mirror of
https://github.com/kai5263499/awesome-container-security.git
synced 2024-10-01 05:35:38 -04:00
Awesome list of resources related to container security
A collection of container-related security resources
Image
Understanding and Hardening Linux Containers
- The "War and Peace" of container security
Security Assurance Requirements for Linux Application Container Deployments
- NIST (Department of Commerce) guidance on container security
Dramatically Reducing Software Vulnerabilities
- NIST guidance on reducing software vulnerabilities
CoreOS Clair
- Utility from CoreOS for automated vulnerability analysis of container images
- Clair: The Container Image Security Analyzer (by Joey Schorr & Quentin Machu) - Presentation about the Clair platform
- A more polished presentation of Clair at CoreOS Fest 2016
OpenSCAP Container Compliance
- Utility for aiding in compliance checks against a container
Actuary
- Automated security profiling for Docker images
- drydock - Inspired by docker-bench-security, with the ability to apply custom security profiles
- Docker bench security - One of the first security linting utilities for Docker
Buildah
- Introduction
- Tool for building OCI/Docker images without a Docker daemon
Packer
- Packer builds Docker containers without the use of Dockerfiles. By not using Dockerfiles, Packer is able to provision containers with portable scripts or configuration management systems that are not tied to Docker in any way. It also has a simple mental model: you provision containers much the same way you provision a normal virtualized or dedicated server.
LinuxKit
- A toolkit for building custom minimal, immutable Linux distributions
Grafeas
- An open-source API to audit and govern your software supply chain
Atomic Reactor
- Python library that extends docker build. It's part of the Red Hat Atomic project, so it's rather opinionated
Containers Internals Lab
- A series of exercises that provide a deep dive into the internals of containers. Also has a good SELinux training component
Anchore
- Free image scanning service with a commercial offering similar to Docker Cloud
Alpine CVE Check
- Specialized CVE scanner
Protect Your Docker Containers Against Shellshock
- Most base images have patched Shellshock, but it's still a good exercise for thinking about how to mitigate similar attacks in the future
Banyan Collector: A framework to peek inside containers
- Framework for peering inside docker images. Useful for rolling your own image scanning system
Commercial solutions
- Project Atomic - RedHat's complete container solution with strong built-in security
- Black Duck Software
- Docker Cloud - Continuous scanning of images along with a trust mechanism
- Tenable - Includes FlawCheck
- grsecurity - Hardened Linux kernel patchset; hardening at the host-kernel level rather than an image tool
- Aqua - Full lifecycle container security management platform
- LayeredInsight - Continuous container scanning and auditing
Networking
Cilium
- Network policy enforcement based on eBPF
- Cilium - Container Security and Networking Using BPF and XDP - Thomas Graf, Covalent - Presentation of Cilium by its creator
Linux Monitoring at Scale with eBPF (Brendan Gregg & Alex Maestretti)
- BSidesSF 2017 talk about container monitoring at Netflix using eBPF
Calico
- Network policy enforcement; Calico runs its own BGP-routed networking, and the Canal project pairs its policy engine with Flannel's overlay
Kube2IAM
- Apply Amazon Identity Management roles to Kubernetes Pods
Trireme
- SDN application segmentation
Envoy
- Service proxy created at Lyft; run as a sidecar it terminates TLS and enforces per-service policy
Scope
- Weave Scope: real-time topology and metrics gathering across the cluster
Segment Routing in Container Networks
- Research paper on a practical implementation of segment routing in a container cluster
Whispers in the Hyper-space: High-speed Covert Channel Attacks in the Cloud
- An exploration of covert channels
Commercial solutions
- StackRox - Container security solution with adaptive threat protection
- Netsil - Operations dashboard for Kubernetes
- NeuVector - Continuous network security
- TwistLock - Network activity profiling
Security profiles
bane
- AppArmor profile generator for Docker containers
Container security as explained by the three pigs
SELinux for Mere Mortals
- A gentle introduction to Security Enhanced Linux
SELinux is no Longer an Option
Firejail
- Linux namespaces and seccomp-bpf sandbox. Also works with GUI apps
Docker SELinux Capabilities reference
- A handy list of the Linux capabilities (CAP_*, a separate mechanism from SELinux despite the title) that Docker grants a container by default
Detailed post about SELinux Capabilities
- An SELinux deep dive
What capabilities do I really need in my container?
- Blog post about figuring out what capabilities a container needs
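The capability items above all come down to one question: what does a given container actually hold right now? The kernel answers it in the CapEff/CapBnd lines of /proc/<pid>/status, as a hex bitmask. The script below is an added example, not code from this list or from any linked project; it decodes that mask, names the bits, and flags the all-bits-set case that --privileged produces. The default mask value is what a stock docker run on Linux gives a root process; verify it on your own host.

```shell
#!/bin/sh
# Added example (not from this list or from any linked project): decode the
# CapEff mask the kernel reports in /proc/<pid>/status, so you can see what a
# container actually holds before deciding what to --cap-drop.
# Inside a container:  grep CapEff /proc/1/status   and feed the hex value here.

# Kernel capability bit -> name (numbering from capabilities(7)).
cap_name() {
  case "$1" in
    0) echo cap_chown ;;                1) echo cap_dac_override ;;
    2) echo cap_dac_read_search ;;      3) echo cap_fowner ;;
    4) echo cap_fsetid ;;               5) echo cap_kill ;;
    6) echo cap_setgid ;;               7) echo cap_setuid ;;
    8) echo cap_setpcap ;;              9) echo cap_linux_immutable ;;
    10) echo cap_net_bind_service ;;    11) echo cap_net_broadcast ;;
    12) echo cap_net_admin ;;           13) echo cap_net_raw ;;
    14) echo cap_ipc_lock ;;            15) echo cap_ipc_owner ;;
    16) echo cap_sys_module ;;          17) echo cap_sys_rawio ;;
    18) echo cap_sys_chroot ;;          19) echo cap_sys_ptrace ;;
    20) echo cap_sys_pacct ;;           21) echo cap_sys_admin ;;
    22) echo cap_sys_boot ;;            23) echo cap_sys_nice ;;
    24) echo cap_sys_resource ;;        25) echo cap_sys_time ;;
    26) echo cap_sys_tty_config ;;      27) echo cap_mknod ;;
    28) echo cap_lease ;;               29) echo cap_audit_write ;;
    30) echo cap_audit_control ;;       31) echo cap_setfcap ;;
    32) echo cap_mac_override ;;        33) echo cap_mac_admin ;;
    34) echo cap_syslog ;;              35) echo cap_wake_alarm ;;
    36) echo cap_block_suspend ;;       37) echo cap_audit_read ;;
    38) echo cap_perfmon ;;             39) echo cap_bpf ;;
    40) echo cap_checkpoint_restore ;;  *) echo "cap_$1" ;;
  esac
}

# Print the capability names set in a hex mask (CapEff, CapBnd, ...), one per line.
cap_decode() {
  mask=$(( 0x$1 ))
  i=0
  while [ "$i" -le 40 ]; do
    [ $(( (mask >> i) & 1 )) -eq 1 ] && cap_name "$i"
    i=$(( i + 1 ))
  done
  return 0
}

# Number of set bits: a rough "how much privilege" score.
cap_count() { cap_decode "$1" | wc -l | tr -d ' '; }

# yes/no: does mask $1 contain capability $2 (lower-case name)?
has_cap() {
  if cap_decode "$1" | grep -qx "$2"; then echo yes; else echo no; fi
}

# All 41 bits set is what --privileged gives you: the full bounding set.
# Treat that as "not a least-privilege container", whatever the image claims.
is_full_set() {
  if [ "$(cap_count "$1")" -eq 41 ]; then echo yes; else echo no; fi
}

# Docker's default effective set for a root process in an unprivileged
# container (value taken from a stock `docker run` on Linux; verify on yours).
DOCKER_DEFAULT_CAPEFF=00000000a80425fb
# Full set on a current kernel (bits 0..40): what --privileged hands out.
FULL_CAPEFF=000001ffffffffff

# Walk-through: show the default, then the least-privilege shape for a web
# server that only needs to bind port 80. The matching run line would be:
#   docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE --security-opt=no-new-privileges ...
main() {
  echo "Docker default ($(cap_count "$DOCKER_DEFAULT_CAPEFF") caps):"
  cap_decode "$DOCKER_DEFAULT_CAPEFF"
  echo "default includes cap_sys_admin: $(has_cap "$DOCKER_DEFAULT_CAPEFF" cap_sys_admin)"
  echo "privileged mask is the full set: $(is_full_set "$FULL_CAPEFF")"
  if [ -r /proc/self/status ]; then
    live=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
    echo "this process ($live): $(cap_count "$live") caps, full set: $(is_full_set "$live")"
  fi
}

main "$@"
```

Compare the decoded default against what the workload really uses (strace for the syscalls, then the capability each one needs); everything else goes in --cap-drop. A CapBnd that decodes to the full set means someone started the container with --privileged, and no amount of image hardening changes what that process can do to the host.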
Secure Your Containers with this One Weird Trick
- Spoiler: it's using SELinux
Falco
- Open source container security monitoring
Exploits
nsenter
- Not an exploit in itself: nsenter joins another process's namespaces, so from a --privileged container that shares the host PID namespace it gives a shell on the host (the classic `nsenter -t 1 -m -u -i -n sh`)
Dirty COW
- CVE-2016-5195
- Privilege escalation vulnerability in Linux kernel
- Proofs of concept
- Dirty COW and why lying is bad even if you are the Linux kernel
Docker CVE List
- List of known security vulnerabilities for Docker
Three Overlooked Lessons about Container Security
- Outlines an interesting spear-phishing attack on image maintainers
Don't expose the Docker socket
- Exploration of what an attacker could do with access to the Docker daemon
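A mounted Docker socket is worth checking for directly, because the daemon will happily start a privileged container with the host root bind-mounted for anyone who can write to it. The script below is an added example, not code from this list or from the linked post: it scans a mountinfo table for docker.sock bind mounts and reports whether the current user can write to the socket. The sample mount table is constructed (ids and device numbers made up) to look like what a container started with `-v /var/run/docker.sock:/var/run/docker.sock` sees.

```shell
#!/bin/sh
# Added example, not from the list or the linked post: audit a container for an
# exposed Docker socket. A process that can reach the daemon can ask it for a
# privileged container with / bind-mounted, which is root on the host, so a
# mounted socket is a finding in itself, whatever the image does.

# Print every mount point in mountinfo-formatted input (stdin) whose target
# ends in docker.sock. In /proc/<pid>/mountinfo, field 5 is the mount point.
socket_mounts() {
  awk '$5 ~ /docker\.sock$/ { print $5 }'
}

# Verdict for one mountinfo table on stdin: "exposed" or "clean".
socket_verdict() {
  if [ -n "$(socket_mounts)" ]; then echo exposed; else echo clean; fi
}

# For a socket path on this system: can the current user write to it?
# Writable means full daemon control; a socket you cannot write to is of no
# use to an attacker running as you. Prints "writable", "present" or "absent".
socket_access() {
  if [ -w "$1" ]; then echo writable
  elif [ -e "$1" ]; then echo present
  else echo absent
  fi
}

# Constructed sample (ids and device numbers made up): roughly what
#   docker run -v /var/run/docker.sock:/var/run/docker.sock ...
# leaves in the container's /proc/self/mountinfo.
SAMPLE_MOUNTINFO='621 599 0:57 / / rw,relatime - overlay overlay rw
622 621 0:60 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
640 621 8:1 /var/run/docker.sock /var/run/docker.sock rw,relatime - ext4 /dev/sda1 rw'

# What the socket lets an attacker do (the linked post's point), for reference only:
#   docker -H unix:///var/run/docker.sock run --rm -it -v /:/host alpine chroot /host sh
# The fix is not to mount it; if a build job genuinely needs daemon access, put
# a proxy that allowlists specific API endpoints between the job and the socket.

main() {
  echo "sample table: $(printf '%s\n' "$SAMPLE_MOUNTINFO" | socket_verdict)"
  if [ -r /proc/self/mountinfo ]; then
    echo "this process: $(socket_verdict < /proc/self/mountinfo)"
    for s in $(socket_mounts < /proc/self/mountinfo); do
      echo "  $s: $(socket_access "$s")"
    done
  fi
}

main "$@"
```

Run it as the user the application runs as, not as root; the useful answer is whether that user can write to the socket. The same mountinfo scan works from an image-scanning or admission hook if you feed it the container's mount spec instead of a live /proc.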
Docker Scan
- Docker analysis and attack tooling aimed at red teams, as opposed to compliance-style image scanning
Presentations
Introduction to Container Security
GoDaddy's Production Kubernetes Story & Moving Target Defense in Container Envs
Container Security Round Table
Secure Substrate: Least Privilege Container Deployment
A Docker Image Walks Into a Notary
How Secure Are Your Docker Images?
Docker Security Deep Dive - Docker Track
- Securing the image pipeline from creation to delivery
Scaling Application Defense with Intent Based Security - Michael Withrow (Twistlock)
- A security model to match the deployment model of many orchestration utilities
Container Performance Analysis
- Container performance analysis at Netflix. This covers similar material to the BSidesSF talk listed above, together with Evolution of Container Usage at Netflix, which also provides insight into container monitoring, logging, and security at Netflix
Docker Networking in Production at Visa
- Chief Systems Architect Sasi Kannappan describes how Docker is used at Visa
The Golden Ticket- Docker and High Security Microservices - Black Belt Track
Docker Engine Security Cheatsheet
- Collection of resources on hardening your Docker daemon