Inspecting Security of Docker formatted Container Images to find Peace of Mind
Ján Lieskovský
jlieskov@redhat.com
iankko on #openscap
Docker Concepts - Introductory Notes
Docker Formatted Container Images
Interesting Application Platform
Docker Formatted Container Images
Interesting Application Platform
For developers
● Focus on content (rather than on the build process)
● Data aggregation via Docker Image Specification
● Simplified release management
● Easy customization
Docker Formatted Container Images
Interesting Application Platform
For users
● Abundance of applications available in official hub
● Simple application deployment
● Continuous application lifecycle management
● Easy customization
Basic Docker Terms
Docker image
● Ordered collection of root filesystem changes
● Coupled with corresponding execution parameters
● Doesn’t have a state
● Read-only (never changes)
● Set of layers stacked on top of each other
Basic Docker Terms
Docker image
● Each image is derived from a base image
● Transformed into the final image through a set of steps (instructions)
○ Run a command
○ Add a file or directory
○ Create an environment variable
○ What process to run when launching a container from this image
Docker image vs Docker container
Docker container
● Any (running / stopped) instance of Docker image
● Consists of:
○ Docker image
○ Execution environment
○ Standard set of instructions
● It’s possible to have many running containers of the same image
Docker architecture
Virtual Machines vs Containers
Container security. And why it matters
Container Security Matters
Basic security bricks of Docker daemon / containers
● Kernel security (updates, support for namespaces, cgroups)
● Security of Docker daemon
● Security of specific Dockerfile
Container Security Matters
Kernel namespaces, cgroups
● Form of isolation
● Own network stack per container
● Resource management via cgroups
Container Security Matters
Other kernel features applied in Docker security
● Linux kernel capabilities
● GRSEC, PAX
● SELinux, AppArmor
Container Security Matters
Basic security bricks of Docker daemon / containers
So far looks reasonable, right?
Container Security Matters
But, what if we overlooked something?
22 April 2014 Daniel J Walsh (Red Hat)
Containers do not contain
Bottom line:
● When running a container, not every major kernel subsystem is namespaced
○ SELinux
○ Cgroups
○ File system under /sys
○ /proc/sys, /proc/irq, /proc/bus
○ Devices and kernel modules are not namespaced
Container Security Matters
But, what if we overlooked something? Meet Shocker!
Virtual Machines vs Containers
Container Security Matters
What do the wise men have to say?
22 Jul 2014 Jérôme Petazzoni (Docker Inc.)
Is it Safe to Run Applications in Linux Containers?
Bottom line:
● Don't run things as root
● Drop capabilities
● Enable user namespaces
● Get rid of shady SUID binaries
● Enable SELinux (or AppArmor)
● Use seccomp-bpf
● Get a GRSEC kernel
● Update kernels often
● Mount everything read-only
● Ultimately, fence things in VMs
Container Security Matters
What do the wise men have to say?
03 Sep 2014 Daniel J Walsh (Red Hat)
Bringing new security features to Docker
Bottom line:
● Only run applications from a trusted source
● Run applications on an enterprise-quality host
● Install updates regularly
● Drop privileges as quickly as possible
● Run as non-root whenever possible
● Watch your logs
● setenforce 1
Container Security Matters
Plenty of applications from Official Repositories
Container Security Matters
(Another) Plenty of applications from Custom Repositories
Container Security Matters
Who built these images?
12 Aug 2015 Introduced in Docker v1.8 using The Update Framework
Docker Content Trust Workflow
● Image producer - when pushing an image to a remote repository, the Docker engine signs the content using the publisher’s private key
● Image consumer - when pulling an image, the Docker engine verifies the content of the image using the publisher’s public key. If image tampering is detected, the pull fails
Container Security Matters
Docker Image Signing and Verification
Two types of keys known by Docker Content Trust
○ Tagging Key
■ One such key is created per new repository the publisher owns
■ Intended to be shared with any person / system requiring the ability to
sign content for this repository
○ Offline key
■ Can be shared across repositories
■ Required to create a new repository or to rotate existing tagging keys
Container Security Matters
Docker Image Signing and Verification
Provides
○ Protection against image tampering
○ Protection against image replay attacks
○ Protection against tagging key compromise
Container Security Matters
Docker Image Signing and Verification
Container Security Matters
Who built these images?
Container Security Matters
We know the publisher. But how were all these images built?
Docker image (quick recap)
● Each image is derived from a base image
● Transformed into the final image through a set of steps (instructions)
Creating new images
● Update the container (a running image) and commit the changes to the image
● Build a new image from a Dockerfile
Container Security Matters
How were all these images built?
Container Security Matters
Who can build / update the containers?
Anyone!!!
Container Security Matters
What do we trust in when pulling images?
● The base image the pulled image is derived from was secure
● The newly introduced changes were performed in a secure way
● When a security flaw was found in the base image or in the changes, the image available in the repository has already been updated
Container Security Matters
What do we trust in when pulling images?
Ultimate goal:
● Secure container infrastructure
Container Security Matters
Docker daemon / container security - Lessons Learned
Ultimate goal:
● Secure container infrastructure
Trust the design:
● We can trust Docker design to be secure
But act responsibly:
● Verify that all of the host, daemon and containers truly are secure
Container Security Matters
Docker daemon / container security - Lessons Learned
How to verify (inspect) security of containers / images?
Inspecting Security of Containers / Images
Two separate tasks:
● Inspect presence of security flaws (vulnerability assessment)
● Verify the configuration is secure (security compliance)
Vulnerability Assessment of
Containers / Images
● HTML advisories are easily consumable by humans
● But not suitable for machine processing
Vulnerability Assessment of Containers / Images
● We need a standard
● Security errata information available in the form of that standard
● Scanner able to perform automated scan
Vulnerability Assessment of Containers / Images
● We need a standard to
○ represent configuration information of systems
○ analyze the system for presence of specified machine state (vulnerability, configuration, …)
○ report the results of the assessment back
Vulnerability Assessment of Containers / Images
Open Vulnerability and Assessment Language
Vulnerability Assessment of Containers / Images
● We need a standard
● Security errata information available in the form of that standard
○ Red Hat OVAL security data
○ Ubuntu OVAL security data
○ …
Vulnerability Assessment of Containers
# dnf -y install openscap-containers
# docker pull richxsl/rhel7
# wget http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml
# docker run -i -t richxsl/rhel7 /bin/bash
Vulnerability Assessment of Containers
# oscap-docker container-cve richxsl/rhel7
Definition oval:com.redhat.rhsa:def:20160695: false
Definition oval:com.redhat.rhsa:def:20160685: true
Definition oval:com.redhat.rhsa:def:20160676: false
Definition oval:com.redhat.rhsa:def:20160650: false
Definition oval:com.redhat.rhsa:def:20160612: false
Definition oval:com.redhat.rhsa:def:20160594: false
Definition oval:com.redhat.rhsa:def:20160534: false
Definition oval:com.redhat.rhsa:def:20160532: true
...
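Reading that output by hand does not scale; the following added example (not part of the slides) parses the output of oscap-docker container-cve or image-cve, maps each definition that evaluated to true back to its RHSA advisory, and turns the result into a pass/fail gate. It assumes Red Hat's OVAL definition naming (oval:com.redhat.rhsa:def:YYYYNNNN), where "true" means the image still carries a package version below the fixed one; the sample output is a constructed subset of what the slides show.

```shell
#!/bin/sh
# Added example: turn oscap-docker CVE output into a list of applicable
# Red Hat advisories and use it as a ship / do-not-ship gate.
# Definition IDs look like oval:com.redhat.rhsa:def:20160685, i.e. year 2016,
# advisory 0685, which is RHSA-2016:0685. A definition that evaluates to "true"
# means the advisory applies to the image.

# Print the advisories whose definition evaluated to true, one per line.
# $1: file holding the scanner output (e.g. oscap-docker image-cve IMAGE > scan.txt)
vulnerable_rhsas() {
    awk '
        $1 == "Definition" && $3 == "true" {
            id = $2
            sub(/:$/, "", id)                      # drop the trailing colon
            n = split(id, parts, ":")              # parts[n] holds the digits
            digits = parts[n]
            printf "RHSA-%s:%s\n", substr(digits, 1, 4), substr(digits, 5)
        }' "$1"
}

# Number of applicable advisories (0 when the image is clean).
count_vulnerable() {
    vulnerable_rhsas "$1" | awk 'END { print NR }'
}

# Exit non-zero when any advisory applies, so a CI job can refuse to ship the image.
gate_image() {
    n=$(count_vulnerable "$1")
    if [ "$n" -gt 0 ]; then
        echo "image affected by $n advisory(ies):" >&2
        vulnerable_rhsas "$1" >&2
        return 1
    fi
    echo "no applicable advisories" >&2
    return 0
}

# Constructed sample: a subset of the scanner output shown in the slides.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Definition oval:com.redhat.rhsa:def:20160695: false
Definition oval:com.redhat.rhsa:def:20160685: true
Definition oval:com.redhat.rhsa:def:20160676: false
Definition oval:com.redhat.rhsa:def:20160532: true
EOF

# Real use: oscap-docker image-cve richxsl/rhel7 > scan.txt && gate_image scan.txt
gate_image "$SAMPLE" || echo "gate would block this image" >&2
```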
Vulnerability Assessment of Images
Running untrusted containers might be dangerous!
Let’s scan the images instead !!!
Vulnerability Assessment of Images
# oscap-docker image-cve richxsl/rhel7
Definition oval:com.redhat.rhsa:def:20160695: false
Definition oval:com.redhat.rhsa:def:20160685: true
Definition oval:com.redhat.rhsa:def:20160676: false
Definition oval:com.redhat.rhsa:def:20160650: false
Definition oval:com.redhat.rhsa:def:20160612: false
Definition oval:com.redhat.rhsa:def:20160594: false
Definition oval:com.redhat.rhsa:def:20160534: false
Definition oval:com.redhat.rhsa:def:20160532: true
...
Inspecting Security of Containers / Images
Two separate tasks:
● Inspect presence of security flaws (vulnerability assessment)
● Verify the configuration is secure (security compliance)
Verification if Configuration of Containers / Images is Secure?
# dnf -y install scap-security-guide
Verification if Configuration of Containers / Images is Secure?
# oscap-docker image richxsl/rhel7 xccdf eval --profile standard --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
Questions?
http://www.open-scap.org/tools/
https://github.com/OpenSCAP
(We are hiring)
Ján Lieskovský
jlieskov@redhat.com
iankko on #openscap
Slightly Advanced Topics
Customizing security policy for particular use case
Example use case:
● Detect unauthorised SUID binaries present in the container
● Modify the standard SCAP Security Guide profile to contain just the "file_permissions_unauthorized_suid" rule
● Rescan the image
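The same single-rule profile can be produced without editing the SCAP Security Guide content that the package ships, by writing an XCCDF tailoring file and pointing oscap at it. The following is an added example, not from the slides; the tailoring and profile ids are constructed, and the rule id assumes SSG's usual xccdf_org.ssgproject.content_rule_ prefix for the file_permissions_unauthorized_suid rule.

```shell
#!/bin/sh
# Added example: generate an XCCDF 1.2 tailoring file whose profile selects only
# the SSG rule that flags unauthorized SUID binaries, check what it selects, and
# print the oscap-docker command that rescans the image against it.
# Assumed: SSG's xccdf_org.ssgproject.content_* id naming; the profile and
# tailoring ids below are constructed for this example.

SSG_XCCDF=/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
SUID_RULE=xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid
PROFILE_ID=xccdf_org.example_profile_suid_only      # constructed, not shipped by SSG

# Write the tailoring file. $1: output path.
write_suid_tailoring() {
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                 id="xccdf_org.example_tailoring_suid_only">
  <xccdf:benchmark href="$SSG_XCCDF"/>
  <xccdf:version time="2016-04-27T00:00:00">1</xccdf:version>
  <!-- No "extends": a profile without a parent inherits no selections, and SSG
       rules are unselected by default, so the scan evaluates exactly one rule. -->
  <xccdf:Profile id="$PROFILE_ID">
    <xccdf:title>Unauthorized SUID binaries only</xccdf:title>
    <xccdf:description>Single-rule profile for container image inspection.</xccdf:description>
    <xccdf:select idref="$SUID_RULE" selected="true"/>
  </xccdf:Profile>
</xccdf:Tailoring>
EOF
}

# Print every rule id the tailoring file selects (sanity check before a rescan).
selected_rules() {
    sed -n 's/.*<xccdf:select idref="\([^"]*\)" selected="true".*/\1/p' "$1"
}

# Print the rescan command for a host with docker, openscap-containers and
# scap-security-guide installed. $1: image name, $2: tailoring file path.
scan_command() {
    printf 'oscap-docker image %s xccdf eval --tailoring-file %s --profile %s --report /tmp/suid-report.html %s\n' \
        "$1" "$2" "$PROFILE_ID" "$SSG_XCCDF"
}

TAILORING=$(mktemp)
write_suid_tailoring "$TAILORING"
echo "rules selected by $TAILORING:"
selected_rules "$TAILORING"
echo "rescan with:"
scan_command richxsl/rhel7 "$TAILORING"
```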
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
 

OSDC 2016 - Inspecting Security of Docker formatted Container Images to find Peace of Mind by Ján Lieskovský

  • 1. Inspecting Security of Docker formatted Container Images: To find Peace of Mind
    Ján Lieskovský, jlieskov@redhat.com, iankko on #openscap
  • 2. Docker Concepts - Introductory Notes
  • 3. Docker Formatted Container Images: Interesting Application Platform
  • 4. Docker Formatted Container Images: Interesting Application Platform
    For developers
    ● Focus on content (rather than on the build process)
    ● Data aggregation via the Docker Image Specification
    ● Simplified release management
    ● Easy customization
  • 5. Docker Formatted Container Images: Interesting Application Platform
    For users
    ● Abundance of applications available in the official hub
    ● Simple application deployment
    ● Continuous application lifecycle management
    ● Easy customization
  • 6. Basic Docker Terms: Docker image
    ● Ordered collection of root filesystem changes
    ● Coupled with the corresponding execution parameters
    ● Doesn’t have a state
    ● Read-only (never changes)
    ● Set of layers stacked on top of each other
  • 7. Basic Docker Terms: Docker image
    ● Each image is derived from a base image
    ● Transformed to the final image through a set of steps (instructions)
      ○ Run a command
      ○ Add a file or directory
      ○ Create an environment variable
      ○ What process to run when launching a container from this image
  • 8. Docker image vs Docker container: Docker container
    ● Any (running / stopped) instance of a Docker image
    ● Consists of:
      ○ Docker image
      ○ Execution environment
      ○ Standard set of instructions
    ● It’s possible to have many running containers of the same image
  • 10. Virtual Machines vs Containers
  • 11. Container security. And why it matters
  • 12.–14. Container Security Matters: Basic security bricks of Docker daemon / containers (built up over three slides)
    ● Kernel security (updates, support for namespaces, cgroups)
    ● Security of the Docker daemon
    ● Security of the specific Dockerfile
  • 15. Container Security Matters: Kernel namespaces, cgroups
    ● Form of isolation
    ● Own network stack per container
    ● Resource management via cgroups
  • 16. Container Security Matters: Other kernel features applied in Docker security
    ● Linux kernel capabilities
    ● GRSEC, PaX
    ● SELinux, AppArmor
  • 17. Container Security Matters: Basic security bricks of Docker daemon / containers. So far looks reasonable, right?
  • 18. Container Security Matters: But what if we overlooked something?
  • 19. Container Security Matters: But what if we overlooked something?
    22 April 2014, Daniel J Walsh (Red Hat): Containers do not contain. Bottom line:
    ● When running a container, not every major kernel subsystem is namespaced
      ○ SELinux
      ○ Cgroups
      ○ File system under /sys
      ○ /proc/sys, /proc/irq, /proc/bus
      ○ Devices and kernel modules are not namespaced
  • 20.–22. Container Security Matters: But what if we overlooked something? Meet Shocker!
  • 23. Virtual Machines vs Containers
  • 24. Container Security Matters: What do the wise men have to say?
    22 Jul 2014, Jérôme Petazzoni (Docker Inc.): Is it Safe to Run Applications in Linux Containers? Bottom line:
    ● Don't run things as root
    ● Use seccomp-bpf
    ● Drop capabilities
    ● Get a GRSEC kernel
    ● Enable user namespaces
    ● Update kernels often
    ● Get rid of shady SUID binaries
    ● Mount everything read-only
    ● Enable SELinux (or AppArmor)
    ● Ultimately, fence things in VMs
  • 25. Container Security Matters: What do the wise men have to say?
    03 Sep 2014, Daniel J Walsh (Red Hat): Bringing new security features to Docker. Bottom line:
    ● Only run applications from a trusted source
    ● Run applications on an enterprise-quality host
    ● Install updates regularly
    ● Drop privileges as quickly as possible
    ● Run as non-root whenever possible
    ● Watch your logs
    ● setenforce 1
  • 26. Container Security Matters: Plenty of applications from Official Repositories
  • 27. Container Security Matters: (Another) Plenty of applications from Custom Repositories
  • 28. Container Security Matters: Who built these images?
  • 29. Container Security Matters: Docker Image Signing and Verification
    12 Aug 2015: introduced in Docker v1.8, using The Update Framework (TUF).
    Docker Content Trust workflow
    ● Image producer: when pushing an image to a remote repository, the Docker engine signs the content using the publisher’s private key
    ● Image consumer: when pulling an image, the Docker engine verifies the content of the image using the publisher’s public key. If image tampering is detected, the pull fails
  • 30. Container Security Matters: Docker Image Signing and Verification
    Two types of keys known by Docker Content Trust
    ○ Tagging key
      ■ One such key is created per each new repository the publisher owns
      ■ Intended to be shared with any person / system requiring the ability to sign content for this repository
    ○ Offline key
      ■ Can be shared across repositories
      ■ Required to create a new repository or to rotate existing tagging keys
  • 31. Container Security Matters: Docker Image Signing and Verification
    Provides
    ○ Protection against image tampering
    ○ Protection against image replay attacks
    ○ Protection against tagging key compromise
  • 32. Container Security Matters: Who built these images?
  • 33. Container Security Matters: We know the publisher. But how were all these images built?
  • 34.–35. Container Security Matters: How were all these images built?
    Docker image (quick recap)
    ● Each image is derived from a base image
    ● Transformed to the final image through a set of steps (instructions)
    Creating new images
    ● Update the container (running an image) and commit the changes to the image
    ● Build a new image from a Dockerfile
  • 36.–37. Container Security Matters: Who can build / update the containers? Anyone!!!
  • 38.–41. Container Security Matters: What do we trust in when pulling images?
    ● That the base image the pulled image is derived from was secure
    ● That the newly introduced changes were performed in a secure way
    ● That when a security flaw was found in the base image or in the changes, the image available in the repository has already been updated
  • 42.–44. Container Security Matters: Docker daemon / container security - Lessons Learned
    Ultimate goal:
    ● Secure container infrastructure
    Trust the design:
    ● We can trust the Docker design to be secure
    But act responsibly:
    ● Verify that the host, the daemon and the containers truly are secure
  • 45. How to verify (inspect) the security of containers / images?
  • 46. Inspecting Security of Containers / Images
    Two separate tasks:
    ● Inspect the presence of security flaws (vulnerability assessment)
    ● Verify that the configuration is secure (security compliance)
  • 49. Vulnerability Assessment of Containers / Images
    ● HTML advisories are easily consumable by humans
    ● But not suitable for machine processing
  • 50. (repeated as 53. and 55.) Vulnerability Assessment of Containers / Images
    ● We need a standard
    ● Security errata information available in the form of that standard
    ● A scanner able to perform an automated scan
  • 51. Vulnerability Assessment of Containers / Images
    ● We need a standard to
      ○ represent configuration information of systems
      ○ analyze the system for the presence of a specified machine state (vulnerability, configuration, …)
      ○ report the results of the assessment back
  • 52. Vulnerability Assessment of Containers / Images: Open Vulnerability and Assessment Language (OVAL)
  • 54. Vulnerability Assessment of Containers / Images
    ● We need a standard
    ● Security errata information available in the form of that standard
      ○ Red Hat OVAL security data
      ○ Ubuntu OVAL security data
      ○ …
  • 57. Vulnerability Assessment of Containers
    # dnf -y install openscap-containers
    # docker pull richxsl/rhel7
    # wget http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml
    # docker run -i -t richxsl/rhel7 /bin/bash
  • 58.–59. Vulnerability Assessment of Containers
    # oscap-docker container-cve richxsl/rhel7
    Definition oval:com.redhat.rhsa:def:20160695: false
    Definition oval:com.redhat.rhsa:def:20160685: true
    Definition oval:com.redhat.rhsa:def:20160676: false
    Definition oval:com.redhat.rhsa:def:20160650: false
    Definition oval:com.redhat.rhsa:def:20160612: false
    Definition oval:com.redhat.rhsa:def:20160594: false
    Definition oval:com.redhat.rhsa:def:20160534: false
    Definition oval:com.redhat.rhsa:def:20160532: true
    ...
  • 60.–61. Vulnerability Assessment of Images: Running untrusted containers might be dangerous! Let’s scan the images instead!!!
  • 62.–64. Vulnerability Assessment of Containers
    # oscap-docker image-cve richxsl/rhel7
    Definition oval:com.redhat.rhsa:def:20160695: false
    Definition oval:com.redhat.rhsa:def:20160685: true
    Definition oval:com.redhat.rhsa:def:20160676: false
    Definition oval:com.redhat.rhsa:def:20160650: false
    Definition oval:com.redhat.rhsa:def:20160612: false
    Definition oval:com.redhat.rhsa:def:20160594: false
    Definition oval:com.redhat.rhsa:def:20160534: false
    Definition oval:com.redhat.rhsa:def:20160532: true
    ...
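The "Definition ...: true/false" lines printed by oscap-docker are what a build pipeline has to act on: a definition that evaluates to true means the image still contains a package version the advisory fixes. The following Python script is an added example, not code from the presentation or from the OpenSCAP project. It parses that output, maps each Red Hat OVAL definition id to its advisory id (the YYYYNNNN suffix of oval:com.redhat.rhsa:def:YYYYNNNN is advisory RHSA-YYYY:NNNN) and lists the advisories whose fix is missing. The sample output is the one shown on the slides, embedded inline so the script runs offline; the file name in the usage comment is assumed.

```python
"""Summarise `oscap-docker image-cve` / `container-cve` output.

Added example (not part of the original slides or of OpenSCAP). It turns the
"Definition <oval id>: <result>" lines the scanner prints into a short report.
In Red Hat OVAL content a definition id `oval:com.redhat.rhsa:def:YYYYNNNN`
corresponds to the advisory RHSA-YYYY:NNNN; a result of `true` means the
definition's criteria matched, i.e. the fix is missing from the scanned image.
"""
import re
import sys

# One result line exactly as oscap prints it; the result may be more than one
# word (e.g. "not applicable"), so it is captured loosely.
_LINE_RE = re.compile(
    r"^Definition\s+(?P<def_id>oval:[A-Za-z0-9_.\-]+:def:\d+):\s*(?P<result>.+?)\s*$"
)

# Constructed sample, reproduced from the output shown on the slides.
SAMPLE_OUTPUT = """\
Definition oval:com.redhat.rhsa:def:20160695: false
Definition oval:com.redhat.rhsa:def:20160685: true
Definition oval:com.redhat.rhsa:def:20160676: false
Definition oval:com.redhat.rhsa:def:20160650: false
Definition oval:com.redhat.rhsa:def:20160612: false
Definition oval:com.redhat.rhsa:def:20160594: false
Definition oval:com.redhat.rhsa:def:20160534: false
Definition oval:com.redhat.rhsa:def:20160532: true
"""


def advisory_id(def_id):
    """Map a Red Hat RHSA OVAL definition id to its RHSA id; None for other ids."""
    m = re.match(r"^oval:com\.redhat\.rhsa:def:(\d{4})(\d{4})$", def_id)
    if not m:
        return None
    return "RHSA-%s:%s" % (m.group(1), m.group(2))


def parse_results(text):
    """Return (definition_id, result) tuples, skipping lines that are not
    result lines (oscap progress messages, blank lines, the trailing '...')."""
    results = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            results.append((m.group("def_id"), m.group("result")))
    return results


def unpatched_advisories(text):
    """Sorted ids of definitions that evaluated to `true`, i.e. advisories whose
    fix is missing; non-RHSA definition ids are returned unchanged."""
    found = []
    for def_id, result in parse_results(text):
        if result == "true":
            found.append(advisory_id(def_id) or def_id)
    return sorted(found)


def summarize(text):
    """Counts a CI gate can act on; anything other than true/false is an error."""
    results = parse_results(text)
    return {
        "definitions": len(results),
        "unpatched": sum(1 for _, r in results if r == "true"),
        "errors": sum(1 for _, r in results if r not in ("true", "false")),
    }


if __name__ == "__main__":
    # Pipe the scanner output in, e.g. (oscap_cve_report.py is an assumed name):
    #   oscap-docker image-cve richxsl/rhel7 | python3 oscap_cve_report.py
    # Without piped input the constructed sample above is used.
    data = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    stats = summarize(data)
    for adv in unpatched_advisories(data):
        print("MISSING FIX: %s" % adv)
    print("%(definitions)d definitions checked, %(unpatched)d unpatched, "
          "%(errors)d errors" % stats)
    # Non-zero exit status lets a build pipeline fail on unpatched advisories.
    sys.exit(1 if stats["unpatched"] else 0)
```

Run against the sample, the script reports RHSA-2016:0532 and RHSA-2016:0685 as missing and exits with status 1; the same parsing works for the container-cve output, since both commands print the same line format.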
  • 65. Inspecting Security of Containers / Images
    Two separate tasks:
    ● Inspect the presence of security flaws (vulnerability assessment)
    ● Verify that the configuration is secure (security compliance)
  • 66. Verifying whether the Configuration of Containers / Images is Secure
  • 67. Verifying whether the Configuration of Containers / Images is Secure
    # dnf -y install scap-security-guide
  • 68.–69. Verifying whether the Configuration of Containers / Images is Secure
    # oscap-docker image richxsl/rhel7 xccdf eval --profile standard --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
  • 70. Verifying whether the Configuration of Containers / Images is Secure
  • 73.–75. Slightly Advanced Topics: Customizing the security policy for a particular use case
    Example use case:
    ● Detect unauthorised SUID binaries present in the container
    Steps:
    ● Modify the standard SCAP Security Guide profile to contain just the "file_permissions_unauthorized_suid" rule
    ● Rescan the image
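Narrowing a profile as described on slides 73-75 is normally done with an XCCDF tailoring file rather than by editing the SCAP Security Guide benchmark itself. The following Python script is an added example, not code from the presentation or from the SCAP Security Guide project: it writes a tailoring file defining a new profile that selects only the file_permissions_unauthorized_suid rule, which oscap-docker can then be pointed at with --tailoring-file before rescanning. The rule id follows the xccdf_org.ssgproject.content_rule_* naming of SCAP Security Guide's XCCDF 1.2 content; the data-stream path ssg-rhel7-ds.xml and the profile and tailoring ids in the org.example namespace are assumptions.

```python
"""Generate an XCCDF 1.2 tailoring file that selects a single SSG rule.

Added example, not code from the presentation or from the SCAP Security Guide
project. The element layout (Tailoring > benchmark, version, Profile > title,
select) is the one defined by XCCDF 1.2 and written by SCAP Workbench.
Assumptions: SSG XCCDF 1.2 rule ids (xccdf_org.ssgproject.content_rule_<name>),
the data-stream path /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml and the
profile / tailoring ids in the org.example namespace.
"""
import datetime
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
ET.register_namespace("xccdf-1.2", XCCDF_NS)

SSG_RULE_PREFIX = "xccdf_org.ssgproject.content_rule_"


def _q(tag):
    """Qualified tag name in the XCCDF 1.2 namespace."""
    return "{%s}%s" % (XCCDF_NS, tag)


def build_tailoring(benchmark_href, rule_names, profile_name="suid_only",
                    title="Unauthorized SUID binaries only"):
    """Return the tailoring document as UTF-8 bytes.

    The profile deliberately does not use `extends`: a profile extending the
    standard profile would inherit all of its selections, whereas a fresh
    profile starts empty, so selecting only the listed rules yields a scan of
    exactly those rules.
    """
    tailoring = ET.Element(_q("Tailoring"), id="xccdf_org.example_tailoring_default")
    ET.SubElement(tailoring, _q("benchmark"), href=benchmark_href)
    stamp = datetime.datetime.now(datetime.timezone.utc).replace(microsecond=0)
    version = ET.SubElement(tailoring, _q("version"), time=stamp.isoformat())
    version.text = "1"
    profile = ET.SubElement(tailoring, _q("Profile"),
                            id="xccdf_org.example_profile_%s" % profile_name)
    ET.SubElement(profile, _q("title")).text = title
    for name in rule_names:
        ET.SubElement(profile, _q("select"),
                      idref=SSG_RULE_PREFIX + name, selected="true")
    return ET.tostring(tailoring, encoding="utf-8", xml_declaration=True)


def selected_rules(tailoring_xml):
    """Rule ids a tailoring document selects; handy for checking a file before use."""
    root = ET.fromstring(tailoring_xml)
    return [sel.get("idref") for sel in root.iter(_q("select"))
            if sel.get("selected") == "true"]


def profile_ids(tailoring_xml):
    """Profile ids defined by a tailoring document (the value for --profile)."""
    root = ET.fromstring(tailoring_xml)
    return [p.get("id") for p in root.iter(_q("Profile"))]


if __name__ == "__main__":
    benchmark = "/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"  # assumed path
    doc = build_tailoring(benchmark, ["file_permissions_unauthorized_suid"])
    path = "/tmp/suid-tailoring.xml"
    with open(path, "wb") as fh:
        fh.write(doc)
    # Rescan the image with the narrowed profile; oscap-docker forwards the
    # remaining arguments to `oscap xccdf eval`.
    print("oscap-docker image richxsl/rhel7 xccdf eval --tailoring-file %s "
          "--profile %s --report /tmp/report.html %s"
          % (path, profile_ids(doc)[0], benchmark))
```

The resulting report contains only the SUID rule, so a failing result points straight at the binaries the image added on top of the allowed set; the same generator takes any list of SSG rule names, so other single-purpose checks can be produced the same way.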