Cloud Native Security
Introduction to the book "Cloud Native Security" by Chris Binnie and Rory McCune, published by Wiley & Sons in 2021. The book is provided in PDF format, in English. "Cloud Native Security" is listed in the Uncategorized category.
**Explore the latest and most comprehensive guide to securing your Cloud Native technology stack**

Cloud Native Security delivers a detailed study into minimizing the attack surfaces found on today’s Cloud Native infrastructure. Throughout the work hands-on examples walk through mitigating threats and the areas of concern that need to be addressed. The book contains the information that professionals need in order to build a diverse mix of the niche knowledge required to harden Cloud Native estates.

The book begins with more accessible content about understanding Linux containers and container runtime protection before moving on to more advanced subject matter like advanced attacks on Kubernetes. You’ll also learn about:

* Installing and configuring multiple types of DevSecOps tooling in CI/CD pipelines
* Building a forensic logging system that can provide exceptional levels of detail, suited to busy containerized estates
* Securing the most popular container orchestrator, Kubernetes
* Hardening cloud platforms and automating security enforcement in the cloud using sophisticated policies

Perfect for DevOps engineers, platform engineers, security professionals and students, Cloud Native Security will earn a place in the libraries of all professionals who wish to improve their understanding of modern security challenges.

Table of contents:

* Front matter: Cover; Title Page; Copyright Page; About the Authors; About the Technical Editor; Contents at a Glance; Contents
* Introduction: Meeting the Challenge; What Does This Book Cover?; A Few Conventions; Companion Download Files; How to Contact the Publisher

Part I: Container and Orchestrator Security

* Chapter 1, What Is A Container?: Common Misconceptions; Container Components; Kernel Capabilities; Other Containers; Summary
* Chapter 2, Rootless Runtimes: Docker Rootless Mode; Installing Rootless Mode; Running Rootless Podman; Setting Up Podman; Summary
* Chapter 3, Container Runtime Protection: Running Falco; Configuring Rules; Changing Rules; Macros; Lists; Getting Your Priorities Right; Tagging Rulesets; Outputting Alerts; Summary
* Chapter 4, Forensic Logging: Things to Consider; Salient Files; Breaking the Rules; Key Commands; The Rules; Parsing Rules; Monitoring; Ordering and Performance; Summary
* Chapter 5, Kubernetes Vulnerabilities: Mini Kubernetes; Options for Using kube-hunter; Deployment Methods; Scanning Approaches; Hunting Modes; Container Deployment; Inside Cluster Tests; Minikube vs. kube-hunter; Getting a List of Tests; Summary
* Chapter 6, Container Image CVEs: Understanding CVEs; Trivy; Getting Started; Exploring Anchore; Clair; Secure Registries; Summary

Part II: DevSecOps Tooling

* Chapter 7, Baseline Scanning (or, Zap Your Apps): Where to Find ZAP; Baseline Scanning; Scanning Nmap’s Host; Adding Regular Expressions; Summary
* Chapter 8, Codifying Security: Security Tooling; Installation; Simple Tests; Example Attack Files; Summary
* Chapter 9, Kubernetes Compliance: Mini Kubernetes; Using kube-bench; Troubleshooting; Automation; Summary
* Chapter 10, Securing Your Git Repositories: Things to Consider; Installing and Running Gitleaks; Installing and Running GitRob; Summary
* Chapter 11, Automated Host Security: Machine Images; Idempotency; Secure Shell Example; Kernel Changes; Summary
* Chapter 12, Server Scanning With Nikto: Things to Consider; Installation; Scanning a Second Host; Running Options; Command-Line Options; Evasion Techniques; The Main Nikto Configuration File; Summary

Part III: Cloud Security

* Chapter 13, Monitoring Cloud Operations: Host Dashboarding with NetData; Installing Netdata; Host Installation; Container Installation; Collectors; Uninstalling Host Packages; Cloud Platform Interrogation with Komiser; Installation Options; Summary
* Chapter 14, Cloud Guardianship: Installing Cloud Custodian; Wrapper Installation; Python Installation; EC2 Interaction; More Complex Policies; IAM Policies; S3 Data at Rest; Generating Alerts; Summary
* Chapter 15, Cloud Auditing: Runtime, Host, and Cloud Testing with Lunar; Installing to a Bash Default Shell; Execution; Cloud Auditing Against Benchmarks; AWS Auditing with Cloud Reports; Generating Reports; EC2 Auditing; CIS Benchmarks and AWS Auditing with Prowler; Summary
* Chapter 16, AWS Cloud Storage: Buckets; Native Security Settings; Automated S3 Attacks; Storage Hunting; Summary

Part IV: Advanced Kubernetes and Runtime Security

* Chapter 17, Kubernetes External Attacks: The Kubernetes Network Footprint; Attacking the API Server; API Server Information Discovery; Avoiding API Server Information Disclosure; Exploiting Misconfigured API Servers; Preventing Unauthenticated Access to the API Server; Attacking etcd; etcd Information Discovery; Exploiting Misconfigured etcd Servers; Preventing Unauthorized etcd Access; Attacking the Kubelet; Kubelet Information Discovery; Exploiting Misconfigured Kubelets; Preventing Unauthenticated Kubelet Access; Summary
* Chapter 18, Kubernetes Authorization with RBAC: Kubernetes Authorization Mechanisms; RBAC Overview; RBAC Gotchas; Avoid the cluster-admin Role; Built-In Users and Groups Can Be Dangerous; Read-Only Can Be Dangerous; Create Pod Is Dangerous; Kubernetes Rights Can Be Transient; Other Dangerous Objects; Auditing RBAC; Using kubectl; Additional Tooling; Rakkess; kubectl-who-can; Rback; Summary
* Chapter 19, Network Hardening: Container Network Overview; Node IP Addresses; Pod IP Addresses; Service IP Addresses; Restricting Traffic in Kubernetes Clusters; Setting Up a Cluster with Network Policies; Getting Started; Allowing Access; Egress Restrictions; Network Policy Restrictions; CNI Network Policy Extensions; Cilium; Calico; Summary
* Chapter 20, Workload Hardening: Using Security Context in Manifests; General Approach; allowPrivilegeEscalation; Capabilities; privileged; readOnlyRootFilesystem; seccompProfile; Mandatory Workload Security; Pod Security Standards; PodSecurityPolicy; Setting Up PSPs; Setting Up PSPs; PSPs and RBAC; PSP Alternatives; Open Policy Agent; Installation; Enforcement Actions; Kyverno; Installation; Operation; Summary

* Back matter: Index; EULA