Docker Security Essentials | How To Secure Docker Containers

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

[Music] hello everyone welcome to this video in this particular video we're going to be taking a look at docker security essentials so what we're going to be covering in this video is going to be all the very sick security techniques and features that you can put in place to ensure that your docker environment your docker host and your docker containers are running as securely as possible you know given the rise of you know adoption or the increased adoption of docker and containerization in general it's very important that you understand how to secure your containers you know similarly to if you were running virtual machines now this video is not going to be focused on how to use docker i there's tons of videos and tutorials that can guide you on that we're just going to i'm just going to give you a brief introduction to to docker and we're going to talk a little bit about the architecture and the architecture will give us an idea as to what the potential security issues might be so firstly what is docker well docker you know you can classify as a containerization technology right so docker allows you to build and deploy applications and services in the form of containers it's a platform as as a service offering that utilizes the host operating kernel as opposed to hypervisors uh you know type 2 hypervisors like virtualbox so the containers contain the dependencies and the libraries that the application or service needs to run therefore eliminating the need for installing dependencies manually and you know docker containers are much more efficient than virtual machines as they utilize the host kernel and remove that that added layer of resource consumption so all of this can be explained by taking a look at this diagram that sort of differentiates docker or containerization and virtual machines or type 2 hypervisors right now in this particular case we have a type 1 hypervisor but the the the concept remains the same so with with containerized applications or with containerization what you have what you'll have is you have your hardware right so you're gonna have your your hardware or your host hardware and then you're gonna have your host operating system which can be windows or linux it will certainly be linux in most cases if you're running docker and then you install docker on top of that and then you have your various containers now if you can if you can actually compare this to the to the example of virtual machines you can see that for each of these virtual machines we also need to set up their operating system so we need to set up the guest operating systems and what this does is you know as efficient as it is these operating systems consume a lot of resources now in the case of docker all the containers are utilizing the host operating system kernel so for example if i am running ubuntu 18.04 and i'm running uh you know linux kernel version 5.4 then all containers uh you know that might be running um you know they might be running ubuntu centos they could be running apache we'll all be utilizing the host operating system kernel and uh and we'll we'll use that as par we will actually use that functionality of the host operating system and again you we can customize this or we can customize the extent to which the host operating system is used and that's you know where we we start getting into the various security issues because uh one of the security issues that you can immediately uh tell or point out is the fact that if if we are able or if there is a vulnerability within the host operating system kernel then it will affect all containers so now that we have an understanding of the infrastructure behind the docker and you know your typical type 2 hypervisor or virtual machines we can now get started with a securing docker all right welcome back so we can finally now get our hands dirty but there are a few things or a few concepts that i want to explain uh that'll really really give you a better idea of why we need to we we need to approach security in regards to docker at various levels now this particular video is going to be focusing on the essentials uh you know it'll sort of be an introduction into into securing docker and will sort of open up your eyes to exactly what can be done and what needs to be done so when we talk about securing docker we need to understand it you know given the the actual architecture that i displayed or actually took you through within the presentation so you're going to have your host operating system and that's vitally important so you know the the security of your host is going to determine the actual security of your containers for example uh if i was running an insecure version of ubuntu with an insecure kernel version that was vulnerable to the dirty cow exploit any one of the containers running on that host or that version of ubuntu would be able to compile the exploit and get root access that way so host operating system security is vitally important so the first thing you need to do is you need to decide an operating system that you're comfortable you uh you know that you're comfortable with using and of course in this particular case i'm referring to linux and we're going to be talking about various distributions that you can use as your host operating system so when we talk about security there's the concept of the threat surface right and the larger the threat surface the more difficult it is for you as a user as an administrator as a devops engineer to you know to to cover every aspect of the of of security so the first thing you want to do is you want to have a minimal setup right so there are many minimal operating systems that you can use and you know we recently had core uh the core os i believe it was called that was actually set up to run containers and again the way these operating systems are being set up is uh you know to run whatever or only what they need and getting rid of all the other bits of functionality that you know that are set up to be used by by normal users so you know a typical distribution like ubuntu uh it's really really good for for running docker and you can also use centos or fedora if you'd like but essentially you'd like to use something that you're comfortable with and that you're comfortable securing now this video we're really not going to be talking about you know you know securing the host operating system per se but i'll take you through some important aspects