awesome-container-security


A collection of container related security resources


Image


  • Identify vulnerabilities in running containers, images, hosts and repositories
  • Static image analysis tool
  • The "War and Peace" of container security
  • Department of Commerce guidance on container security
  • Utility for aiding in compliance checks against a container
  • Automated security profiling for Docker images
  • drydock - Inspired by docker-bench-security, with the ability to apply custom security profiles
  • Docker bench security - One of the first security linting utilities for Docker
  • Packer builds Docker containers without the use of Dockerfiles. By not using Dockerfiles, Packer is able to provision containers with portable scripts or configuration management systems that are not tied to Docker in any way. It also has a simple mental model: you provision containers much the same way you provision a normal virtualized or dedicated server.
  • A toolkit for building custom minimal, immutable Linux distributions
  • An open-source API to audit and govern your software supply chain
  • Python library that extends docker build. It's part of the RedHat Atomic project, so it's rather opinionated
  • A series of exercises that provide a deep dive into the internals of containers. Also has a good SELinux training component
  • Free image scanning service with a commercial offering similar to Docker Cloud
  • anchore-cli
  • Specialized CVE scanner
  • Framework for peering inside docker images. Useful for rolling your own image scanning system

Commercial solutions


Build Management


  • Source to deployment framework. An alternative to Kubernetes and Spinnaker. I include it here because it implements a concept of trusted images and dependency management

Commercial solutions

  • Project Atomic - RedHat's complete container solution with strong built-in security
  • Docker Cloud - Continuous scanning of images along with a trust mechanism

Networking/Runtime


  • Associating Amazon IAM roles to pods
  • Also for associating Amazon IAM roles to pods
  • Comprehensive guide from Google engineers on securing and isolating containers
  • User-space kernel designed to provide better isolation/sandboxing of containers
  • bSides SF 2017 talk about container monitoring at Netflix using eBPF
  • Security enforcement for Flannel SDN
  • Apply Amazon Identity Management roles to Kubernetes Pods
  • Sidecar and security enforcement system used at Lyft
  • Network policy enforcement
  • Project
  • Realtime metrics gathering across the cluster
  • An exploration of covert channels
  • Contains an interesting point about how containers that share a network namespace can snoop on each other's traffic
  • Containers are able to send raw ethernet frames to other containers with inter-container communication disabled

Commercial solutions

  • StackRox - Container security solution with adaptive threat protection
  • NeuVector - Continuous network security
  • TwistLock - Network activity profiling

Security profiles


  • AppArmor profile generator for Docker containers
  • A gentle introduction to Security Enhanced Linux
  • Linux namespaces and seccomp-bpf sandbox. Also works with GUI apps
  • A handy list of capabilities that are enabled by default in Docker
  • An SELinux deep dive
  • Blog post about figuring out what capabilities a container needs
  • Spoiler: it's using SELinux
  • Bills itself as an adversary-resistant computing platform. Under the hood, the idea is to run containers in user space
  • An exercise that also takes you through the nitty gritty details of capabilities management

Exploits


  • From the intro: "We’ve been tracking an organized attack campaign that targets misconfigured open Docker Daemon API ports. This persistent campaign has been going on for months, with thousands of attempts taking place nearly on a daily basis."
  • Post exploitation framework
  • This isn't an exploit, but it allows a user to access the host VM if the container is run in privileged mode
  • List of known security vulnerabilities for Docker
  • Outlines an interesting spear-phishing attack on image maintainers
  • Image scanning system with a red-team focus on exploitation
  • A case study of a vulnerable private registry

Honeypots


  • Capturing exploit attempts by emulating a WordPress box
  • Docker container running cowrie with DShield output enabled
  • Fairly old, but a great idea for a platform on which to build honeypots

Presentations/Posts


  • An extension of the helpful cattle and pets analogy
  • The author presents the intriguing notion of applying the microservices approach to containers, where you split an application apart by capabilities
  • Awesome Object Capabilities - A language-level implementation of the capability based sandboxing methodology
  • Linux port of Capsicum related to this LWN post
  • Securing the image pipeline from creation to delivery
  • A security model to match the deployment model of many orchestration utilities
  • Container performance analysis at Netflix. This contains material similar to the bSides talk listed above with
  • Evolution of Container Usage at Netflix - Also provides insight into container monitoring, logging, and security at Netflix.
  • Chief Systems Architect Sasi Kannappan describes how Docker is used at Visa
  • Collection of resources on hardening your Docker daemon
  • Balancing moving fast and breaking things with securing against vulnerabilities
  • Great presentation on sandboxing containers