SlideShare ist ein Scribd-Unternehmen logo

Containers and Security for DevOps

Als PPTX, PDF herunterladen
Salesforce Engineering
Salesforce Engineering

The tech talk was given by Cem Gurkok, Salesforce Lead InfoSec Engineer

Technologie
1 von 37
Cem Gurkok Lead InfoSec Engineer cgurkok@salesforce.com @CGurkok Containers and Security
Agenda • Threats • Container pipelines and integrity • Monitoring containers, hosts, apps, networks • Digital Forensics • Vulnerability Management • Hardening • Demo?
Threat s
Container Threats & Challenges Run-time • Container exploit and resource exposure (App) • Breaking out of container • Cross-container attacks • Resource overuse (DoS) At-rest or transport • Tampering of images • Unpatched OS or applications
Mitigations
Securing the Pipeline Docker Security Platform Security Access Controls Content Security Monitoring and Response
The Pipeline
Container Pipeline & Security Base OS and Docker File Base OS Image DEV Docker Trusted Registry + Notary Developer RelEng Image DEV Docker Trusted Registry + Notary Continuous Integration PROD Docker Trusted Registry + Notary Running in PROD Monitoring in all steps. 1. Security Review and Hardening 2. Signing, Authentication, Image Vulnerability Scans 3. Authentication, Verification 4. Signing, Authentication, Image Vulnerability Scans 5. Authentication 6. Authentication, Verification 7. Authentication, Verification, Vulnerability Scans 8. Incident Response, Digital Forensics, Patching
Access Control: Authentication • LDAP Auth over SSL for Docker image transactions: • Users (Devs, RelEng) • Service accounts • Mutual TLS Authentication for registry replication Dev Systems Dev Registry Prod Registry Build & Test DMZ Services Master Registry TLS
Container Integrity Docker Trusted Registry (DTR) • On-premise • Authenticated transactions with LDAPS authentication • DEV and PROD user and image separation • Users will not be able to disable signing validation • Validation will be transparent to the users
Container Integrity Build & Test Docker Notary • Enable Docker Content Trust on consumers • Can enable signing checks on every managed host • Signature verification transparent to users Notary Master DMZ Services Prod Services Sign Validate Validate
Master Docker Registry DE V DMZ Notary Master LDAPS Auth Notary Signing Dev Docker Registry PRO D Mirrored Read-only Registry or Caching Proxy Docker packaged services Mutual TLS Auth HTTPS Pull Validate Dev Systems LDAPS user acct HTTPS Push to Dev Authenticated pulls LDAPS Auth HTTPS Push and Sign HTTPS Pull Sign LDAPS Auth HTTPS Push Already Signed Docker packaged services in DMZ HTTPS No Auth Pull Validate RelEng promotes to DMZ Release case Ticketing System
Hardening
Hardening: Host • Frequent patching • Install only needed components and libraries (i.e. no gcc or bash) • Grsecurity/PaX for the kernel • File system integrity monitoring (no docker bin mods!) • Leverage Linux isolation capabilities!!
Hardening: Container • Base image and app with latest updates/patches • Leverage User namespaces (run as low priv user on host) • Leverage the Docker AuthZ Plugin for granular access control • Use Secure Computing Mode profiles (seccomp) for runtime syscall filtering • docker --security-opt seccomp=/path kernel ?
Hardening: Container • Avoid using Docker with the --privileged flag • Limit access to the docker user and group • Limit and/or separate host and kernel device access • Use --read-only when running containers (immutability) • Install only needed components and libraries (i.e. no gcc or ssh) •
Hardening: Docker Bench for Security • Docker Bench for Security to the rescue! • https://github.com/docker/ docker-bench-security • Checks based on best practices for hosts and containers * https://github.com/docker/docker-bench-security
