Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Docker Containers Hardening & Restrictions (apparmor, cgroups, etc) #130

Closed
moul opened this issue Sep 18, 2019 · 3 comments
Closed

Docker Containers Hardening & Restrictions (apparmor, cgroups, etc) #130

moul opened this issue Sep 18, 2019 · 3 comments
Assignees
@overedge @Z-a-r-a-k-i
Labels
t/infra t/platform urgent
Projects
Pathwar Roadmap
Milestone
42. 🤡 Bonus

Comments

@moul
Copy link
Member

moul commented Sep 18, 2019
edited by moul-bot

Examples of profiles we can imagine having:

  • one for web levels without external internet access
  • one for unix levels
  • one for databases that aren't exposed and only used by another container ...

The common point will always to restrict the level of DOSing the server running it (restrict memory, cpu, disk)
@moul moul changed the title Create apparmor profiles Restrict docker containers (apparmor, cgroups, etc) Oct 3, 2019
@moul
Copy link
Member Author

moul commented Oct 3, 2019

The idea of this issue is mostly to gather the knowledge, then we will try to make:

  • a "default" profile
  • a documentation about most common customisation in the wiki for level maintainers

@moul moul changed the title Restrict docker containers (apparmor, cgroups, etc) Docker Containers Hardening & Restrictions (apparmor, cgroups, etc) Oct 3, 2019
@Z-a-r-a-k-i
Copy link
Member

Here is a compilation of common stuff that can be found on google

@Z-a-r-a-k-i
Copy link
Member

Z-a-r-a-k-i commented Oct 3, 2019
edited

PATHWAR LEVEL SECURITY GUIDELINES

1. Denial of Service mitigation

  • Limit cpu number that can be used per docker (set 1 by default)
  • Limit RAM usage (set 512mb by default)
  • Limit Disk space usage

Limit imposes an upper limit to the amount of memory that can potentially be used by a Docker container.

Memory Reservations tries to bring the container’s memory consumption at or below the reservation limit, when the system is running low on memory. If there’s an abundance of memory, however, the application can expand upto the hard set memory limit.

Example with docker :

docker run -it — cpus 1 — memory 512Mb --storage-opt size=20G image_name

Example with docker-compose :

version: "3.7"
services:
  service_name:
    image: img:alpine
    deploy:
      resources:
        limits:
          cpus: '1'
          memory: 512M
        reservations:
          cpus: '0.25'
          memory: 128M

storage-opt option is only available on docker-compose v2, not in v3.

2. Mitigate privilege escalation / container hijacking

1. Keep docker updated (thx captn obvious)

2. Run as limited user

In Dockerfile :

RUN adduser -D pathwarrior
USER pathwarrior

On Runtime

docker run -u pathwarrior image_name

3. Isolate containers with a user namespace

Use /etc/docker/daemon.json

{
  "userns-remap": "pathwarrior"
}

To disable user namespaces for a specific container, add the --userns=host flag to the docker container create, docker container run, or docker container exec command.

The following standard Docker features are incompatible with running a Docker daemon with user namespaces enabled:

sharing PID or NET namespaces with the host (--pid=host or --network=host).
external (volume or storage) drivers which are unaware or incapable of using daemon user mappings.
Using the --privileged mode flag on docker run without also specifying --userns=host.

One of the interesting issues I faced while using userns-remap was an error when doing a docker pull of the form: failed to register layer: Error processing tar file (exit status 1): container id xxx cannot be mapped to a host id. Once userns-remap is enabled, all docker engine operations are carried out as the user specified - not the user executing the docker client command. If an image you are pulling has files with user ID 1000, and if your subuid file entry doesn’t have space for 1000 users, it is going to fail. The solution is to have a decent enough range of users in your subuid entry.

4. Limit available system calls using Seccomp

Example profile -> https://github.com/giuliocomi/csplogger/blob/master/seccomp-profile-csplogger.json

Risky because if any unexpected system call is executed in the container, the whole container will be immediately terminated.

5. Use Apparmor to whitelist what is possible to do on the container

Tool for qol : https://github.com/genuinetools/bane
Sample file : https://github.com/genuinetools/bane/blob/master/sample.toml

6. Run some automated security bench scripts

Ideally we want a Makefile option to test a single container or any container found in the whole project, ie :

make security-test level_name
make security-test

1. Docker Bench for Security

https://github.com/docker/docker-bench-security

Looks really cool, didn't test yet but it seems to test any known security vulnerability against running docker containers.

2. clair

https://github.com/coreos/clair

Looks a bit complex, didn't test yet.

7. Check used image through Content Trust

Add following option to /etc/docker/daemon.json

{
    "content-trust": {
        "mode": "enforced"
    }
}

Need Docker Enterprise Engine

@moul moul added this to the 3. 🤡 Bonus milestone Oct 12, 2019
@moul-bot moul-bot mentioned this issue Oct 19, 2019
Open
@moul moul added this to Triage in Pathwar Roadmap Oct 20, 2019
@moul moul moved this from Triage to Backlog in Pathwar Roadmap Oct 24, 2019
@moul moul mentioned this issue Nov 28, 2019
Closed
25 tasks
Pathwar Roadmap automation moved this from Backlog to Done Jun 10, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@overedge overedge

@Z-a-r-a-k-i Z-a-r-a-k-i

Labels
t/infra t/platform urgent
Projects
Pathwar Roadmap
  
Done
Milestone
42. 🤡 Bonus
Development

No branches or pull requests
4 participants
@moul @overedge @moul-bot @Z-a-r-a-k-i