Security Sprint: using Seccomp for secure containers.
Paula Nov 26
Last week I skipped Security Sprint, oops! But today I'm bringing you another DevSecOps content. In this case we are learning about Seccomp and how to apply it for secure containers. Secure computing mode (seccomp) is a Linux kernel feature, as explained in the docker documentation.
You can use this feature to restrict your application’s access, and making its security stronger. They're defined in a JSON file that is applied when a container starts. This is only available if Docker has been built with
seccomp and the kernel is configured with
CONFIG_SECCOMP enabled. To check if our kernel supports seccomp, we should write:
$ grep CONFIG_SECCOMP= /boot/config-$(uname -r)
If it returns
CONFIG_SECCOMP=y, it does support it. Now, let's see an example of a json which have been defined with seccomp permissions to disable allowing containers to run seccomp.
If we launch our container with docker (
docker run ...) and try
chmod we would receive a permission error. This allows us to prevent from attacks or prevent vulnerabilities in different versions in case we don't want to change our application. Be careful, tho. Seccomp works with syscalls, and for that we need to know which ones are being used, depends on the system. For example, is not the same to create rules for a container based in Alpine (uses
strace) than a container based in Ubuntu(uses
strace-ubuntu). There's an example of all of this in Katacoda.
The default profile already blocks some
syscalls, here's a list of them. But of course we get to choose either the default or a customized version, depending on our needs.
Personally I think a good option for fast security setup in your container would be a vuln scanning and performing a list of blocked syscall regarding those version vuln until you are able to change the version (or this version is being patched, in case of zero days). For scanning, I suggest using CoreOS, an open source project hosted by -gasp- red hat. If we have a populated data base, we can start Clair service using
docker-compose up -d clair command and send it Docker Images to scan and return which vulnerabilities it contains. For this, we are using klar, here's the github repo, klar is an Integration of Clair and Docker Registry. For jsonize our data we can use jq. An example, now, of a command line using all of these would be:
CLAIR_ADDR=https://our_service CLAIR_OUTPUT=High CLAIR_THRESHOLD=15 JSON_OUTPUT=true klar postgres:latest | jq
This last scanning was public, from the public Docker Registry. We can scan a private image, too, using tags. Here's another example of a command line:
CLAIR_ADDR=http://our_service \ CLAIR_OUTPUT=Low CLAIR_THRESHOLD=10 \ klar our_tag/postgres:latest
You can see an example of this here.
Once we have our output (which will contain the vulnerability name, ID, description and others) we can perform our seccomp rule definition, in json too, as already described.
Welp, this is it. I hope you enjoyed this, please feel free to add more tools, ideas and information.