coelner/hacktricks
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

GitBook: [master] 423 pages modified

Browse Source
This commit is contained in:
CPol 2021-01-04 12:13:07 +00:00 committed by gitbook-bot
parent c24979fc08
commit d5150468a1
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
1 changed files with 66 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
pentesting/2375-pentesting-docker.md
View File

@ -219,7 +219,26 @@ cat /mnt/etc/shadow
If you are inside a host that is using docker, you may [**read this information to try to elevate privileges**](../linux-unix/privilege-escalation/#writable-docker-socket).
## Securing your Dockerfiles
## Securing your Docker
### Securing Docker installation and usage
* You can use the tool [https://github.com/docker/docker-bench-security](https://github.com/docker/docker-bench-security) to inspect your current docker installation.
* `./docker-bench-security.sh`
* You can use the tool [https://github.com/kost/dockscan](https://github.com/kost/dockscan) to inspect your current docker installation.
* `dockscan -v unix:///var/run/docker.sock`
* You can use the tool [https://github.com/genuinetools/amicontained](https://github.com/genuinetools/amicontained) the privileges a container will have when run with different security options. This is useful to know the implications of using some security options to run a container:
* `docker run --rm -it r.j3ss.co/amicontained`
* `docker run --rm -it --pid host r.j3ss.co/amicontained`
* `docker run --rm -it --security-opt "apparmor=unconfined" r.j3ss.co/amicontained`
### Securing Docker Images
* You can use a docker image of [https://github.com/quay/clair](https://github.com/quay/clair) to make it scan your other docker images and find vulnerabilities.
* `docker run --rm -v /root/clair_config/:/config -p 6060-6061:6060-6061 -d clair -config="/config/config.yaml"`
* `clair-scanner -c http://172.17.0.3:6060 --ip 172.17.0.1 ubuntu-image`
### Securing Dockerfiles
* You can use the tool [https://github.com/buddy-works/dockerfile-linter](https://github.com/buddy-works/dockerfile-linter) to **inspect your Dockerfile** and find all kinds of misconfigurations. Each misconfiguration will be given an ID, you can find here [https://github.com/buddy-works/dockerfile-linter/blob/master/Rules.md](https://github.com/buddy-works/dockerfile-linter/blob/master/Rules.md) how to fix each of them.
* `dockerfilelinter -f Dockerfile`
@ -241,3 +260,49 @@ If you are inside a host that is using docker, you may [**read this information
![](../.gitbook/assets/image%20%28424%29.png)
### Logging Suspicious activity
* You can use the tool [https://github.com/falcosecurity/falco](https://github.com/falcosecurity/falco) to detect **suspicious behaviour in running containers**.
* Note in the following chunk how **Falco compiles a kernel module and insert it**. After that, it loads the rules and **start logging suspicious activities**. In this case it has detected 2 privileged containers started, 1 of them with a sensitive mount, and after some seconds it detected how a shell was opened inside one of the containers.
```text
docker run -it --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro falco
* Setting up /usr/src links from host
* Unloading falco-probe, if present
* Running dkms install for falco
Kernel preparation unnecessary for this kernel. Skipping...
Building module:
cleaning build area......
make -j3 KERNELRELEASE=5.0.0-20-generic -C /lib/modules/5.0.0-20-generic/build M=/var/lib/dkms/falco/0.18.0/build.............
cleaning build area......
DKMS: build completed.
falco-probe.ko:
Running module version sanity check.
modinfo: ERROR: missing module or filename.
- Original module
- No original module exists within this kernel
- Installation
- Installing to /lib/modules/5.0.0-20-generic/kernel/extra/
mkdir: cannot create directory '/lib/modules/5.0.0-20-generic/kernel/extra': Read-only file system
cp: cannot create regular file '/lib/modules/5.0.0-20-generic/kernel/extra/falco-probe.ko': No such file or directory
depmod...
DKMS: install completed.
* Trying to load a dkms falco-probe, if present
falco-probe found and loaded in dkms
2021-01-04T12:03:20+0000: Falco initialized with configuration file /etc/falco/falco.yaml
2021-01-04T12:03:20+0000: Loading rules from file /etc/falco/falco_rules.yaml:
2021-01-04T12:03:22+0000: Loading rules from file /etc/falco/falco_rules.local.yaml:
2021-01-04T12:03:22+0000: Loading rules from file /etc/falco/k8s_audit_rules.yaml:
2021-01-04T12:03:24+0000: Starting internal webserver, listening on port 8765
2021-01-04T12:03:24.646959000+0000: Notice Privileged container started (user=<NA> command=container:db5dfd1b6a32 laughing_kowalevski (id=db5dfd1b6a32) image=ubuntu:18.04)
2021-01-04T12:03:24.664354000+0000: Notice Container with sensitive mount started (user=<NA> command=container:4822e8378c00 xenodochial_kepler (id=4822e8378c00) image=ubuntu:modified mounts=/:/host::true:rslave)
2021-01-04T12:03:24.664354000+0000: Notice Privileged container started (user=root command=container:4443a8daceb8 focused_brahmagupta (id=4443a8daceb8) image=falco:latest)
2021-01-04T12:04:56.270553320+0000: Notice A shell was spawned in a container with an attached terminal (user=root xenodochial_kepler (id=4822e8378c00) shell=bash parent=runc cmdline=bash terminal=34816 container_id=4822e8378c00 image=ubuntu)
```