Understanding and Hardening Linux Containers
Docker, LXC, CoreOS Rkt and other container platforms are beginning to change how Linux applications are deployed and even how data centers are architected. These platforms offer security isolation and application containment while improving resource efficiency over full virtual machines. In general, this operating system virtualization via Linux Containers is an attractive feature for efficiency, speed and modern application deployment, however many would-be adopters continue to question the security of these technologies or platforms. Linux containers offer segmentation via kernel namespaces, resource control via cgroups and are often secured through reduced root capabilities, Mandatory Access Control and user namespaces.
Our recently-posted whitepaper starts off exploring the various motivations behind Linux containers and how they contrast with more traditional hardware virtualization on modern general purpose CPUs. The whitepaper then explores Linux namespaces, cgroups, and capabilities in depth, listing example use and illustrating potential risks. Next is an in-depth discussion of the various threats to any container deployment, either container to host attacks, cross-container attacks,and other potential threats to any container deployment, regardless of size. To counter these threats and add future defense in depth, this whitepaper also includes an exploration of key security features such as user namespaces, seccomp-bpf and Mandatory Access Control. While these features are often discussed as they relate to containers, the protections can be applied to any Linux application, regardless of container deployment.
After exploring container basics, threats, and security features, an overview of Docker, LXC and CoreOS Rkt is included. This overview covers the container solution background, key components and includes a brief security analysis of each platform. This section ends by contrasting different container defaults, before enumerating various security recommendations to counter weaknesses (both in general for any container platform, and specifically for LXC, Docker and CoreOS Rkt). These configuration tweaks, security actions, strategies and recommendations help establish hardened Linux containers and adding defense in depth to any application deployment. To conclude, a number of future related technologies are briefly explored such as unikernels, microservices and other container platforms, this also includes a discussion of hybrid container/hardware virtualization using minimal hypervisors.
NCC Group continues to perform a large number of engagements assessing the security of container platforms, container deployments, Linux application hardening, cloud penetration testing, PaaS testing and related application security. Repeated and similar security findings across a number of different size clients, in addition to a general lack of industry knowledge on container security contributed greatly to the author's motivation for this whitepaper. Before deploying any type of containers, explaining what security features or risks are involved with each platform can also help users, teams or enterprises helpfully decide what works best while allowing for the highest security.
Published date:  20 April 2016
Written by:  Aaron Grattafiori