{"id":4971,"date":"2020-04-22T08:00:32","date_gmt":"2020-04-22T02:30:32","guid":{"rendered":"https:\/\/www.upnxtblog.com\/?p=4971"},"modified":"2020-07-06T12:20:01","modified_gmt":"2020-07-06T06:50:01","slug":"do-you-inspect-your-containers","status":"publish","type":"post","link":"https:\/\/www.upnxtblog.com\/index.php\/2020\/04\/22\/do-you-inspect-your-containers\/","title":{"rendered":"Do you inspect your containers?"},"content":{"rendered":"
<\/div>

With the increasing adoption <\/a>of containers and microservices<\/a> in the enterprises, there are also risks that come along with containers. For example, If any one of the containers breaks out, it can allow unauthorized access across containers, hosts, or data centers, etc., thus affecting all the containers hosted on the Host OS. To mitigate these risks, we have already looked at various approaches<\/a> to provide secure isolation for containers. In this post, we are going to look at how to inspect the containers.<\/p>\n\n

Introducing\u00a0 amicontained<\/h2>\n

Using amicontained<\/a> <\/strong>tool, we can find out what container runtime, other data points like below:<\/p>\n

    \n
  1. What data does the container have access to<\/strong>?<\/li>\n
  2. What is the composition of your containers during runtime<\/strong>?<\/li>\n
  3. What type of system calls is being blocked<\/strong>?<\/li>\n
  4. What are the details of the SECCOMP\/AppArmor profile<\/strong> that is being used to prevent attacks and preventing others from spreading to the rest of the infrastructure?<\/li>\n<\/ol>\n

    #1. Install amicontained<\/h2>\n

    Install binaries are available from Releases Page.<\/a> Use the below script from the releases page to install amicontained.<\/p>\n

    # Export the sha256sum for<\/span> verification.<\/span>\r\n$ export<\/span> AMICONTAINED_SHA256=\"<\/span>d8c49e2cf44ee9668219acd092ed961fc1aa420a6e036e0822d7a31033776c9f\"<\/span><\/span><\/span>\r\n\r\n# Download and check the sha256sum.<\/span>\r\n$ curl -fSL \"<\/span>https:\/\/github.com\/genuinetools\/amicontained\/releases\/download\/v0.4.9\/amicontained-linux-amd64\"<\/span><\/span> -o \"<\/span>\/usr\/local\/bin\/amicontained\"<\/span><\/span> \\<\/span>\r\n\t&& echo \"${AMICONTAINED_SHA256}  \/usr\/local\/bin\/amicontained\" | sha256sum -c - \\<\/span>\r\n\t&& chmod a+x \"\/usr\/local\/bin\/amicontained\"<\/span>\r\n\r\n$ echo<\/span> \"<\/span>amicontained installed!\"<\/span><\/span><\/span>\r\n\r\n# Run it!<\/span><\/span>\r\n$ amicontained -h\r\n\r\n<\/span><\/pre>\n
    \"\"
    Image – amicontained Installation<\/figcaption><\/figure>\n
    Verify if we have installed correctly by amicontained -h<\/span><\/code><\/p>\n
    \"\"
    Image – amicontained command line<\/figcaption><\/figure>\n
    Now that we have successfully installed, we can try out different scenarios.<\/p>\n
    Scenario #1: Inspect security configuration<\/h2>\n
    In this scenario, we are going to inspect our containers for the security configuration.<\/p>\n
    \"\"
    Image – Security Configuration<\/figcaption><\/figure>\n
    \"Security
    Image – Security Configuration<\/figcaption><\/figure>\n
    We could see that what are the allowed\/blocked syscalls, container runtime, AppArmor profile, capabilities, etc.,<\/p>\n
    Scenario #2: Inspect PID Namespace<\/h2>\n
    By default, all containers have the PID namespace enabled. PID namespace provides separation of processes. The PID Namespace removes the view of the system processes and allows process ids to be reused.<\/p>\n
    In this scenario, we are going to inspect the container with PID namespace as host basically allowing processes within the container to see all of the processes on the system and check the output.<\/p>\n
    \"\"
    Image – Namespace configuration<\/figcaption><\/figure>\n
    Scenario #3: Inspect Container runtime, environment<\/h2>\n
    In this scenario, we are going to run the container with PID namespace as host basically allowing processes within the container to see all of the processes on the system and check the output.<\/p>\n
    \"\"
    Image – Check container runtime,environment<\/figcaption><\/figure>\n
    Congrats! we have learned how to inspect containers using amicontained tool.<\/em><\/p>\n
    Docker container security best practices<\/h2>\n
    Following best practices can help you create a Docker security infrastructure:<\/p>\n
      \n
    1. Container images act as a foundation for multiple systems, and vulnerable images can cause damage across your enterprise. You need to ensure images are protected by scanning for open source and third-party vendor containers and setting up a trusted registry of base images.<\/strong><\/li>\n
    2. Sensitive information such as passwords and addresses needs to be maintained using Docker secrets.<\/strong><\/li>\n
    3. Monitor your container activity and limit the use of resources.<\/strong> Design errors, software bugs, or malware attacks can often lead to DoS attacks. You can handle the large attack surface by limiting the number of system resources allotted for each container.<\/li>\n
    4. SECCOMP provides a default profile that blocks 44 out of the 300+ system calls allowed on Docker containers and lets you manage a whitelist to block additional types of calls. You have the option to use a strict SECCOMP profile<\/strong> to prevent some types of attacks and preventing others from spreading to the rest of the infrastructure.<\/li>\n
    5. Monitoring systems like Prometheus<\/a> can help you identify attacks, send alerts,<\/strong> and even automatically implement fixes. Periodically review log data<\/strong> generated by containers and use it to generate preventive security insights.<\/li>\n
    6. Know the composition of your containers during runtime as well as build time.<\/li>\n<\/ol>\n
      If you’re looking for Docker Security tools, check out here.<\/a><\/p>\n
      Like this post? Don\u2019t forget to share it!<\/strong><\/em><\/p>\n
      Additional Resources :<\/h2>\n