of it so firstly you can see i'm currently on the cve details website that lists out the the various vulnerabilities uh for docker over the last couple of years right so you know from 2014 all the way to 2019 and you can see in terms of software it has a very very good track record in terms of the amount of vulnerabilities that is uh in terms of severity we have a few you know really really big ones here so for example we have the number of vulnerabilities released for each of these years uh comes to a total of about 24 which is you know great uh you then have the types of vulnerability so we have dos code execution which is probably the most important one but if we take a look at the other categories we have overflow memory corruption sql injection directory traversal each of these or all of these mostly all of these don't have any vulnerabilities so you know in that aspect a docker is doing really really well now when we talk about docker vulnerabilities these are vulnerabilities within the docker daemon uh or the you know the dock engine itself uh when we talk about how containers can leverage uh you know vulnerabilities within the host operating system to get root access or to gain access to other containers that's a totally different story so in terms of securing your host you want to make sure you're running the latest version of docker secondly you want to make sure you have all your packages updated and upgraded and you're running you know you essentially have everything updated and nothing on your system is vulnerable so that will pretty much mean that if you're part of a large organization that that particular host is part of a vulnerability management program and we also have services now that that actually add or allow you to add containers to your vulnerability management program so that you can also track vulnerabilities within containers as well as the host so you want to make sure that you have your host locked down so you know you can perform the typical linux security best practices which i already have a video on so you can check that out and then of course when we talk about minimal operating systems or operating systems that have been designed to run on the cloud or to you know to run containers and are extremely secure one example of this is actually going to be clear linux so clear linux is an open source rolling release linux distribution optimized for performance and security from the cloud to the edge designed for customization and manageability so you can check this out if you're interested in this as you can see it's set up exactly for what we're doing right now so operate with a custom configuration uh you know it's close to upstream so you get the latest packages it's a modular so again it's open source so that means it's modular cross architecture open source operating system providing the ability to do you know it provides users the ability to differentiate so to actually create your own custom configuration if you wish if you wish and it's intel optimized so again that's something that you you might be interested in as well in terms of ubuntu if you really are looking for a minimal operating system i would recommend taking a look at ubuntu core which is set up for embedded devices so if you're looking for a you know a good host operating system that's minimal i would recommend checking this out there's also other options like rancher os which you can check out for yourself but we're not going to be focusing on that we're simply going to be running uh docker on our ubuntu 20.04 server so i'll be taking you through the various techniques that you can use okay so the first security technique that we're going to be taking a look at is going to be the process or the practice of always running or launching containers with an unprivileged user now the reason you need to do this or you you know it's actually recommended that you do this is to prevent privilege escalation attacks right so in order to to actually run or a particular container from a docker image as an unprivileged user you need to control the build process for that particular con for that particular image so that's another security best practice that you should incorporate and that is to build your own images all right and this gives you the ability to set up the environment based on the parameters you're aware of so for example in my particular case i can build a simple you know a simple docker image using one of our our docker images that we created it's called the bug bounty toolkit so we'll we'll just use the dockerfile here you can see it's based on ubuntu 18.04 and we don't set any particular unprivileged user here so we're going to be doing that so you know i'll just we can just copy this here i'll just copy the first few commands because the rest of the commands essentially set up directories and install tools so what we'll do is we will begin the setup process so i'll just take you through the process of what you do when you're running a a standard container or a standard image so if i list out my docker images so say you know if i say docker images you can see i have an ubuntu 18.04 docker image now you would typically run it by saying you know docker run and then i would you know say we want to use a terminal and i want it to be i want to get rid of this container when i exit and then we specify the image id right so we can specify the image id and then i can use a shell so i can say bin bash hit enter you can see that it logs us in as the root user now this may not this may actually seem like a trivial thing but it actually isn't recommended would you give root access to anyone or would you give root access to a person on a server the answer to that is no even if it's running services so you need to take the whole concept of host security into the containers so that's the first thing we need to do now when it comes down to creating these users i'll just exit from this particular container and if i say docker we can say docker psa uh you can see we we don't have any of these containers running which is excellent so as i said we'll be building our own we'll just create our own docker file so we'll say vim docker file and we'll just hit enter of course this is going to be done locally and we'll just copy this initial configuration here and we'll i'll just insert and we'll put that in there fantastic so in terms of the environment variables i can set my own environment variables right so i can set up for example we can say home and we can set up the name of the user