Comments (12)
Hi Lukas,
thanks! @wurstbrot: would you mind making the sources available?
Cheers, Dirk
Hi @gramsimamsi ,
thank you, changed it to "container outbreak".
What do you think about adding "Privilege Escalation in Daemon" or "Exploits" as a leaf of "Container Outbreak" (e.g. dirty cow)?
I will create a separate PR to add source slides so everyone will be able to "copy"/"fork" and change it.
Hi @wurstbrot ,
sorry for the misunderstanding - "container breakout" is the correct one :)
PrivEsc through daemon is definitely another valid problem.
Only problem would be the structure of leaves IMO, since kernel exploits may also be used for container breakouts in a similar way.
...on the other hand, other kernel or daemon exploits might be used for DOS, too.
@gramsimamsi my fault.
"...on the other hand, other kernel or daemon exploits might be used for DOS, too" or network... Therefore, I added a note next to DoS
Please check page 68 again, I improved PrivEsc
The structure is also changed due to PrivEsc
In addition, I changed "kernel exploit" to "kernel vulnerability".
Comments?
Looks good so far! I'd add another leaf to Container Breakout though - "privileged containers".
Since we have user namespace remapping in docker + kubernetes, processes can run as root inside a container, but not be root outside the container context (helps in cases where i.e. other vulns allow the container to poke around outside its context).
Privileged containers pose a threat as processes are still considered root outside the container context. Even privileged containers not running as root might pose a threat, as the UID given through a "USER X" line in a dockerfile might map to an existing user on the host with access to more files/resources/...
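To make the mapping argument above concrete, here is an added example (not code from the OWASP Docker-Security project or any commenter) that translates a Dockerfile `USER` value into the host UID it is backed by, read from a constructed `/proc/<pid>/uid_map`, and checks whether that host UID collides with an existing account in a constructed `/etc/passwd` excerpt. Without user namespace remapping the map is the identity, so `USER 0` stays host root and `USER 1000` may land on a real host user.

```python
#!/usr/bin/env python3
"""Audit helper: which host UID backs a container's USER, and does it collide
with a real host account? Added example; all inputs below are constructed."""

# Constructed /proc/<pid>/uid_map contents. Each line reads:
# <first uid inside the namespace> <first uid on the host> <range length>
UID_MAP_REMAPPED = "         0     100000      65536\n"   # daemon with userns-remap
UID_MAP_IDENTITY = "         0          0 4294967295\n"  # no user namespace at all

# Constructed host /etc/passwd excerpt (uid 1000 is a real login user).
HOST_PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""


def parse_uid_map(text):
    """Return the (start_in_ns, start_on_host, length) triples of a uid_map."""
    triples = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            triples.append(tuple(int(f) for f in fields))
    return triples


def host_uid(container_uid, uid_map):
    """Translate a UID seen inside the container to the host UID behind it.
    Returns None when the UID falls outside every mapped range (the kernel
    then shows it as the overflow UID, i.e. 'nobody', on the host)."""
    for start_ns, start_host, length in uid_map:
        if start_ns <= container_uid < start_ns + length:
            return start_host + (container_uid - start_ns)
    return None


def host_users(passwd_text):
    """Map host UID -> account name from passwd-formatted text."""
    users = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7:
            users[int(fields[2])] = fields[0]
    return users


def assess(dockerfile_user, uid_map_text, passwd_text):
    """Summarise the effective host identity of the container's main process."""
    uid = host_uid(int(dockerfile_user), parse_uid_map(uid_map_text))
    return {"host_uid": uid,
            "is_host_root": uid == 0,
            "collides_with": host_users(passwd_text).get(uid)}
```

Run `assess("1000", UID_MAP_IDENTITY, HOST_PASSWD)` against the constructed data to see the collision with `alice`; the same `USER 1000` under the remapped map resolves to host UID 101000, which matches no host account.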
@gramsimamsi thank you! Please check the mind map on slide 74 again.
You're welcome - looks great now, I've got nothing more to add :)
So risky bind mounts are considered covered by "processes as root" in https://raw.githubusercontent.com/OWASP/Docker-Security/master/assets/threats.png as of today — is that correct?
@hartwork: @drwetter announced to create another one and will not maintain the current one. Therefore, I have not placed my updates here.
Everyone can copy and adjust the mind map, just for your information.
Please find the current mind map on https://docs.google.com/presentation/d/1SWCyscCQ0YGW3_Y6vCwI4ZY_Q5-TOQ-eoVZaT6qwofc/edit?usp=sharing slide 89.
Does that solve your question?
Does that solve your question?
Yes! (So this ticket may not be as done as it appeared to me earlier.)
For a direct link to page 89 if anyone needs it: https://docs.google.com/presentation/d/1SWCyscCQ0YGW3_Y6vCwI4ZY_Q5-TOQ-eoVZaT6qwofc/edit#slide=id.g5d977fc8c0_6_3103
@hartwork : If a ticket is done it'll be closed ;-)
I have started a threat model map I created for my talk in Amsterdam (https://www.owasp.org/images/d/df/Dirk_Wetter_-_Docker_Top10-AMS.pdf). It is in SVG format (that's what I meant by sources) but still is not as good as I wanted it to be. So Timo's is for now the working revision, despite the wording which @gramsimamsi correctly pointed out.