Hardening: Vulnerability Management Image Scans with tools, such as Docker Security Scanning: • Operating System • Application source code and libraries Network Scans with traditional vuln scanners: • Discovery • Exposed services Auto and Manual source code audits * “Securing the Software Supply Chain with Docker, ” May 2016, Nathan McCauley
Hardening: Vulnerability Management • Scanning • Docker Images • Applications • Remediation • Prioritization and SLAs for Patching • Relaunching containers after patching Δt
Monitoring
Network Infrastructure • Bridged networking on Host • Containers assigned VNICs, IP addresses, and hostnames • Containers isolated via VLANs (i.e. DB, Web App) • Tap interface for monitoring • Security Policies per VLANs and Zones
Network Infrastructure
Monitoring: Network Network traffic captured for: • Inter-container communications • Host communications • Resource communications (i.e. DB, Public Internet) Network traffic sent to: • IDS (Intrusion Detection System) • Netflow generator • Output sent to SIEM for analysis
Monitoring: Hosts Logs: • All host logs are saved (including auditd for syscall monitoring) • SIEM agents consume and forward the logs from hosts • Monitoring, Dashboarding, Alerting at SIEM Host SIEM
Monitoring: Containers & Apps • Logs are monitored similar to host • OS + Application logs • Network activity monitoring • IP address assignments • Netflows • IDS (Intrusion Detection System) • Raw Network Traffic Capture
Monitoring: Host, Containers & Apps Disk activity monitoring • File system integrity • Run time layer monitoring Memory monitoring • Docker and container process activity • Process integrity: Engine + Containers
Digital Forensics
Digital Forensics • Incident Response Plan/Policies • Live/Post-mortem Memory Forensics • Disk Forensics • Network Monitoring/Forensics
Disk Forensics • Build supertimeline to have integrated view of events • Data Sources: • Raw Disk Image • Log Files • Binaries • Tools • The Sleuth Kit: File system analysis • Plaso: Build supertimeline • dd: Raw disk image dd Sleuth Kit Plaso
Memory Forensics Why Memory Forensics? • Nothing can hide in memory! • Faster artifact discovery vs. disk forensics
Memory Forensics Analyze host memory • Live /dev/*mem • VM memory file • Memory dump/sample Tools: • Analysis (most OS and sample format): • The Volatility Framework • Memory sampling on Linux: LiME, linpmem LiME linpmem
Memory Forensics: Process Hierarchy • pstree_hash [new]: View Docker processes in a tree view based on the PID hash table vs. linked list • Use case: Detect rogue or injected child processes/ containers
Memory Forensics: Loaded Libraries • linux_proc_maps: shows process memory maps, their permissions and original file paths (executable and libraries) • Use case: Detect Shared Library Injections
Memory Forensics: Process Integrity • process_compare [new]: Detect if user space binary has been tampered with in memory (in memory binary vs. on disk) [5] • Works when binary symbols can’t be extracted
Summary Platform Security Isolation Hardening Best Practices Vulnerability Scans Content Security Registry Notary Image/Code Signing Image/Code Scanning Access Controls LDAP S User Authentication System Authentication Monitoring and Response IR Plan & Testing Vulnerability Management Network Logs Forensics
Thank Y u
References 1. “CIS Docker 1.6 Benchmark,” Center for Internet Security 2. “Introduction to Container Security,” Docker.com 3. “Understanding and Hardening Linux Containers,” NCC Group 4. “Abusing Privileged and Unprivileged Linux Containers,” NCC Group 5. “The Volatility Framework,” https://github.com/volatilityfoundation/volatility 6. “Identifying the Unknown in User Space Memory,” Andrew White 7. “LiME,” https://github.com/504ensicsLabs/LiME 8. “linpmem,” http://www.rekall-forensic.com/docs/Tools/ 9. “The Sleuth Kit,” http://www.sleuthkit.org/ 10. “Plaso,” https://github.com/log2timeline/plaso

Empfohlen

Securing the Container Pipeline
Securing the Container PipelineSecuring the Container Pipeline
Securing the Container PipelineSalesforce Engineering
 
