Wednesday, November 15, 2017

Essential (and free) security tools for Docker

Docker makes it easy for developers to package up and push out application changes, and spin up run-time environments on their own. Maybe too easy.

With Docker, developers can make their own decisions on how to configure and package applications. But this also means that they can make simple but dangerous mistakes that will leave the system unsafe without anyone noticing until it is too late.

Fortunately, there are some good tools that can catch many of these problems early, as part of your build pipelines and run-time configuration checks. Toni de la Fuente maintains a helpful list of Docker security and auditing tools here.

Unfortunately, many of the open source projects in this list have been shelved or orphaned. So, I want to put together a short list of the essential open source tools that are available today to help you secure your Docker environment.

Check your container configuration settings

As part of your build process and continuous run-time checks, it is important that you enforce safe and consistent configuration defaults for containers and the hosts that they run on.

The definitive guidelines for setting up Docker safely is the CIS Docker Benchmark, which lists over 100 recommendations and best practices for hardening the host configuration and Docker daemon configuration (including Swarm configuration settings), file permissions rules, container images and build file management, container runtime settings, and operations practices.

The Docker security team has provided a free tool, Docker Bench for Security, that checks Docker containers against this hardening guide (although the tests are organized a bit differently – the Swarm checks are all run together in a separate section for example). Docker Bench is updated for each release of the CIS benchmark guide, which is updated with each release of Docker, although there tends to be a brief lag.

Docker Bench ships as a small container which runs with high privilege, and executes a set of tests against all containers that it can find. Tests return PASS or WARN (clear fail) status, or INFO (for findings that need to be manually reviewed to see if they match expected results). NOTEs are printed for manual checks that need to be done separately.

After you run Docker Bench, you will need to work through fussy detailed findings and decide what makes sense for your environment. Docker Bench is an auditing tool, designed to be run and reviewed manually. Docker Bench Test shows how you can run Docker Bench in an automated test pipeline, by wrapping it inside the Bats test framework, although unfortunately it hasn’t been updated for a couple of years.

Another free auditing tool from the Docker security team is Actuary. According to Diogo Monica at Docker, Actuary checks the same rules as Docker Bench (for now), but runs across all nodes in a Docker Swarm. Actuary is positioned as a future replacement for Docker Bench: it is written in Go (instead of Bash scripts) and is more extensible, using configurable templates for checking and testing.

Image scanning and policy enforcement

In addition to making sure that your container run-time is configured correctly, you need to ensure that all of the image layers in a container are free from known vulnerabilities. This is done by static scanning of “cold images” in repos, or before they are pushed to a repo, as part of your image build process.

Commercial Docker customers can take advantage of Docker Security Scanning (DSS) (fka Nautilus) to automatically and continuously check images in private registries on Docker Hub or Docker Cloud for known vulnerabilities. DSS is also used to scan Official Repositories on Docker Hub.

If you’re using open source Docker, you’ll need to do your own checking. There are a few good open source tools available, all of which work basically the same way:

  • Scan the image (generally a binary scan), pull apart the layers, and build a detailed manifest or bill of materials of the contents
  • Take a snapshot of OS and software package vulnerability data
  • Compare the contents of the image manifest against the list of known vulnerabilities and report any matches

The effectiveness of these security scanning tools depends on:

  1. Depth and completeness of static analysis – the scanner’s ability to see inside image layers and the contents of those layers (packages and files)
  2. Quality of vulnerability feeds – coverage, and how up to date the vulnerability lists are
  3. How results are presented – is it clear what the problem is, where to find it, and what to do about it
  4. De-duplication and whitelisting capabilities to reduce noise
  5. Scanning speed

First, there is Clair from CoreOS, the scanning engine used in the Quay.io public container registry (an alternative to Docker Hub). Clair is a static analysis tool for Docker and appc containers, which scans an image and compares the vulnerabilities found against a whitelist to see if they have already been reviewed and accepted. It can be controlled through a JSON API or CLI.