that i want to create the unprivileged user that i want to create which is going to be alexis and remember if you do require root privileges you can actually just specify that under uh you can actually just specify that within your docker file so you know you don't need to actually have or you don't need to specify permissions for that user for your docker file to be built right so that's in terms of installation it's just when you're running the container which is the important bit here so to add the user all we need to do is say run so we're you know actually running a command here and the command we want to do is or that we want to run is going to be called a group ad so we're going to be saying group add and then we specify the user which in this case is going to be alexis and again you can customize that to whatever you want so we can say alexis and then we're going to say user add and we're going to specify the group so user add r and g and then we specify the group in this particular case we're not granting alexis any any particular privileges or any pseudo privileges but we could have done that i can say you know for example sudo and then say alexis but in this case i'll just add it alexis to his own group so alexis alexis and he is a fully unprivileged user so that means he can't do anything that requires root uh that requires root privileges so now that we've done this um you can see that immediately below this we can begin the configuration if if we actually want to do that but in our case we're not going to install any particular piece of software but you know just for instance or for the sake of this particular video i can say you know run we can then say you know apt install apt install nikto or just any commands over here but we're not going to do that so i'll save this docker file and to build this particular docker file into an image we're going to say docker build and we then specify this current working directory which is where the dockerfile is being stored and then we specify a tag and we'll just call this let's just call this particular image test and we hit enter and it's going to begin the build process and you can see it's complete and now if we list out our docker images you can see it's going to say it's it's actually just going to say test that's the dock image that we created so now when it comes down to running this particular image you can see that we can approach it two ways we can say docker run and i don't need to specify a user and i just i'd essentially just launch it and it'll actually use the root user however when it comes down to as i said running dockers securely you want to make sure that you use an unprivileged user so if you want to use a a user that you've created or in in your docker image all you need to do is say r and then we specify we all we need to do is say we specify the user so we can actually use u here and then we specify the username or the user id which can be obtained using the etsy password file so the user is going to be alexis and then we specify the other run options so for example uh docker run user lexis we can also just say we're running this and we want it to get deleted and then we specify the image id right over here and we'll put that in and then say you know bin bash for a for a terminal session and there we are so we're now logged in as the user alexis and remember even if we have the the root user added and we haven't disabled it but we actually can do that i'll show you how to do that shortly we can't actually switch to the root user because we didn't set the root password so if we give this particular image to someone or you know if we give this particular container to someone or we give them access to this container they can't escalate their privileges to root and they can't do anything that would potentially compromise the container or the services running within the container or the host itself if there are vulnerabilities within the host so you know the user can't install new software uh they can't muck around with the services running inside they can't compile anything so you and they cannot execute anything that again may damage the system so we can then just hit exit here and we can close that out so again if i just list out my docker images i'm just gonna get rid of this particular docker image that we created so i'll just say docker docker rmi so docker remove this image and we'll just put in the image id there and that's going to get rid of that particular image and then of course as i said we can modify the docker file to lock or block access to the root user completely so for example yeah i can say immediately after this i can say you know run and i can you know say for example we can echo out a command or we can modify or you know prevent access by using the change shell command and then we can change the default shell for the root user and prevent you know we can actually prevent a user from logging into the root user account even if they have the particular password so again we can essentially just specify the uh the terminal for the root user as user s bin no login similar to what you do when you are securing uh when you're securing the root account or disabling the root account on linux so again all we need to do is just provide the the command so we can say change shell and we say the shell is going to be user user s bin no login right and then we specify the the user that we want to specif the user of whom or the user the terminal for the user that we actually want to switch and then um we just need to hit save and then we can build this particular image so we're just going to run the docker build command here there we go and um it looks like that is done and if we list out the docker images now all we need to do is say we're just going to run the docker command again with the user alexis and we're just going to substitute the uh the docker id here so that we don't have to type that in all over again so we'll just copy that in there and put that in there and hit enter and now if we you know try and switch to the root user and even if we have the correct password and we know you had you know for example test it'll actually prevent us from logging in as i said we haven't set a root user password but i can actually demonstrate this to you so for example if we go back into the docker file we can actually say you know just before this or even after this we can actually just say um run we can then say password and then we know we we can then provide a password for the root user