
Cloud Native Security




1st edition

by: Chris Binnie, Rory McCune

25,99 €

Publisher: Wiley
Format: PDF
Published: 17.06.2021
ISBN/EAN: 9781119824534
Language: English
Number of pages: 336

DRM-protected eBook; to read it you need, for example, Adobe Digital Editions and an Adobe ID.

Descriptions

<p><b>Explore the latest and most comprehensive guide to securing your Cloud Native technology stack</b></p> <p><i>Cloud Native Security</i> delivers a detailed study into minimizing the attack surfaces found on today's Cloud Native infrastructure. Throughout the work hands-on examples walk through mitigating threats and the areas of concern that need to be addressed. The book contains the information that professionals need in order to build a diverse mix of the niche knowledge required to harden Cloud Native estates.</p> <p>The book begins with more accessible content about understanding Linux containers and container runtime protection before moving on to more advanced subject matter like advanced attacks on Kubernetes. You'll also learn about:</p> <ul> <li>Installing and configuring multiple types of DevSecOps tooling in CI/CD pipelines</li> <li>Building a forensic logging system that can provide exceptional levels of detail, suited to busy containerized estates</li> <li>Securing the most popular container orchestrator, Kubernetes</li> <li>Hardening cloud platforms and automating security enforcement in the cloud using sophisticated policies</li> </ul> <p>Perfect for DevOps engineers, platform engineers, security professionals and students, <i>Cloud Native Security</i> will earn a place in the libraries of all professionals who wish to improve their understanding of modern security challenges.</p>
<p>Introduction</p> <p><b>Part I Container and Orchestrator Security</b></p> <p><b>Chapter 1 What is a Container?</b></p> <p>Common Misconceptions</p> <p>Container Components</p> <p>Kernel Capabilities</p> <p>Other Containers</p> <p>Summary</p> <p><b>Chapter 2 Rootless Runtimes</b></p> <p>Docker Rootless Mode</p> <p>Installing Rootless Mode</p> <p>Running Rootless Podman</p> <p>Setting Up Podman</p> <p>Summary</p> <p><b>Chapter 3 Container Runtime Protection</b></p> <p>Running Falco</p> <p>Configuring Rules</p> <p>Changing Rules</p> <p>Macros</p> <p>Lists</p> <p>Getting Your Priorities Right</p> <p>Tagging Rulesets</p> <p>Outputting Alerts</p> <p>Summary</p> <p><b>Chapter 4 Forensic Logging</b></p> <p>Things to Consider</p> <p>Salient Files</p> <p>Breaking the Rules</p> <p>Key Commands</p> <p>The Rules</p> <p>Parsing Rules</p> <p>Monitoring</p> <p>Ordering and Performance</p> <p>Summary</p> <p><b>Chapter 5 Kubernetes Vulnerabilities</b></p> <p>Mini Kubernetes</p> <p>Options for Using <i>kube-hunter</i></p> <p>Deployment Methods</p> <p>Scanning Approaches</p> <p>Hunting Modes</p> <p>Container Deployment</p> <p>Inside Cluster Tests</p> <p>Minikube vs. <i>kube-hunter</i></p> <p>Getting a List of Tests</p> <p>Summary</p> <p><b>Chapter 6 Container Image CVEs</b></p> <p>Understanding CVEs</p> <p>Trivy</p> <p>Getting Started</p> <p>Exploring Anchore</p> <p>Clair</p> <p>Secure Registries</p> <p>Summary</p>
