WIP containers

This commit is contained in:
Quentin Dufour 2017-08-22 09:28:42 +02:00
parent c89ef222d0
commit acae001b47
4 changed files with 39 additions and 1 deletions

View file

@ -2,7 +2,7 @@
layout: post
slug: write-up-wargame-ndh-xv
status: published
sitemap: false
sitemap: true
title: Write-Up Wargame Nuit du Hack XV
description: Les méfaits de The Magic Modbus
disqus: true

View file

@ -0,0 +1,38 @@
---
layout: post
slug: hardening-lxc-containers-running-systemd
status: draft
sitemap: true
title: Hardening LXC containers running systemd
description: Especially with systemd in the equation
disqus: false
categories:
tags:
- security
- linux
- containers
---
[![LXC Logo](/assets/images/posts/harden-container.jpg)](https://www.flickr.com/photos/mr-rollers/32972266123/)
<div style="font-size: 12px; text-align:center; margin-top:-20px">
*By Mr. Rollers. License CC BY-NC-ND 2.0*
</div>
Hardening Linux Containers, and more especially [LXC containers](https://linuxcontainers.org/fr/lxc/introduction/), is needed to prevent a malicious user to escape your container. But before starting, we need to understand how containers work under the hood.
As said by Jessie Frazelle in her blog post [Setting the Record Straight: containers vs. Zones vs. Jails vs. VMs](https://blog.jessfraz.com/post/containers-zones-jails-vms/), containers in Linux are not a top level design like Zone in Solaris and Jails in BSD.
> A "container" is just a term people use to describe a combination of Linux namespaces and cgroups. Linux namespaces and cgroups ARE first class objects. NOT containers.
In this article, we'll discuss the different "primitives" exposed by the Linux kernel like *namespaces*, *cgroups*, *Linux Security Modules*, *capabilities* and *seccomp*. Our container tool like LXC or Docker, which is a user space binary, will interact with these primitives. We'll see that we can interact with them through the LXC configuration file to improve (or worsen) the security of our LXC container.
The challenge when it comes to hardening a LXC container, compared to other solutions, is that there is a great probability that you'll run systemd in your container. And systemd heavily uses the primitives quoted before. Especially, systemd rely on *cgroups* to handle its services. We can also mention that many systemd daemon will be provided with a configuration that need to interact with the *capabilities*.
If you feel a bit lost with all these terms, a good start is the reading of this whitepaper by the NCCGroup: [Understanding and Hardening Linux Containers](https://www.nccgroup.trust/us/our-research/understanding-and-hardening-linux-containers/). This post is also inspired by the article written by Christian Seiler, [LXC containers without CAP\_SYS\_ADMIN under Debian Jessie](https://blog.iwakd.de/lxc-cap_sys_admin-jessie), but we'll see that, due to evolutions in the Linux kernel, the proposed configuration does not work anymore out of the box.
## Creating a standard LXC container

Binary file not shown.

After

Width:  |  Height:  |  Size: 176 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 9.8 KiB