SlideShare a Scribd company logo

Securing your Container Environment with Open Source

Michael Ducy, profile picture
Michael Ducy

The document covers container security challenges and solutions using open-source tools, focusing on multiple layers including infrastructure, build, and runtime security. Key topics include host and container runtime security, vulnerability management, service identity, and anomaly detection. It also discusses various security policies, tools like Falco for monitoring, and methods for ensuring secure development practices for containerized applications.

Technology
1 of 41
Downloaded 66 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
@mfdii Michael Ducy, Sysdig, @mfdii Securing your Container Environment with Open Source
@mfdii Layers Container Security Infra, Build, Runtime Container Security Challenges Open Source Tools For: - Infra - Build - Runtime Container Security Architecture Agenda
@mfdii Layers of Container Security Runtime Build Infrastructure
@mfdii Infrastructure Host Security Networking Cluster Security Container Runtime
@mfdii Build Image/Software Provenance - Signed Images/Layers - Artifact Signing Vulnerability Management - Upstream OS - Application Vulnerabilities
@mfdii Runtime Service/Container Admittance Secure Secrets Anomaly Detection Forensics
@mfdii Decisions Pushed to Edge Ephemeral Nature of Containers Attack Surface Resource Isolation Challenges of Container Security
@mfdii Infrastructure Security Network Storage Host Cluster Container Runtime
@mfdii Infrastructure Security Cluster: - RBAC, Security Policies, Affinity Host/Container Runtime: - Seccomp, SELinux, AppArmor, Resource Constraints Network: - Service Mesh, Network Policy, Network Filtering
@mfdii Security Policies Security Policies define: - Access to host resources: - Filesystem, Host Network, Namespaces - User/Group of Container - Read Only Filesystem - Linux capabilities available: - http://man7.org/linux/man-pages/man7/capabilities.7.html - Seccomp, AppArmor, or SELinux profiles
@mfdii Linux Security Modules SELinux System wide execution policy Apparmor System wide execution policy, focused on processes Seccomp Per process system call isolation
@mfdii LSMs $ docker run --security-opt "apparmor=<profile>" $ docker run --security-opt seccomp=/path/to/seccomp/profile.json
@mfdii Security Policies apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: restricted annotations: seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' spec: privileged: false # Required to prevent escalations to root. allowPrivilegeEscalation: false # This is redundant with non-root + disallow privilege escalation, # but we can provide it for defense in depth. requiredDropCapabilities: - ALL # Allow core volume types. volumes: - 'configMap' - 'emptyDir' - 'projected' - 'secret' - 'downwardAPI' # Assume that persistentVolumes set up by the cluster admin are safe to use. - 'persistentVolumeClaim' hostNetwork: false
@mfdii Container Affinity/Constraints Affinity ensures: - Containers with sensitive data or data processing routines are next scheduled next to other containers Strong labeling schema encouraged/required.
@mfdii Kubernetes Pod Affinity apiVersion: v1 kind: Pod metadata: name: with-node-affinity spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/e2e-az-name operator: In values: - e2e-az1 - e2e-az2 preferredDuringSchedulingIgnoredDuringExecution: - weight: 1 preference: matchExpressions: - key: another-node-label-key operator: In values: - another-node-label-value
@mfdii Host/Container Runtime Security CIS Benchmarks for Docker Hosts - https://www.cisecurity.org/benchmark/docker/ - Chef’s Inspec to scan for policy violations - https://inspec.io - https://github.com/dev-sec/cis-docker-benchmark - Docker Bench for Security - https://github.com/docker/docker-bench-security
@mfdii Networking Standard Firewall Rules/Security Groups - Common exploit point are dashboards or API ports open. Kubernetes: - Network Policies, Container Networking Interface Network Filtering - Kernel level L3/L4/L7 - Cilium - https://cilium.io/
@mfdii Cilium apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy description: "L3-L4 policy to restrict deathstar access to empire ships only" metadata: name: "rule1" spec: endpointSelector: matchLabels: org: empire class: deathstar ingress: - fromEndpoints: - matchLabels: org: empire toPorts: - ports: - port: "80" protocol: TCP
@mfdii Cilium
@mfdii Cilium apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy description: "L7 policy to restrict access to specific HTTP call" metadata: name: "rule1" spec: endpointSelector: matchLabels: org: empire class: deathstar ingress: - fromEndpoints: - matchLabels: org: empire toPorts: - ports: - port: "80" protocol: TCP rules: http: - method: "POST" path: "/v1/request-landing"
