Get My Score

Docker Container Security and STRIDE

The first step in building a secure infrastructure is to understand the threats. Threats are potential events which lead to something useful for the attacker. It could be money, it could be bragging rights, or it could just be pure fun mutilating the reputation of a business entity. Threat risk modelling is an essential exercise to categorize threats and determine strategies for mitigating them. One such threat assessment model is STRIDE.

STRIDE is an acronym for six threat categories as outlined below:

  • Spoofing Identity – An attacker could prove that she is an authorized user of the system
  • Tampering with Data – An attacker could successfully add, modify or delete data
  • Repudiation – An attacker could deny or make it impossible to prove his delinquency
  • Information disclosure – An attacker could gain access to privileged Information
  • Denial of Service – An attacker could make the system unresponsive to legitimate usage
  • Elevation of privilege – An attacker could elevate her privileges

The STRIDE threat model forces you to think about securing your infrastructure from a threat perspective.

When developing a security configuration benchmark such as the CIS Docker 1.12 security configuration benchmark, we take into account such threat assessment models. We then evaluate various product features against such models to come up with a list of recommendations that are pertinent to securing the design and operations of the infrastructure. Such models force us to think in terms of threats arising out of product features and how such threats could put systems to risk. We invest a significant time in balancing functionality and security and then bring up recommendations that do not undermine the hard work of product teams.

 

An excerpt from such an exercise is below.

Section ID

CIS Docker 1.12 Benchmark Rule Title

STRIDE Categorization

5.1

Do not disable AppArmor Profile

Elevation of privilege

5.2

Verify SELinux security options, if applicable

Elevation of privilege

5.3

Restrict Linux Kernel Capabilities within containers

Elevation of privilege

5.4

Do not use privileged containers

Elevation of privilege

5.5

Do not mount sensitive host system directories on containers

Information disclosure

5.6

Do not run ssh within containers

Denial of Service

5.7

Do not map privileged ports within containers

Information disclosure

5.8

Open only needed ports on container

Information disclosure

5.9

Do not share the host's network namespace

Information disclosure

5.10

Limit memory usage for container

Denial of Service

5.11

Set container CPU priority appropriately

Denial of Service

5.12

Mount container's root filesystem as read only

Tampering with data

5.13

Bind incoming container traffic to a specific host interface

Denial of Service

5.14

Set the 'on-failure' container restart policy to 5

Denial of Service

5.15

Do not share the host's process namespace

Information disclosure

5.16

Do not share the host's IPC namespace

Information disclosure

5.17

Do not directly expose host devices to containers

Information disclosure

5.18

Override default ulimit at runtime only if needed

Denial of Service

5.19

Do not set mount propagation mode to shared

Information disclosure

5.20

Do not share the host's UTS namespace

Information disclosure

5.21

Do not disable default seccomp profile

Elevation of privilege

5.22

Do not docker exec commands with privileged option

Elevation of privilege

5.23

Do not docker exec commands with user option

Spoofing identity

5.24

Confirm cgroup usage

Denial of Service

5.25

Restrict container from acquiring additional privileges

Elevation of privilege

5.26

Check container health at runtime

Denial of Service

5.27

Ensure docker commands always get the latest version of the image

Tampering with data

5.28

Use PIDs cgroup limit

Denial of Service

5.29

Do not use Docker's default bridge docker0

Information disclosure

5.30

Do not share the host's user namespaces

Information disclosure

5.31

Do not mount the Docker socket inside any containers

Elevation of privilege

© 2016 Cavirin Systems, Inc.

STRIDE categorization of the complete benchmark reveals some interesting facts and figures. 68% of the benchmark recommendations are tuned towards protection from data tampering, denial of service and elevation of privileges. This is evident from the fact of increasing cybersecurity threats in the form of undisclosed vulnerabilities, ransomware and other crypto based hacks. Modern workloads have significant threat coming from such threat categories and it is evident that we need to elevate the safeguards that we have.

At an enterprise scale, we need a continuous monitoring product that can automate STRIDE assessment for container environments and helps us to maintain focus on our business priorities. Cavirin Automated Risk Analysis Platform (ARAP) enables organizations to proactively manage IT risk, leveraging continuous visibility and automated assessments to make the right decisions faster. A purpose-built, agent-less solution that deploys quickly to on-premises, cloud, and containerized infrastructures, it helps organizations reduce complexity, increase agility, and drive dramatic increases in efficiency with their security, risk and compliance programs.

About the Author: We are pleased to introduce new team member   Pravin Goyal, CISSP | CIPT | CUA | TOGAF | CCSK | CWSP |  RHCE | HP-UX CSA | VCP4-DCV | MBA | GISP | CloudU | CompTIA CE | ITIL-F | ITSM-F | CWNA | Mobility | VSP 2015

Director of Information Security and Compliance Engineering

 Pravin is a cybersecurity expert and has contributed to various CIS security benchmarks. He has authored CIS Docker Benchmark (all versions and currently updating Docker 1.13 benchmark) and CIS Quick Cloud Start Benchmark. He is currently setting up a CIS community around Google Cloud Platform.

 

 Cavirin is exhibiting at DockerCon 2017, April 17-20.  Come see us there, http://2017.dockercon.com.

0
0
0
s2sdefault

© 2018 Cavirin Systems, Inc. All rights reserved.