Cloud Native Security
About the Book

Explore the latest and most comprehensive guide to securing your Cloud Native technology stack.

Cloud Native Security delivers a detailed study into minimizing the attack surfaces found on today's Cloud Native infrastructure. Throughout the work, hands-on examples walk through mitigating threats and the areas of concern that need to be addressed. The book contains the information professionals need to build the diverse mix of niche knowledge required to harden Cloud Native estates. It begins with more accessible content on understanding Linux containers and container runtime protection before moving on to more advanced subject matter such as attacks on Kubernetes.

You'll also learn about:
  • Installing and configuring multiple types of DevSecOps tooling in CI/CD pipelines
  • Building a forensic logging system that can provide exceptional levels of detail, suited to busy containerized estates
  • Securing the most popular container orchestrator, Kubernetes
  • Hardening cloud platforms and automating security enforcement in the cloud using sophisticated policies

Perfect for DevOps engineers, platform engineers, security professionals and students, Cloud Native Security will earn a place in the libraries of all professionals who wish to improve their understanding of modern security challenges.

Table of Contents:

Introduction xix

Part I Container and Orchestrator Security 1
Chapter 1 What is a Container? 3
  Common Misconceptions 4; Container Components 6; Kernel Capabilities 7; Other Containers 13; Summary 14
Chapter 2 Rootless Runtimes 17
  Docker Rootless Mode 18; Installing Rootless Mode 20; Running Rootless Podman 25; Setting Up Podman 26; Summary 31
Chapter 3 Container Runtime Protection 33
  Running Falco 34; Configuring Rules 38; Changing Rules 39; Macros 41; Lists 41; Getting Your Priorities Right 41; Tagging Rulesets 42; Outputting Alerts 42; Summary 43
Chapter 4 Forensic Logging 45
  Things to Consider 46; Salient Files 47; Breaking the Rules 49; Key Commands 52; The Rules 52; Parsing Rules 54; Monitoring 58; Ordering and Performance 62; Summary 63
Chapter 5 Kubernetes Vulnerabilities 65
  Mini Kubernetes 66; Options for Using kube-hunter 68; Deployment Methods 68; Scanning Approaches 69; Hunting Modes 69; Container Deployment 70; Inside Cluster Tests 71; Minikube vs. kube-hunter 74; Getting a List of Tests 76; Summary 77
Chapter 6 Container Image CVEs 79
  Understanding CVEs 80; Trivy 82; Getting Started 83; Exploring Anchore 88; Clair 96; Secure Registries 97; Summary 101

Part II DevSecOps Tooling 103
Chapter 7 Baseline Scanning (or, Zap Your Apps) 105
  Where to Find ZAP 106; Baseline Scanning 107; Scanning Nmap's Host 113; Adding Regular Expressions 114; Summary 116
Chapter 8 Codifying Security 117
  Security Tooling 117; Installation 118; Simple Tests 122; Example Attack Files 124; Summary 127
Chapter 9 Kubernetes Compliance 129
  Mini Kubernetes 130; Using kube-bench 133; Troubleshooting 138; Automation 139; Summary 140
Chapter 10 Securing Your Git Repositories 141
  Things to Consider 142; Installing and Running Gitleaks 144; Installing and Running GitRob 149; Summary 151
Chapter 11 Automated Host Security 153
  Machine Images 155; Idempotency 156; Secure Shell Example 158; Kernel Changes 162; Summary 163
Chapter 12 Server Scanning With Nikto 165
  Things to Consider 165; Installation 166; Scanning a Second Host 170; Running Options 171; Command-Line Options 172; Evasion Techniques 172; The Main Nikto Configuration File 175; Summary 176

