├── best-practices.md ├── .gitignore ├── static ├── htop.png ├── mmu1.gif ├── prings.png ├── virtmem.png ├── contextsw.jpg ├── linuxarch.jpg ├── container_vs_vm.jpg └── docker-overview.png ├── lsm.md ├── linuxarch ├── index.md ├── kernel.md ├── processmanage.md ├── protectionrings.md ├── syscalls.md └── memorymanage.md ├── README.md ├── about.md ├── cgroups.md ├── dirtycow.md ├── SUMMARY.md ├── LICENSE ├── capabilities.md ├── namespaces.md ├── seccomp-bpf.md ├── references.md ├── linux-containers.md ├── linux-namespaces.md └── apparmor.md /best-practices.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | _book/* 2 | -------------------------------------------------------------------------------- /static/htop.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/makash/linux-container-security-docs/HEAD/static/htop.png -------------------------------------------------------------------------------- /static/mmu1.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/makash/linux-container-security-docs/HEAD/static/mmu1.gif -------------------------------------------------------------------------------- /static/prings.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/makash/linux-container-security-docs/HEAD/static/prings.png -------------------------------------------------------------------------------- /static/virtmem.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/makash/linux-container-security-docs/HEAD/static/virtmem.png -------------------------------------------------------------------------------- /static/contextsw.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/makash/linux-container-security-docs/HEAD/static/contextsw.jpg -------------------------------------------------------------------------------- /static/linuxarch.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/makash/linux-container-security-docs/HEAD/static/linuxarch.jpg -------------------------------------------------------------------------------- /static/container_vs_vm.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/makash/linux-container-security-docs/HEAD/static/container_vs_vm.jpg -------------------------------------------------------------------------------- /static/docker-overview.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/makash/linux-container-security-docs/HEAD/static/docker-overview.png -------------------------------------------------------------------------------- /lsm.md: -------------------------------------------------------------------------------- 1 | ### What is LSM? 2 | 3 | The Linux Security Module (LSM) framework provides a mechanism for 4 | various security checks to be hooked by new kernel extensions. 5 | 6 | The primary users of the LSM interface are Mandatory Access Control 7 | (MAC) extensions which provide a comprehensive security policy. Examples 8 | include SELinux, Smack, Tomoyo, and AppArmor. -------------------------------------------------------------------------------- /linuxarch/index.md: -------------------------------------------------------------------------------- 1 | # Linux Architecture 2 | 3 | >Linux is a Unix-like computer operating system assembled under the model of free and open-source software development and distribution. The defining component of Linux is the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. 4 | 5 | 6 | # 7 | ![Linux Architecture](../static/linuxarch.jpg) -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Introduction 2 | 3 | This book is an attempt to document the security features provided in a modern linux distribution 4 | 5 | # Topics: 6 | 1. Linux Architecture 7 | - Kernel 8 | - Memory management 9 | - Dirtycow Demo 10 | - Protection Rings 11 | - System Calls 12 | 2. Containers 13 | 3. Kernel Features 14 | - namespaces 15 | - seccomp-bpf 16 | - capablities 17 | - cgroups 18 | 4. Security modules 19 | - Apparmor 20 | -------------------------------------------------------------------------------- /about.md: -------------------------------------------------------------------------------- 1 | ### About us 2 | 3 | 4 | ### Subash SN 5 | 6 | - Final year student & Security Enthusiast 7 | - Interested in Cloud Security and Artificial Intelligence 8 | - Twitter: [@pingsns](https://twitter.com/@pingsns) 9 | 10 | 11 | 12 | ### Madhu Akula 13 | 14 | - Automation Ninja @Appsecco 15 | - Interested in Security, DevOps and Cloud 16 | - Speaker & Trainer at Defcon, DevSecCon, AllDayDevOps, etc. 17 | - Found bugs in Google, Microsoft, Yahoo, etc 18 | - Never ending learner! 