Cloud Native Security
Explore the latest and most comprehensive guide to securing your Cloud Native technology stack. Cloud Native Security delivers a detailed study into minimizing the attack surfaces found on today's Cloud Native infrastructure. Throughout the work, hands-on examples walk through mitigating threats...
Classification: | Electronic Book |
---|---|
Main authors: | , |
Format: | Electronic eBook |
Language: | English |
Published: | Hoboken, NJ : John Wiley & Sons, [2021] |
Subjects: | |
Online access: | Full text (requires prior registration with institutional email) |
Table of Contents:
- Introduction
- Part I Container and Orchestrator Security
- Chapter 1 What is a Container?
- Common Misconceptions
- Container Components
- Kernel Capabilities
- Other Containers
- Summary
- Chapter 2 Rootless Runtimes
- Docker Rootless Mode
- Installing Rootless Mode
- Running Rootless Podman
- Setting Up Podman
- Summary
- Chapter 3 Container Runtime Protection
- Running Falco
- Configuring Rules
- Changing Rules
- Macros
- Lists
- Getting Your Priorities Right
- Tagging Rulesets
- Outputting Alerts
- Summary
- Chapter 4 Forensic Logging
- Things to Consider
- Salient Files
- Breaking the Rules
- Key Commands
- The Rules
- Parsing Rules
- Monitoring
- Ordering and Performance
- Summary
- Chapter 5 Kubernetes Vulnerabilities
- Mini Kubernetes
- Options for Using kube-hunter
- Deployment Methods
- Scanning Approaches
- Hunting Modes
- Container Deployment
- Inside Cluster Tests
- Minikube vs. kube-hunter
- Getting a List of Tests
- Summary
- Chapter 6 Container Image CVEs
- Understanding CVEs
- Trivy
- Getting Started
- Exploring Anchore
- Clair
- Secure Registries
- Summary
- Part II DevSecOps Tooling
- Chapter 7 Baseline Scanning (or, Zap Your Apps)
- Where to Find ZAP
- Baseline Scanning
- Scanning Nmap’s Host
- Adding Regular Expressions
- Summary
- Chapter 8 Codifying Security
- Security Tooling
- Installation
- Simple Tests
- Example Attack Files
- Summary
- Chapter 9 Kubernetes Compliance
- Mini Kubernetes
- Using kube-bench
- Troubleshooting
- Automation
- Summary
- Chapter 10 Securing Your Git Repositories
- Things to Consider
- Installing and Running Gitleaks
- Installing and Running GitRob
- Summary
- Chapter 11 Automated Host Security
- Machine Images
- Idempotency
- Secure Shell Example
- Kernel Changes
- Summary
- Chapter 12 Server Scanning With Nikto
- Things to Consider
- Installation
- Scanning a Second Host
- Running Options
- Command-Line Options
- Evasion Techniques
- The Main Nikto Configuration File
- Summary
- Part III Cloud Security
- Chapter 13 Monitoring Cloud Operations
- Host Dashboarding with NetData
- Installing Netdata
- Host Installation
- Container Installation
- Collectors
- Uninstalling Host Packages
- Cloud Platform Interrogation with Komiser
- Installation Options
- Summary
- Chapter 14 Cloud Guardianship
- Installing Cloud Custodian
- Wrapper Installation
- Python Installation
- EC2 Interaction
- More Complex Policies
- IAM Policies
- S3 Data at Rest
- Generating Alerts
- Summary
- Chapter 15 Cloud Auditing
- Runtime, Host, and Cloud Testing with Lunar
- Installing to a Bash Default Shell
- Execution
- Cloud Auditing Against Benchmarks
- AWS Auditing with Cloud Reports
- Generating Reports
- EC2 Auditing
- CIS Benchmarks and AWS Auditing with Prowler
- Summary
- Chapter 16 AWS Cloud Storage
- Buckets
- Native Security Settings
- Automated S3 Attacks
- Storage Hunting
- Summary
- Part IV Advanced Kubernetes and Runtime Security
- Chapter 17 Kubernetes External Attacks
- The Kubernetes Network Footprint
- Attacking the API Server
- API Server Information Discovery
- Avoiding API Server Information Disclosure
- Exploiting Misconfigured API Servers
- Preventing Unauthenticated Access to the API Server
- Attacking etcd
- etcd Information Discovery
- Exploiting Misconfigured etcd Servers
- Preventing Unauthorized etcd Access
- Attacking the Kubelet
- Kubelet Information Discovery
- Exploiting Misconfigured Kubelets
- Preventing Unauthenticated Kubelet Access
- Summary
- Chapter 18 Kubernetes Authorization with RBAC
- Kubernetes Authorization Mechanisms
- RBAC Overview
- RBAC Gotchas
- Avoid the cluster-admin Role
- Built-In Users and Groups Can Be Dangerous
- Read-Only Can Be Dangerous
- Create Pod is Dangerous
- Kubernetes Rights Can Be Transient
- Other Dangerous Objects
- Auditing RBAC
- Using kubectl
- Additional Tooling
- Rakkess
- kubectl-who-can
- Rback
- Summary
- Chapter 19 Network Hardening
- Container Network Overview
- Node IP Addresses
- Pod IP Addresses
- Service IP Addresses
- Restricting Traffic in Kubernetes Clusters
- Setting Up a Cluster with Network Policies
- Getting Started
- Allowing Access
- Egress Restrictions
- Network Policy Restrictions
- CNI Network Policy Extensions
- Cilium
- Calico
- Summary
- Chapter 20 Workload Hardening
- Using Security Context in Manifests
- General Approach
- allowPrivilegeEscalation
- Capabilities
- privileged
- readOnlyRootFilesystem
- seccompProfile
- Mandatory Workload Security
- Pod Security Standards
- PodSecurityPolicy
- Setting Up PSPs
- Setting Up PSPs
- PSPs and RBAC
- PSP Alternatives
- Open Policy Agent
- Installation
- Enforcement Actions
- Kyverno
- Installation
- Operation
- Summary
- Index