Docker & Daily DevOps
Docker & Daily DevOpsDocker & Daily DevOps
Docker & Daily DevOpsSatria Ady Pradana
 
Container Security
Container SecurityContainer Security
Container SecuritySalman Baset
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Shakacon
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and BeyondBlack Duck by Synopsys
 
XFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingXFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingShakacon
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxMichael Boelen
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Zach Hill
 

Empfohlen

Securing the Container Pipeline
Securing the Container PipelineSecuring the Container Pipeline
Securing the Container PipelineSalesforce Engineering
 
Docker & Daily DevOps
Docker & Daily DevOpsDocker & Daily DevOps
Docker & Daily DevOpsSatria Ady Pradana
 
Container Security
Container SecurityContainer Security
Container SecuritySalman Baset
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Shakacon
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and BeyondBlack Duck by Synopsys
 
XFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingXFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingShakacon
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxMichael Boelen
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Zach Hill
 
Docker Security and Content Trust
Docker Security and Content TrustDocker Security and Content Trust
Docker Security and Content Trustehazlett
 
DockerCon EU 2015: Persistent, stateful services with docker cluster, namespa...
DockerCon EU 2015: Persistent, stateful services with docker cluster, namespa...DockerCon EU 2015: Persistent, stateful services with docker cluster, namespa...
DockerCon EU 2015: Persistent, stateful services with docker cluster, namespa...Docker, Inc.
 
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...Docker, Inc.
 
Building a Secure App with Docker - Ying Li and David Lawrence, Docker
Building a Secure App with Docker - Ying Li and David Lawrence, DockerBuilding a Secure App with Docker - Ying Li and David Lawrence, Docker
Building a Secure App with Docker - Ying Li and David Lawrence, DockerDocker, Inc.
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerShakacon
 
Socially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorSocially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorMike Felch
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container securityJohn Kinsella
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security OverviewSreenivas Makam
 
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Codemotion
 
Using IT Automation for deploy infrostructure for microservices
Using IT Automation for deploy infrostructure for microservicesUsing IT Automation for deploy infrostructure for microservices
Using IT Automation for deploy infrostructure for microservicesVad Tymoshyk
 
Practical Approaches to Container Security
Practical Approaches to Container SecurityPractical Approaches to Container Security
Practical Approaches to Container SecurityShea Stewart
 
Docker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your containerDocker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your containerRonak Kogta
 
Testing Docker Security Linuxlab 2017
Testing Docker Security Linuxlab 2017Testing Docker Security Linuxlab 2017
Testing Docker Security Linuxlab 2017Jose Manuel Ortega Candel
 
Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container SecurityJim Barlow
 
You, and Me, and Docker Makes Three
You, and Me, and Docker Makes ThreeYou, and Me, and Docker Makes Three
You, and Me, and Docker Makes ThreeChristopher Grayson
 
Troubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support EngineerTroubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support EngineerJeff Anderson
 
DockerCon 2016 Recap
DockerCon 2016 RecapDockerCon 2016 Recap
DockerCon 2016 Recapehazlett
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Sysdig
 
DockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDocker, Inc.
 
Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Docker, Inc.
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers SecurityStephane Woillez
 

Weitere ähnliche Inhalte

Was ist angesagt?

Docker Security and Content Trust
Docker Security and Content TrustDocker Security and Content Trust
Docker Security and Content Trustehazlett
 
DockerCon EU 2015: Persistent, stateful services with docker cluster, namespa...
DockerCon EU 2015: Persistent, stateful services with docker cluster, namespa...DockerCon EU 2015: Persistent, stateful services with docker cluster, namespa...
DockerCon EU 2015: Persistent, stateful services with docker cluster, namespa...Docker, Inc.
 
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...Docker, Inc.
 