@mfdii Cilium
@mfdii Build Security Network Storage Host Cluster App Code App Runtime Libraries OS App Code App Runtime Libraries OS App Code App Runtime Libraries OS Container Runtime
@mfdii Build Security Image/Artifact Provenance: - Artifact signing, trusted registries, admittance control Vulnerability Management: - Image scanning, OS libraries, application libraries
@mfdii Image Scanning Clair - Static analysis of vulnerabilities in application containers. - Focuses on Operating System packages and libraries - https://github.com/coreos/clair Anchore - Analyzes container images against user defined policies. - https://github.com/anchore
@mfdii CoPilot & Openhub CoPilot - Open Source Application Dependency Vulnerability Management - https://copilot.blackducksoftware.com/ - Incorporate into your build process OpenHub - Compare open source project usage, and project health - https://www.openhub.net/
@mfdii Notary & Portieris Notary - Signs collections of digital content (Artifacts) - Project from Docker - Docker Content Trust - Implementation of The Update Framework - https://github.com/theupdateframework/ Portieries - Kubernetes Admission controller for enforcing Content Trust - https://github.com/IBM/portieris - https://schd.ws/hosted_files/kccnceu18/41/kubernetes-notary-tuf.pdf - https://www.youtube.com/watch?v=JK70k_B87mw
@mfdii Notary & Portieris
@mfdii Runtime Security Network Storage Host Cluster App Code App Runtime Libraries OS App Code App Runtime Libraries OS App Code App Runtime Libraries OS Container Runtime
@mfdii Runtime Security Service/Container Admittance - What’s Allowed to Run/Join a Service Secure Secrets - How do applications authenticate Anomaly Detection - Is my runtime environment being tampered with? Forensics - What happened if something was compromised?
@mfdii Service Identity How can you verify a service is who it says it is? SPIFFE - Secure Production Identity Framework For Everyone - Cryptographically verifiable Service IDs - https://github.com/spiffe/spiffe
@mfdii Service Identity
@mfdii Anomaly Detection - Containers are isolated processes. - Processes are “scoped” as to what’s expected. - Container images are immutable, runtime environments often aren’t. - How do you detect “abnormal” behavior.
@mfdii Sysdig Falco A behavioral activity monitor •Detects suspicious activity defined by a set of rules •Uses Sysdig’s flexible and powerful filtering expressions With full support for containers/orchestration •Utilizes sysdig’s container & orchestrator support And flexible notification methods •Alert to files, standard output, syslog, programs Open Source •Anyone can contribute rules or improvements
@mfdii Quick examples A shell is run in a container container.id != host and proc.name = bash Overwrite system binaries fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) and write Container namespace change evt.type = setns and not proc.name in (docker, sysdig) Non-device files written in /dev (evt.type = create or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null Process tries to access camera evt.type = open and fd.name = /dev/video0 and not proc.name in (skype, webex)
@mfdii Falco architecture falco_probe Kernel Module Kernel User Syscalls Sysdig Libraries ` Events Alerting Falco Rules Suspicious Events File Syslog Stdout Filter Expression Shell
@mfdii Falco Rules 25 common rules available OOTB Focused on common container best practices: ■ Writing files in bin or etc directories ■ Reading sensitive files ■ Binaries being executed other than CMD/ENTRYPOINT
@mfdii Falco rules .yaml file containing Macros, Lists, and Rules - macro: bin_dir condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) - list: shell_binaries items: [bash, csh, ksh, sh, tcsh, zsh, dash] - rule: write_binary_dir desc: an attempt to write to any file below a set of binary directories condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)" priority: WARNING
@mfdii Active Security with Falco, NATS, and Kubeless Falco NATS Kubeless Detects abnormal event, Publishes alert to NATS Subscribers receive Falco Alert through NATS Server Kubeless receives Falco Alert, firing a function to delete the offending Kubernetes Pod
@mfdii Join the community • Website •http://www.sysdig.org/falco • Public Slack •http://slack.sysdig.com/ •https://sysdig.slack.com/messages/falco • Blog •https://sysdig.com/blog/tag/falco/ • Sysdig Secure •http://sysdig.com/product/secure
@mfdii Learn more Github • https://github.com/draios/falco • Pull Requests welcome! Wiki • https://github.com/draios/falco/wiki Docker Hub • https://hub.docker.com/r/sysdig/falco/
@mfdii Thank You. Questions? michael@sysdig.com, @mfdii

