Essentials to Securing Threats for Containerized Cloud-Native Applications
Nowadays, a containerized solution is a de facto standard in the cloud-native application development world. Tools like Docker, Containers, CRI-O, and Kubernetes are on-trend. Millions of development and architecture teams choose a container-based solution to build their product. All well-known cloud providers have numerous services and are based on Kubernetes, Docker, and other container orchestration platforms.
Tools and platforms are a fundamental part of the threat detection foundation. There are a lot of open-source tools that contain a lot of threat detection options. Below I-ve listed some tools that provide logic:
Static image vulnerability scanning
Threat Detection for Containers Refcard contains the extended guide on securing threats for containerized cloud-native applications.
Clair is a static security scanner tool. It is based on Open Container Initiative (OCI) format. Clair validates and indexes the images against all well-known threats and vulnerability information sources, like CVE Tracker, Redhat security Data, and Debian Security Bug Tracker. Also, Clair provides an API for development integration purposes. It allows you to create your divers to extend and customize Clair functionality. Clair has several Indexer, matcher,notifier, or combo models. The easiest and fastest way to start is the combo model. In this way, it runs in a single process.
For combo mode, you need a load balancer or Kubernetes ingress and a single database, as shown in the figure above.
Trivy is a security container scanner based on the CVE threat database. It can also scan misconfiguration, secrets, and software dependencies. Trivy uses several scanning sources, like:
Filesystem and Storage
Trivy can be installed on your PC or in the Kubernetes nodes, using npm, apt-get, brew, and other package managers.
apt-get install trivy yum install trivy brew install aquasecurity/trivy/trivy
To execute image scanning you can following command
$ trivy image app-backend:1.9-test
The main goal Secret Scanner is to look into the container images, infrastructure as code files, JSON log files for hardcoded and default secrets, passwords, AWS access IDs, AWS secret access keys, Google OAuth Key, SSH keys, and tokens.
To run SecretScanner as a standalone, you should do the following:
docker run -it - rm - name=deepfence-secretscanner -v $(pwd):/home/deepfence/output -v /var/run/docker.sock:/var/run/docker.sock deepfenceio/deepfence_secret_scanner:latest -image-name node:8.11
OpenSCAP is a tool that includes complex security auditing options. It allows you to scan, edit and export SCAP documents. SCAP (Security Content Automation Protocol) provides and describes security compliance checks for the infrastructure that is based on Linux.
Open SCAP consists of the following components and tools:
OpenSCAP Base- For vulnerability and configuration scans
oscap-docker- For compliance scans
SCAP Workbench- A graphical utility to facilitate the execution of typical oscap tasks
OpenSCAP Daemon- A service that runs in the background
SCAPtimony- Middleware that retains SCAP results for the infrastructure of the user
Below you can see an example of how you run the validation process of the SCAP content.
oscap ds sds-validate scap-ds.xml
To configure the kube-bench you can use YAML files. I have listed YAML file. You can use it to run the validation process against a single pod.
--- apiVersion: batch/v1 kind: Job metadata: name: kube-bench spec: template: metadata: labels: app: kube-bench spec: hostPID: true containers: - name: kube-bench image: docker.io/aquasec/kube-bench:v0.6.8 command: ["kube-bench"] volumeMounts: - name: var-lib-etcd mountPath: /var/lib/etcd readOnly: true - name: var-lib-kubelet mountPath: /var/lib/kubelet readOnly: true - name: var-lib-kube-scheduler mountPath: /var/lib/kube-scheduler readOnly: true - name: usr-bin mountPath: /usr/local/mount-from-host/bin readOnly: true - name: etc-cni-netd mountPath: /etc/cni/net.d/ readOnly: true - name: opt-cni-bin mountPath: /opt/cni/bin/ readOnly: true … restartPolicy: Never volumes: - name: var-lib-etcd hostPath: path: "/var/lib/etcd" - name: var-lib-kubelet hostPath: path: "/var/lib/kubelet" …
Let-s save this document to the file job.yaml and run it with the apply command:
$ kubectl apply -f job.yaml
I have to cut the file a bit. You can find the complete version here.
Threat mapper is a complex security solution for Cloud Native applications. It scans your infrastructure cluster components for threats and vulnerabilities. It contains:
Generate Software Bill of Materials (SBOM)
Infrastructure security and threats visualization
Before we jump into the tool description, I will give an overview of what is software Bill of Materials (SBOM).
SBOM is a combination of all open-source and third-party tools and components that contains your application. An SBOM contains license information of all components. This information is important for quick identification of the security risk.
The threat scanner contains the following components:
Management console - is a UI tool that builds a security infrastructure overview and provides vulnerabilities and threats reports.
Sensors agents - is a tool that scans your cluster nodes and gathers security telemetry. Sensors agents report telemetry to the management console.
For example, to install Sensor agents to the AKS cluster, you need to do the following:
helm repo add deepfence https://deepfence-helm-charts.s3.amazonaws.com/threatmapper
helm repo add deepfence [https://deepfence-helm-charts.s3.amazonaws.com/threatmapper](https://deepfence-helm-charts.s3.amazonaws.com/threatmapper) helm show readme deepfence/deepfence-agent helm show values deepfence/deepfence-agent # helm v2 helm install deepfence/deepfence-agent \ --name=deepfence-agent \ --set managementConsoleUrl=x.x.x.x \ --set deepfenceKey=C8TtyEtNB0gBo1wGhpeAZICNSAaGWw71BSdS2kLELY0 # helm v3 helm install deepfence-agent deepfence/deepfence-agent \ --set managementConsoleUrl=x.x.x.x \ --set deepfenceKey=C8TtyEtNB0gBo1wGhpeAZICNSAaGWw71BSdS2kLELY0
To install the management console in your AKS cluster, you can use the following command:
helm repo add deepfence https://deepfence-helm-charts.s3.amazonaws.com/threatmapper helm install deepfence-console deepfence/deepfence-console
The installation downloads and install helm package directly to the cluster namespace. It uses two simple commands that allow you to include it in your IaC process.
Threat Detection for Containers
“With the exponential increase in container adoption, it-s more critical than ever for teams to ensure that proper security and threat management infrastructure and practices are in place. This Refcard presents a comprehensive examination of threat detection for containerized environments, spanning several focus areas such as common cloud security architectures and Kubernetes hardening guidelines.”
And central to this Refcard are the fundamentals of container threat detection, including concepts like resource limits, static image vulnerability scanning, configuration validation, and much more.