Practical Docker Security

Hack.lu - Thursday 18 October 2018

Overview

  • @PaulWebSec
  • After this presentation, you will:
  • (Hopefully) improve your Docker skills
  • Learn about proper isolation within a Docker environment
  • Capabilities management
  • Seccomp profiles

And a bunch of other stuff!

PID Namespace

Resource groups

Stress it! (1/2)

Stress it! (2/2)

But there’s way moar

You can limit:

  • CPU usage
  • Memory (RAM, …)
  • etc.

Link: https://docs.docker.com/config/containers/resource_constraints/

PID Limits

:(){ :|: & };:

Fork bomb!
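The resource-limit and PID-limit slides above fit together: the pids cgroup is the control that stops a fork bomb from exhausting the host's process table. The following shell functions are an added example (not from the talk): `run_limited` starts a container with the documented `--cpus`, `--memory`, `--memory-swap` and `--pids-limit` options, and `pids_limit` / `pids_limit_status` read back the limit the kernel enforces, from inside the container. The function names, the `DOCKER` override (`DOCKER=echo` dry-runs the command) and the cgroup-root parameter are this example's own.

```shell
#!/bin/sh
# Added example (not from the talk). DOCKER can be overridden, e.g. DOCKER=echo,
# to dry-run the commands; function names are this example's own.
DOCKER="${DOCKER:-docker}"

# Start a container with CPU, memory and PID limits. All flags are documented
# docker run options; 64 PIDs is far below what a fork bomb needs to hurt the host.
run_limited() {
  name="$1"; image="$2"; shift 2
  $DOCKER run -d --name "$name" \
    --cpus 0.5 \
    --memory 256m --memory-swap 256m \
    --pids-limit 64 \
    "$image" "$@"
}

# Read the PID limit the kernel enforces on the calling process' cgroup.
# cgroup v2 exposes /sys/fs/cgroup/pids.max, cgroup v1 /sys/fs/cgroup/pids/pids.max.
# $1 overrides the cgroup root so a constructed directory can be inspected.
pids_limit() {
  root="${1:-/sys/fs/cgroup}"
  if [ -r "$root/pids.max" ]; then
    cat "$root/pids.max"
  elif [ -r "$root/pids/pids.max" ]; then
    cat "$root/pids/pids.max"
  else
    echo unknown
  fi
}

# "max" means no pids limit at all: a fork bomb in the container then competes
# with the host for the PID table (kernel.pid_max), which is what the slide shows.
pids_limit_status() {
  v=$(pids_limit "$1")
  case "$v" in
    max|unknown) echo "UNLIMITED ($v): no pids cgroup limit is in effect" ;;
    *) echo "LIMITED to $v processes" ;;
  esac
}

# Usage inside a running container:  pids_limit_status
# Dry-run the launch on the host:     DOCKER=echo run_limited demo alpine:3 sleep 60
```

Run `pids_limit_status` inside a container started without `--pids-limit` and it reports `max`; with the limit in place the fork bomb from the previous slide fails with "Resource temporarily unavailable" once 64 processes exist, and the host stays responsive.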

User Namespaces

User namespaces 101

Mounting volumes 101

Mounting volumes + user remapping

Dockerd + namespace remapping

Container Policies

Mounting volume in read-only (:ro)

Seccomp profiles

More or less a “firewall for syscalls”

Checking if seccomp is active?

Container + Seccomp

syscalls.drop(chmod)

“Unconfined” = worst enemy

Strace to the win!

Finding which syscalls are used for a cmd
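The seccomp slides describe one workflow: check that seccomp is active, trace the command under `strace` to learn which syscalls it really needs, then ship a profile instead of running `--security-opt seccomp=unconfined`. The shell below is an added example (not from the talk) that carries that workflow through: `seccomp_mode` reads the `Seccomp:` field of a `/proc/<pid>/status` file (0 off, 1 strict, 2 filter, the mode Docker uses), `syscalls_from_strace` extracts syscall names from an `strace -c` summary, and `allowlist_profile` / `denylist_profile` emit Docker seccomp JSON (the "syscalls.drop(chmod)" case is the denylist). The function names and the embedded strace sample are constructed for this example; tracing a command inside a container needs `--cap-add SYS_PTRACE`.

```shell
#!/bin/sh
# Added example (not from the talk). Function names and the strace sample are
# this example's own; the profile fields are those of Docker's seccomp JSON.
DOCKER="${DOCKER:-docker}"

# Is seccomp active? /proc/<pid>/status reports "Seccomp: 0" (off),
# 1 (strict) or 2 (filter mode, what Docker applies). $1 overrides the file.
seccomp_mode() {
  awk '/^Seccomp:/ { print $2 }' "${1:-/proc/self/status}"
}

# Constructed strace summary, the shape produced by: strace -fc -o trace.txt <cmd>
SAMPLE_STRACE=$(cat <<'EOF'
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 50.00    0.000100          25         4           read
 30.00    0.000060          20         3           write
 20.00    0.000040          40         1         1 chmod
------ ----------- ----------- --------- --------- ----------------
100.00    0.000200                     8         1 total
EOF
)

# Distinct syscall names from an strace -c summary on stdin: skip the two
# header lines, the dashed separators and the final total line.
syscalls_from_strace() {
  awk 'NR > 2 && $1 !~ /^-/ && $NF != "total" { print $NF }' | sort -u
}

# Allowlist profile: every syscall not listed fails with EPERM, the same
# default action Docker's own profile uses.
allowlist_profile() {
  names=$(printf '"%s",' "$@" | sed 's/,$//')
  printf '{"defaultAction":"SCMP_ACT_ERRNO","architectures":["SCMP_ARCH_X86_64"],"syscalls":[{"names":[%s],"action":"SCMP_ACT_ALLOW"}]}\n' "$names"
}

# Denylist profile for the "syscalls.drop(chmod)" slide: allow everything,
# return EPERM for the chmod family only.
denylist_profile() {
  names=$(printf '"%s",' "$@" | sed 's/,$//')
  printf '{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"names":[%s],"action":"SCMP_ACT_ERRNO"}]}\n' "$names"
}

# Write a profile to a temp file and run a container under it.
run_with_profile() {
  profile="$1"; shift
  f=$(mktemp)
  printf '%s\n' "$profile" > "$f"
  $DOCKER run --rm --security-opt seccomp="$f" "$@"
  rc=$?
  rm -f "$f"
  return $rc
}

# Usage:
#   seccomp_mode                                        # 2 inside a default container
#   strace -fc -o trace.txt ./myapp; syscalls_from_strace < trace.txt
#   run_with_profile "$(denylist_profile chmod fchmod fchmodat)" alpine:3 chmod 777 /tmp
```

The last usage line is the slide's demo: `chmod` inside the container fails with "Operation not permitted" while every other syscall behaves normally. Build the allowlist from several traced runs (start-up, normal load, error paths), since a single trace misses syscalls that only rare code paths issue.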

Root capabilities

Capabilities 101

User remap + adding new capabilities?

Block all and add only what’s necessary

Checking capabilities from container

Note: Not working since the capabilities are set to one binary

Checking capabilities from host machine
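The capabilities slides make two points: start from `--cap-drop ALL` and add back only what the workload needs, and verify the result both from inside the container and from the host. The shell below is an added example (not from the talk). `run_minimal_caps` launches a container with nothing but `NET_BIND_SERVICE`; `cap_eff` reads the `CapEff:` mask from a `/proc/<pid>/status` file, which works inside the container via `/proc/self/status` even when no `capsh` binary is installed, and from the host via the container's PID (`docker inspect -f '{{.State.Pid}}'`); `decode_caps` turns the hex mask into names using the kernel's bit numbering. Function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the talk). Function names are this example's own;
# the capability bit numbers are the kernel's (include/uapi/linux/capability.h).
DOCKER="${DOCKER:-docker}"

# Block all, add only what is necessary: a web server needs port 80, nothing else.
# no-new-privileges also stops setuid binaries from regaining anything.
run_minimal_caps() {
  name="$1"; image="$2"; shift 2
  $DOCKER run -d --name "$name" \
    --cap-drop ALL --cap-add NET_BIND_SERVICE \
    --security-opt no-new-privileges \
    "$image" "$@"
}

# Capability names indexed by bit number, 0 = chown ... 40 = checkpoint_restore.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock \
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot \
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control \
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon \
bpf checkpoint_restore"

# Effective capability mask (hex) of a process, read from its status file.
# Inside the container: cap_eff          (uses /proc/self/status, no capsh needed)
# From the host:        cap_eff /proc/$(docker inspect -f '{{.State.Pid}}' NAME)/status
cap_eff() {
  awk '/^CapEff:/ { print $2 }' "${1:-/proc/self/status}"
}

# Turn a hex mask such as 00000000a80425fb (Docker's default set) into names,
# one bit at a time, in ascending bit order.
decode_caps() {
  mask=$((0x$1))
  i=0
  out=""
  for name in $CAP_NAMES; do
    if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
      out="$out $name"
    fi
    i=$((i + 1))
  done
  printf '%s\n' "${out# }"
}

# Usage inside a container:  decode_caps "$(cap_eff)"
# Dry-run on the host:       DOCKER=echo run_minimal_caps web nginx:alpine
```

With the default set the decoder prints fourteen names (chown, dac_override, ..., setfcap); inside a container started by `run_minimal_caps` it prints only `net_bind_service`, which is the check to script into a deployment test.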

Network segmentation

Practical example

(Diagram: Interface 1, Interface 2; Container no 1, Container no 2, Container no 3)

Creating all the networks and...

… plugging!

Practical example

(Diagram: Interface 1, Interface 2; Container no 1, Container no 2, Container no 3; addresses 172.19.0.2, 172.19.0.3, 172.20.0.2, 172.20.0.3)
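The "creating all the networks and ... plugging!" slides and the diagram above describe two segments with three containers. The shell below is an added example (not from the talk) that builds that lab with user-defined bridge networks and then verifies the isolation. The network names `iface1`/`iface2`, the container names `c1`..`c3`, and the reading that container 2 is attached to both segments (the diagram shows four addresses for three containers) are this example's own assumptions; the subnets match the 172.19.x and 172.20.x addresses on the slide.

```shell
#!/bin/sh
# Added example (not from the talk). Network/container names and the choice to
# put c2 on both segments are this example's own; DOCKER=echo dry-runs it.
DOCKER="${DOCKER:-docker}"
IMAGE="${IMAGE:-alpine:3}"

# Two user-defined bridges. Containers on one bridge cannot reach another bridge,
# and Docker's embedded DNS resolves container names only within the same network.
create_networks() {
  $DOCKER network create --driver bridge --subnet 172.19.0.0/16 iface1
  $DOCKER network create --driver bridge --subnet 172.20.0.0/16 iface2
}

# ... plugging: c1 and c2 on iface1, c3 on iface2, then c2 also on iface2 so it
# is the only container that can talk to both segments.
plug_containers() {
  $DOCKER run -d --name c1 --network iface1 "$IMAGE" sleep 3600
  $DOCKER run -d --name c2 --network iface1 "$IMAGE" sleep 3600
  $DOCKER run -d --name c3 --network iface2 "$IMAGE" sleep 3600
  $DOCKER network connect iface2 c2
}

# Verify the segmentation from c1: c2 must answer (shared segment), c3 must not.
# Returns non-zero when the isolation does not hold.
check_isolation() {
  ok=0
  c3_ip=$($DOCKER inspect -f '{{.NetworkSettings.Networks.iface2.IPAddress}}' c3)
  if $DOCKER exec c1 ping -c 1 -W 1 c2 >/dev/null 2>&1; then
    echo "c1 -> c2: reachable (expected)"
  else
    echo "c1 -> c2: unreachable (unexpected)"; ok=1
  fi
  if $DOCKER exec c1 ping -c 1 -W 1 "$c3_ip" >/dev/null 2>&1; then
    echo "c1 -> c3 ($c3_ip): reachable (ISOLATION BROKEN)"; ok=1
  else
    echo "c1 -> c3 ($c3_ip): unreachable (expected)"
  fi
  return $ok
}

# Usage: create_networks && plug_containers && check_isolation
```

If the third container must not reach the outside world either, create `iface2` with `--internal`, which gives it no route out of the host; the diagram does not say which segment, if any, is external-facing, so that flag is left out here.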

Docker auditing

Docker Bench Security

Image Security Scanning with Clair

Protect the Docker daemon socket

Docker socket exposed (1/2)

Docker socket exposed (2/2)

Docker Security “Checklist”

  • Use minimal and certified images (alpine, even after this =/)
  • Use images pulled with content trust (BlackDuck, Artifactory, DTR, …)
  • Scan images nightly with Clair-scanner + reporting
  • Check your host implementation with Docker CIS
  • Push to your consumers with content trust (Artifactory, ...)
  • Analyse results from Docker Security Scanning
  • TLS encrypt everything! (think auth through certificate)
  • Read-only volumes + containers if possible (container policies)
  • Separate networks whenever possible
  • Drop root privileges / unused system calls (seccomp)

Resources

Thanks!

@PaulWebSec