CN114265663A - Endogenous safety protection method for complete lifecycle of docker - Google Patents

Endogenous safety protection method for complete lifecycle of docker

Info

Publication number
CN114265663A
Authority
CN
China
Prior art keywords
docker
security
program
policy
file
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111059623.2A
Other languages
Chinese (zh)
Inventor
郭威
谢林江
杭菲璐
吕垚
罗震宇
陈何雄
毛正雄
和悦
张振红
何映军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Information Center of Yunnan Power Grid Co Ltd
Original Assignee
Information Center of Yunnan Power Grid Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2021-09-10
Filing date
2021-09-10
Publication date
2022-04-01
Application filed by Information Center of Yunnan Power Grid Co Ltd
Priority to CN202111059623.2A
Publication of CN114265663A
Legal status: Pending

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses an endogenous security protection method covering the complete lifecycle of a Docker container. It comprises the following steps: S1, encapsulating the security policy into the original Docker image to obtain a Docker image that carries the security policy; S2, monitoring the start of the policy-carrying Docker image through a security program on the Docker host and executing the security policy, thereby protecting the entire Docker lifecycle. The invention solves the problem that a security policy cannot migrate freely together with the Docker image.

Description

Endogenous safety protection method for complete lifecycle of docker
Technical Field
The invention relates to the technical field of Docker security, and in particular to an endogenous security protection method for the complete lifecycle of Docker.
Background
With the arrival of the cloud era in recent years, developers have been encouraged to move applications to the cloud. This removes the burden of hardware management, but the problems of deploying the middleware environment remain. Docker, with its strong capability for packaging an environment, simplifies environment configuration, lets a development environment be built quickly, saves storage space and improves development efficiency; it has been widely adopted by software developers and has become a new mode of virtualization service.
Docker is an open-source project that helps developers build lightweight, portable software containers, simplifying application development, testing and deployment. However, because a Docker container and its host can access each other, the same mechanism that eases development and operations also creates a larger security exposure: once either the host or a container is compromised, an attacker can readily cause harm to the other, and because containers can be rescheduled freely across nodes in a Kubernetes (K8S) environment, the reach of such harm is further increased. The security industry has introduced mechanisms such as AppArmor mandatory access control (MAC) and image signing, but these are applied manually by operations staff only in the late stages of a project, and as container-grouping technologies such as Pods develop it becomes hard to pin down exactly which parts of a Docker container need protecting, which places a heavy burden on the overall development process of a Docker project.
Current Docker security technology has at least two practical problems. First, deployment of Docker security protection is concentrated in the operations stage, after the project has been delivered. The security policy is usually written by security operations staff, and the project's developers rarely or never take part, even though the people who best understand what in a Docker project needs protecting are those developers. As a result the security protection stage consumes a large amount of time, and the protection policy is prone to gaps that affect the overall security of the project. Second, a Docker container can migrate between nodes in an environment such as K8S, but its security policy normally resides on the host machine and cannot easily migrate with the container.
Disclosure of Invention
To address these defects of the prior art, the endogenous security protection method for the complete Docker lifecycle provided by the invention solves the problem that the security policy cannot migrate freely with the Docker image.
To achieve this purpose, the invention adopts the following technical scheme. An endogenous security protection method for the full Docker lifecycle comprises the following steps:
S1, encapsulating the security policy into the original Docker image to obtain a Docker image that carries the security policy;
S2, monitoring the start of the policy-carrying Docker image through a security program on the Docker host and executing the security policy, thereby completing security protection of the full Docker lifecycle.
Further, step S1 comprises the following sub-steps:
S11A, selecting an original Docker image;
S12A, deploying the original code to which the security policy applies into the original Docker image;
S13A, scanning the Docker image carrying that code with a Docker policy encapsulation tool to generate the security policy;
S14A, packaging the security policy into the original Docker image with the docker commit command to obtain the Docker image carrying the security policy.
The benefit of this further scheme is that calling docker commit directly to encapsulate the image ensures that the current image contains the complete runtime environment of the whole project, so the newly packaged image satisfies both the project's service requirements and its security requirements. Automating the packaging avoids a great deal of deployment work and reduces the pressure and cost of operations.
Further, step S1 may instead comprise the following sub-steps:
S11B, writing a Dockerfile;
S12B, adding an instruction to the Dockerfile that invokes the Docker policy encapsulation tool to generate the security policy;
S13B, rebuilding the image with the docker build command to obtain the Docker image carrying the security policy.
The benefit of this further scheme is that encapsulating the image through a Dockerfile makes the encapsulation fully automatic, minimizes manual intervention, shortens the image build time and ensures that the project's changes are committed correctly.
Further, the security policy in step S1 comprises trust measurement of executable programs and access control of sensitive files.
Further, the trust measurement of executable programs comprises the following steps:
A1, scanning all executable programs in the Docker image with the Docker policy encapsulation tool to obtain a hash value for each executable program;
A2, saving the hash value of each executable program into a trusted-program policy file;
A3, when an executable program in the Docker image is started, obtaining its hash value through the security program on the Docker host, comparing it with the hash values in the trusted-program policy file, and blocking the start of any executable program whose hash value is unknown, thereby completing the trust measurement of executable programs.
The benefit of this further scheme is that, with the hash values of all executable programs in the Docker image recorded in the trusted-program policy file, the hash comparison performed after the image starts prevents any executable program with an unknown hash from starting, and so blocks malicious programs from running.
Further, access control of sensitive files comprises the following steps:
B1, establishing an access-control policy file for the sensitive files in the Docker image with the Docker policy encapsulation tool;
B2, while the Docker image is running, obtaining through the security program on the Docker host the information of any process that accesses a sensitive file, comparing it with the trusted processes in the access-control policy file, and blocking access by unauthorized processes, thereby completing access control of the sensitive files.
The benefit of this further scheme is that, because the processes permitted to access each sensitive file are recorded in the access-control policy file, access by unauthorized processes can be blocked while the Docker image runs, and so malicious unauthorized access is prevented.
Further, step S2 comprises the following sub-steps:
S21, monitoring the start of all Docker images through the security program on the Docker host, identifying the security policy in each Docker image, and intercepting the start of any Docker image that carries no security policy, so that only Docker images carrying a security policy proceed;
S22, loading the trusted-program policy file through the security program on the Docker host, executing the trust measurement of executable programs, and intercepting the start of any executable program with an unknown hash value in a Docker image that contains the security policy;
S23, loading the access-control policy file for sensitive files through the security program on the Docker host, executing the access control of sensitive files, and intercepting access by unauthorized processes in a Docker image that contains the security policy, thereby executing the security policy and completing security protection of the whole Docker lifecycle.
In conclusion, the beneficial effects of the invention are as follows: the security program on the Docker host monitors the start of all Docker images and rejects those without a security policy; in images that carry a security policy, it intercepts access by unauthorized processes and the start of executable programs with unknown hash values, thereby ensuring security across the entire lifecycle of Docker project development.
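The following Python is an added example, not the patent's code or the Yunnan Power Grid tooling, that models the two halves of the method: the policy encapsulation tool of step S1 (hashing executables, A1 and A2, and writing the sensitive-file ACL, B1) and the decision logic of the Docker-host security program of step S2 (rejecting an image without a policy, S21; blocking an executable with an unknown hash, S22/A3; blocking an unauthorized process's access to a sensitive file, S23/B2). The policy directory name `.security-policy`, the JSON file names, the choice of SHA-256 and the three event methods are all assumptions; the patent specifies neither a hash algorithm nor the mechanism by which image starts, program starts and file accesses are intercepted. The rootfs it scans is constructed in a temporary directory.

```python
"""Added example modelled on the patent's steps S1 (A1, A2, B1) and S2 (S21, S22/A3,
S23/B2). Not the patent's code; file names, JSON layout and events are assumptions."""
import hashlib
import json
import stat
import tempfile
from pathlib import Path

POLICY_DIR = ".security-policy"         # assumed: the policy travels inside the image rootfs
TRUSTED_FILE = "trusted_programs.json"  # assumed name of the trusted-program policy file
ACL_FILE = "sensitive_files.json"       # assumed name of the access-control policy file


def sha256_file(path):
    """Hash a file in chunks. SHA-256 is an assumption; the patent names no algorithm."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_policy(rootfs, sensitive_acl):
    """S1: hash every regular file with an execute bit under the image rootfs (A1),
    write the hashes to the trusted-program file (A2) and the ACL next to it (B1)."""
    root = Path(rootfs)
    trusted = {}
    for p in root.rglob("*"):
        st = p.lstat()  # lstat: a symlink is skipped, not followed into the allowlist
        if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
            trusted["/" + p.relative_to(root).as_posix()] = sha256_file(p)
    pdir = root / POLICY_DIR
    pdir.mkdir(exist_ok=True)
    (pdir / TRUSTED_FILE).write_text(json.dumps(trusted, indent=2, sort_keys=True))
    (pdir / ACL_FILE).write_text(json.dumps(sensitive_acl, indent=2, sort_keys=True))
    return trusted


class HostSecurityProgram:
    """S2 decision logic only. The patent leaves the interception hook open (LSM,
    fanotify, runtime hook, ...); each method returns (allowed, reason)."""

    def __init__(self):
        self.admitted = {}  # container id -> {"hashes": set of hex digests, "acl": dict}

    def on_image_start(self, container, rootfs):
        """S21: an image that carries no security policy is not allowed to start."""
        pdir = Path(rootfs) / POLICY_DIR
        try:
            trusted = json.loads((pdir / TRUSTED_FILE).read_text())
            acl = json.loads((pdir / ACL_FILE).read_text())
        except (OSError, ValueError) as e:
            return False, "image carries no usable security policy: %s" % e
        self.admitted[container] = {"hashes": set(trusted.values()), "acl": acl}
        return True, "policy loaded, %d trusted programs" % len(trusted)

    def on_exec(self, container, rootfs, exe):
        """S22 / A3: hash the program as it starts; an unknown hash is blocked."""
        pol = self.admitted.get(container)
        if pol is None:
            return False, "container was never admitted"
        if sha256_file(Path(rootfs) / exe.lstrip("/")) not in pol["hashes"]:
            return False, "unknown hash for %s" % exe
        return True, "trusted program"

    def on_file_access(self, container, process_exe, path):
        """S23 / B2: only the processes listed for a sensitive file may access it."""
        pol = self.admitted.get(container)
        if pol is None:
            return False, "container was never admitted"
        allowed = pol["acl"].get(path)  # None means the file is not sensitive
        if allowed is None or process_exe in allowed:
            return True, "allowed"
        return False, "%s is not authorized for %s" % (process_exe, path)


def demo():
    """Constructed rootfs with two executables and one secret; returns each decision."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "rootfs"
        for rel, body in {"usr/bin/app": b"#!/bin/sh\necho app\n",
                          "usr/bin/debug-shell": b"#!/bin/sh\nexec sh\n"}.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(body)
            (root / rel).chmod(0o755)
        (root / "etc/app").mkdir(parents=True)
        (root / "etc/app/db.key").write_bytes(b"constructed secret\n")
        hsp = HostSecurityProgram()
        results["bare_image"] = hsp.on_image_start("c0", tmp)[0]  # tmp has no policy dir: never went through S1
        build_policy(root, {"/etc/app/db.key": ["/usr/bin/app"]})
        results["policy_image"] = hsp.on_image_start("c1", root)[0]
        results["known_exe"] = hsp.on_exec("c1", root, "/usr/bin/app")[0]
        results["authorized_read"] = hsp.on_file_access("c1", "/usr/bin/app", "/etc/app/db.key")[0]
        results["unauthorized_read"] = hsp.on_file_access("c1", "/usr/bin/debug-shell", "/etc/app/db.key")[0]
        (root / "usr/bin/app").write_bytes(b"#!/bin/sh\necho tampered\n")  # changed after S1
        results["tampered_exe"] = hsp.on_exec("c1", root, "/usr/bin/app")[0]
    return results
```

In the Dockerfile variant (S11B to S13B) `build_policy` would run as the last build step so that the two JSON files land in an image layer and migrate with the image; in the docker commit variant (S11A to S14A) it would run inside the container just before the commit. Two caveats a practitioner should keep in mind: `on_exec` hashes the program at start time, which catches a binary modified after the image was built (the `tampered_exe` case) but leaves a window between hashing and execution unless the hook sits in the kernel's exec path, and the policy files themselves are only as trustworthy as the image that carries them, so the image should still be signed.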
Drawings
Fig. 1 is a flow chart of the endogenous security protection method for the full Docker lifecycle.
Detailed Description
The following description of embodiments of the invention is provided to help those skilled in the art understand the invention. It should be understood that the invention is not limited to the scope of these embodiments; those skilled in the art will recognize that various changes may be made without departing from the spirit and scope of the invention as defined in the appended claims, and everything produced using the inventive concept is protected.
As shown in Fig. 1, an endogenous security protection method for the full Docker lifecycle comprises the following steps:
S1, encapsulating the security policy into the original Docker image to obtain a Docker image that carries the security policy;
S2, monitoring the start of the policy-carrying Docker image through a security program on the Docker host and executing the security policy, thereby completing security protection of the full Docker lifecycle.
The Docker image carrying the security policy can be obtained in step S1 by either of the following two methods.
The first method comprises the following steps:
S11A, selecting an original Docker image;
S12A, deploying the original code to which the security policy applies into the original Docker image;
S13A, scanning the Docker image carrying that code with a Docker policy encapsulation tool to generate the security policy;
S14A, packaging the security policy into the original Docker image with the docker commit command to obtain the Docker image carrying the security policy.
The second method comprises the following steps:
S11B, writing a Dockerfile;
S12B, adding an instruction to the Dockerfile that invokes the Docker policy encapsulation tool to generate the security policy;
S13B, rebuilding the image with the docker build command to obtain the Docker image carrying the security policy.
The security policy in step S1 comprises trust measurement of executable programs and access control of sensitive files.
The trust measurement of executable programs comprises the following steps:
A1, scanning all executable programs in the Docker image with the Docker policy encapsulation tool to obtain a hash value for each executable program;
A2, saving the hash value of each executable program into a trusted-program policy file;
A3, when an executable program in the Docker image is started, obtaining its hash value through the security program on the Docker host, comparing it with the hash values in the trusted-program policy file, and blocking the start of any executable program whose hash value is unknown, thereby completing the trust measurement of executable programs.
The access control of sensitive files comprises the following steps:
B1, establishing an access-control policy file for the sensitive files in the Docker image with the Docker policy encapsulation tool;
B2, while the Docker image is running, obtaining through the security program on the Docker host the information of any process that accesses a sensitive file, comparing it with the trusted processes in the access-control policy file, and blocking access by unauthorized processes, thereby completing access control of the sensitive files.
Step S2 comprises the following sub-steps:
S21, monitoring the start of all Docker images through the security program on the Docker host, identifying the security policy in each Docker image, and intercepting the start of any Docker image that carries no security policy, so that only Docker images carrying a security policy proceed;
S22, loading the trusted-program policy file through the security program on the Docker host, executing the trust measurement of executable programs, and intercepting the start of any executable program with an unknown hash value in a Docker image that contains the security policy;
S23, loading the access-control policy file for sensitive files through the security program on the Docker host, executing the access control of sensitive files, and intercepting access by unauthorized processes in a Docker image that contains the security policy, thereby executing the security policy and completing security protection of the whole Docker lifecycle.

Claims (7)

1. An endogenous security protection method for the complete lifecycle of Docker, comprising the steps of:
S1, encapsulating the security policy into the original Docker image to obtain a Docker image that carries the security policy;
S2, monitoring the start of the policy-carrying Docker image through a security program on the Docker host and executing the security policy, thereby completing security protection of the full Docker lifecycle.
2. The endogenous security protection method for the full Docker lifecycle according to claim 1, wherein step S1 comprises the following sub-steps:
S11A, selecting an original Docker image;
S12A, deploying the original code to which the security policy applies into the original Docker image;
S13A, scanning the Docker image carrying that code with a Docker policy encapsulation tool to generate the security policy;
S14A, packaging the security policy into the original Docker image with the docker commit command to obtain the Docker image carrying the security policy.
3. The endogenous security protection method for the full Docker lifecycle according to claim 1, wherein step S1 comprises the following sub-steps:
S11B, writing a Dockerfile;
S12B, adding an instruction to the Dockerfile that invokes the Docker policy encapsulation tool to generate the security policy;
S13B, rebuilding the image with the docker build command to obtain the Docker image carrying the security policy.
4. The endogenous security protection method for the full Docker lifecycle according to claim 1, wherein the security policy in step S1 comprises trust measurement of executable programs and access control of sensitive files.
5. The endogenous security protection method for the full Docker lifecycle according to claim 4, wherein the trust measurement of executable programs comprises:
A1, scanning all executable programs in the Docker image with the Docker policy encapsulation tool to obtain a hash value for each executable program;
A2, saving the hash value of each executable program into a trusted-program policy file;
A3, when an executable program in the Docker image is started, obtaining its hash value through the security program on the Docker host, comparing it with the hash values in the trusted-program policy file, and blocking the start of any executable program whose hash value is unknown, thereby completing the trust measurement of executable programs.
6. The endogenous security protection method for the full Docker lifecycle according to claim 4, wherein the access control of sensitive files comprises:
B1, establishing an access-control policy file for the sensitive files in the Docker image with the Docker policy encapsulation tool;
B2, while the Docker image is running, obtaining through the security program on the Docker host the information of any process that accesses a sensitive file, comparing it with the trusted processes in the access-control policy file, and blocking access by unauthorized processes, thereby completing access control of the sensitive files.
7. The endogenous security protection method for the full Docker lifecycle according to claim 1, wherein step S2 comprises the following sub-steps:
S21, monitoring the start of all Docker images through the security program on the Docker host, identifying the security policy in each Docker image, and intercepting the start of any Docker image that carries no security policy, so that only Docker images carrying a security policy proceed;
S22, loading the trusted-program policy file through the security program on the Docker host, executing the trust measurement of executable programs, and intercepting the start of any executable program with an unknown hash value in a Docker image that contains the security policy;
S23, loading the access-control policy file for sensitive files through the security program on the Docker host, executing the access control of sensitive files, and intercepting access by unauthorized processes in a Docker image that contains the security policy, thereby executing the security policy and completing security protection of the whole Docker lifecycle.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111059623.2A CN114265663A (en) 2021-09-10 2021-09-10 Endogenous safety protection method for complete lifecycle of docker

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111059623.2A CN114265663A (en) 2021-09-10 2021-09-10 Endogenous safety protection method for complete lifecycle of docker

Publications (1)

Publication Number Publication Date
CN114265663A (en) 2022-04-01

Family

ID=80824561

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111059623.2A Pending CN114265663A (en) 2021-09-10 2021-09-10 Endogenous safety protection method for complete lifecycle of docker

Country Status (1)

Country Link
CN (1) CN114265663A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104951708A (en) * 2015-06-11 2015-09-30 Inspur Electronic Information Industry Co., Ltd. File measurement and protection method and device
CN109992956A (en) * 2017-12-29 2019-07-09 Huawei Technologies Co., Ltd. Processing method for a container security policy and related apparatus

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination