WIP containers
parent
c89ef222d0
commit
acae001b47
4 changed files with 39 additions and 1 deletions
|
@ -2,7 +2,7 @@
|
||||||
layout: post
|
layout: post
|
||||||
slug: write-up-wargame-ndh-xv
|
slug: write-up-wargame-ndh-xv
|
||||||
status: published
|
status: published
|
||||||
sitemap: false
|
sitemap: true
|
||||||
title: Write-Up Wargame Nuit du Hack XV
|
title: Write-Up Wargame Nuit du Hack XV
|
||||||
description: Les méfaits de The Magic Modbus
|
description: Les méfaits de The Magic Modbus
|
||||||
disqus: true
|
disqus: true
|
||||||
|
|
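Review bot: This hunk flips `sitemap: false` to `sitemap: true` on the unrelated Nuit du Hack XV write-up, but the commit message ("WIP containers") says nothing about it. Either split the sitemap change into its own commit or mention it in the message so the publishing change is not buried in a work-in-progress commit.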
38
_posts/2017-08-22-hardening-lxc-containers.md
Normal file
|
@ -0,0 +1,38 @@
|
||||||
|
---
|
||||||
|
layout: post
|
||||||
|
slug: hardening-lxc-containers-running-systemd
|
||||||
|
status: draft
|
||||||
|
sitemap: true
|
||||||
|
title: Hardening LXC containers running systemd
|
||||||
|
description: Especially with systemd in the equation
|
||||||
|
disqus: false
|
||||||
|
categories:
|
||||||
|
tags:
|
||||||
|
- security
|
||||||
|
- linux
|
||||||
|
- containers
|
||||||
|
---
|
||||||
|
|
||||||
|
[![LXC Logo](/assets/images/posts/harden-container.jpg)](https://www.flickr.com/photos/mr-rollers/32972266123/)
|
||||||
|
<div style="font-size: 12px; text-align:center; margin-top:-20px">
|
||||||
|
*By Mr. Rollers. License CC BY-NC-ND 2.0*
|
||||||
|
</div>
|
||||||
|
|
||||||
|
|
||||||
|
Hardening Linux Containers, and more especially [LXC containers](https://linuxcontainers.org/fr/lxc/introduction/), is needed to prevent a malicious user to escape your container. But before starting, we need to understand how containers work under the hood.
|
||||||
|
|
||||||
|
As said by Jessie Frazelle in her blog post [Setting the Record Straight: containers vs. Zones vs. Jails vs. VMs](https://blog.jessfraz.com/post/containers-zones-jails-vms/), containers in Linux are not a top level design like Zone in Solaris and Jails in BSD.
|
||||||
|
|
||||||
|
> A "container" is just a term people use to describe a combination of Linux namespaces and cgroups. Linux namespaces and cgroups ARE first class objects. NOT containers.
|
||||||
|
|
||||||
|
In this article, we'll discuss the different "primitives" exposed by the Linux kernel like *namespaces*, *cgroups*, *Linux Security Modules*, *capabilities* and *seccomp*. Our container tool like LXC or Docker, which is a user space binary, will interact with these primitives. We'll see that we can interact with them through the LXC configuration file to improve (or worsen) the security of our LXC container.
|
||||||
|
|
||||||
|
The challenge when it comes to hardening a LXC container, compared to other solutions, is that there is a great probability that you'll run systemd in your container. And systemd heavily uses the primitives quoted before. Especially, systemd rely on *cgroups* to handle its services. We can also mention that many systemd daemon will be provided with a configuration that need to interact with the *capabilities*.
|
||||||
|
|
||||||
|
If you feel a bit lost with all these terms, a good start is the reading of this whitepaper by the NCCGroup: [Understanding and Hardening Linux Containers](https://www.nccgroup.trust/us/our-research/understanding-and-hardening-linux-containers/). This post is also inspired by the article written by Christian Seiler, [LXC containers without CAP\_SYS\_ADMIN under Debian Jessie](https://blog.iwakd.de/lxc-cap_sys_admin-jessie), but we'll see that, due to evolutions in the Linux kernel, the proposed configuration does not work anymore out of the box.
|
||||||
|
|
||||||
|
## Creating a standard LXC container
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
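Review bot: The front matter leaves `categories:` with no value, which YAML parses as null, and the image alt text says "LXC Logo" while the linked file is `harden-container.jpg` (the CC BY-NC-ND photo credited to Mr. Rollers); the `harden-lxc-logo.png` added in this same commit is never referenced. Either fill in or drop `categories:`, and point the alt text (or the `src`) at the asset it actually describes. Smaller wording issues in the body: "prevent a malicious user to escape" should read "prevent a malicious user from escaping", "a LXC container" should be "an LXC container", "systemd rely on" should be "systemd relies on", and "many systemd daemon will be provided with a configuration that need" should be "many systemd daemons ship with a configuration that needs". The introduction link to LXC points at the French page (`/fr/lxc/introduction/`) on an English post. The file ends with the heading "## Creating a standard LXC container" and no content beneath it, which is consistent with `status: draft`, but it may be worth noting in the commit message that the post is intentionally incomplete.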
BIN
assets/images/posts/harden-container.jpg
Normal file
Binary file not shown.
After Width: | Height: | Size: 176 KiB |
BIN
assets/images/posts/harden-lxc-logo.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 9.8 KiB |