What if I tell you there is no container, it's just another process running on your machine - Container Security
2020-12-05, 15:05–15:55, Stream 4

Container security is mostly built on existing Linux security mechanisms. In this talk we explore, at a high level, how processes work in Linux and how namespaces, cgroups and capabilities combine to produce what we commonly know as "containers".



Description

The talk is divided into two parts, offensive and defensive security of Linux containers:

Container Offensive Security

Container escapes and privilege escalation using containers, covering:

  • volume mounts
  • host network
  • pid boundary

Container Defensive Security

How to build more secure containers and apply runtime protections:

  • scratch container
  • distroless
  • drop capabilities
  • seccomp
  • AppArmor
  • SELinux