
Container Security

Security in the Linux container platform is still evolving and far from complete. Container technology came into existence to run certain workloads in isolation; the original goal was not to protect those workloads but to protect everything else on the host from them.

Docker is taking steps to plug potential holes in the container platform, but a lot of work remains, so security has to be a deliberate part of how containers are built and run. Containers depend on the host kernel: there is no hypervisor between a containerised process and the kernel, only a set of namespaces and cgroups, so the first level of security is to restrict which calls a container workload can make into the host kernel and what those calls may touch.

There are three commonly used ways to restrict or block what a container can ask of the kernel: capabilities, seccomp and AppArmor (SELinux plays the same role as AppArmor on distributions that ship it instead).

Each of these features has a different purpose and they overlap very little. All of them exist to reduce the damage a process can do once it has been compromised, and all of them are very low overhead, so there is little reason not to use them together.

Seccomp - A Linux kernel feature (secure computing mode) that lets a user-space program install a system-call filter on itself and on every process it later spawns. User space is where applications run; whenever an application needs the kernel to do something (open a file, send a packet, start a process) it asks through a system call, so a filter on system calls is a filter on everything the application can do to the kernel. The filter defines which system calls are permitted, which are denied with an error and which kill the process outright. Docker applies a default seccomp profile to every container that blocks around 40 of the 300-plus syscalls (mount, kexec_load and keyctl among them), and a custom profile can be passed per container with --security-opt seccomp=profile.json. A profile written as an allow-list (defaultAction SCMP_ACT_ERRNO plus only the calls the application actually needs) is much stronger than a deny-list. Be aware that --security-opt seccomp=unconfined removes the filter entirely.
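To make the profile format concrete, here is an added example (my own code, not part of the original post and not Docker's implementation) that loads a small allow-list profile in the JSON shape Docker accepts for --security-opt seccomp=, and evaluates what the filter would do for a given syscall and arguments. The profile itself is constructed for the example; the rule on personality(2) mirrors the idea in Docker's default profile of only allowing the persona values that keep ASLR on. The evaluator assumes first-match semantics, which is a simplification of how libseccomp resolves overlapping rules.

```python
import json

# Constructed sample profile in the JSON format Docker accepts for
# --security-opt seccomp=<file>. It is an allow-list written for this
# example (assumption), not Docker's real default profile.
PROFILE_JSON = r'''
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [
    {"names": ["read", "write", "close", "fstat", "mmap", "munmap", "brk",
               "futex", "rt_sigreturn", "exit_group"],
     "action": "SCMP_ACT_ALLOW"},
    {"names": ["personality"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 0, "op": "SCMP_CMP_EQ"}]},
    {"names": ["socket"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 1, "op": "SCMP_CMP_EQ"}]},
    {"names": ["ptrace", "mount", "keyctl"], "action": "SCMP_ACT_KILL"}
  ]
}
'''

# Argument comparisons a profile may use: (actual, value, valueTwo) -> bool.
COMPARISONS = {
    "SCMP_CMP_EQ": lambda actual, v, _: actual == v,
    "SCMP_CMP_NE": lambda actual, v, _: actual != v,
    "SCMP_CMP_LT": lambda actual, v, _: actual < v,
    "SCMP_CMP_LE": lambda actual, v, _: actual <= v,
    "SCMP_CMP_GT": lambda actual, v, _: actual > v,
    "SCMP_CMP_GE": lambda actual, v, _: actual >= v,
    # MASKED_EQ: (argument & value) must equal valueTwo
    "SCMP_CMP_MASKED_EQ": lambda actual, v, v2: (actual & v) == v2,
}


def load_profile(text):
    """Parse a Docker seccomp profile and reject malformed rules up front."""
    profile = json.loads(text)
    if "defaultAction" not in profile:
        raise ValueError("profile has no defaultAction")
    profile.setdefault("syscalls", [])
    for rule in profile["syscalls"]:
        if not rule.get("names") or "action" not in rule:
            raise ValueError(f"rule without names/action: {rule}")
        for check in rule.get("args") or []:
            if check["op"] not in COMPARISONS:
                raise ValueError(f"unknown comparison {check['op']!r}")
    return profile


def is_allowlist(profile):
    """True when anything not listed is blocked, the stronger profile shape."""
    return profile["defaultAction"] != "SCMP_ACT_ALLOW"


def _arg_ok(check, args):
    # Arguments the caller did not supply are treated as 0.
    actual = args[check["index"]] if check["index"] < len(args) else 0
    compare = COMPARISONS[check["op"]]
    return compare(actual, check.get("value", 0), check.get("valueTwo", 0))


def evaluate(profile, syscall, args=()):
    """Action the filter takes for `syscall` called with integer `args`.

    Simplification (assumed): the first rule whose names and argument checks
    all match wins. libseccomp resolves overlapping rules by specificity, so
    keep rules non-overlapping, as this profile does.
    """
    for rule in profile["syscalls"]:
        if syscall not in rule["names"]:
            continue
        if all(_arg_ok(check, args) for check in rule.get("args") or []):
            return rule["action"]
    return profile["defaultAction"]


if __name__ == "__main__":
    profile = load_profile(PROFILE_JSON)
    print("allow-list profile:", is_allowlist(profile))
    probes = [("read", ()), ("openat", ()), ("socket", (1,)), ("socket", (2,)),
              ("personality", (0,)), ("personality", (0x40000,)), ("ptrace", ())]
    for name, args in probes:
        print(f"{name}{args}: {evaluate(profile, name, args)}")
```

Running the block shows socket(AF_UNIX) allowed while socket(AF_INET) gets EPERM, and personality(ADDR_NO_RANDOMIZE) denied while personality(0) is allowed; ptrace kills the process. Once a profile like this is saved to a file it is applied with docker run --security-opt seccomp=profile.json, and the quickest way to discover which calls a workload needs is to run it under strace before tightening the list.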

AppArmor - A mandatory access control framework implemented as a Linux security module. An AppArmor profile allows or denies a subject (a program) access to objects (files, paths, network sockets and capabilities). For example, a profile can allow a program read access to /etc/passwd while denying any access to /etc/shadow, and the same profile can restrict capabilities or limit network access. On hosts where AppArmor is enabled, Docker attaches a default profile called docker-default to every container; a custom profile is loaded on the host with apparmor_parser and selected per container with --security-opt apparmor=profile-name. Because the profile lives on the host and is enforced by the kernel, a compromised container cannot edit its way out of it.

Capabilities - The most common security setting applied to containers is capability dropping: a privileged process gives up a subset of the privileges it is endowed with, so that "root" inside the container is far weaker than root on the host. Linux splits root's power into around 40 distinct capabilities. Docker grants a non-privileged container a default set of 14 (chown, net_raw, net_bind_service, sys_chroot, setuid and so on), and --cap-drop / --cap-add adjust that set per container. For example, --cap-drop=NET_RAW takes away the ability to open raw sockets, and therefore to craft arbitrary packets or sniff the container's network, while --cap-drop=ALL --cap-add=NET_BIND_SERVICE leaves a web server with nothing but the ability to bind a port below 1024. The technique is not very fine-grained, since there are only a few dozen capabilities and some of them (CAP_SYS_ADMIN in particular) are close to full root, but it still reduces the damage a compromised program can do. Never run with --privileged unless the workload truly needs it: it grants every capability and also disables the seccomp and AppArmor confinement described above.
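An added example of my own (not code from the original post or from Docker) that decodes the CapEff mask a process sees in /proc/self/status and simulates what --cap-drop and --cap-add do to the set. The /proc status text embedded below is constructed, with the CapEff value 00000000a80425fb that Docker's 14 default capabilities encode to; the capability numbering is the kernel's. The drop/add merging rule follows Docker's behaviour as I understand it and is labelled as an assumption in the code.

```python
import re

# Linux capability names indexed by capability number
# (include/uapi/linux/capability.h: CAP_CHOWN = 0 ... CAP_CHECKPOINT_RESTORE = 40).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# The 14 capabilities Docker grants a non-privileged container by default.
DOCKER_DEFAULT = {
    "chown", "dac_override", "fsetid", "fowner", "mknod", "net_raw",
    "setgid", "setuid", "setfcap", "setpcap", "net_bind_service",
    "sys_chroot", "kill", "audit_write",
}

# Constructed /proc/<pid>/status excerpt, as seen from PID 1 of a container
# started with default settings.
SAMPLE_STATUS = """\
Name:\tnginx
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""


def normalize(name):
    """Accept 'CAP_NET_RAW', 'NET_RAW' or 'net_raw' as the same capability."""
    n = name.strip().lower()
    if n.startswith("cap_"):
        n = n[4:]
    if n != "all" and n not in CAP_NAMES:
        raise ValueError(f"unknown capability {name!r}")
    return n


def decode(mask):
    """Set of capability names whose bit is set in a Cap* mask."""
    return {CAP_NAMES[i] for i in range(len(CAP_NAMES)) if (mask >> i) & 1}


def encode(names):
    """Inverse of decode: build the mask for a set of capability names."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_NAMES.index(normalize(name))
    return mask


def parse_status(text, field="CapEff"):
    """Pull one capability mask (hex) out of /proc/<pid>/status text."""
    match = re.search(rf"^{field}:\s*([0-9a-fA-F]+)\s*$", text, re.M)
    if not match:
        raise ValueError(f"{field} not found in status text")
    return int(match.group(1), 16)


def apply_flags(base, cap_drop=(), cap_add=()):
    """Simulate docker run --cap-drop/--cap-add on a base capability set.

    Merging rule (assumed to match Docker): --cap-add=ALL means everything
    minus the drops; --cap-drop=ALL means exactly the adds; otherwise drops
    are removed from the base and adds appended.
    """
    base = {normalize(c) for c in base}
    drops = {normalize(c) for c in cap_drop}
    adds = {normalize(c) for c in cap_add}
    if "all" in adds:
        return set(CAP_NAMES) - drops
    if "all" in drops:
        return adds
    return (base - drops) | adds


if __name__ == "__main__":
    eff = parse_status(SAMPLE_STATUS)
    print(f"CapEff {eff:#x} ->", sorted(decode(eff)))
    print("--cap-drop=NET_RAW ->", sorted(apply_flags(decode(eff), cap_drop=["NET_RAW"])))
    print("--cap-drop=ALL --cap-add=NET_BIND_SERVICE ->",
          sorted(apply_flags(decode(eff), cap_drop=["ALL"], cap_add=["NET_BIND_SERVICE"])))
```

Inside a real container, `grep Cap /proc/1/status` gives the masks to feed into parse_status; comparing the decoded set against what the workload needs is the quickest way to find capabilities that can be dropped. If CapEff decodes to all 41 names the container is effectively privileged, whatever its flags were.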

In general,
   Seccomp reduces the chance that a kernel vulnerability will be exploited, by shrinking the set of kernel entry points a container can reach.
   AppArmor prevents an application from accessing files and network resources it should not access.
   Capability dropping reduces the damage a compromised privileged process can do.


Container Image Scanning - A container is a running instance of an image. An image is an executable package that includes everything needed to run an application: the application code, configuration files, runtime (Java, Python), libraries and environment variables. It is built up from a series of layers; for a Docker image, each layer corresponds to an instruction in the build file (the Dockerfile). Every image starts from the parent image named in the FROM instruction, which is typically pulled from a public registry at build time, so everything in that parent (its OS packages, its shell, its C library) becomes part of your image whether or not you ever looked at it.

It is impractical to manually track every file, package and library that ends up in an image, and anything pulled from a public registry may carry known vulnerabilities. A breach that starts from a vulnerable library is among the costliest things an organisation can endure. The usual defence is to scan images automatically and compare the packages they contain against the list of known Common Vulnerabilities and Exposures (CVEs): in the build pipeline, so that a vulnerable image never reaches a registry, and again on a schedule afterwards, because new CVEs are published against packages that were clean when the image was built. Pinning the parent image by digest rather than by a mutable tag such as latest keeps the scan results reproducible. Automatic detection lets you apply fixes before the application container ever comes alive.


Container Runtime security - Runtime security means vetting everything that happens in the container environment once it is up: container, runtime and host activity, as well as the protocols and payloads of network connections. Some exposure is removed beforehand by benchmarking and vulnerability scanning the host operating system, and images are scanned and fixed before they run, but neither tells you what a container is actually doing. You need to see which processes start inside running containers, what network calls they make and what directories and devices they access, and to compare that against what the workload is expected to do, because a container that has been compromised after start-up looks exactly like a healthy one to an image scanner. This is where container runtime monitoring comes into the picture. Falco is one such tool: it hooks system-call events through a kernel module or eBPF probe and raises an alert whenever an event matches a rule, such as a shell being spawned inside a container or a file being written below /etc.
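An added example (my own, not Falco's code or rule syntax) that shows the shape of runtime detection: a handful of rules evaluated over a constructed stream of syscall-derived events, two of them modelled on rules in Falco's default ruleset ("Terminal shell in container" and "Write below etc") and one on a per-image baseline of expected processes. The event field names and the expected-process baseline are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed runtime events in a shape of my own choosing (assumption): one
# dict per syscall-derived event, roughly the information a runtime monitor
# has when it evaluates its rules. container == "host" marks a process that
# is not inside any container.
EVENTS = [
    {"type": "exec", "container": "web-1", "image": "nginx",
     "proc": "nginx", "pproc": "nginx", "user": "nginx", "terminal": False},
    {"type": "open", "container": "web-1", "image": "nginx",
     "proc": "nginx", "path": "/var/log/nginx/access.log", "write": True},
    {"type": "exec", "container": "web-1", "image": "nginx",
     "proc": "bash", "pproc": "nginx", "user": "root", "terminal": True},
    {"type": "open", "container": "web-1", "image": "nginx",
     "proc": "bash", "path": "/etc/passwd", "write": True},
    {"type": "open", "container": "web-1", "image": "nginx",
     "proc": "cat", "path": "/etc/shadow", "write": False},
    {"type": "exec", "container": "host", "image": "",
     "proc": "bash", "pproc": "sshd", "user": "admin", "terminal": True},
]

SHELLS = {"sh", "bash", "dash", "ash", "zsh"}
PACKAGE_MANAGERS = {"apt", "apt-get", "dpkg", "yum", "rpm", "apk"}
SENSITIVE_FILES = {"/etc/shadow", "/etc/sudoers", "/etc/pam.conf"}
# Processes each image is expected to run (assumed baseline for the example).
EXPECTED_PROCS = {"nginx": {"nginx"}}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: str
    condition: Callable[[dict], bool]


def in_container(ev):
    return ev["container"] != "host"


RULES = [
    # Modelled on "Terminal shell in container" from Falco's default rules.
    Rule("Terminal shell in container", "NOTICE",
         lambda ev: ev["type"] == "exec" and in_container(ev)
         and ev["proc"] in SHELLS and ev["terminal"]),
    # Modelled on "Write below etc": config writes by anything but a package manager.
    Rule("Write below etc", "ERROR",
         lambda ev: ev["type"] == "open" and in_container(ev) and ev["write"]
         and ev["path"].startswith("/etc/") and ev["proc"] not in PACKAGE_MANAGERS),
    Rule("Read sensitive file", "WARNING",
         lambda ev: ev["type"] == "open" and in_container(ev) and not ev["write"]
         and ev["path"] in SENSITIVE_FILES),
    # Baseline rule: a process the image is not known to run at all.
    Rule("Unexpected process in container", "WARNING",
         lambda ev: ev["type"] == "exec" and in_container(ev)
         and ev["proc"] not in EXPECTED_PROCS.get(ev["image"], set())),
]


def detect(events, rules=RULES):
    """Return (priority, rule name, event) for every rule each event trips."""
    alerts = []
    for ev in events:
        for rule in rules:
            if rule.condition(ev):
                alerts.append((rule.priority, rule.name, ev))
    return alerts


def summarize(alerts):
    """Alert counts per rule, the view you would put on a dashboard."""
    counts = {}
    for _, name, _ in alerts:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for priority, name, ev in detect(EVENTS):
        detail = ev.get("path") or f"user={ev.get('user')} parent={ev.get('pproc')}"
        print(f"{priority:8}{name}: {ev['proc']} in {ev['container']} ({detail})")
    print(summarize(detect(EVENTS)))
```

The two nginx events produce nothing, the interactive root shell trips both the shell rule and the baseline rule, and the follow-on writes and reads under /etc are caught on their own. The host-side shell is ignored because none of the rules apply outside a container; in a real deployment the container name and image would come from the runtime's metadata rather than from the event itself.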
