20 Docker security tools compared

Source:- sysdig.com

There are quite a few Docker security tools in the ecosystem, how do they compare? This is a comprehensive list of Docker security tools that can help you implement some of the container security best practices.

Is Docker insecure? Not at all. Actually features like process isolation with user namespaces, resource encapsulation with cgroups, immutable images and shipping the minimal software and dependencies reduce the attack vector providing a great deal of protection. But, is there anything else we can do? There is much more than image vulnerability scanning and these are 20 container and Docker specific security tools that can help.

Anchore Navigator

anchore navigator

Homepage: https://anchore.io/

License: Commercial, some services are free to use.

Use Cases: Pre-production analysis, vulnerability newsfeed.

Anchore Navigator provides a free service for deep inspection of public Docker images. You can also explore their rich repository of dissected public images for full visibility of its content, build process, and discovered CVE threats together with a link with the issue complete description and known fixes.

Using this tool you can perform a deep analysis of your own images and subscribe to the images you frequently use for your deployments to receive security warnings when upgrading to the commercial version.

AppArmor

apparmor

Homepage: http://wiki.apparmor.net

License: Open Source.

Use Cases: Runtime protection, Mandatory Access Control (MAC).

AppArmor lets the administrator assign a security profile to each program in your system: filesystem access, network capabilities, link and execute rules, etc.

It’s a Mandatory Access Control (or MAC) system, meaning that it will prevent the forbidden action from taking place, although it can also report profile violation attempts.

AppArmor it’s sometimes considered a more accessible and simplified version of SELinux, both are closely related. You only need to learn the profile language syntax and fire your favorite editor to start writing your own AppArmor rules.

Docker context: Docker can automatically generate and load a default AppArmor profile for containers named docker-default. You can create specific security profiles for your containers or the applications inside them.

 

AquaSec

aquasec

Homepage: https://www.aquasec.com/

License: Commercial.

Use Cases: Pre-production analysis, runtime protection, compliance & audit, etc.

AquaSec is a commercial security suite designed with containers in mind. Security audit, container image verification, runtime protection, automated policy learning or intrusion prevention capabilities are some of the most relevant features.

AquaSec supports orchestration tools like Docker Swarm, Mesos, Kubernetes or OpenShift. The platform provides programmatic access to its API and can be deployed both locally or in the public cloud.

 

BlackDuck Docker Security

blackduck

Homepage:https://www.blackducksoftware.com

License: Commercial.

Use Cases: Pre-production analysis, vulnerability newsfeed, license/legal risks.

Black Duck Hub specializes in container inventory and reporting image inventory, mapping known security vulnerabilities to images indexes and cross project risk reports. You can easily pinpoint the specific libraries, software packages or binaries that are causing the security risk and the assistant will automatically offer you a list of known fixes.

As opposed to similar solutions, Black Duck Hub also analyzes the “License Risk” considering the different software licences that you are currently bundling together to build your containerized distributed system.

 

Cilium

cilium

Homepage: https://www.cilium.io/

License: Open Source.

Use Cases: HTTP-layer network security, network-layer security.

Cilium provides transparent network security between container applications. Based on a new Linux kernel technology called eBPF, allows to define and enforce both network-layer and HTTP-layer security policies based on container/pod identity.

Cilium leverages BPF to perform core data path filtering, mangling, monitoring and redirection. These BPF capabilities are available in any Linux kernel version 4.8.0 or newer.

 

CoreOS Clair

clair

Homepage:https://coreos.com/clair/docs/latest/

License: Open Source.

Use Cases: Pre-production analysis, vulnerability newsfeed.

Clair is an open source project for the static analysis of vulnerabilities in containers (currently supporting AppC and Docker). Clair periodically refreshes its vulnerability database from a set of configured CVE sources, scrubs the available container images and indexes the installed software packages. If any insecure software is detected, it can alert or block deployment to production.

Since Clair image analysis is static, containers never need to be actually executed, so you can detect a security threat before is already running in your systems. Clair is the security engine used internally for the CoreOS Quay container registry.

Docker capabilities and resource quotas

docker

Homepage: https://www.docker.com

License: Open Source.

Use Cases: Runtime protection, resource DoS protection.

We shouldn’t forget the basic security measures that come already bundled with our OS and the Docker engine.

Resource abuse and denial of service is an often overlooked but very real security problem in a containerized environment with vast amounts of software entities competing for the host resources.

