We are moving from virtualization to containerization, and we are all familiar with container registries such as Docker Hub and quay.io. You can pick a Docker image for a particular application from many available choices. As you know, when a developer works with a container, it packages not only the application but also part of an operating system, and we do not know whether the bundled libraries have been patched or are still vulnerable.
So, in this post we will show how to perform a container audit and vulnerability assessment in any infrastructure.
Table of Contents
Prerequisites
Clair
· Installation
· Docker Image Vulnerability Scanning
Bench-Security
· Installation
· Container Hardening
Prerequisites
On your host machine, install Docker and pull the image you want to scan.
Clair: Vulnerability Scanning
Installation
CoreOS has created an awesome container scanning tool called Clair. Clair is an open source project for the static analysis of vulnerabilities in appc and Docker containers. We will drive it with clair-scanner, a small wrapper that runs a local Clair instance against a local image. Clone it with git, using the following command:
git clone https://github.com/arminc/clair-scanner.git
The scanner is written in Go, so Go must be installed on the host machine on which Docker is running.
apt install golang
Build the scanner binary; the build pulls in all of its dependencies.
cd clair-scanner
make build
make cross
After the build, the clair-scanner binary (and the cross-compiled builds produced by make cross) are left in the repository directory.
If you do not have a Docker image on your host machine, pull one now. We pulled Ubuntu 16.04 to illustrate the vulnerability assessment:
docker pull ubuntu:16.04
First start the vulnerability database. The arminc/clair-db image is a PostgreSQL database pre-populated with Clair's vulnerability data, and it listens on local port 5432:
docker run -d -p 5432:5432 --name db arminc/clair-db:latest
Then start the Clair server itself, linked to that database so it can read the vulnerability data. It listens on local port 6060:
docker run -d -p 6060:6060 --link db:postgres --name clair arminc/clair-local-scan:latest
Docker Image Vulnerability Scanning
Now use clair-scanner to scan a local Docker image. The --ip argument is the address on which the scanner serves the image layers to the Clair container; with Docker's default bridge network that is the host's docker0 address, 172.17.0.1. The -r flag writes a JSON report.
Syntax: ./clair-scanner --ip <host-ip> -r <report.json> <image>
./clair-scanner --ip 172.17.0.1 -r report.json ubuntu:16.04
And we get the scan output, which reports 50 unapproved vulnerabilities. Every vulnerability that is not listed in a whitelist counts as unapproved, and the scanner exits with a non-zero status when any remain, which is what makes it usable as a build gate.
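The JSON report is where the real work starts: 50 findings on a base image is normal, and a practitioner has to decide which of them block a build. The following script is an added example, not part of clair-scanner or of the original post. It triages a report with a severity threshold, a whitelist of accepted CVEs and an optional "fixable only" filter, and returns the exit code a CI job would use. The report layout it assumes (top-level "image", "unapproved" and "vulnerabilities"; per-entry "vulnerability", "severity", "featurename", "featureversion" and "fixedby") follows what clair-scanner writes with -r; check it against your own report.json before relying on it. The sample report embedded below is constructed, with placeholder CVE identifiers, not real scan output.

```python
"""Triage a clair-scanner JSON report and decide whether a build should pass.

Added example (not clair-scanner's own code). Report field names are assumed
from the clair-scanner -r output layout; the sample data is constructed.
"""
import json
from collections import Counter

# Clair severity labels, lowest to highest.
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]

# Constructed sample report (placeholder CVE ids, not real scan output).
SAMPLE_REPORT = json.dumps({
    "image": "ubuntu:16.04",
    "unapproved": ["CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"],
    "vulnerabilities": [
        {"featurename": "libexample", "featureversion": "1.0-1", "vulnerability": "CVE-0000-0001",
         "namespace": "ubuntu:16.04", "severity": "High", "fixedby": "1.0-2",
         "description": "constructed", "link": "https://example.invalid/1"},
        {"featurename": "libexample", "featureversion": "1.0-1", "vulnerability": "CVE-0000-0002",
         "namespace": "ubuntu:16.04", "severity": "Medium", "fixedby": "",
         "description": "constructed", "link": "https://example.invalid/2"},
        {"featurename": "othertool", "featureversion": "2.3", "vulnerability": "CVE-0000-0003",
         "namespace": "ubuntu:16.04", "severity": "Critical", "fixedby": "2.4",
         "description": "constructed", "link": "https://example.invalid/3"},
    ],
})


def severity_rank(name):
    """Map a severity label to an integer for comparison; unknown labels rank lowest."""
    try:
        return SEVERITY_ORDER.index(name)
    except ValueError:
        return 0


def triage(report_json, threshold="High", whitelist=(), fixable_only=False):
    """Return (blocking, summary).

    blocking: vulnerability entries that should fail the build: severity at or
              above `threshold`, not in `whitelist`, and (if fixable_only) with
              an upstream fix available ("fixedby" non-empty).
    summary:  Counter of severity labels over everything Clair reported.
    """
    report = json.loads(report_json)
    allowed = set(whitelist)
    min_rank = severity_rank(threshold)
    summary = Counter(v.get("severity", "Unknown") for v in report["vulnerabilities"])
    blocking = []
    for v in report["vulnerabilities"]:
        if v["vulnerability"] in allowed:
            continue  # accepted risk, recorded in the whitelist
        if severity_rank(v.get("severity", "Unknown")) < min_rank:
            continue  # below the gate threshold
        if fixable_only and not v.get("fixedby"):
            continue  # nothing the image maintainer can do yet
        blocking.append(v)
    return blocking, summary


def ci_exit_code(report_json, **kwargs):
    """0 when nothing blocks the build, 1 otherwise (same convention as clair-scanner)."""
    blocking, _ = triage(report_json, **kwargs)
    return 0 if not blocking else 1


if __name__ == "__main__":
    accepted = ["CVE-0000-0001"]
    blocking, summary = triage(SAMPLE_REPORT, threshold="High", whitelist=accepted)
    print("severity summary:", dict(summary))
    for v in blocking:
        fix = v["fixedby"] or "no fix yet"
        print(f"BLOCK {v['vulnerability']} {v['severity']} {v['featurename']} "
              f"{v['featureversion']} (fixed by: {fix})")
    print("exit code:", ci_exit_code(SAMPLE_REPORT, threshold="High", whitelist=accepted))
```

Point the script at the report.json written by the scan above and keep the whitelist in version control next to the Dockerfile, so every accepted CVE has a reviewable record; a "fixable only" gate is useful for base images you do not build yourself, where the only remedy for an unfixed CVE is to wait for the distribution.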
Bench-Security: Container Hardening
The Docker Bench for Security is a
script that checks for dozens of common best-practices around deploying Docker
containers in production. The tests are all automated, and are inspired by the CIS
Docker Benchmark v1.2.0.
With a few Docker images and containers present on the host, start the Docker audit for container hardening by executing the command below. The container needs the host's network, PID and user namespaces, plus read-only mounts of the Docker configuration and socket, so that it can inspect the daemon and every running container:
docker run -it --net host --pid host --userns
host --cap-add audit_control \
-e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
-v /etc:/etc:ro \
-v /usr/bin/containerd:/usr/bin/containerd:ro \
-v /usr/bin/runc:/usr/bin/runc:ro \
-v /usr/lib/systemd:/usr/lib/systemd:ro \
-v /var/lib:/var/lib:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
--label docker_bench_security \
docker/docker-bench-security
The output marks each configuration recommendation as INFO, WARN, PASS or NOTE, grouped under the sections of the benchmark listed below:
1. Host Configuration
2. Docker Daemon Configuration
3. Docker Daemon Configuration Files
4. Container Images and Build Files
5. Container Runtime
6. Docker Security Operations
Let me explain this with an example. In the highlighted section of the output the bench raises a WARN against root privilege: the running containers have no non-root user configured, so their processes run as root inside the container, and a container escape then starts from UID 0.
To fix this kind of misconfiguration, stop and remove the running containers, then start the container again with a low-privilege user, as shown below. Note that the first two commands stop and delete every container on the host, so use them only on a test box; on a real host target the offending container by name.
docker stop $(docker ps -aq)
docker rm $(docker ps -aq)
docker run -itd --user 1001:1001 ubuntu
The --user flag sets the UID:GID the container's processes run as at start-up. For images you build yourself, the durable fix is a USER instruction in the Dockerfile, so the image never defaults to root in the first place.
Once the fix is in place, run the bench again to cross-validate, and this time confirm that the earlier warning has become a PASS. As you can see, this time we got the green sign, which shows that the loophole has been closed.
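Re-running the whole bench to confirm one fix is slow, and it only tells you about the host it runs on. The check behind that WARN can be reproduced directly from docker inspect output, which is easy to collect from many hosts. The script below is an added example, not part of docker-bench-security or the original post. It reads the JSON array printed by docker inspect (for example docker inspect $(docker ps -q) > inspect.json) and flags containers whose documented Config.User field leaves them running as root, plus containers started with HostConfig.Privileged. The embedded sample array is constructed, not captured from a real host.

```python
"""Flag containers that still run as root (or privileged) from `docker inspect` output.

Added example (not docker-bench-security's code). Uses the documented
Config.User and HostConfig.Privileged fields; the sample below is constructed.
"""
import json

# Constructed `docker inspect` output for three containers. Only "app" was
# restarted the way the post shows (--user 1001:1001).
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/web",
     "Config": {"User": "", "Image": "ubuntu"},
     "HostConfig": {"Privileged": False}},
    {"Id": "bbb222", "Name": "/agent",
     "Config": {"User": "root", "Image": "ubuntu"},
     "HostConfig": {"Privileged": True}},
    {"Id": "ccc333", "Name": "/app",
     "Config": {"User": "1001:1001", "Image": "ubuntu"},
     "HostConfig": {"Privileged": False}},
])

# Values of the user part of Config.User that mean "root".
ROOT_NAMES = {"", "root", "0"}


def runs_as_root(user_field):
    """True when Config.User is empty (Docker's default is root), 'root', or UID 0.

    The field may be 'user', 'uid', 'user:group' or 'uid:gid'; only the part
    before the colon decides the effective user.
    """
    user = (user_field or "").split(":", 1)[0].strip()
    return user in ROOT_NAMES


def audit_containers(inspect_json):
    """Return one finding dict per violated check, in container order."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", c["Id"]).lstrip("/")
        user = c.get("Config", {}).get("User", "")
        shown = user or "<unset>"
        if runs_as_root(user):
            findings.append({"container": name, "check": "running as root", "user": shown})
        if c.get("HostConfig", {}).get("Privileged"):
            # --privileged hands the container every capability and all host devices,
            # so a non-root user would not help much here either.
            findings.append({"container": name, "check": "privileged container", "user": shown})
    return findings


if __name__ == "__main__":
    for f in audit_containers(SAMPLE_INSPECT):
        print(f"[WARN] {f['container']}: {f['check']} (User={f['user']})")
```

A non-numeric user name in Config.User is only as good as the image's /etc/passwd; if the name does not exist there the container fails to start, and if it maps to UID 0 it is still root, so numeric UID:GID values, as in the post's --user 1001:1001, are the easier form to audit.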