Do you inspect your containers?

With the increasing adoption of containers and microservices in the enterprises, there are also risks that come along with containers. For example, If any one of the containers breaks out, it can allow unauthorized access across containers, hosts, or data centers, etc., thus affecting all the containers hosted on the Host OS. To mitigate these risks, we have already looked at various approaches to provide secure isolation for containers. In this post, we are going to look at how to inspect the containers.

Introducing  amicontained

Using amicontained tool, we can find out what container runtime, other data points like below:

1. What data does the container have access to?
2. What is the composition of your containers during runtime?
3. What type of system calls is being blocked?
4. What are the details of the SECCOMP/AppArmor profile that is being used to prevent attacks and preventing others from spreading to the rest of the infrastructure?

#1. Install amicontained

Install binaries are available from Releases Page. Use the below script from the releases page to install amicontained.

# Export the sha256sum for verification.
$ export AMICONTAINED_SHA256="d8c49e2cf44ee9668219acd092ed961fc1aa420a6e036e0822d7a31033776c9f"

# Download and check the sha256sum.
$ curl -fSL "https://github.com/genuinetools/amicontained/releases/download/v0.4.9/amicontained-linux-amd64" -o "/usr/local/bin/amicontained" \
 && echo "${AMICONTAINED_SHA256}  /usr/local/bin/amicontained" | sha256sum -c - \
 && chmod a+x "/usr/local/bin/amicontained"

$ echo "amicontained installed!"

# Run it!
$ amicontained -h

Verify if we have installed correctly by amicontained -h

Now that we have successfully installed, we can try out different scenarios.

Scenario #1: Inspect security configuration

In this scenario, we are going to inspect our containers for the security configuration.

We could see that what are the allowed/blocked syscalls, container runtime, AppArmor profile, capabilities, etc.,

Scenario #2: Inspect PID Namespace

By default, all containers have the PID namespace enabled. PID namespace provides separation of processes. The PID Namespace removes the view of the system processes and allows process ids to be reused.

In this scenario, we are going to inspect the container with PID namespace as host basically allowing processes within the container to see all of the processes on the system and check the output.

Scenario #3: Inspect Container runtime, environment

In this scenario, we are going to run the container with PID namespace as host basically allowing processes within the container to see all of the processes on the system and check the output.

Congrats! we have learned how to inspect containers using amicontained tool.

Docker container security best practices

Following best practices can help you create a Docker security infrastructure:

1. Container images act as a foundation for multiple systems, and vulnerable images can cause damage across your enterprise. You need to ensure images are protected by scanning for open source and third-party vendor containers and setting up a trusted registry of base images.
2. Sensitive information such as passwords and addresses needs to be maintained using Docker secrets.
3. Monitor your container activity and limit the use of resources. Design errors, software bugs, or malware attacks can often lead to DoS attacks. You can handle the large attack surface by limiting the number of system resources allotted for each container.
4. SECCOMP provides a default profile that blocks 44 out of the 300+ system calls allowed on Docker containers and lets you manage a whitelist to block additional types of calls. You have the option to use a strict SECCOMP profile to prevent some types of attacks and preventing others from spreading to the rest of the infrastructure.
5. Monitoring systems like Prometheus can help you identify attacks, send alerts, and even automatically implement fixes. Periodically review log data generated by containers and use it to generate preventive security insights.
6. Know the composition of your containers during runtime as well as build time.

If you’re looking for Docker Security tools, check out here.

Like this post? Don’t forget to share it!

Additional Resources :

• Implementing secure containers using gVisor+Docker tutorial
• Secure Coding Practices Specialization by UC Davis
• Implementing Policies in Kubernetes
• Using Docker Application Packages to Deliver Apps across Teams
• Get Job Ready with Professional Certificates from Coursera