Building a Secure App with Docker - Ying Li and David Lawrence, Docker
Building a Secure App with Docker - Ying Li and David Lawrence, DockerBuilding a Secure App with Docker - Ying Li and David Lawrence, Docker
Building a Secure App with Docker - Ying Li and David Lawrence, DockerDocker, Inc.
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerShakacon
 
Socially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorSocially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorMike Felch
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container securityJohn Kinsella
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security OverviewSreenivas Makam
 
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Codemotion
 
Using IT Automation for deploy infrostructure for microservices
Using IT Automation for deploy infrostructure for microservicesUsing IT Automation for deploy infrostructure for microservices
Using IT Automation for deploy infrostructure for microservicesVad Tymoshyk
 
Practical Approaches to Container Security
Practical Approaches to Container SecurityPractical Approaches to Container Security
Practical Approaches to Container SecurityShea Stewart
 
Docker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your containerDocker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your containerRonak Kogta
 
Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container SecurityJim Barlow
 
You, and Me, and Docker Makes Three
You, and Me, and Docker Makes ThreeYou, and Me, and Docker Makes Three
You, and Me, and Docker Makes ThreeChristopher Grayson
 
Troubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support EngineerTroubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support EngineerJeff Anderson
 
DockerCon 2016 Recap
DockerCon 2016 RecapDockerCon 2016 Recap
DockerCon 2016 Recapehazlett
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Sysdig
 
DockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDocker, Inc.
 

Was ist angesagt? (20)

Docker Security and Content Trust
Docker Security and Content TrustDocker Security and Content Trust
Docker Security and Content Trust
 
DockerCon EU 2015: Persistent, stateful services with docker cluster, namespa...
DockerCon EU 2015: Persistent, stateful services with docker cluster, namespa...DockerCon EU 2015: Persistent, stateful services with docker cluster, namespa...
DockerCon EU 2015: Persistent, stateful services with docker cluster, namespa...
 
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
 
Building a Secure App with Docker - Ying Li and David Lawrence, Docker
Building a Secure App with Docker - Ying Li and David Lawrence, DockerBuilding a Secure App with Docker - Ying Li and David Lawrence, Docker
Building a Secure App with Docker - Ying Li and David Lawrence, Docker
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layer
 
Socially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorSocially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front Door
 
Container security
Container securityContainer security
Container security
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
 
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
 
Using IT Automation for deploy infrostructure for microservices
Using IT Automation for deploy infrostructure for microservicesUsing IT Automation for deploy infrostructure for microservices
Using IT Automation for deploy infrostructure for microservices
 
Practical Approaches to Container Security
Practical Approaches to Container SecurityPractical Approaches to Container Security
Practical Approaches to Container Security
 
Docker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your containerDocker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your container
 
Testing Docker Security Linuxlab 2017
Testing Docker Security Linuxlab 2017Testing Docker Security Linuxlab 2017
Testing Docker Security Linuxlab 2017
 
Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container Security
 
You, and Me, and Docker Makes Three
You, and Me, and Docker Makes ThreeYou, and Me, and Docker Makes Three
You, and Me, and Docker Makes Three
 
Troubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support EngineerTroubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support Engineer
 
DockerCon 2016 Recap
DockerCon 2016 RecapDockerCon 2016 Recap
DockerCon 2016 Recap
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
 
DockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker Security
 

Ähnlich wie Containers and Security for DevOps

Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Docker, Inc.
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers SecurityStephane Woillez
 
DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDocker, Inc.
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceBlack Duck by Synopsys
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!Sysdig
 
Preparing your dockerised application for production deployment
Preparing your dockerised application for production deploymentPreparing your dockerised application for production deployment
Preparing your dockerised application for production deploymentDave Ward
 
Using Docker in production: Get started today!
Using Docker in production: Get started today!Using Docker in production: Get started today!
Using Docker in production: Get started today!Clarence Bakirtzidis
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container SecurityKsenia Peguero
 
Enhancing OpenShift Security for Business Critical Deployments
Enhancing OpenShift Security for Business Critical DeploymentsEnhancing OpenShift Security for Business Critical Deployments
Enhancing OpenShift Security for Business Critical DeploymentsDevOps.com
 