More Related Content

PPTX
Open source security tools for Kubernetes.
Michael Ducy
 
PDF
Automating Security Response with Serverless
Michael Ducy
 
PDF
Sysdig Open Source Intro
Michael Ducy
 
PDF
Monitoring & Securing Microservices in Kubernetes
Michael Ducy
 
PDF
Container Runtime Security with Falco
Michael Ducy
 
PDF
DevOps in a Cloud Native World
Michael Ducy
 
PDF
5 Ways to Secure Your Containers for Docker and Beyond
Black Duck by Synopsys
 
PDF
Principles of Monitoring Microservices
Michael Ducy
 
Open source security tools for Kubernetes.
Michael Ducy
 
Automating Security Response with Serverless
Michael Ducy
 
Sysdig Open Source Intro
Michael Ducy
 
Monitoring & Securing Microservices in Kubernetes
Michael Ducy
 
Container Runtime Security with Falco
Michael Ducy
 
DevOps in a Cloud Native World
Michael Ducy
 
5 Ways to Secure Your Containers for Docker and Beyond
Black Duck by Synopsys
 
Principles of Monitoring Microservices
Michael Ducy
 

What's hot (20)

PDF
The Future of Security and Productivity in Our Newly Remote World
DevOps.com
 
PDF
Csw2016 wang docker_escapetechnology
CanSecWest
 
PDF
XFLTReat: a new dimension in tunnelling
Shakacon
 
PDF
Barbican 1.0 - Open Source Key Management for OpenStack
jarito030506
 
PPTX
Secure Application Development in the Age of Continuous Delivery
Tim Mackey
 
PDF
Kubernetes 101 for_penetration_testers_-_null_mumbai
n|u - The Open Security Community
 
PPTX
Dock ir incident response in a containerized, immutable, continually deploy...
Shakacon
 
PPT
Container security
Anthony Chow
 
PDF
NetDevOps Developer Environments with Vagrant @ SCALE16x
Hank Preston
 
PPTX
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...
CODE BLUE
 
PDF
Anatomy of a Cloud Hack
NotSoSecure Global Services
 
PDF
Useful Python Libraries for Network Engineers - PyOhio 2018
Hank Preston
 
PPTX
360° Kubernetes Security: From Source Code to K8s Configuration Security
DevOps.com
 
PDF
Practical Approaches to Container Security
Shea Stewart
 
PDF
Chris Rutter: Avoiding The Security Brick
Michael Man
 
PPTX
An In-depth look at application containers
John Kinsella
 
PDF
Kali tools list with short description
Jose Moruno Cadima
 
PPTX
Shamsa altayer 10bg kali linux
shamsaot
 
PDF
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon
 
PPTX
Kali Linux - Falconer - ISS 2014
TGodfrey
 
The Future of Security and Productivity in Our Newly Remote World
DevOps.com
 
Csw2016 wang docker_escapetechnology
CanSecWest
 
XFLTReat: a new dimension in tunnelling
Shakacon
 
Barbican 1.0 - Open Source Key Management for OpenStack
jarito030506
 
Secure Application Development in the Age of Continuous Delivery
Tim Mackey
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
n|u - The Open Security Community
 
