Using official images ○ Use images provided by a vendor ○ Critical vulnerabilities are resolved automatically when they are updated. SecDevops Containers
- 29. SecDevops Containers Dangerous pod configurations
- 30. SecDevops Containers CPU and memory limits to prevent DoS
- 31. SecDevops Containers runAsNonRoot flag in pod configuration
- 32. SecDevops Containers Capabilities in pod configuration
- 33. SecDevops Containers Kubebench-CIS Kubernetes Benchmark https://github.com/aquasecurity/kube-bench ● Master Node Security Configuration ○ API Server ○ Scheduler ○ Controller Manager /Configuration Files ○ General Security Primitives ○ PodSecurityPolicices ● Worker Node Security Configuration ○ Kubelet ○ Configuration Files
- 34. SecDevops Containers Kubebench-CIS Kubernetes Benchmark https://github.com/aquasecurity/kube-bench
- 37. SecDevops Containers Pod Security Policies https://kubernetes.io/docs/concepts/policy/pod-security-policy/
- 38. SecDevops Containers Kube PSP advisor https://kubernetes.io/docs/concepts/policy/pod-security-policy/ "hostNetwork": [ { "metadata": { "name": "busy-rs", "kind": "ReplicaSet" }, "namespace": "psp-test", "hostPID": true, "hostNetwork": true, "hostIPC": true, "volumeTypes": [ "configMap" ] }, { "metadata": { "name": "busy-pod", "kind": "Pod" }, "namespace": "psp-test", "hostNetwork": true, "volumeTypes": [ "hostPath", "secret" ], "mountedHostPath": [ "/usr/bin" ]
- 40. SecDevops Containers Sysdig falco policies ○ A shell that runs inside a container with root privileges. ○ A process that generates another process with unexpected behavior. ○ Reading a confidential file, for example the etc/shadow ○ A process that is using a file that is not a device type in the /dev path, indicating a possible rootkit activity.
- 41. SecDevops Containers Security best practices ● Do not run containers and pods as root. ● Disable capabilities and privileges ● One application per container, microservice oriented approach. ● Use small images
- 42. ● Training and communication is the key to success ● DevSecOps is not about only ools but the correct tools are necessary. ● Follow “Least privilege principle” SecDevops Containers
- 43. ● https://opensource.com/article/18/8/tools-container-s ecurity ● https://www.devsecops.org/ ● https://github.com/devsecops/awesome-devsecops ● https://cloudowski.com/articles/how-to-increase-cont ainer-security-with-proper-images/ ● https://www.twistlock.com/container-security ● https://developer.okta.com/blog/2019/07/18/container -security-a-developer-guide SecDevops Containers