2025-02-24 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
This article explains the "Docker container security control method". The content is simple and clear and easy to learn; please follow the editor's train of thought step by step as we study the "Docker container security control method" together.
I. Preface
There is no doubt that containers are one of the popular, mainstream technologies in cloud computing. By packaging the application together with its runtime environment, Docker solves the problem of deployment-environment dependencies; it closes the gap between compilation, packaging, deployment and operations, and helps improve the efficiency of application development and operations. In short, it fits the DevOps philosophy and is valued by many enterprises.
Of course, there are many security risks across the Docker container life cycle: problems in the container itself, problems in the container image, and problems exposed while the container is running. This article therefore discusses the security problems of the Docker container life cycle and the corresponding improvement methods. Corrections from readers are welcome.
II. Life cycle security of Docker containers
Security issues may be introduced at many stages of the Docker container life cycle. This chapter analyzes these issues module by module. First, look at the architecture of Docker container lifecycle security control, shown in figure 1.
Figure 1. Docker container lifecycle security control architecture
This figure reflects Docker's "Build, Ship and Run" operations on its core object, the image (build image, transfer image, run container); the Docker application environment can be divided into a "non-production environment" and a "production environment".
The non-production environment is closely tied to Dev (development), while the production environment is closely tied to Ops (operations). The main control point in the non-production environment is image deep scanning. When containers are orchestrated in the production environment, Docker images must be pulled from the non-production environment and run, so image operation control is also a major control point.
The main control points in the production environment are container system intrusion detection and protection, and container network intrusion detection and protection. At the same time, compliance baselines should be treated as an important control point at all stages of the Docker container life cycle.
Starting from the main control points of Docker container security, the following lists some of the security issues each one addresses.
1. Image deep scanning
Security issues to consider during image deep scanning include, but are not limited to:
Operating system packages and application dependencies in the image contain known CVE vulnerabilities
A Webshell has been implanted in the image's application directory
Sensitive information disclosure in the image
Image integrity verification problems
Unsafe practices in the Dockerfile (the Dockerfile is the build script for a Docker image)
2. Image operation control
Security issues to consider during image operation control include, but are not limited to:
Image integrity verification problems
Privileged mode, which shares the host's root privileges
Memory quota not limited
CPU priority not limited
Storage space quota not limited
Host network mode used when starting containers
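As an added example (not code from the original article or from any product it names), the items in the list above can be checked mechanically against the JSON that "docker inspect" prints for running containers. The script below reads constructed inspect output embedded inline and flags privileged mode, host networking, missing memory, CPU and storage limits, and added capabilities; the storage check assumes a storage driver that honours "--storage-opt size=".

```python
import json
import sys

# Constructed sample: trimmed `docker inspect` output for two containers.
# Not real output from the article or from any system.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web-unsafe",
     "HostConfig": {"Privileged": True, "NetworkMode": "host", "Memory": 0,
                    "NanoCpus": 0, "CpuShares": 0, "StorageOpt": {},
                    "CapAdd": ["SYS_ADMIN"]}},
    {"Name": "/web-hardened",
     "HostConfig": {"Privileged": False, "NetworkMode": "bridge",
                    "Memory": 536870912, "NanoCpus": 1000000000, "CpuShares": 512,
                    "StorageOpt": {"size": "10G"}, "CapAdd": None, "CapDrop": ["ALL"]}},
])


def audit_container(entry):
    """Return a list of (severity, message) findings for one inspect record."""
    hc = entry.get("HostConfig", {})
    name = entry.get("Name", "?").lstrip("/")
    findings = []
    if hc.get("Privileged"):
        findings.append(("high", f"{name}: runs in privileged mode (root-equivalent on the host)"))
    if hc.get("NetworkMode") == "host":
        findings.append(("high", f"{name}: uses host network mode (no network namespace)"))
    # Docker reports 0 for limits that were never set.
    if not hc.get("Memory"):
        findings.append(("medium", f"{name}: no memory limit (--memory not set)"))
    if not hc.get("NanoCpus") and not hc.get("CpuShares"):
        findings.append(("medium", f"{name}: no CPU limit or priority (--cpus/--cpu-shares not set)"))
    # Only meaningful on storage drivers that support a per-container size quota.
    if not (hc.get("StorageOpt") or {}).get("size"):
        findings.append(("low", f"{name}: no storage quota (--storage-opt size= not set)"))
    for cap in hc.get("CapAdd") or []:
        findings.append(("high", f"{name}: adds Linux capability {cap}"))
    return findings


def audit_inspect_output(raw_json):
    """Map container name -> findings for a whole `docker inspect` JSON array."""
    records = json.loads(raw_json)
    return {rec["Name"].lstrip("/"): audit_container(rec) for rec in records}


if __name__ == "__main__":
    # Real use: docker inspect $(docker ps -q) | python3 audit_containers.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, findings in audit_inspect_output(raw).items():
        print(f"== {name}: {len(findings)} finding(s)")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```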
3. Intrusion detection and protection of the container system
When doing container system intrusion detection and protection, the security issues to watch for include, but are not limited to:
File system not isolated
Calls to vulnerable kernel functions
Denial of service attack
4. Intrusion detection and protection of the container network
When doing container network intrusion detection and protection, the security issues to watch for include, but are not limited to:
Local area network attacks between containers
Remote API interface security
Docker architecture defects and security mechanism flaws
Security issues of Web applications based on a microservice architecture
5. Security compliance baseline
To address Docker security issues, the levels a security compliance baseline should cover include, but are not limited to:
Kernel level
Network level
Image level
Container level
File limits
Capability limits
6. Vulnerabilities in Docker and its supporting software
When using Docker and its supporting software, security issues to consider include, but are not limited to:
Docker's own vulnerabilities
Vulnerabilities in K8S (Kubernetes) and other orchestration applications
Vulnerabilities in the image repository itself
Note: vulnerabilities in Docker and its supporting software have a profound impact on the security of Docker containers, so they are treated as an independent control point. "The versions of Docker and its supporting software in use are not affected by known vulnerabilities" can serve as one "security compliance baseline" item.
III. Methods for improving the security posture of Docker containers
In the face of the Docker container security challenge, we can "divide and conquer" and manage the security control points of each stage. When implementing controls, the more important control points can be prioritized and less important ones deferred (for example, the "image operation control" point is more about how users use Docker; a security product can warn users about dangerous operations without necessarily blocking them). Docker container security products should focus on preventing security problems caused by unsafe use.
Next, drawing on industry practice, we outline the control methods for "image deep scanning", "container system intrusion detection and protection", "container network intrusion detection and protection" and "security compliance baseline".
1. Control method for "image deep scanning"
Using a Docker image scanner before using Docker images helps discover security issues in them. Accordingly, the well-known open source image repository Harbor integrates image scanners, as shown in figure 2.
Figure 2. Harbor, a well-known open source image repository, integrates image scanners
Existing image scanning tools basically all provide the basic function of "scanning for software vulnerabilities". Some open source projects or commercial platforms add the following special features:
Static analysis for Trojans, viruses, malware or other malicious threats
Static discovery of code security issues in mainstream programming languages (closely integrated with the development workflow)
Checking the Dockerfile
Checking for credential disclosure
Because the Docker image is the template of the Docker container, involves a large attack surface, and has some security risks that scanners do not easily detect, current "Docker image scanning" practice still cannot guarantee image security. It is recommended to check images manually as well (some image information can be examined by combining commands such as "docker inspect" and "docker history").
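The Dockerfile and credential-disclosure checks listed above, together with the "unsafe practices in the Dockerfile" item from section II, can be approximated with a small linter. The following is an added example written for this article, not code from any scanner the page names; the Dockerfile it lints is constructed, and the set of rules is an assumption about what a scanner should flag.

```python
import re

# Constructed Dockerfile containing several unsafe patterns; not from the article.
SAMPLE_DOCKERFILE = """\
FROM ubuntu:latest
ENV DB_PASSWORD=SuperSecret123
ARG AWS_SECRET_ACCESS_KEY
ADD https://example.invalid/app.tar.gz /opt/
RUN curl -sSL https://example.invalid/install.sh | sh
RUN chmod -R 777 /opt/app
EXPOSE 22
CMD ["/opt/app/start.sh"]
"""

SECRET_NAME_RE = re.compile(r"(passw(or)?d|secret|token|api[_-]?key|private[_-]?key)", re.I)


def parse_instructions(text):
    """Yield (INSTRUCTION, argument) pairs; joins backslash-continued lines, skips comments."""
    buf = ""
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        parts = (buf + line).strip().split(None, 1)
        buf = ""
        if parts:
            yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def lint_dockerfile(text):
    """Return a list of human-readable findings for one Dockerfile."""
    findings, has_nonroot_user = [], False
    for ins, arg in parse_instructions(text):
        if ins == "FROM":
            image = arg.split()[0]
            if image != "scratch" and (image.endswith(":latest") or (":" not in image and "@" not in image)):
                findings.append(f"FROM {image}: unpinned base image (use a fixed tag or digest)")
        elif ins == "USER":
            has_nonroot_user = arg.strip() not in ("root", "0")
        elif ins in ("ENV", "ARG") and SECRET_NAME_RE.search(arg):
            # ENV values and ARG names are recorded in image metadata and `docker history`.
            findings.append(f"{ins} {arg.split('=')[0].split()[0]}: credential-like name baked into image metadata")
        elif ins == "ADD" and re.match(r"(https?|ftp)://", arg):
            findings.append("ADD from a remote URL: unverified download (prefer COPY, or RUN with a checksum)")
        elif ins == "RUN":
            if re.search(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b", arg):
                findings.append("RUN pipes a downloaded script straight into a shell")
            if re.search(r"chmod\s+(-R\s+)?[0-7]?777\b", arg):
                findings.append("RUN chmod 777: world-writable files in the image")
        elif ins == "EXPOSE" and "22" in arg.split():
            findings.append("EXPOSE 22: an SSH daemon inside the container enlarges the attack surface")
    if not has_nonroot_user:
        findings.append("no non-root USER: container processes run as root by default")
    return findings


if __name__ == "__main__":
    for finding in lint_dockerfile(SAMPLE_DOCKERFILE):
        print("-", finding)
```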
2. Control method for container system intrusion detection and protection
Strengthening the isolation between the Docker container and the kernel helps strengthen "container system intrusion detection and protection". Examples include security features developed by the Docker community, Linux runtime security mechanisms, anomaly detection applications, and "container + full virtualization" solutions, as shown in figure 3.
Figure 3. Control method for container system intrusion detection and protection
The Docker community has developed security features based on Linux Cgroups and Namespaces. Cgroups can be used to limit CPU, memory and block device I/O (see the parameters of the "docker run" command); Namespaces can be used to isolate kernel resources such as PID, mount, network, UTS, IPC and user. Cgroups' isolation of system resources is relatively complete, while Namespace isolation is not complete (and cannot be made fully complete, because that is an inherent limitation of sharing the kernel).
Some Linux runtime security mechanisms that can be drawn on are as follows:
Capabilities: which privileged operations a program is allowed to perform
SELinux: defines permissions for each user, process, application and file access and transition in the system, then uses a security policy to control the interaction between these entities (users, processes, applications and files). The security policy specifies how strictly or loosely checks are made.
AppArmor: sets access control permissions for executing programs (can restrict a program from reading/writing a directory or file, opening/reading/writing network ports, etc.)
Seccomp: a sandbox mechanism for applications that restricts which system calls a process may make, by whitelist and blacklist.
Grsecurity: a Linux kernel patch that enhances kernel security.
Some open source applications for anomaly detection in container environments are as follows:
Sysdig Falco: a process anomaly detection tool designed for cloud native platforms that supports system call events and Kubernetes audit logs
cAdvisor: real-time monitoring and performance data collection for resources and containers on node machines, including CPU usage, memory usage, network throughput and file system usage.
The "container + full virtualization" solution is also effective for "container system intrusion protection". If the container runs in a fully virtualized environment (for example, inside a virtual machine), then even if the container is breached, the virtual machine still provides a layer of protection (this approach is used in some application scenarios with high security requirements).
3. Control method for container network intrusion detection and protection
The security problems of the Docker container network fall into two categories: "network security protection" and "microservice Web application security". Main ideas such as "isolation" and "access control" help control both. In addition, some mature security technologies can still be applied to Docker scenarios. In practice, controls can be applied according to the scale of the Docker deployment and the actual network layout.
The Docker network itself has security mechanisms that provide "isolation" and "access control", but they have defects such as "coarse granularity" and "lack of awareness of security threats", as shown in figure 4.
Figure 4. Security mechanism of Docker network itself
To make up for the security shortcomings of the Docker network, some commercial end-to-end Docker security products defend network clusters in depth; their features include:
Container firewall
Runtime protection
Network deep packet inspection
Alerts on attack behavior and abnormal behavior
Log monitoring
Multi-orchestration platform support
Visualization of network traffic
When implementing the above features, some vendors have introduced machine learning methods into their products to generate behavior patterns and container-aware network rules.
The Docker network has diverse networking schemes, varying container life cycles, diverse application scenarios and so on. The control method should therefore be formulated with reference to the characteristics of the networking scheme. The intrusion detection and protection ideas for "traditional monolithic applications" and "microservice architecture applications" are shown in figure 5.
Figure 5. Docker network intrusion detection and protection ideas
First, look at the intrusion detection and protection ideas for a Docker network cluster that resembles a traditional monolithic application. Take the micro-service cluster shown in figure 6 as an example: it contains only three containers, for Nginx, Tomcat and MySQL.
Figure 6. Intrusion detection and protection of a Docker network cluster resembling a traditional monolithic application
Note: the green dotted line in the figure indicates file mounting or Docker's cp command, which makes it easier to modify the configuration file in the Nginx container, adjust the application files in the Tomcat container, or persist the data of the MySQL container on the host in real time.
To conduct intrusion detection and protection for this Docker Web application, the following nine methods can be considered:
(1) iptables isolation
By building an iptables-based isolation policy on the host, outside the Docker network cluster, an attacker's access to the "container ports mapped on the host" can be restricted and the attack surface reduced.
(2) Deploy a software WAF
By deploying a software WAF at the traffic entrance of the Docker network cluster (as host software or as a Docker container), some malicious traffic can be detected and blocked there.
(3) Deploy RASP
By deploying RASP products inside the Docker containers of Java and PHP servers, RASP serves as the last link of protection and as a supplement to network controls.
(4) Webshell scanning
Scanning the "Web application files" from the Docker container with a Webshell scanning engine on the host (the files can be obtained through the "docker cp" command or the "dynamic mount" mechanism) helps discover Webshells implanted by an attacker.
(5) Log analysis
Analyze the log files from the Docker container with log analysis tooling such as ELK on the host (these log files can likewise be obtained via "docker cp" or "dynamic mount"). In addition, practices such as running a separate sidecar log container can help identify security threats.
(6) Identify man-in-the-middle attacks
Network isolation within the Docker network cluster is an effective way to prevent such network-based attacks, since it makes it impossible for attackers to manipulate or eavesdrop on the network traffic of the host and other containers; in this case, OpenVPN (Open Virtual Private Network) provides a way to implement virtual private networks (VPN) with TLS (Transport Layer Security) encryption.
(7) Identify and block traffic with an abnormal flow direction
"Micro-segmentation" of the network within the Docker network cluster according to the actual network topology (under a "microservice architecture", IP addresses may change frequently, but the pre-divided network segments will not), or DPI analysis of specified bridges and network interfaces, helps identify and block abnormal flows.
(8) Identify denial of service attacks
A denial of service attack can be identified by reading, on the host, the real-time contents (network, CPU, memory, disk) of the cgroup file system files corresponding to the Docker container.
(9) Visualization of network traffic
"Network traffic visualization" is a common additional feature of existing "container security products". It may rely on "DPI analysis of traffic on designated bridges and network interfaces".
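Method (8) above reads the container's cgroup files on the host. The following added example (not from the article) implements that idea for the cgroup v2 memory, CPU-throttling and PID-count files, using a constructed temporary directory in place of the real container cgroup path; the thresholds and the sample values are assumptions chosen for illustration.

```python
import os
import tempfile


def read_value(path, default=""):
    """Read one cgroup v2 file; a missing file (cgroup v1 host, controller disabled) yields the default."""
    try:
        with open(path) as f:
            return f.read().strip()
    except FileNotFoundError:
        return default


def parse_kv(text):
    """Parse 'key value' lines as written by cpu.stat and memory.events."""
    out = {}
    for line in text.splitlines():
        key, _, val = line.partition(" ")
        if val.strip().isdigit():
            out[key] = int(val)
    return out


def check_cgroup(cg_dir, mem_warn=0.9, throttle_warn=0.5, pids_warn=0.9):
    """Return anomaly messages for one container's cgroup v2 directory."""
    def r(name, default=""):
        return read_value(os.path.join(cg_dir, name), default)
    alerts = []
    mem_cur, mem_max = int(r("memory.current", "0")), r("memory.max", "max")
    if mem_max == "max":
        alerts.append("no memory limit: the container can exhaust host memory")
    elif mem_cur / int(mem_max) >= mem_warn:
        alerts.append(f"memory at {mem_cur / int(mem_max):.0%} of its limit")
    if parse_kv(r("memory.events")).get("oom_kill", 0) > 0:
        alerts.append("OOM kills recorded for this container")
    cpu = parse_kv(r("cpu.stat"))
    periods = cpu.get("nr_periods", 0)
    if periods and cpu.get("nr_throttled", 0) / periods >= throttle_warn:
        alerts.append(f"CPU throttled in {cpu['nr_throttled'] / periods:.0%} of scheduling periods")
    pids_cur, pids_max = int(r("pids.current", "0")), r("pids.max", "max")
    if pids_max == "max":
        alerts.append("no PID limit: a fork bomb can exhaust the host process table")
    elif pids_cur / int(pids_max) >= pids_warn:
        alerts.append(f"PIDs at {pids_cur}/{pids_max}")
    return alerts


def write_cgroup_fixture(files):
    """Write constructed cgroup files into a temp dir; a stand-in for the real cgroup path."""
    d = tempfile.mkdtemp(prefix="cg-demo-")
    for name, content in files.items():
        with open(os.path.join(d, name), "w") as f:
            f.write(content + "\n")
    return d


# Constructed snapshot of a container being pushed toward resource exhaustion.
SAMPLE_UNDER_ATTACK = {
    "memory.current": "503316480", "memory.max": "536870912",
    "memory.events": "low 0\nhigh 12\nmax 40\noom 3\noom_kill 3",
    "cpu.stat": "usage_usec 9000000\nnr_periods 1000\nnr_throttled 800\nthrottled_usec 7000000",
    "pids.current": "950", "pids.max": "1024",
}

if __name__ == "__main__":
    # On a cgroup v2 host with the systemd driver the real path is typically
    # /sys/fs/cgroup/system.slice/docker-<container id>.scope
    for alert in check_cgroup(write_cgroup_fixture(SAMPLE_UNDER_ATTACK)):
        print("ALERT:", alert)
```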
Next, look at the intrusion detection and protection ideas for the Docker network clusters of "microservice architecture applications". The significant differences between "microservice architecture applications" and "traditional monolithic applications" include a large number of Docker containers, a complex network topology and so on. In this production scenario, platforms such as K8S help users with large-scale container orchestration. The intrusion detection and protection ideas that can be considered are as follows:
(1) Use the network policy of K8S natively or through its third-party network plug-ins
The native K8S network policy "NetworkPolicy" provides "IP address / port number" level network isolation for the "Pod", the most basic operating unit of K8S.
Note: K8S supports choosing the network scheme in the form of a "third-party network plug-in", which affects the choice of network policy. For example,
NetworkPolicy must be provided by network plug-ins that implement the CNI interface (such as Calico, Cilium, Kube-router, Weave Net, etc.).
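An added audit example (not from the article) over constructed NetworkPolicy objects in the shape "kubectl get networkpolicy -A -o json" returns under "items": it reports namespaces with no default-deny ingress policy and ingress rules that allow every source or every port. The namespace list, pod labels (reusing the Nginx/Tomcat/MySQL cluster above) and policies are constructed; as the note says, such policies are only enforced when the CNI plug-in implements them.

```python
# Constructed NetworkPolicy objects; not manifests from the article.
NAMESPACES = ["shop", "lab", "monitoring"]
POLICIES = [
    {"metadata": {"name": "default-deny-ingress", "namespace": "shop"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    {"metadata": {"name": "tomcat-to-mysql", "namespace": "shop"},
     "spec": {"podSelector": {"matchLabels": {"app": "mysql"}},
              "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "tomcat"}}}],
                           "ports": [{"protocol": "TCP", "port": 3306}]}]}},
    {"metadata": {"name": "allow-everything", "namespace": "lab"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": [{}]}},
]


def is_default_deny_ingress(policy):
    """An empty podSelector, Ingress in policyTypes and no ingress rules denies all ingress."""
    spec = policy["spec"]
    types = spec.get("policyTypes") or ["Ingress"]  # Ingress is implied when policyTypes is omitted
    return spec.get("podSelector", {}) == {} and "Ingress" in types and not spec.get("ingress")


def audit_network_policies(policies, namespaces):
    """Return findings: namespaces lacking default-deny ingress, and over-permissive ingress rules."""
    findings = []
    covered = {p["metadata"]["namespace"] for p in policies if is_default_deny_ingress(p)}
    for ns in namespaces:
        if ns not in covered:
            findings.append(f"{ns}: no default-deny ingress policy, pods accept traffic from any source")
    for p in policies:
        ident = f"{p['metadata']['namespace']}/{p['metadata']['name']}"
        for rule in p["spec"].get("ingress") or []:
            # A rule without 'from' or without 'ports' matches everything in that dimension.
            if not rule.get("from"):
                findings.append(f"{ident}: ingress rule with no 'from' allows every source")
            if not rule.get("ports"):
                findings.append(f"{ident}: ingress rule with no 'ports' allows every port")
    return findings


if __name__ == "__main__":
    for finding in audit_network_policies(POLICIES, NAMESPACES):
        print("-", finding)
```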
(2) Pay attention to the interface "authentication and authorization" of microservice architecture Web applications
Developers should pay attention to the authentication and authorization of microservice architecture Web applications, to reduce the risk of interfaces being maliciously accessed by containers that can reach each other. Common "authentication and authorization" schemes include: gateway authentication, service-autonomous authentication, and API Token.
(3) Deploy Web security applications in microservice clusters in "componentized" form
To increase the security capability of Docker network clusters, Web security applications can be deployed in Docker clusters (the practice for "monolith-like Web applications" can continue to be used; for example, our Website Security Dog can protect Web applications deployed in Docker containers, as shown in figure 7). In addition, consider deploying API gateway containers (based on Nginx+Lua), honeypot containers, or asset discovery and vulnerability scanners in container clusters.
Figure 7. Website Security Dog can be used to protect Docker containers
(4) Use "Service Mesh" technology
Service Mesh technology makes up for the shortcomings of K8S in microservice communication and helps restrict access at the application layer. A service mesh is an infrastructure layer that handles communication between services; its main responsibility is the reliable delivery of requests. In practice, a service mesh is usually implemented as a lightweight network proxy deployed alongside the application but transparent to it. Take the open source project Istio as an example: it meets the diverse needs of microservice applications by providing behavioral insight and operational control over the entire service mesh. It provides key functions such as traffic management, policy enforcement, service identity and security within the service network. Istio can also integrate existing ACL, logging, monitoring, quota, audit and other functions. The converged architecture model for future Service Mesh is shown in figure 8.
Figure 8. Future Service Mesh Convergence Architecture
4. Control method for the "security compliance baseline"
To address the full range of problems in the Docker container life cycle, you need an operational, executable Docker security baseline checklist that is clear, searchable and maintainable, for performing infrastructure security checks and audits in a production environment.
The following security compliance inspection tools are good references:
(1) docker-bench-security (aligned with Docker official guidance and the CIS security standard, as shown in figure 9).
(2) kube-bench (runs the CIS Kubernetes benchmark to check the security of a Kubernetes deployment).
(3) Open Policy Agent (decouples security policies and best practices from a specific runtime platform).
Figure 9. docker-bench-security aligned with the official white paper
IV. Summary
After years of development, Docker container technology has been gradually accepted and applied in the fields of DevOps and microservices, and it still has great potential. This article discusses some security problems in the container life cycle. It is not hard to see that, to manage Docker container security well, image deep scanning, intrusion detection and protection for container systems and container networks, and security compliance must not be ignored. For each of these areas, we can consider drawing on and adapting existing network security technology.
Because organizations differ in their level of Docker adoption and technology selection, specific implementations will differ. Each organization should choose an appropriate solution by stage and by layer (container engine layer, orchestration and scheduling layer) according to its own situation, to better protect its Docker container environment.
Thank you for reading. The above is the content of "Docker container security control method". After studying this article, I believe you have a deeper understanding of the Docker container security control method; specific use still needs to be verified in practice. The editor will push more related articles for you; welcome to follow!