1
00:00:02,470 --> 00:00:05,889
‫Moving on from those, we have

2
00:00:06,460 --> 00:00:07,767
‫runtime bad behavior.

3
00:00:07,990 --> 00:00:10,749
‫I won't really talk a lot about this one, but this is the

4
00:00:10,750 --> 00:00:11,949
‫newest one on my list.

5
00:00:12,610 --> 00:00:15,699
‫The Sysdig Falco is a tool that,

6
00:00:16,090 --> 00:00:18,219
‫there are other similar tools, but none that I've seen that

7
00:00:18,220 --> 00:00:21,609
‫are as easy or as designed for containers as Falco.

8
00:00:22,420 --> 00:00:25,329
‫Falco essentially takes

9
00:00:25,600 --> 00:00:28,660
‫a common little list of bad behaviors, or

10
00:00:28,930 --> 00:00:31,092
‫what I would say behaviors that are suspect, right.

11
00:00:32,020 --> 00:00:34,990
‫Things that shouldn't necessarily be happening a lot, like

12
00:00:35,500 --> 00:00:37,841
‫execing into a running container on a production server.

13
00:00:37,842 --> 00:00:41,200
‫Or, copying files into those containers on running servers.

14
00:00:41,650 --> 00:00:44,860
‫Or, bind mounting sensitive data from

15
00:00:45,070 --> 00:00:47,618
‫the host operating system into the container itself,

16
00:00:48,034 --> 00:00:49,034
‫right.

17
00:00:50,440 --> 00:00:52,449
‫They'll show you a little example here on

18
00:00:53,680 --> 00:00:56,170
‫exactly what you do. They're basically running Falco agents

19
00:00:56,200 --> 00:00:59,499
‫on every server and then doing certain behaviors

20
00:00:59,560 --> 00:01:01,840
‫in containers that might be suspicious.

21
00:01:02,380 --> 00:01:05,799
‫The goal of Falco is to audit and log

22
00:01:05,890 --> 00:01:07,654
‫those behaviors for you to basically

23
00:01:09,190 --> 00:01:12,219
‫track any bad behavior and alert on those logs if you need

24
00:01:12,220 --> 00:01:13,220
‫to. You can

25
00:01:15,420 --> 00:01:16,989
‫see them here running some certain things and seeing what

26
00:01:16,990 --> 00:01:18,959
‫the logs are outputting. The coolest part about this is

27
00:01:18,960 --> 00:01:20,519
‫that it comes with a default set.

28
00:01:20,710 --> 00:01:23,739
‫Because a lot of us don't know all the

29
00:01:23,740 --> 00:01:26,435
‫bad behaviors. Like, we don't know everything you could

30
00:01:26,670 --> 00:01:27,922
‫possibly do if you're a bad actor.

31
00:01:28,510 --> 00:01:30,960
‫The nice thing about Falco is it does come with a default

32
00:01:30,961 --> 00:01:35,099
‫list, and then you can add more rules on your own in

33
00:01:35,100 --> 00:01:36,276
‫your applications. You can make custom list, add them to

34
00:01:37,040 --> 00:01:38,040
‫Falco when it runs.

35
00:01:38,450 --> 00:01:39,711
‫That's a free open source tool.

36
00:01:39,730 --> 00:01:42,182
‫That, I would definitely say, is getting more advanced,

37
00:01:42,183 --> 00:01:44,529
‫right. As you can see, this list, as we go down the list,

38
00:01:44,530 --> 00:01:45,831
‫getting more advanced.

39
00:01:46,590 --> 00:01:49,351
‫But, I think that's something that's worth adding to your

40
00:01:49,352 --> 00:01:50,352
‫production servers.

41
00:01:50,690 --> 00:01:53,189
‫Even if you don't monitor those logs constantly and

42
00:01:54,060 --> 00:01:57,239
‫you don't alert on them, just having those logs so

43
00:01:57,240 --> 00:01:59,788
‫that when you have something that's problematic, you

44
00:02:01,620 --> 00:02:03,959
‫can go back and see if there was any behavior and what that

45
00:02:03,960 --> 00:02:05,691
‫behavior was to sort of trace your steps, right.

46
00:02:07,020 --> 00:02:08,460
‫I definitely would put that in your toolkit.

47
00:02:09,630 --> 00:02:12,423
‫Next up is content trust. I don't really have a demo or a

48
00:02:13,020 --> 00:02:15,564
‫way to show content trust because it's a set of tools.

49
00:02:15,780 --> 00:02:17,750
‫Docker provides a lot of them. On making

50
00:02:19,350 --> 00:02:22,079
‫sure that everything in your pipeline, from code signing in

51
00:02:22,080 --> 00:02:24,285
‫your git repos, all the way to making sure in

52
00:02:25,380 --> 00:02:26,540
‫production that only images

53
00:02:28,710 --> 00:02:30,654
‫signed by your team are allowed to run on servers.

