🌱Technologies

Technology used

Docker and Docker Compose

Docker is a lightweight and portable platform for packaging and deploying applications in containers, while Docker Compose is a tool for managing multi-container applications using declarative configuration in a YAML file.

Together, Docker and Docker Compose provide a powerful and convenient way to create, deploy and manage applications in container environments.

Docker images

A Docker image is a basic template from which containers are created. It contains all the elements needed to run an application, including the operating system, libraries and application code.

Docker images are created from configuration files called Dockerfile, which specify the steps required to build the image.

Docker containers

A Docker container is an executable instance of a Docker image. It is an "isolated" environment (in fact not completely isolated, as we'll see with gVisor and the other security layers I've tried to implement) containing all the elements required to run the application.

Docker containers are lightweight, quick to start up and easy to distribute across different machines.

Docker Compose

Docker Compose is a tool that facilitates the deployment and management of multi-container applications. It allows you to describe the application architecture in a YAML configuration file, specifying services, networks, volumes and so on.

Docker Compose simplifies the process of starting, stopping and scaling applications composed of multiple containers.

gVisor

gVisor is a sandboxing technology for containers that provides enhanced isolation and increased security by running applications in a more controlled and minimalist environment.

It acts as an intermediary between the host kernel and the containers, providing an additional layer of isolation.

Unlike other lightweight virtualization solutions, gVisor does not use virtual machines or full guest kernels. Instead, it implements its own minimal kernel and provides Linux system call emulation for applications running in containers.

Seccomp

Seccomp, also known as Secure System Call Filtering Mode, is a security mechanism in Linux operating systems that restricts the system calls available to a running process.

It provides an extra layer of protection by limiting the functionality and actions a process can perform, thus reducing the potential impact of software vulnerabilities and attacks.

Main objective

Seccomp's main objective is to enhance security by isolating a process and limiting its access to sensitive system functionality.

This can reduce the potential impact of security breaches and attacks, because even if a process is compromised, the malicious actions it can undertake will be limited by Seccomp's filtering rules.

It is important to note that the correct installation and configuration of Seccomp requires a thorough understanding of the system calls used by an application.

Moreover, since our project involves pentest tools, it is difficult for me to define exactly what should and should not be blocked. That is why a default profile is provided, which gives reasonable security without being too restrictive.

AppArmor

AppArmor is a security framework for Linux operating systems, designed to restrict the actions and privileges of processes. It provides Mandatory Access Control (MAC) by defining security policies based on containment profiles.

Our goal

AppArmor is commonly used in environments where security is a major concern, such as servers, containers, security-oriented Linux distributions and embedded systems. It can be used to confine individual applications or sets of applications, depending on specific security needs.

But as with seccomp, using AppArmor requires a thorough understanding of the containment profiles and security rules associated with each application, to avoid compatibility or operating problems. As our case is related to pentesting, we're going to use Docker's default profile to avoid excessive restrictions.

The important thing for us is to cascade these layers (gVisor, seccomp and AppArmor) in order to protect and isolate our containers as much as possible!
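As an added illustration of that cascade (not the project's own configuration), here is a Docker Compose service that stacks the three layers: the gVisor runtime, a seccomp profile and the Docker default AppArmor profile. The service name, the image and the profile path ./seccomp/default.json are assumptions.

```yaml
# Added example: one Compose service with the three isolation layers stacked.
# The service name, image and the seccomp profile path are assumptions.
services:
  pentest-tool:
    image: example/pentest-tool:latest   # hypothetical image

    # Layer 1: run the container under gVisor instead of the default runc.
    # runsc must be registered in the Docker daemon first, e.g. in daemon.json:
    #   "runtimes": { "runsc": { "path": "/usr/local/bin/runsc" } }
    runtime: runsc

    security_opt:
      # Layer 2: seccomp. Without this line Docker applies its built-in default
      # profile; pointing at a file lets the project ship its own profile that is
      # "not too restrictive" for pentest tools (path is an assumption).
      - seccomp:./seccomp/default.json

      # Layer 3: AppArmor, using Docker's default profile as described above.
      - apparmor:docker-default

      # Prevent a compromised process from regaining privileges via setuid binaries.
      - no-new-privileges:true
```

After `docker compose up -d`, `docker inspect --format '{{.HostConfig.Runtime}} {{.AppArmorProfile}}' <container>` lets you check that the runtime and AppArmor profile were actually applied rather than silently falling back to defaults.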
