7. Workload Considerations
1. Static Analysis
Clair
Two parts:
1. Service wrapper: HTTP interface, notifier, notification storage
2. ClairCore: downloads vulnerabilities and compares them against the index of the image
3 phases/functions:
1. Download the image layers, scan them and generate an IndexReport
2. Compare the IndexReport with known vulnerabilities
3. Notify about the vulnerability as configured for the notifier
It uses alpine-secdb
Trivy
It retrieves vuln-list
Trivy checks the intermediate layers of the image, not only the final layer
Easy to integrate with CI/CD
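Phase 2 above (Clair's comparison of the IndexReport against the downloaded vulnerability data, and the equivalent step in Trivy) is essentially a version comparison per package per layer. The Python below is an added example, not Clair's or Trivy's code: the layers, package versions, feed entries and vulnerability IDs are constructed placeholders, and the version ordering is a simplification of real apk/dpkg rules.

```python
"""Toy version of Clair's phase 2 (IndexReport vs. vulnerability feed).
Added example, not Clair's or Trivy's code; all packages, layers and IDs are constructed."""
import re


def version_key(version):
    """Comparable key for distro-style versions such as '1.1.1k-r0'.
    Numeric runs compare as integers, anything else as text; a simplification of
    real apk/dpkg ordering, good enough to illustrate the 'older than fixed-in' test."""
    parts = re.split(r"[.\-+~]", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


# Constructed IndexReport: packages found per image layer (hypothetical digests/versions).
INDEX_REPORT = {
    "sha256:layer-aaa": [("openssl", "1.1.1k-r0"), ("busybox", "1.33.1-r3")],
    "sha256:layer-bbb": [("libcurl", "7.79.0-r0"), ("zlib", "1.2.11-r3")],
}

# Constructed feed, shaped loosely like alpine-secdb: package -> [(vuln id, fixed-in)].
# IDs are placeholders, not real advisories.
VULN_FEED = {
    "openssl": [("VULN-PLACEHOLDER-1", "1.1.1l-r0")],
    "libcurl": [("VULN-PLACEHOLDER-2", "7.79.1-r0")],
    "zlib":    [("VULN-PLACEHOLDER-3", "1.2.11-r0")],   # installed build is newer: not affected
}


def match_index_report(report, feed):
    """Return (layer, package, installed, vuln_id) for each package older than its fix."""
    findings = []
    for layer, packages in report.items():
        for name, installed in packages:
            for vuln_id, fixed_in in feed.get(name, []):
                if version_key(installed) < version_key(fixed_in):
                    findings.append((layer, name, installed, vuln_id))
    return findings


if __name__ == "__main__":
    for layer, name, installed, vuln_id in match_index_report(INDEX_REPORT, VULN_FEED):
        print(f"{layer}: {name} {installed} affected by {vuln_id}")
```

Reporting the layer alongside the package is what lets a reviewer trace a finding back to the Dockerfile instruction that introduced it, which is the practical reason both scanners index per layer rather than per final filesystem.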
2. Dynamic Analysis
Linux commands: perf, ftrace
Tracee (eBPF-based): monitors system calls and kernel events.
- It captures: (1) precise timestamp, (2) uts_name, (3) UID, (4) command (COMM), (5) PID, (6) TID/host, (7) return code (RET), (8) event, and (9) arguments.
- At least 3 volume locations are needed: (1) /lib/modules, (2) /usr/src, (3) /tmp/tracee.
Tracee provides in-depth tracing of a container or pod.
Falco (by Sysdig): multiple components (user-space program, configuration, driver) work together to evaluate system calls against rules and generate alerts when a rule is broken:
A rule can reference lists. A list can be part of a macro or of another list, in addition to being part of a rule.
A rule has 5 required k-v pairs: (1) name, (2) description, (3) condition: filtering expression for events, (4) output, (5) priority (emergency, alert, critical, error, warning, notice, informational, debug).
A rule has 4 optional k-v pairs: (1) enabled (default is true), (2) tags (filesystem, software_mgmt, process, database, host, shell, container, cis, users, network); the -T option disables rules with a given tag, the -t option enables them, (3) warn_evttypes (default is true), (4) skip-if-unknown-filter (default is false).
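The following Python ties the two tools together: the events carry the fields Tracee records, and they are evaluated by a miniature Falco-style engine with lists, macros, the five required rule keys, the optional enabled/tags keys, and tag filtering in the spirit of -T/-t. It is an added example, not Falco's or Tracee's code; every event, list, macro and rule is constructed, and conditions are written as Python callables instead of Falco's own condition syntax.

```python
"""Minimal Falco-style rule engine over Tracee-like syscall events.
Added example, not Falco's or Tracee's code; events, lists, macros and rules are constructed."""

PRIORITIES = ["emergency", "alert", "critical", "error", "warning",
              "notice", "informational", "debug"]  # most to least severe

# Constructed events carrying the fields Tracee records (timestamp, uts_name, uid,
# comm, pid, tid, return code, event name, arguments). All values are hypothetical.
EVENTS = [
    {"ts": 1700000000.001, "uts_name": "web-7c9", "uid": 0, "comm": "bash", "pid": 4242,
     "tid": 4242, "ret": 0, "event": "execve", "args": {"pathname": "/bin/bash"}, "container": True},
    {"ts": 1700000000.050, "uts_name": "web-7c9", "uid": 1000, "comm": "nginx", "pid": 17,
     "tid": 17, "ret": 3, "event": "openat", "args": {"pathname": "/etc/shadow"}, "container": True},
    {"ts": 1700000000.090, "uts_name": "host", "uid": 0, "comm": "sshd", "pid": 900,
     "tid": 900, "ret": 0, "event": "execve", "args": {"pathname": "/bin/sh"}, "container": False},
]

# Lists: plain value sets that rules, macros and other lists can reference.
LISTS = {
    "shell_binaries": ["/bin/bash", "/bin/sh", "/bin/zsh"],
    "sensitive_files": ["/etc/shadow", "/etc/sudoers"],
}
LISTS["watched_paths"] = LISTS["shell_binaries"] + LISTS["sensitive_files"]  # a list built from lists

# Macros: named condition fragments reused by rules.
MACROS = {
    "container": lambda e: e["container"],
    "spawned_process": lambda e: e["event"] == "execve" and e["ret"] == 0,
    "open_read": lambda e: e["event"] == "openat" and e["ret"] >= 0,
}


def macro(name, e):
    return MACROS[name](e)


# Rules: the five required keys plus the optional 'enabled' and 'tags'.
RULES = [
    {"name": "Terminal shell in container",
     "description": "A shell binary was executed inside a container",
     "condition": lambda e: macro("container", e) and macro("spawned_process", e)
                            and e["args"]["pathname"] in LISTS["shell_binaries"],
     "output": "Shell spawned in container (user={uid} comm={comm} pod={uts_name})",
     "priority": "warning", "enabled": True, "tags": ["container", "shell"]},
    {"name": "Read sensitive file",
     "description": "A process opened a file from the sensitive_files list",
     "condition": lambda e: macro("open_read", e)
                            and e["args"]["pathname"] in LISTS["sensitive_files"],
     "output": "Sensitive file opened (user={uid} comm={comm} pid={pid})",
     "priority": "error", "enabled": True, "tags": ["filesystem"]},
    {"name": "Shell on host",
     "description": "Disabled by default; enable when host shells should alert",
     "condition": lambda e: not macro("container", e) and macro("spawned_process", e)
                            and e["args"]["pathname"] in LISTS["shell_binaries"],
     "output": "Shell spawned on host (comm={comm})",
     "priority": "notice", "enabled": False, "tags": ["host", "shell"]},
]


def select_rules(rules, disable_tags=(), enable_tags=()):
    """Mimic Falco's -T (drop rules carrying a tag) and -t (keep only rules carrying a tag)."""
    chosen = []
    for r in rules:
        if not r.get("enabled", True):          # 'enabled' defaults to true
            continue
        if any(t in r["tags"] for t in disable_tags):
            continue
        if enable_tags and not any(t in r["tags"] for t in enable_tags):
            continue
        chosen.append(r)
    return chosen


def evaluate(events, rules):
    """Return one alert per (event, matching rule), ordered by event timestamp."""
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        for r in rules:
            if r["condition"](e):
                alerts.append({"priority": r["priority"], "rule": r["name"],
                               "output": r["output"].format(**e)})
    return alerts


def at_least(alerts, priority):
    """Keep alerts at the given priority or more severe (lower index in PRIORITIES)."""
    cutoff = PRIORITIES.index(priority)
    return [a for a in alerts if PRIORITIES.index(a["priority"]) <= cutoff]


if __name__ == "__main__":
    for a in evaluate(EVENTS, select_rules(RULES)):
        print(a["priority"].upper(), a["rule"], "->", a["output"])
```

The third rule shows why the `enabled` default matters operationally: a rule shipped disabled produces nothing until someone turns it on, so a quiet rule set is not evidence that nothing is happening on the host.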
initContainer-based approach
Insert an initContainer using a dynamic admission controller.
The initContainer added to the pod spec contains the scan/verification tool.
Only if the initContainer exits with code zero is the rest of the pod spec passed to the container engine for execution.
Example: cloud security tools by TrendMicro.
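What the mutating admission controller actually returns is an AdmissionReview response carrying a JSON Patch, and the "exit zero" gate comes for free from the kubelet, which runs initContainers in order and starts no app container until each has exited 0. The Python below builds that response and shows the patch applied; it is an added example, not TrendMicro's or any vendor's code, and the scanner image, request UID and container images are placeholders.

```python
"""Mutating-admission response that injects an image-scanning initContainer.
Added example, not TrendMicro's or any vendor's code; image names, UIDs and paths are placeholders."""
import base64
import copy
import json

# Hypothetical scanner image; a real deployment would pin an immutable digest.
SCANNER_IMAGE = "registry.example.com/scanner:PLACEHOLDER_TAG"


def scan_init_container(pod):
    """initContainer that verifies the pod's images; a non-zero exit keeps app containers from starting."""
    images = [c["image"] for c in pod["spec"]["containers"]]
    return {
        "name": "image-scan",
        "image": SCANNER_IMAGE,
        "args": ["verify", *images],
        "securityContext": {"allowPrivilegeEscalation": False,
                            "readOnlyRootFilesystem": True, "runAsNonRoot": True},
    }


def build_patch(pod):
    """RFC 6902 JSON Patch that puts the scan initContainer first in spec.initContainers."""
    init = scan_init_container(pod)
    if "initContainers" not in pod["spec"]:
        return [{"op": "add", "path": "/spec/initContainers", "value": [init]}]
    # Index 0 inserts at the front; the kubelet runs initContainers strictly in order.
    return [{"op": "add", "path": "/spec/initContainers/0", "value": init}]


def apply_patch(pod, patch):
    """Apply the two 'add' shapes build_patch emits to a copy of the pod (for verification)."""
    out = copy.deepcopy(pod)
    for op in patch:
        last = op["path"].rsplit("/", 1)[1]
        if last.isdigit():
            out["spec"]["initContainers"].insert(int(last), op["value"])
        else:
            out["spec"]["initContainers"] = op["value"]
    return out


def admission_response(review):
    """AdmissionReview response carrying the base64-encoded patch the API server applies."""
    pod = review["request"]["object"]
    patch = build_patch(pod)
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "response": {
            "uid": review["request"]["uid"],
            "allowed": True,
            "patchType": "JSONPatch",
            "patch": base64.b64encode(json.dumps(patch).encode()).decode(),
        },
    }


def decode_patch(response):
    """Reverse the encoding so the patch can be inspected or applied."""
    return json.loads(base64.b64decode(response["response"]["patch"]))


# Constructed AdmissionReview request for a pod without initContainers.
REVIEW = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {
        "uid": "00000000-0000-0000-0000-000000000000",   # placeholder
        "object": {"apiVersion": "v1", "kind": "Pod",
                   "metadata": {"name": "web", "namespace": "prod"},
                   "spec": {"containers": [{"name": "web", "image": "nginx:PLACEHOLDER_TAG"}]}},
    },
}

if __name__ == "__main__":
    resp = admission_response(REVIEW)
    print(json.dumps(apply_patch(REVIEW["request"]["object"], decode_patch(resp)), indent=2))
```

Inserting at index 0 rather than appending matters when the pod already has initContainers of its own: the scan must run before any workload-supplied init step, otherwise that step executes on unverified images.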
3. Immutable container
Check periodically as part of security scanning.
Verify:
* Does the container have a read/write file system?
* Can the container elevate privileges?
* other such features.
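The checks above map onto a handful of securityContext fields and the volume mounts, so they can be run against a Pod spec directly. The Python below is an added example, not from any scanning product; both pod specs are constructed, and the tolerance for a writable emptyDir scratch mount is a design choice of this example, because a read-only root filesystem usually still needs somewhere writable such as /tmp.

```python
"""Audit a Pod spec for the immutable-container properties listed above.
Added example, not from any scanning product; both pod specs are constructed."""


def container_findings(container, pod_sc):
    """Problems for one container; container securityContext overrides pod-level settings."""
    sc = {**pod_sc, **container.get("securityContext", {})}
    problems = []
    if not sc.get("readOnlyRootFilesystem", False):
        problems.append("root filesystem is writable")
    if sc.get("allowPrivilegeEscalation", True):   # Kubernetes defaults this to true
        problems.append("privilege escalation allowed")
    if sc.get("privileged", False):
        problems.append("privileged container")
    if not sc.get("runAsNonRoot", False):
        problems.append("may run as root")
    return problems


def audit_pod(pod):
    """Map container name -> findings for every initContainer and container."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    # volume name -> type ("emptyDir", "hostPath", "configMap", ...)
    vol_type = {v["name"]: next(k for k in v if k != "name") for v in spec.get("volumes", [])}
    report = {}
    for c in spec.get("initContainers", []) + spec["containers"]:
        problems = container_findings(c, pod_sc)
        for m in c.get("volumeMounts", []):
            if not m.get("readOnly", False):
                problems.append(f"writable mount {m['mountPath']} ({vol_type.get(m['name'], 'unknown')})")
        report[c["name"]] = problems
    return report


def is_immutable(pod):
    """True if the only findings are writable emptyDir scratch mounts (e.g. /tmp)."""
    return all(p.startswith("writable mount") and p.endswith("(emptyDir)")
               for problems in audit_pod(pod).values() for p in problems)


# Constructed: a typical unhardened pod.
BAD_POD = {"spec": {
    "volumes": [{"name": "data", "hostPath": {"path": "/var/lib/app"}}],
    "containers": [{"name": "app", "image": "app:PLACEHOLDER",
                    "volumeMounts": [{"name": "data", "mountPath": "/data"}]}],
}}

# Constructed: the same workload with an immutable root filesystem and a scratch emptyDir.
GOOD_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True},
    "volumes": [{"name": "scratch", "emptyDir": {}},
                {"name": "data", "hostPath": {"path": "/var/lib/app"}}],
    "containers": [{"name": "app", "image": "app:PLACEHOLDER",
                    "securityContext": {"readOnlyRootFilesystem": True,
                                        "allowPrivilegeEscalation": False},
                    "volumeMounts": [{"name": "scratch", "mountPath": "/tmp"},
                                     {"name": "data", "mountPath": "/data", "readOnly": True}]}],
}}

if __name__ == "__main__":
    for name, pod in (("BAD_POD", BAD_POD), ("GOOD_POD", GOOD_POD)):
        print(name, "immutable:", is_immutable(pod), audit_pod(pod))
```

Running this on a schedule against the live API (rather than only at admission) is what the "check periodically" advice amounts to: a pod that was compliant when created can be replaced by a patched Deployment that is not.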
1. SELinux: Debian, RH, SUSE
* SELinux meets the Common Criteria and FIPS standards. It has granular settings based on user, role, category, sensitivity level, etc.
2. AppArmor: Debian, SUSE
* AppArmor is simpler and less complete.
3. Smack (Simplified Mandatory Access Control Kernel): used with Yocto Linux and Automotive Grade Linux.
4. TOMOYO (by NTT Data Corporation): pathname-based MAC (Mandatory Access Control).
Use only one of these tools rather than cascading several, so there is no confusion about which tool is responsible for a decision.
5. seccomp: Linux kernel feature. In its first iteration (mode 1) the only allowed system calls were read, write, exit and sigreturn. With mode 2, a BPF/eBPF filter determines which system calls are allowed.
In K8s, seccomp is used for (1) syscall auditing and (2) denial of disallowed calls; a pod whose process makes a denied call fails and enters the CrashLoopBackOff state.
spec:
  securityContext:
    seccompProfile:
      type: Localhost
      localhostProfile: profiles/audit.json
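The profile the pod spec points at is a JSON file under the kubelet's seccomp root, and the two Kubernetes uses named above (auditing, denial) correspond to two different defaultAction values. The Python below generates both and simulates the filter's decision, so an audit log can be checked against a candidate allow-list before a workload is switched to a denying profile; it is an added example, not Kubernetes or kernel code, and the syscall lists are illustrative rather than a recommended allow-list.

```python
"""Two seccomp profiles for the two Kubernetes uses described above: auditing and denial.
Added example, not Kubernetes or kernel code; the allow-list is illustrative, not a recommendation."""
import json

# The only calls seccomp mode 1 permitted; shown here as the smallest possible allow-list.
MODE1_SET = ["read", "write", "exit", "sigreturn"]


def audit_profile():
    """Nothing is blocked; every syscall is logged, so the log reveals what a workload needs."""
    return {"defaultAction": "SCMP_ACT_LOG", "architectures": ["SCMP_ARCH_X86_64"]}


def allowlist_profile(allowed):
    """Only 'allowed' passes; anything else fails with an errno, which is what crashes a pod
    whose process relies on a call left off the list."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64"],
        "syscalls": [{"names": sorted(set(allowed)), "action": "SCMP_ACT_ALLOW"}],
    }


def decide(profile, syscall):
    """Simulate the filter's decision for one syscall name under a profile."""
    for rule in profile.get("syscalls", []):
        if syscall in rule["names"]:
            return rule["action"]
    return profile["defaultAction"]


def blocked_calls(profile, observed):
    """Calls from an audit log that the allow-list profile would deny; run this before switching
    a workload from audit.json to a denying profile."""
    return sorted(c for c in set(observed) if decide(profile, c) == "SCMP_ACT_ERRNO")


def write_profile(path, profile):
    """Write under the kubelet's seccomp root (default /var/lib/kubelet/seccomp); the pod's
    localhostProfile is then the path relative to that root, e.g. profiles/audit.json."""
    with open(path, "w") as f:
        json.dump(profile, f, indent=2)


# Constructed syscall names, as an audit run might log them for a small binary.
OBSERVED = ["read", "write", "openat", "mmap", "exit_group", "read"]

if __name__ == "__main__":
    print(json.dumps(audit_profile(), indent=2))
    print("would be denied:", blocked_calls(allowlist_profile(MODE1_SET), OBSERVED))
```

SCMP_ACT_LOG needs a kernel with seccomp logging support (4.14 or later); on older kernels an "audit" profile must be built from SCMP_ACT_ALLOW entries instead, which logs nothing and so reveals nothing.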