Security on the cloud
Hackzone VI, 14 Avril 2018
Tunis, Tunisie
Amine Ben Asker
Cloud Architect
Automation enthusiast
Night shift
Rainbow hacker
Infrastructure guy
Internet hacktivist
Torrent seeder
Blockchain Fun
...
Java ?
Python ?
Golang ?
Docker ?
Microkernel ?
The cloud refers to software and services that run on the Internet, instead of locally on your computer
What is the Cloud ?
Stop saying the cloud is just someone else's computer - because it's not
My home Lab, Dec 2017 Paris
Cloud is about how you do computing, not where you do computing.
Spoon & trash
VM => Container
How it works ?
Same as 1979 ?
mkdir jail
chroot jail
mkdir jail/bin
cp /bin/sh jail/bin
chroot jail
mkdir jail/bin
cp all/dep.so to jail/bin
chroot jail
Same as 1979 ?
Nope
Unchroot using recursive chroot('.')
Docker runs as root
Kernel Namespaces
Control Groups
Linux Kernel Capabilities
Attack Surface of the Docker Daemon
How to Secure ?
Just follow the best practices
Install Secure packages/bin
RUN apt-key adv --keyserver hkp://cloud-pizza:80 --recv-keys B97B0A....8 RUN apt-get update && apt-get install ...
Install Secure packages/bin
RUN apt-key adv --keyserver hkp://cloud-pizza.local:80 \ --recv-keys B97B0A....8 RUN apt-get update && apt-get install ...
Use trusted image followed by tag
FROM base-image:tag
Never install ssh server in docker images
Docker exec ...
Secure your version control system
Sign commits
2 factors authentication
hardware tokens
Never hard code secrets
docker secret create
docker secret inspect
docker secret ls
docker secret rm
--secret flag for docker service create
--secret-add and --secret-rm flags for docker service update
Be minimal, less vulns
Use only required packages
Use Alpine linux (5 Mb)
instead of Ubuntu(190Mb)
Least priveleges microservices
FROM base-image:tag
adduser -u 1000 -G root default
USER default
&Never use --privileged
Immutable Infrastructure
Thanks
Follow me @asker_amine
Questions