Dock ir incident response in a containerized, immutable, continually deploy...
Shakacon
 
Container security
Anthony Chow
 
NetDevOps Developer Environments with Vagrant @ SCALE16x
Hank Preston
 
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...
CODE BLUE
 
Anatomy of a Cloud Hack
NotSoSecure Global Services
 
Useful Python Libraries for Network Engineers - PyOhio 2018
Hank Preston
 
360° Kubernetes Security: From Source Code to K8s Configuration Security
DevOps.com
 
Practical Approaches to Container Security
Shea Stewart
 
Chris Rutter: Avoiding The Security Brick
Michael Man
 
An In-depth look at application containers
John Kinsella
 
Kali tools list with short description
Jose Moruno Cadima
 
Shamsa altayer 10bg kali linux
shamsaot
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon
 
Kali Linux - Falconer - ISS 2014
TGodfrey
 
Ad

Similar to Securing your Container Environment with Open Source (20)

PDF
WTF my container just spawned a shell!
Sysdig
 
PDF
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Sysdig
 
PDF
Securing your Kubernetes applications
Néstor Salceda
 
ODP
Continuous Security
Sysdig
 
PDF
CI / CD / CS - Continuous Security in Kubernetes
Sysdig
 
PDF
Docker Runtime Security
Sysdig
 
PDF
Implementing Active Security with Sysdig Falco - Barcelona Software Crafters
Néstor Salceda
 
PDF
Implementing Active Security with Sysdig Falco - Docker Meetup Barcelona
Néstor Salceda
 
PDF
Supply Chain Security for Containerised Workloads - Lee Chuk Munn
NUS-ISS
 
PDF
The Container Security Checklist
LibbySchulze
 
PPTX
Csa container-security-in-aws-dw
Cloud Security Alliance, UK chapter
 
PPTX
Kubernetes and container security
Volodymyr Shynkar
 
PPTX
Containers and workload security an overview
Krishna-Kumar
 
PDF
LXC, Docker, security: is it safe to run applications in Linux Containers?
Jérôme Petazzoni
 
PDF
Securing Containerized Applications: A Primer
Phil Estes
 
PDF
Lines of Defense - Securing your Kubernetes Clusters by Koray Oksay
ContainerDay Security 2023
 
PDF
How Secure Is Your Container? ContainerCon Berlin 2016
Phil Estes
 
PDF
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
DevOpsDays Riga
 
PDF
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
ContainerDay Security 2023
 
PDF
Testing Docker Images Security
Jose Manuel Ortega Candel
 
WTF my container just spawned a shell!
Sysdig
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Sysdig
 
Securing your Kubernetes applications
Néstor Salceda
 
Continuous Security
Sysdig
 
CI / CD / CS - Continuous Security in Kubernetes
Sysdig
 
Docker Runtime Security
Sysdig
 
Implementing Active Security with Sysdig Falco - Barcelona Software Crafters
Néstor Salceda
 
Implementing Active Security with Sysdig Falco - Docker Meetup Barcelona
Néstor Salceda
 
Supply Chain Security for Containerised Workloads - Lee Chuk Munn
NUS-ISS
 
The Container Security Checklist
LibbySchulze
 
Csa container-security-in-aws-dw
Cloud Security Alliance, UK chapter
 
Kubernetes and container security
Volodymyr Shynkar
 
Containers and workload security an overview
Krishna-Kumar
 
LXC, Docker, security: is it safe to run applications in Linux Containers?
Jérôme Petazzoni
 
Securing Containerized Applications: A Primer
Phil Estes
 
Lines of Defense - Securing your Kubernetes Clusters by Koray Oksay
ContainerDay Security 2023
 