but again that's not recommended but this is a great way of blocking root access or providing a user who is trying to escalate their privileges with no terminal that they can log into all right so that is essentially how to set a you know unauthenticated user now to block root access for your particular images and containers so again it's always recommended that even if you're using a third-party uh docker a docker image it's recommended that you get the docker file and then you know change or customize the configuration based on the parameters that you feel are necessary or you can secure it as required that's the great thing about docker so we're now going to move on to the next step all right so the next security protocol or the security feature or the security practice to bear in mind is you know the ability to run docker containers in privileged mode and of course you then have the ability to restrict that so it's always recommended that you never run a docker container in privileged mode and you might be saying well what exactly do you mean here so if i just list out my docker containers let me just check check if i have one i don't and of course we created the image previously so we're just going to be using that particular image that i created so what i can do is i can say docker run right and i can then say you know these the typical commands i was unlikely to use we want an interactive session and i want to get rid of this container when i exit and then of course i can say privileged right i can actually use that particular i can use that particular option and this will run this container in privileged mode you never want to do that unless it's explicitly required so when it comes down to a new type of vulnerability or vulnerability that many of you who are security centric and i've actually you know performed some penetration testing you'll know of a a typical or a a very very very very simple concept in regards to set use id binaries and the fact that you can escalate privileges or abuse the set use id binaries to run commands as a as another user so for example if within our particular container if we if we had a set use id binary that allowed us to to actually run a command or run a particular binary with root permissions we can actually leverage that right so as an attacker we can leverage that to run you know various other commands as root so if you want to disable this what you need to specify is the security options so we can say security security opt which is which stands for options so again we say is equal to no new privileges so very very simple so no new privileges uh so that's privileges and we then specify the docker image um the docker image id right so i'll just copy this because i don't have my docker image id at hand and i think i actually should have shouldn't have cleared that so if we list out my docker images here and we again just go back to the i'll just paste in that particular command and we then specify the docker image id here and you know we just specify we're just going to use bash by default that is going to give me access and remember i can then specify to use the on uh the the unprivileged user that i created so let me just do that as well as an added security feature and of course you can automate these uh the execution of these particular of these particular containers and so we'll say run and then of course we specify the user in this particular case is going to be alexis sorry we actually specified run but rather just a user and then we say alexis and hit enter and we're now launched in as the user nexus so now if i had a su a a set use id binary here i would not be able to actually escalate my privileges and you know as it is already i can't i can't run anything or do anything uh that requires root privileges because i did not assign root privileges to this particular user so that is in essence how to disable or how to work around you know privileged and unprivileged containers and how to configure them to run as either privileged or unprivileged all right so now let's take a look at a security practice or a feature with within docker that allows you to specify uh kernel level or kernel functionality uh kernel capability and you know in the previous section we talked about you know running containers in privileged mode when we say uh privileged mode what exactly does this mean well when we specify the privileged flag what this means is that this will essentially give that container all linux kernel capabilities now if you've never heard of what capabilities are in the context of a linux kernel let me just introduce you to that right now so i'll i've just opened up the capabilities man page which explains it really really well so again capabilities you can see for the purpose of performing permission checks traditional unix implementations distinguish two categories of processes now when i just want to intercept there when we talk about a modern operating systems and their permission and privilege architecture you're going to have two modes you're going to have privileged mode and unprivileged mode and again as it says here in regards to the processes privileged processes whose effective user ids is zero also referred to as super user or root and unprivileged processors whose effective user id is nonzero right so privileged processes bypass all kernel permission checks while unprivileged processes are subject to full permission checking based on the processes credentials so what this means is in the previous section when we specified the security option that essentially prevented us uh from upgrading or or actually yep upgrading our credentials uh you know in the event we were trying to abuse a set user id binary what that means is if we set that up or we set up a an unprivileged user and we assign the privileged flag to that to that container at runtime we essentially just use serping or getting rid of that of the fact that we have specified an unprivileged user because that container will still be able to bypass all the kernel permission checks and will be able to essentially run all the various capabilities that are listed right over here so in terms of the the various capabilities implemented on linux you have the you have them sorted out here and they all they all have a prefix uh you know they're all prefixed with cap or capability and so for example the capability audit control enables or disables kernel auditing so you can see you can specify the capabilities that you want and that's the great thing with docker