1. Docker Security
Secure container deployment on Linux
openSUSE conference, The Hague, 3 May 2015
Michael Boelen
michael.boelen@cisofy.com

2. Michael Boelen
● Founder of CISOfy
● Security + Open Source
○ Rootkit Hunter (malware scan)
○ Lynis (security scan)
● Analysis → Simplify
2

3. Docker and Me
● Understanding
● Development
● Using it
3

4. Results of Research
● Limited resources
● Outdated articles
● Conflicting information
● Security not important?
Proposal: Let's fix (some of) these issues
4

5. Proposal
Security proposals
● Tooling to simplify Linux security → Lynis
● Articles about Docker security → Blog posts
● Provide input to (GitHub) projects → You
● Presentations → In progress
5

6. What
● Stabilize the vessel
● Secure containers
6

7. How
➔ Benefits
➔ Risks
➔ Defenses
➔ Best Practices
7
Photo credits: imagebase.net

8. Why?
Data!
8

9. Why Security?
Data!
● Docker + Software = Data Sharing
● Keep it confidential
9

10. Warning
From this point on,
there might be lies...
10

11. Docker Benefits
11

12. Primary Benefits
● Flexibility
● Scalability
● Better testing
12

13. Segregation
● The art of splitting up things
● The "Holy Grail" of security
● Smaller units = more control
13

14. Granular Control
● Limit users, access and data
● Easier to understand
● Easier to defend
14

15. Information Disclosure
● Decreased chance of data leakage
● Less resources accessible
15

16. Risks
16

17. Risk: Software Issues
Software security
● Bugs
● Security vulnerabilities
● Regular updates needed
● Backdoors? Auditing?
17

18. Risk: Knowledge gap
Quickly evolving
● IT auditor
● Your colleagues
● You...?
18

19. Risk: "Does not contain"
No full isolation (yet)
● Treat containers as a host
● Know strengths and weaknesses
19

20. Defenses
20

21. Docker Website
Start at the download
● HTTPS
● Digital signatures
● Images verified after downloading
21

22. Docker Containers
● Namespaces and cgroups
● Seccomp
● Capabilities
● Frameworks
22

23. Namespaces
Isolates parts of the OS
● PID namespaces
● Network namespaces
● User namespaces → Not really!
23

24. Namespaces
More spaces
● IPC namespaces (process communication)
● UTS namespaces (hostname/NIS)
● Mount namespaces
24

25. Seccomp
● Secure computing mode
● Filters syscalls with BPF
● Isolation, not virtualization
● Used in software like:
○ Chrome, OpenSSH, vsftpd
○ LXD and Mbox
25

26. Seccomp
Default list of blocked calls
● kexec_load
● open_by_handle_at
● init_module
● finit_module
● delete_module
26

27. Control Groups (cgroups)
● Restrict resources
● Prioritize
● Accounting
● Control
27

28. Capabilities
● Root user → split into roles
● Default list of allowed capabilities
● --cap-add / --cap-drop
● Combine (e.g. add all, drop a few)
28

29. Capabilities
Examples
● CAP_NET_ADMIN - Configure networking
● CAP_SETPCAP - Process capabilities
● CAP_SYS_MODULE - Insert and remove
kernel modules
29

30. Frameworks
AppArmor / SELinux
● MAC frameworks
● Help with containment
● Learning them now, will pay off later
30

31. Audit Subsystem
● Developed by Red Hat
● Files / system calls
● Monitors the (system | file) integrity
31

32. Auditing
Audit (example)
# Time related calls
-a always,exit -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -S clock_settime -k time-change
# Hostname and domain
-a always,exit -S sethostname -S setdomainname -k system-locale
# Password files
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k identity
32

33. Best Practices
33

34. Docker Host Hardening 1/2
● Security = Defense in Depth
● Use AppArmor / SELinux / GRSEC
● Limit
○ users / services / network
34

35. Docker Host Hardening 2/2
● Update your kernel on a regular basis
● Stay up-to-date with Docker
● Limit Docker permissions
35

36. Containers
Harden your Containers
● Use AppArmor / SELinux
● Drop capabilities (man capabilities)
● Filter syscalls (seccomp)
● Network filtering (iptables)
36

37. Read-Only Containers
Least amount of privileges
● Docker 1.5
● --read-only
● Restrict writing to volumes
37

38. Logging
Don't let containers be a black box
● Docker 1.6
● --log-driver
○ none
○ syslog
○ json-file
38

39. Limit Resources
Ulimit
● Default too high
● Set new container default
○ Docker 1.6
○ --default-ulimit
● On run: --ulimit
39

40. Docker Management
"Invisibilize"
● Encrypt connections
● Configure and use TLS, set variables:
○ DOCKER_HOST
○ DOCKER_TLS_VERIFY
40

41. Docker Management
SSH in containers
● Don't use this..
● Use “docker exec -it mycontainer bash”
41

42. Read-Only
● Mounts
● Data
● Configuration
● Use --read-only
42

43. Using Mappings
● Map users to non-privileged
○ /etc/subuid
○ /etc/subgid
43

44. Trust
Or Don't...
● Verify downloads
● Be careful with images from others
● Measure, monitor, audit
44

45. Auditing
Tools
● Lynis
● OpenSCAP
45

46. Docker News
Things go quick with Docker
● Stay informed
● Follow the Docker blog
● Keep an eye on Docker (/LXC/LXD) news
46

47. Questions?
47

48. More Docker Security
● Blog: linux-audit.com
● Twitter: @mboelen
48