19 | - Follow me (or) Tweet to me [@madhuakula](https://twitter.com/@madhuakula) -------------------------------------------------------------------------------- /cgroups.md: -------------------------------------------------------------------------------- 1 | ### What are Cgroups 2 | 3 | The kernel uses cgroups to group processes for the purpose of system resource management. Cgroups allocate CPU time, system memory, network bandwidth, or combinations of these among user-defined groups of tasks. 4 | 5 | 6 | ``` 7 | $ docker run -d --name='low_priority' --cpuset-cpus=0 --cpu-shares=20 alpine md5sum /dev/urandom 8 | $ docker run -d --name='high_priority' --cpuset-cpus=0 --cpu-shares=80 alpine md5sum /dev/urandom 9 | $ htop 10 | 11 | $ docker stop low_priority high_priority 12 | $ docker rm low_priority high_priority 13 | 14 | $ docker run -d --name='low_priority' alpine md5sum /dev/urandom 15 | $ docker run -d --name='high_priority' alpine md5sum /dev/urandom 16 | $ htop 17 | ``` 18 | -------------------------------------------------------------------------------- /dirtycow.md: -------------------------------------------------------------------------------- 1 | ### Copy on Write (COW) 2 | >Copy-on-write (sometimes referred to as "COW") is an optimization strategy used in computer programming. The fundamental idea is that if multiple callers ask for resources which are initially indistinguishable, you can give them pointers to the same resource. This function can be maintained until a caller tries to modify its "copy" of the resource, at which point a true private copy is created to prevent the changes becoming visible to everyone else. All of this happens transparently to the callers. The primary advantage is that if a caller never makes any modifications, no private copy need ever be created. 3 | 4 | ### POC 5 | ``` 6 | https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs 7 | ``` 8 | 9 | # DEMO 10 | 11 | -------------------------------------------------------------------------------- /SUMMARY.md: -------------------------------------------------------------------------------- 1 | # Summary 2 | 3 | * [Introduction](README.md) 4 | * [About Us](about.md) 5 | * [Linux Architecture](linuxarch/index.md) 6 | - [Kernel](linuxarch/kernel.md) 7 | - [Process Management](linuxarch/processmanage.md) 8 | - [Protection Rings](linuxarch/protectionrings.md) 9 | - [System Calls](linuxarch/syscalls.md) 10 | - [Memory Management](linuxarch/memorymanage.md) 11 | * [Dirty Cow Demo](dirtycow.md) 12 | * [Linux Containers](linux-containers.md) 13 | * [Namespaces](namespaces.md) 14 | - [What are the Linux namespaces?](linux-namespaces.md) 15 | * [Seccomp](seccomp-bpf.md) 16 | * [Control Group](cgroups.md) 17 | * [Capabilities](capabilities.md) 18 | * [Linux Security Modules](lsm.md) 19 | - [AppArmor](apparmor.md) 20 | * [Best Practices](best-practices.md) 21 | * [References & Resources](references.md) -------------------------------------------------------------------------------- /linuxarch/kernel.md: -------------------------------------------------------------------------------- 1 | ### What is the Linux Kernel? 2 | 3 | >The Kernel is responsible for directing the hardware and software. It is held entirely in the RAM by Reserving the Kernel Space. It also manages the system memory resources as best as possible. It directs the operations using the drivers installed in the Kernel or installed afterward in the form of kernel modules. 4 | 5 | ### How Did The Linux Kernel Start? 6 | 7 | >It was created by a Finnish student by the name of Linus Torvalds in 1991. He sent out an email to a mailing list saying, “Hello everybody out there using minix — I’m doing a (free) operating system (just a hobby, won’t be big and professional like gnu) for 386 (486) AT clones.” 