Infosec_Reference/Draft/Containers.md

Containers

---

Table of contents

---

• Static Analysis of Docker image vulnerabilities with Clair - Petr Kohut

• Docker Security Best Practices: Part 3 – Securing Container Images - Jeremy Valance

• How to implement Docker image scanning with open source tools - Mateo Burillo

https://www.digitalocean.com/community/tutorials/an-introduction-to-kubernetes https://github.com/kubernetes/community/blob/master/wg-security-audit/findings/AtredisPartners_Attacking_Kubernetes-v1.0.pdf

http://blog.sevagas.com/IMG/pdf/exploiting_capabilities_the_dark_side.pdf

https://blog.hansenpartnership.com/containers-and-cloud-security/

https://github.com/gravitational/gravity https://github.com/rexray/rexray https://wiki.unraid.net/UnRAID_6/Overview#Containers

• How to Lose a Container in 10 Minutes - Sarah Young(BSidesSF 2019)
  • Moving to the cloud and deploying containers? In this talk I will discuss both the mindset shift and tech challenges, with some common mistakes made in real-life deployments with some real life (albeit redacted) examples. We'll also look at what happens to a container that's been left open to the Internet for the duration of the talk.

Understanding and HardeningLinux Containers - NCCGroup

https://storageos.com/why-containers-miss-a-major-mark-solving-persistent-data-in-docker/

https://blog.appsecco.com/analysing-and-exploiting-kubernetes-apiserver-vulnerability-cve-2018-1002105-3150d97b24bb?gi=da5afbcc2d73

https://www.blackhat.com/docs/us-17/thursday/us-17-Cherny-Well-That-Escalated-Quickly-How-Abusing-The-Docker-API-Led-To-Remote-Code-Execution-Same-Origin-Bypass-And-Persistence_wp.pdf https://blog.docker.com/2014/06/docker-container-breakout-proof-of-concept-exploit/ https://www.reddit.com/r/docker/comments/439a8h/exploiting_your_system_using_docker/ https://github.com/ProfessionallyEvil/harpoon https://github.com/P3GLEG/Whaler https://samaritan.ai/blog/reversing-docker-images-into-dockerfiles/ http://ifeanyi.co/posts/linux-namespaces-part-1/ http://ifeanyi.co/posts/linux-namespaces-part-2/

• Docker Your Command & Control (C2) - obscuritylabs
• Vulnerable Docker VM - notsosecure http://www.friedhoff.org/posixfilecaps.html

https://www.redhat.com/en/blog/architecting-containers-part-1-why-understanding-user-space-vs-kernel-space-matters

Mesos https://stackoverflow.com/questions/47769570/what-does-apache-mesos-do-that-kubernetes-cant-do-and-vice-versa?rq=1 https://stackoverflow.com/questions/26705201/whats-the-difference-between-apaches-mesos-and-googles-kubernetes?noredirect=1 https://stackoverflow.com/questions/28094147/what-does-apache-mesos-actually-do http://mesos.apache.org/documentation/latest/architecture/ http://mesos.apache.org/documentation/latest/ https://en.wikipedia.org/wiki/Apache_Mesos

https://www.notsosecure.com/vulnerable-docker-vm/

https://null-byte.wonderhowto.com/how-to/create-reusable-burner-os-with-docker-part-1-making-ubuntu-hacking-container-0175328/ https://null-byte.wonderhowto.com/how-to/create-reusable-burner-os-with-docker-part-2-customizing-our-hacking-container-0175353/

https://blog.docker.com/2017/09/day-life-docker-admin/ Peter Benjamins blogposts https://www.youtube.com/playlist?list=PLKDRii1YwXnLmd8ngltnf9Kzvbja3DJWx http://carnal0wnage.attackresearch.com/2019/01/kubernetes-master-post.html?m=1 https://www.youtube.com/watch?v=fVqCAUJiIn0&feature=youtu.be https://www.youtube.com/watch?v=UwBshgfnAGA

https://www.youtube.com/watch?v=ru7GicI5iyI https://docs.google.com/presentation/d/1u6S1ycs8DURORf6S9XYKjP56oszJpouOca6xlkH9ILs/edit#slide=id.p https://sysdig.com/blog/docker-image-scanning/