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...NETWAYS
 
The eBay-Way Meetup IL - CI/CD with Microservices
The eBay-Way Meetup IL - CI/CD with MicroservicesThe eBay-Way Meetup IL - CI/CD with Microservices
The eBay-Way Meetup IL - CI/CD with Microservicesyinonavraham
 
Docker Security
Docker SecurityDocker Security
Docker Securityantitree
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)Amazon Web Services
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)Amazon Web Services
 
Containers and security
Containers and securityContainers and security
Containers and securitysriram_rajan
 
Thick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfThick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfSouvikRoy114738
 

Ähnlich wie Containers and Security for DevOps (20)

Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers Security
 
DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at Netflix
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!
 
Preparing your dockerised application for production deployment
Preparing your dockerised application for production deploymentPreparing your dockerised application for production deployment
Preparing your dockerised application for production deployment
 
Using Docker in production: Get started today!
Using Docker in production: Get started today!Using Docker in production: Get started today!
Using Docker in production: Get started today!
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container Security
 
Enhancing OpenShift Security for Business Critical Deployments
Enhancing OpenShift Security for Business Critical DeploymentsEnhancing OpenShift Security for Business Critical Deployments
Enhancing OpenShift Security for Business Critical Deployments
 
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
 
The eBay-Way Meetup IL - CI/CD with Microservices
The eBay-Way Meetup IL - CI/CD with MicroservicesThe eBay-Way Meetup IL - CI/CD with Microservices
The eBay-Way Meetup IL - CI/CD with Microservices
 
Securing Docker Containers
Securing Docker ContainersSecuring Docker Containers
Securing Docker Containers
 
ExpoQA 2017 Docker and CI
ExpoQA 2017 Docker and CIExpoQA 2017 Docker and CI
ExpoQA 2017 Docker and CI
 
Docker & ci
Docker & ciDocker & ci
Docker & ci
 
Docker Security
Docker SecurityDocker Security
Docker Security
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
 
Containers and security
Containers and securityContainers and security
Containers and security
 
Linuxcon secureefficientcontainerimagemanagementharbor
Linuxcon secureefficientcontainerimagemanagementharborLinuxcon secureefficientcontainerimagemanagementharbor
Linuxcon secureefficientcontainerimagemanagementharbor
 
Thick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfThick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdf
 

Mehr von Salesforce Engineering

Locker Service Ready Lightning Components With Webpack
Locker Service Ready Lightning Components With WebpackLocker Service Ready Lightning Components With Webpack
Locker Service Ready Lightning Components With WebpackSalesforce Engineering
 
Techniques to Effectively Monitor the Performance of Customers in the Cloud
Techniques to Effectively Monitor the Performance of Customers in the CloudTechniques to Effectively Monitor the Performance of Customers in the Cloud
Techniques to Effectively Monitor the Performance of Customers in the CloudSalesforce Engineering
 
Predictive System Performance Data Analysis
Predictive System Performance Data AnalysisPredictive System Performance Data Analysis
Predictive System Performance Data AnalysisSalesforce Engineering
 
Aspect Oriented Programming: Hidden Toolkit That You Already Have
Aspect Oriented Programming: Hidden Toolkit That You Already HaveAspect Oriented Programming: Hidden Toolkit That You Already Have
Aspect Oriented Programming: Hidden Toolkit That You Already HaveSalesforce Engineering
 
A Smarter Pig: Building a SQL interface to Pig using Apache Calcite
A Smarter Pig: Building a SQL interface to Pig using Apache CalciteA Smarter Pig: Building a SQL interface to Pig using Apache Calcite
A Smarter Pig: Building a SQL interface to Pig using Apache CalciteSalesforce Engineering
 
Implementing a Content Strategy Is Like Running 100 Miles
Implementing a Content Strategy Is Like Running 100 MilesImplementing a Content Strategy Is Like Running 100 Miles
Implementing a Content Strategy Is Like Running 100 MilesSalesforce Engineering
 