8 | 9 | ### Functions of the Kernel: 10 | - Manages the hardware 11 | - Instructs the CPU 12 | - Bridges hardware and running processes 13 | - Process and Memory management 14 | - Device Drivers 15 | - System Calls and more. -------------------------------------------------------------------------------- /linuxarch/processmanage.md: -------------------------------------------------------------------------------- 1 | ### Process 2 | 3 | ![Htop](../static/htop.png) 4 | 5 | All processes start as user mode. The kernel isnt a process, it's a controller of processes. 6 | 7 | ### Process Scheduling: 8 | 9 | >The process scheduler is a part of the operating system that decides which process runs at a certain point in time. It usually has the ability to pause a running process, move it to the back of the running queue and start a new process; such a scheduler is known as preemptive scheduler, otherwise it is a cooperative scheduler. 10 | 11 | ### Context Switching 12 | 13 | The process by which the CPU is able to transition into executing another process. 14 | 15 | #### Steps: 16 | 1. CPU Stops current operationa and switches to Kernel mode. 17 | 2. CPU Records the current state of the CPU and memory. 18 | 3. Kernel performs pending tasks (I/O,etc.). 19 | 4. Kernel chooses a process based on a scheduling algorithm. 20 | 5. Kernel prepares the memory for the next process and starts the next process execution. 21 | 22 | ![Multitasking](../static/contextsw.jpg) 23 | 24 | -------------------------------------------------------------------------------- /linuxarch/protectionrings.md: -------------------------------------------------------------------------------- 1 | ### Protection rings in x86 2 | # 3 | ![Protection Rings](../static/prings.png) 4 | 5 | # 6 | 7 | **Ring 0** is the **kernel** mode. **Ring 3** is the **user** mode. The other rings are not usually used. **Virtualbox** loads the Virtual Machine's Kernel into **Ring 1**. 8 | 9 | ### Kernel Mode vs User Mode Execution 10 | 11 | >In Kernel mode, the executing code has complete and unrestricted access to the underlying hardware. It can execute any CPU instruction and reference any memory address. In User mode, the executing code has no ability to directly access hardware or reference memory. Code running in user mode must delegate to system APIs to access hardware or memory. 12 | 13 | These two modes aren't mere labels; they're enforced by the CPU hardware. If code executing in User mode attempts to do something outside its purview-- like, say, accessing a privileged CPU instruction or modifying memory that it has no access to -- a trappable exception is thrown. Instead of your entire system crashing, only that particular application crashes. That's the value of User mode. -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2017 Akash Mahajan 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /capabilities.md: -------------------------------------------------------------------------------- 1 | ### What is capabilities? 2 | 3 | > Capabilities turn the binary “root/non-root” dichotomy into a fine-grained access control system. Processes (like web servers) that just need to bind on a port below 1024 do not have to run as root: they can just be granted the `net_bind_service` capability instead. And there are many other capabilities, for almost all the specific areas where root privileges are usually needed. 4 | 5 | Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. 6 | 7 | For exmaple, if you run a container that run ntpd, which needs to modify the host system time. The container would not run because it requires `SYS_TIME`. 8 | 9 | 10 | ### Scenario Demo 11 | 12 | If you specify the --privileged=true option to docker create or docker run, the container has access to all the devices on the host, which can present a security risk. For more precise control, you can use the `--cap-add` and `--cap-drop` options 13 | 14 | ``` 15 | $ docker run -it alpine sh 16 | # ip route 17 | # ip route del default 18 | 19 | $ docker run --cap-add=NET_ADMIN -it alpine sh 20 | # ip route 21 | # ip route del default 22 | ``` 23 | -------------------------------------------------------------------------------- /namespaces.md: -------------------------------------------------------------------------------- 1 | ### What are the Linux Namespaces? 