Diese Präsentation wurde erfolgreich gemeldet.
Wir verwenden Ihre LinkedIn Profilangaben und Informationen zu Ihren Aktivitäten, um Anzeigen zu personalisieren und Ihnen relevantere Inhalte anzuzeigen. Sie können Ihre Anzeigeneinstellungen jederzeit ändern.
Jorge Salamero Sanz
Lions, Tigers and Deers:
What building zoos
can teach us about
securing microservices?
% whoami
Jorge Salamero Sanz
<jorge.salamero@sysdig.com> @bencerillo
@sysdig
• Working on OSS last 12 years
• Working on O...
Sysdig
Open Source system troubleshooting
with native container support
(htop, vmstat, netstat, lsof, tcpdump…)
Monitoring...
Traditional deployment
Full host OS
kernel
systemd
syslogd
App services
MySQL
Nginx
OpenSSL
Java
App A
App B
App C
Ops Devs
Containerized deployment
Full host OS
kernel
+
Docker
MySQL App A
Ops DevOps
Nginx + OpenSSL App B
Java 8.0 build XXX App C
How to secure this?
Containerization is not something new to us...
• Establish trust boundaries
• Identify, minimise, and ...
Securing Microservices
Defense in depth Microservices
Single responsibility principle:
• Principle of least privileges
• P...
Container Security Techniques
• New workflows (docker pull vs previous apt update/yum update)
• CI/CD Pipeline (Jenkins, O...
Docker Security Techniques
• Drop privileges
• Limit capabilities
• Do not run as root! containers are not VMs!
• cgroups
...
Scanning
What are my containers doing?
• Static scanning
• Dynamic scanning
Static Scanning
Yay, this was soo easy to deploy! I Docker Hub!
(your developers too, actually they were already using it ...
Image Vulnerability Scanning
• Scan contents of images looking for software versions with
known defects
• Container image ...
Image Vulnerability Scanning
• Scan contents of images looking for software versions with
known defects
• Container image ...
Image Vulnerability Scanning
• Scan contents of images looking for software versions with
known defects
• Container image ...
Image Vulnerability Scanning
• Scan contents of images looking for software versions with
known defects
• Container image ...
Container Security Techniques
OK, no known vulnerabilities, still secure?
Containers are black boxes exposing a behaviour,...
Seccomp
• Seccomp: application system call “sandboxing”
• Create filter (BPF program ) with lists of allowed syscalls
• Ea...
Mandatory Access Control
• SELinux or AppArmor
• Same mechanisms: kernel-level interception/filtering
• features++ && comp...
Behavioral Security Monitoring
• Auditing vs enforcement
• detect intrusions instead of preventing intrusions
• Build rule...
Sysdig Falco
An anomaly detection system built on
top of the sysdig engine
Sysdig ContainerVision
Kernel
Docker
Container
1
Container
2
Container
3
App App
rkt LXC
Kernel module
Instrumentation
What is Sysdig Falco?
• Detects suspicious activity defined by a set of easy
rules
• Uses sysdig’s flexible and powerful f...
Quick Examples
A shell is run in a container container.id != host and proc.name = bash
Overwrite system binaries
fd.direct...
Falco Rules
• .yaml file containing Macros, Lists, and Rules
- macro: bin_dir
condition: fd.directory in (/bin, /sbin, /us...
Alerts and Outputs
• Events that match filter expression (rule) result in alerts
• output field used to format event into ...
Falco Demo
Remember
Container behaviour security monitoring
shouldn’t be difficult...
Learn More
Thank You!
Nächste SlideShare
Wird geladen in …5
×

Lions, Tigers and Deers: What building zoos can teach us about securing microservices?

393 Aufrufe

Veröffentlicht am

How to secure microservices running in containers? Strategies for Docker, Kubernetes, Openshift, RancherOS, DC/OS Mesos.

Privileges, resources and visibility constrains with capabilities, cgroups and namespaces. Image vulnerability scanning and behaviour security monitoring with Sysdig Falco.

Veröffentlicht in: Ingenieurwesen
  • Als Erste(r) kommentieren

  • Gehören Sie zu den Ersten, denen das gefällt!

Lions, Tigers and Deers: What building zoos can teach us about securing microservices?

