iss-cw4 - HackMD

# iss-cw4 ## image hardening * * ## runtime hardening * The setuid & setgid capabilities can be bypassed in a docker container through the use of the setuid bit using file permissions. To Prevent this you should use the --security-opt="no-new-privileges" flag when running a container. A process can set the no_new_priv bit in the kernel. It persists across fork, clone and execve. The no_new_priv bit ensures that the process or its children processes do not gain any additional privileges via setuid or sgid bits. Solution: List the security options for all the containers using the following command: docker ps --quiet --all | xargs docker inspect --format ': SecurityOpt=' The security options should list no_new_privileges as one of them. One can start a container with no_new_privileges as below: docker run <run-options> --security-opt=no-new-privileges <image> <cmd> # * The final control we’ll add today is one to prevent unexpected writes to the container’s filesystem. Each container starts with a fresh copy of the application image’s filesystem. By default, that filesystem is writable. However, if the application does not need to write to the filesystem, or we know the specific places it needs to write, then we can permit just that. # * The following container run command starts a container with a read-only root filesystem and also provides a small (64kb) in-memory tmpfs for temporary files at /tmp: docker container run --name rando-doggos --rm -it \ -p 5000:5000 \ --user 1500:1500 \ --security-opt no-new-privileges \ --memory 128m \ --cpus 0.75 \ --read-only \ --tmpfs /tmp:rw,noexec,nosuid,size=64k \ qualimente/rando-doggos:2018-03-20-1030 If you exec into the container and try to write a file someplace other than /tmp (e.g. the working directory), that write will fail: $ docker container exec -it rando-doggos sh -c "echo 'hello' > afile" sh: can't create afile: Read-only file system whereas if you write to /tmp it will succeed: $ docker container exec -it rando-doggos sh -c "echo 'hello' > /tmp/afile; cat /tmp/afile" hello You may have noticed that the tmpfs specifies noexec and nosuid options. This means that programs cannot be executed from that filesystem. So an attacker would have limited space and options within this container to bring their own tools or exfiltrate data. # * To make data persistent You need specify the directory to store mysql data on your host machine. You can then remove the data container. Your mysql data will be saved on you local filesystem. Mysql container definition must look like this: mysql: container_name: flask_mysql restart: always image: mysql:latest environment: MYSQL_ROOT_PASSWORD: 'test_pass' # TODO: Change this MYSQL_USER: 'test' MYSQL_PASS: 'pass' volumes: - /opt/mysql_data:/var/lib/mysql ports: - "3306:3306" # * Running containers independently of docker: https://prefetch.net/blog/2019/11/11/how-the-docker-container-creation-process-works-from-docker-run-to-runc/ # * Ports not necessary for the service must not be exposed. Solution: List all the containers and their exposed ports using the following: docker ps --quiet | xargs docker inspect --format ': Ports=' Ensure that there are no unnecessary ports exposed. # * Sharing namespaces have dangerous consequences if not managed properly. Containers can be started with -pid to connect with the host PID namespace or --net to share its network namespace. These allow containers to see and kill PIDs running on the host or even connect to privileged ports. Solution: Avoid sharing host namespaces with containers. ## notes from meeting: * /etc/selinux/config change to enforcing - put in script (https://phoenixnap.com/kb/enable-selinux-centos) * (change to mls?) * Docker volume for db persistence * Mount volume on build (https://docs.docker.com/storage/volumes/) * Volume security? * Seccomp * specify at build * Capabilities * Stripping ## Report stuff Test Case Scenarios * Image builds correctly * Containers can be made from image * Web page loads * Values can be entered * Web page loads showing up-to-date table * Above work when 'docker run' with dropped capabilities