i can run a container in privileged mode which gives that container all internal capabilities or i can specify an unprivileged user and then specify what capabilities i want that container to be run with which is fantastic so we can do this really really simply by again if i'll just say docker run and before i do that let me just list out my images here so we say docker run and then i say i can then specify the capabilities that i want to use so you know i can say capabilities and that's done by using the cap option so capabilities i can then say add or drop so for example what is recommended is that you drop all so you say drop all and then you add the ones that you want so you can say docker run cap drop all so capabilities drop all and then you can say capabilities add and then we can copy the name of a capability here and you know we can just search for one that would make sense in this particular case because they're all very very powerful as you can see so for example let's see if i can find one that makes sense so we can use net admin which allows us to perform various network related operations like interface configuration administration of ip firewalls etc etc so that seems like a piece of functionality that you might want to assign to your container so we can say capabilities add and then we say we provide the capability name and then i can specify you know the other uh the com the other runtime options that i want and then we can specify the user as alexis and we then specify the image id here and we specify the shell finally and you know i can say bin bash hit enter and we now have uh firstly we have dropped all other kernel capabilities secondly we have specified the the kernel capability that we wanted to use and of course you know i i really am not going to be demonstrating what we can do with this particular kernel capability but you can use the kernel capabilities list here to specify the functionality that you need even though you want to run the container in an unprivileged mode or with an unprivileged user so that is the process of using or specifying capabilities based on your requirements or based on your container requirements and as i said there is never a reason to actually run a container in privileged mode because that's probably one of the biggest the biggest mistakes you can make when it comes down to running containers all right so i'm just going to exit for that con from that container and we can move on to the next step we're now going to take a look at how to you know prevent a container from writing any particular changes to the file system or how to set up a temporary file system so you know this is a it's a piece of functionality that's very very important when it comes down to restricting your containers or restricting a service account or you know for example the root account so what do i mean when i say you know restricting access to the file system well what we can do is we can actually specify and say that we want this container to run in read-only mode which means that that any user on that particular container any service cannot make any changes or cannot write any files to the file system now you might be saying well you this doesn't make any sense because my container my image requires me to install particular files or i i you know my web server will be dynamic files will be changing what do you mean i can't make any changes well again this is very important uh in relation or in context with other with other you know file system commands like the temporary file system flag or the temporary file system option which allows you to to actually save something temporarily or to save a file temporarily and you can specify the directories that you want so for example if i wanted to run my um if i wanted to run the docker image that we created in this video and i can say you know docker run and i can then start specifying for example read only right so you can say read only and um you know i'll just run it as as is so we'll say user is going to be alexis and i'll just show you what's going to happen here we'll say we also want to get rid of the container when we're done so the rm option or the rm flag really doesn't correspond to the file system to file system permissions in regards to writing uh to writing files or to making changes this is in in essence for managing containers and the fact that when i'm done with this container or when it's in in an exited state i want that container to be deleted so that's just a personal preference because you know i'm demonstrating something here so then i can copy the image id here and we can then just use a bash right so we can log in so remember i'm currently i can actually go into my root well i actually haven't set up the environment variable but i did i did actually create the uh the home directory so we can say home uh do we have that directory created um if i just say cd home uh and we have the we actually don't have a directory there right so if i say you know touch test for example you can see it's going to tell me cannot touch test or cannot create the file test this is a read-only file system so that means i cannot make changes in regardless of what user i am so you might be saying well that's weird what if you're the root user so let's try that out so i'm just going to exit from the container and instead of specifying the user this time i can just specify or i can just leave that out and log in as the root user and i'm logged in as root and i can say touch test and i hit enter and there we go so it says hey you can make any changes to this file system so this is a great way of as i said locking down access around particular users or particular services or you may just have a service that you know you want to lock down in regards to what files or what directories you can that particular service or that particular container will be able to make changes in so for example if i wanted to use a temporary file system i can say we can say we'll still use the root user i can also combine the read only flag with the the temporary file system so i can say t tmp fs so tmpfs and of course sorry we need to actually just say tmpfs and then we specify the directory under which we we can make the temporary file uh we can make the temporary changes right so we can specify the opt directory for example and hit enter and now if i print my working directory i'm currently in the root if i you know if i say something like and you know as the root user we actually have the permission to do this if i say