Server security via unattended upgrades

Staying on Top of Server Security

A presentation by Justin Mayer
Friday, February 20, 2015


Foundation

Familiarity with Linux package management…

and Docker containers…

will be useful but not required ☺

2014

… not a great year for security

Unattended Upgrades

… are the first line of defense

Unattended Upgrades

… are not always unattended

Remember… physical servers?

Remember… plastic discs?

Guided installation of unattended upgrades

There has been a shift

from physical servers to virtual private servers

with optimized, one-step OS installation.

Sane defaults

There is no menu of choices

“Safer” not to upgrade automatically

Your system is now vulnerable

We’ll do it live!

Installing manually is easy enough:

apt-get install unattended-upgrades

… or is it?

Installed… but not enabled?

You think you are covered

… but you are probably wrong.

Manual text file editing to the rescue

Create /etc/apt/apt.conf.d/20auto-upgrades:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
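The gap the previous slides describe (package installed, nothing scheduled) is easy to check mechanically. The script below is an added example, not from the talk: it reads the `APT::Periodic::*` keys the way APT does, from every file in an `apt.conf.d` directory in lexical order with later files overriding earlier ones, and reports whether both keys are non-zero. The directory is a parameter so the check can be run against a copy or the constructed sample in `demo`; on a live host point it at `/etc/apt/apt.conf.d`.

```shell
#!/bin/sh
# Added example (not from the talk): confirm that unattended-upgrades is
# not merely installed but actually scheduled to run. APT reads every
# file in the configuration directory; the directory is passed in so the
# check can run without root against a copy or a constructed sample.

# periodic_value DIR KEY -> prints the effective value of APT::Periodic::KEY
# (last definition wins, matching APT's lexical-order merge of drop-ins).
periodic_value() {
    dir=$1; key=$2
    cat "$dir"/* 2>/dev/null \
      | sed -n "s/^APT::Periodic::$key[[:space:]]*\"\([0-9]*\)\";.*/\1/p" \
      | tail -n 1
}

# auto_upgrades_enabled DIR -> exit 0 when both the list refresh and the
# upgrade run are scheduled, 1 when either is missing or set to "0".
auto_upgrades_enabled() {
    lists=$(periodic_value "$1" Update-Package-Lists)
    upgrade=$(periodic_value "$1" Unattended-Upgrade)
    [ "${lists:-0}" -gt 0 ] && [ "${upgrade:-0}" -gt 0 ]
}

# demo: a constructed apt.conf.d with the 20auto-upgrades file from the
# slide, then a later drop-in that silently disables the upgrade run.
demo() {
    d=$(mktemp -d)
    printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "1";\n' \
        > "$d/20auto-upgrades"
    auto_upgrades_enabled "$d" && echo "20auto-upgrades alone: enabled"
    printf 'APT::Periodic::Unattended-Upgrade "0";\n' > "$d/99local"
    auto_upgrades_enabled "$d" || echo "with 99local override: disabled"
    rm -rf "$d"
}

demo
```

On a real Debian or Ubuntu host the authoritative view is `apt-config dump | grep Periodic`, which shows the merged result of all drop-ins; the parser above reproduces that merge for the two keys that matter here.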

Rebooting

Kernel updates require a reboot to take effect

How do you know when that is? (when you log in)

Two solutions:

  1. email notifications
  2. automatic reboots
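Both solutions are settings of unattended-upgrades itself. The script below is an added example, not from the talk: it writes a drop-in with the real `Unattended-Upgrade::Mail`, `Unattended-Upgrade::Automatic-Reboot` and `Unattended-Upgrade::Automatic-Reboot-Time` keys, and checks the `/var/run/reboot-required` flag that Debian and Ubuntu create when an installed package (typically a kernel) needs a reboot. The drop-in file name `51reboot-policy`, the target directory and the flag-file path are parameters chosen for the example so it can run without root.

```shell
#!/bin/sh
# Added example (not from the talk): the two reboot strategies from the
# slide expressed as unattended-upgrades settings. The option names are
# real; the file name 51reboot-policy and the directory are assumptions.

# write_reboot_policy DIR MAILTO [REBOOT_TIME]
# Mail a report to MAILTO after every run. With REBOOT_TIME set, also
# reboot at that time when a package has flagged that a reboot is needed;
# without it, rely on the e-mail and reboot by hand.
write_reboot_policy() {
    dir=$1; mailto=$2; when=$3
    {
        printf 'Unattended-Upgrade::Mail "%s";\n' "$mailto"
        if [ -n "$when" ]; then
            printf 'Unattended-Upgrade::Automatic-Reboot "true";\n'
            printf 'Unattended-Upgrade::Automatic-Reboot-Time "%s";\n' "$when"
        else
            printf 'Unattended-Upgrade::Automatic-Reboot "false";\n'
        fi
    } > "$dir/51reboot-policy"
}

# reboot_policy DIR -> prints "auto" or "notify" from the drop-in
reboot_policy() {
    if grep -q 'Automatic-Reboot "true"' "$1/51reboot-policy" 2>/dev/null; then
        echo auto
    else
        echo notify
    fi
}

# reboot_required [FLAGFILE]
# The flag file is what unattended-upgrades consults before rebooting;
# it is also what you would check at login instead of guessing.
reboot_required() {
    [ -e "${1:-/var/run/reboot-required}" ]
}

# demo with a constructed directory: e-mail-only policy, then automatic
# reboot at 02:00, then the flag-file check.
demo() {
    d=$(mktemp -d)
    write_reboot_policy "$d" root
    echo "mail only: $(reboot_policy "$d")"
    write_reboot_policy "$d" root 02:00
    echo "with reboot time: $(reboot_policy "$d")"
    touch "$d/reboot-required"
    reboot_required "$d/reboot-required" && echo "flag present: reboot needed"
    rm -rf "$d"
}

demo
```

Pick one strategy per host: e-mail only for machines where an unplanned reboot costs more than a short exposure window, automatic reboot at a quiet hour for the rest. Either way the flag file, not the login banner, is the signal to act on.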

Live kernel patching to the rescue!

Just landed:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1d9c5d79e6e4385aea6f69c23ba543717434ed70

… but there are caveats:

  1. Not here yet
  2. May not be enabled by default

Docker security

It’s a different beast

The things we just learned do not apply to containers.

What is Docker’s equivalent to unattended-upgrades?

Docker Hub

Mark the upstream repository as linked

Your image will be rebuilt when upstream image changes

Updating containers

Still need to pull the new image

… and respawn the container

You must figure out how to automate this
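One way to automate the pull-and-respawn step, as an added example that is not from the talk: compare the image ID the running container was created from with the image ID that `docker pull` just fetched, and only stop, remove and re-run the container when they differ, so a cron job can call this every hour without needlessly restarting anything. The container name, image reference and `docker run` options are whatever you started the container with; the ones in the comments are placeholders.

```shell
#!/bin/sh
# Added example (not from the talk): pull a fresh image and respawn the
# container only when the image ID actually changed. Assumes the
# container was started with "docker run --name NAME [options] IMAGE".

# Image ID the container was created from.
container_image_id() {
    docker inspect --format '{{.Image}}' "$1"
}

# Image ID currently stored locally under a repository:tag reference.
local_image_id() {
    docker inspect --format '{{.Id}}' "$1"
}

# refresh_container NAME IMAGE [docker run options...]
# Exit 0 when the container was respawned on a new image,
# 1 when it was already running the current one.
refresh_container() {
    name=$1; image=$2; shift 2
    docker pull "$image" >/dev/null
    old=$(container_image_id "$name")
    new=$(local_image_id "$image")
    if [ "$old" = "$new" ]; then
        echo "$name already runs $image ($new)"
        return 1
    fi
    docker stop "$name" >/dev/null
    docker rm "$name" >/dev/null
    docker run -d --name "$name" "$@" "$image" >/dev/null
    echo "$name respawned: $old -> $new"
    return 0
}

# Example invocation (placeholder name, image and options):
#   refresh_container web nginx:latest -p 80:80
```

This closes the loop with the Docker Hub linked-repository rebuild: Hub rebuilds the image when upstream changes, and this script, run from cron, picks the rebuilt image up and respawns the container. Anything the container needs to survive a respawn (data volumes, environment, port mappings) has to be in the `docker run` options, because the old container is removed.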

Thanks!

Thoughts?

Justin Mayer — @jmayer

Monitorial — @monitorial

This presentation:
justinmayer.com/talks/scale13x/server-security/