Container Security

Container Security - Fundamental Technology Concepts that Protect Containerized Applications, by Liz Rice, April 2020, First Edition, ISBN 978-1-492-05670-6

Table of Contents


1. Container Security Threats
  Risks, Threats, and Mitigations
  Container Threat Model
  Security Boundaries
  Multitenancy
    Shared Machines
    Virtualization
    Container Multitenancy
    Container Instances
  Security Principles
    Least Privilege
    Defense in Depth
    Reducing the Attack Surface
    Limiting the Blast Radius
    Segregation of Duties
    Applying Security Principles with Containers
  Summary

2. Linux System Calls, Permissions, and Capabilities
  System Calls
  File Permissions
    setuid and setgid
  Linux Capabilities
  Privilege Escalation
  Summary

3. Control Groups
  Cgroup Hierarchies
  Creating Cgroups
  Setting Resource Limits
  Assigning a Process to a Cgroup
  Docker Using Cgroups
  Cgroups V2
  Summary

4. Container Isolation
  Linux Namespaces
  Isolating the Hostname
  Isolating Process IDs
  Changing the Root Directory
  Combine Namespacing and Changing the Root
  Mount Namespace
  Network Namespace
  User Namespace
    User Namespace Restrictions in Docker
  Inter-process Communications Namespace
  Cgroup Namespace
  Container Processes from the Host Perspective
  Container Host Machines
  Summary

5. Virtual Machines
  Booting Up a Machine
  Enter the VMM
    Type 1 VMMs, or Hypervisors
    Type 2 VMM
    Kernel-Based Virtual Machines
  Trap-and-Emulate
  Handling Non-Virtualizable Instructions
  Process Isolation and Security
  Disadvantages of Virtual Machines
  Container Isolation Compared to VM Isolation
  Summary

6. Container Images
  Root Filesystem and Image Configuration
  Overriding Config at Runtime
  OCI Standards
  Image Configuration
  Building Images
    The Dangers of docker build
    Daemonless Builds
    Image Layers
  Storing Images
  Identifying Images
  Image Security
  Build-Time Security
    Provenance of the Dockerfile
    Dockerfile Best Practices for Security
    Attacks on the Build Machine
  Image Storage Security
    Running Your Own Registry
    Signing Images
  Image Deployment Security
    Deploying the Right Image
    Malicious Deployment Definition
    Admission Control
  GitOps and Deployment Security
  Summary

7. Software Vulnerabilities in Images
  Vulnerability Research
  Vulnerabilities, Patches, and Distributions
  Application-Level Vulnerabilities
  Vulnerability Risk Management
  Vulnerability Scanning
  Installed Packages
  Container Image Scanning
    Immutable Containers
    Regular Scanning
  Scanning Tools
    Sources of Information
    Out-of-Date Sources
    Won't Fix Vulnerabilities
    Subpackage Vulnerabilities
    Package Name Differences
    Additional Scanning Features
    Scanner Errors
  Scanning in the CI/CD Pipeline
  Prevent Vulnerable Images from Running
  Zero-Day Vulnerabilities
  Summary

8. Strengthening Container Isolation
  Seccomp
  AppArmor
  SELinux
  gVisor
  Kata Containers
  Firecracker
  Unikernels
  Summary

9. Breaking Container Isolation
  Containers Run as Root by Default
    Override the User ID
    Root Requirement Inside Containers
    Rootless Containers
  The --privileged Flag and Capabilities
  Mounting Sensitive Directories
  Mounting the Docker Socket
  Sharing Namespaces Between a Container and Its Host
  Sidecar Containers
  Summary

10. Container Network Security
  Container Firewalls
  OSI Networking Model
  Sending an IP Packet
  IP Addresses for Containers
  Network Isolation
  Layer 3/4 Routing and Rules
    iptables
    IPVS
  Network Policies
    Network Policy Solutions
    Network Policy Best Practices
  Service Mesh
  Summary

11. Securely Connecting Components with TLS
  Secure Connections
  X.509 Certificates
    Public/Private Key Pairs
    Certificate Authorities
    Certificate Signing Requests
  TLS Connections
  Secure Connections Between Containers
  Certificate Revocation
  Summary

12. Passing Secrets to Containers
  Secret Properties
  Getting Information into a Container
    Storing the Secret in the Container Image
    Passing the Secret Over the Network
    Passing Secrets in Environment Variables
    Passing Secrets Through Files
  Kubernetes Secrets
  Secrets Are Accessible by Root
  Summary

13. Container Runtime Protection
  Container Image Profiles
    Network Traffic Profiles
    Executable Profiles
    File Access Profiles
    User ID Profiles
    Other Runtime Profiles
    Container Security Tools
  Drift Prevention
  Summary

14. Containers and the OWASP Top 10
  Injection
  Broken Authentication
  Sensitive Data Exposure
  XML External Entities
  Broken Access Control
  Security Misconfiguration
  Cross-Site Scripting (XSS)
  Insecure Deserialization
  Using Components with Known Vulnerabilities
  Insufficient Logging and Monitoring
  Summary

Conclusions
  Security Checklist

Index