  1. 1. Jorge Salamero Sanz Lions, Tigers and Deers: What building zoos can teach us about securing microservices?
  2. 2. % whoami Jorge Salamero Sanz <jorge.salamero@sysdig.com> @bencerillo @sysdig • Working on OSS last 12 years • Working on OSS+Cloud last 5 years • Working on monitoring last 3 years • Technical Marketing geek @sysdig
  3. 3. Sysdig Open Source system troubleshooting with native container support (htop, vmstat, netstat, lsof, tcpdump…) Monitoring, alerting, troubleshooting tool for Docker, Kubernetes, Mesos, RancherOS, GCE, ECS
  4. 4. Traditional deployment Full host OS kernel systemd syslogd App services MySQL Nginx OpenSSL Java App A App B App C Ops Devs
  5. 5. Containerized deployment Full host OS kernel + Docker MySQL App A Ops DevOps Nginx + OpenSSL App B Java 8.0 build XXX App C
  6. 6. How to secure this? Containerization is not something new to us... • Establish trust boundaries • Identify, minimise, and harden attack surfaces • Reduce scope and access • Layer protections and defenses From Aaron Grattafiori presented “The Golden Ticket: Docker and High Security Microservices
  7. 7. Securing Microservices Defense in depth Microservices Single responsibility principle: • Principle of least privileges • Principle of least surprise • Principle of least access
  8. 8. Container Security Techniques • New workflows (docker pull vs previous apt update/yum update) • CI/CD Pipeline (Jenkins, Openshift, etc: rebuilds, rolling updates) • Access management, logging & auditing (Kubernetes, Openshift: user roles, namespaces, centralized logging, authn & authz, etc) • Trust boundaries (do you trust entire Docker Hub? Image signing, Docker Notary) • Simplify container OS, tons of useless stuff (RancherOS, Atomic, CoreOS, Alpine Linux, etc) • Network security (Weave, etc) • Secret management (Vaults instead of environment vars, etc)
  9. 9. Docker Security Techniques • Drop privileges • Limit capabilities • Do not run as root! containers are not VMs! • cgroups • Limit resources share, not access restriction • namespaces • Useful for not complete security model • User namespaces • Kubernetes/Openshift security contexts • Host security and access (Docker bench, RO access, etc)
  10. 10. Scanning What are my containers doing? • Static scanning • Dynamic scanning
  11. 11. Static Scanning Yay, this was soo easy to deploy! I Docker Hub! (your developers too, actually they were already using it :P) uhm… wait, is someone maintaining this image? RUN apt-get install -y wget build-essential python python-dev python-pip python-virtualenv RUN wget http://nodejs.org/dist/node-latest.tar.gz RUN tar xvzf node-latest.tar.gz RUN cd node-v* && ./configure && CXX="g++ -Wno-unused-local-typedefs" make && CXX="g++ -Wno-unused-local-typedefs" make install • Static Scanning: • CoreOS Clair, Docker Nautilus, Red Hat CloudForms, etc
  12. 12. Image Vulnerability Scanning • Scan contents of images looking for software versions with known defects • Container image layering can make this efficient (exploits immutable nature of images) Ubuntu: 14.04 Apache: 2.2 Wordpress: 4.6 PHP: 7.0
  13. 13. Image Vulnerability Scanning • Scan contents of images looking for software versions with known defects • Container image layering can make this efficient (exploits immutable nature of images) • Ubuntu: 14.04 Apache: 2.2 Wordpress: 4.6 PHP: 7.0
  14. 14. Image Vulnerability Scanning • Scan contents of images looking for software versions with known defects • Container image layering can make this efficient (exploits immutable nature of images) • Ubuntu: 14.04 Apache: 2.2 Wordpress: 4.6 PHP: 7.0
  15. 15. Image Vulnerability Scanning • Scan contents of images looking for software versions with known defects • Container image layering can make this efficient (exploits immutable nature of images) • Ubuntu: 14.04 Apache: 2.2 Wordpress: 4.6 PHP: 7.0
  16. 16. Container Security Techniques OK, no known vulnerabilities, still secure? Containers are black boxes exposing a behaviour, is something misbehaving? • Dynamic Scanning: • Seccomp • MAC (Mandatory Access Control) • Behavioral Security Monitoring
  17. 17. Seccomp • Seccomp: application system call “sandboxing” • Create filter (BPF program ) with lists of allowed syscalls • Each syscall matched against filter • Failures-> log message, error return, and/or kill process • Docker runs containerized process under a seccomp profile • Notable disallowed syscalls: • clone (creating new namespaces) • reboot (reboot the host) • setns (change namespaces)
  18. 18. Mandatory Access Control • SELinux or AppArmor • Same mechanisms: kernel-level interception/filtering • features++ && complexity++ • Above syscalls: • Actors (process) • Actions (read/write on files/sockets) • Targets (files, IPs, ports) • But what if I only want to put some surveillance in?
  19. 19. Behavioral Security Monitoring • Auditing vs enforcement • detect intrusions instead of preventing intrusions • Build rules that define suspicious/anomalous behavior • Match rules against activity on a system • Auditd (SELinux logger) • Falco (with container capabilities)
  20. 20. Sysdig Falco An anomaly detection system built on top of the sysdig engine
  21. 21. Sysdig ContainerVision Kernel Docker Container 1 Container 2 Container 3 App App rkt LXC Kernel module Instrumentation
  22. 22. What is Sysdig Falco? • Detects suspicious activity defined by a set of easy rules • Uses sysdig’s flexible and powerful filtering expressions (in userspace) • Container support (Docker, Kubernetes, Mesos, etc) • Flexible notification methods • Open Source
  23. 23. Quick Examples A shell is run in a container container.id != host and proc.name = bash Overwrite system binaries fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) and write Container namespace change evt.type = setns and not proc.name in (docker, sysdig) Non-device files written in /dev (evt.type = creat or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null Process tries to access camera evt.type = open and fd.name = /dev/video0 and not proc.name in (skype, webex)
  24. 24. Falco Rules • .yaml file containing Macros, Lists, and Rules - macro: bin_dir condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) - list: package_mgmt_binaries items: [dpkg, dpkg-preconfigu, rpm, rpmkey, yum, frontend] - rule: write_binary_dir desc: an attempt to write to any file below a set of binary directories condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)" priority: WARNING
  25. 25. Alerts and Outputs • Events that match filter expression (rule) result in alerts • output field used to format event into alert message • Sending to: • syslog • file • stdout • shell (e.g. mail -s "Falco Notification" alerts@example.com) • Sysdig Cloud
  26. 26. Falco Demo
  27. 27. Remember Container behaviour security monitoring shouldn’t be difficult...
  28. 28. Learn More
  29. 29. Thank You!

×