Visão Geral

O curso Docker Security oferece uma visão geral prática e teoria de importantes recursos de segurança e práticas recomendadas para proteger serviços e hosts em contêineres. Você aprenderá como usar o Docker de maneira eficaz para criar imagens de contêiner seguras e de alto desempenho, como os contêineres Linux são construídos e protegidos, incluindo cgroups, namespaces, apparmor, filtragem seccomp e muito mais. Além disso, você aprenderá sobre clustering e orquestração de contêineres com Docker Swarm.
Todos esses recursos serão explicados e demonstrados com exemplos práticos no laboratório prático.

Publico Alvo

• Desenvolvedor
• Operações
• DevOps
• Arquitetos

Pre-Requisitos

• Forte domínio de Docker (treinamento recomendado: Docker Fundamentals e Docker Advanced ).

Materiais

Conteúdo Programatico

Docker Recap

1. Age of Virtualization
2. Why Containers?
3. Docker History
4. Containerization
5. OS Components (Namespaces, Control Groups)
6. Docker Engine
7. Containers and VMs
8. Docker Versions
9. Docker Update Channels
10. Installing Docker on Linux with steps
11. Docker Images
12. Image Contents
13. Image Layers
14. Multiple architectures support
15. Image registry
16. Image security
17. Repositories
18. Docker Commands
19. Running and stopping containers
20. Network types
21. Working with networks
22. Testing the network
23. Persistent Storage in Docker
24. Creating and mounting a volume
25. Listing, inspecting and deleting volumes
26. Logging Docker
27. Explaining different log types

Secure Docker Connectivity

1. Docker hub image vulnerabilities
2. Possible attack vectors
3. How does Docker handle security?
4. Different layers of security
5. Secure Docker connectivity overview
6. TLS explained
7. What is a Certificate Authority?
8. Configuring secure Docker connectivity with steps

Hands-on Lab: Secure Docker Connectivity

Secure Docker Registry

1. What is Docker Registry?
2. Securing a Docker registry
3. Authorization Options
4. Basic authentication configuration
5. Token-based authentication configuration

Hands-on Lab: Deploying a Secure Docker Registry

Module 4: Role-Based Access Control

1. Using authorization and roles
2. Docker’s Plugin API for RBA
3. Enabling the authorization plugin
4. Open Policy Agent (OPA) Configuration

Hands-on Lab: Implementing RBAC using AuthN and AuthZ in Docker

Docker Swarm

1. What is Docker Swarm?
2. Docker Swarm components explained
3. Docker CLI Cluster commands
4. Docker Swarm Security
5. Bootstrapping a Warm Cluster
6. Secrets in a Swarm Cluster with Secret rotation
7. Autolock in Warm Clusters
8. Backing up and recovering a Swarm Cluster

Hands-on Lab: Docker Swarm Installation and Secure Docker Swarm cluster

Networking

1. Network types
2. Working with networks
3. Testing the network

Hands-on Lab: Docker Networking

Managing Secrets

1. What are secrets
2. How to manage Docker Secrets

Hands-on Lab: Managing Secrets

Content Trust

1. Docker Content Trust
2. Image Tags signed or not signed
3. Docker Content Trust Key
4. Signing Images with DCT
5. What is Notary

Hands-on Lab: Docker Content Trust

Linux capabilities

1. What are Linux Capabilities?
2. Dropping capabilities
3. Using pscap tool
4. Whitelisting
5. Listing capabilities

Hands-on Lab: Linux Kernel Capabilities

Controlling Access to Resources with Control Groups

1. Control Group
2. Control Group Subsystems, hierarchy
3. Managing cgroup for Containers
4. Cgroup Parent Context
5. Docker Cgroup Resource Limits

Hands-on Lab: Docker and Cgroups

AppArmor

1. Linux Security Models
2. AppArmor explained
3. Developing an AppArmor Profile
4. Docker and AppArmor Profiles
5. Debugging AppArmor

Hands-on Lab: AppArmor and Docker

Seccomp

1. How does Docker use Seccomp?
2. Creating a custom Seccomp profile
3. Using custom profiles for all containers
4. Using the Whitelist

Hands-on Lab: Seccomp

SELinux

1. SELinux explained
2. SELinux Policy, labeling and type enforcement
3. Enable SELinux in Docker
4. Changing SELinux behavior per Container

Hands-on Lab: SELinux

DDos

1. Security approach of DoS Attacks

Hands-on Lab: Docker DDoS attacks performance

Tools for security

• Docker bench

1. What is Docker Bench
2. Docker Bench Options

• InSpec

1. What is InSpec
2. InSpec Install
3. Running Chef InSpec
4. InSpec Profile Structure
5. InSpec Community Profiles

• Anchore

1. How does Anchore work
2. Ancore Engine
3. Installing Anchore Engine
4. Using Anchore

• Jenkins pipelines

1. Continuous integration flow
2. Continuous delivery flow
3. Continuous deployment flow
4. What is Jenkins?
5. What is a pipeline?
6. Securing Jenkins CI/CD Pipeline with Anchore

• Dagda

1. What is Dagda?
2. Installing and running Dagda
3. Dagda database
4. Analyzing docker images/containers
5. Monitoring running containers
6. Getting Docker daemon events

• Sysdig Falco

1. What is Sisdig?
2. What is Falco?
3. Falco rules
4. Installing Falco
5. Running Falco as a daemon

Hands-on Lab:

1. Docker Bench
2. InSpec
3. Anchore
4. Create a Jenkins pipeline for docker image security scanning with anchore
5. Dagda
6. Sysdig Falco

Best Practices

1. Secure the build pipeline
2. Secure the Network
3. Secure the Host
4. Secure the Container Runtime
5. Secure the Orchestrator Config
6. Secure the Data