Cloud Native Security
✍ Scribed by Chris Binnie, Rory McCune
- Publisher: Wiley
- Year: 2021
- Tongue: English
- Leaves: 334
- Edition: 1
- Category: Library
✦ Synopsis
Explore the latest and most comprehensive guide to securing your Cloud Native technology stack
Cloud Native Security delivers a detailed study of minimizing the attack surfaces found on today’s Cloud Native infrastructure. Throughout the work, hands-on examples walk through mitigating threats and the areas of concern that need to be addressed. The book contains the information that professionals need in order to build the diverse mix of niche knowledge required to harden Cloud Native estates.
The book begins with more accessible content about understanding Linux containers and container runtime protection before moving on to more advanced subject matter like advanced attacks on Kubernetes. You’ll also learn about:
- Installing and configuring multiple types of DevSecOps tooling in CI/CD pipelines
- Building a forensic logging system that can provide exceptional levels of detail, suited to busy containerized estates
- Securing the most popular container orchestrator, Kubernetes
- Hardening cloud platforms and automating security enforcement in the cloud using sophisticated policies
Perfect for DevOps engineers, platform engineers, security professionals and students, Cloud Native Security will earn a place in the libraries of all professionals who wish to improve their understanding of modern security challenges.
✦ Table of Contents
Cover
Title Page
Copyright Page
About the Authors
About the Technical Editor
Contents at a Glance
Contents
Introduction
Meeting the Challenge
What Does This Book Cover?
A Few Conventions
Companion Download Files
How to Contact the Publisher
Part I Container and Orchestrator Security
Chapter 1 What Is A Container?
Common Misconceptions
Container Components
Kernel Capabilities
Other Containers
Summary
Chapter 2 Rootless Runtimes
Docker Rootless Mode
Installing Rootless Mode
Running Rootless Podman
Setting Up Podman
Summary
Chapter 3 Container Runtime Protection
Running Falco
Configuring Rules
Changing Rules
Macros
Lists
Getting Your Priorities Right
Tagging Rulesets
Outputting Alerts
Summary
Chapter 4 Forensic Logging
Things to Consider
Salient Files
Breaking the Rules
Key Commands
The Rules
Parsing Rules
Monitoring
Ordering and Performance
Summary
Chapter 5 Kubernetes Vulnerabilities
Mini Kubernetes
Options for Using kube-hunter
Deployment Methods
Scanning Approaches
Hunting Modes
Container Deployment
Inside Cluster Tests
Minikube vs. kube-hunter
Getting a List of Tests
Summary
Chapter 6 Container Image CVEs
Understanding CVEs
Trivy
Getting Started
Exploring Anchore
Clair
Secure Registries
Summary
Part II DevSecOps Tooling
Chapter 7 Baseline Scanning (or, Zap Your Apps)
Where to Find ZAP
Baseline Scanning
Scanning Nmap’s Host
Adding Regular Expressions
Summary
Chapter 8 Codifying Security
Security Tooling
Installation
Simple Tests
Example Attack Files
Summary
Chapter 9 Kubernetes Compliance
Mini Kubernetes
Using kube-bench
Troubleshooting
Automation
Summary
Chapter 10 Securing Your Git Repositories
Things to Consider
Installing and Running Gitleaks
Installing and Running GitRob
Summary
Chapter 11 Automated Host Security
Machine Images
Idempotency
Secure Shell Example
Kernel Changes
Summary
Chapter 12 Server Scanning With Nikto
Things to Consider
Installation
Scanning a Second Host
Running Options
Command-Line Options
Evasion Techniques
The Main Nikto Configuration File
Summary
Part III Cloud Security
Chapter 13 Monitoring Cloud Operations
Host Dashboarding with NetData
Installing Netdata
Host Installation
Container Installation
Collectors
Uninstalling Host Packages
Cloud Platform Interrogation with Komiser
Installation Options
Summary
Chapter 14 Cloud Guardianship
Installing Cloud Custodian
Wrapper Installation
Python Installation
EC2 Interaction
More Complex Policies
IAM Policies
S3 Data at Rest
Generating Alerts
Summary
Chapter 15 Cloud Auditing
Runtime, Host, and Cloud Testing with Lunar
Installing to a Bash Default Shell
Execution
Cloud Auditing Against Benchmarks
AWS Auditing with Cloud Reports
Generating Reports
EC2 Auditing
CIS Benchmarks and AWS Auditing with Prowler
Summary
Chapter 16 AWS Cloud Storage
Buckets
Native Security Settings
Automated S3 Attacks
Storage Hunting
Summary
Part IV Advanced Kubernetes and Runtime Security
Chapter 17 Kubernetes External Attacks
The Kubernetes Network Footprint
Attacking the API Server
API Server Information Discovery
Avoiding API Server Information Disclosure
Exploiting Misconfigured API Servers
Preventing Unauthenticated Access to the API Server
Attacking etcd
etcd Information Discovery
Exploiting Misconfigured etcd Servers
Preventing Unauthorized etcd Access
Attacking the Kubelet
Kubelet Information Discovery
Exploiting Misconfigured Kubelets
Preventing Unauthenticated Kubelet Access
Summary
Chapter 18 Kubernetes Authorization with RBAC
Kubernetes Authorization Mechanisms
RBAC Overview
RBAC Gotchas
Avoid the cluster-admin Role
Built-In Users and Groups Can Be Dangerous
Read-Only Can Be Dangerous
Create Pod Is Dangerous
Kubernetes Rights Can Be Transient
Other Dangerous Objects
Auditing RBAC
Using kubectl
Additional Tooling
Rakkess
kubectl-who-can
Rback
Summary
Chapter 19 Network Hardening
Container Network Overview
Node IP Addresses
Pod IP Addresses
Service IP Addresses
Restricting Traffic in Kubernetes Clusters
Setting Up a Cluster with Network Policies
Getting Started
Allowing Access
Egress Restrictions
Network Policy Restrictions
CNI Network Policy Extensions
Cilium
Calico
Summary
Chapter 20 Workload Hardening
Using Security Context in Manifests
General Approach
allowPrivilegeEscalation
Capabilities
privileged
readOnlyRootFilesystem
seccompProfile
Mandatory Workload Security
Pod Security Standards
PodSecurityPolicy
Setting Up PSPs
PSPs and RBAC
PSP Alternatives
Open Policy Agent
Installation
Enforcement Actions
Kyverno
Installation
Operation
Summary
Index
EULA