What is Docker in penetration testing?

  • November 14, 2021
  • By Cyberarch Admin

In this world which is completely getting digitalized there is always a need to stay safe and secure. Most of our information that may be personal or professional is stored in the cloud and hence extra layer of security is needed to safeguard the information. To identify the weak spots, every organization will periodically conduct Security Testing Called Penetration Testing which is crucial.

Whatever technology you may use, you will hear the word Penetration Testing along with that tech term. For example Mobile Application Penetration Testing, Web Application penetration Testing, Infrastructure Penetration Testing, AWS/AZURE Penetration Testing etc. Same way nowadays Kubernetes and Docker Penetration Testing are getting the limelight as many Organizations are moving towards containerised application.

First let’s see basically what is Docker and why many are moving towards it. Docker provides OS Level Virtualization delivering software/application in packages called Containers. Docker containers are isolated from one another (Standalone), Light-weight and comes bundled with executable application along with its libraries, system tools and configuration files etc.

Docker does not need extra configuration as the package in itself is already configured and runs smoothly once deployed. Just a line of command is enough to start the service/process/application. Docker seems similar to a Virtual Machine, but the difference is it runs directly on the kernel of the host by virtualising the OS and not on the hardware. Docker Service runs on the host itself and Containers runs top of it.

Typically a Penetration Test or attack against an organization can be describes as compromising the connected systems using exploits against vulnerable services that are running on those systems. Once a system is compromised, it leads to further exploiting subsequent systems.

Usually attackers will compromise a container through the external facing application. If it is a web application, it can be exploited in the same way as other web applications. So basically attackers will compromise the software/service/application running within a specific container using traditional tools/attack methods/procedures and then leverage the attack by little modification to exploit the internals of an application.

Docker applications may consist of single or multiple containers. In terms of attack, attacking a single container also called as monolithic container is somewhat same as like attacking a traditional host operating system installation of the application and code/command execution will work in the same way it is executed in a host OS.

The exploitation and access will be limited to that container environment alone and may not lead to the exploitation of the container’s host. Sometimes this single/monolithic environment will provide post-exploitation opportunities for the attackers just like how they will do it in the traditional network.

Regardless of the application’s dependence on each other, Docker may place multiple containers in a same private network. In the default configuration each containers on the host may talk to each other even though you specify specific port which should be exposed to the outside world.

Open source images may contain security vulnerabilities which may jeopardise the safety of the containers which in turn may affect the host system/server. When in production if the containers are left unprotected it is possible to hijack them.

Such a hack has happened in Tesla, which faced Cryptojacking Attack where the attackers used the unprotected Kubernetes Cluster of Tesla to mine crypto currencies using the provided GPUs. They made sure that the CPU usage is minimum and the script runs at particular interval. Cryptojacking attack can be possible by exploiting CVE-2018-15664 which gives the attacker root access to a host system.

As Docker is becoming more popular, Security Researchers and Attackers are finding many new ways to attack and exploit it by finding new vulnerabilities along with the existing ones. Usually software bugs and misconfiguration will pose as major security problem. When the program itself has some problem due to poor coding such as improper allocation of storage or memory which may lead to vulnerabilities such as buffer overflow are called bugs. When the software/program is poorly configured or configured with default settings which may leads to exploitation by the attacker, then it is called security misconfiguration. It is the responsible of the developer to recommend the user about proper configuration implementation.

When talking about Docker misconfiguration, few of the mentioned below misconfiguration occurs:

Docker Permission

By default the user will be running with root privilege which itself is a security issue. Giving unprivileged users access to Docker is a common security misconfiguration, which allows them to communicate with Docker Containers. This is considered dangerous because an unprivileged user is given access to the files with root access. Some of the permissions are described below

 Docker Group

Docker Group is for allowing access management of Docker usage. Which means the user present under the docker group will be allowed to use Docker. If an administrator poorly configure docker group and allow all users to be added under docker group, then every user whether privileged or un privileged will be able to access docker as mentioned above. For example let’s say that we are a non-privileged user without sudo privilege, but a member of docker group. We can create a container mounted as a volume and can access any files including the password file with hashes

World Read Write Socket Permission

By default only administrator and users in the Docker Group will be provided with read and write access to the Docker sockets. But when administrators lazily provide permission to all (666), then any user will get read write access to Docker socket which is dangerous.

setuid BIT

This bit is a permission bit in Unix which allows the user to run the binaries as the owner. Setting up the setuid bit on the docker binary for access management is also many times missed or skipped by the administrators. setuid is useful in cases where the user wants to change the password but not able to view the password hashes. That is why passwd binary has the setuid bit set. If a misconfigured system is having the setuid bit set for the docker binary, then any user will be able to execute Docker as root.

Readable Configuration Files

In order to save all the necessary Docker settings to configuration files and not to repeat the process again and again, Docker users use programs such as docker-compose while setting up the environment. This configuration files may contain sensitive files. If read/write permission is not properly configured then it might lead to the leakage of secret information files such as .docker/config.json and docker-compose.yaml.         