https://cloud.google.com/solutions/best-practices-for-operating-containers https://sysdig.com/blog/oss-container-security-runtime/ https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2019/august/tools-and-methods-for-auditing-kubernetes-rbac-policies/ http://sven.stormbind.net/blog/posts/docker_from_30_to_230/

https://www.redhat.com/en/blog/architecting-containers-part-1-why-understanding-user-space-vs-kernel-space-matters [Docker] https://zeltser.com/security-risks-and-benefits-of-docker-application/ https://blog.docker.com/2014/06/docker-container-breakout-proof-of-concept-exploit/ http://www.slideshare.net/jpetazzo/linux-containers-lxc-docker-and-security https://www.blackhat.com/docs/eu-15/materials/eu-15-Bettini-Vulnerability-Exploitation-In-Docker-Container-Environments-wp.pdf https://www.sumologic.com/blog-security/securing-docker-containers/ https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/2016/april/ncc_group_understanding_hardening_linux_containers-10pdf/

https://github.com/genuinetools/img

• Scanning Docker images with CoreOS Clair - wdijkerman https://medium.com/cruise/building-a-container-platform-at-cruise-part-1-507f3d561e6f
• One of the original developers of cgroups on why it was created

Containers

• cgroups
  • 101
  • Articles/Blogposts/Writeups
  • Securing
  • Tools
• Docker
  • 101
  • Articles/Blogposts/Writeups
  • Securing
  • Tools
• Jails
• Kubernetes
  • 101
  • Articles/Blogposts/Writeups
  • Securing
  • Tools
• RunC
  • 101
  • Articles/Blogposts/Writeups
  • Securing
  • Tools
• Mesos
  • 101
  • Articles/Blogposts/Writeups
  • Securing
  • Tools

https://github.com/coreos/clair https://github.com/freach/kubernetes-security-best-practice https://cloudplatform.googleblog.com/2018/03/exploring-container-security-an-overview.html?m=1 https://itnext.io/kubernetes-hardening-d24bdf7adc25 https://blog.ropnop.com/attacking-default-installs-of-helm-on-kubernetes/

* https://github.com/argoproj/argo

• hardening-kubernetes from-scratch

  • A hands-on walkthrough for creating an extremely insecure Kubernetes cluster and then hardening it, step by step. https://www.pentestpartners.com/security-blog/docker-for-hackers-a-pen-testers-guide/ https://www.stackrox.com/post/2017/08/hardening-docker-containers-and-hosts-against-vulnerabilities-a-security-toolkit/

• xkcd on containers

• https://github.com/hawkeyesec/scanner-cli

• Install and run a SPIRE Server and Agent locally on a Kubernetes cluster

  • This tutorial walks you through getting a SPIRE Server and SPIRE Agent running in a Kubernetes cluster, and configuring a workload container to access SPIRE.

• Optimising Docker Layers for Better Caching with Nix - Graham Christensen

• Hacking and Hardening Kubernetes Clusters by Example - Brad Geesaman(KubeCon 2017)

  • "an eye-opening journey examining real compromises and sensitive data leaks that can occur inside a Kubernetes cluster, highlighting the configurations that allowed them to succeed, applying practical applications of the latest built-in security features and policies to prevent those attacks, and providing actionable steps for future detection."

• An Attacker Looks at Docker: Approaching Multi-Container Applications - Wesley McGrew

• PaaSTA

  • PaaSTA is a highly-available, distributed system for building, deploying, and running services using containers and Apache Mesos!

• Getting Towards Real Sandbox Containers - Jesse Frazelle(May2016)

• An Attacker Looks at Docker: Approaching Multi-Container Applications - Wesley McGrew

• Kamus

  • An open source, GitOps, zero-trust secrets encryption and decryption solution for Kubernetes applications. Kamus enable users to easily encrypt secrets than can be decrypted only by the application running on Kubernetes. The encryption is done using strong encryption providers (currently supported: Azure KeyVault, Google Cloud KMS and AES). To learn more about Kamus, check out the blog post and slides.