If you’re using OpenSCAP there is the oscap-docker util which can be used to scan Docker images and running containers for CVEs, and compliance violations against SCAP policy guides.

Anchore is a powerful and flexible automated scanning and policy enforcement engine that is easy to integrate into your CI/CD build pipelines to check for CVEs – and much more – in Docker images. You can create whitelists (to suppress findings that you’ve determined are not exploitable) and blacklists (for required packages or banned packages, and prohibited content such as source code or secrets), as well as custom checks on container or application configuration rules, etc.

Anchore is available as a free SaaS online Navigator for public registries, and an open source engine for on prem scanning. The scanning engine can be wired in to your CI/CD pipelines using CLI or REST or a Jenkins plug in, to automatically analyze images as changes are checked in, and fail the build if checks don’t pass. A nice overview of running Anchore can be found here.

Anchore comes with a built-in set of security and compliance policies, analysis functions and decision gates. You can write your own analysis modules and policies, reports and certification workflows in a high-level language, or extend the analysis engine with custom plugins.

You can also integrate the Anchore scanning engine with Anchore Navigator, so that you can define policies and whitelists using Navigator’s graphical editor. Anchore will subscribe to updates so that you will be automatically notified of new CVEs, or updates to images in public registries.

Anchore (the company) offers premium support subscriptions, and enterprise solutions to discover, explore and analyze images, with additional analysis modules and policies, data feeds, tooling, and workflow integration options.

Another new and ambitious open source container scanner is Dagda. Dagda builds a consolidated vulnerability database, taking snapshots of CVE information from NIST’s NVD, publicly-reported security bugs in the SecurityFocus Bugtraq database, and known exploits from the Offensive Security database, and uses OWASP Dependency Check and Retire.JS to analyze dependencies, to identify known security vulnerabilities in Docker images. Dagda can be controlled through the command line or its REST API, and keeps a history of all checks for auditing and trend analysis.

It also runs ClamAV against Docker images to check for trojans and other malware, and integrates with Sysdig’s powerful (and free) Falco run-time anomaly checker to monitor containers on Linux hosts. Falco is installed as an agent on each host, which taps into kernel syscalls and filters against rules in a signature database to identify suspicious activity and catch attacks or operational problems on the host and inside containers.

Dagda throws everything but the kitchen sink at container security. It is a lot of work to set this up and keep all of it working, but it shows you how far you can go without having to roll out a commercial container protection solution like Twistlock or AquaSec.

Don’t leave container security up to chance

What makes Docker so compelling is also what makes it dangerous: it takes work and decisions out of ops hands, and gives it to developers who may not understand (or care about) the details or why they are important. Using Docker moves responsibility for packaging and configuring application run-times from ops (who are responsible for making sure that this is done carefully and safely) to developers (who want to get it done quickly and simply).

This is why it is so important to add checks that can be run continuously to catch mistakes and known vulnerabilities in dependencies, and to enforce security and compliance policies when changes are made. The tools listed here can help you to reduce operational risks, without getting in the way of teams getting valuable work done.

22 comments:

Packers and Movers Bangalore said...

Packers and Movers Bangalore as a Services providing company can make all the difference to your ###Home Relocation experience. Bangalore based Company which offers versatile solutions, Right team that easily reduce the stress associated with a ✔✔✔Household Shifting, ***Vehicle Transportation. we help things run smoothly and reduce breakages and offer you seamless, Affordable, Reliable Shifting Services, Compare Shifting Charges @ Packers And Movers Bangalore

Sarah Colins said...

Such an interesting information. I always rate my paper to know level of it.

Herry Anderson said...

Informative post, thanks for telling us about “Building real software”. Your post will be helpful for people. Appreciate your work. Keep share more and more post with us.

Boiler systems

ibTech said...

Nice post!
That blog is very useful for us, So thanx for sharing.
Secure system solutions UAE

Subhash Komuravelli said...

