Containers are based on an entirely isolated environment, they provide a solution to the problem of how to get the software to run reliably when migrating from one cloud computing ecosystem to another computing ecosystem. Container security is an approach to applying security processes, tools, and policies to protect container-based workloads. This article will give an overview of Container Security.
Why is Container Security important?
Containers a standard way to package your application's code. It is the isolated process i.e., the process running in the sandbox that typically only sees the other methods that are started in the same container. Containers make our app portable -
It looks the same everywhere.
No matter where you run it.
Doesn't need to install all the app dependencies.
Containerization allows for greater modularity i.e., and the application can split into modules.
Allows development teams to move fast, and deploy software efficiently.
Less overhead operations as Containers require fewer system resources.
Applications operating in containers can be deployed quickly to different operating systems.
What are the mechanisms of Container Security?
Linux Kernel namespaces:Docker uses namespaces of several kinds to implement the isolation that containers require to remain portable and abstain from affecting the remainder of the host system E.g., process id
Linux control groups: Provide a mechanism for efficiently running and monitoring system resources, by partitioning things like CPU time, system memory, disk, and network bandwidth, into groups, then assigning tasks to those groups. The docker daemon in Container Security Mechanisms
- Docker daemon is the mastermind behind the whole operation.
- When the docker run command is used to start up a container, the docker client will transpose that command into an HTTP API call and transmits it to the docker daemon then assesses the request, talks to the underlying OS, and provisions your container.
Linux capabilities: This feature aims to break up the power of the superuser so that an application requiring some privilege does not get all rights.
Linux security mechanism AppArmor, SELinux: SElinux acts as a protective agent on servers. SELinux relies on compulsory access controls (MAC) that restrain users to rules and procedures established by the system administrator.
Dockers are the containers that make our app shareable. A Dockerfile is a text file or a list of instructions that we pass to a docker engine to tell it how we build a container. Docker build command is used to pass a docker file to a docker engine. Docker engine follows the instructions set in the docker file to build a docker image. Docker image uses a docker run command to start a container based on that image. If code needs to be compiled and executable, it can be done in two ways -
Compile code manually and specify in the docker file
Describe how to compile your executable in the docker file as an instruction, so the docker engine will follow this instruction to compile an executable.
Docker engine can manage how many physical resources, how much RAM, and how much CPU is allowed to use by each of these containers. Every time we run the docker build command if the docker file is changed, we are not replacing the old docker image, the new docker image is continuously being created every time we run a docker build command Things that make docker-engine special - We can take any docker image and start it as a container on a different OS. The new container will run in the same way as it runs on the original computer.
Providing security to your custom images by scanning the container images and enforcing policies as a part of continuous delivery workflow. Click to explore about, Complete Container Protection Platform
Accessing The Container Security Mechanisms
Containers are accessible because they provide a standard way to package an application code. They make the app portable and do not need to install all dependencies. But there are still some difficulties in container security. Some container software is used to secure containers. Docker has commonly used container software. Docker container technology increases the default security by creating the isolation layers between the application and between the application and hosts. Isolation is a powerful mechanism in controlling what containers can see or access or what resources they can use. Docker container provides resource constraints with Linux namespaces and groups.
When the developer has completed their aspect, they will push to the continuous integration system (CI), which will build and test the images. The image will then drove to the registry. It is now ready for deployment to production.
Docker Image Provenance
The gold standard for image provenance is Docker Content Trust. DCT presents the capability to use digital signatures for data sent to and received from remote Docker registries. With docker content trust enabled, a digital signature is added to the image before they are pushed into the registry. When the image pulls docker content trust will verify the signature, by ensuring that the image comes from the correct organization and the content of the image exactly matched with the image that was pushed. It is also possible to verify the image using digests.
A digest is the sha256 hash of a docker image. When the image is pushed, a docker client will return a string that represents the digest of an image. Whenever the image is pulled, the docker will verify the digest matches with an image. Any update in the image will result in the generation of the new digest.
A standard approach to package your application's source code, configuration files, libraries, and dependencies in a single object. Click to explore about, Role of Containers in DevOps
Docker security scanning gives the ability to do a binary level scan of all images. The image scanner automatically helps to identify all the vulnerabilities and reduce risk., it also ensures the integrity of a container image. Docker security scanning is available as an integral part of the docker cloud and docker data center but not as a stand-alone service.
Auditing for Container Security Mechanisms
The production environment is regularly edited to ensure that all the containers are based on up-to-date containers, and both hosts and containers are securely configured. Auditing directly follows security scanning and image provenance. It isn't enough to scan images before they are deployed as new vulnerabilities are reported. Therefore, it is essential to scan all the images that are running. Some tools can be used to verify that the container files system has not diverged from the underlying file systems. Tools, such as docker diff is used to list the changed files and directories in a container file system since the container was created.