The evolution of Docker has also seen a fair share of Critical Vulnerabilities such as CVE-2014-9357CVE-2019-5736CVE-2019-15752 etc. which has a severity rating of 9.3 to 10.0. These vulnerabilities are related to Code Execution and Privilege Escalation. Apart from this there are some bugs which are severe such as malicious use of Docker sockets and CVE such as CVE-2019-16884 are container escape.

There is a big list of CVEs related to Docker which can be found here https://www.cvedetails.com/vulnerability-list/vendor_id-13534/Docker.html. It is found that most of the official and popular Docker containers have lots of vulnerabilities. This is why we need to focus on Docker Security just like any other Security such as Network Security, Web App Security, Mobile App Security etc. Docker Security means Securing and Hardening.


Top open-source tools for Docker security

Automating container auditing, as well as using other container security processes, can be a huge boon for enterprises by helping teams catch problems early in the build pipeline.

While there are plenty of open-source container security tools out there, here are the best, most mature ones with the largest user communities.

1. Docker Bench for Security

A script to audit Docker containers against security benchmarks.Geared toward developers who manage containers with the Docker community edition, Docker Bench for Security is Docker’s open-source script for auditing containers against common security best practices.

Docker Bench bases its tests on the industry-standard CIS benchmarks, helping automate the tedious process of manual vulnerability testing.

You can initiate the container as follows:

docker run -it –net host –pid host –userns host –cap-add audit_control \ -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \ -v /var/lib:/var/lib \ -v /var/run/docker.sock:/var/run/docker.sock \ -v /usr/lib/systemd:/usr/lib/systemd \ -v /etc:/etc –label docker_bench_security \ docker/docker-bench-security

The results give out Info, Warning, and Pass logs for each security configuration benchmark. You can also run this utility from the Docker host, clone it through Docker Compose, or run it straight from your base host. One drawback is a lack of machine readability in output results. Many community packages, such as Docker Bench Testdrydock, and Actuary, improve upon Docker Bench.

2. Clair

An API-driven static container security analysis with a huge CVE database

Clair, built by CoreOS, performs static analysis of container vulnerabilities. It’s also used in Quay.io, a public container registry alternative to Docker Hub. Clair ingests many vulnerability data sources, such as Debian Security Bug TrackerUbuntu CVE Tracker, and Red Hat Security Data. Since Clair consumes so many CVE databases, its auditing is comprehensive.

Clair first indexes a list of features within a container image. Then, using the Clair API, developers can query the database for vulnerabilities related to a particular image.

To get started with Clair, see the Running Clair guide. It’s easy to deploy it to a Kubernetes cluster:git clone https://github.com/coreos/clair cd clair/contrib/helm cp clair/values.yaml ~/my_custom_values.yaml vi ~/my_custom_values.yaml helm dependency update clair helm install clair -f ~/my_custom_values.yaml

Clair’s feature set is flexible. It lets you add your own drivers for additional behaviors. Also, making separate API calls to audit specific container images is a sleek, machine-driven alternative to scouring through massive report logs.

3. Cilium

API-aware networking and security at the kernel layer

Cilium is all about securing network connectivity. Compatible with Linux container platforms such as Docker and Kubernetes, Cilium adds security visibility and control logic. The interesting aspect of its low-level implementation is that you can apply and update Cilium security policies without changing the application code or container configuration.

CoreOS developed Cilium in response to the volatile lifecycles of modern microservices development and quick container deployment. Integrating it with Kubernetes is straightforward; here’s how to deploy Cilium with local changes:$ kubectl create -f ./cilium.yaml clusterrole "cilium" created serviceaccount "cilium" created clusterrolebinding "cilium" created configmap "cilium-config" created secret "cilium-etcd-secrets" created daemonset "cilium" created $ kubectl get ds --namespace kube-system NAME DESIRED CURRENT READY NODE-SELECTOR AGE cilium 1 1 1 <none> 2m

The support and community around Cilium is fantastic.

4. Anchore

A tool for inspecting container security using CVE data and user-defined policies.Anchore Engine is a tool for analyzing container images. In addition to CVE-based security vulnerability reporting, Anchore Engine can evaluate Docker images using custom policies.

Policies result in a Pass or Fail outcome. Policies are based on whitelists or blacklists, credentials, file contents, configuration types, or other user-generated cues.Packaged as a Docker container image, Anchore can run standalone or on an orchestration platform such as Kubernetes. It also has Jenkins and GitLab integrations for CI/CD.

The Anchore command-line interface (CLI) is an easy way to manipulate the Anchore Engine. For example, this CLI command returns detailed information about the content of an image:anchore-cli image content INPUT_IMAGE CONTENT_TYPE

And this example command will perform a vulnerability scan on an image:anchore-cli image vuln docker.io/library/debian:latest os

Anchore outputs a list of vulnerability details, threat levels, CVE identifiers, and other pertinent information. Because user-defined rules are created using the Anchore Cloud Service graphical user interface (GUI), it operates like SaaS.

