wtf my container just spawned a shell!
Post on 08-Apr-2017
Jorge Salamero Sanz (@bencerillo)
WTF my container just spawned a shell!
Sysdig
Open source system troubleshooting with native container support (htop, vmstat, netstat, lsof, tcpdump…)
Monitoring, alerting and troubleshooting tool for Docker, Kubernetes, Mesos, RancherOS, GCE, ECS
Securing Microservices
Defense in depth for microservices
Single responsibility principle:
• Principle of least privilege
• Principle of least surprise
• Principle of least access
Container Security Techniques
• New workflows (docker pull vs previous apt update/yum update)
• CI/CD Pipeline (Jenkins, Openshift, etc: rebuilds, rolling updates)
• Access management, logging & auditing (Kubernetes, Openshift: user roles, namespaces, centralized logging, authn & authz, etc)
• Trust boundaries (do you trust entire Docker Hub? Image signing, Docker Notary)
• Simplify the container OS, it carries tons of useless stuff (RancherOS, Atomic, CoreOS, Alpine Linux, etc)
• Network security (Weave, etc)
• Secret management (Vaults instead of environment vars, etc)
Docker Security Techniques
• Drop privileges
  • Limit capabilities
  • Do not run as root! Containers are not VMs!
• cgroups
  • Limit resource shares; they are not an access restriction
• namespaces
  • Useful, but not a complete security model
  • User namespaces
• Kubernetes/Openshift security contexts
• Host security and access (Docker bench, RO access, etc)
Scanning
What are my containers doing?
• Static scanning
• Dynamic scanning
Static Scanning
Yay, this was so easy to deploy! I ♥ Docker Hub! (your developers too; actually they were already using it :P)
uhm… wait, is someone maintaining this image?
RUN apt-get install -y wget build-essential python python-dev python-pip python-virtualenv
RUN wget http://nodejs.org/dist/node-latest.tar.gz
RUN tar xvzf node-latest.tar.gz
RUN cd node-v* && ./configure && CXX="g++ -Wno-unused-local-typedefs" make && CXX="g++ -Wno-unused-local-typedefs" make install
• Static Scanning:
• CoreOS Clair, Docker Nautilus, Red Hat CloudForms, etc
Image Vulnerability Scanning
• Scan contents of images looking for software versions with known defects
• Container image layering can make this efficient (exploits immutable nature of images)
Example image layers: Ubuntu 14.04 → Apache 2.2 → WordPress 4.6, PHP 7.0
Container Security Techniques
OK, no known vulnerabilities. Still secure?
Containers are black boxes that expose a behaviour: is something misbehaving?
• Dynamic Scanning:
  • Enforcement
  • Auditing
Tools
• Basic sandboxing: seccomp
• Sandboxing with policies: seccomp-bpf
• Mandatory access control systems: SELinux, AppArmor
• System auditing: Auditd
• Behavioral monitoring: Falco
Seccomp
• Seccomp: application system call “sandboxing”
• One-way transition to a restricted state
• Limited set of system calls
  • SECCOMP_MODE_STRICT: read(), write(), _exit(), and sigreturn()
  • The process is SIGKILLed when it does anything else
• Not widely used in practice
Seccomp-bpf
• Security profiles per application/container:
  • Create a filter (BPF program) with lists of allowed syscalls
  • Each syscall is matched against the filter
  • Multiple actions: kill the process (SIGKILL), deliver SIGSYS, fail the syscall, notify an attached tracer process to skip/change it, or allow it
• Docker runs the containerized process under a seccomp profile; multiple profiles are available
• Notable syscalls disallowed by Docker's default profile:
  • clone (creating new namespaces)
  • reboot (reboot the host)
  • setns (change namespaces)
Mandatory Access Control
• SELinux or AppArmor
• Same mechanism: kernel-level interception/filtering
• features++ && complexity++
• Works above the syscall level, in terms of:
  • Actors (processes)
  • Actions (read/write on files/sockets)
  • Targets (files, IPs, ports)
• Mandatory, while seccomp is voluntary
• But what if I only want to put some surveillance in, without enforcement?
Auditd
• Access monitoring system
• Logger for SELinux
• Rules based on files and syscalls:
  # Alert whenever anyone performs an unlink() for a file below /usr/bin
  -a always,exit -S unlink -S unlinkat -F dir=/usr/bin -F success=1
  # Watch any invocation of /usr/bin/passwd
  -w /usr/bin/passwd -p x -k passwd_mgmt
Sysdig Falco
An anomaly detection system built on top of the sysdig engine
[Architecture diagram: a kernel module instruments syscalls from the host and from containers (Docker, rkt, LXC) into an event stream (open, read, write, close, connect…) that sysdig can dump to disk, filter and analyze]
Events context
• Syscalls are turned into events with context:
  • the process name performing the system call
  • the process’s parents, grandparents, etc
  • the remote IP address to which the process is communicating
  • the directory of the file being read/written
  • the current memory usage of the process
What is Sysdig Falco?
• Detects suspicious activity defined by a set of easy rules
• Uses sysdig’s flexible and powerful filtering expressions (runs in userspace, so it is a single point of failure)
• Container support (Docker, Kubernetes, Mesos, etc)
• Flexible notification methods
• Open Source
Quick Examples
A shell is run in a container:
  container.id != host and proc.name = bash
Overwrite system binaries:
  fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) and write
Container namespace change:
  evt.type = setns and not proc.name in (docker, sysdig)
Non-device files written in /dev:
  (evt.type = creat or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null
Process tries to access the camera:
  evt.type = open and fd.name = /dev/video0 and not proc.name in (skype, webex)
Falco Rules
• .yaml file containing Macros, Lists, and Rules:
  - macro: bin_dir
    condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)

  - list: package_mgmt_binaries
    items: [dpkg, dpkg-preconfigu, rpm, rpmkey, yum, frontend]

  - rule: write_binary_dir
    desc: an attempt to write to any file below a set of binary directories
    condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs
    output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)"
    priority: WARNING
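As an added example (not code from the deck or from Falco itself), a minimal evaluator for the filter-expression subset used by the Quick Examples and the write_binary_dir rule above, showing how macros and lists expand into a condition and how that condition fires on an enriched syscall event. The macros, list and rule conditions are copied from the deck; open_write and package_mgmt_procs are not defined on the slide, so their definitions here are assumptions, and the sample event is constructed.

```python
import re
# Constructed macros/lists modelled on the deck's write_binary_dir rule (open_write is simplified).
MACROS = {"bin_dir": "fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)",
          "open_write": "evt.type = open and evt.arg.flags contains O_WRONLY",
          "package_mgmt_procs": "proc.name in (package_mgmt_binaries)"}
LISTS = {"package_mgmt_binaries": ["dpkg", "dpkg-preconfigu", "rpm", "rpmkey", "yum", "frontend"]}
RULES = {  # rule name -> condition, taken from the deck's examples
    "write_binary_dir": "bin_dir and evt.dir = < and open_write and not package_mgmt_procs",
    "shell_in_container": "container.id != host and proc.name = bash",
    "container_namespace_change": "evt.type = setns and not proc.name in (docker, sysdig)"}
SAMPLE_EVENT = {  # constructed event: a shell inside a container overwriting /usr/bin/ls
    "evt.type": "open", "evt.dir": "<", "evt.arg.flags": "O_WRONLY|O_CREAT|O_TRUNC",
    "fd.directory": "/usr/bin", "fd.name": "/usr/bin/ls", "proc.name": "sh", "container.id": "3f2a1c9e0b7d"}
TOKEN = re.compile(r"\(|\)|,|[^\s(),]+")  # parens and commas are tokens; anything else is a word


def compile_condition(text):
    """Compile a filter string into a predicate over an event dict (precedence: or < and < not)."""
    toks = TOKEN.findall(text)[::-1]         # reversed so pop() yields the next token
    def chain(sub, word, combine):           # left-associative `sub (word sub)*`
        left = sub()
        while toks and toks[-1] == word:
            toks.pop()
            left = (lambda l, r: lambda ev: combine(l(ev), r(ev)))(left, sub())
        return left
    def expr(): return chain(conj, "or", lambda a, b: a or b)
    def conj(): return chain(neg, "and", lambda a, b: a and b)
    def neg():
        if toks[-1] != "not":
            return atom()
        toks.pop()
        return (lambda inner: lambda ev: not inner(ev))(neg())
    def atom():
        tok = toks.pop()
        if tok == "(":                       # sub-expression: build it, then drop the closing ')'
            return (expr(), toks.pop())[0]
        if tok in MACROS:                    # bare macro name: compile its condition in place
            return compile_condition(MACROS[tok])
        op = toks.pop()
        if op == "in":                       # field in (value, value, listname): lists expand inline
            items = [t for t in iter(toks.pop, ")") if t not in ("(", ",")]
            vals = {v for it in items for v in LISTS.get(it, [it])}
            return lambda ev: ev.get(tok) in vals
        val = toks.pop()
        return {"=": lambda ev: ev.get(tok) == val, "!=": lambda ev: ev.get(tok) != val,
                "contains": lambda ev: val in str(ev.get(tok, ""))}[op]
    return expr()


def alerts(event):  # names of the rules whose condition matches one enriched syscall event
    return [name for name, cond in RULES.items() if compile_condition(cond)(event)]
```

Running alerts(SAMPLE_EVENT) yields only write_binary_dir; swapping proc.name for dpkg (in the package_mgmt_binaries list) suppresses it, which is exactly the exception the rule's `not package_mgmt_procs` clause encodes.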
Alerts and Outputs
• Events that match a filter expression (rule) result in alerts
• The output field is used to format the event into the alert message
• Sending to:
  • syslog
  • file
  • stdout
  • shell (e.g. mail -s "Falco Notification" alerts@example.com)
  • Sysdig Cloud
Falco Demo
Further reading
● Documentation:
  ○ https://sysdig.com/blog/selinux-seccomp-falco-technical-discussion/
  ○ https://sysdig.com/blog/friends-dont-let-friends-curl-bash/
● http://www.sysdig.org/falco/
● https://github.com/draios/falco
Thank You!