Isolation and Least Privileged
The significant security benefit of the container is the extra tooling around isolation. Containers work by creating a system with separate namespaces. The principle of least privilege is defined as "Every program and privileged user of the system should function using the least amount of privilege required to complete the job" Concerning containers this represents that each container should run with a minimal set of privileges possible for its effective operation.
A container can also be secured by running containers with read-only file systems. In docker, this is achieved by only passing the read-only flag to docker run. Bypassing the read-only flag, the attacker will be unable to write the malicious scripts to the file systems and unable to modify the contents. The network traffic is between containers on the same host, which increases the risk of unwanted disclosure of information to other vessels. To reduce these risks, the developer should restrict container access by allowing intercommunication that is necessary by linking specific containers.
No matter how good a job is done with vulnerability scanning and container hardening. There are always unknown bugs and vulnerabilities that may recognize in runtime and cause a disturbance. That is why real-time threat detection is essential. Tools like AuqaSecurity and Twistlock offer runtime threat detection. Twistlock provides full-stack container and cloud-native cybersecurity for teams using Docker, Kubernetes, serverless, and other cloud-native technologies.
Twistlock integrates with any CI tool and registry and runs wherever we choose to run containers and cloud-native applications. Twistlock integrates with any CI tool and is used to provide unmatched vulnerability and enforcement for container images, hosts, and serverless functions. Twistlock automatically learns the behavior of the images and microservices while preventing anything anomalous.
The most two standard security modules are SELinux and AppArmor. They both are an implementation of the Mandatory Access Control (MAC) mechanism. SELinux and AppArmor are brave attempts to clean up the security holes in Linux containers. MAC will check that the user or process has the right to perform various actions such as reading and writing. Application Armor (AppArmor) is an effective and easy-to-use Linux application security system. AppArmor protects the OS and applications from any kind of internal and external threat. AppArmor is available for docker containers and applications present in the containers. AppArmor is always recommended to use as is by default with Ubuntu 16.04.
Security-Enhanced Linux (SELinux) is the implementation of the MAC security mechanism. It allows the server admin to define various permissions for all processes. SELinux defines how processes can interact with another part of the server. E.g., An apache user with full permission can only access/var/www/html directory but cannot access the other part of the system without policy modification. If an attacker managed to access the Apache web server, it would only have excess to exploit the server. The files will have regular access as defined in the policy of the server. The attacker does not have access to other parts of the system or internal LAN. Therefore, the damage can restrict to the particular server and files.
Avoid root access
The namespace feature in Linux containers allows developers to avoid root access by giving isolated containers a separate user account. So, a user from one container does not have access to another container. The system administrator should have to enable this feature, as this feature is not enabled by default.
What are the best practices of Container Security?
Here are some useful things that one should follow while using the containers -
Create Immutable Containers - Immutable infrastructure is a paradigm in which servers are never modified after they are deployed, i.e., they can be only rebuilt. Therefore, in the case of containers, if there is an increase in any defects or vulnerabilities, developers can rebuild and redeploy containers.
Securing Images for Container Security- Containers make it easy to quickly build, share, and deploy the images, which might be a risk if you don't have an excellent way to control where the images come from and what is contained in the image. Therefore, you must specify the list of trusted sources for the images and libraries.
Securing Registries for Container Security- Once the image is built and secured in the best way possible, so now the image must be stored in a registry. If the image is stored in a registry, one should scan them regularly for the vulnerabilities.
Run Images From Trusted Sources - Building images from trusted sources can minimize the attack surface. While building images from trusted sources, there are still some chances that vulnerabilities can be present. Therefore, it is recommended to scan the content with the scanning tool.
Securing Deployment for Container Security - The target environment needs to be secure, i.e., the operating system should be appropriately hardened on which containers are running. If deployed to cloud environments, one should consider immutable deployments.
Keeping Containers Lightweight - Usually, containers are lighter than virtual machines. While running containers, it is possible to load too many packages. Therefore, lightweight containers should be chosen for reliability.
Implement Robust Access Control - In containers, all the users are assigned root privileges by default. Therefore, it is necessary to change their access privileges to non-root users. By using role-based access control (RBAC), you can configure specific sets of permissions.
Handle Confidential Data With Care - Never store secrets like keys, tokens, passwords, and confidential information inside docker files, because even if the data is deleted, it can easily be retrieved from the image history.
Summarizing Container Security
Containers are gaining popularity as they are efficient and fast. Therefore, Containers Security must require a different approach. So, one should follow these Container Security Best Practices. Usually, three distinct layers need to be achieved in a container implementation, i.e., images, containers that contain these images, and the host that is running these containers. To understand more about Containers we advise taking the following steps -