How to securely deploy your containers, by the author of rkhunter and auditing tool Lynis. Many introductory talks about Docker and its container technology, have been given. This attention to the subject is not surprising, seeing the amount of people "doing DevOps" now. With container technology being fairly new on the Linux platform, the security aspects of containers are often being overlooked. While Linux containers do still not fully contain from a security point of view, we can definitely improve the security level of them. In this talk, we have a look at the underlying Linux security measures, followed by the features Docker itself has to offer. The goal is to get an understanding how we can deploy containers in a secure way. After all, Docker is no longer just a toy, and our precious data is involved.

1. Docker Security
Secure container deployment on Linux
openSUSE conference, The Hague, 3 May 2015
Michael Boelen
michael.boelen@cisofy.com

2. Michael Boelen
● Founder of CISOfy
● Security + Open Source
○ Rootkit Hunter (malware scan)
○ Lynis (security scan)
● Analysis → Simplify
2

3. Docker and Me
● Understanding
● Development
● Using it
3

4. Results of Research
● Limited resources
● Outdated articles
● Conflicting information
● Security not important?
Proposal: Let's fix (some of) these issues
4

5. Proposal
Security proposals
● Tooling to simplify Linux security → Lynis
● Articles about Docker security → Blog posts
● Provide input to (GitHub) projects → You
● Presentations → In progress
5

6. What
● Stabilize the vessel
● Secure containers
6

7. How
➔ Benefits
➔ Risks
➔ Defenses
➔ Best Practices
7
Photo credits: imagebase.net

8. Why?
Data!
8

9. Why Security?
Data!
● Docker + Software = Data Sharing
● Keep it confidential
9

10. Warning
From this point on,
there might be lies...
10

11. Docker Benefits
11

12. Primary Benefits
● Flexibility
● Scalability
● Better testing
12

13. Segregation
● The art of splitting up things
● The "Holy Grail" of security
● Smaller units = more control
13

14. Granular Control
● Limit users, access and data
● Easier to understand
● Easier to defend
14

15. Information Disclosure
● Decreased chance of data leakage
● Less resources accessible
15

16. Risks
16

17. Risk: Software Issues
Software security
● Bugs
● Security vulnerabilities
● Regular updates needed
● Backdoors? Auditing?
17

18. Risk: Knowledge gap
Quickly evolving
● IT auditor
● Your colleagues
● You...?
18

19. Risk: "Does not contain"
No full isolation (yet)
● Treat containers as a host
● Know strengths and weaknesses
19

20. Defenses
20

21. Docker Website
Start at the download
● HTTPS
● Digital signatures
● Images verified after downloading
21

22. Docker Containers
● Namespaces and cgroups
● Seccomp
● Capabilities
● Frameworks
22

23. Namespaces
Isolates parts of the OS
● PID namespaces
● Network namespaces
● User namespaces → Not really!
23

24. Namespaces
More spaces
● IPC namespaces (process communication)
● UTS namespaces (hostname/NIS)
● Mount namespaces
24

25. Seccomp
● Secure computing mode
● Filters syscalls with BPF
● Isolation, not virtualization
● Used in software like:
○ Chrome, OpenSSH, vsftpd
○ LXD and Mbox
25

26. Seccomp
Default list of blocked calls
● kexec_load
● open_by_handle_at
● init_module
● finit_module
● delete_module
26

27. Control Groups (cgroups)
● Restrict resources
● Prioritize
● Accounting
● Control
27

28. Capabilities
● Root user → split into roles
● Default list of allowed capabilities
● --cap-add / --cap-drop
● Combine (e.g. add all, drop a few)
28

29. Capabilities
Examples
● CAP_NET_ADMIN - Configure networking
● CAP_SETPCAP - Process capabilities
● CAP_SYS_MODULE - Insert and remove
kernel modules
29

30. Frameworks
AppArmor / SELinux
● MAC frameworks
● Help with containment
● Learning them now, will pay off later
30

31. Audit Subsystem
● Developed by Red Hat
● Files / system calls
● Monitors the (system | file) integrity
31

32. Auditing
Audit (example)
# Time related calls
-a always,exit -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -S clock_settime -k time-change
# Hostname and domain
-a always,exit -S sethostname -S setdomainname -k system-locale
# Password files
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k identity
32

33. Best Practices
33

34. Docker Host Hardening 1/2
● Security = Defense in Depth
● Use AppArmor / SELinux / GRSEC
● Limit
○ users / services / network
34

35. Docker Host Hardening 2/2
● Update your kernel on a regular basis
● Stay up-to-date with Docker
● Limit Docker permissions
35

36. Containers
Harden your Containers
● Use AppArmor / SELinux
● Drop capabilities (man capabilities)
● Filter syscalls (seccomp)
● Network filtering (iptables)
36

37. Read-Only Containers
Least amount of privileges
● Docker 1.5
● --read-only
● Restrict writing to volumes
37

38. Logging
Don't let containers be a black box
● Docker 1.6
● --log-driver
○ none
○ syslog
○ json-file
38

39. Limit Resources
Ulimit
● Default too high
● Set new container default
○ Docker 1.6
○ --default-ulimit
● On run: --ulimit
39

40. Docker Management
"Invisibilize"
● Encrypt connections
● Configure and use TLS, set variables:
○ DOCKER_HOST
○ DOCKER_TLS_VERIFY
40

41. Docker Management
SSH in containers
● Don't use this..
● Use “docker exec -it mycontainer bash”
41

42. Read-Only
● Mounts
● Data
● Configuration
● Use --read-only
42

43. Using Mappings
● Map users to non-privileged
○ /etc/subuid
○ /etc/subgid
43

44. Trust
Or Don't...
● Verify downloads
● Be careful with images from others
● Measure, monitor, audit
44

45. Auditing
Tools
● Lynis
● OpenSCAP
45

46. Docker News
Things go quick with Docker
● Stay informed
● Follow the Docker blog
● Keep an eye on Docker (/LXC/LXD) news
46

47. Questions?
47

48. More Docker Security
● Blog: linux-audit.com
● Twitter: @mboelen
48