How Secure Is Your Container? ContainerCon Berlin 2016
Phil Estes
 
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
DevOpsDays Riga
 
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
ContainerDay Security 2023
 
Testing Docker Images Security
Jose Manuel Ortega Candel
 
Ad

More from Michael Ducy (20)

PDF
Rethinking Open Source in the Age of Cloud
Michael Ducy
 
PDF
Sysdig Tokyo Meetup 2018 02-27
Michael Ducy
 
PDF
Survey of Container Build Tools
Michael Ducy
 
PDF
Monoliths, Myths, and Microservices - CfgMgmtCamp
Michael Ducy
 
PDF
Monoliths, Myths, and Microservices
Michael Ducy
 
PPTX
Why Pipelines Matter
Michael Ducy
 
PPTX
The Future of Everything
Michael Ducy
 
PPTX
Improving Goat Production
Michael Ducy
 
PDF
Changing the Way Development and Operations Works
Michael Ducy
 
PDF
CloudStack Day 14 - Automation: The Key to Hybrid Cloud
Michael Ducy
 
PPTX
The Road to Hybrid Cloud is Paved with Automation
Michael Ducy
 
PPTX
The Velocity of Bureaucracy
Michael Ducy
 
PPTX
The Goat and the Silo
Michael Ducy
 
PPTX
Little Tech, Big Impact - Monktoberfest 2013
Michael Ducy
 
PPT
Object, measure thyself
Michael Ducy
 
PPTX
DevOps Columbus Meetup Kickoff - Infrastructure as Code
Michael Ducy
 
PPTX
DevOpsDays Amsterdam - DudeOps: Why The Big Lebowski is About Your IT Project
Michael Ducy
 
PPTX
I've Got 99 Problems But DevOps Ain't One
Michael Ducy
 
PPT
DudeOps - Why The Big Lebowski is About Building a Cloud
Michael Ducy
 
PPTX
Defrag - How Your Enterprise Software Vendor is Ripping You Off
Michael Ducy
 
Rethinking Open Source in the Age of Cloud
Michael Ducy
 
Sysdig Tokyo Meetup 2018 02-27
Michael Ducy
 
Survey of Container Build Tools
Michael Ducy
 
Monoliths, Myths, and Microservices - CfgMgmtCamp
Michael Ducy
 
Monoliths, Myths, and Microservices
Michael Ducy
 
Why Pipelines Matter
Michael Ducy
 
The Future of Everything
Michael Ducy
 
Improving Goat Production
Michael Ducy
 
Changing the Way Development and Operations Works
Michael Ducy
 
CloudStack Day 14 - Automation: The Key to Hybrid Cloud
Michael Ducy
 
The Road to Hybrid Cloud is Paved with Automation
Michael Ducy
 
The Velocity of Bureaucracy
Michael Ducy
 
The Goat and the Silo
Michael Ducy
 
Little Tech, Big Impact - Monktoberfest 2013
Michael Ducy
 
Object, measure thyself
Michael Ducy
 
DevOps Columbus Meetup Kickoff - Infrastructure as Code
Michael Ducy
 
DevOpsDays Amsterdam - DudeOps: Why The Big Lebowski is About Your IT Project
Michael Ducy
 
I've Got 99 Problems But DevOps Ain't One
Michael Ducy
 
DudeOps - Why The Big Lebowski is About Building a Cloud
Michael Ducy
 
Defrag - How Your Enterprise Software Vendor is Ripping You Off
Michael Ducy
 

Recently uploaded (20)

PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
KodekX | Application Modernization Development
KodekX
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
KodekX | Application Modernization Development
KodekX
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Encapsulation theory and applications.pdf
gurumoop
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Approach and Philosophy of On baking technology
30anthuong17
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 