<p><b>Part II DevSecOps Tooling</b></p> <p><b>Chapter 7 Baseline Scanning (or, Zap Your Apps)</b></p> <p>Where to Find ZAP</p> <p>Baseline Scanning</p> <p>Scanning Nmap’s Host</p> <p>Adding Regular Expressions</p> <p>Summary</p> <p><b>Chapter 8 Codifying Security</b></p> <p>Security Tooling</p> <p>Installation</p> <p>Simple Tests</p> <p>Example Attack Files</p> <p>Summary</p> <p><b>Chapter 9 Kubernetes Compliance</b></p> <p>Mini Kubernetes</p> <p>Using <i>kube-bench</i></p> <p>Troubleshooting</p> <p>Automation</p> <p>Summary</p> <p><b>Chapter 10 Securing Your Git Repositories</b></p> <p>Things to Consider</p> <p>Installing and Running Gitleaks</p> <p>Installing and Running GitRob</p> <p>Summary</p> <p><b>Chapter 11 Automated Host Security</b></p> <p>Machine Images</p> <p>Idempotency</p> <p>Secure Shell Example</p> <p>Kernel Changes</p> <p>Summary</p> <p><b>Chapter 12 Server Scanning With Nikto</b></p> <p>Things to Consider</p> <p>Installation</p> <p>Scanning a Second Host</p> <p>Running Options</p> <p>Command-Line Options</p> <p>Evasion Techniques</p> <p>The Main Nikto Configuration File</p> <p>Summary</p>
<p><b>Part III Cloud Security</b></p> <p><b>Chapter 13 Monitoring Cloud Operations</b></p> <p>Host Dashboarding with NetData</p> <p>Installing Netdata</p> <p>Host Installation</p> <p>Container Installation</p> <p>Collectors</p> <p>Uninstalling Host Packages</p> <p>Cloud Platform Interrogation with Komiser</p> <p>Installation Options</p> <p>Summary</p> <p><b>Chapter 14 Cloud Guardianship</b></p> <p>Installing Cloud Custodian</p> <p>Wrapper Installation</p> <p>Python Installation</p> <p>EC2 Interaction</p> <p>More Complex Policies</p> <p>IAM Policies</p> <p>S3 Data at Rest</p> <p>Generating Alerts</p> <p>Summary</p> <p><b>Chapter 15 Cloud Auditing</b></p> <p>Runtime, Host, and Cloud Testing with Lunar</p> <p>Installing to a Bash Default Shell</p> <p>Execution</p> <p>Cloud Auditing Against Benchmarks</p> <p>AWS Auditing with Cloud Reports</p> <p>Generating Reports</p> <p>EC2 Auditing</p> <p>CIS Benchmarks and AWS Auditing with Prowler</p> <p>Summary</p> <p><b>Chapter 16 AWS Cloud Storage</b></p> <p>Buckets</p> <p>Native Security Settings</p> <p>Automated S3 Attacks</p> <p>Storage Hunting</p> <p>Summary</p>
<p><b>Part IV Advanced Kubernetes and Runtime Security</b></p> <p><b>Chapter 17 Kubernetes External Attacks</b></p> <p>The Kubernetes Network Footprint</p> <p>Attacking the API Server</p> <p>API Server Information Discovery</p> <p>Avoiding API Server Information Disclosure</p> <p>Exploiting Misconfigured API Servers</p> <p>Preventing Unauthenticated Access to the API Server</p> <p>Attacking etcd</p> <p>etcd Information Discovery</p> <p>Exploiting Misconfigured etcd Servers</p> <p>Preventing Unauthorized etcd Access</p> <p>Attacking the Kubelet</p> <p>Kubelet Information Discovery</p> <p>Exploiting Misconfigured Kubelets</p> <p>Preventing Unauthenticated Kubelet Access</p> <p>Summary</p> <p><b>Chapter 18 Kubernetes Authorization with RBAC</b></p> <p>Kubernetes Authorization Mechanisms</p> <p>RBAC Overview</p> <p>RBAC Gotchas</p> <p>Avoid the <i>cluster-admin</i> Role</p> <p>Built-In Users and Groups Can Be Dangerous</p> <p>Read-Only Can Be Dangerous</p> <p>Create Pod is Dangerous</p> <p>Kubernetes Rights Can Be Transient</p> <p>Other Dangerous Objects</p> <p>Auditing RBAC</p> <p>Using <i>kubectl</i></p> <p>Additional Tooling</p> <p><i>Rakkess</i></p> <p><i>kubectl-who-can</i></p> <p><i>Rback</i></p> <p>Summary</p> <p><b>Chapter 19 Network Hardening</b></p> <p>Container Network Overview</p> <p>Node IP Addresses</p> <p>Pod IP Addresses</p> <p>Service IP Addresses</p> <p>Restricting Traffic in Kubernetes Clusters</p> <p>Setting Up a Cluster with Network Policies</p> <p>Getting Started</p> <p>Allowing Access</p> <p>Egress Restrictions</p> <p>Network Policy Restrictions</p> <p>CNI Network