Chap 10 - 01 - Understand Virt Essential Concepts and OS Virt Security - 11_ocred_fax_ocred.pdf


Full Transcript


Certified Cybersecurity Technician Exam 212-82 Virtualization and Cloud Computing

Best Practices for Container Security

Discussed below are various best practices for securing the container environment.

- Regularly monitor the CVEs of the container runtime and remediate if vulnerabilities are detected.
- Employ app-aware tools to monitor container network interfaces, network traffic, and network anomalies.
- Configure applications to run as normal (unprivileged) users to prevent privilege escalation.
- Configure the host's root file system in read-only mode to restrict write access and prevent malware injection attacks.
- Avoid using third-party software, and employ application security scanning tools to protect containers from malicious software.
- Perform regular scanning of the images in the repository to identify vulnerabilities or misconfigurations.
- Deploy application firewalls to enhance container security and prevent threats from entering the environment.
- Ensure authenticated access to registries, including sensitive images and data.
- Use a separate database for each application for greater visibility into individual applications and enhanced data management.

Module 10 Page 1296 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Best Practices for Docker Security

Discussed below are various best practices for securing the Docker environment.

- Avoid exposing the Docker daemon socket, because it is the primary entry point to the Docker API; anyone who can write to the socket can start privileged containers and therefore controls the host.
- Only use trusted Docker images, because images created by malicious users may contain backdoors.
- Regularly patch the host OS and Docker with the latest security updates.
- Limit capabilities by allowing access only to the features the container requires: drop the default capability set and add back only what the application needs.
- Use seccomp syscall filtering and Linux security modules such as AppArmor and SELinux to gain fine-grained control over the processes.
- Limit resources such as memory, CPU, the maximum number of file descriptors, the maximum number of processes, and restarts to prevent DoS attacks.
- Enable read-only mode on filesystems and volumes by setting the --read-only flag (and mounting volumes with the :ro option).
- Set the Docker daemon log level to 'info' and avoid running the Docker daemon at the 'debug' log level.
- The default user for a Docker image is root; configure the container application to run as an unprivileged user to prevent privilege escalation attacks.
- Install only necessary packages to reduce the attack surface.
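The container and Docker rules above are easiest to verify mechanically from a running container's `docker inspect` output, which is also what audit scripts such as Docker Bench for Security (covered later in this section) do. The following is an added example, not course material and not code from Docker Bench for Security: it audits a container description against the rules listed here. The `Config` and `HostConfig` field names are the ones `docker inspect` really emits, but the two JSON documents are constructed by hand and include only the fields the checks read; the container name docker-nginx is reused from Figure 10.20.

```python
"""Audit a container's `docker inspect` output against the hardening rules above.
Added example; the JSON documents below are constructed, not captured."""
import json

# Constructed sample: Docker defaults plus an extra capability, host networking
# and the host's Docker socket bind-mounted into the container.
WEAK_CONTAINER = json.loads("""
{
  "Name": "/docker-nginx",
  "Config": {"User": "", "Healthcheck": null},
  "HostConfig": {
    "Privileged": false, "ReadonlyRootfs": false,
    "CapAdd": ["NET_ADMIN"], "CapDrop": null, "SecurityOpt": null,
    "Memory": 0, "PidsLimit": null,
    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
    "NetworkMode": "host", "PidMode": "", "UsernsMode": ""
  }
}""")

# Constructed sample: the same image started with
#   --user 1000:1000 --read-only --cap-drop ALL --cap-add NET_BIND_SERVICE
#   --security-opt no-new-privileges --memory 256m --pids-limit 100
# plus a HEALTHCHECK in the Dockerfile, no socket mount, default bridge network.
HARDENED_CONTAINER = json.loads("""
{
  "Name": "/docker-nginx",
  "Config": {"User": "1000:1000",
             "Healthcheck": {"Test": ["CMD", "curl", "-f", "http://localhost/"]}},
  "HostConfig": {
    "Privileged": false, "ReadonlyRootfs": true,
    "CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"],
    "SecurityOpt": ["no-new-privileges"],
    "Memory": 268435456, "PidsLimit": 100, "Binds": null,
    "NetworkMode": "bridge", "PidMode": "", "UsernsMode": ""
  }
}""")

# Capabilities that hand the container a path to the host kernel or host files.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN",
                  "DAC_READ_SEARCH", "SYS_RAWIO"}


def _caps(values):
    """Normalise capability names: Docker 20.10+ reports CAP_NET_ADMIN, older NET_ADMIN."""
    out = set()
    for cap in values or []:
        cap = cap.upper()
        out.add(cap[4:] if cap.startswith("CAP_") else cap)
    return out


def audit_container(inspect):
    """Return one finding per violated rule; an empty list means every rule passes."""
    cfg = inspect.get("Config") or {}
    host = inspect.get("HostConfig") or {}
    f = []
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "root", "0"):
        f.append("runs as root: start with --user <uid>:<gid> or set USER in the Dockerfile")
    if host.get("Privileged"):
        f.append("--privileged: all capabilities and device access, no isolation left")
    if not host.get("ReadonlyRootfs"):
        f.append("writable root filesystem: start with --read-only")
    bad = _caps(host.get("CapAdd")) & DANGEROUS_CAPS
    if bad:
        f.append("dangerous capabilities added: " + ",".join(sorted(bad)))
    if "ALL" not in _caps(host.get("CapDrop")):
        f.append("default capability set kept: use --cap-drop ALL and add back only what is needed")
    opts = [o.lower() for o in (host.get("SecurityOpt") or [])]
    if not any(o in ("no-new-privileges", "no-new-privileges:true", "no-new-privileges=true") for o in opts):
        f.append("no-new-privileges unset: setuid binaries inside the container can still gain privileges")
    if any(o in ("seccomp=unconfined", "apparmor=unconfined") for o in opts):
        f.append("default seccomp/AppArmor profile disabled")
    if not host.get("Memory"):
        f.append("no memory limit: set --memory to bound DoS impact")
    if (host.get("PidsLimit") or 0) <= 0:
        f.append("no PIDs limit: set --pids-limit to stop fork bombs")
    for bind in host.get("Binds") or []:
        if bind.split(":")[0].endswith("docker.sock"):
            f.append("Docker socket mounted: the container can drive the daemon and thus the host")
    for key, flag in (("NetworkMode", "--network"), ("PidMode", "--pid"), ("UsernsMode", "--userns")):
        if host.get(key) == "host":
            f.append("shares the host namespace via %s=host" % flag)
    if not cfg.get("Healthcheck"):
        f.append("no HEALTHCHECK: the runtime cannot notice a wedged or tampered service")
    return f


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_CONTAINER), ("hardened", HARDENED_CONTAINER)):
        findings = audit_container(doc)
        print("%s (%s): %d finding(s)" % (doc["Name"], label, len(findings)))
        for line in findings:
            print("  [WARN] " + line)
```

To run the audit against a live container, load the output of `docker inspect <name>` (a one-element JSON list) and pass its first element to `audit_container`. The checks deliberately treat "not configured" the same as "configured insecurely": a missing `PidsLimit`, an empty `SecurityOpt` or an empty `User` each produce a finding, because Docker's defaults are the permissive case.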
Best Practices for Kubernetes Security

Discussed below are various best practices for securing the Kubernetes environment.

- Ensure proper validation of file contents and their paths at every stage of processing.
- Implement a configuration method for credential paths and do not depend on hardcoded paths.
- Raise errors explicitly after each step of a compound operation.
- Use a well-tested JSON library and typed structures for constructing JSON objects.
- Never use compound shell commands without proper validation, because they affect the system state.
- Use centralized libraries to perform common tasks, and use common parsing functions, such as ParsePort, across the codebase to increase code readability.
- Use persistent logs in place of log rotation, so that logs are written in linear order and new logs are created when rotation is required.
- Use a single encoding format for all configuration tasks, because it supports centralized validation.
- Limit the size of manifest files to prevent out-of-memory errors in the kubelet.
- Use kube-apiserver instances that maintain CRLs to check the presented certificates.
- Use a key management service (the KMS encryption provider) to encrypt Secret data at rest. Avoid the aescbc provider, since CBC mode is exposed to padding-oracle attacks, and if the aesgcm provider is used, rotate its keys frequently rather than relying on a long-lived static key.
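The first six items above are coding rules rather than cluster settings, and they are easiest to see in a small piece of code that follows them. The following is an added example, not code from the Kubernetes project (which is written in Go; the ParsePort name is borrowed from the list above). It shows one shared port parser, a compound host:port operation that raises explicitly at every step, path validation that keeps a credential path under its configured base directory, and a content check before a certificate file is used. The function names, the error class and the sample PEM bytes (a placeholder, not a real certificate) are the author's own.

```python
"""Defensive parsing in the style of the Kubernetes recommendations above.
Added example; names and sample inputs are constructed for illustration."""
import re
from pathlib import Path


class ValidationError(ValueError):
    """Raised at the first failing step so callers never see a half-processed result."""


# Decimal digits only: no sign, whitespace, hex prefix or non-ASCII digits.
_PORT_RE = re.compile(r"[0-9]{1,5}")
_HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")
_PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\n[A-Za-z0-9+/=\n]+-----END CERTIFICATE-----")


def parse_port(value):
    """The single shared port parser (the ParsePort idea): str -> int in 1..65535."""
    if not isinstance(value, str) or not _PORT_RE.fullmatch(value):
        raise ValidationError("port %r is not a decimal number" % (value,))
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValidationError("port %d out of range 1-65535" % port)
    return port


def parse_endpoint(value):
    """Compound operation 'host:port' that validates and raises after each step."""
    if not isinstance(value, str) or value.count(":") != 1:
        raise ValidationError("endpoint %r must be host:port" % (value,))
    host, port = value.split(":")
    if not _HOST_RE.fullmatch(host):
        raise ValidationError("host %r contains invalid characters" % host)
    return host, parse_port(port)


def resolve_under(base_dir, requested):
    """Path validation: the symlink-resolved path must stay inside base_dir.
    Rejects '..' escapes, absolute paths and symlinks that point outside."""
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValidationError("path %r escapes %s" % (requested, base))
    return candidate


def check_pem_certificates(data):
    """Content validation: return the number of PEM CERTIFICATE blocks, or raise.
    Runs before the bytes are handed to a TLS library."""
    if not isinstance(data, bytes) or not data or len(data) > 64 * 1024:
        raise ValidationError("certificate data missing or too large")
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValidationError("certificate file is not ASCII PEM") from exc
    blocks = _PEM_CERT_RE.findall(text)
    if not blocks:
        raise ValidationError("no PEM CERTIFICATE block found")
    return len(blocks)


def rejects(fn, value):
    """True if fn(value) raises ValidationError (used by the demo and by tests)."""
    try:
        fn(value)
    except ValidationError:
        return True
    return False


# Constructed placeholder, not a real certificate: only the PEM framing matters here.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUQ==\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(parse_endpoint("10.0.0.1:6443"))
    print(resolve_under("/etc/kubernetes/pki", "apiserver.crt"))
    print("PEM blocks:", check_pem_certificates(SAMPLE_PEM))
    for bad in ("0x1bb", "70000", "-1", " 443", "0"):
        print("rejected port %r: %s" % (bad, rejects(parse_port, bad)))
    print("traversal rejected:",
          rejects(lambda p: resolve_under("/etc/kubernetes/pki", p), "../../../etc/shadow"))
```

The point of `rejects` returning a value rather than the functions printing is that every rule is observable from a test. Note that `resolve_under` compares resolved paths, so a symlink planted inside the base directory that points at `/etc/shadow` is caught the same way as a literal `..` sequence; a plain string-prefix check would miss it.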
Best Practices for Serverless Security

Discussed below are various best practices for securing the serverless computing environment.

- Minimize serverless permissions in the development phase to reduce the attack surface area.
- Regularly monitor function layers to identify attempts at malicious code injection and other web server attacks.
- Use third-party security tools, because they provide additional layers of visibility and control.
- Regularly patch and update function dependencies and applications.
- Use tools such as Snyk to scan serverless applications for known vulnerabilities.
- Maintain isolated function perimeters and avoid relying on function access and invocation ordering.
- Properly sanitize event input to prevent code injection attacks.
- Use security libraries that disable access to resources and implement runtime least privilege.
- Deploy functions at minimal granularity, so that each function gets its own narrowly scoped role rather than relying on an implicit global role.
- Validate incoming data against schemas and data transfer objects instead of deserializing untrusted input directly.
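The two input-handling items above (sanitize event input; validate against a schema and a data transfer object rather than deserializing blindly) are illustrated by the following added example. It is not course material and not from any serverless framework: the handler shape follows the common API-gateway style (an event dict carrying a JSON string in "body", a response dict with "statusCode"), but the order schema, the field names, the `CreateOrder` DTO and the sample events are all constructed for this example.

```python
"""Allow-list schema validation of a serverless event before any business logic runs.
Added example; the schema and the sample events are constructed."""
import json
import re
from dataclasses import dataclass

MAX_BODY_BYTES = 4096   # cap before parsing: bounds CPU and memory per invocation


class ValidationError(ValueError):
    pass


@dataclass(frozen=True)
class CreateOrder:
    """Data transfer object: the only thing the business logic ever receives."""
    order_id: str
    quantity: int
    note: str = ""


# Explicit allow-list: unknown keys are an error, not silently ignored.
SCHEMA = {
    "order_id": {"type": str, "required": True, "pattern": re.compile(r"[A-Za-z0-9-]{1,36}")},
    "quantity": {"type": int, "required": True, "min": 1, "max": 1000},
    "note":     {"type": str, "required": False, "max_len": 200},
}


def validate_event(event):
    """Parse and validate the event body; return a CreateOrder or raise ValidationError."""
    body = event.get("body") if isinstance(event, dict) else None
    if not isinstance(body, str):
        raise ValidationError("missing body")
    if len(body.encode("utf-8")) > MAX_BODY_BYTES:
        raise ValidationError("body too large")
    try:
        data = json.loads(body)   # plain JSON only: never pickle, unsafe YAML loaders or eval
    except json.JSONDecodeError as exc:
        raise ValidationError("body is not JSON") from exc
    if not isinstance(data, dict):
        raise ValidationError("body must be a JSON object")
    unknown = set(data) - set(SCHEMA)
    if unknown:
        raise ValidationError("unexpected fields: " + ",".join(sorted(unknown)))
    fields = {}
    for name, rule in SCHEMA.items():
        if name not in data:
            if rule["required"]:
                raise ValidationError("missing field " + name)
            continue
        value = data[name]
        # bool is a subclass of int in Python, so JSON true/false must be excluded explicitly
        if isinstance(value, bool) or not isinstance(value, rule["type"]):
            raise ValidationError("field %s has wrong type" % name)
        if "pattern" in rule and not rule["pattern"].fullmatch(value):
            raise ValidationError("field %s has invalid format" % name)
        if "max_len" in rule and len(value) > rule["max_len"]:
            raise ValidationError("field %s too long" % name)
        if "min" in rule and not rule["min"] <= value <= rule["max"]:
            raise ValidationError("field %s out of range" % name)
        fields[name] = value
    return CreateOrder(**fields)


def handler(event, context=None):
    """Function entry point: validation first, business logic only on a typed DTO."""
    try:
        order = validate_event(event)
    except ValidationError as exc:
        # In production log the detail and return a generic message; echoed here for the demo.
        return {"statusCode": 400, "body": json.dumps({"error": str(exc)})}
    return {"statusCode": 200,
            "body": json.dumps({"accepted": order.order_id, "quantity": order.quantity})}


# Constructed sample events, not captured traffic.
GOOD_EVENT = {"body": json.dumps({"order_id": "ord-2024-0001", "quantity": 2, "note": "leave at door"})}
BAD_EVENTS = {
    "injection":       {"body": json.dumps({"order_id": "ord-1; rm -rf /", "quantity": 1})},
    "type_confusion":  {"body": json.dumps({"order_id": "ord-1", "quantity": "1"})},
    "mass_assignment": {"body": json.dumps({"order_id": "ord-1", "quantity": 1, "role": "admin"})},
    "bool_as_int":     {"body": json.dumps({"order_id": "ord-1", "quantity": True})},
    "not_json":        {"body": "order_id=ord-1"},
    "array_body":      {"body": "[1, 2, 3]"},
}

if __name__ == "__main__":
    print("good:", handler(GOOD_EVENT))
    for name, event in BAD_EVENTS.items():
        print("%-16s %s" % (name, handler(event)))
```

The validator rejects on the first failure and never lets a partially checked object reach the business logic, which is what the DTO is for: `CreateOrder` can only be constructed from fields that passed every rule. Size is checked before `json.loads` runs, so a multi-megabyte body is refused without being parsed.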
Docker Security Tools

Docker Bench for Security
Source: https://github.com

The Docker Bench for Security is a script that checks for dozens of common best practices around deploying Docker containers in production. It enables checking:

- Host Configuration
- Docker Daemon Configuration
- Docker Daemon Configuration Files
- Container Images and Build Files
- Container Runtime

Figure 10.20: Screenshot of Docker Bench for Security. The visible part of the output, run from ~/docker-bench-security, reports for a container named docker-nginx that privileges are not restricted, no health check is set, and no PIDs cgroup limit is set, and notes that the container is on the default docker0 bridge. It also lists the container runtime checks for not sharing the host's user and UTS namespaces, not setting mount propagation to shared, not disabling the default seccomp profile, not using docker exec with the privileged or user option, and not mounting the Docker socket inside any container. Under Docker Security Operations it shows items 6.1 (perform regular security audits of the host system and containers) to 6.5 (avoid container sprawl), reporting 17 images with only 2 in use and 2 containers with 1 currently running.

Some additional Docker security tools are listed below:

- Twistlock (https://github.com)
- Aqua (https://www.aquasec.com)
- Anchore (https://anchore.com)
- NeuVector (https://neuvector.com)
- CloudPassage Halo (https://www.cloudpassage.com)
