Do you inspect your containers?
With the increasing adoption of containers and microservices in the enterprises, there are also risks that come along with containers. For example, If any one of the containers breaks out, it can allow unauthorized access across containers, hosts, or data centers, etc., thus affecting all the containers hosted on the Host OS. To mitigate these risks, we have already looked at various approaches to provide secure isolation for containers. In this post, we are going to look at how to inspect the containers.
Quick Snapshot
Introducing amicontained
Using amicontained tool, we can find out what container runtime, other data points like below:
- What data does the container have access to?
- What is the composition of your containers during runtime?
- What type of system calls is being blocked?
- What are the details of the SECCOMP/AppArmor profile that is being used to prevent attacks and preventing others from spreading to the rest of the infrastructure?
#1. Install amicontained
Install binaries are available from Releases Page. Use the below script from the releases page to install amicontained.
# Export the sha256sum for verification. $ export AMICONTAINED_SHA256="d8c49e2cf44ee9668219acd092ed961fc1aa420a6e036e0822d7a31033776c9f" # Download and check the sha256sum. $ curl -fSL "https://github.com/genuinetools/amicontained/releases/download/v0.4.9/amicontained-linux-amd64" -o "/usr/local/bin/amicontained" \ && echo "${AMICONTAINED_SHA256} /usr/local/bin/amicontained" | sha256sum -c - \ && chmod a+x "/usr/local/bin/amicontained" $ echo "amicontained installed!" # Run it! $ amicontained -h
Verify if we have installed correctly by amicontained -h
Now that we have successfully installed, we can try out different scenarios.
Scenario #1: Inspect security configuration
In this scenario, we are going to inspect our containers for the security configuration.
We could see that what are the allowed/blocked syscalls, container runtime, AppArmor profile, capabilities, etc.,
Scenario #2: Inspect PID Namespace
By default, all containers have the PID namespace enabled. PID namespace provides separation of processes. The PID Namespace removes the view of the system processes and allows process ids to be reused.
In this scenario, we are going to inspect the container with PID namespace as host basically allowing processes within the container to see all of the processes on the system and check the output.
Scenario #3: Inspect Container runtime, environment
In this scenario, we are going to run the container with PID namespace as host basically allowing processes within the container to see all of the processes on the system and check the output.
Congrats! we have learned how to inspect containers using amicontained tool.
Docker container security best practices
Following best practices can help you create a Docker security infrastructure:
- Container images act as a foundation for multiple systems, and vulnerable images can cause damage across your enterprise. You need to ensure images are protected by scanning for open source and third-party vendor containers and setting up a trusted registry of base images.
- Sensitive information such as passwords and addresses needs to be maintained using Docker secrets.
- Monitor your container activity and limit the use of resources. Design errors, software bugs, or malware attacks can often lead to DoS attacks. You can handle the large attack surface by limiting the number of system resources allotted for each container.
- SECCOMP provides a default profile that blocks 44 out of the 300+ system calls allowed on Docker containers and lets you manage a whitelist to block additional types of calls. You have the option to use a strict SECCOMP profile to prevent some types of attacks and preventing others from spreading to the rest of the infrastructure.
- Monitoring systems like Prometheus can help you identify attacks, send alerts, and even automatically implement fixes. Periodically review log data generated by containers and use it to generate preventive security insights.
- Know the composition of your containers during runtime as well as build time.
If you’re looking for Docker Security tools, check out here.
Like this post? Don’t forget to share it!
Additional Resources :
- Implementing secure containers using gVisor+Docker tutorial
- Secure Coding Practices Specialization by UC Davis
- Implementing Policies in Kubernetes
- Using Docker Application Packages to Deliver Apps across Teams
- Get Job Ready with Professional Certificates from Coursera
Summary
Article Name
Do you inspect your containers?
Description
In this post, we are going to look at how to inspect the containers using amicontained tool.
Author
Karthik
Publisher Name
Upnxtblog
Publisher Logo
More Stories
Unlock the Potential of Java Microservices for Scalable Solutions
In today's rapidly evolving digital landscape, businesses and developers are continuously searching for efficient, scalable solutions to meet their complex...
How You Can Improve Your Business’s Performance with a Kubernetes Ingress Controller
Improving your business is vital to not only its progress but also its survival. There are many areas where this...
Scalable Data Management for Docker Containers: Harnessing NAS Appliances
The rise of containerized applications has revolutionized the world of software development. Docker containers have simplified the deployment process, enabling...
Enforcing policies with Kubewarden on Amazon EKS
According to Red Hat's 2022 State of Kubernetes Security Report, respondents stated that exposures due to misconfigurations in their container...
Top Kubernetes Security Best Practices: Securing Kubernetes Workloads with OPA & OPA Gatekeeper in Amazon EKS
Introduction As the adoption of container orchestration platforms like Kubernetes increases, so does the need for robust security measures. Open...
Choosing the Right Container Orchestration Service: A Guide to AppRunner, ECS, and EKS
AWS provides several services for running containerized applications, including Amazon Elastic Container Service (ECS), Amazon Elastic Kubernetes Service (EKS), and...
Average Rating