Control Groups (cgroups) is a feature of the Linux kernel that allows you to limit the access processes and containers have to system resources such as CPU, RAM, IOPS and network.

Capabilities allows you to break down the full root permissions into several split permissions, this way you can remove specific capabilities from the root account or augment the capabilities of user accounts at a more granular level.

 

Docker-bench security

docker-bench

Homepage:https://github.com/docker/docker-bench-security

License: Open Source.

Use Cases: Compliance & audit.

The Docker Bench for Security is a meta-script that checks for dozens of common best-practices around deploying Docker containers in production.

This script is conveniently packaged as a Docker container, just copying and pasting the docker run one-liner from its homepage you can instantly see the results of ~250 checks for your running Docker containers and the host running the Docker engine (Docker CE or Docker Swarm). Docker Bench tests are inspired by the CIS Docker Community Edition Benchmark v1.1.0.

Dockscan

dockscan

Homepage:https://github.com/kost/dockscan

License: Open Source.

Use Cases: Compliance & audit.

A simple ruby script that analyzes the Docker installation and running containers, both for local and remote hosts.

It’s easy to install and run with just one command and can generate HTML report files. Dockscan reports configured resource limits, containers spawning too many processes or with a high number of modified files, or if your Docker host is allowing containers to directly forward traffic to the host gateway, to name a few checks.

 

Falco

falco

Homepage: https://www.sysdig.org/falco/

License: Open Source.

Use Cases: Runtime alerting, forensics.

Sysdig Falco is an open source, behavioral monitoring software designed to detect anomalous activity based on the Sysdig monitoring technology. Sysdig Falco works as a intrusion detection system on any Linux host.

Falco is an auditing tool as opposed to enforcement tools like Seccomp or AppArmor. It runs in user space, using a kernel module to intercept system calls, while other similar tools perform system call filtering/monitoring at the kernel level. One of the benefits of a user space implementation is being able to integrate with external systems like Docker, Docker Swarm, Kubernetes, Mesos, etc and import its resources knowledge and tags.

Docker context: Falco supports container-specific context for its rules. Using this tool you can monitor the containers behaviour without instrumenting or modifying them in any way. Custom rule creation is very easy to grasp and the default rules file comes prepopulated with sane defaults.

 

HashiCorp Vault

vault

Homepage: https://www.vaultproject.io/

License: Free with enterprise version.

Use Cases: Secure container-aware credentials storage, trust management.

Hashicorp’s Vault is an advanced suite for managing secrets: Passwords, SSL/TLS certificates, API keys, access tokens, SSH credentials, etc. It supports time-based secret leases, fine-grained secret access, on-the-fly generation of new secrets, key rolling (renewing keys without losing access to secrets generated using the old one) and much more.

Vaults keeps a detailed audit log to keep track of all the secrets and the access and manipulations performed by each user/entity, so operators can easily trace any suspicious interaction.

Docker context: The secure distribution and traceability of secrets is a core concern in the new microservices and containerized environments, where software entities are constantly spawned and deleted. Vault itself can be deployed as a Docker container.

 

NeuVector

neuvector

Homepage: http://neuvector.com/

License: Commercial.

Use Cases: Runtime protection, compliance & audit.

NeuVector focuses on real-time security protection at runtime. Automatically discovers behavior of applications, containers, and services, detects security escalations and other related threats in a similar fashion to other Linux IDS. NeuVector privileged ‘enforcer’ containers are deployed on each physical host, with full access to the local Docker daemon, apart from that, the internal technology used by NeuVector is not thoroughly detailed in the publicly accessible documentation.

NeuVector aims to be a non-intrusive, plug&play security suite, performing automatic discovery of running containers and their default behavior to assist and counsel the operators in the design of their infrastructure security profiles.

 

Notary

notary

Homepage:https://github.com/docker/notary

License: Open Source

Use Cases: Trusted image repository, trust management and verifiability.

Image forgery and tampering is one major security concern for Docker-based deployments. Notary is a tool for publishing and managing trusted collections of content. You can approve trusted published and create signed collections, in a similar way to the software repository management tools present in modern Linux systems, but for Docker images.

Some of Notary goals include guaranteeing image freshness (most up to date content, to avoid known vulnerabilities), trust delegation between users or trusted distribution over untrusted mirrors or transport channels.

 

OpenSCAP

openscap

Homepage: https://www.open-scap.org/

License: Open Source.

