Wednesday, November 15, 2017

Essential (and free) security tools for Docker

Docker makes it easy for developers to package up and push out application changes, and spin up run-time environments on their own. Maybe too easy.

With Docker, developers can make their own decisions on how to configure and package applications. But this also means that they can make simple but dangerous mistakes that will leave the system unsafe without anyone noticing until it is too late.

Fortunately, there are some good tools that can catch many of these problems early, as part of your build pipelines and run-time configuration checks. Toni de la Fuente maintains a helpful list of Docker security and auditing tools here.

Unfortunately, many of the open source projects in this list have been shelved or orphaned. So, I want to put together a short list of the essential open source tools that are available today to help you secure your Docker environment.

Check your container configuration settings

As part of your build process and continuous run-time checks, it is important that you enforce safe and consistent configuration defaults for containers and the hosts that they run on.

The definitive guideline for setting up Docker safely is the CIS Docker Benchmark, which lists over 100 recommendations and best practices for hardening the host configuration and Docker daemon configuration (including Swarm configuration settings), file permission rules, container images and build file management, container runtime settings, and operations practices.

The Docker security team has provided a free tool, Docker Bench for Security, that checks Docker containers against this hardening guide (although the tests are organized a bit differently – the Swarm checks are all run together in a separate section for example). Docker Bench is updated for each release of the CIS benchmark guide, which is updated with each release of Docker, although there tends to be a brief lag.

Docker Bench ships as a small container that runs with high privilege and executes a set of tests against every container it can find. Each test returns PASS, WARN (a clear failure) or INFO (a finding that has to be reviewed manually to see whether it matches what you expect); NOTEs are printed for manual checks that need to be done separately.

After you run Docker Bench, you will need to work through the detailed findings and decide what makes sense for your environment. Docker Bench is an auditing tool, designed to be run and reviewed manually. Docker Bench Test shows how you can run Docker Bench in an automated test pipeline by wrapping it inside the Bats test framework, although unfortunately it hasn’t been updated for a couple of years.
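Docker Bench Test wraps the tool in Bats; the following Python script, an added example that is not part of the original post or of Docker Bench, does the equivalent gate directly on Docker Bench's text output. It parses the PASS/WARN/INFO/NOTE lines, attaches the indented detail lines to the finding above them, and fails the job on any WARN whose check id has not been explicitly accepted with a written justification. The embedded sample output is constructed in Docker Bench's format rather than taken from a real scan, and the accepted check ids and justifications are assumptions.

```python
"""Gate a CI job on Docker Bench for Security output (added example, not Docker Bench code).

Parses the [PASS]/[WARN]/[INFO]/[NOTE] lines Docker Bench prints, keeps the indented
"* detail" lines with the finding they belong to, and blocks the build on any WARN
that has not been reviewed and accepted with a justification.
"""
import re
from collections import Counter

# Constructed sample in the style of Docker Bench output (not real scan output).
SAMPLE_OUTPUT = """\
[INFO] 1 - Host Configuration
[WARN] 1.1  - Ensure a separate partition for containers has been created
[PASS] 1.2  - Ensure the container host has been Hardened
[INFO] 1.4  - Ensure only trusted users are allowed to control Docker daemon
[INFO]      * docker:x:999:jenkins
[NOTE] 1.5  - Ensure auditing is configured for the Docker daemon
[INFO] 2 - Docker daemon configuration
[WARN] 2.1  - Ensure network traffic is restricted between containers on the default bridge
[PASS] 2.8  - Enable user namespace support
[WARN] 5.10 - Ensure memory usage for container is limited
[WARN]      * Container running without memory restrictions: webapp_1
"""

LINE_RE = re.compile(r"^\[(PASS|WARN|INFO|NOTE)\]\s+(\d+(?:\.\d+)*)\s+-\s+(.*)$")
DETAIL_RE = re.compile(r"^\[(?:PASS|WARN|INFO|NOTE)\]\s+\*\s+(.*)$")


def parse_bench_output(text):
    """Return a list of findings: dicts with status, check id, title and detail lines."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            status, check_id, title = m.groups()
            findings.append({"status": status, "id": check_id, "title": title, "details": []})
            continue
        d = DETAIL_RE.match(line)
        if d and findings:
            # Indented "* ..." lines belong to the finding printed just before them.
            findings[-1]["details"].append(d.group(1))
    return findings


def summarize(findings):
    """Count findings by status; section headers such as '1 - Host Configuration' are skipped."""
    return Counter(f["status"] for f in findings if "." in f["id"])


def gate(findings, accepted=None):
    """Decide whether the build may proceed.

    accepted maps a check id to the written justification for accepting that WARN
    (the manual review step described above). Any WARN not in it fails the gate.
    Returns (ok, blocking), where blocking lists the unaccepted WARN findings.
    """
    accepted = accepted or {}
    blocking = [f for f in findings if f["status"] == "WARN" and f["id"] not in accepted]
    return (not blocking), blocking


if __name__ == "__main__":
    results = parse_bench_output(SAMPLE_OUTPUT)
    print("summary:", dict(summarize(results)))
    # Assumed, illustrative acceptance: check 1.1 was reviewed and signed off.
    ok, blocking = gate(results, accepted={"1.1": "containers live on a dedicated VM disk"})
    for f in blocking:
        print(f"BLOCK {f['id']}: {f['title']}", *(f"  -> {d}" for d in f["details"]), sep="\n")
    raise SystemExit(0 if ok else 1)
```

In a pipeline you would pipe the real Docker Bench output into `parse_bench_output` and keep the accepted-ids map under version control next to the justifications, so every accepted WARN has a reviewable paper trail.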

Another free auditing tool from the Docker security team is Actuary. According to Diogo Monica at Docker, Actuary checks the same rules as Docker Bench (for now), but runs across all nodes in a Docker Swarm. Actuary is positioned as a future replacement for Docker Bench: it is written in Go (instead of Bash scripts) and is more extensible, using configurable templates for checking and testing.

Image scanning and policy enforcement

In addition to making sure that your container run-time is configured correctly, you need to ensure that all of the image layers in a container are free from known vulnerabilities. This is done by static scanning of “cold images” in repos, or before they are pushed to a repo, as part of your image build process.

Commercial Docker customers can take advantage of Docker Security Scanning (DSS) (formerly known as Nautilus) to automatically and continuously check images in private registries on Docker Hub or Docker Cloud for known vulnerabilities. DSS is also used to scan Official Repositories on Docker Hub.

If you’re using open source Docker, you’ll need to do your own checking. There are a few good open source tools available, all of which work basically the same way:

  • Scan the image (generally a binary scan), pull apart the layers, and build a detailed manifest or bill of materials of the contents
  • Take a snapshot of OS and software package vulnerability data
  • Compare the contents of the image manifest against the list of known vulnerabilities and report any matches

The effectiveness of these security scanning tools depends on:

  1. Depth and completeness of static analysis – the scanner’s ability to see inside image layers and the contents of those layers (packages and files)
  2. Quality of vulnerability feeds – coverage, and how up to date the vulnerability lists are
  3. How results are presented – is it clear what the problem is, where to find it, and what to do about it
  4. De-duplication and whitelisting capabilities to reduce noise
  5. Scanning speed

First, there is Clair from CoreOS, the scanning engine used in the Quay.io public container registry (an alternative to Docker Hub). Clair is a static analysis tool for Docker and appc containers, which scans an image and compares the vulnerabilities found against a whitelist to see if they have already been reviewed and accepted. It can be controlled through a JSON API or CLI.

If you’re using OpenSCAP, there is the oscap-docker utility, which scans Docker images and running containers for CVEs and for compliance violations against SCAP policy guides.

Anchore is a powerful and flexible automated scanning and policy enforcement engine that is easy to integrate into your CI/CD build pipelines to check for CVEs – and much more – in Docker images. You can create whitelists (to suppress findings that you’ve determined are not exploitable) and blacklists (for required packages or banned packages, and prohibited content such as source code or secrets), as well as custom checks on container or application configuration rules, etc.
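An added example of the policy side, not Anchore's engine or its policy format: a small Python evaluator that takes the output of an image analysis (constructed here: two vulnerability findings with placeholder ids, a package list and a few file contents) and applies a policy with a justified CVE whitelist, required and banned packages, and prohibited content such as private keys, cloud access keys and source files. Rule actions are named go/warn/stop and the strongest one decides the build; the policy values themselves are assumptions chosen for illustration.

```python
"""Policy enforcement over an image analysis (added example, not Anchore's policy engine).

Takes an analysis result and evaluates: a CVE whitelist with recorded justifications,
required and banned packages, and prohibited content (secrets, source code). Each
violation carries an action; the strongest action wins: stop > warn > go.
"""
import re

# Constructed analysis of an image (not real scan output). CVE ids are placeholders;
# the AWS key id is the documented example value, not a real credential.
ANALYSIS = {
    "findings": [
        {"id": "CVE-XXXX-0001 (placeholder)", "package": "openssl", "severity": "high"},
        {"id": "CVE-XXXX-0005 (placeholder)", "package": "libc6", "severity": "medium"},
    ],
    "packages": {"openssl", "libc6", "curl", "telnet"},
    "files": {
        "/app/config/settings.py": "DEBUG = False\nAWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\n",
        "/root/.ssh/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
        "/app/src/main.java": "public class Main {}\n",
    },
}

# Assumed policy values for illustration only.
POLICY = {
    # Findings that were reviewed and accepted, with the justification kept alongside.
    "whitelist": {"CVE-XXXX-0005 (placeholder)": "not reachable: affected function is never called"},
    "severity_action": {"critical": "stop", "high": "stop", "medium": "warn", "low": "go"},
    "required_packages": {"ca-certificates"},
    "banned_packages": {"telnet"},
    "secret_patterns": {
        "private key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
        "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    },
    "source_extensions": (".java", ".c", ".go"),
}

RANK = {"go": 0, "warn": 1, "stop": 2}


def evaluate(analysis, policy):
    """Return (action, violations); action is 'go', 'warn' or 'stop'."""
    violations = []

    for f in analysis["findings"]:
        if f["id"] in policy["whitelist"]:
            continue  # suppressed by an explicit, justified whitelist entry
        action = policy["severity_action"].get(f["severity"], "warn")
        violations.append((action, f"vulnerability {f['id']} in {f['package']} ({f['severity']})"))

    for pkg in sorted(policy["required_packages"] - analysis["packages"]):
        violations.append(("stop", f"required package missing: {pkg}"))
    for pkg in sorted(policy["banned_packages"] & analysis["packages"]):
        violations.append(("stop", f"banned package installed: {pkg}"))

    for path, content in analysis["files"].items():
        for label, pattern in policy["secret_patterns"].items():
            if pattern.search(content):
                violations.append(("stop", f"{label} found in {path}"))
        if path.endswith(policy["source_extensions"]):
            violations.append(("warn", f"source code shipped in image: {path}"))

    final = max((a for a, _ in violations), key=RANK.get, default="go")
    return final, violations


if __name__ == "__main__":
    action, problems = evaluate(ANALYSIS, POLICY)
    for a, msg in problems:
        print(f"[{a.upper():4}] {msg}")
    print("final action:", action.upper())
```

Keeping the justification text inside the whitelist entry, rather than a bare list of ids, is the detail that makes a whitelist auditable later: a suppressed finding without a recorded reason is indistinguishable from one that was silenced to get a build through.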

Anchore is available as a free SaaS online Navigator for public registries, and as an open source engine for on-prem scanning. The scanning engine can be wired into your CI/CD pipelines using the CLI, the REST API or a Jenkins plug-in, to automatically analyze images as changes are checked in and fail the build if checks don’t pass. A nice overview of running Anchore can be found here.

Anchore comes with a built-in set of security and compliance policies, analysis functions and decision gates. You can write your own analysis modules and policies, reports and certification workflows in a high-level language, or extend the analysis engine with custom plugins.

You can also integrate the Anchore scanning engine with Anchore Navigator, so that you can define policies and whitelists using Navigator’s graphical editor. Anchore will subscribe to updates so that you will be automatically notified of new CVEs, or updates to images in public registries.

Anchore (the company) offers premium support subscriptions, and enterprise solutions to discover, explore and analyze images, with additional analysis modules and policies, data feeds, tooling, and workflow integration options.

Another new and ambitious open source container scanner is Dagda. Dagda builds a consolidated vulnerability database from snapshots of CVE information in NIST’s NVD, publicly reported security bugs in the SecurityFocus Bugtraq database, and known exploits from the Offensive Security database, and it uses OWASP Dependency Check and Retire.JS to analyze dependencies, in order to identify known security vulnerabilities in Docker images. Dagda can be controlled through the command line or its REST API, and keeps a history of all checks for auditing and trend analysis.

It also runs ClamAV against Docker images to check for trojans and other malware, and integrates with Sysdig’s powerful (and free) Falco run-time anomaly checker to monitor containers on Linux hosts. Falco is installed as an agent on each host, which taps into kernel syscalls and filters against rules in a signature database to identify suspicious activity and catch attacks or operational problems on the host and inside containers.
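As an added example of the filtering step Falco performs (my code, not Falco's, and not Falco's rule syntax), the script below runs a constructed stream of process-exec and file-write events, standing in for the kernel syscall feed, through three rules written as Python predicates. A shell started on the host by sshd is not flagged, the same shell inside a container is, and a write under /etc from a container raises a higher-priority alert; the event, container and user names are constructed.

```python
"""Toy model of run-time rule matching of the kind Falco performs (added example,
not Falco code). A constructed event list stands in for the kernel syscall stream,
and rules are plain predicates; the point is the filtering step that turns raw
events into prioritised alerts."""

# Constructed events (not captured from a real system). container="host" marks
# processes outside any container.
EVENTS = [
    {"evt": "execve", "container": "host", "user": "root", "proc": "bash",
     "parent": "sshd", "cmd": "bash"},
    {"evt": "execve", "container": "4f2a1c (webapp)", "user": "app", "proc": "python3",
     "parent": "entrypoint.sh", "cmd": "python3 app.py"},
    {"evt": "execve", "container": "4f2a1c (webapp)", "user": "root", "proc": "sh",
     "parent": "python3", "cmd": "sh -c id"},
    {"evt": "open_write", "container": "4f2a1c (webapp)", "user": "root", "proc": "python3",
     "parent": "entrypoint.sh", "path": "/etc/passwd"},
    {"evt": "open_write", "container": "4f2a1c (webapp)", "user": "app", "proc": "python3",
     "parent": "entrypoint.sh", "path": "/app/logs/app.log"},
    {"evt": "execve", "container": "9b77e0 (db)", "user": "postgres", "proc": "pg_ctl",
     "parent": "docker-entrypoint.sh", "cmd": "pg_ctl start"},
]

SHELLS = {"sh", "bash", "dash", "zsh"}
PACKAGE_MANAGERS = {"apt", "apt-get", "yum", "dnf", "apk", "pip", "pip3"}


def in_container(e):
    return e["container"] != "host"


# Each rule: (name, priority, predicate over one event). Predicates test the event
# type first so that fields such as "path" are only read where they exist.
RULES = [
    ("Terminal shell in container", "WARNING",
     lambda e: e["evt"] == "execve" and in_container(e) and e["proc"] in SHELLS),
    ("Write below /etc in container", "ERROR",
     lambda e: e["evt"] == "open_write" and in_container(e) and e["path"].startswith("/etc/")),
    ("Package management in running container", "ERROR",
     lambda e: e["evt"] == "execve" and in_container(e) and e["proc"] in PACKAGE_MANAGERS),
]


def match(events, rules):
    """Run every event through every rule; return alerts as (priority, rule, container, detail)."""
    alerts = []
    for e in events:
        for name, priority, predicate in rules:
            if predicate(e):
                detail = e.get("cmd") or e.get("path")
                alerts.append((priority, name, e["container"],
                               f"user={e['user']} proc={e['proc']} parent={e['parent']} {detail}"))
    return alerts


if __name__ == "__main__":
    for priority, rule, container, detail in match(EVENTS, RULES):
        print(f"{priority:7} {rule}: container={container} {detail}")
```

The useful property to notice is that the same shell event means different things in different contexts: an interactive login on the host is routine, while a shell spawned inside a container that should only ever run its application process is exactly the anomaly a run-time monitor exists to surface.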

Dagda throws everything but the kitchen sink at container security. It is a lot of work to set this up and keep all of it working, but it shows you how far you can go without having to roll out a commercial container protection solution like Twistlock or AquaSec.

Don’t leave container security up to chance

What makes Docker so compelling is also what makes it dangerous: it takes work and decisions out of ops’ hands and gives them to developers who may not understand (or care about) the details or why they matter. Using Docker moves responsibility for packaging and configuring application run-times from ops (who are responsible for making sure that this is done carefully and safely) to developers (who want to get it done quickly and simply).

This is why it is so important to add checks that can be run continuously to catch mistakes and known vulnerabilities in dependencies, and to enforce security and compliance policies when changes are made. The tools listed here can help you to reduce operational risks, without getting in the way of teams getting valuable work done.
