

Container Security. Fundamental Technology Concepts that Protect Containerized Applications (ebook)


Container Security. Fundamental Technology Concepts that Protect Containerized Applications (ebook) - Description
To facilitate scalability and resilience, many organizations now run applications in cloud native environments using containers and orchestration. But how do you know if the deployment is secure? This practical book examines key underlying technologies to help developers, operators, and security professionals assess security risks and determine appropriate solutions.

Author Liz Rice, Chief Open Source Officer at Isovalent, looks at how the building blocks commonly used in container-based systems are constructed in Linux. You'll understand what's happening when you deploy containers and learn how to assess potential security risks that could affect your deployments. If you run container applications with kubectl or docker and use Linux command-line tools such as ps and grep, you're ready to get started.

Explore attack vectors that affect container deployments
Dive into the Linux constructs that underpin containers
Examine measures for hardening containers
Understand how misconfigurations can compromise container isolation
Learn best practices for building container images
Identify container images that have known software vulnerabilities
Leverage secure connections between containers
Use security tooling to prevent attacks on your deployment

Table of contents:
Preface
Who This Book Is For
What This Book Covers
A Note about Kubernetes
Examples
How to Run Containers
Feedback
Conventions Used in This Book
Using Code Examples
O'Reilly Online Learning
How to Contact Us
Acknowledgments
1. Container Security Threats
Risks, Threats, and Mitigations
Container Threat Model
Security Boundaries
Multitenancy
Shared Machines
Virtualization
Container Multitenancy
Container Instances
Security Principles
Least Privilege
Defense in Depth
Reducing the Attack Surface
Limiting the Blast Radius
Segregation of Duties
Applying Security Principles with Containers
Summary
2. Linux System Calls, Permissions, and Capabilities
System Calls
File Permissions
setuid and setgid
Security implications of setuid
Linux Capabilities
Privilege Escalation
Summary
3. Control Groups
Cgroup Hierarchies
Creating Cgroups
Setting Resource Limits
Assigning a Process to a Cgroup
Docker Using Cgroups
Cgroups V2
Summary
4. Container Isolation
Linux Namespaces
Isolating the Hostname
Isolating Process IDs
Changing the Root Directory
Combine Namespacing and Changing the Root
Mount Namespace
Network Namespace
User Namespace
User Namespace Restrictions in Docker
Inter-process Communications Namespace
Cgroup Namespace
Container Processes from the Host Perspective
Container Host Machines
Summary
5. Virtual Machines
Booting Up a Machine
Enter the VMM
Type 1 VMMs, or Hypervisors
Type 2 VMM
Kernel-Based Virtual Machines
Trap-and-Emulate
Handling Non-Virtualizable Instructions
Process Isolation and Security
Disadvantages of Virtual Machines
Container Isolation Compared to VM Isolation
Summary
6. Container Images
Root Filesystem and Image Configuration
Overriding Config at Runtime
OCI Standards
Image Configuration
Building Images
The Dangers of docker build
Daemonless Builds
Image Layers
Sensitive data in layers
Storing Images
Identifying Images
Image Security
Build-Time Security
Provenance of the Dockerfile
Dockerfile Best Practices for Security
Attacks on the Build Machine
Image Storage Security
Running Your Own Registry
Signing Images
Image Deployment Security
Deploying the Right Image
Malicious Deployment Definition
Admission Control
GitOps and Deployment Security
Summary
7. Software Vulnerabilities in Images
Vulnerability Research
Vulnerabilities, Patches, and Distributions
Application-Level Vulnerabilities
Vulnerability Risk Management
Vulnerability Scanning
Installed Packages
Container Image Scanning
Immutable Containers
Regular Scanning
Scanning Tools
Sources of Information
Out-of-Date Sources
Won't Fix Vulnerabilities
Subpackage Vulnerabilities
Package Name Differences
Additional Scanning Features
Scanner Errors
Scanning in the CI/CD Pipeline
Prevent Vulnerable Images from Running
Zero-Day Vulnerabilities
Summary
8. Strengthening Container Isolation
Seccomp
AppArmor
SELinux
gVisor
Kata Containers
Firecracker
Unikernels
Summary
9. Breaking Container Isolation
Containers Run as Root by Default
Override the User ID
Root Requirement Inside Containers
Rootless Containers
The --privileged Flag and Capabilities
Mounting Sensitive Directories
Mounting the Docker Socket
Sharing Namespaces Between a Container and Its Host
Sidecar Containers
Summary
10. Container Network Security
Container Firewalls
OSI Networking Model
Sending an IP Packet
IP Addresses for Containers
Network Isolation
Layer 3/4 Routing and Rules
iptables
IPVS
Network Policies
Network Policy Solutions
Network Policy Best Practices
Service Mesh
Summary
11. Securely Connecting Components with TLS
Secure Connections
X.509 Certificates
Public/Private Key Pairs
Certificate Authorities
Certificate Signing Requests
TLS Connections
Secure Connections Between Containers
Certificate Revocation
Summary
12. Passing Secrets to Containers
Secret Properties
Getting Information into a Container
Storing the Secret in the Container Image
Passing the Secret Over the Network
Passing Secrets in Environment Variables
Passing Secrets Through Files
Kubernetes Secrets
Secrets Are Accessible by Root
Summary
13. Container Runtime Protection
Container Image Profiles
Network Traffic Profiles
Executable Profiles
Observing executables with eBPF
File Access Profiles
User ID Profiles
Other Runtime Profiles
Container Security Tools
Prevention or alerting
Drift Prevention
Summary
14. Containers and the OWASP Top 10
Injection
Broken Authentication
Sensitive Data Exposure
XML External Entities
Broken Access Control
Security Misconfiguration
Cross-Site Scripting XSS
Insecure Deserialization
Using Components with Known Vulnerabilities
Insufficient Logging and Monitoring
Summary
Conclusions
Security Checklist
Index

About the author: Liz Rice holds one of the key positions at Aqua Security. She specializes in container security systems. She is a member of the CNCF Technical Oversight Committee and co-chaired KubeCon + CloudNativeCon 2018 in Copenhagen, Shanghai, and Seattle. She has gained extensive experience in team-based software development and in work on distributed systems, as well as in technologies such as VOD and VoIP.