Good morning, good evening and good afternoon, depending on where you're located. So yeah, hi. My name is Sumat and I'm here to present on the topic of container security automation with Ansible. Currently I'm working with the Ansible team as a senior software engineer, and basically I'm part of the Ansible content team, where I directly contribute to Ansible security and the network team as well. As you can see, I have listed my GitHub and IRC handle, which is J-U-S-T-G-I-S, and I have also listed my mail. So at any point of time, if you guys have any query post this session with respect to container security automation with Ansible, you can just ping me.

Okay, so moving on to the agenda. The agenda for today is: first, understanding the continuous security concept. This will basically tell us how and where it is important with respect to container security, and how we check for security, compliance and hardening. The second one tells you about running the scans using the Ansible Automation Platform. The third one is understanding the terminology which is basically used for identifying vulnerabilities and which is most commonly used in the current scenario. Then we'll talk about automating vulnerability analysis of Docker containers, and then we'll discuss scheduled scans using the Ansible Automation Platform, which internally uses Ansible Tower, and then we'll discuss file integrity checks, host-based monitoring and various compliance initiatives.

So yep, the first one is understanding security concepts. As you well know, one of the key approaches to emerge out of DevOps is the idea of continuous and immutable infrastructure. It actually means that every time there needs to be a runtime change in the application code or configuration, the containers are built and deployed and the existing running ones are torn down, and that actually allows for predictability,
resilience, and it simplifies deployment choices at runtime, and there is no surprise that many operations teams are already moving towards it. With that comes the question of when these containers should be tested for security and compliance. So at that point, by embracing the process of continuous security scanning and monitoring, you can actually go ahead and automate the variety of workload and work that Docker containers throw at you.

So here the best practices that we can see are: the first one is, ensure that there are no vulnerabilities in your container, which is the basic one. The second one is, every time you deploy on a production system, the image should be re-scanned for any vulnerability that might have crept in. And the third one is, every time you do a rebuild you don't do a patch; you just do a rebuild instead.

How Ansible, and the Ansible Automation Platform, can help here is that there are plenty of security tools currently available in the market which can be automated using Ansible, and Ansible can use those tools and automate all those products, and that can internally help in documenting new security and scanning images. So as you see, our first one is automating vulnerability analysis with Aqua Security and Anchore. It can actually help in enabling programmatic scanning, and it can also help in automating runtime protection tools to ensure images don't change during runtime.

Okay, so now we can move to the next slide. As you know, continuous security scanning requires us to manage it in software like the Ansible Automation Platform. Most of the tools discussed here can be used for scanning and maintaining a benchmark for security. We should think about the entire process as an incident response and threat detection workflow as well. So how the Ansible security automation initiative
helps here is that it helps you prepare the tool for automation; it can actually help in detection and analysis; it can also help in containment, eradication and recovery; and at the end it can also help in post-incident activity as well.

So before going on to discuss each individual tool, I'll just go through the basics and the terminology which is currently used for identifying vulnerabilities. Basically, as a part of our preparation it may be useful to get familiar with the following terms listed here. The first one is CVE, which is Common Vulnerabilities and Exposures. Basically it's a list of records, each containing an identification number, a description and at least one public reference for publicly known cyber security vulnerabilities. The other one is OVAL, which is Open Vulnerability and Assessment Language. It is actually an international information security community standard to promote open and publicly available security content. The third one is CWE, which is Common Weakness Enumeration. It's a category system for software weaknesses and vulnerabilities, and it's a sustained community project with the goals of understanding flaws in software and creating automated tools that can be used to identify, fix and prevent those flaws. And the very last one is NVD, which is basically the National Vulnerability Database. It is a US government database which takes care of vulnerability management, and it's available to the public in XML format.

So going through the topic of discussion here, I'll be using CVEs most often, because that is how we most often categorize the issues that we find in the container security world.
So moving on. As you can see, there are many different ways of evaluating the security of containers, as containers are everywhere at this point of time. There are various tools and techniques available to perform scans and assess Docker containers and the environment. These are the tools that I'll be discussing during the presentation, and I'll be going through each of these tools individually as well. I'll also have a demo prepared, so at this point I understand that I'll have to switch between the tabs; I'll stop sharing and reshare again, so bear with me for that.

So yeah, the first one is Docker Bench, and as I told you, I'll go into detail for each individual tool in the upcoming slides. But just to give a basic idea of what the Docker Bench tool is: it's basically a security shell script which performs checks based on the CIS, which is the Center for Information Security. The second one is Clair. Clair is also a tool to perform static vulnerability analysis based on the CVE database; CVE is the thing that we discussed in the last slide. Aqua Security and Anchore are two tools that perform a variety of Docker and Kubernetes security things, but I'll be discussing only a few of the things that I wanted to bring about in this particular presentation. Anchore is a platform to perform security evaluation and make runtime policy decisions, and part of Aqua Security is Aqua Security Trivy, which is basically a simple and comprehensive vulnerability image scanner for containers. And lastly we have osquery. It actually doesn't fit in the container-side world, because it goes ahead and checks for the OS-related things inside your container. So if you think about it, it is an analytics tool to do HIDS, which is host intrusion detection system, type of activities. So yep, I'll be discussing and going over these tools individually in the upcoming slides.
So the first one is Docker Bench. I hope you guys are able to see the screen. Yana, can you confirm?

Yes, we can see.

Cool, thanks. Thanks for the confirmation. Okay, so the first one is Docker Bench, and it's Docker Bench for Security. As I told you, it's basically a shell script that checks for dozens of common best practices around deploying Docker containers in production, and the tests here are all automated and inspired by the CIS Docker Benchmarks, where CIS is the Center for Information Security. As you see, I have listed down all the checks Docker Bench performs, and it's basically host configuration, your Docker daemon configuration and files, Docker container images, Docker runtime, Docker security operations and Docker swarm configuration.

Before going to the presentation part: I have recorded a demo for this particular tool, but I wanted to cover Clair as well, because if I'll be switching between the slides I think it will take a bit of time, and I wanted to cover the entire presentation during the allocated time. So before going to the demo, I'll discuss the Clair tool as well, and post that I'll be going through the demo recording of Docker Bench.

So yeah, the other tool that I wanted to discuss is Clair. It's basically an open source project and it is used for static analysis of vulnerabilities in containers, and it helps by checking with the existing vulnerability database. Clair actually maintains a vulnerability database, and based on that database Clair performs the scan on the Docker images and throws you the result with all the required CVEs and severity level information.
So yeah, more details about this Clair scan can easily be found on the GitHub repo of Clair, because it's an open source project, so everything is available on GitHub. It is part of CoreOS, and it is now part of Quay as well. So yeah, it actually uses the Clair API to index the container images and it checks for known vulnerabilities, and clair-scanner is a tool that can actually trigger and help in getting through the Clair database and give you the exact result.

So for Clair, I have just focused on the playbook and its playbook run. As you see on the left hand side, I have the entire playbook for clair-scanner, and as you see the name of the playbook is "scanning containers using clair-scanner", and the host I have kept as localhost, because I'll run this particular Ansible playbook on my local box. Because of that I've kept it as localhost, and let's suppose somebody wants to check for a Docker container inside some other host; then they can just give the inventory details here and run it. Here I am making gather_facts false, because I'm not bothered about collecting the Ansible variables or host information. become is yes, because I wanted to escalate privileges to sudo level. I'm using two variables as well: one is image_to_scan, the second one is clair_server. Here I'll be trying to scan, sorry, here I'll try to scan the debian:sid image, and I already have a setup ready with the Clair server. This particular playbook talks only about clair-scanner, so you need to set up the Clair server before you go ahead and run clair-scanner. So yeah, the Clair server setup is at this particular location. So what I do is I am using the Ansible modules get_url and command.
So get_url is downloading clair-scanner; as the name suggests, it is downloading and setting up the clair-scanner binary, sorry, from this particular GitHub repo; it is trying to download it and move it to the destination folder. I'm setting the execution privileges, and now with the clair-scanner command I'm trying to run clair-scanner on the debian:sid image. This will particularly output in JSON format, and then I'm registering the output and then downloading the report locally. On the left hand side, if you see, I am counting the result: if you see, my image name is debian:sid, and the unapproved CVEs are all the CVEs that I've found and the vulnerabilities that are available in this image.

As you see, both Docker Bench and Clair are used for your image-based vulnerabilities; it can actually check image-based vulnerabilities. The first one is Docker Bench, and it is actually a Docker product, and Clair is an open source project which is held by the community, and it is actually a static tool. It's not a dynamic tool, because it has a database of known vulnerabilities, and on the basis of that it goes ahead and fires the CLI clair-scanner on a particular Docker image and gets you the result. So all these tools that I'm talking about currently can easily be part of a CI system and can actually help in Docker process compliance and Docker security compliance and its hardening.

So yeah, let me just stop the sharing and share the Docker Bench demo, just hold on. Now I'll be sharing the entire screen, I think, because I wanted to share. Okay, I hope you guys are able to see the entire screen now.

Yes, we can see the screen.

Okay, cool. So this is the recorded demo. I'll be doing a live demo for Anchore, but the rest of the demos are recorded. So this is the Docker Bench demo.
So as you see, I'm creating a Docker Bench playbook, and here again I'm using the host as localhost, because I'm running on my local box, and here become is yes because I want to escalate to sudo privileges, and here I'm making gather_facts true because I wanted to gather the ansible_date_time variable, which I'm using here. So the first task is to download docker-bench-security. It is also available on the GitHub profile, as it's part of Docker. I'm transferring the content to the destination, and then I run the actual Docker Bench shell script: I'm trying to change the directory here, and then I run the ./docker-bench-security shell script and transfer the output to a log. Then I'm trying to download the report locally, and then I'm showing the report location to the user.

Okay, so before firing the playbook, I just wanted to show you guys that currently I'm using Ansible version 2.9.4, which is kind of the latest, because Ansible 2.9.7, I think, is already there, and I'm currently using 2.9.4. So here goes the play run. As you see, currently it is gathering facts, and "download docker-bench-security", since it's already downloaded, is not showing changed as true. So now it is running the docker-bench-security scan. It is taking a bit of time because I have close to five images already in my box, so it is taking comparatively more time. So yeah, as you can see, the scan completed, and now the report is generated and I'm just showing the user where your particular report is located. So now, if I open the particular log, you will see all the output that docker-bench gives you, all those results, basically. Okay.
Sorry. Yeah, so the log that it gives is related to all these points: host configuration, your Docker daemon configuration and files, your Docker enterprise configuration. As you see, there are n number of results, and it's logged as PASS, INFO and WARN. So only the WARN condition should be checked properly; otherwise you can skip, and you can also filter out the results. As I told you, this is running for almost five images, so it is quite long; otherwise, for one particular image you will get a shorter result, but it will have all the details with respect to the docker-bench categories.

So yeah, I think I can stop it, because this will go ahead and take you through all those. As you can see: container runtime, Docker swarm configuration. So based on the log you can also filter out the results based on the images that you provide. At this point I'll just close it and go back to the presentation. Sorry guys for switching back and forth, because I wanted to show you the demo, so I had to share the entire screen. Okay, I hope you guys are able to see the screen again. Cool. It's my day, night, everything is working. Cool.

So I have finished till Clair. Okay, so scheduled scans. Why a scheduled scan is important: because security is a continuous process, right? It is a kind of loop of planning, doing, checking and acting. The thing that I've depicted is the Deming cycle; it actually depicts the same. Because if you are not doing it again and again, at any point things might go wrong and things might go south, and you'll not be able to catch those things and you'll be in trouble. So continuous security is required from that perspective, and because of that scheduled scans help, and using an Ansible Automation Platform offering like Ansible Tower you can schedule scans and get the result every time you want it and at the time you want it.
So that is how it helps. So let me... So yeah, this is the tool or platform compliance that I wanted to talk about: basically Anchore. Anchore Engine is an open source project which actually provides a centralized service for inspection, analysis and certification of container images. It also has RESTful APIs, and via the Anchore CLI you can actually go ahead and perform the scans. Anchore Engine is provided as a Docker container image as well, which can actually be run standalone or with an orchestration platform, and it can actually help in high-level operations like policy evaluation operations, your image operations, your policy operations, your registry operations, your subscription operations and system operations. So quite a few operations. But yeah, Anchore and Aqua Security are kind of compliance tools which actually take care of many more things than I'm talking about here; since this particular topic is only around container security, I will be dealing only with the continuous security work.

So yeah, the second one that I wanted to talk about is Aqua Security Trivy, and it actually is a very useful tool and it can actually be very easily implemented into your CI system, because it is very simple. You just need to download the Aqua Security Trivy tool from the Aqua Security GitHub repo, and then it is very easy to use, because Trivy is a CLI command: you give it the image and you just run it, and you'll be able to see that Trivy performs the analysis and gives you the result in JSON format. So it can actually be used in your DevSecOps pipeline, like your CI/CD pipeline, and it actually helps and supports multiple formats as well.

So at this point again, I'll stop sharing and go back to the demo section, because I want to demo the Anchore one through Ansible Tower. Okay, so before going through the demo content on the playbook,
I'll just want to give you guys a heads up that all the playbooks that I am showing in this particular presentation are already checked into the ansible-security demo content, under "playbooks". You will see there are platforms available, and these are the platforms of discussion; you can just go ahead and check the playbooks and try them yourself.

Okay, so the first one is the Anchore server, because before firing the Anchore CLI scanner I have to set up the server. I'm close to my timeline, so I'll just skip it, because this is a server setup based on the config file. Then comes the Anchore CLI scan. If you see the CLI scan, it is trying to scan the Docker image debian:latest, and it is using Ansible vars, and your Anchore CLI is set up on, sorry, the Anchore server is set up on localhost 8284, and the default username and password is admin and foobar. This I'll try to run through Ansible Tower; let me just log into it.

So yeah, why I'm using Tower is because I wanted to demo the scheduled scan part, because it's very important to schedule the scan every time you want to check a particular image, or if you have a certain container image that is being modified. So yeah, the first one is the project. How I am setting up the Anchore scan project is: I am giving it as "anchore scan project", and I'm giving the git repo where it will fetch the playbook from. Then I'm giving the inventory details; the inventory in this case would be my AWS instance, because here it is an Ubuntu system, that's why you're seeing the public IP and the private IP with respect to the AWS instance. You need to provide your credentials as well, because when you try to log in through the console, right, you give the PEM file credentials, right, the key. The same you do in your Tower as well.
So here I'm giving "anchore cred"; the type is machine and my username is ubuntu, and then I'm giving the file. Then I'm creating the template from the same thing, and this is my "anchore scan" template, and if you see, I'm using all those details. And here is the fun part: I can create a schedule, and based on the schedule it'll run this particular template every time this particular condition is fulfilled. As you see, I have scheduled all the things, and these are the occurrences; it will happen during the entire 2021, and it has given for March, right? So February and March. So I'll just fire an on-demand scan, because even though you have scheduled it, sometimes you might need an on-demand scan. So let's just launch it. Hopefully it works.

Yeah, the job is still running, and now it's running, and as you can see it's gathering facts first. So the Anchore scan is using the same Anchore CLI playbook. As you see, installing Anchore CLI should turn out as changed: false, because Anchore CLI might have already been installed, because I have run it a couple of times. It's showing successful, but I'm not able to browse through the section. Why? Fun for a live demo. Okay, let me run it again. So I have done that again; hopefully this time I am able to see the result.

Okay, so I am closing on my finish time, so I'll just try to finish everything a bit quickly now. As you see, it is trying to add the image for analysis, and then it is waiting on the analysis to complete, and here is your result, and if you click on it you get the JSON output for it with all the details for the CVEs, your package name, severity, and let's suppose there is a fix available, it will tell you the fix as well. So this is how your Anchore CLI works. And I'll run the Trivy scan as well, and this is that particular demo.
So if you see, this playbook is very short, because as I told you, Trivy is a very lightweight tool and you just need to install the Trivy tool, and then, using the command module, just fire the trivy command on this golang image. So if I run this playbook, it's giving me all the details: my package name, what is there with the severity at medium level, and the package name is libcrypto 1.0.1, and the second package that is having a severity of medium is libssl 1.0.1. This I am filtering from the result. So I'll just kind of shut it off, because I wanted to leave time as well.

You still have 12 minutes.

Okay, okay, cool, thanks. Yeah, now again going back to the presentation. I hope you guys can still see the screen.

Yes.

So the last part that I wanted to discuss is OS security and compliance checks based on the OS level. While this may not eliminate the case for a purpose-built HIDS, host intrusion detection system, in many cases we can execute the same kind of security task using the tools which are available, like osquery, which was actually developed by Facebook and now has been open sourced. How it can help: it can actually go ahead and check for file hashes, your network connections and your list of running processes, so if you think that way, it can actually act as a lightweight host-based intrusion detection system. I have not included the demo for osquery; I think that can be considered as a to-do. If you guys are interested, you can go ahead and look for osquery; it's an open source tool, and you can just create an Ansible playbook to run this particular tool. It's very easy, and let's suppose you have any difficulty in finding that, I'll just post the osquery playbook as well in the ansible-security demo content.
So, yeah, osquery is an operating system instrumentation framework which was designed by Facebook and basically written in C++, blah blah, and it actually supports multiple platforms like Windows, Linux, macOS and other operating systems as well. It actually performs low-level activities such as running processes, kernel configuration, your network connections and file integrity checks, and it also helps in performing centralized monitoring and security management solutions as well. So it's sometimes also described as SQL-powered operating system instrumentation, monitoring and analytics.

So yeah, now coming to the most important part of the presentation, the call for action. As you guys all know, containers are rapidly changing the world of developers and operations teams, and by leveraging our knowledge of using Ansible for scripting the playbook commands, or by using the Ansible integrated modules with Aqua Security, Anchore and osquery tools, we can measure, analyze and benchmark a container for security. This also allows us to build an end-to-end automated process for securing, scanning and remediating the containers. So at this very point, I just want to call out to you guys that we at Ansible security are actually looking at the use cases, and you guys can help us fulfil and complete those use cases by giving your inputs and thoughts on how you see Ansible as a better fit for the continuous security world. For now, I have demoed through Ansible modules, like Ansible core engine modules, but in future we are talking with vendors like Aqua Security, Anchore, StackRox, Prisma Cloud, Twistlock, NeuVector and more. So we are talking with these vendors to come up with an integration plan.
So like you see, with Docker we have particular Ansible modules, like the docker_image and docker_container modules; the same way, you will have modules for Aqua Security, Anchore and other platforms as well, so that will actually help in getting the integration going. So at this point, Ansible would also love to partner with all the container security vendors, which can actually help in automation opportunities. If you want to get in touch with us, we have the IRC channels #ansible-security and #ansible-devel and the Ansible community, and we have also offered our initiative, the Ansible security automation initiative, on ansible.com, and you can check out the ebooks that are already present for the security automation initiative. So yep, and as I told you already, all the demo content and playbooks are already available on this particular GitHub link; you can just browse through the particular link and get to all the playbooks. And yes, I think this was the last part of the discussion. Thanks a lot for joining in, and I hope you guys have got something from the container security world, and I'm open for questions.

Whenever you have a question, now it's the right time to ask in the Q&A section. There's actually one question to you from the chat: Jan was asking if you have some published playbooks or roles that help with setting up the server. And I can see one question from Pavel: what do you think, Sumat, about the integration of Clair and other scanners with Docker repositories like Harbor?

Harbor. I haven't used Harbor, but I think... So you are asking about the integration of Clair and other scanners with Docker repositories like Harbor.
So I have not used Harbor that well, so I might not be the best person to look into that or answer that particular question, but definitely I'll check on that, and if you can let me know your IRC handle, or let me know how I can reach you, I can just let you know after the session.
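Written out as a playbook, the clair-scanner flow the talk walks through (download the scanner with get_url, run it with the command module against an image while a Clair server is already up, register the JSON report, fetch it locally and read off the unapproved CVEs) looks like the following. This is an added example, not the speaker's demo-content playbook; the release URL, Clair server address, scanner IP, severity threshold and report paths are assumptions to adjust for your setup.

```yaml
# Added example (not the talk's own playbook): scan a Docker image with clair-scanner
# against an already running Clair server and fail the play when unapproved CVEs exist.
# Assumed values: the clair-scanner release URL, the Clair server address, the IP that
# Clair uses to call back into the scanner, and the report paths.
- name: Scanning containers using clair-scanner
  hosts: localhost
  gather_facts: false
  become: true
  vars:
    image_to_scan: "debian:sid"
    clair_server: "http://localhost:6060"           # assumed Clair server address
    scanner_ip: "127.0.0.1"                         # assumed address Clair reaches the scanner on
    clair_scanner_url: "https://github.com/arminc/clair-scanner/releases/download/v12/clair-scanner_linux_amd64"  # assumed release asset
    scanner_bin: "/usr/local/bin/clair-scanner"
    report_path: "/tmp/clair-report.json"
    severity_threshold: "High"                      # CVEs at or above this are "unapproved"
  tasks:
    - name: Downloading and setting up the clair-scanner binary
      get_url:
        url: "{{ clair_scanner_url }}"
        dest: "{{ scanner_bin }}"
        mode: "0755"

    - name: Make sure the image is present locally (clair-scanner reads it via the Docker socket)
      command: docker pull {{ image_to_scan }}
      changed_when: false

    - name: Run clair-scanner on the image and write a JSON report
      command: >
        {{ scanner_bin }} --ip {{ scanner_ip }} --clair {{ clair_server }}
        --threshold {{ severity_threshold }} --report {{ report_path }} {{ image_to_scan }}
      register: scan
      # clair-scanner exits 1 when unapproved CVEs were found; any other non-zero rc is a scanner error
      failed_when: scan.rc not in [0, 1]
      changed_when: false

    - name: Read the JSON report back from the scanned host
      slurp:
        src: "{{ report_path }}"
      register: report_raw

    - name: Decode the report (fields "image", "unapproved" and "vulnerabilities")
      set_fact:
        scan_report: "{{ report_raw.content | b64decode | from_json }}"

    - name: Download the report locally, one file per image
      fetch:
        src: "{{ report_path }}"
        dest: "reports/{{ image_to_scan | replace('/', '_') | replace(':', '_') }}.json"
        flat: true

    - name: Show the image name and its unapproved CVEs
      debug:
        msg:
          image: "{{ scan_report.image }}"
          unapproved_cves: "{{ scan_report.unapproved }}"
          total_vulnerabilities: "{{ scan_report.vulnerabilities | length }}"

    - name: Fail the play (and hence a CI stage) when any CVE is unapproved
      fail:
        msg: "{{ scan_report.unapproved | length }} unapproved CVE(s) in {{ image_to_scan }}"
      when: scan_report.unapproved | length > 0
```

To scan a remote Docker host instead of the local box, point hosts at that inventory entry, as the talk suggests, and keep scanner_ip as the address that host is reachable on from the Clair server.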