Part III Cloud Security 177
Chapter 13 Monitoring Cloud Operations 179
  Host Dashboarding with Netdata 180; Installing Netdata 180; Host Installation 180; Container Installation 183; Collectors 186; Uninstalling Host Packages 186; Cloud Platform Interrogation with Komiser 186; Installation Options 190; Summary 191
Chapter 14 Cloud Guardianship 193
  Installing Cloud Custodian 193; Wrapper Installation 194; Python Installation 195; EC2 Interaction 196; More Complex Policies 201; IAM Policies 202; S3 Data at Rest 202; Generating Alerts 203; Summary 205
Chapter 15 Cloud Auditing 207
  Runtime, Host, and Cloud Testing with Lunar 207; Installing to a Bash Default Shell 209; Execution 209; Cloud Auditing Against Benchmarks 213; AWS Auditing with Cloud Reports 215; Generating Reports 217; EC2 Auditing 219; CIS Benchmarks and AWS Auditing with Prowler 220; Summary 223
Chapter 16 AWS Cloud Storage 225
  Buckets 226; Native Security Settings 229; Automated S3 Attacks 231; Storage Hunting 234; Summary 236

Part IV Advanced Kubernetes and Runtime Security 239
Chapter 17 Kubernetes External Attacks 241
  The Kubernetes Network Footprint 242; Attacking the API Server 243; API Server Information Discovery 243; Avoiding API Server Information Disclosure 244; Exploiting Misconfigured API Servers 245; Preventing Unauthenticated Access to the API Server 246; Attacking etcd 246; etcd Information Discovery 246; Exploiting Misconfigured etcd Servers 246; Preventing Unauthorized etcd Access 247; Attacking the Kubelet 248; Kubelet Information Discovery 248; Exploiting Misconfigured Kubelets 249; Preventing Unauthenticated Kubelet Access 250; Summary 250
Chapter 18 Kubernetes Authorization with RBAC 251
  Kubernetes Authorization Mechanisms 251; RBAC Overview 252; RBAC Gotchas 253; Avoid the cluster-admin Role 253; Built-In Users and Groups Can Be Dangerous 254; Read-Only Can Be Dangerous 254; Create Pod is Dangerous 256; Kubernetes Rights Can Be Transient 257; Other Dangerous Objects 258; Auditing RBAC 258; Using kubectl 258; Additional Tooling 259; Rakkess 259; kubectl-who-can 261; Rback 261; Summary 262
Chapter 19 Network Hardening 265
  Container Network Overview 265; Node IP Addresses 266; Pod IP Addresses 266; Service IP Addresses 267; Restricting Traffic in Kubernetes Clusters 267; Setting Up a Cluster with Network Policies 268; Getting Started 268; Allowing Access 271; Egress Restrictions 273; Network Policy Restrictions 274; CNI Network Policy Extensions 275; Cilium 275; Calico 276; Summary 278
Chapter 20 Workload Hardening 279
  Using Security Context in Manifests 279; General Approach 280; allowPrivilegeEscalation 280; Capabilities 281; privileged 283; readOnlyRootFilesystem 283; seccompProfile 283; Mandatory Workload Security 285; Pod Security Standards 285; PodSecurityPolicy 286; Setting Up PSPs 286; Setting Up PSPs 288; PSPs and RBAC 289; PSP Alternatives 291; Open Policy Agent 292; Installation 292; Enforcement Actions 295; Kyverno 295; Installation 296; Operation 296; Summary 298

Index 299

About the Authors:
CHRIS BINNIE is a Technical Consultant who has worked for almost 25 years with critical Linux systems in banking and government, both on-premises and in the cloud. He has written two Linux books, has written for Linux and ADMIN magazines, and has five years of experience in DevOps security consultancy roles.

RORY MCCUNE has over 20 years of experience in the information and IT security arenas. His professional focus is on container, cloud, and application security. He is an author of the CIS Benchmarks for Docker and Kubernetes and has authored and delivered container security training at conferences around the world.




Product Details
  • ISBN-13: 9781119782230
  • Publisher: John Wiley & Sons Inc
  • Publisher Imprint: John Wiley & Sons Inc
  • Height: 231 mm
  • No of Pages: 336
  • Returnable: N
  • Weight: 544 g
  • ISBN-10: 1119782236
  • Publisher Date: 16 Sep 2021
  • Binding: Paperback
  • Language: English
  • Spine Width: 20 mm
  • Width: 185 mm