Nice blog, very interesting to read
I have bookmarked this article page as i received good information from this.

Best ERP Software in India | ERP Software in India

Cloud Based ERP Software in India | Low Price ERP Software in India

Employee Monitoring Software - FairTrak said...


Amazing post shared by you, thank you for such useful information. You can also avail Employee monitoring software for increased productivity.

mobile application development said...

Amazing Post. Your writing is very inspiring. Thanks for Posting.
Mobile App Development Company in chennai
mobile app development chennai
Mobile application development company in chennai
Mobile application development chennai
Mobile apps development companies in chennai
enterprise mobile app development company

Java application development said...

I have perused your blog its appealing and noteworthy. I like it your blog.
java software development company
Java web development company
Java development companies
java development services
Java application development services

Software development company said...

I have scrutinized your blog its engaging and imperative. I like it your blog.
custom application development services
Software development company
software application development company
offshore software development company
custom software development company

best ppc company in india said...

I have inspected your blog its associating with and essential. I like it your blog.
ppc marketing services
pay per click advertising services
ppc campaign management services
ppc marketing company
ppc management services

Digitalmarketing said...


I have perused your blog its appealing and noteworthy. I like it your blog.
digital marketing company in chennai,
digital marketing agency in india,
digital marketing company in chennai,
online marketing company in chennai,
digital marketing company in india,
digital marketing services,
digital marketing company,

Nancy Singh said...

Hey Nice Blog!!! Thank you for sharing information. Wonderful blog & good post.Its really helpful for me, waiting for a more new post. Keep Blogging!

Photography Studio Management
ERP Software Solution Company
Best Network Security Provider Company in Lucknow

Packers and Movers Gurgaon said...

Hiring packers and movers in Gurgaon is not too hard if you take help of the best moving professionals. Best movers and packers Gurgaon assist with their skilled and trained team to pack, load, unload and unpack your belongings.
So be aware and hire the best mover packer to save your valuables.
packers and movers Gurgaon
packers and movers Gurgaon Charges

Packers And Movers Chennai said...

Packers and Movers Chennai Give Safe and Reliable ***Household Shifting Services in Chennai with Reasonable ###Packers and Movers Price Quotation. We Provide Household Shifting, Office Relocation, ✔✔✔Local and Domestic Transportation Services, Affordable and Reliable Shifting Service Charges @
Packers And Movers Chennai

usman said...

We are a creative Digital Media Agency with experienced team. We provide digital Marketing services, Web Development services, app design services Services and Branding.

sheela rajesh said...

I have to appreciate you for your great work which you had done in your blog.i want you to add more like this.
JAVA Training in Chennai
JAVA Training in Tnagar
Selenium Training in Chennai
Digital Marketing Course in Chennai
Python Training in Chennai
Big data training in chennai
JAVA Training in Chennai
Java Training in Velachery

PoL said...

Outsourcing to Poland is getting more and more popular. But what should you begin with? Here's what you need to know about building an offshore development team in Poland offshore development team poland

Riya Singh said...

Hey Nice Blog!!! Thank you for sharing information. Wonderful blog & good post.Its really helpful for me, waiting for a more new post. Keep Blogging!

Restaurant Management Software in Lucknow
Inventory Management Software in Lucknow
Hospital Managment Software System in Lucknow

Kate said...

Write an essay for me is a reliable academic help service. We guarantee top-notch quality, affordable prices and 24/7 support. Don’t hesitate to contact us.

Jagadeesh said...

Very interesting blog Really excellent information Amazing Article.
Learn Digital Academy offers, Digital marketing training in Bangalore
In-class training program.

DevOps Training said...

Great blog created by you. I read your blog, its best and useful information. You have done a great work. Super blogging and keep it up.
Devops Online Training
DevOps Training institute in Ameerpet

james said...

NETSOL Technologies provides superior software solutions & digital enablement solutions for the asset finance
& leasing industry worldwide.Asset Finance Software
https://www.netsoltech.com/

Site Meter