Containerization and Orchestration

TODO: Some of this belongs in defense

Containers

• HackTricks - Docker Breakout / Privilege Escalation
• dockle
  • Container image auditor
• dive
  • Explore each layer in Docker image
• dockerscan
  • Docker security analysis/hacking tools
• CDK
  • Make security testing of K8s, Docker, and Containerd easier
• amicontainerd
  • Container introspection tool
• deepce
  • Docker Enumeration, Escalation of Privileges and Container Escapes
• grype
  • Vulnerability scanner for container images and filesystems
• Distroless Container Images
  • Very, very minimal container OS
• Docker API RCE.py
  • Python script that uses the Docker API to get a shell on a remote host

Kubernetes

• kubectl Cheat Sheet
• kind (Kubernetes in Docker)
  • Spin up a Kubernetes cluster within Docker
  • Makes lab creation way simpler
• audit2rbac
  • Autogenerate RBAC based on audit logs
• peirates
  • Kubernetes attack tool
  • Can be manual or automated
• kyverno
  • Policy management
• Open Policy Agent
  • Policy management via the rego language
• kube2iam
  • AWS IAM cred provider for containers (basically provides better segmentation)
• kiam
  • Integrate K8s with AWS IAM
• k8s-metadata-proxy
  • Proxy for serving concealed metadata to containers in GCE VM
• kube-bench
  • Audit K8s compliance with CIS benchmarks
• trivy
  • Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
  • Older version: kube-hunter
• rbac-police
  • Evaluate RBAC perms of SAs, nodes, and pods via rego policies
• popeye
  • Cluster resource/config scanner
  • Checks what's running, not what's on disk

Resources

• The Use of Name Spaces in Plan 9
  • Interesting historical tidbit about the development of namespaces + early ideas around containerization
  • More about the system itself: Plan 9 from Bell Labs
• DEF CON Cloud Village and Black Hat USA: See New Unit 42 Cloud Research

Docker

• Protect the Docker daemon socket
  • To avoid malicious use of Docker itself, make sure the socket is locked down appropriately
• Abusing access to mount namespaces through /proc/pid/root
• Why is Exposing the Docker Socket a Really Bad Idea?
• Anatomy of a hack: Docker Registry
  • Security concerns related to Docker registries
• Project Zero - Who Contains the Containers?
  • Windows privesc
• GitHub - lockfale/Malicious_Containers_Workshop: Workshop resources and materials for Workshop presented at DefCon and other security conferences - Creating and Uncovering Malicious Containers
• Application Container Security Guide

Kubernetes

• Kubernetes Privilege Escalation: Excessive Permissions in Popular Platforms
  • Vulnerability in Azure service fabric
• Kubernetes Hardening Guidance
  • NOTE: This link will die whenever the guidance is updated. Look up "DoD Kubernetes Hardening Guide" or "CTR_KUBERNETESHARDENINGGUIDANCE" if you need the latest one.
• A Complete Kubernetes Config Review Methodology - Security Café