Blog of the Escuela de Educación Secundaria Técnica N 8 de Quilmes
Administrator: Prof. Claudio Enrique Alonso Alvite
26 July 2015    General

Installing Docker on Kali Linux and taking a look at its default security (Docker Bench for Security)


Docker was born in 2013 and is basically a platform for building, distributing and managing Linux applications in containers. It uses the Linux kernel's ability to create isolated environments, like a "chroot on steroids", and does so mainly through:

- cgroups (since kernel 2.6.29), which limit, control and isolate the resource usage (CPU, memory, disk I/O, network, etc.) of a set of processes.
- namespaces, which "wrap" the processes of an isolated instance in their own namespaces so they are abstracted from the global resources.

Recent versions have introduced drivers and a library called libcontainer, which helps make Docker fully cross-platform, with support for Windows and Mac OS X and even various cloud services:


https://docs.docker.com/installation/

Why is Docker so cool?

Think about it: why spin up a virtual machine to run a given application when we can simply do it from a container on our operating system in a much more transparent, faster and lighter way?

Docker also simplifies the deployment and distribution of applications. Imagine being able to have the whole environment for the application and publish any changes easily, as well as doing the entire production deployment in a fairly easy and professional way.

The advantages are clear, and that is why Docker is so popular. The use of containers is spreading little by little, and more and more across the IT community, so we too are going to start using Docker and some interesting containers...


Installing and warming up the engines...

We start by installing it on Kali x64. One command and done:

curl -sSL https://get.docker.io/ubuntu/ | sudo sh

Now we check that it installed correctly:

# docker version
Client version: 1.7.1
Client API version: 1.19
Go version (client): go1.4.2
Git commit (client): 786b29d
OS/Arch (client): linux/amd64
Server version: 1.7.1
Server API version: 1.19
Go version (server): go1.4.2
Git commit (server): 786b29d
OS/Arch (server): linux/amd64


And we launch Docker Bench for Security, a script that checks a dozen best practices for deploying Docker containers in production. The tests are automated and inspired by the CIS Docker 1.6 Benchmark:

root@kali:~/docker-bench-security# docker run -it --net host --pid host --cap-add audit_control \
>     -v /var/lib:/var/lib \
>     -v /var/run/docker.sock:/var/run/docker.sock \
>     -v /usr/lib/systemd:/usr/lib/systemd \
>     -v /etc:/etc --label docker-bench-security \
>     docker-bench-security
# ------------------------------------------------------------------------------
# Docker Bench for Security v1.0.0
#
# Docker, Inc. (c) 2015
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker 1.6 Benchmark:
# https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf
# ------------------------------------------------------------------------------

Initializing Thu Jul 23 01:52:16 CEST 2015


[INFO] 1 - Host Configuration
[WARN] 1.1  - Create a separate partition for containers
[PASS] 1.2  - Use an updated Linux Kernel
[PASS] 1.5  - Remove all non-essential services from the host - Network
[PASS] 1.6  - Keep Docker up to date
[INFO] 1.7  - Only allow trusted users to control Docker daemon
[INFO]      * docker:x:999:
[WARN] 1.8  - Failed to inspect: auditctl command not found.
[WARN] 1.9  - Failed to inspect: auditctl command not found.
[WARN] 1.10 - Failed to inspect: auditctl command not found.
[INFO] 1.11 - Audit Docker files and directories - docker-registry.service
[INFO]      * File not found
[INFO] 1.12 - Audit Docker files and directories - docker.service
[INFO]      * File not found
[WARN] 1.13 - Failed to inspect: auditctl command not found.
[INFO] 1.14 - Audit Docker files and directories - /etc/sysconfig/docker
[INFO]      * File not found
[INFO] 1.15 - Audit Docker files and directories - /etc/sysconfig/docker-network
[INFO]      * File not found
[INFO] 1.16 - Audit Docker files and directories - /etc/sysconfig/docker-registry
[INFO]      * File not found
[INFO] 1.17 - Audit Docker files and directories - /etc/sysconfig/docker-storage
[INFO]      * File not found
[WARN] 1.18 - Failed to inspect: auditctl command not found.


[INFO] 2 - Docker Daemon Configuration
[PASS] 2.1  - Do not use lxc execution driver
[WARN] 2.2  - Restrict network traffic between containers
[PASS] 2.3  - Set the logging level
[PASS] 2.4  - Allow Docker to make changes to iptables
[PASS] 2.5  - Do not use insecure registries
[INFO] 2.6  - Setup a local registry mirror
[INFO]      * No local registry currently configured
[WARN] 2.7  - Do not use the aufs storage driver
[PASS] 2.8  - Do not bind Docker to another IP/Port or a Unix socket
[INFO] 2.9  - Configure TLS authentication for Docker daemon
[INFO]      * Docker daemon not listening on TCP
[INFO] 2.10 - Set default ulimit as appropriate
[INFO]      * Default ulimit doesn't appear to be set


[INFO] 3 - Docker Daemon Configuration Files
[INFO] 3.1  - Verify that docker.service file ownership is set to root:root
[INFO]      * File not found
[INFO] 3.2  - Verify that docker.service file permissions are set to 644
[INFO]      * File not found
[INFO] 3.3  - Verify that docker-registry.service file ownership is set to root:root
[INFO]      * File not found
[INFO] 3.4  - Verify that docker-registry.service file permissions are set to 644
[INFO]      * File not found
[INFO] 3.5  - Verify that docker.socket file ownership is set to root:root
[INFO]      * File not found
[INFO] 3.6  - Verify that docker.socket file permissions are set to 644
[INFO]      * File not found
[INFO] 3.7  - Verify that Docker environment file ownership is set to root:root
[INFO]      * File not found
[INFO] 3.8  - Verify that Docker environment file permissions are set to 644
[INFO]      * File not found
[INFO] 3.9  - Verify that docker-network environment file ownership is set to root:root
[INFO]      * File not found
[INFO] 3.10 - Verify that docker-network environment file permissions are set to 644
[INFO]      * File not found
[INFO] 3.11 - Verify that docker-registry environment file ownership is set to root:root
[INFO]      * File not found
[INFO] 3.12 - Verify that docker-registry environment file permissions are set to 644
[INFO]      * File not found
[INFO] 3.13 - Verify that docker-storage environment file ownership is set to root:root
[INFO]      * File not found
[INFO] 3.14 - Verify that docker-storage environment file permissions are set to 644
[INFO]      * File not found
[PASS] 3.15 - Verify that /etc/docker directory ownership is set to root:root
[PASS] 3.16 - Verify that /etc/docker directory permissions are set to 755
[INFO] 3.17 - Verify that registry certificate file ownership is set to root:root
[INFO]      * Directory not found
[INFO] 3.18 - Verify that registry certificate file permissions are set to 444
[INFO]      * Directory not found
[INFO] 3.19 - Verify that TLS CA certificate file ownership is set to root:root
[INFO]      * No TLS CA certificate found
[INFO] 3.20 - Verify that TLS CA certificate file permissions are set to 444
[INFO]      * No TLS CA certificate found
[INFO] 3.21 - Verify that Docker server certificate file ownership is set to root:root
[INFO]      * No TLS Server certificate found
[INFO] 3.22 - Verify that Docker server certificate file permissions are set to 444
[INFO]      * No TLS Server certificate found
[INFO] 3.23 - Verify that Docker server key file ownership is set to root:root
[INFO]      * No TLS Key found
[INFO] 3.24 - Verify that Docker server key file permissions are set to 400
[INFO]      * No TLS Key found
[INFO] 3.25 - Verify that Docker socket file ownership is set to root:docker
[INFO]      * File not found
[INFO] 3.26 - Verify that Docker socket file permissions are set to 660
[INFO]      * File not found


[INFO] 4 - Container Images and Build Files
[WARN] 4.1  - Create a user for the container
[WARN]      * Running as root: 26aa8d74b869


[INFO] 5  - Container Runtime
[WARN] 5.1  - Verify AppArmor Profile, if applicable
[WARN]      * No AppArmorProfile Found: 26aa8d74b869
[WARN] 5.2  - Verify SELinux security options, if applicable
[WARN]      * No SecurityOptions Found: 26aa8d74b869
[WARN] 5.3  - Verify that containers are running only a single main process
[WARN]      * Too many proccesses running: 26aa8d74b869
[PASS] 5.4  - Restrict Linux Kernel Capabilities within containers
[PASS] 5.5  - Do not use privileged containers
[PASS] 5.6  - Do not mount sensitive host system directories on containers
[PASS] 5.7  - Do not run ssh within containers
[PASS] 5.8  - Do not map privileged ports within containers
[PASS] 5.10 - Do not use host network mode on container
[WARN] 5.11 - Limit memory usage for container
[WARN]      * Container running without memory restrictions: 26aa8d74b869
[WARN] 5.12 - Set container CPU priority appropriately
[WARN]      * Container running without CPU restrictions: 26aa8d74b869
[WARN] 5.13 - Mount container's root filesystem as read only
[WARN]      * Container running with root FS mounted R/W: 26aa8d74b869
[WARN] 5.14 - Bind incoming container traffic to a specific host interface
[WARN]      * Port being bound to wildcard IP: 0.0.0.0 in 26aa8d74b869
[PASS] 5.15 - Do not set the 'on-failure' container restart policy to always
[PASS] 5.16 - Do not share the host's process namespace
[PASS] 5.17 - Do not share the host's IPC namespace
[PASS] 5.18 - Do not directly expose host devices to containers
[INFO] 5.19 - Override default ulimit at runtime only if needed
[INFO]      * Container no default ulimit override: 26aa8d74b869


[INFO] 6  - Docker Security Operations
[INFO] 6.5 - Use a centralized and remote log collection service
[INFO]      * Container has no volumes, ensure centralized logging is enabled : 26aa8d74b869
[INFO] 6.6 - Avoid image sprawl
[INFO]      * There are currently: 3 images
[INFO] 6.7 - Avoid container sprawl
[INFO]      * There are currently a total of 2 containers, with 2 of them currently running


As you can see, there are some things to improve; this has only just begun...
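One way to act on a report like the one above, as an added example that is not part of the original post or of the docker-bench-security project: a small POSIX shell script that counts results, extracts the ids of the checks that warned, and maps each one to the daemon or docker run setting that addresses it. The SAMPLE_REPORT excerpt is constructed from the post's own output (the container id 26aa8d74b869 is the one in the post); the function names and the remediation table are this example's own, and the flags named are the Docker 1.x ones (--icc, --user, --memory, --cpu-shares, --read-only, -p with a host address, --security-opt, -s).

```shell
#!/bin/sh
# Added example, not part of the original post: triage a Docker Bench for
# Security report. The report format is the one printed above; SAMPLE_REPORT
# is a constructed excerpt of the post's own run (container id 26aa8d74b869
# is the one that appears in the post).

SAMPLE_REPORT="[INFO] 1 - Host Configuration
[WARN] 1.1  - Create a separate partition for containers
[PASS] 1.2  - Use an updated Linux Kernel
[WARN] 1.8  - Failed to inspect: auditctl command not found.
[INFO] 2 - Docker Daemon Configuration
[WARN] 2.2  - Restrict network traffic between containers
[PASS] 2.3  - Set the logging level
[WARN] 4.1  - Create a user for the container
[WARN]      * Running as root: 26aa8d74b869
[WARN] 5.11 - Limit memory usage for container
[WARN]      * Container running without memory restrictions: 26aa8d74b869
[WARN] 5.13 - Mount container's root filesystem as read only
[WARN]      * Container running with root FS mounted R/W: 26aa8d74b869
[PASS] 5.16 - Do not share the host's process namespace"

# Number of top-level results with the given status, read from stdin.
# Detail lines ("[WARN]      * ...") carry no check id and are not counted.
# Usage: count_status WARN < report
count_status() {
    grep -c "^\[$1\] [0-9]" || true
}

# Print the id (e.g. 5.13) of every check that produced [WARN], one per line.
warn_ids() {
    sed -n 's/^\[WARN\] \([0-9][0-9]*\.[0-9][0-9]*\) .*/\1/p'
}

# Map a check id to the setting that addresses it. Only the checks that
# warned in the post's report are covered; the flags are the Docker 1.x ones.
remediation_for() {
    case "$1" in
        1.1)  echo "host: put /var/lib/docker on its own partition" ;;
        1.8|1.9|1.10|1.13|1.18)
              echo "host: install auditd and add -w rules for the Docker binary and data paths" ;;
        2.2)  echo "daemon: start with --icc=false and allow container links explicitly" ;;
        2.7)  echo "daemon: select a storage driver other than aufs with -s" ;;
        4.1)  echo "image: add a USER instruction, or run with --user <uid>" ;;
        5.1)  echo "run: --security-opt apparmor:<profile>" ;;
        5.3)  echo "image: one service per container; move extra daemons to their own image" ;;
        5.11) echo "run: --memory <limit>" ;;
        5.12) echo "run: --cpu-shares <weight>" ;;
        5.13) echo "run: --read-only (plus -v for the paths that must be writable)" ;;
        5.14) echo "run: -p <host-ip>:<host-port>:<container-port> instead of -p <port>" ;;
        *)    echo "manual review" ;;
    esac
}

# Read a report from stdin and print one "id  remediation" line per WARN.
triage() {
    warn_ids | while read -r id; do
        printf '%-5s %s\n' "$id" "$(remediation_for "$id")"
    done
}

# Stand-alone run over the constructed excerpt.
printf 'WARN: %s  PASS: %s\n' \
    "$(printf '%s\n' "$SAMPLE_REPORT" | count_status WARN)" \
    "$(printf '%s\n' "$SAMPLE_REPORT" | count_status PASS)"
printf '%s\n' "$SAMPLE_REPORT" | triage
```

Saved as bench_triage.sh and sourced into a shell, the functions can be applied to a real run by piping the output of the docker run command above into triage; the "* detail" lines are deliberately skipped, since the check id on the line before them is what identifies the control, and anything the table does not know is reported as "manual review" rather than guessed at.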


Published by alonsoclaudio at 21:07