issue153:mon_opinion1
Differences
Below are the differences between the two revisions of the page.
Next revision | Previous revision | ||
issue153:mon_opinion1 [2020/02/01 17:30] – created by d52fr | issue153:mon_opinion1 [2020/02/04 19:24] (current version) – d52fr | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | There are a number of areas to keep in mind when it comes to securing containers that you have running on your Ubuntu hosts and their workloads. In this article, we’ll have a look at a high-level overview of the key things to bear in mind. We’ll start with a more traditional security approach first and then focus on some of the other pertinent aspects. | + | **There are a number of areas to keep in mind when it comes to securing containers that you have running on your Ubuntu hosts and their workloads. In this article, we’ll have a look at a high-level overview of the key things to bear in mind. We’ll start with a more traditional security approach first and then focus on some of the other pertinent aspects. |
Host Security | Host Security | ||
Line 7: | Line 7: | ||
The usual rules apply when it comes to your host machines. You will need to update packages when they become available, most likely schedule reboots for kernel updates and also ensure that a minimal number of packages are installed to help limit the attack surface. | The usual rules apply when it comes to your host machines. You will need to update packages when they become available, most likely schedule reboots for kernel updates and also ensure that a minimal number of packages are installed to help limit the attack surface. | ||
- | Aside from the time-honoured package updates, you should ensure that only specific network ports are exposed, locally and publicly, and then firewall off all other points of network access. Where possible, rate limiting access to applications, | + | Aside from the time-honoured package updates, you should ensure that only specific network ports are exposed, locally and publicly, and then firewall off all other points of network access. Where possible, rate limiting access to applications, |
- | Limiting Crosstalk | + | One must keep in |
+ | |||
+ | The security of the | ||
+ | |||
+ | If you are fully occupied trying to get your containers running exactly as you want, it is easy to | ||
+ | |||
+ | The usual rules | ||
+ | |||
+ | Besides the well-known package updates, you should make sure that only specific network ports are exposed, locally and publicly, | ||
+ | |||
+ | **Limiting Crosstalk | ||
Another area can be helped significantly with a smattering of common sense and logic. | Another area can be helped significantly with a smattering of common sense and logic. | ||
Line 19: | Line 29: | ||
There are however lots of other containers running on the same host machine which shouldn’t have any visibility of the potentially sensitive database traffic being passed through the database server before being written and stored outside of the container. The recommendation here would be to use a bridge network. By connecting only our two web servers and single database server to that private network, we will successfully limit network access and provide a layer of isolation. | There are however lots of other containers running on the same host machine which shouldn’t have any visibility of the potentially sensitive database traffic being passed through the database server before being written and stored outside of the container. The recommendation here would be to use a bridge network. By connecting only our two web servers and single database server to that private network, we will successfully limit network access and provide a layer of isolation. | ||
- | This means that if another container on the host is attacked and compromised, there are more layers of security for the attacker to break through in order to get access to the database data. | + | This means that if another container on the host is attacked and compromised, there are more layers of security for the attacker to break through in order to get access to the database data.** |
- | Common Vulnerabilities | + | Limiting Crosstalk |
+ | |||
+ | Security in another area can be helped significantly with a little common sense and logic. | ||
+ | |||
+ | Suppose, for example, that you have three containers on a single host, each with a single application that provides some service. I advise you to think carefully about how these containers might interact from the point of view of | ||
+ | |||
+ | Let's look at another scenario where you might have two front-end web servers running in two containers and, also, a single back-end data server. The front-end servers send read and | ||
+ | |||
+ | There are, however, lots of | ||
+ | |||
+ | This means that, if another container on the | ||
+ | |||
+ | **Common Vulnerabilities | ||
The dreaded CVEs (Common Vulnerabilities and Exploits) apply to package updates just as we saw on a host’s Operating System a moment ago and you should monitor CVEs using any of a variety of tools. | The dreaded CVEs (Common Vulnerabilities and Exploits) apply to package updates just as we saw on a host’s Operating System a moment ago and you should monitor CVEs using any of a variety of tools. | ||
Line 29: | Line 51: | ||
The recommendation is to think carefully about what risks affect you the most. Take time to fully understand your priorities and the attack surfaces that you present inwardly and externally. Then think about how realistic updating every package for triggered alerts is and at what frequency. Choosing a tool which can automatically alert you to software updates can be a little daunting as there are a few. One such sophisticated tool which can run from containers itself can be found here (https:// | The recommendation is to think carefully about what risks affect you the most. Take time to fully understand your priorities and the attack surfaces that you present inwardly and externally. Then think about how realistic updating every package for triggered alerts is and at what frequency. Choosing a tool which can automatically alert you to software updates can be a little daunting as there are a few. One such sophisticated tool which can run from containers itself can be found here (https:// | ||
- | As mentioned, not all issues with CVEs can be mitigated against using package manager updates because fixes haven’t been released by vendors. Trade-offs between using alternative base Operating Systems and using alternative applications might be required on occasion. | + | As mentioned, not all issues with CVEs can be mitigated against using package manager updates because fixes haven’t been released by vendors. Trade-offs between using alternative base Operating Systems and using alternative applications might be required on occasion.** |
- | Locking Down Access | + | Common Vulnerabilities |
+ | |||
+ | The dreaded CVEs (Common Vulnerabilities and Exploits) | ||
+ | |||
+ | The | ||
+ | |||
+ | The recommendation is to think carefully about the risks that affect you the most. Take the time to fully understand your priorities as well as the surfaces of | ||
+ | |||
+ | As mentioned, not all CVE problems can be mitigated using the updates offered by the package manager, because the fixes have not been released by the vendors. Trade-offs between | ||
+ | |||
+ | **Locking Down Access | ||
As all containers share the same host kernel on a machine, it’s imperative that suitable isolation is put in place to protect the host. Without the host functioning correctly, ultimately there’s only downtime which means failure to stop a successful attack on one container from performing a “container escape” will mean that other containers, and their applications, | As all containers share the same host kernel on a machine, it’s imperative that suitable isolation is put in place to protect the host. Without the host functioning correctly, ultimately there’s only downtime which means failure to stop a successful attack on one container from performing a “container escape” will mean that other containers, and their applications, | ||
Line 41: | Line 73: | ||
You might want to also read up on Kernel Capabilities – which can achieve all sorts of useful access restrictions. For example, do you really want a container to be able to change the time and date on your host’s system clock? It’s unlikely! | You might want to also read up on Kernel Capabilities – which can achieve all sorts of useful access restrictions. For example, do you really want a container to be able to change the time and date on your host’s system clock? It’s unlikely! | ||
- | Although we’ve only scratched the surface of this topic, you should also make sure that less privileged users can’t start and stop containers with permissions an attacker could abuse. Leave that sort of thing to the “root” superuser alone. | + | Although we’ve only scratched the surface of this topic, you should also make sure that less privileged users can’t start and stop containers with permissions an attacker could abuse. Leave that sort of thing to the “root” superuser alone.** |
- | Orchestration | + | Locking down the |
+ | |||
+ | Since all the containers on one machine share the kernel of the | ||
+ | |||
+ | Over the years, the Linux kernel has introduced many clever techniques for | ||
+ | |||
+ | However, you should know about Kernel Namespaces, which mean that, if all goes well from a security perspective, | ||
+ | |||
+ | You will no doubt also want to read up on kernel capabilities, as they can create all sorts of restrictions on | ||
+ | |||
+ | Although we | ||
+ | |||
+ | |||
+ | **Orchestration | ||
When you’re running more than a few containers at once, it can be a little like herding cats trying to get them all to behave properly. | When you’re running more than a few containers at once, it can be a little like herding cats trying to get them all to behave properly. | ||
Line 55: | Line 100: | ||
Finally for sensitive container scenarios, you can introduce Security Context Constraints (https:// | Finally for sensitive container scenarios, you can introduce Security Context Constraints (https:// | ||
- | You’re encouraged to read further in order to get cluster security working well, amongst a number of other areas. | + | You’re encouraged to read further in order to get cluster security working well, amongst a number of other areas.** |
- | Stronger Isolation | + | Orchestration |
+ | |||
+ | When you run more than a few containers at once, it can be like trying to round up cats and get them to behave. | ||
+ | |||
+ | For large workloads, many people turn to Kubernetes (https:// | ||
+ | |||
+ | In short, you should use an approach of | ||
+ | |||
+ | You should also fine-tune the Pod Security Policies, which apply across the whole | ||
+ | |||
+ | Finally, for sensitive container scenarios, you can introduce Security Context Constraints (https:// | ||
+ | |||
+ | Don't | ||
+ | |||
+ | **Stronger Isolation | ||
Despite a very high level of isolation being possible through a previous Virtual Machine incarnation of “rkt” (https:// | Despite a very high level of isolation being possible through a previous Virtual Machine incarnation of “rkt” (https:// | ||
- | Virtual Machines adopt a hardware level of isolation making attacks much, much harder than just circumventing a host machine’s kernel. By cleverly enforcing that level of isolation, but enjoying the quick start-up times, portability, | + | Virtual Machines adopt a hardware level of isolation making attacks much, much harder than just circumventing a host machine’s kernel. By cleverly enforcing that level of isolation, but enjoying the quick start-up times, portability, |
- | The End Is Nigh | + | Stronger Isolation |
+ | |||
+ | Although a very high level of | ||
+ | |||
+ | Virtual machines adopt isolation at the hardware level, which makes attacks far more difficult than simply circumventing the host machine's kernel. By cleverly enforcing that level of | ||
+ | |||
+ | **The End Is Nigh | ||
We’ve barely scratched the surface in terms of getting into the detail about securing applications in your containers. | We’ve barely scratched the surface in terms of getting into the detail about securing applications in your containers. | ||
- | Hopefully, however, the key areas which we’ve looked at briefly will give you some food for thought about what to read up on further the next time you need to make a decision about how to approach solving a container security problem. | + | Hopefully, however, the key areas which we’ve looked at briefly will give you some food for thought about what to read up on further the next time you need to make a decision about how to approach solving a container security problem.** |
+ | |||
+ | The End Is Nigh | ||
+ | |||
+ | We have barely scratched the surface in terms of | ||
+ | |||
+ | However, I | ||
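
The "Limiting Crosstalk" scenario (two front-end web servers and one database server on a private bridge network) and the "Locking Down Access" advice about kernel capabilities, carried into one added example that is not part of the article: a Docker Compose file. Service names, network names, the host ports and the secret file path are assumptions; the images are placeholders chosen so that every capability can be dropped (the unprivileged nginx variant listens on 8080 and runs as a non-root user, and the official postgres image is started directly as its `postgres` user).

```yaml
# Added example, not from the article. Names, ports and paths are assumed.
services:
  web1:
    image: nginxinc/nginx-unprivileged:stable   # placeholder: non-root nginx on 8080
    networks: [frontend, backend]               # reachable from outside AND can talk to db
    ports: ["8080:8080"]                        # the only port published on the host for web1
    cap_drop: [ALL]                             # no kernel capabilities at all (no clock changes, no raw sockets, ...)
    security_opt: ["no-new-privileges:true"]    # setuid binaries cannot regain privileges
  web2:
    image: nginxinc/nginx-unprivileged:stable
    networks: [frontend, backend]
    ports: ["8081:8080"]
    cap_drop: [ALL]
    security_opt: ["no-new-privileges:true"]
  db:
    image: postgres:12                          # placeholder image
    user: postgres                              # run as the image's unprivileged user from the start
    networks: [backend]                         # on the private network only: other containers on the
                                                # host never see its traffic, and nothing is published
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password   # password read from a mounted secret, not the env
    secrets: [db_password]
    cap_drop: [ALL]
    security_opt: ["no-new-privileges:true"]
    volumes:
      - dbdata:/var/lib/postgresql/data         # data persisted outside the container, as the article describes

networks:
  frontend: {}                                  # ordinary bridge for the public-facing web servers
  backend:
    internal: true                              # bridge with no route to the outside; only web1, web2 and db are attached

volumes:
  dbdata: {}

secrets:
  db_password:
    file: ./db_password.txt                     # placeholder path on the host
```

Any other container on the same host that is not attached to `backend` has no network path to `db`, and because `backend` is `internal`, a compromised web container cannot use it to reach the internet either. Dropping all capabilities is only possible because the images run as non-root users; if you use a root-running image you add back only the capabilities it actually needs (for example `NET_BIND_SERVICE` to listen on port 80) rather than leaving the default set in place.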
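
The Pod Security Policy point in the "Orchestration" section, as an added example that is not the article's own: a restricted PodSecurityPolicy manifest together with the RBAC binding that makes it apply to every service account in one namespace (the policy name, role names and the `web` namespace are assumptions).

```yaml
# Added example, not from the article. Policy, role and namespace names are assumed.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-example
spec:
  privileged: false                    # no privileged containers (they see the host's devices)
  allowPrivilegeEscalation: false      # setuid binaries cannot gain privileges inside the pod
  requiredDropCapabilities: ["ALL"]    # every pod must drop all kernel capabilities
  hostNetwork: false                   # no sharing of the host's network namespace
  hostPID: false                       # ... nor its PID namespace
  hostIPC: false                       # ... nor its IPC namespace
  runAsUser:
    rule: MustRunAsNonRoot             # containers must declare a non-root UID
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]     # no group 0
  fsGroup:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  readOnlyRootFilesystem: true         # container filesystems are read-only; use volumes for writable paths
  volumes:                             # only non-host volume types are allowed
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted-example
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    verbs: ["use"]                     # a PSP only takes effect for subjects allowed to "use" it
    resourceNames: ["restricted-example"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-restricted-example
  namespace: web                       # assumed namespace
roleRef:
  kind: ClusterRole
  name: psp-restricted-example
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: Group
    name: system:serviceaccounts:web   # every service account in the namespace
    apiGroup: rbac.authorization.k8s.io
```

Two checks worth doing before relying on this: confirm the PodSecurityPolicy admission controller is actually enabled on the API server (without it the manifest is accepted but enforces nothing), and confirm no broader policy is bound to the same subjects, since the admission controller picks any policy the subject is allowed to use. PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; on current clusters the same restrictions are applied with the built-in Pod Security Admission `restricted` profile, set per namespace with labels.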
issue153/mon_opinion1.1580574604.txt.gz · Last modified: 2020/02/01 17:30 by d52fr