Use Cases: Compliance & audit, certification

OpenSCAP provides a suite of automated audit tools to examine the configuration and known vulnerabilities in your software, following the NIST-certified Security Content Automation Protocol (SCAP).

You can create your own custom assertions and rules and routinely check that any software deployed in your organization strictly abides.

These set of tools is not only focused on the security itself, but also on providing the formal tests and reports that you may need to meet an official security standard.

Docker context: The OpenSCAP suite provides a Docker-specific tool oscap-docker to audit your images, assessing both running containers and cold images.

 

REMnux

remnux

Homepage: https://remnux.org/

License: Open Source.

Use Cases: Forensics.

A security oriented distribution based on Ubuntu. REMnux is a free Linux toolkit for assisting malware analysts with reverse-engineering malicious software, commonly known as forensics. As you can guess, this system bundles a vast amount of pre installed analysis and security tools: Wireshark, ClamAV, tcpextract, Rhino debugger, Sysdig, vivisect… just to name a few.

REMnux aims to be swiss knife that you carry around in a usb memory in case you suspect any of your systems have been compromised.

Docker context: The REMnux project conveniently provides several of its integrated security tools as Docker containers, so you can instantly launch difficult-to-install security applications when you most need them.

 

SELinux

selinux

Homepage: https://selinuxproject.org

License: Open Source.

Use Cases: Runtime protection, Mandatory Access Control (MAC).

Security-Enhanced Linux (SELinux) is a Linux kernel security module. It is often compared with AppArmor, and it’s also a Mandatory Access Control system. SELinux provides security capabilities from mandatory access controls to mandatory integrity controls, role-based access control (RBAC) and type enforcement architecture.

SELinux has a reputation of being particularly complex but powerful, fine-grained and flexible.

Docker context: Similarly to AppArmor, SELinux offers an extra layer of access policies and isolation between the host and the containerized apps.

 

Seccomp

seccomp

Homepage: https://www.kernel.org

License: Open Source.

Use Cases: Runtime protection, Mandatory Access Control (MAC).

Seccomp is not so much a tool but rather a sandboxing facility in the Linux kernel. You can think of it as an iptables rules-based firewall but for system calls. It uses Berkeley Packet Filter (BPF) rules to filter syscalls and control how they are handled.

With Seccomp you can selectively choose which syscalls are forbidden/allowed to each container. For example, you can forbid file-permissions manipulations inside your container.

You may have noticed the similarities with Falco, both are closely related to the Linux Syscall API. This articlecompares these two (with AppArmor and SELinux) solutions. TL;DR: Unlike the others, Falco integrates rich high level container specific context to build rules.

Docker context: Docker has used Seccomp since version 1.10 of the Docker Engine, Docker has its own JSON-based DSL that allows you to define profiles that will be compiled to seccomp filters.

 

Sysdig

sysdig

Homepage: https://www.sysdig.org/

License: Open source, commercial products built on top of the free technology.

Use Cases: Anomalous behaviour debugging, forensics.

Sysdig is a full-system exploration, troubleshooting and debugging tool for Linux systems. It records all system calls made by any process, allowing system administrators to find bugs in the operating system or any processes running on it.

Sysdig has a command line interface with a syntax similar to tcpdump and a ncurses interface to visually navigate and filter through the events, in a similar fashion to htop or wireshark. The system call capture files allows you to perform forensics on your containers even if they are long gone.

 

Tenable Flawcheck

flawcheck

Homepage:https://www.tenable.com/flawcheck

License: Commercial.

Use Cases: Pre-production analysis, vulnerability newsfeed.

Tenable, the company perhaps best know for Nessus, the security scanner, acquired Flawcheck, a specific container-focused security solution.

FlawCheck, like other commercial tools in this list, stores container images and scans them as they’re built, before they can reach production. FlawCheck leverages Tenable/Nessus know-how and database of vulnerabilities, malware and intrusion vectors and adapts it to containerized and agile CI/CD environments.

 

Twistlock

twistlock

Homepage: https://www.twistlock.com/

License: Commercial.

Use Cases: Pre-production analysis, runtime protection, compliance & audit, etc.

A commercial security suite built to support containerized environments: vulnerability management, access control, analytics and forensics to security standards compliance.

Twistlock integrates with your continuous integration / continuous delivery pipeline, providing native plugins for popular tools like Jenkins or TeamCity and callable webhooks, so you can trigger the indexing and scanning process for every build and testing environment.

Leave a Reply