Salesforce Cloud Infrastructure and Challenges - A Brief Overview
Salesforce Cloud Infrastructure and Challenges - A Brief OverviewSalesforce Cloud Infrastructure and Challenges - A Brief Overview
Salesforce Cloud Infrastructure and Challenges - A Brief OverviewSalesforce Engineering
 
Global State Management of Micro Services
Global State Management of Micro ServicesGlobal State Management of Micro Services
Global State Management of Micro ServicesSalesforce Engineering
 
Apache BookKeeper Distributed Store- a Salesforce use case
Apache BookKeeper Distributed Store- a Salesforce use caseApache BookKeeper Distributed Store- a Salesforce use case
Apache BookKeeper Distributed Store- a Salesforce use caseSalesforce Engineering
 

Mehr von Salesforce Engineering (20)

Locker Service Ready Lightning Components With Webpack
Locker Service Ready Lightning Components With WebpackLocker Service Ready Lightning Components With Webpack
Locker Service Ready Lightning Components With Webpack
 
Scaling HBase for Big Data
Scaling HBase for Big DataScaling HBase for Big Data
Scaling HBase for Big Data
 
Techniques to Effectively Monitor the Performance of Customers in the Cloud
Techniques to Effectively Monitor the Performance of Customers in the CloudTechniques to Effectively Monitor the Performance of Customers in the Cloud
Techniques to Effectively Monitor the Performance of Customers in the Cloud
 
Predictive System Performance Data Analysis
Predictive System Performance Data AnalysisPredictive System Performance Data Analysis
Predictive System Performance Data Analysis
 
Apache HBase State of the Project
Apache HBase State of the ProjectApache HBase State of the Project
Apache HBase State of the Project
 
Hit the Trail with Trailhead
Hit the Trail with TrailheadHit the Trail with Trailhead
Hit the Trail with Trailhead
 
HBase/PHOENIX @ Scale
HBase/PHOENIX @ ScaleHBase/PHOENIX @ Scale
HBase/PHOENIX @ Scale
 
Scaling up data science applications
Scaling up data science applicationsScaling up data science applications
Scaling up data science applications
 
Aspect Oriented Programming: Hidden Toolkit That You Already Have
Aspect Oriented Programming: Hidden Toolkit That You Already HaveAspect Oriented Programming: Hidden Toolkit That You Already Have
Aspect Oriented Programming: Hidden Toolkit That You Already Have
 
Monitoring @ Scale in Salesforce
Monitoring @ Scale in SalesforceMonitoring @ Scale in Salesforce
Monitoring @ Scale in Salesforce
 
Performance Tuning with XHProf
Performance Tuning with XHProfPerformance Tuning with XHProf
Performance Tuning with XHProf
 
A Smarter Pig: Building a SQL interface to Pig using Apache Calcite
A Smarter Pig: Building a SQL interface to Pig using Apache CalciteA Smarter Pig: Building a SQL interface to Pig using Apache Calcite
A Smarter Pig: Building a SQL interface to Pig using Apache Calcite
 
Implementing a Content Strategy Is Like Running 100 Miles
Implementing a Content Strategy Is Like Running 100 MilesImplementing a Content Strategy Is Like Running 100 Miles
Implementing a Content Strategy Is Like Running 100 Miles
 
Salesforce Cloud Infrastructure and Challenges - A Brief Overview
Salesforce Cloud Infrastructure and Challenges - A Brief OverviewSalesforce Cloud Infrastructure and Challenges - A Brief Overview
Salesforce Cloud Infrastructure and Challenges - A Brief Overview
 
Koober Preduction IO Presentation
Koober Preduction IO PresentationKoober Preduction IO Presentation
Koober Preduction IO Presentation
 
Finding Security Issues Fast!
Finding Security Issues Fast!Finding Security Issues Fast!
Finding Security Issues Fast!
 