Securing your Container Environment with Open Source

  • 1. @mfdii Michael Ducy, Sysdig, @mfdii Securing your Container Environment with Open Source
  • 2. @mfdii Layers Container Security Infra, Build, Runtime Container Security Challenges Open Source Tools For: - Infra - Build - Runtime Container Security Architecture Agenda
  • 3. @mfdii Layers of Container Security Runtime Build Infrastructure
  • 5. @mfdii Build Image/Software Provenance - Signed Images/Layers - Artifact Signing Vulnerability Management - Upstream OS - Application Vulnerabilities
  • 7. @mfdii Decisions Pushed to Edge Ephemeral Nature of Containers Attack Surface Resource Isolation Challenges of Container Security
  • 9. @mfdii Infrastructure Security Cluster: - RBAC, Security Policies, Affinity Host/Container Runtime: - Seccomp, SELinux, AppArmor, Resource Constraints Network: - Service Mesh, Network Policy, Network Filtering
  • 10. @mfdii Security Policies Security Policies define: - Access to host resources: - Filesystem, Host Network, Namespaces - User/Group of Container - Read Only Filesystem - Linux capabilities available: - http://man7.org/linux/man-pages/man7/capabilities.7.html - Seccomp, AppArmor, or SELinux profiles
  • 11. @mfdii Linux Security Modules SELinux System wide execution policy Apparmor System wide execution policy, focused on processes Seccomp Per process system call isolation
  • 12. @mfdii LSMs $ docker run --security-opt "apparmor=<profile>" $ docker run --security-opt seccomp=/path/to/seccomp/profile.json
  • 13. @mfdii Security Policies apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: restricted annotations: seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' spec: privileged: false # Required to prevent escalations to root. allowPrivilegeEscalation: false # This is redundant with non-root + disallow privilege escalation, # but we can provide it for defense in depth. requiredDropCapabilities: - ALL # Allow core volume types. volumes: - 'configMap' - 'emptyDir' - 'projected' - 'secret' - 'downwardAPI' # Assume that persistentVolumes set up by the cluster admin are safe to use. - 'persistentVolumeClaim' hostNetwork: false
  • 14. @mfdii Container Affinity/Constraints Affinity ensures: - Containers with sensitive data or data processing routines are next scheduled next to other containers Strong labeling schema encouraged/required.
  • 15. @mfdii Kubernetes Pod Affinity apiVersion: v1 kind: Pod metadata: name: with-node-affinity spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/e2e-az-name operator: In values: - e2e-az1 - e2e-az2 preferredDuringSchedulingIgnoredDuringExecution: - weight: 1 preference: matchExpressions: - key: another-node-label-key operator: In values: - another-node-label-value
  • 16. @mfdii Host/Container Runtime Security CIS Benchmarks for Docker Hosts - https://www.cisecurity.org/benchmark/docker/ - Chef’s Inspec to scan for policy violations - https://inspec.io - https://github.com/dev-sec/cis-docker-benchmark - Docker Bench for Security - https://github.com/docker/docker-bench-security
  • 17. @mfdii Networking Standard Firewall Rules/Security Groups - Common exploit point are dashboards or API ports open. Kubernetes: - Network Policies, Container Networking Interface Network Filtering - Kernel level L3/L4/L7 - Cilium - https://cilium.io/
  • 18. @mfdii Cilium apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy description: "L3-L4 policy to restrict deathstar access to empire ships only" metadata: name: "rule1" spec: endpointSelector: matchLabels: org: empire class: deathstar ingress: - fromEndpoints: - matchLabels: org: empire toPorts: - ports: - port: "80" protocol: TCP
  • 20. @mfdii Cilium apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy description: "L7 policy to restrict access to specific HTTP call" metadata: name: "rule1" spec: endpointSelector: matchLabels: org: empire class: deathstar ingress: - fromEndpoints: - matchLabels: org: empire toPorts: - ports: - port: "80" protocol: TCP rules: http: - method: "POST" path: "/v1/request-landing"
  • 22. @mfdii Build Security Network Storage Host Cluster App Code App Runtime Libraries OS App Code App Runtime Libraries OS App Code App Runtime Libraries OS Container Runtime