2 | 3 | > The kernel provides process isolation by creating separate namespaces for containers. Namespaces enable creating an abstraction of a particular global system resource and make it appear as a separated instance to processes within a namespace. Consequently, several containers can use the same resource simultaneously without creating a conflict. 4 | 5 | 6 | ### Some of the namespaces in Linux 7 | - Mount namespaces 8 | - UTS namespaces (UNIX Timesharing System) 9 | - IPC namespaces (Interprocess Communication) 10 | - PID namespaces (Process Identification) 11 | - Network namespaces 12 | 13 | Note: Namespaces are a feature of the Linux kernel that isolates and virtualizes system resources of a collection of processes. (wikipedia) 14 | 15 | 16 | > There is another type of namespace called user namespace. User namespaces are similar to PID namespaces, they allow you to specify a range of host UIDs dedicated to the container. Consequently, a process can have full root privileges for operations inside the container, and at the same time be unprivileged for operations outside the container. 17 | 18 | 19 | ### Sample overview demo 20 | 21 | ``` 22 | $ docker run -d alpine sleep 1000 23 | $ sudo ls /proc/[pid]/ns/ 24 | ``` 25 | -------------------------------------------------------------------------------- /seccomp-bpf.md: -------------------------------------------------------------------------------- 1 | ### Seccomp 2 | Seccomp stands for secure computing mode. It's a simple sandboxing tool in the Linux kernel, available since Linux version 2.6.12. When enabling seccomp, the process enters a "secure mode" where a very small number of system calls are available (exit(), read(), write(), sigreturn()). Writing code to work in this environment is difficult; for example, dynamic memory allocation (using brk() or mmap(), either directly or to implement malloc()) is not possible. 3 | 4 | ### Seccomp-bpf 5 | Seccomp-BPF is a more recent extension to seccomp, which allows filtering system calls with BPF (Berkeley Packet Filter) programs. These filters can be used to allow or deny an arbitrary set of system calls, as well as filter on system call arguments (numeric values only; pointer arguments can't be dereferenced). Additionally, instead of simply terminating the process, the filter can raise a signal, which allows the signal handler to simulate the effect of a disallowed system call (or simply gather more information on the failure for debugging purposes). Seccomp-bpf is available since Linux version 3.5 and is usable on the ARM architecture since Linux version 3.10. Several backports are available for earlier kernel versions. 6 | 7 | 8 | ### How to call Seccomp-bpf? 9 | 10 | ``` 11 | #include 12 | #include 13 | [...] 14 | prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &bpf_prog) 15 | ``` -------------------------------------------------------------------------------- /linuxarch/syscalls.md: -------------------------------------------------------------------------------- 1 | ### System Calls 2 | 3 | >In computing, a system call is the programmatic way in which a computer program requests a service from the kernel of the operating system it is executed on. This may include hardware-related services (for example, accessing a hard disk drive), creation and execution of new processes, and communication with integral kernel services such as process scheduling. System calls provide an essential interface between a process and the operating system. 4 | 5 | Basically system calls allow the Ring 3 processes to do privileged operations. System calls send a software interrupt to the CPU and the Kernel performs the operations required. 6 | 7 | ### Interrupts 8 | 9 | >In system programming, an interrupt is a signal to the processor emitted by hardware or software indicating an event that needs immediate attention. An interrupt alerts the processor to a high-priority condition requiring the interruption of the current code the processor is executing. 10 | 11 | Interrupts allow an immediate request to be processed when the CPU is busy with something else. 12 | 13 | ### Steps 14 | 1. User process needs to perform a privileged action, so initiates an interrupt to the CPU. 15 | 2. The interrupt puts the CPU in Ring 0 and passes control to Kernel. 