- Moby - a collaborative project for the container ecosystem to assemble container-based systems.
- Traefik - open source reverse proxy/load balancer that provides easy integration with Docker and Let's Encrypt.
- kong - The Cloud-Native API Gateway.
- rancher - complete container management platform.
Container logging and analysis revolves around 3 areas:
- Container Service Logs - Service daemons record key events
- Daemon events - Errors, status, and general events
- Remote calls to APIs
- Creation/Modification/Deletion of containers
- Host operating system/platform logs
- Amazon EKS offers logging of events to CloudWatch
- Service logs
- Persistent data volume or bind mount - Log data is sent to a persistent location outside of the container, often via syslog directly to the host OS
- Application inside container - If the application itself has logging capabilities, it can log to locations outside of the container
- Monitoring container (Sidecar) - A container for collecting logs from other containers
- Daemon log drivers - Capture stdout and stderr of containers
- Security Auditing and Vulnerability Scanners
- Clair - Vulnerability Static Analysis for Containers
- WhaleScan - Vulnerability scanner for Windows containers, which performs several benchmark checks, as well as checking for CVEs/vulnerable packages on the container
- Trivy - Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues
- SecretScanner - Find secrets and passwords in container images and file systems
- sandbox-attacksurface-analysis-tools - Set of tools to analyze Windows sandboxes for exposed attack surface.
- DFIR
- sysdig-inspect - A powerful opensource interface for container troubleshooting and security investigation
- Container Management
- Enumeration
- Container Escapes
- https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/
- https://pwning.systems/posts/escaping-containers-for-fun/
- Container Breakout - PTFM: Container Breakout - pg. 145
- Tools
- kubesploit - Kubesploit is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in Golang, focused on containerized environments.
Docker - A Docker container is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings.
- Basic and Reference
- Operator Handbook: Docker Commands - pg. 61
- Offensive Testing
- deepce - Docker Enumeration, Escalation of Privileges and Container Escapes (DEEPCE)
- PENTESTING-BIBLE/DockerforPentesters
- PayloadsAllTheThings/DockerPentest
- https://blog.ropnop.com/docker-for-pentesters/
- Operator Handbook: Docker Exploit - pg. 64
- Defense and Hardening
- docker-bench-security - The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.
- Anchore - A service that analyzes Docker images and applies user-defined acceptance policies to allow automated container image validation and certification
- https://blog.gitguardian.com/how-to-improve-your-docker-containers-security-cheat-sheet/
- https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
- Misc
- Whaler - Program to reverse Docker images into Docker files
- Docker Security Cheatsheet (PDF): .gitbook/assets/Docker-Security-Cheatsheet_hp8lh3.pdf
- https://youtu.be/KINjI1tlo2w
- Container Management
- kubectl - Kubernetes command line tool
- https://kubernetes.io/docs/reference/kubectl/cheatsheet/
- GitHub - lightspin-tech/red-kube: Red Team KubeCTL Cheat Sheet
- Operator Handbook: KubeCTL - pg. 111
- kubebox - Terminal and Web console for Kubernetes
- kubernetes-the-hard-way - bootstrap Kubernetes the hard way on Google Cloud Platform. No scripts.
- kubernetes-the-easy-way - bootstrap Kubernetes the easy way on Google Cloud Platform. No scripts.
- Hubble - Network, service and security observability for Kubernetes using eBPF
- Offensive tools
- peirates - a Kubernetes penetration tool, enables an attacker to escalate privilege and pivot through a Kubernetes cluster. It automates known techniques to steal and collect service accounts, obtain further code execution, and gain control of the cluster.
- Kubestroyer - Aims to exploit Kubernetes cluster misconfigurations and be the Swiss army knife of your Kubernetes pentests
- Security auditing
- kubesec - Security risk analysis for Kubernetes resources
- netassert - Security testing framework for fast, safe iteration on firewall, routing, and NACL rules for Kubernetes (Network Policies, services) and non-containerised hosts (cloud provider instances, VMs, bare metal).
- KubiScan - A tool to scan a Kubernetes cluster for risky permissions
- rbac-police - Evaluate the RBAC permissions of Kubernetes identities through policies written in Rego
- Basics and Reference
- https://xapax.github.io/security/#attacking_kubernetes/basics_of_kubernetes/
- https://intellipaat.com/blog/tutorial/devops-tutorial/kubernetes-cheat-sheet/
- kubernetes-production-best-practices - checklists with best-practices for production-ready Kubernetes.
- Operator Handbook: Kubernetes - pg. 107
- Security Auditing and Hardening
- NSA Kubernetes hardening guide
- https://cheatsheetseries.owasp.org/cheatsheets/Kubernetes_Security_Cheat_Sheet.html
- kubernetes-security-best-practice
- k8s-security - kubernetes security notes and best practices.
- Pen Testing
- https://xapax.github.io/security/#attacking_kubernetes/attacking_kubernetes/
- https://xapax.github.io/security/#attacking_kubernetes/attacking_kubernetes_checklist/
- Operator Handbook: Kubernetes Exploit - pg. 108
- Training
- kubernetes-simulator - Kubernetes Security Training Platform - Focusing on security mitigation
- https://madhuakula.com/kubernetes-goat/ - Interactive Kubernetes Security Learning Playground