Container Security: Securing the Docker Ecosystem

Pentester Academy
Pentester Academy Blog
7 min read · Feb 8, 2021

To help you master specific topics, we offer both bootcamp recordings and learning paths (curated sets of labs). In this post, we outline our Container Security on-demand bootcamp and learning path — covering everything from basics to advanced.

For access, subscribe to an annual plan, which includes on-demand bootcamps, learning paths and more labs for other topics!

Containers: an overview

Over the last decade, largely because of the Docker open-source project, the interest in Linux container technology has exploded. Containers use operating system-level virtualization to isolate applications from one another. They are lightweight in comparison to virtual machines as they share the host machine’s kernel.

Docker has enabled developers to rapidly build and share applications, and Kubernetes has enabled these applications to be deployed and scaled dynamically. This has led to the widespread adoption of Docker in the industry.

However, like all complex software systems, the container ecosystem is prone to misconfiguration, leading to vulnerabilities that can be exploited by malicious users. Because of this, understanding container security and being able to audit a container environment are critical skills that all security professionals should possess.

Start with our Container Security Beginner Bootcamp

This is a 4-session beginner bootcamp that will teach you the basics of containers and how to secure them. Learn how misconfigured components can lead to breakout attacks and eventually, host compromise.

This on-demand bootcamp covers different tools and techniques to audit containers, container hosts, image repositories and container management tools. Our unique lab setup lets you try low-level breakout attacks which otherwise can only be done in local virtual machines.

  • 9+ hours of live bootcamp recordings
  • 60+ Lab Exercises

Then embark on our Container Security Learning Path for more labs

What will you learn?

The Container Security learning path contains 11 categories of lab exercises that cover the basic concepts of container security and pentesting. You will learn how to use various tools and commands to identify and exploit vulnerabilities in the different components of the container ecosystem.

Prerequisites

To get the most out of this learning path, we recommend that you have:

  • A basic knowledge of computers and networking
  • Familiarity with the Linux operating system
  • Optionally, a basic knowledge of Docker

While each set of labs can be completed in any order, we recommend the following sequence:

Container Basics

This section explores the container management systems Docker and Podman. The labs also cover the low-level components of the Docker system, such as containerd and runc. Beginners will learn how to perform basic operations such as pulling and pushing images and creating and running containers. You will learn:

  • Using the Docker client to perform basic operations, including pushing, pulling and building images and interacting with containers and networks
  • Using Podman to create, manage and interact with containers, images and networks
  • Interacting with containerd to run containers
  • Running containers from Docker images with runc and umoci

Docker Microservices

The ease of deployment of Docker containers has led to increased interest in a microservice architecture. This is an approach in which an application is built as a set of loosely coupled, scalable, maintainable, independent services. For example, a WordPress blog on the LAMP stack can be deployed on 2 containers rather than all on one node (machine/container) — the first container will hold the Apache web server and PHP with the WordPress files and the second container will contain the MySQL database. This section covers attacks on applications that are deployed in the microservice architecture. The attacker will attack the web applications exposed to the internet, get a foothold on the first container, and then use it as a pivot to attack/explore the other containers. This section covers:

  • Attacking web applications deployed in a microservice architecture
  • Pivoting between containers

Container Breakouts

The term “Container Breakout” refers to the event where a malicious or legitimate user is able to escape the container isolation and access resources (e.g. filesystem, processes, network interfaces) of the host machine. This section covers the misconfigurations and excessive privileges that can be used to break out of the containers. The labs are based on an assumed breach approach which means the attacker has already gained a command shell on the container. You will learn:

  • Exploiting misconfigurations for Docker breakout
  • Leveraging excessive privileges to access the Docker host
  • Identifying and weaponizing additional Linux capabilities assigned to the container
  • Targeting shared namespaces to breach the container isolation

Docker Host Attacks

A Docker host is a machine on which the Docker daemon and Docker containers run. Once the Docker host is compromised, the attacker can also access all the other containers running on it. This section covers Docker socket misconfigurations that attackers can exploit to escalate privileges and take over the Docker host. Scenarios where insecurely configured host management tools can be leveraged to compromise the host are also covered. This section covers:

  • Exploiting misconfigurations to perform privilege escalation on Docker host
  • Pwning a Docker host using insecure management tools
  • Leveraging low-level components of the Docker ecosystem to take over the Docker host

Docker Registry

A Docker Registry is used to store and share Docker images among users and systems. Public repositories are mostly protected with authentication. However, in the case of private registries, the users/organizations usually rely on existing security boundaries to protect the registry. This category deals with insecure Docker registries and attacks that can be done on Docker infrastructure using insecure registries, specifically:

  • Interacting with an insecure registry using curl
  • Fetching images using curl and analyzing image layers
  • Attacking a protected Docker registry
  • Backdooring images and leveraging auto-deployment mechanisms to attack the Docker host

Docker Image Analysis

A Docker image is a file that is used to create a container. It contains applications/binaries and files that define the function and behavior of the corresponding containers. Docker images are built using instructions in a plain-text file known as a Dockerfile. This category covers the analysis of Docker Image layers and how to recover overwritten artifacts from Docker images. You’ll learn:

  • Extracting Docker image layers
  • Recovering overwritten artifacts
  • Finding secrets from Docker images and using them on live servers

Docker Forensics

The Docker ecosystem comprises different components, such as images, containers, networks and checkpoints. All of these components can be investigated to understand the chain of events in case of an incident. The labs in this section deal with the forensic aspects of Docker components, such as:

  • Extracting artifacts from Docker images
  • Locating backdoors in running and stopped containers
  • Using checkpoints to recover container state
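The layer walk that both the Docker Image Analysis and Docker Forensics labs above revolve around, as an added example in Python (not the course's or Docker's own code): it builds a constructed two-layer image in the `docker save` layout in memory, then walks the layers in manifest order to list files that a later layer deletes (whiteout entries) or overwrites, keeps the earlier contents that the final filesystem view no longer shows, and flags secret-looking strings in every layer. The file names, the credential values and the secret patterns are constructed; only the manifest.json layout and the `.wh.` whiteout convention are Docker's.

```python
import io
import json
import re
import tarfile

# Constructed patterns for secret-looking strings: an AWS-style access key id and a
# quoted password literal.  Tune these for the environment being examined.
SECRET_RE = re.compile(rb"AKIA[0-9A-Z]{16}|password\s*=\s*['\"][^'\"]+['\"]", re.IGNORECASE)


def _tar_bytes(files):
    """Build a tar archive in memory from a {path: bytes} mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed two-layer image in `docker save` layout: manifest.json plus one
    layer.tar per layer.  Layer 1 ships a credential file and a hard-coded password;
    layer 2 deletes the first (whiteout entry) and overwrites the second."""
    layer1 = _tar_bytes({
        "app/.env": b"AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\n",  # constructed, not a real key
        "app/config.py": b"DB_PASSWORD = 'hunter2'\n",
    })
    layer2 = _tar_bytes({
        "app/.wh..env": b"",  # whiteout: hides app/.env from this layer onwards
        "app/config.py": b"import os\nDB_PASSWORD = os.environ['DB_PASSWORD']\n",
    })
    manifest = [{"Config": "config.json", "RepoTags": ["example/app:latest"],
                 "Layers": ["layer1/layer.tar", "layer2/layer.tar"]}]
    return _tar_bytes({
        "manifest.json": json.dumps(manifest).encode(),
        "config.json": b"{}",
        "layer1/layer.tar": layer1,
        "layer2/layer.tar": layer2,
    })


def analyze_image(image_bytes):
    """Walk the layers in manifest order.

    Returns (history, findings): history maps each path to the list of
    (layer_number, content) versions it had, with content None for a whiteout;
    findings lists (layer_number, path, matched_secret) for every layer, including
    content that the final filesystem view no longer shows.
    """
    history, findings = {}, []
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for layer_no, layer_path in enumerate(manifest[0]["Layers"], start=1):
            with tarfile.open(fileobj=image.extractfile(layer_path)) as layer:
                for member in layer.getmembers():
                    if not member.isfile():
                        continue
                    parent, _, base = member.name.rpartition("/")
                    if base.startswith(".wh."):
                        # ".wh.<name>" deletes <name>; ".wh..wh..opq" hides the whole parent dir
                        if base == ".wh..wh..opq":
                            target = parent + "/"
                        else:
                            target = f"{parent}/{base[4:]}".lstrip("/")
                        history.setdefault(target, []).append((layer_no, None))
                        continue
                    data = layer.extractfile(member).read()
                    history.setdefault(member.name, []).append((layer_no, data))
                    for match in SECRET_RE.finditer(data):
                        findings.append((layer_no, member.name, match.group(0).decode()))
    return history, findings


def hidden_versions(history):
    """Paths with at least one version that a later layer deleted or replaced."""
    return {path: versions for path, versions in history.items() if len(versions) > 1}


if __name__ == "__main__":
    history, findings = analyze_image(build_sample_image())
    for path, versions in hidden_versions(history).items():
        for layer_no, content in versions:
            print(f"layer {layer_no} {path}: {'<deleted>' if content is None else content!r}")
    for layer_no, path, secret in findings:
        print(f"secret-looking string in layer {layer_no} {path}: {secret}")
```

Against a real image, feed `analyze_image` the bytes of `docker save image:tag` instead of `build_sample_image()`. Running the container would show neither the deleted `.env` nor the original `config.py`, yet both are still in layer 1 of the image, which is why scanning only the final filesystem view of an image misses leaked credentials.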

Docker API Firewall

Docker supports third-party plugins that can be used to enforce custom restrictions on the Docker daemon API. An API firewall can be created by combining such plugins. This is not to be confused with the network firewall that can be created using iptables. The labs in this section deal with bypassing or evading the restrictions applied to the Docker daemon REST API using plugins. It covers:

  • Bypassing API-based restrictions to launch privileged containers
  • Understanding the JSON structure of Docker API requests
  • Entering a running container to compromise the Docker host
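As an added example (not code from the course or from Docker), the Python below sketches the decision logic of a Docker authorization plugin of the kind the Docker API Firewall labs describe, applied to the HostConfig fields that the Container Breakouts section lists as breakout vectors: privileged mode, added capabilities, shared host namespaces and host bind mounts. The AuthZReq message layout (RequestMethod, RequestUri, base64 RequestBody) and the HostConfig field names are Docker's; the capability and path thresholds, the user name and the sample requests are constructed.

```python
import base64
import json
import re

# Capabilities whose addition is a policy violation here.  The list is this
# example's own threshold, not a Docker default.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "DAC_READ_SEARCH", "NET_ADMIN"}
# Host paths that must never be bind-mounted into a container under this policy.
FORBIDDEN_BIND_SOURCES = ("/", "/var/run/docker.sock", "/run/docker.sock", "/proc", "/sys", "/etc")
# Matches the container-create endpoint with or without an API version prefix.
CREATE_RE = re.compile(r"^/(v[\d.]+/)?containers/create(\?.*)?$")


def _lower_keys(obj):
    """Lower-case every dict key recursively.

    The daemon decodes request bodies with Go's encoding/json, which matches
    field names case-insensitively, so the policy compares keys the same way
    instead of looking for one exact spelling.
    """
    if isinstance(obj, dict):
        return {str(k).lower(): _lower_keys(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_lower_keys(v) for v in obj]
    return obj


def find_violations(host_config):
    """Return the policy violations found in a HostConfig object.  The same
    field names appear in `docker inspect` output, so this also audits
    containers that already exist."""
    hc = _lower_keys(host_config or {})
    violations = []
    if hc.get("privileged") is True:
        violations.append("privileged container")
    caps = {str(c).upper() for c in hc.get("capadd") or []}
    caps = {c[4:] if c.startswith("CAP_") else c for c in caps}
    for cap in sorted(caps & DANGEROUS_CAPS):
        violations.append(f"added capability {cap}")
    for ns in ("pidmode", "networkmode", "ipcmode", "utsmode"):
        if str(hc.get(ns, "")).lower() == "host":
            violations.append(f"{ns} shares the host namespace")
    for bind in hc.get("binds") or []:
        source = str(bind).split(":")[0].rstrip("/") or "/"
        if source in FORBIDDEN_BIND_SOURCES:
            violations.append(f"host bind mount {bind}")
    for dev in hc.get("devices") or []:
        path = dev.get("pathonhost") if isinstance(dev, dict) else dev
        violations.append(f"host device exposed: {path}")
    return violations


def authz_req(request):
    """Decide one AuthZReq message.  Only container creation is inspected;
    every other endpoint is allowed through unchanged."""
    if request.get("RequestMethod") != "POST" or not CREATE_RE.match(request.get("RequestUri", "")):
        return {"Allow": True}
    try:
        body = json.loads(base64.b64decode(request.get("RequestBody") or "") or b"{}")
    except ValueError:
        return {"Allow": False, "Msg": "container create request body could not be parsed"}
    lowered = _lower_keys(body) if isinstance(body, dict) else {}
    violations = find_violations(lowered.get("hostconfig"))
    if violations:
        return {"Allow": False, "Msg": "policy violation: " + "; ".join(violations)}
    return {"Allow": True}


def make_request(body, uri="/v1.41/containers/create", user="alice"):
    """Build a constructed AuthZReq message in the shape the daemon sends."""
    return {"User": user, "RequestMethod": "POST", "RequestUri": uri,
            "RequestBody": base64.b64encode(json.dumps(body).encode()).decode()}


# Constructed sample requests: a plain web server and a container that asks for
# every breakout vector at once.
SAMPLE_ALLOWED = make_request({"Image": "nginx:1.21",
                               "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]}})
SAMPLE_DENIED = make_request({"Image": "alpine",
                              "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"],
                                             "PidMode": "host",
                                             "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}})

if __name__ == "__main__":
    for name, req in (("allowed", SAMPLE_ALLOWED), ("denied", SAMPLE_DENIED)):
        print(name, json.dumps(authz_req(req)))
```

The policy parses the request body as JSON and normalizes field names rather than pattern-matching the raw text, because the daemon accepts the same body in more than one spelling; a plugin that checks only one spelling enforces less than it appears to. The same `find_violations` can be run over the `HostConfig` section of `docker inspect` output to audit containers that were created before the plugin was installed.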

Docker Tools

Docker has a rich community of developers, sysadmins and security professionals. This community promotes Docker usage by sharing knowledge and creating tools to perform different tasks. There are tools that help simplify the management of Docker environments and tools that help keep the environment secure. This category explores the different types of tools that are used for managing and securing Docker ecosystems. You will learn:

  • Managing Docker with management tools like Portainer
  • Performing a Docker security audit
  • Scanning Docker images for vulnerabilities
  • Analyzing Docker images

Interested? Subscribe to an annual plan which includes on-demand bootcamps, learning paths and more labs for other topics!