5. OpenSCAP Workbench

An environment for creating and maintaining security policies for various platformsOpenSCAP is an ecosystem for IT admins and security auditors that includes many open security benchmark guides, configuration baselines, and open-source tools.

Those operating on Fedora, Red Hat Enterprise Linux, CentOS, or Scientific Linux can install the OpenSCAP Workbench as a GUI to run scans on virtual machines, containers, and images. You install OpenSCAP Workbench with this command:# yum install scap-workbench

To verify containers against SCAP policy guides and CVEs, use the oscap-docker utility that ships with OpenSCAP.

OpenSCAP is centered on the NIST-certified Security Content Automation Protocol (SCAP), and provides many machine-readable security policies. The OpenSCAP Security Guide states that the project’s goal is to “allow multiple organizations to efficiently develop security content by avoiding redundancy.”Because OpenSCAP is more broad-based than others on this list, it’s a good choice for teams looking to create security policies for an entire platform.

6. Dagda

A tool for scanning for vulnerabilities, Trojans, viruses, and malware in Docker containersDagda is another tool for static analysis of container security. Its CVE sources include the OWASP dependency checkRed Hat Oval, and the Offensive Security exploit database.

To use Dagda to scan a Docker container, you first populate a Mongo database with vulnerability data. Perform this command to analyze a single Docker image:python3 dagda.py check --docker_image jboss/wildfly

You can run it remotely, or continually call it to monitor active Docker containers. The output displays the number of vulnerabilities, severity level, and other details to aid remediation.One of Dagda’s benefits is wide coverage of vulnerability data. That means direct access to a wealth of updated, comprehensive exploit collections. It is also flexible in that you can control it by way of both a CLI and REST API.

7. Notary

A framework for boosting container security with a server for cryptographically delegating responsibility

Notary is the de facto Docker image signing framework, now open-sourced for other implementations. Docker developed it, then donated it to the Cloud Native Computing Foundation in 2017.

Notary is all about responsibility separation; using Notary, developers can delegate roles and define responsibilities among containers. The package provides a server and client to provide a cryptographically secure method of publishing and verifying content.

To deploy Notary locally, get started by cloning the repo. Next, use Docker Compose to deploy a local configuration:$ docker-compose build $ docker-compose up -d $ mkdir -p ~/.notary && cp cmd/notary/config.json cmd/notary/root-ca.crt ~/.notary

Relying on The Update Framework and the Go language as dependencies, Notary can verify the cryptographic integrity of a container application image.

8. Grafaes

A metadata API to to help govern internal security policies

Grafaes can greatly help you create your own container security scanning projects. Announced in late 2017, this container security tool was developed by IBM and Google.Developers can use use Grafaes, described as a “component metadata API, to define metadata for virtual machines and containers. IBM’s Vulnerability Advisor is also integrated into the project.

For a solid case study, see how Shopify uses Grafaes to manage metadata for 500,000 container images. In tandem with Kritis, the team enforces security policies on Kubernetes clusters that use Grafeas metadata.

Being able to quickly source container metadata helps speed remediation attempts, thus decreasing the window from exploit to resolution. Though Grafaes is open-source, it’s maintained by large software providers—a benefit for long-term support.

9. Sysdig Falco

Offers behavioral activity monitoring with deep container visibility

Falco is a Kubernetes-aware security auditing tool, developed by Sysdig, that emphasizes behavioral monitoring for containers, hosts, and network activities. Using Falco, developers can set up continuous checks on their infrastructure, detect anomalies, and set up alerts for any type of Linux system calls.

Falco documentation recommends that users run Falco as a Docker container. It can be installed using these commands. When implemented, a standard output Falco alert looks like this:stdout_output: enabled: true 10:20:05.408091526: Warning Sensitive file opened for reading by non-trusted program

Use Falco to monitor when a shell runs in a container, where a container has been mounted, unexpected reads of sensitive files, outbound network attempts, or other suspicious calls. Sysdig provides further container troubleshooting materials here.

10. Banyanops Collector

Framework for static analysis of Docker container images

Supported by BanyanopsCollector is an open-source utility that can be used to “peek” inside Docker container image files. Using Collector, developers can collect container data, enforce security policies, and more.

To get started, Banyanops can be run on a private registry or as a container on Docker Hub. Banyanops also provides SaaS products that offer deeper data analysis, so beware an up-sell if you encounter limited functionality.

Additional open-source tools

  • Dockscan: A security vulnerability scanner with a low number of commits
  • Batten: An auditing toolkit similar to Docker Bench, but with inactive support
  • BlackDuck Docker security: A container image security scanning tool built as a web service. Unfortunately, production use is not advised in its current form
  • Inspec: An auditing and testing framework with Docker container testing capabilities

Recent Articles

Got hacked? Speak to our security consultant.

Get in Touch
Scroll Top