something like um sorry touch test and i hit enter it's going to say hey you can't make these changes because this is a read only file system however if i go into the opt directory which is the temporary file system that we have specified and i say you know touch test and there we go so we can actually make changes within this directory so this is a great way of locking or you know setting up restricted access even though you may already have privileged users or you may not want to use a privileged user so you know there's tons of ways you can set up security with your docker containers at large so that is how to use uh or how to set up you know the file system type to use and how to set up uh you know your temporary file system all right so we're now going to take a look at a very very uh interesting aspect of um of container security now if you remember in the introduction i you know i briefly outlined the differences in in terms of architecture uh you know from containers and virtual machines right and you know one of the questions you might have if you've used virtual machines before is uh with a virtual machine setup i know that i can isolate each virtual machine from one another or i can i can essentially separate and isolate a virtual machines based on uh on their functionality based on their purpose and the way i can do this is by using various and networking modes well your question might be can we actually do this with docker can we do this with docker containers can i isolate a docker container and the answer to that is yes now you know previously with docker you had the ability to you know outrightly uh disable uh or set inter uh container communication to false there was an actual flag for this and many of you have used docker for a long time actually knew about this but now it's all being handled through a network so uh what we can do now is what we're going to be taking a look at now is how to create our own bridge network and we can then specify the options that we want to modify one of these options is going to be the intercontainer communication all right so firstly what we want to do is let's take a look at the networks that we already have firstly let me just check if i have uh any containers running no we don't okay so to inspect networks or the networks that come by default is we can just say docker network and ls so that's going to list out all the networks and you can see they're sorted based on the type of network so you have your bridged mode which again allows uh all all containers that are running on that particular bridged mode to to communicate with each other now by default all containers will use the bridged mode and i can i can actually demonstrate this to you or demonstrate this for you so for example if i want to inspect this particular network i can say docker network inspect and i just say bridge right and i hit enter and it's going to give us the subnet right over here which again is 172.17 so let me just keep this here let me just note this down so i can actually prove that to you so that's the subnet so that means we'll have an ip within this particular range now if we take a look at the other options for example enable ipv6 that's disabled that's fine and of course you have the uh the options here that i'm referring to so we have the uh if i can find it there we are so we have com docker network bridge enable icc icc is uh an abbreviation for intercon intercontainer communication so by default it's set to true so we want to change that value to false now the way we can do this is by creating our own network and i'll show you how to do this in a second so what i'll do is i'll just create a quick little container just to show you that it is using the bridged mode so we'll say um docker container so we'll just say sorry docker run because we don't have one currently running and we'll just specify you know the test uh the test image and just say bin and we'll just say bash here okay so we're currently logged in as a root user if i just say you know apt app update and well we actually don't need ifconfig ad we use ipa s let's just use ipas we don't have ipaddr uh so we just we can just say i uh apt update and apt install uh let's see why and we'll install net tools um so we'll just install that here and we should be able to get the ip then so uh so we'll just give that a few seconds here there we are so ifconfig like so you can see it's set to that particular subnet that we had just copied over so you know 17.7 172.17 so that means that if i create another container we will essentially be able to communicate with that particular container so for example if i just um you know i don't think i can actually demonstrate that but let's actually move on to the process of creating our own network so i can actually demonstrate this so what i'll do is we will just use tmux i think i have tmox here and we'll just say contain a one container one and we'll create a new session here and i'll just rename this to container two right so container two all right so within container uh within the um sorry within container one which i'm actually active on right now we'll just create a container similar to what we just did so we'll say docker run i t and we'll say you know we'll just leave it as is and we'll just run the test one so test and then we will say um pin bash right and uh we'll just hit enter so we have one container running we'll then open up the second container so i'll just move to my second section to my second session and say docker run same thing the exact same options here and we'll just say you know bin bash and obviously gonna have different ips so um what we can do is again just say sudo apt um we'll just say app update because we don't have sudo so app update and apt install uh why we say net tools and i'll just copy this particular command and run it in the first container as well so we'll just hit enter go back into the first container run that particular command as well and remember all of these containers are running simultaneously so we'll just let this complete and now what we'll do is just wait for that to complete here and there we are so if i say ifconfig we have the ip here and let's check the container we can actually run an nmap scan but we're going to we're not going to be doing that so ifconfig and if i say you know if we want to ping this particular address we can again just copy that and if we go back to the first container and say you know ping uh ping that particular container address so it's apt install ping