If it's in a Container it's Secure Right? Scott Coulton, AutoPilot HQ
-
Upload
openstack -
Category
Technology
-
view
90 -
download
0
Transcript of If it's in a Container it's Secure Right? Scott Coulton, AutoPilot HQ
Does the traditional infosectoolchain work efficiently in a world where a container’s average lifespan is 2 days?
1. IntroWhat we will cover
➔ How is container security different ?Does traditional security fit ?
➔ How to protect our containerProtecting from the inside out
➔ Security and CD Can the 2 worlds live together
➔ Live demo
The way that traditional infosec works is
ReactiveContainers allow you to be
Proactive in your approach to infosec
2. ExamplesHere are a few comparable examples:
➔ Traditional Nessus, AV, HIDS
➔ New schoolAppArmor, Clair, Notary
The risks.● DoS the host (CPU, Memory or Disk)● Fork Bomb● Kernel modification● Privilege Escalation
Let’s look @ protecting the engine.
Docker 1.12 Benchmark
Some sane defaults.● Don’t run --pid host or --net host (without knowing the
risks)● Don’t bind your daemon to tcp://0.0.0.0:4243● Don’t use aufs as your storage driver● Use TLS for all daemon traffic
3. Live DemoWe are going to test what we have learnt today and run a standard Nginx image
We will them use the Dirtyc0w vulnerability to write to a file owned by root, then privilege escalate to root for a standard user :
➔ Without AppArmorAll exploits will work
➔ With AppArmorOur container will be safe
The code from the live demo is available @ https://github.com/scotty-c