Description

Book Synopsis
Explore the latest and most comprehensive guide to securing your Cloud Native technology stack. Cloud Native Security delivers a detailed study into minimizing the attack surfaces found on today's Cloud Native infrastructure. Throughout the work, hands-on examples walk through mitigating threats and the areas of concern that need to be addressed. The book contains the information that professionals need in order to build the diverse mix of niche knowledge required to harden Cloud Native estates. The book begins with more accessible content about understanding Linux containers and container runtime protection before moving on to more advanced subject matter like advanced attacks on Kubernetes. You'll also learn about:

• Installing and configuring multiple types of DevSecOps tooling in CI/CD pipelines
• Building a forensic logging system that can provide exceptional levels of detail, suited to busy containerized estates
• Securing the most popular container orchestrator, Kubernetes
• Hardening c

Table of Contents

Introduction xix

Part I Container and Orchestrator Security 1

Chapter 1 What is a Container? 3

Common Misconceptions 4

Container Components 6

Kernel Capabilities 7

Other Containers 13

Summary 14

Chapter 2 Rootless Runtimes 17

Docker Rootless Mode 18

Installing Rootless Mode 20

Running Rootless Podman 25

Setting Up Podman 26

Summary 31

Chapter 3 Container Runtime Protection 33

Running Falco 34

Configuring Rules 38

Changing Rules 39

Macros 41

Lists 41

Getting Your Priorities Right 41

Tagging Rulesets 42

Outputting Alerts 42

Summary 43

Chapter 4 Forensic Logging 45

Things to Consider 46

Salient Files 47

Breaking the Rules 49

Key Commands 52

The Rules 52

Parsing Rules 54

Monitoring 58

Ordering and Performance 62

Summary 63

Chapter 5 Kubernetes Vulnerabilities 65

Mini Kubernetes 66

Options for Using kube-hunter 68

Deployment Methods 68

Scanning Approaches 69

Hunting Modes 69

Container Deployment 70

Inside Cluster Tests 71

Minikube vs. kube-hunter 74

Getting a List of Tests 76

Summary 77

Chapter 6 Container Image CVEs 79

Understanding CVEs 80

Trivy 82

Getting Started 83

Exploring Anchore 88

Clair 96

Secure Registries 97

Summary 101

Part II DevSecOps Tooling 103

Chapter 7 Baseline Scanning (or, Zap Your Apps) 105

Where to Find ZAP 106

Baseline Scanning 107

Scanning Nmap’s Host 113

Adding Regular Expressions 114

Summary 116

Chapter 8 Codifying Security 117

Security Tooling 117

Installation 118

Simple Tests 122

Example Attack Files 124

Summary 127

Chapter 9 Kubernetes Compliance 129

Mini Kubernetes 130

Using kube-bench 133

Troubleshooting 138

Automation 139

Summary 140

Chapter 10 Securing Your Git Repositories 141

Things to Consider 142

Installing and Running Gitleaks 144

Installing and Running GitRob 149

Summary 151

Chapter 11 Automated Host Security 153

Machine Images 155

Idempotency 156

Secure Shell Example 158

Kernel Changes 162

Summary 163

Chapter 12 Server Scanning With Nikto 165

Things to Consider 165

Installation 166

Scanning a Second Host 170

Running Options 171

Command-Line Options 172

Evasion Techniques 172

The Main Nikto Configuration File 175

Summary 176

Part III Cloud Security 177

Chapter 13 Monitoring Cloud Operations 179

Host Dashboarding with NetData 180

Installing Netdata 180

Host Installation 180

Container Installation 183

Collectors 186

Uninstalling Host Packages 186

Cloud Platform Interrogation with Komiser 186

Installation Options 190

Summary 191

Chapter 14 Cloud Guardianship 193

Installing Cloud Custodian 193

Wrapper Installation 194

Python Installation 195

EC2 Interaction 196

More Complex Policies 201

IAM Policies 202

S3 Data at Rest 202

Generating Alerts 203

Summary 205

Chapter 15 Cloud Auditing 207

Runtime, Host, and Cloud Testing with Lunar 207

Installing to a Bash Default Shell 209

Execution 209

Cloud Auditing Against Benchmarks 213

AWS Auditing with Cloud Reports 215

Generating Reports 217

EC2 Auditing 219

CIS Benchmarks and AWS Auditing with Prowler 220

Summary 223

Chapter 16 AWS Cloud Storage 225

Buckets 226

Native Security Settings 229

Automated S3 Attacks 231

Storage Hunting 234

Summary 236

Part IV Advanced Kubernetes and Runtime Security 239

Chapter 17 Kubernetes External Attacks 241

The Kubernetes Network Footprint 242

Attacking the API Server 243

API Server Information Discovery 243

Avoiding API Server Information Disclosure 244

Exploiting Misconfigured API Servers 245

Preventing Unauthenticated Access to the API Server 246

Attacking etcd 246

etcd Information Discovery 246

Exploiting Misconfigured etcd Servers 246

Preventing Unauthorized etcd Access 247

Attacking the Kubelet 248

Kubelet Information Discovery 248

Exploiting Misconfigured Kubelets 249

Preventing Unauthenticated Kubelet Access 250

Summary 250

Chapter 18 Kubernetes Authorization with RBAC 251

Kubernetes Authorization Mechanisms 251

RBAC Overview 252

RBAC Gotchas 253

Avoid the cluster-admin Role 253

Built-In Users and Groups Can Be Dangerous 254

Read-Only Can Be Dangerous 254

Create Pod is Dangerous 256

Kubernetes Rights Can Be Transient 257

Other Dangerous Objects 258

Auditing RBAC 258

Using kubectl 258

Additional Tooling 259

Rakkess 259

kubectl-who-can 261

Rback 261

Summary 262

Chapter 19 Network Hardening 265

Container Network Overview 265

Node IP Addresses 266

Pod IP Addresses 266

Service IP Addresses 267

Restricting Traffic in Kubernetes Clusters 267

Setting Up a Cluster with Network Policies 268

Getting Started 268

Allowing Access 271

Egress Restrictions 273

Network Policy Restrictions 274

CNI Network Policy Extensions 275

Cilium 275

Calico 276

Summary 278

Chapter 20 Workload Hardening 279

Using Security Context in Manifests 279

General Approach 280

allowPrivilegeEscalation 280

Capabilities 281

privileged 283

readOnlyRootFilesystem 283

seccompProfile 283

Mandatory Workload Security 285

Pod Security Standards 285

PodSecurityPolicy 286

Setting Up PSPs 286

Setting Up PSPs 288

PSPs and RBAC 289

PSP Alternatives 291

Open Policy Agent 292

Installation 292

Enforcement Actions 295

Kyverno 295

Installation 296

Operation 296

Summary 298

Index 299

Cloud Native Security


£24.79


RRP £30.99 – you save £6.20 (20%)


A Paperback / softback by Chris Binnie, Rory McCune


    Publisher: John Wiley & Sons Inc
    Publication Date: 16/09/2021
    ISBN13: 9781119782230, 978-1119782230
    ISBN10: 1119782236
    Also in:
    Cloud computing


    © 2025 Book Curl
