Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security options for container implementations

Published byOwen Todd Modified over 6 years ago

Similar presentations

Presentation on theme: "Security options for container implementations"— Presentation transcript:

1 Security options for container implementations

2 http://doger.io @container_doge
Who am I @container_doge

3 Decreasing Skill Level
Triangle of Effort NSA Decreasing Skill Level Hacker Organized Crime Drive By/Botnet Script Kiddie Increasing Effort

4 What is security? Restrict access to other containers
Prevent knowledge of other containers from leaking Ability to account for memory/cpu/network/disk usage Ability to control memory/cpu/network/disk resources Ability to detect and remove rouge processes

5 Usual Suspects Unix permissions Chroot Rlimit App Armor Selinux
Capabilities Quotas Cgroups Seccomp ACLs

6 What does not work rlimits Quotas Blacklisting via ACLs

7 Capabilities CAP_SYS_MODULE CAP_SYS_RAWIO CAP_NET_BROADCA ST CAP_MKNOD
CAP_SYS_TTY_CONF IG CAP_AUDIT_WRITE CAP_AUDIT_CONTRO L CAP_AUDIT_READ CAP_SYS_TIME CAP_MAC_OVERRIDE CAP_MAC_ADMIN CAP_NET_RAW CAP_SETPCAP CAP_SYSLOG CAP_WAKE_ALARM CAP_BLOCK_SUSPE ND CAP_SYS_BOOT

8 Capabilities 'capsh' to drop capabilities
Call instead of /sbin/init or entry point Have it invoke the init/entrypoint CAP_SETPCAP allows you to turn capabilties back on

9 cgroups Multiple protections in one Accounting of resource usage
Limiting resource usage (cpu/mem) Tracking of processes Preventing/allowing device access

10 cgroups

11 App Armor vs selinux

12 selinux NSA ASIO CIA Secret Multi Level Security Confidential
Unclassified Multi Category Security

13 selinux 'runcon' is your friend
'chcon' to tag the files as belonging to a container Mainly going to be changing the security level s0:c1,c4 Will need appropriate policies/rules in place This means a working selinux setup

14 seccomp Mount Acct Umount2 Sethostname Swapon swapoff Reboot Adjtimeex
Setdomainname init_module delete_module Quotactl finit_module Setns clock_adjtime kexec_load Nfsservct pivot_root pciconfig_iobase pciconfig_read pciconfig_write clock_settime Personality

15 Adding things in Can be patched in: App Armor Selinux Capabilities
Cgroups Requires app support: seccomp

16 Questions

Download ppt "Security options for container implementations"

Similar presentations

Operating-System Structures

Operating-System Structures
1 Chapter Overview Understanding and Applying NTFS Permissions Assigning NTFS Permissions and Special Permissions Solving Permissions Problems.

1 Chapter Overview Understanding and Applying NTFS Permissions Assigning NTFS Permissions and Special Permissions Solving Permissions Problems.
Authentication James Walden Northern Kentucky University.

Authentication James Walden Northern Kentucky University.
CS 483 – SD SECTION (8) AUTHORIZATION. INTRODUCTION The authorization (or access control) process is used to decide if person, program or device X is.

CS 483 – SD SECTION (8) AUTHORIZATION. INTRODUCTION The authorization (or access control) process is used to decide if person, program or device X is.
Docker Security Rahul Sharma. Our Problem Sandboxing user coding assessments : Compile / Run different languages Allow to extract result Control network.

Docker Security Rahul Sharma. Our Problem Sandboxing user coding assessments : Compile / Run different languages Allow to extract result Control network.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
1 Distributed File System, and Disk Quotas (Week 7, Thursday 2/21/2007) © Abdou Illia, Spring 2007.

1 Distributed File System, and Disk Quotas (Week 7, Thursday 2/21/2007) © Abdou Illia, Spring 2007.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 11 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 11 Jonathan Katz.
Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.

7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.
Joshua Caltagirone-Holzli

Joshua Caltagirone-Holzli
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
Linux Intrusion Detection/Defense System (LIDS) - Sowmya Ponugoti - Binita Mehta - Christopher James.

Linux Intrusion Detection/Defense System (LIDS) - Sowmya Ponugoti - Binita Mehta - Christopher James.
Hands-On Microsoft Windows Server 2008 Chapter 5 Configuring, Managing, and Troubleshooting Resource Access.

Hands-On Microsoft Windows Server 2008 Chapter 5 Configuring, Managing, and Troubleshooting Resource Access.
Sharing Resources Lesson 6. Objectives Manage NTFS and share permissions Determine effective permissions Configure Windows printing.

Sharing Resources Lesson 6. Objectives Manage NTFS and share permissions Determine effective permissions Configure Windows printing.
CN1176 Computer Support Kemtis Kunanuraksapong MSIS with Distinction MCT, MCTS, MCDST, MCP, A+

CN1176 Computer Support Kemtis Kunanuraksapong MSIS with Distinction MCT, MCTS, MCDST, MCP, A+
CH14 – Protection / Security. Basics Potential Violations – Unauthorized release, modification, DoS External vs Internal Security Policy vs Mechanism.

CH14 – Protection / Security. Basics Potential Violations – Unauthorized release, modification, DoS External vs Internal Security Policy vs Mechanism.
AtomPark Software is founded in 2001. The head office is located in Saint-Petersburg, Russia. Company is officially registered in the United States. AtomPark.

AtomPark Software is founded in The head office is located in Saint-Petersburg, Russia. Company is officially registered in the United States. AtomPark.

Similar presentations

Ads by Google