Audit your Dockerfile with Conftest

Hi!

In this article, I will show you how you can audit your Dockerfile with Conftest.

Conftest helps you write tests against structured configuration data: with it you can write tests for your Kubernetes configuration, Terraform code, Serverless configs or any other config file.

For this blog post, we will write Conftest policies in Rego to audit a Dockerfile. In this Dockerfile, I have included a few bad practices and security weaknesses:

  • Hardcoded tokens
  • Use of the ADD command where COPY should be used
  • Usage of sudo

Here is the Dockerfile:
FROM ubuntu:latest
LABEL MAINTAINER "Maxime"

ENV SECRET AAAAAAAAAAAAAAAAAAA
ENV GITLAB_API_ID aaaaaaaaaaaaaaaaaaaaaaaaaaaaa

WORKDIR /app

ADD app /app
COPY README.md /app/README.md
ADD code /tmp/code
RUN sudo apt-get update

RUN apt-get update && apt-get install -y htop

CMD ["/bin/bash", "/app/entrypoint.sh"]

Now, we will write a security policy that detects the weaknesses listed above. Each deny rule walks the parsed Dockerfile instructions (input[i].Cmd is the instruction name in lower case, input[i].Value its arguments) and emits a message when it matches:

package main

suspicious_env_keys = [
    "passwd",
    "password",
    "secret",
    "key",
    "access",
    "api_key",
    "apikey",
    "token",
]


# Looking for suspicious environment variables (key or value containing one of the substrings above)
deny[msg] {
    input[i].Cmd == "env"
    val := input[i].Value
    contains(lower(val[_]), suspicious_env_keys[_])
    msg = sprintf("Suspicious ENV key found: %s", [val])
}

# Looking for ADD commands where COPY should be used
deny[msg] {
    input[i].Cmd == "add"
    val := concat(" ", input[i].Value)
    msg = sprintf("Use COPY instead of ADD: %s", [val])
}

# sudo usage
deny[msg] {
    input[i].Cmd == "run"
    val := concat(" ", input[i].Value)
    contains(lower(val), "sudo")
    msg = sprintf("Avoid using 'sudo' command: %s", [val])
}

Install Conftest (https://www.conftest.dev/install/), save the policy as a .rego file in a policy directory next to the Dockerfile (Conftest reads ./policy by default), and run the analysis with the following command:

conftest test Dockerfile
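To make the matching logic visible without installing Conftest, here is an added example in plain Python (my own code, not Conftest code and not the post's policy). It parses the Dockerfile into the same list of {"Cmd", "Value"} records that Conftest's Dockerfile parser hands to Rego as input (an assumption about the parser's output shape; check it against your Conftest version) and applies the same three rules. The sample Dockerfile embedded in it is constructed for the example and mirrors the one above, with one line continuation added to exercise the parser.

```python
"""Dockerfile audit in plain Python, mirroring the three Rego deny rules."""
import json
import shlex

# Constructed sample, modelled on the Dockerfile in the post (not the post's file).
SAMPLE_DOCKERFILE = """\
FROM ubuntu:latest
LABEL MAINTAINER "Maxime"

ENV SECRET AAAAAAAAAAAAAAAAAAA
ENV GITLAB_API_ID aaaaaaaaaaaaaaaaaaaaaaaaaaaaa

ADD app /app
COPY README.md /app/README.md
ADD code /tmp/code
RUN sudo apt-get update

RUN apt-get update && \\
    apt-get install -y htop

CMD ["/bin/bash", "/app/entrypoint.sh"]
"""

# Same substring list as the Rego policy.
SUSPICIOUS_ENV_KEYS = [
    "passwd", "password", "secret", "key", "access", "api_key", "apikey", "token",
]

# Instructions whose shell form is kept as one string (the whole command line).
SHELL_FORM = {"run", "cmd", "entrypoint"}


def parse_dockerfile(text):
    """Return [{"Cmd": "from", "Value": ["ubuntu:latest"]}, ...].

    Assumption: this flat command list is the shape Conftest exposes as `input`.
    Handles comments, blank lines, backslash continuations and JSON exec form.
    """
    commands = []
    pending = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):  # continuation: keep collecting the logical line
            pending.append(line[:-1].strip())
            continue
        pending.append(line)
        logical = " ".join(pending)
        pending = []
        cmd, _, rest = logical.partition(" ")
        cmd, rest = cmd.lower(), rest.strip()
        if rest.startswith("["):  # exec form: CMD ["/bin/sh", "-c", "..."]
            value = json.loads(rest)
        elif cmd in SHELL_FORM:  # shell form: one string, like Rego's concat(" ", ...)
            value = [rest]
        else:  # ENV / ADD / COPY / ...: whitespace-separated tokens
            value = shlex.split(rest)
        commands.append({"Cmd": cmd, "Value": value})
    return commands


def deny_suspicious_env(commands):
    """Rule 1: flag an ENV whose key or value contains a suspicious substring."""
    msgs = []
    for c in commands:
        if c["Cmd"] != "env":
            continue
        tokens = [t.lower() for t in c["Value"]]
        if any(key in tok for tok in tokens for key in SUSPICIOUS_ENV_KEYS):
            msgs.append("Suspicious ENV key found: " + " ".join(c["Value"]))
    return msgs


def deny_add(commands):
    """Rule 2: flag every ADD; COPY is the more predictable instruction."""
    return ["Use COPY instead of ADD: " + " ".join(c["Value"])
            for c in commands if c["Cmd"] == "add"]


def deny_sudo(commands):
    """Rule 3: flag RUN lines that invoke sudo (substring match, as in the Rego)."""
    msgs = []
    for c in commands:
        if c["Cmd"] == "run":
            val = " ".join(c["Value"])
            if "sudo" in val.lower():
                msgs.append("Avoid using 'sudo' command: " + val)
    return msgs


def audit(commands):
    """All findings in rule order (Rego's `deny` set, flattened to a list)."""
    return deny_suspicious_env(commands) + deny_add(commands) + deny_sudo(commands)


if __name__ == "__main__":
    for finding in audit(parse_dockerfile(SAMPLE_DOCKERFILE)):
        print("FAIL -", finding)
```

On the sample it reports four findings: the SECRET variable, both ADD lines and the sudo line. Two caveats carry over from the Rego rules and are worth knowing before wiring this into a pipeline: GITLAB_API_ID is not caught, because no entry in the list matches "api_id", so extend the list to the naming conventions your teams actually use; and plain substring matching also fires on innocent text (a variable named MONKEY contains "key"), so review findings rather than failing builds blindly.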

Maxime.

Azure Security Benchmark (v3)

Hi!

At Ignite in November 2021, Microsoft released a new version of the Azure Security Benchmark (v3).

The Azure Security Benchmark (ASB) provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure. This benchmark is part of a set of holistic security guidance that also includes:

The Azure Security Benchmark focuses on cloud-centric control areas. These controls are consistent with well-known security benchmarks, such as those described by the Center for Internet Security (CIS) Controls, National Institute of Standards and Technology (NIST), and Payment Card Industry Data Security Standard (PCI-DSS).

Here’s what’s new in the Azure Security Benchmark v3:

  • Mappings to the industry frameworks PCI-DSS v3.2.1 and CIS Controls v8 have been added, in addition to the existing mappings to CIS Controls v7.1 and NIST SP800-53 Rev4.
  • The control guidance has been refined to be more granular and actionable: security guidance is now divided into two separate parts, Security Principle and Azure Guidance. The Security Principle is the "what", explaining the control at a technology-agnostic level; the Azure Guidance is the "how", elaborating on the relevant technical features and ways to implement the control in Azure.
  • New controls have been added, e.g. DevOps Security as a new control family, which also covers topics such as threat modeling and software supply chain security. Key and certificate management was introduced to recommend key and certificate management best practices in Azure.

You can download the Azure Security Benchmark in spreadsheet format.

Maxime.

New alerts for Microsoft Defender for Kubernetes

Hi!

To expand the threat protections provided by Microsoft Defender for Kubernetes, we’ve added two preview alerts.

Alert (alert type): Anomalous pod deployment (Preview) (K8S_AnomalousPodDeployment)
Description: Kubernetes audit log analysis detected a pod deployment that is anomalous compared with previous pod deployment activity. The activity is considered an anomaly when taking into account how the different features seen in the deployment operation relate to one another. The features monitored by this analytic include the container image registry used, the account performing the deployment, the day of the week, how often this account performs pod deployments, the user agent used in the operation, whether this is a namespace in which pod deployments occur often, and other features. The top contributing reasons for raising this alert as anomalous activity are detailed under the alert's extended properties.
MITRE tactic: Execution
Severity: Medium

Alert (alert type): Excessive role permissions assigned in Kubernetes cluster (Preview) (K8S_ServiceAcountPermissionAnomaly)
Description: Analysis of the Kubernetes audit logs detected an excessive-permissions role assignment to your cluster. From examining role assignments, the listed permissions are uncommon for the specific service account. This detection considers previous role assignments to the same service account across clusters monitored by Azure, the volume per permission, and the impact of the specific permission. The anomaly detection model used for this alert takes into account how this permission is used across all clusters monitored by Azure Defender.
MITRE tactic: Privilege Escalation
Severity: Low

For a full list of the Kubernetes alerts, see Alerts for Kubernetes clusters.

Maxime.