Addition to the threat mindmap might be needed about docker-security HOT 12 OPEN

Hi Lukas,

thanks! @wurstbrot: would you mind making the sources available?

Cheers, Dirk

from docker-security.

Hi @gramsimamsi ,
thank you, changed it to "container outbreak".
What do you think about adding "Privilege Escalation in Deamon" or "Exploits" as a leaf of "Container Outbreak" (e.g. dirty cow)?

I will create a separate PR to add source slides so everyone will be able to "copy"/"fork" and change it.

from docker-security.

Hi @wurstbrot ,
sorry for the misunderstanding - "container breakout" is the correct one :)

PrivEsc through daemon is definitely another valid problem.
Only problem would be the structure of leafs IMO, since kernel exploits may also be used for container breakouts in a similar way.

...on the other hand, other kernel or daemon exploits might be used for DOS, too.

from docker-security.

@gramsimamsi my fault.

"...on the other hand, other kernel or daemon exploits might be used for DOS, too" or network... Therefore, I added a note next to DoS

Please check page 68 again, I improved PrivEsc
The structure is also changed due to PrivEsc

In addation, I changed "kernel exploit" to "kernel vulnerability".

Comments?

from docker-security.

Looks good so far! I'd add another leaf to Container Breakout though - "privileged containers".

Since we have user namespace remapping in docker + kubernetes, processes can run as root inside a container, but not be root outside the container context (helps in cases where i.e. other vulns allow the container to poke around outside his context).

Privileged containers pose a threat as processes are still considered root outside the container context. Even privileged containers not running as root might pose a threat, as the UID given through a "USER X" line in a dockerfile might map to an existing user on the host with access to more files/resources/...

from docker-security.

@gramsimamsi thank you! Please check the mind map on slide 74 again.

from docker-security.

You're welcome - looks great now, I've got nothing more to add :)

from docker-security.

from docker-security.

So risky bind mounts are considered covered by "processes as root" in https://raw.githubusercontent.com/OWASP/Docker-Security/master/assets/threats.png as of today — is that correct?

from docker-security.

@hartwork: @drwetter announced to create an other one and will not maintain the current one. Therefore, I have not placed my updates here.
Everyone can copy and adjust the mind map, just for your information.

Please find the current mind map on https://docs.google.com/presentation/d/1SWCyscCQ0YGW3_Y6vCwI4ZY_Q5-TOQ-eoVZaT6qwofc/edit?usp=sharing slide 89.

Does that solves your question?

from docker-security.

Does that solves your question?

Yes! (So this ticket may not be as done as it appeared to me earlier.)

For a direct link to page 89 if anyone needs it: https://docs.google.com/presentation/d/1SWCyscCQ0YGW3_Y6vCwI4ZY_Q5-TOQ-eoVZaT6qwofc/edit#slide=id.g5d977fc8c0_6_3103

from docker-security.

@hartwork : If a ticket is done it'll be closed ;-)

I have a started a threat model map I created for my talk in Amsterdam (https://www.owasp.org/images/d/df/Dirk_Wetter_-_Docker_Top10-AMS.pdf). It is in SVG format (that's what I meant by sources) but still is not as good as it wanted to be. So Timo's is for now the working revision now, despite the wording which @gramsimamsi correctly pointed out.

from docker-security.