because we don't have that i can't believe that's not there already uh apt install net tools we've already installed net tools here do we need to do that again do we need to install net tools again we already have net tools um so we should be able to ping um ping is not found so apt search ping how come we can find the ping package here iputilsping alright so apt install iputils and we say ping iputoolsping like so and we can then say ping um that particular ip here and you can see we can communicate with that particular with that particular container so that's uh in essence how the bridge how the bridge connection works now if we want to disable uh you know inter inter container communication all we need to do is let me just go back to my uh to my second container here so i'll just exit and we'll close this particular container in this particular session and i'll just leave this within tmox and we'll just say we'll just call it at term one okay so we'll exit from this particular container as well and uh we our job now is to create a new bridge network that prevents inter container communication so the way we do this is by saying uh docker network and then we say create of course and then we provide the the driver that we want to use which is going to be bridge so we'll say um the driver is going to be of type bridge right and we then specify the options that we want to use in this particular case um we need to copy the uh the additional option i think i'd copied it the option that essentially specifies whether or not we want to enable um we want to enable the inter in the intercontainer communication so i'll just copy that here and uh we should be able to paste it directly so there we are so we'll just add the the quotation marks so that was the option here and we've set it to false okay which is very important and then we provide the network name so i'll just call it test net all right so we'll just call the network test net and we'll hit enter it's going to create that network so now we say docker network ls and we list out that particular test net you can see we can then say docker network inspect and then we say testnet right to just list out the information we have not specified the subnet information or the any of the ip information that's up to you but the option uh that we're looking for here is you know the uh docker network uh bridge enable icc and we want to set that to false okay so now if we want to run a particular docker image or a container with a particular network configuration we all we need to do is just say docker docker run and we just again specify the flags that you like or that you're comfortable with in regards to the configuration and then we say network and that's going to be testnet we'll run it with the test network and then we just specify the name of the image which in this case is just going to be called test and we'll just run this with bash here and if i now say you know appt uh install or app update let's just run that particular command select update and apt install we'll just say if or i think it's net net tools and ipu tools iputools ipu tools ping i believe it was and we hit enter and let those packages install all right so we're just going to accept that and we should be good there so if i now say ifconfig we you know we have a different uh different subnet but uh the main process or the main thing here is whether or not we have the ability to to communicate with another container you know we wanted to disable that if we want to isolate this particular container so i'll create a new terminal session here and we'll just say docker run and we'll run it on the same network or even we don't even need to run it on on the custom network that we created all we're trying to see is whether one is whether one container can communicate with another and the one that we've isolated we want to make sure it cannot communicate with the other ones so we'll say docker run i t and i will just say you know bin bash and the first thing you'll notice of course uh well we actually have to just perform this cumbersome installation every time um so i'll just say apt update apt install why um net tools because we don't need the ping utility right now so net tools ifconfig so we've got the you can see it's on a totally different network but if we can also do it on the same but if i go back in here and we say ping for example paste in that here you can see it's not going to be able to get a response now now that's on a different network if we put the if we put the second container on the sim on on the same test net network then again uh it will actually be the same thing so we'll just exit from here and we'll then say uh you know docker we'll just say docker run and we then say you know i t rm and we say um we can then specify the network option which again is network and then we say test network so testnet and then we say test and that's the image name and then bin bash hit enter app update let me just speed up this process update act install y and then we say net tools i actually should have installed these packages within the image itself or within the dockerfile i should have specified these packages to be installed so that we save time but you know hey ho alright so there we go we'll just say ifconfig and now they're on the same they're on the same subnet so you can just copy that and we can go back to the first terminal here and say ping and provide that there and hit enter and you can see they can't communicate with each other i can't communicate the other the other container on the same network and they're all isolated so if you want to isolate your containers uh you can create your network configuration you can specify your ip configuration i'll have all of this documentation listed out within the documentation for this video so you can actually do that for yourself so that is how to enable uh you know or to disable intercontainer communication uh you know under the guise of isolation which is uh which can be very very important all right so now that we've taken a look at you know the various security practices that are recommended you know when it comes down to you know docker security and uh the key thing to understand here or to note is that uh this video has been focused on best practices in regards to running your containers and your environment we really haven't touched upon the actual uh docker uh the actual docker platform and its own security uh now you know we can start uh performing audits which is very very important when you set up