16 | 3. The kernel determines if the user process should be granted the system call (based on privileges). 17 | 4. If granted, the kernel will execute the system call 18 | 5. Once finished, the kernel initiates the change to Ring 3. 19 | 20 | 21 | -------------------------------------------------------------------------------- /linuxarch/memorymanage.md: -------------------------------------------------------------------------------- 1 | ### Linux memory Management 2 | 3 | - Kernel keeps track of all RAM and how it's shared between processes. 4 | - The kernel splits the RAM into pages and maintains the state information about these subdivisions at all time. 5 | - Kernel effectively sandboxes memory of various processes 6 | - Shared memory is taken from free memory 7 | - Paging is also handled by kernel 8 | 9 | ### Kernel Space vs User Space 10 | 11 | >Kernel space is strictly reserved for running a privileged operating system kernel, kernel extensions, and most device drivers. In contrast, user space is the memory area where application software and some drivers execute. 12 | 13 | No user process can access the Kernel Space. Additionally User space is also sandboxed for each process. Shared memory can be facilitated. 14 | 15 | 16 | ### Virtual Memory 17 | 18 | ![Virtual memory](../static/virtmem.png) 19 | 20 | Every process sees only this continuous chunk of Virtual Memory. 21 | 22 | ### Memory Management Unit 23 | 24 | ![MMU](../static/mmu1.gif) 25 | 26 | - The MMU is a unit inside the CPU, and does the Virtual to Physical Address translation. 27 | - The kernel maintains a page table, which maps a processes virtual addresses to the Physical addresses. 28 | - Each page has a PTE (Page Table Entry) 29 | - Each PTE has a PAGE_USER bit to specify if it is user space accessible. 30 | 31 | 32 | ### Page Faults 33 | 34 | A page fault occurs when the required page is not loaded in to the memory. 35 | 36 | ``` 37 | ps -eo min_flt,maj_flt,cmd 38 | 39 | ``` 40 | -------------------------------------------------------------------------------- /references.md: -------------------------------------------------------------------------------- 1 | ### List of references 2 | 3 | - http://man7.org/linux/man-pages/man7/namespaces.7.html6 4 | - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html/overview_of_containers_in_red_hat_systems/introduction_to_linux_containers#linux_containers_architecture 5 | - http://man7.org/linux/man-pages/man7/mount_namespaces.7.html 6 | - http://man7.org/linux/man-pages/man7/user_namespaces.7.html 7 | - http://man7.org/linux/man-pages/man7/pid_namespaces.7.html 8 | - http://man7.org/linux/man-pages/man7/capabilities.7.html 9 | - https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities 10 | - https://docs.oracle.com/cd/E37670_01/E75728/html/section_mf3_vb5_dq.html 11 | - https://www.cloudsigma.com/manage-docker-resources-with-cgroups/ 12 | - http://manpages.ubuntu.com/manpages/xenial/en/man7/apparmor.7.html 13 | - https://www.digitalocean.com/community/tutorials/how-to-create-an-apparmor-profile-for-nginx-on-ubuntu-14-04 14 | - https://www.kernel.org/doc/Documentation/security/LSM.txt 15 | - http://securingthestack.com/linux/ 16 | - https://opensource.com/resources/what-are-linux-containers 17 | 18 | 19 | ### Resources 20 | - https://www.youtube.com/playlist?list=PLbzoR-pLrL6pq6qCHZUuhbXsTsyz1N1c0 21 | - https://www.slideshare.net/jpetazzo/anatomy-of-a-container-namespaces-cgroups-some-filesystem-magic-linuxcon 22 | - http://contained.af/ 23 | - https://www.linux.com/learn/overview-linux-kernel-security-features 24 | - https://www.cl.cam.ac.uk/~lc525/files/Linux_Containers.pdf 25 | - https://docs.docker.com/engine/security/security/ 26 | - https://mobyproject.org/ 27 | - https://github.com/linuxkit/linuxkit 28 | - http://wiki.apparmor.net/index.php/Main_Page 29 | - https://en.wikipedia.org/wiki/Seccomp 30 | - http://subuser.org/ 31 | - https://www.youtube.com/watch?v=BfFBDDQtSlk 32 | - https://www.coursera.org/learn/embedded-operating-system/lecture/UhvJm/module-3-lecture-2-linux-kernel-functions-and-advantages 33 | - https://sysadmincasts.com/episodes/14-introduction-to-linux-control-groups-cgroups 34 | - https://speakerdeck.com/vpetersson/an-introduction-to-cgroups-and-cgroupspy 35 | - https://events.linuxfoundation.org/sites/events/files/slides/linux_kernel_security_linuxconeu2016.pdf 36 | - https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project 37 | - http://training.play-with-docker.com/ 38 | - https://www.katacoda.com/ 39 | - https://linuxcontainers.org/ 40 | - https://www.youtube.com/watch?v=1qlLUf7KtAw 41 | - https://github.com/jessfraz/bane 42 | - https://www.youtube.com/watch?v=Cd4JU7qzYbE 43 | - https://wiki.gnome.org/Projects/SandboxedApps 44 | - https://github.com/projectatomic/bubblewrap 45 | - https://subgraph.com 46 | -------------------------------------------------------------------------------- /linux-containers.md: -------------------------------------------------------------------------------- 1 | ### What are Linux Contianers? 2 | 3 | 4 | > Before moving on, let’s understand the difference between the containers and the virtual machine. 5 | 6 | 7 | ![Virtual Machines vs Containers](static/container_vs_vm.jpg) 8 | 9 | http://patg.net/containers,virtualization,docker/2014/06/05/docker-intro/ 10 | 11 | 12 | Linux containers, in short, contain applications in a way that keep them isolated from the host system that they run on. Containers allow a developer to package up an application with all of the parts it needs, such as libraries and other dependencies, and ship it all out as one package. And they are designed to make it easier to provide a consistent experience as developers and system administrators move code from development environments into production in a fast and replicable way. 13 | 14 | Note: This is achieved through a combination of kernel security features such as namespaces, mandatory access control and control groups. 15 | 16 | 17 | ### Virtual Machines vs Containers 18 | 19 | | Virtual Machines | Containers | 20 | |:----------------------------------------------------------------------------------------------------:|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------:| 21 | | Includes the application, the necessary binaries and libraries, and an entire guest operating system | Include the application and all of its dependencies, but share the kernel with other containers, running as isolated processes in user space on the host operating system. | 22 | | Tied to platform (virtualization software) | Works everywhere (Computer, Cloud, etc.) | 23 | | Size in GB’s | Size in MB’s | 24 | | Takes minutes to start | Takes seconds to start | 25 | | Costly | Cheaper | 26 | 27 | 28 | 29 | ### What is Docker? 30 | 31 | Docker is an application that enables build, ship and run your code anywhere. Docker containers wraps your code, runtime, system tools and libraries and creates an image which can be distributed to the others and it guarantees that it will always run regardless of the environment. Docker is originally used LXC (LinuX container) technology, but later switched to runC (known as libcontainer). It uses resource isolation feature of the linux kernel to create a container such as name space, layered filesystem, network space and cgroups, etc. 32 | 33 | Learn more about docker here [https://training.docker.com/category/self-paced-online](https://training.docker.com/category/self-paced-online) 34 | 35 | 36 | ### Overview 37 | ![Docker Overview](static/docker-overview.png) 38 | 39 | 40 | ### Scenario Demo 41 | 42 | - How long does it take to setup an wordpress site for you? 43 | 44 | ``` 45 | $ docker run --name mysql -e MYSQL_ROOT_PASSWORD=wordpress -d mysql 46 | 47 | $ docker run --name some-wordpress --link mysql:mysql -p 8080:80 -d wordpress 48 | ``` 49 | 50 | 51 | ### Super cool demo with HTOP 52 | 53 | - Running `htop` command in container and assigning host processes (example of giving privileges to containers) 54 | 55 | ``` 56 | $ docker run --rm -it --pid host jess/htop 57 | ``` 58 | -------------------------------------------------------------------------------- /linux-namespaces.md: -------------------------------------------------------------------------------- 1 | ### What are the Linux name spaces? 