Microservices
MicroservicesMicroservices
Microservices
 
Global State Management of Micro Services
Global State Management of Micro ServicesGlobal State Management of Micro Services
Global State Management of Micro Services
 
The Future of Hbase
The Future of HbaseThe Future of Hbase
The Future of Hbase
 
Apache BookKeeper Distributed Store- a Salesforce use case
Apache BookKeeper Distributed Store- a Salesforce use caseApache BookKeeper Distributed Store- a Salesforce use case
Apache BookKeeper Distributed Store- a Salesforce use case
 

Kürzlich hochgeladen

Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 

Kürzlich hochgeladen (20)

Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 

Containers and Security for DevOps

  • 1. Cem Gurkok Lead InfoSec Engineer cgurkok@salesforce.com @CGurkok Containers and Security
  • 2. Agenda • Threats • Container pipelines and integrity • Monitoring containers, hosts, apps, networks • Digital Forensics • Vulnerability Management • Hardening • Demo?
  • 4. Container Threats & Challenges Run-time • Container exploit and resource exposure (App) • Breaking out of container • Cross-container attacks • Resource overuse (DoS) At-rest or transport • Tampering of images • Unpatched OS or applications
  • 8. Container Pipeline & Security Base OS and Docker File Base OS Image DEV Docker Trusted Registry + Notary Developer RelEng Image DEV Docker Trusted Registry + Notary Continuous Integration PROD Docker Trusted Registry + Notary Running in PROD Monitoring in all steps. 1. Security Review and Hardening 2. Signing, Authentication, Image Vulnerability Scans 3. Authentication, Verification 4. Signing, Authentication, Image Vulnerability Scans 5. Authentication 6. Authentication, Verification 7. Authentication, Verification, Vulnerability Scans 8. Incident Response, Digital Forensics, Patching
  • 9. Access Control: Authentication • LDAP Auth over SSL for Docker image transactions: • Users (Devs, RelEng) • Service accounts • Mutual TLS Authentication for registry replication Dev Systems Dev Registry Prod Registry Build & Test DMZ Services Master Registry TLS
  • 10. Container Integrity Docker Trusted Registry (DTR) • On-premise • Authenticated transactions with LDAPS authentication • DEV and PROD user and image separation • Users will not be able to disable signing validation • Validation will be transparent to the users
  • 11. Container Integrity Build & Test Docker Notary • Enable Docker Content Trust on consumers • Can enable signing checks on every managed host • Signature verification transparent to users Notary Master DMZ Services Prod Services Sign Validate Validate
  • 12. Master Docker Registry DE V DMZ Notary Master LDAPS Auth Notary Signing Dev Docker Registry PRO D Mirrored Read-only Registry or Caching Proxy Docker packaged services Mutual TLS Auth HTTPS Pull Validate Dev Systems LDAPS user acct HTTPS Push to Dev Authenticated pulls LDAPS Auth HTTPS Push and Sign HTTPS Pull Sign LDAPS Auth HTTPS Push Already Signed Docker packaged services in DMZ HTTPS No Auth Pull Validate RelEng promotes to DMZ Release case Ticketing System
  • 14. Hardening: Host • Frequent patching • Install only needed components and libraries (i.e. no gcc or bash) • Grsecurity/PaX for the kernel • File system integrity monitoring (no docker bin mods!) • Leverage Linux isolation capabilities!!
  • 15. Hardening: Container • Base image and app with latest updates/patches • Leverage User namespaces (run as low priv user on host) • Leverage the Docker AuthZ Plugin for granular access control • Use Secure Computing Mode profiles (seccomp) for runtime syscall filtering • docker --security-opt seccomp=/path kernel ?
  • 16. Hardening: Container • Avoid using Docker with the --privileged flag • Limit access to the docker user and group • Limit and/or separate host and kernel device access • Use --read-only when running containers (immutability) • Install only needed components and libraries (i.e. no gcc or ssh) •
