Ramblings of a Unix Geek

I've been doing this for a long time... I ramble!

Maybe containers are VMs after all

Back in Container security I said that we need to think about containers as VMs. I then looked at an easier way of looking at containers, by not treating them as VMs. Hopefully, at this point, some of you were thinking “Hmmm!”. Finally I discussed the processes and workflows outside of the container implementation that are needed to keep containers safe (build processes, etc). We can turn what we’ve learned on its head.

Unix Identity and Access Management

Identity and Access Management (IAM) historically consists of the three A’s:

Authentication: What account is being accessed?
Authorization: Is this account allowed access to this machine?
Access Control: What resources are you allowed to use?

On top of this we may also need to consider:

Auditing: Log the attempt to use the machine.
Provisioning: How does the account get onto the machine?

Keeping containers safe

In a previous post I showed that if you stop treating containers as if they were VMs then container security is easy. Now we need to look at how to keep the contents of containers safe. In general there are a number of steps:

Build good containers
Scan existing containers
Replace bad containers

Build good containers

This should just be an extension of your existing source control process; your CI/CD process; your “test driven” processes.

Container Security is Easy

People think container security is hard. But it’s not… if you think about it the right way. And that’s where people tend to go wrong, and that’s why they think it is hard. So let’s follow a thought pattern… First we need to consider what is a container and what distinguishes it from a virtual machine. In general a container has the following properties:

Shared kernel
Segmented view of resources
Separate process ID space
Separate filesystem mount space
Separate IPC memory segments
Separate view of the network
…

Multi-platform

Linux VServer (from 2001!

Container security

It started with a set of slides by a friend: My first thought was to wonder how heartbleed, shellshock, cve-2015-7547 and the like fit into this story. He answered “rebuild the world and redeploy”. Which I felt missed the problem. You also need a level of control around what goes into containers, who can build containers, where they get deployed. We have decades of history of knowing that self-run machines are badly patched and badly maintained; if the bug isn’t in the application code then it’s mostly invisible to the developer.

New site

My old site was nicely hand crafted HTML. Each bit lovingly created. It worked… but it did smell a little 90s. Which doesn’t surprise me; the last time I did any web development was the 90s! So I thought I’d try something a little more modern. Unfortunately most CMS systems (eg WordPress, Joomla, Drupal) appear to want to use a database of some form. The content is displayed dynamically based on the user request and the database content.

Breaking the MBR on every hard disk

I was reminded of a backblaze article about SMART numbers. This nudged me to look up the stats on my drives to see if any numbers had budged. Let’s collect the data for processing:

    for a in /dev/sd?
    do
      smartctl -a $a > $a
    done

Spot the error. I ran the code. Did an “ls”… and didn’t see any output. I started to panic a little… I didn’t just do what I think I just did… did I?

Gullible

Coworker: i’ve found that networking/factime can pay dividends
CW: *face time
Me: “factime” - that was the early name for “bullet time”, but they realised “fast and circular” didn’t sound as cool.
CW: stephen you ever play trivial pursuit and if so how’d you do?
CW: or maybe jeopardy
Me: Umm, you really shouldn’t believe everything I write :-)
CW: lol
CW2: Stephen, have you ever played balderdash? And if so, how’d you do?

DHS redux

So it looks like those scans were coming from NCATS. This is only meant to scan networks associated with the Federal government. I’m guessing there was a misconfiguration, somewhere, ‘cos Panix tell me they never requested any scans of their network :-) Through a friend I contacted their SOC. I saw another scan yesterday and escalated. They just replied and told me that they’ve removed the IP ranges from their config.

Huh, the department of homeland security is attacking me?

Either the DHS is attacking me, or else they’ve got compromised computers… In my logs I see 1147 attempts from 64.69.57.20 to my web server; e.g.

    64.69.57.20 - - [03/Jul/2015:00:40:32 -0400] "\x16\x03\x01" 501 295 "-" "-"
    64.69.57.20 - - [03/Jul/2015:00:40:40 -0400] "GNUTELLA CONNECT/0.6" 400 306 "-" "-"
    64.69.57.20 - - [03/Jul/2015:00:40:41 -0400] "GET http://rfi.nessus.org/check_proxy.html HTTP/1.0" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
    64.69.57.20 - - [03/Jul/2015:00:40:42 -0400] "ABKJFC / HTTP/1.