  • 23. @mfdii Build Security Image/Artifact Provenance: - Artifact signing, trusted registries, admittance control Vulnerability Management: - Image scanning, OS libraries, application libraries
  • 24. @mfdii Image Scanning Clair - Static analysis of vulnerabilities in application containers. - Focuses on Operating System packages and libraries - https://github.com/coreos/clair Anchore - Analyzes container images against user defined policies. - https://github.com/anchore
  • 25. @mfdii CoPilot & Openhub CoPilot - Open Source Application Dependency Vulnerability Management - https://copilot.blackducksoftware.com/ - Incorporate into your build process OpenHub - Compare open source project usage, and project health - https://www.openhub.net/
  • 26. @mfdii Notary & Portieris Notary - Signs collections of digital content (Artifacts) - Project from Docker - Docker Content Trust - Implementation of The Update Framework - https://github.com/theupdateframework/ Portieries - Kubernetes Admission controller for enforcing Content Trust - https://github.com/IBM/portieris - https://schd.ws/hosted_files/kccnceu18/41/kubernetes-notary-tuf.pdf - https://www.youtube.com/watch?v=JK70k_B87mw
  • 28. @mfdii Runtime Security Network Storage Host Cluster App Code App Runtime Libraries OS App Code App Runtime Libraries OS App Code App Runtime Libraries OS Container Runtime
  • 29. @mfdii Runtime Security Service/Container Admittance - What’s Allowed to Run/Join a Service Secure Secrets - How do applications authenticate Anomaly Detection - Is my runtime environment being tampered with? Forensics - What happened if something was compromised?
  • 30. @mfdii Service Identity How can you verify a service is who it says it is? SPIFFE - Secure Production Identity Framework For Everyone - Cryptographically verifiable Service IDs - https://github.com/spiffe/spiffe
  • 32. @mfdii Anomaly Detection - Containers are isolated processes. - Processes are “scoped” as to what’s expected. - Container images are immutable, runtime environments often aren’t. - How do you detect “abnormal” behavior.
  • 33. @mfdii Sysdig Falco A behavioral activity monitor •Detects suspicious activity defined by a set of rules •Uses Sysdig’s flexible and powerful filtering expressions With full support for containers/orchestration •Utilizes sysdig’s container & orchestrator support And flexible notification methods •Alert to files, standard output, syslog, programs Open Source •Anyone can contribute rules or improvements
  • 34. @mfdii Quick examples A shell is run in a container container.id != host and proc.name = bash Overwrite system binaries fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) and write Container namespace change evt.type = setns and not proc.name in (docker, sysdig) Non-device files written in /dev (evt.type = create or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null Process tries to access camera evt.type = open and fd.name = /dev/video0 and not proc.name in (skype, webex)
  • 36. @mfdii Falco Rules 25 common rules available OOTB Focused on common container best practices: ■ Writing files in bin or etc directories ■ Reading sensitive files ■ Binaries being executed other than CMD/ENTRYPOINT
  • 37. @mfdii Falco rules .yaml file containing Macros, Lists, and Rules - macro: bin_dir condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) - list: shell_binaries items: [bash, csh, ksh, sh, tcsh, zsh, dash] - rule: write_binary_dir desc: an attempt to write to any file below a set of binary directories condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)" priority: WARNING
  • 38. @mfdii Active Security with Falco, NATS, and Kubeless Falco NATS Kubeless Detects abnormal event, Publishes alert to NATS Subscribers receive Falco Alert through NATS Server Kubeless receives Falco Alert, firing a function to delete the offending Kubernetes Pod
  • 39. @mfdii Join the community • Website •http://www.sysdig.org/falco • Public Slack •http://slack.sysdig.com/ •https://sysdig.slack.com/messages/falco • Blog •https://sysdig.com/blog/tag/falco/ • Sysdig Secure •http://sysdig.com/product/secure
  • 40. @mfdii Learn more Github • https://github.com/draios/falco • Pull Requests welcome! Wiki • https://github.com/draios/falco/wiki Docker Hub • https://hub.docker.com/r/sysdig/falco/