Cloud Native Security
Contents
Chris Binnie. Cloud Native Security
Table of Contents
List of Tables
List of Illustrations
Guide
Pages
Cloud Native Security
Introduction
Meeting the Challenge
What Does This Book Cover?
A Few Conventions
Companion Download Files
How to Contact the Publisher
Part I Container and Orchestrator Security
In This Part
CHAPTER 1 What Is A Container?
Common Misconceptions
NOTE
TIP
Container Components
Kernel Capabilities
Other Containers
Summary
CHAPTER 2 Rootless Runtimes
Docker Rootless Mode
Installing Rootless Mode
Running Rootless Podman
Setting Up Podman
Summary
CHAPTER 3 Container Runtime Protection
Running Falco
Configuring Rules
Changing Rules
Macros
Lists
Getting Your Priorities Right
Tagging Rulesets
Outputting Alerts
Summary
CHAPTER 4 Forensic Logging
Things to Consider
Salient Files
Breaking the Rules
Key Commands
The Rules
Parsing Rules
IMMUTABLE RULES
Monitoring
Ordering and Performance
Summary
CHAPTER 5 Kubernetes Vulnerabilities
Mini Kubernetes
Options for Using kube-hunter
Deployment Methods
Scanning Approaches
Hunting Modes
Container Deployment
Inside Cluster Tests
Minikube vs. kube-hunter
WARNING
Getting a List of Tests
Summary
CHAPTER 6 Container Image CVEs
Understanding CVEs
Trivy
Getting Started
TIP
Exploring Anchore
TIP
Clair
Secure Registries
Summary
Part II DevSecOps Tooling
In This Part
CHAPTER 7 Baseline Scanning (or, Zap Your Apps)
Where to Find ZAP
Baseline Scanning
NOTE
NOTE
Scanning Nmap's Host
Adding Regular Expressions
Summary
CHAPTER 8 Codifying Security
Security Tooling
Installation
NOTE
Simple Tests
Example Attack Files
TIP
Summary
CHAPTER 9 Kubernetes Compliance
Mini Kubernetes
Using kube-bench
Troubleshooting
Automation
Summary
CHAPTER 10 Securing Your Git Repositories
Things to Consider
Installing and Running Gitleaks
Installing and Running GitRob
Summary
CHAPTER 11 Automated Host Security
Machine Images
Idempotency
Secure Shell Example
NOTE
Kernel Changes
Summary
CHAPTER 12 Server Scanning With Nikto
Things to Consider
Installation
Scanning a Second Host
Running Options
Command-Line Options
Evasion Techniques
The Main Nikto Configuration File
Summary
Part III Cloud Security
In This Part
CHAPTER 13 Monitoring Cloud Operations
Host Dashboarding with NetData
Installing Netdata
Host Installation
Container Installation
Collectors
Uninstalling Host Packages
Cloud Platform Interrogation with Komiser
Installation Options
Summary
CHAPTER 14 Cloud Guardianship
Installing Cloud Custodian
Wrapper Installation
Python Installation
EC2 Interaction
More Complex Policies
IAM Policies
S3 Data at Rest
NOTE
Generating Alerts
Summary
CHAPTER 15 Cloud Auditing
Runtime, Host, and Cloud Testing with Lunar
Installing to a Bash Default Shell
Execution
Cloud Auditing Against Benchmarks
AWS Auditing with Cloud Reports
Generating Reports
EC2 Auditing
CIS Benchmarks and AWS Auditing with Prowler
Summary
CHAPTER 16 AWS Cloud Storage
Buckets
TIP
Native Security Settings
Automated S3 Attacks
Storage Hunting
Summary
Part IV Advanced Kubernetes and Runtime Security
In This Part
CHAPTER 17 Kubernetes External Attacks
The Kubernetes Network Footprint
Attacking the API Server
NOTE
API Server Information Discovery
Avoiding API Server Information Disclosure
Exploiting Misconfigured API Servers
NOTE
Preventing Unauthenticated Access to the API Server
Attacking etcd
etcd Information Discovery
Exploiting Misconfigured etcd Servers
Preventing Unauthorized etcd Access
Attacking the Kubelet
Kubelet Information Discovery
NOTE
Exploiting Misconfigured Kubelets
Preventing Unauthenticated Kubelet Access
Summary
CHAPTER 18 Kubernetes Authorization with RBAC
Kubernetes Authorization Mechanisms
RBAC Overview
RBAC Gotchas
Avoid the cluster-admin Role
Built-In Users and Groups Can Be Dangerous
Read-Only Can Be Dangerous
Create Pod Is Dangerous
Kubernetes Rights Can Be Transient
Other Dangerous Objects
Auditing RBAC
Using kubectl
Additional Tooling
Rakkess
kubectl-who-can
Rback
Summary
CHAPTER 19 Network Hardening
Container Network Overview
Node IP Addresses
Pod IP Addresses
Service IP Addresses
Restricting Traffic in Kubernetes Clusters
Setting Up a Cluster with Network Policies
Getting Started
WARNING
Allowing Access
Egress Restrictions
Network Policy Restrictions
CNI Network Policy Extensions
Cilium
Calico
Summary
CHAPTER 20 Workload Hardening
Using Security Context in Manifests
General Approach
allowPrivilegeEscalation
Capabilities
privileged
readOnlyRootFilesystem
seccompProfile
Mandatory Workload Security
Pod Security Standards
PodSecurityPolicy
Setting Up PSPs
PSPs and RBAC
PSP Alternatives
Open Policy Agent
Installation
Enforcement Actions
Kyverno
Installation
Operation
Summary
Index
About the Authors
About the Technical Editor
WILEY END USER LICENSE AGREEMENT
Excerpt from the book
Chris Binnie
Rory McCune
.....
root@0237e1ebcc85:/# curl -v http://localhost:80
It works!
And, not straight from the filesystem this time but served over the network using TCP port 80, we see the HTML file saying, “It works!”
.....