security features or security protocols it's very important that you set up an audit or you you know perform an initial baseline audit and then you make your changes and then you perform the audit after that to see whether you know the changes you've put in are actually making a difference now in this particular video i'll just be taking you through the various auditing tools that you can use and then in the next set of videos regarding docker security we'll we'll get into securing the docker platform on its own so the the tool that we're going to be using right now is called docker security or docker i think it's docker security bench uh if i'm not wrong so docker security bench if i can just search for that here um right over here and it's yeah there we are it's docker bench security my badge so docker bench security is a script that checks for dozens of common best practices around uh deploying docker containers in production and now it's important to know that we haven't done things like enabling um how should i say enabling auditing but again running it should be fairly simple so for example uh all we need to do firstly is to uh we can actually just get that particular we can just clone the repository here and i'll just take you through a bit of the usability directly from here so to use it as you can see running docker bench for security we can specify you know the particular network and then you can specify the various options that you want to run in regards to the um to the audit process right so let's move on to the first step which is getting it set up all right so we'll just clone the repository here so you know just copy the address here and we'll just clone it to uh to our root directory so we'll just say git clone and we'll paste in the address there and we can then just run the script so we'll just say docker bench security and we'll run the docker bench security shell script and hit enter it's now going to go through all the various aspects of you know the docker platform so uh you can see right over here if we can just scroll upwards let me just get out of tmux for a second and i'll run that particular script again uh so again we'll just go into the docker security docker bench security and then run that script again so uh just list out that there so there we are and hit enter and we can now scroll all the way through and take a look at some of the other options that again all have to do primarily i'm going to guess with the the actual platform so let's get started at the top you can see it's going to go through various tests number one you're going to have your host configuration uh number two it's going to go through the linux host specific configuration so um we'll then go through the docker daemon right which is there and then you have the docker daemon configuration files the container image and build files and you have the container runtime docker security operations the docker swarm configuration and enterprise configuration so let's start off at the top okay so number one a general configuration nothing interesting there for the linux host specific configuration you can see we have a warning for this option so it says ensure a separate partition for containers has already been created we haven't done that yet so there we are second warning we get is for the auditing process which i said we'll cover in the next video to how to enable auditing uh there's tons of ways we can do that and all the other options also have to do with auditing of the docker files or essentially setting up an audit log or a system of auditing all the actions all right you can see that you know we can we need to ensure that network traffic is restricted between containers on the default bridge so again we can make changes to the default bridges i already did i've actually shown you how to create your own network that sets up inter container communication or disables that which we've already done so we don't need to worry about that enable the user namespace support again these are things that we'll be covering in the next set of videos ensure that authorization for docker client commands is enabled we we're running as an on i think an unauthenticated or sorry a privileged user um let's see ensure centralized remote logging we haven't done that so no no syslog setup ensure live restore yeah nothing there as well as for the docker daemon configuration file we get no warning there although the other files weren't found in regards to the daemon so it doesn't run those particular tests uh right we then have the contain images and build files you can see that ensure that trust for docker is enabled a content trust that is and then ensure that health check instructions have been added to the container images so we can actually do that so you know add a health check for that and then you have the um let's see if we have anything else so nothing else so again this particular audit is great for you know moving onwards now because i've essentially taken you through how to run docker containers as securely as possible and we've talked about isolation so this is how to audit the entire docker platform as a whole and i just wanted to take you through that as we'll be using this tool as we move on through the docker security essentials video series okay so that concludes this particular video covering the essentials of docker security as i said this is not a totally comprehensive video that aims to highlight every security practice or technique that you can run to secure uh to secure docker as i said securing docker is a multi-tier uh multi-tier approach requires a multi-tier approach as you need to secure your host you then need to secure the docker platform and then you have the process of securing docker containers and images so as we move on in this series we'll be taking a look at each of these aspects of security [Music] you

Info

Channel: HackerSploit

Views: 15,236

Rating: 4.9841895 out of 5

Keywords: hackersploit, hacker exploit, hacking, kali linux, docker, docker tutorial, docker container, container security, docker security best practices, docker security, docker security vulnerabilities, docker security tutorial, docker security scanning tools, docker security interview questions, docker container security, docker bench security, docker bench security tutorial, docker container security best practices, how to secure docker containers, how to secure docker registry

Id: KINjI1tlo2w

Channel Id: undefined

Length: 53min 32sec (3212 seconds)

Published: Mon Mar 29 2021