  • 17. Hardening: Docker Bench for Security • Docker Bench for Security to the rescue! • https://github.com/docker/ docker-bench-security • Checks based on best practices for hosts and containers * https://github.com/docker/docker-bench-security
  • 18. Hardening: Vulnerability Management Image Scans with tools, such as Docker Security Scanning: • Operating System • Application source code and libraries Network Scans with traditional vuln scanners: • Discovery • Exposed services Auto and Manual source code audits * “Securing the Software Supply Chain with Docker, ” May 2016, Nathan McCauley
  • 19. Hardening: Vulnerability Management • Scanning • Docker Images • Applications • Remediation • Prioritization and SLAs for Patching • Relaunching containers after patching Δt
  • 21. Network Infrastructure • Bridged networking on Host • Containers assigned VNICs, IP addresses, and hostnames • Containers isolated via VLANs (i.e. DB, Web App) • Tap interface for monitoring • Security Policies per VLANs and Zones
  • 23. Monitoring: Network Network traffic captured for: • Inter-container communications • Host communications • Resource communications (i.e. DB, Public Internet) Network traffic sent to: • IDS (Intrusion Detection System) • Netflow generator • Output sent to SIEM for analysis
  • 24. Monitoring: Hosts Logs: • All host logs are saved (including auditd for syscall monitoring) • SIEM agents consume and forward the logs from hosts • Monitoring, Dashboarding, Alerting at SIEM Host SIEM
  • 25. Monitoring: Containers & Apps • Logs are monitored similar to host • OS + Application logs • Network activity monitoring • IP address assignments • Netflows • IDS (Intrusion Detection System) • Raw Network Traffic Capture
  • 26. Monitoring: Host, Containers & Apps Disk activity monitoring • File system integrity • Run time layer monitoring Memory monitoring • Docker and container process activity • Process integrity: Engine + Containers
  • 28. Digital Forensics • Incident Response Plan/Policies • Live/Post-mortem Memory Forensics • Disk Forensics • Network Monitoring/Forensics
  • 29. Disk Forensics • Build supertimeline to have integrated view of events • Data Sources: • Raw Disk Image • Log Files • Binaries • Tools • The Sleuth Kit: File system analysis • Plaso: Build supertimeline • dd: Raw disk image dd Sleuth Kit Plaso
  • 30. Memory Forensics Why Memory Forensics? • Nothing can hide in memory! • Faster artifact discovery vs. disk forensics
  • 31. Memory Forensics Analyze host memory • Live /dev/*mem • VM memory file • Memory dump/sample Tools: • Analysis (most OS and sample format): • The Volatility Framework • Memory sampling on Linux: LiME, linpmem LiME linpmem
  • 32. Memory Forensics: Process Hierarchy • pstree_hash [new]: View Docker processes in a tree view based on the PID hash table vs. linked list • Use case: Detect rogue or injected child processes/ containers
  • 33. Memory Forensics: Loaded Libraries • linux_proc_maps: shows process memory maps, their permissions and original file paths (executable and libraries) • Use case: Detect Shared Library Injections
  • 34. Memory Forensics: Process Integrity • process_compare [new]: Detect if user space binary has been tampered with in memory (in memory binary vs. on disk) [5] • Works when binary symbols can’t be extracted
  • 37. References 1. “CIS Docker 1.6 Benchmark,” Center for Internet Security 2. “Introduction to Container Security,” Docker.com 3. “Understanding and Hardening Linux Containers,” NCC Group 4. “Abusing Privileged and Unprivileged Linux Containers,” NCC Group 5. “The Volatility Framework,” https://github.com/volatilityfoundation/volatility 6. “Identifying the Unknown in User Space Memory,” Andrew White 7. “LiME,” https://github.com/504ensicsLabs/LiME 8. “linpmem,” http://www.rekall-forensic.com/docs/Tools/ 9. “The Sleuth Kit,” http://www.sleuthkit.org/ 10. “Plaso,” https://github.com/log2timeline/plaso