54
00:02:31,630 --> 00:02:32,976
‫That whole process is known as content trust.

55
00:02:34,290 --> 00:02:35,540
‫It's a pipeline of trust.

56
00:02:35,760 --> 00:02:37,160
‫It's a pipeline of signing different

57
00:02:38,790 --> 00:02:40,390
‫parts of the tooling, your images, your code to

58
00:02:42,030 --> 00:02:45,509
‫ensure that nothing runs in Docker on your servers unless

59
00:02:45,510 --> 00:02:46,889
‫you specifically allowed it through signing.

60
00:02:46,920 --> 00:02:48,145
‫OK. So, that's a project.

61
00:02:49,142 --> 00:02:50,493
‫That's definitely a project, right?

62
00:02:50,940 --> 00:02:52,280
‫We're getting down to the bottom of this list.

63
00:02:52,970 --> 00:02:55,469
‫When you start talking about secure development and

64
00:02:56,610 --> 00:02:58,815
‫secure deployments, this is one of those more

65
00:02:59,850 --> 00:03:01,981
‫advanced features because it requires your developers to be

66
00:03:01,982 --> 00:03:03,200
‫involved, your security team.

67
00:03:04,150 --> 00:03:06,720
‫It requires code signing, and image signing, which Docker's

68
00:03:06,780 --> 00:03:09,429
‫tooling definitely makes easier, but they're not going to

69
00:03:09,430 --> 00:03:11,851
‫do it all for you. All right. You're going to have to

70
00:03:11,852 --> 00:03:12,852
‫implement these things in your teams.

71
00:03:13,780 --> 00:03:14,780
‫Next up

72
00:03:16,860 --> 00:03:18,929
‫is something that takes a lot of work and may not give you a lot

73
00:03:18,930 --> 00:03:19,930
‫of advantages.

74
00:03:20,690 --> 00:03:23,669
‫That is taking all those default profiles that I

75
00:03:23,670 --> 00:03:26,512
‫talked about earlier and taking all those default profiles

76
00:03:26,551 --> 00:03:28,511
‫of AppArmor, SELinux, Seccomp and "Linux

77
00:03:30,210 --> 00:03:32,562
‫capabilities". Put that in quotes because that's

78
00:03:33,180 --> 00:03:36,389
‫actually a feature in the kernel. There's like 300

79
00:03:36,390 --> 00:03:39,085
‫capabilities or something, and Docker will take certain

80
00:03:39,720 --> 00:03:40,791
‫ones and remove them.

81
00:03:41,160 --> 00:03:43,171
‫But you can change those. You can customize those on the

82
00:03:43,172 --> 00:03:45,720
‫fly. You can actually lock down more or you can open

83
00:03:46,590 --> 00:03:48,212
‫up Docker, depending on your needs.

84
00:03:48,580 --> 00:03:50,981
‫If you learn about your specific applications, if

85
00:03:51,630 --> 00:03:52,810
‫you dive in deep, you

86
00:03:54,810 --> 00:03:55,810
‫can learn about how to lock these down more.

87
00:03:56,420 --> 00:03:59,249
‫You might even find that some of your applications that you

88
00:03:59,250 --> 00:04:02,729
‫buy, or get from open source, like Nginx, they

89
00:04:02,730 --> 00:04:05,082
‫might have custom templates for these tools that

90
00:04:06,450 --> 00:04:09,509
‫you can download and apply specifically when

91
00:04:09,510 --> 00:04:11,222
‫you run that image. Because Docker itself doesn't know

92
00:04:11,223 --> 00:04:13,321
‫what's running in your container. It doesn't know that

93
00:04:13,322 --> 00:04:15,860
‫you're running my MySQL, right. So, it can't apply

94
00:04:16,660 --> 00:04:19,199
‫a MySQL specific policy. But, you might be able to find

95
00:04:19,200 --> 00:04:21,390
‫one. You might be able to create a better one that's a

96
00:04:21,391 --> 00:04:22,391
‫little bit more secure.

97
00:04:23,650 --> 00:04:25,373
‫That's pretty advanced. You have to be pretty

98
00:04:27,300 --> 00:04:29,669
‫knowledgeable about systems, internals and how that all

99
00:04:29,670 --> 00:04:31,250
‫works. But, Docker supports it all.

100
00:04:31,760 --> 00:04:35,129
‫This is a per container feature, which

101
00:04:35,130 --> 00:04:36,480
‫means you can change it for each container you're running,

102
00:04:36,490 --> 00:04:37,672
‫depending on your requirements.

103
00:04:38,070 --> 00:04:39,351
‫Check that out.

104
00:04:39,360 --> 00:04:42,022
‫Your security team will love you for that.

105
00:04:42,120 --> 00:04:44,619
‫If you can get this stuff implemented and not break

106
00:04:44,792 --> 00:04:46,579
‫anything, that's the key. Don't break anything.

107
00:04:46,580 --> 00:04:48,809
‫Your security team will be big fans of that.