2 | 3 | #### PID namespace 4 | 5 | PID namespaces isolate the process ID number space, meaning that processes in different PID namespaces can have the same PID. PID namespaces allow containers to provide functionality such as suspending/resuming the set of processes in the container and migrating the container to a new host while the processes inside the container maintain the same PIDs. 6 | 7 | For example, while running nginx docker container inside container we always see nginx PID 1 but outside host we see different PID like `9989` 8 | 9 | ``` 10 | $ docker run --name=samplewebapp1 -d nginx:alpine 11 | $ ps auxxx | grep nginx 12 | $ docker exec -it samplewebapp1 sh 13 | # top 14 | 15 | $ docker run --name=samplewebapp2 -d nginx:alpine 16 | $ ps auxxx | grep nginx 17 | $ docker exec -it samplewebapp2 sh 18 | # top 19 | ``` 20 | 21 | 22 | #### Mount namespace 23 | 24 | > Mount namespaces provide isolation of the list of mount points seen by the processes in each namespace instance. Thus, the processes in each of the mount namespace instances will see distinct single-directory hierarchies. 25 | 26 | For example, in docker we use `-v` option to volume mount the directories from host system to container. 27 | 28 | ``` 29 | $ docker run --name=sampleapp1 -d alpine sleep 1000 30 | $ sudo cat /proc/[PID]/mountstats 31 | $ docker exec -it sampleapp1 sh 32 | # ls /data/ 33 | 34 | $ mkdir testmount 35 | $ touch testmount/samplefile.txt 36 | $ docker run --name=sampleapp2 -d -v testmount:/data alpine sleep 1000 37 | $ sudo cat /proc/[PID]/mountstats 38 | $ docker exec -it sampleapp2 sh 39 | # ls /data/ 40 | ``` 41 | 42 | 43 | #### UTS namespace 44 | 45 | UTS namespaces provide isolation of two system identifiers: the hostname and the NIS domain name. 46 | 47 | For example, we can see these by running the below commands 48 | 49 | ``` 50 | $ hostname 51 | 52 | $ uname 53 | 54 | 55 | $ docker run -it alpine sh 56 | # hostname 57 | 58 | # uname 59 | ``` 60 | 61 | 62 | #### Network namespace 63 | 64 | Network namespace provide isolation of network controllers, system resources associated with networking, firewall and routing tables. This allows container to use separate virtual network stack, loopback device and process space. You can add virtual or real devices to the container, assign them their own IP Addresses and even full iptables rules. 65 | 66 | For example, we can view the different network settings by executing the `ip addr` command on the host and inside the container. 67 | 68 | ``` 69 | $ ip addr 70 | 71 | $ docker run --name=samplenetapp -d alpine sleep 1000 72 | $ ps auxxx | grep sleep 73 | $ sudo ls /proc/[pid]/net/ 74 | $ docker exec -it samplenetapp sh 75 | # ip addr 76 | ``` 77 | 78 | 79 | #### IPC namespace 80 | 81 | Each IPC namespace has its own set of System V IPC identifiers and its own POSIX message queue filesystem. Objects created in an IPC namespace are visible to all other processes that are members of that namespace, but are not visible to processes in other IPC namespaces. 82 | 83 | For example, check the `/proc/sysvipc` in system to see the (sem, shm, msg) 84 | 85 | 86 | #### User namespace 87 | 88 | User namespaces isolate security-related identifiers and attributes, in particular, user IDs and group IDs, the root directory, keys, and capabilities. 89 | 90 | In particular, a process can have a normal unprivileged user ID outside a user namespace while at the same time having a user ID of 0 inside the namespace; in other words, the process has full privileges for operations inside the user namespace, but is unprivileged for operations outside the namespace. -------------------------------------------------------------------------------- /apparmor.md: -------------------------------------------------------------------------------- 1 | ### What is apparmor? 2 | 3 | AppArmor is a Linux kernel security module that allows system administrator to restrict programs' capabilities with per-program profiles. Profiles can allow capabilities like network access, raw socket access, and the permission to read, write, or execute files on matching paths. (wikipedia) 4 | 5 | Note: AppArmor supplements the traditional Unix discretionary access control (DAC) model by providing mandatory access control (MAC). 