WIP 3 LXC hardening

This commit is contained in:
Quentin Dufour 2017-08-22 11:47:44 +02:00
parent 5ac363f2b8
commit eeb89b8cd6
5 changed files with 29 additions and 8 deletions

View file

@ -4,7 +4,7 @@ slug: hardening-lxc-containers-running-systemd
status: draft status: draft
sitemap: true sitemap: true
title: Hardening LXC containers running systemd title: Hardening LXC containers running systemd
description: Especially with systemd in the equation description: An epic trying to drop CAP\_SYS\_ADMIN
disqus: false disqus: false
categories: categories:
tags: tags:
@ -15,10 +15,9 @@ tags:
![A real container](/assets/images/posts/harden-container.jpg) ![A real container](/assets/images/posts/harden-container.jpg)
<div style="font-size: 12px; text-align:center; margin-top:-20px"> <div style="font-size: 12px; text-align:center; margin-top:-20px">
*By [Mr. Rollers](https://www.flickr.com/photos/mr-rollers/32972266123/). License CC BY-NC-ND 2.0* *A container. Photo by [Mr. Rollers](https://www.flickr.com/photos/mr-rollers/32972266123/). CC BY-NC-ND 2.0*
</div> </div>
Hardening Linux Containers, and more especially [LXC containers](https://linuxcontainers.org/fr/lxc/introduction/), is needed to prevent a malicious user to escape your container. But before starting, we need to understand how containers work under the hood. Hardening Linux Containers, and more especially [LXC containers](https://linuxcontainers.org/fr/lxc/introduction/), is needed to prevent a malicious user to escape your container. But before starting, we need to understand how containers work under the hood.
As said by Jessie Frazelle in her blog post [Setting the Record Straight: containers vs. Zones vs. Jails vs. VMs](https://blog.jessfraz.com/post/containers-zones-jails-vms/), containers in Linux are not a top level design like Zone in Solaris and Jails in BSD. As said by Jessie Frazelle in her blog post [Setting the Record Straight: containers vs. Zones vs. Jails vs. VMs](https://blog.jessfraz.com/post/containers-zones-jails-vms/), containers in Linux are not a top level design like Zone in Solaris and Jails in BSD.
@ -35,7 +34,7 @@ If you feel a bit lost with all these terms, a good start is the reading of this
![A factory](/assets/images/posts/harden-factory.jpg) ![A factory](/assets/images/posts/harden-factory.jpg)
<div style="font-size: 12px; text-align:center; margin-top:-20px"> <div style="font-size: 12px; text-align:center; margin-top:-20px">
*By [Thomas Berg](https://www.flickr.com/photos/decafinata/1989725289/). License CC BY-SA 2.0* *A factory building containers ? Photo by [Thomas Berg](https://www.flickr.com/photos/decafinata/1989725289/). CC BY-SA 2.0*
</div> </div>
Before starting, you'll need a very recent version of LXC, at least lxc-2.0.9 (not yet released as of this writing). Fortunately, you can compile it from its master branch. We'll see later why we need a such recent version. Before starting, you'll need a very recent version of LXC, at least lxc-2.0.9 (not yet released as of this writing). Fortunately, you can compile it from its master branch. We'll see later why we need a such recent version.
@ -64,8 +63,20 @@ sudo lxc-start -n harden -lDEBUG -F
It will launch your container in foreground (so you'll be able to see systemd logs at boot) and it will log many useful informations in the `/var/log/lxc/harden.log` file. It will launch your container in foreground (so you'll be able to see systemd logs at boot) and it will log many useful informations in the `/var/log/lxc/harden.log` file.
## Capabilities: split the root
![Puzzle](/assets/images/posts/harden-puzzle.jpg)
<div style="font-size: 12px; text-align:center; margin-top:-20px">
*The great puzzle of root. Photo by [Kevin Dooley](https://www.flickr.com/photos/pagedooley/14555354976). CC BY 2.0.*
</div>
## cgroups: group your processes ## cgroups: group your processes
![Lions](/assets/images/posts/harden-lions.jpg)
<div style="font-size: 12px; text-align:center; margin-top:-20px">
*A cgroup of lions with parents and children. Photo by [Joel Herzog](https://unsplash.com/@joel_herzog). Unsplash license.*
</div>
[Wikipedia](https://en.wikipedia.org/wiki/Cgroups) proposes the following definition: [Wikipedia](https://en.wikipedia.org/wiki/Cgroups) proposes the following definition:
> cgroups is a Linux kernel feature that limits, accounts for, and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes. > cgroups is a Linux kernel feature that limits, accounts for, and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes.
@ -87,12 +98,22 @@ Michael Kerrisk wrote an interesting [serie of articles about namespaces](https:
At first glance, namespaces handle could appear trivial in LXC: every available namespaces are used and that's all. At first glance, namespaces handle could appear trivial in LXC: every available namespaces are used and that's all.
## Seccomp ## Seccomp: filter your syscalls
## Capabilities: split the root ![Barriers](/assets/images/posts/harden-barrier.jpg)
<div style="font-size: 12px; text-align:center; margin-top:-20px">
*The seccomp barrier protects the access to the kernel. Photo by [Mike Wilson](https://unsplash.com/@mkwlsn). Unsplash license.*
</div>
## Linux Security Modules (LSM) ## LSM: mandatory access control
![Top Secret](/assets/images/posts/harden-secret.jpg)
<div style="font-size: 12px; text-align:center; margin-top:-20px">
*Back to the origin. Photo by [Michelangelo Carrieri](https://www.flickr.com/photos/malakhkelevra/4951863053). CC BY-ND 2.0*
</div>
## Other ## Other
prlimit ### prlimit
### /dev

Binary file not shown.

After

Width:  |  Height:  |  Size: 180 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 227 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 374 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 228 KiB