Contents

Cover
Title Page
Introduction
  Meeting the Challenge
  A Few Conventions
  Companion Download Files
  How to Contact the Publisher

Part I: Container and Orchestrator Security
  Chapter 1: What Is A Container?
    Common Misconceptions
    Container Components
    Kernel Capabilities
    Other Containers
    Summary
  Chapter 2: Rootless Runtimes
    Docker Rootless Mode
    Running Rootless Podman
    Summary
  Chapter 3: Container Runtime Protection
    Running Falco
    Configuring Rules
    Summary
  Chapter 4: Forensic Logging
    Things to Consider
    Salient Files
    Breaking the Rules
    Key Commands
    The Rules
    Parsing Rules
    Monitoring
    Ordering and Performance
    Summary
  Chapter 5: Kubernetes Vulnerabilities
    Mini Kubernetes
    Options for Using kube-hunter
    Container Deployment
    Inside Cluster Tests
    Minikube vs. kube-hunter
    Getting a List of Tests
    Summary
  Chapter 6: Container Image CVEs
    Understanding CVEs
    Trivy
    Exploring Anchore
    Clair
    Summary

Part II: DevSecOps Tooling
  Chapter 7: Baseline Scanning (or, Zap Your Apps)
    Where to Find ZAP
    Baseline Scanning
    Scanning Nmap's Host
    Adding Regular Expressions
    Summary
  Chapter 8: Codifying Security
    Security Tooling
    Installation
    Simple Tests
    Example Attack Files
    Summary
  Chapter 9: Kubernetes Compliance
    Mini Kubernetes
    Using kube-bench
    Troubleshooting
    Automation
    Summary
  Chapter 10: Securing Your Git Repositories
    Things to Consider
    Installing and Running Gitleaks
    Installing and Running GitRob
    Summary
  Chapter 11: Automated Host Security
    Machine Images
    Idempotency
    Secure Shell Example
    Kernel Changes
    Summary
  Chapter 12: Server Scanning With Nikto
    Things to Consider
    Installation
    Scanning a Second Host
    Running Options
    Command-Line Options
    Evasion Techniques
    The Main Nikto Configuration File
    Summary

Part III: Cloud Security
  Chapter 13: Monitoring Cloud Operations
    Host Dashboarding with NetData
    Cloud Platform Interrogation with Komiser
    Summary
  Chapter 14: Cloud Guardianship
    Installing Cloud Custodian
    More Complex Policies
    IAM Policies
    S3 Data at Rest
    Generating Alerts
    Summary
  Chapter 15: Cloud Auditing
    Runtime, Host, and Cloud Testing with Lunar
    AWS Auditing with Cloud Reports
    CIS Benchmarks and AWS Auditing with Prowler
    Summary
  Chapter 16: AWS Cloud Storage
    Buckets
    Native Security Settings
    Automated S3 Attacks
    Storage Hunting
    Summary

Part IV: Advanced Kubernetes and Runtime Security
  Chapter 17: Kubernetes External Attacks
    The Kubernetes Network Footprint
    Attacking the API Server
    Attacking etcd
    Attacking the Kubelet
    Summary
  Chapter 18: Kubernetes Authorization with RBAC
    Kubernetes Authorization Mechanisms
    RBAC Overview
    RBAC Gotchas
    Auditing RBAC
    Summary
  Chapter 19: Network Hardening
    Container Network Overview
    Restricting Traffic in Kubernetes Clusters
    CNI Network Policy Extensions
    Summary
  Chapter 20: Workload Hardening
    Using Security Context in Manifests
    Mandatory Workload Security
    PodSecurityPolicy
    PSP Alternatives
    Summary

Index
Copyright
About the Authors
About the Technical Editor
End User License Agreement
List of Tables

Chapter 1
  Table 1.1: Common Container Components
Chapter 2
  Table 2.1: Rootless Mode Limitations and Restrictions
Chapter 4
  Table 4.1: Actions for auditd When Disks Are Filling Up Rapidly
  Table 4.2: The Different Permissions You Can Apply
  Table 4.3: List Options Available for fork and clone Syscalls
  Table 4.4: Options for audit_set_failure
Chapter 5
  Table 5.1: Deployment Methods for kube-hunter
  Table 5.2: Scanning Options That You Can Try in kube-hunter
  Table 5.3: Hunting Modes in kube-hunter
Chapter 6
  Table 6.1: Policy Matching Criteria That Anchore Can Use Within Its Policies
  Table 6.2: The Policies Available from the Policy Hub
Chapter 7
  Table 7.1: ZAP Builds Available via Docker
Chapter 8
  Table 8.1: Using Tags in Gauntlt to Get More or Less Results
Chapter 12
  Table 12.1: Interactive Options for Nikto While It's Running
  Table 12.2: IDS Evasion Capabilities Courtesy of Libwhisker
  Table 12.3: Nikto Offers "Mutation" Technique Options, Too
  Table 12.4: Tuning Options Within Nikto
Chapter 15
  Table 15.1: The Many Areas of Coverage That Lunar Offers
Chapter 16
  Table 16.1: Public Access Settings for S3 Buckets and Objects
  Table 16.2: Ways to List S3 Buckets in S3Scanner
List of Figures