Docker

• https://github.com/wsargent/docker-cheat-sheet
• https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/2016/april/ncc_group_understanding_hardening_linux_containers-1-1.pdf
• https://www.slideshare.net/jpetazzo/linux-containers-lxc-docker-and-security
• http://www.projectatomic.io/blog/2014/08/is-it-safe-a-look-at-docker-and-security-from-linuxcon/
• https://linux-audit.com/docker-security-best-practices-for-your-vessel-and-containers/
• https://blog.docker.com/2016/02/docker-engine-1-10-security/
• https://medium.com/@quayio/your-docker-image-ids-are-secrets-and-its-time-you-treated-them-that-way-f55e9f14c1a4
• https://github.com/konstruktoid/Docker/blob/master/Security/CheatSheet.adoc
• https://github.com/docker/docker-bench-security
• https://blog.docker.com/2015/05/understanding-docker-security-and-best-practices/
• http://www.projectatomic.io/blog/2016/03/no-new-privs-docker/
• https://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf
• https://github.com/genuinetools/bane
• https://raesene.github.io/blog/2016/02/04/Docker-User-Namespaces/
• On Docker security: 'docker' group considered harmful - Andreas Jung
• Securing The Docker Containers At CI/CD Pipeline Level - Alina Radu(BSidesBCN 2019)

Docker

• How to write excellent Dockerfiles - Jakub Skalecki
• Networking overview - docs.docker
• Get Started, Part 1: Orientation and setup - docs.docker
• Dockerfile reference - docs.docker.com
• Docker Image Specification v1.0.0
• Docker security - docs.docker
• Reducing Deploy Risk With Docker’s Health Check Instruction - newrelic.com
• What is the purpose of VOLUME in Dockerfile - StackOverflow

Dockerfiles - Jessie Frazelle

---

Containers

• 101
  • LXC - Wikipedia
  • Process Containers - lwn.net
  • cgroups - wikipedia
  • Everything you need to know about Jails - bsdnow.tv
  • Jails - FreeBSD handbook
• Articles/Blogposts/Writeups
  • Containers
    • Controlling access to user namespaces - lwn.net
    • Namespaces in operation, part 1: namespaces overview - lwn.net
    • Linux LXC vs FreeBSD jail - Are there any notable differences between LXC (Linux containers) and FreeBSD's jails in terms of security, stability & performance? - unix.StackExchange
  • Docker
    • Docker Security Best-Practices - Peter Benjamin
    • Is it possible to escalate privileges and escaping from a Docker container? - StackOverflow
    • The Dangers of Docker.sock
    • Abusing Privileged and Unprivileged Linux Containers - nccgroup
    • Understanding and Hardening Linux Containers - nccgroup
      • Linux containers offer native OS virtualisation, segmented by kernel namespaces, limited through process cgroups and restricted through reduced root capabilities, Mandatory Access Control and user namespaces. This paper discusses these container features, as well as exploring various security mechanisms. Also included is an examination of attack surfaces, threats, and related hardening features in order to properly evaluate container security. Finally, this paper contrasts different container defaults and enumerates strong security recommendations to counter deployment weaknesses-- helping support and explain methods for building high-security Linux containers. Are Linux containers the future or merely a fad or fantasy? This paper attempts to answer that question.
  • Jails
    • ezjail – Jail administration framework
  • Kubernetes
• Privilege Escalation
  • Privilege Escalation via lxd - Josiah Beverton
• Talks & Presentations
  • Docker: Security Myths, Security Legends - Rory McCune
• Tools
  • Containers
    • nsjail
      • A light-weight process isolation tool, making use of Linux namespaces and seccomp-bpf syscall filters (with help of the kafel bpf language)
    • ezjail – Jail administration framework
  • Docker
    • docker-layer2-icc
      • Demonstrating that disabling ICC in docker does not block raw packets between containers.
    • docker-bench-security
      • The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.
    • Vulnerable Docker VM
      • For practicing pen testing docker instances
  • Kubernetes
    • Kubernetes Security Best-Practices - Peter Benjamin