This slide deck is the talk I gave at the InfoSec2020 (https://2020.infosec.org.tw/) conference in Taiwan. It describes container security: what the issues are, how to exploit them and how to defend against them.
17. Attack Scenario I
Vulnerable Container
1. Attack vulnerable container
2. Compromise the host
Docker Host or K8s Cluster
18. Attack Scenario II
Bad Container
1. Push bad image
2. Deploy by admin
3. Create bad container
Docker Host or K8s Cluster
19. Attack Scenario III
Privileged Container
1. Find out open docker host
2. Create privileged container
3. Compromise the host
Open Docker Host
20. Bad Image for Cryptocurrency Mining
https://www.trendmicro.com/vinfo/tw/security/news/virtualization-and-cloud/malicious-docker-hub-container-images-cryptocurrency-mining
24. • Always use the most up-to-date version of Docker
• Allow only trusted users control of the Docker daemon by making sure only trusted users are members of Docker group
• Run your containers as a non-root user (UID not 0)
• Use only trusted base images when building your containers
• Use minimal base images that don’t include unnecessary software packages that could lead to a larger attack surface
• Don’t store secrets in images/Dockerfiles
• When running containers, remove all capabilities not required for the container to function as needed
• Don’t run containers with the --privileged flag
• Don’t mount sensitive host system directories into containers, especially in writable mode: a container that can modify them can alter the host in a way that leads to host compromise
• Don’t run sshd within containers
• Don’t map host ports below 1024 to a container: they are privileged ports that normally require root (or CAP_NET_BIND_SERVICE) to bind, and clients treat services on them as trusted system services
• Make sure you have rules in place that give you an audit trail for:
• Docker daemon and Docker files and directories:
• /var/lib/docker
• /etc/docker
• docker.service
• docker.socket
• /etc/default/docker
• /etc/docker/daemon.json
• /etc/sysconfig/docker
• /usr/bin/containerd
• /usr/sbin/runc
https://www.stackrox.com/post/2019/09/docker-security-101/
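The following Python script is an added example, not part of the talk or of the StackRox post it cites. It turns the run-time rules of the checklist above (non-root user, no --privileged, dropped capabilities, no sensitive host mounts, no privileged host ports, no secrets in the configuration) into an audit over the JSON that `docker inspect` prints, and it flags exactly the kind of container an attacker creates in Attack Scenario III (privileged, host root filesystem and Docker socket mounted). The two records, the list of sensitive host paths and the secret-name markers are constructed for the example and are assumptions, not output captured from a real host.

```python
"""Audit a container's `docker inspect` record against the checklist above.

Added example: the records below are hand-written, and the sensitive-path
and secret-marker lists are assumptions chosen for illustration.
"""
import json
import sys

# Host paths whose exposure to a container is a common route to host compromise
# (assumed list; extend it for your environment).
SENSITIVE_HOST_PATHS = ("/", "/boot", "/dev", "/etc", "/lib", "/proc", "/sys",
                        "/usr", "/var/run/docker.sock", "/run/docker.sock")

# Substrings that suggest an environment variable carries a secret (assumed).
SECRET_MARKERS = ("PASSWORD", "SECRET", "TOKEN", "API_KEY", "PRIVATE_KEY")


def _is_sensitive(host_path):
    """True if host_path is, or lies under, one of SENSITIVE_HOST_PATHS."""
    norm = host_path.rstrip("/") or "/"
    for p in SENSITIVE_HOST_PATHS:
        if norm == p or (p != "/" and norm.startswith(p + "/")):
            return True
    return False


def audit_container(inspect_record):
    """Return a list of human-readable findings for one inspect record."""
    cfg = inspect_record.get("Config", {})
    host = inspect_record.get("HostConfig", {})
    findings = []

    # Rule: run as a non-root user. An empty Config.User means Docker's
    # default, which is root; "0" and "root" are explicit root.
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("runs as root (Config.User=%r)" % (cfg.get("User") or ""))

    # Rule: never --privileged (all capabilities, all host devices, no seccomp).
    if host.get("Privileged"):
        findings.append("--privileged: all capabilities, devices and no seccomp/AppArmor")

    # Rule: drop capabilities the workload does not need. Flag any that were
    # added, and the absence of a blanket drop of the defaults.
    cap_add = host.get("CapAdd") or []
    cap_drop = host.get("CapDrop") or []
    if cap_add:
        findings.append("adds capabilities: %s" % ", ".join(cap_add))
    if "ALL" not in cap_drop:
        findings.append("does not drop default capabilities (CapDrop lacks ALL)")

    # Rule: no sensitive host directories, especially writable.
    # Binds look like "/host/path:/container/path[:ro|rw,...]".
    for bind in host.get("Binds") or []:
        parts = bind.split(":")
        if len(parts) < 2:
            continue
        src = parts[0]
        opts = parts[2].split(",") if len(parts) > 2 else []
        mode = "ro" if "ro" in opts else "rw"
        if _is_sensitive(src):
            findings.append("mounts sensitive host path %s (%s)" % (src, mode))

    # Rule: no host ports below 1024.
    for cport, bindings in (host.get("PortBindings") or {}).items():
        for b in bindings or []:
            hp = b.get("HostPort")
            if hp and hp.isdigit() and int(hp) < 1024:
                findings.append("binds privileged host port %s -> %s" % (hp, cport))

    # Rule: no secrets in the image or its configuration. Env is "KEY=value".
    for kv in cfg.get("Env") or []:
        key = kv.split("=", 1)[0]
        if any(m in key.upper() for m in SECRET_MARKERS):
            findings.append("secret-looking environment variable %s" % key)

    return findings


# Constructed sample: the container an attacker creates in Attack Scenario III.
BAD_CONTAINER = {
    "Config": {"User": "", "Env": ["PATH=/usr/bin", "DB_PASSWORD=hunter2"]},
    "HostConfig": {
        "Privileged": True,
        "CapAdd": ["SYS_ADMIN"],
        "CapDrop": [],
        "Binds": ["/:/host", "/var/run/docker.sock:/var/run/docker.sock:ro"],
        "PortBindings": {"22/tcp": [{"HostIp": "", "HostPort": "22"}]},
    },
}

# Constructed sample: the same service hardened along the checklist.
GOOD_CONTAINER = {
    "Config": {"User": "1000:1000", "Env": ["PATH=/usr/bin"]},
    "HostConfig": {
        "Privileged": False,
        "CapAdd": [],
        "CapDrop": ["ALL"],
        "Binds": ["/srv/app/data:/data:ro"],
        "PortBindings": {"8080/tcp": [{"HostIp": "", "HostPort": "8080"}]},
    },
}

if __name__ == "__main__":
    # Live use: docker inspect <container> | python3 audit.py -
    if len(sys.argv) > 1 and sys.argv[1] == "-":
        records = json.load(sys.stdin)  # `docker inspect` prints a JSON list
    else:
        records = [BAD_CONTAINER, GOOD_CONTAINER]
    for rec in records:
        print(json.dumps(audit_container(rec), indent=2))
```

The checks are deliberately conservative: any mount under /etc is reported even when read-only, and a container that merely keeps Docker's default capability set is flagged, because the checklist asks for an explicit drop of everything not required. The constructed "bad" record produces eight findings; the hardened one produces none.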