Research On Security Audit And Monitoring Of Container Level Virtualization

Container technology Docker widely used after it is released,but security issues have begun to attract attention.The main security issues of Docker include multitenant issues,internal DoS attacks,malicious images,and overall security assessment.At present,most of the solutions are difficult to be used in practical environment.The Docker official has given the best practice of security document named CIS Docker Benchmark,but did not give a quantitative method to assess containers security status.At the same time,the security audit tool given by Docker official is not suitable for cluster environment.In resource monitoring,cAdvisor as most popularly tool also could be decrease resource cost.Considering the above issues and environment of Docker cluster,this thesis given a scheme to security audit and monitoring.The detailed work is as follows:1)The thesis gives an assessment model to quantitative assess security status of the nodes based on the best practice of security document.Then designed and implemented a security audit and monitoring tool named sec-Agent.As an agent tool install on the node,its resource consumption is lower than cAdvisor.Using assessment model,sec-Agent could calculate the independent score that represents the node security status.In addition,sec-Agent could collect the resource usage of containers.2)The thesis established an overall security assessment model based on Bayesian network and penetration attack graph in Docker cluster.The thesis designed and implemented the sec-Master platform which used to collect and analyse the security data of all containers.Then calculate the overall security score to evaluate the security status of Docker cluster.Experiments show that the overall security score can represent the security status of Docker cluster.3)In order to solve the security management problems caused by a large number of security data,the thesis designed and implemented the dynamic monitoring web interface and sec-Board through the visualization technology.Compared with visualization interface of cAdvisor,the dynamic monitoring web interface of this thesis consume less resources at broswer.And sec-Board could display the cluster structure and security status at real-time.It could help address the high-risk containers and intuitively see the risk distribution of the Docker cluster.