Chapter 1
  Figure 1.1: How virtual machines and containers reside on a host
Chapter 5
  Figure 5.1: The excellent kube-hunter has found Kubernetes components but is...
  Figure 5.2: We need the vulnerability IDs so that we can look up more detail...
  Figure 5.3: Looking up KHV002 in the Knowledge Base offers more detail.
  Figure 5.4: An internal view of Minishift is a slight improvement over k3s's...
Chapter 6
  Figure 6.1: The Common Vulnerability Scoring System
  Figure 6.2: Trivy's assessment of the latest nginx container image
  Figure 6.3: Older versions of images tend to flag more issues, as you'd expe...
  Figure 6.4: Anchore is up, courtesy of Docker Compose.
  Figure 6.5: Only 2 medium-ranked CVEs have been found by Anchore, but 52 low...
  Figure 6.6: Harbor has the excellent Clair CVE scanner built-in.
  Figure 6.7: Different scanning results again for the nginx container image
  Figure 6.8: Harbor lets you inspect the layers of your images with ease.
Chapter 7
  Figure 7.1: A combination of Docker and Webswing means that running ZAP with...
  Figure 7.2: A redacted HTML report from a baseline scan
  Figure 7.3: A trimmed screenshot of the HTML report after scanning Nmap's ho...
Chapter 10
  Figure 10.1: Fine-grained permissions from GitHub via personal access tokens...
  Figure 10.2: GitRob initializing and beginning to scan all repositories belo...
Chapter 11
  Figure 11.1: The Ansible directory structure, courtesy of the tree command
Chapter 12
  Figure 12.1: Even an HTTP 403 is revealing.
Chapter 13
  Figure 13.1: The start of the Netdata installation process
  Figure 13.2: Netdata has completed its installation successfully.
  Figure 13.3: The top of the dashboard
  Figure 13.4: Networking information showing the docker0 network interface
  Figure 13.5: The cpuidle dashboard to show how quiet your CPU cores are
  Figure 13.6: Temperature metrics can be useful for on-premises hosts that ha...
  Figure 13.7: The splash screen for Komiser made available by our container
  Figure 13.8: A billing summary per-service plus outstanding support tickets...
  Figure 13.9: Checking running instances is useful not just for costs but str...
  Figure 13.10: Lambda functions aren't forgotten about in Komiser.
  Figure 13.11: Potentially costly utilized network resource in an AWS region...
Chapter 14
  Figure 14.1: Cloud Custodian courtesy of the Python installation route
  Figure 14.2: In the AWS Console or programmatically, add a tag to an EC2 ins...
  Figure 14.3: Highly permissive EC2 policy for our first test policy in Cloud...
  Figure 14.4: We have stopped our instance successfully using a policy.
Chapter 15
  Figure 15.1: Some of the permissions that your user/role will need in AWS, b...
  Figure 15.2: The start of the Cloud Reports build process, courtesy of Node....
  Figure 15.3: The end of the build process
  Figure 15.4: The IAM policy is very permissive, even as read-only, so be sur...
  Figure 15.5: Check your progress via the Last Used column in IAM for your us...
  Figure 15.6: HTML output after using the -f html switch, with the AWS accoun...
  Figure 15.7: A relatively empty region in the AWS account still produced 16 ...
  Figure 15.8: Prowler needs two IAM policies attached to an IAM user or role....
  Figure 15.9: Prowler is firing up and ready to scan a (redacted) AWS account...
Chapter 16
  Figure 16.1: You should only give S3 Read access to S3 Inspector for obvious...
  Figure 16.2: Redacted output from the same results as Listing 16.1, focusing...
  Figure 16.3: The top-level listing in the AWS Console of S3 buckets reminds ...
  Figure 16.4: There are relatively new Edit Public Access Settings options no...
  Figure 16.5: GrayhatWarfare is an excellent resource for learning about stor...
  Figure 16.6: Public files discovered in S3 buckets