6 | 7 | 8 | ### AppArmor Modes 9 | 10 | AppArmor works in two different modes 11 | 12 | ***Enforcement*** 13 | 14 | In the enforce mode, system begins enforcing the rules and report the violation attempts in syslog or auditd (only if auditd is installed) and operation will not be permitted. 15 | 16 | ***Complain*** 17 | 18 | In the complain mode, system doesn’t enforce any rules. It will only log the violation attempts. 19 | 20 | 21 | ### Scenario Demo 22 | 23 | - Create two directories for static content 24 | 25 | ``` 26 | $ sudo mkdir -p /data/www/safe 27 | $ sudo mkdir -p /data/www/unsafe 28 | ``` 29 | 30 | - Add a file with below content `sudo vi /data/www/safe/index.html` 31 | 32 | ``` 33 | 34 | Hello! Accessing this file is allowed. 35 | 36 | ``` 37 | 38 | - Add a file with below content `sudo vi /data/www/unsafe/index.html` 39 | 40 | ``` 41 | 42 | Hello! Accessing this file is NOT allowed. It has secrets 43 | 44 | ``` 45 | 46 | - Now let's configure nginx to serve the static content `sudo vi /etc/nginx/nginx.conf` 47 | 48 | ``` 49 | user www-data; 50 | worker_processes 4; 51 | pid /run/nginx.pid; 52 | 53 | events { 54 | worker_connections 768; 55 | } 56 | 57 | http { 58 | sendfile on; 59 | tcp_nopush on; 60 | tcp_nodelay on; 61 | keepalive_timeout 65; 62 | types_hash_max_size 2048; 63 | 64 | include /etc/nginx/mime.types; 65 | default_type application/octet-stream; 66 | 67 | access_log /var/log/nginx/access.log; 68 | error_log /var/log/nginx/error.log; 69 | 70 | gzip on; 71 | gzip_disable "msie6"; 72 | 73 | include /etc/nginx/conf.d/*.conf; 74 | 75 | server { 76 | listen 8080; 77 | location / { 78 | root /data/www; 79 | } 80 | } 81 | } 82 | ``` 83 | 84 | - Save and update the changes by running the below command 85 | 86 | ``` 87 | $ sudo nginx -s reload 88 | ``` 89 | 90 | - Now let's configure apparmor 91 | 92 | ``` 93 | $ cd /etc/apparmor.d/ 94 | $ sudo aa-autodep nginx 95 | ``` 96 | 97 | - The `aa-autodep` command to create a new blank profile. The profile will be created in `/etc/apparmor.d`. 98 | 99 | - Once the profile is created, use aa-complain to put the profile in complain mode. 100 | 101 | ``` 102 | $ sudo aa-complain nginx 103 | ``` 104 | 105 | - Restart nginx service 106 | 107 | ``` 108 | $ sudo service nginx restart 109 | ``` 110 | 111 | - Open a browser, and visit `http://:8080/safe/index.html`. This will trigger the normal entries for accessing the safe website to appear in your Nginx logs. 112 | 113 | - Now we'll use an AppArmor utility to go through the Nginx logs and approve or disapprove each action it finds there. 114 | 115 | ``` 116 | $ sudo aa-logprof 117 | ``` 118 | 119 | - Select which has to allow and which has to deny and save 120 | - You can also edit the profile by `sudo vi /etc/apparmor.d/usr.sbin.nginx` 121 | 122 | ``` 123 | #include 124 | 125 | /usr/sbin/nginx { 126 | #include 127 | #include 128 | #include 129 | 130 | capability setgid, 131 | capability setuid, 132 | 133 | /data/www/safe/* r, 134 | deny /data/www/unsafe/* r, 135 | /etc/group r, 136 | /etc/nginx/conf.d/ r, 137 | /etc/nginx/mime.types r, 138 | /etc/nginx/nginx.conf r, 139 | /etc/nsswitch.conf r, 140 | /etc/passwd r, 141 | /etc/ssl/openssl.cnf r, 142 | /run/nginx.pid rw, 143 | /usr/sbin/nginx mr, 144 | /var/log/nginx/access.log w, 145 | /var/log/nginx/error.log w, 146 | } 147 | ``` 148 | 149 | - The AppArmor Nginx profile is ready. Use the aa-enforce to put the profile in enforce mode. 150 | 151 | ``` 152 | $ sudo aa-enforce nginx 153 | ``` 154 | 155 | - To apply the change restart the services 156 | 157 | ``` 158 | $ sudo /etc/init.d/apparmor reload 159 | $ sudo service nginx restart 160 | ``` 161 | 162 | - You can check the apparmor status by running 163 | 164 | ``` 165 | $ sudo apparmor_status 166 | ``` 167 | 168 | - Go back to the browser and visit `http://:8080/safe/index.html`. You should be able to see the page. Then visit `http://:8080/unsafe/index.html`. 169 | - You can see the error logs 170 | 171 | ``` 172 | $ sudo tail -f /var/log/nginx/error.log 173 | ``` 174 | 175 | - Check out references and resource section for more. --------------------------------------------------------------------------------