Policy Extensions</p> <p>Cilium</p> <p>Calico</p> <p>Summary</p> <p><b>Chapter 20 Workload Hardening</b></p> <p>Using Security Context in Manifests</p> <p>General Approach</p> <p>allowPrivilegeEscalation</p> <p>Capabilities</p> <p>privileged</p> <p>readOnlyRootFilesystem</p> <p>seccompProfile</p> <p>Mandatory Workload Security</p> <p>Pod Security Standards</p> <p>PodSecurityPolicy</p> <p>Setting Up PSPs</p> <p>Setting Up PSPs</p> <p>PSPs and RBAC</p> <p>PSP Alternatives</p> <p>Open Policy Agent</p> <p>Installation</p> <p>Enforcement Actions</p> <p>Kyverno</p> <p>Installation</p> <p>Operation</p> <p>Summary</p> <p>Index</p>
<p><b>CHRIS BINNIE</b> is a Technical Consultant who has worked for almost 25 years with critical Linux systems in banking and government, both on-premise and in the cloud. He has written two Linux books, has written for <i>Linux</i> and <i>ADMIN</i> magazines and has five years of experience in DevOps security consultancy roles.</p><p><b>RORY MCCUNE</b> has over 20 years of experience in the Information and IT security arenas. His professional focus is on container, cloud, and application security and he is an author of the CIS Benchmarks for Docker and Kubernetes and has authored and delivered container security training at conferences around the world.</p>
<p><b>DISCOVER A COMPREHENSIVE GUIDE TO SECURING YOUR CLOUD NATIVE TECH STACK</b></p> <p>In <i>Cloud Native Security</i>, accomplished IT security professionals and authors Chris Binnie and Rory McCune deliver a detailed treatment of how to minimize the attack surfaces found on today’s Cloud Native infrastructure. Incorporating hands-on examples, the book teaches you to mitigate threats and eliminate areas of concern that tend to lead to security compromises. The book contains the information that security professionals need to know in order to operate secure, hardened and therefore reliable Cloud Native estates.</p> <p>Beginning with accessible and easy-to-understand content about Linux containers and container runtime protection, the book moves on to more advanced subjects, like complex attacks on Kubernetes. You’ll learn about forensic logging and Kubernetes vulnerabilities, Common Vulnerability and Exploit scanning tools (CVEs), baseline scans, how to codify security, and how to scan popular code repositories for vulnerabilities.</p> <p>You’ll also discover how to use Configuration Management tools like Ansible to enforce security controls and help mitigate against attackers gaining a foothold and create predictable, reliable, and secure hosts. 
Finally, topics like network policies, pod hardening, and Kubernetes Role Based Access Control (RBAC) functionality are all covered in extensive depth.</p> <p>Perfect for DevOps engineers, platform engineers, security professionals, and students, <i>Cloud Native Security</i> will earn a place in the libraries of all professionals who need to improve their understanding of modern security vulnerabilities and challenges.</p> <p><b>The book delivers thorough and comprehensive explanations of:</b></p> <ul> <li><b>Installing and configuring multiple types of DevSecOps tooling in CI/CD pipelines</b></li> <li><b>Building forensic logging systems that provide exceptional levels of detail in busy containerized estates</b></li> <li><b>How to secure Kubernetes, the most popular container orchestrator</b></li> <li><b>Hardening cloud platforms and automating security enforcement in the cloud with sophisticated policies</b></li> </ul>
