
Fallacy #1: Size Is the Most Important Contributor to Attack Surface

Manadhata from Carnegie Mellon has an elegantly simple definition. In his paper An Attack Surface Metric, he states that “a system’s attack surface is the set of ways in which an adversary can enter the system and potentially cause damage.” But how does this translate to containers and container images?

Often, the attack surface of a container image is measured by the number of files in it, or by how many megabytes it uses on disk. These measurements are naive proxies for the actual attack surface. To truly understand attack surface, a security analyst must understand several things:

- Not all files in a container image contribute to attack surface equally. Files that are directly in the execution path (web servers, C libraries, etc.) are more likely to expand the attack surface than files that are not (shells, config files, etc.).
- The quality of the software and configuration (that is, the files) in the direct execution path contributes more to attack surface than the size of the container image or the number of files it contains.
- Software in the direct execution path that is reused across many different container images (C libraries, web servers, encryption libraries, etc.) contributes a larger share of the attack surface.
- Standardizing on the exact same versions (Linux distribution and version) of this widely used execution-path software reduces attack surface and can make compliance and remediation easier.

Stated another way, the standardization and quality of the software in your direct execution path lowers your attack surface more than distroless does. If everything can't be run with the exact same distroless images, you will not benefit much from distroless.

Fallacy #2: You Can Actually Remove the Operating System from a Container Image

Much like cloud, there is no such thing as distroless, just somebody else's Linux distro. So-called "distroless" container images are typically very slimmed-down user space environments without package managers, shells, or other applications you would find in a typical distribution. That's it.

An operating system, and more specifically a Linux distro, is made up of two main components: a kernel and a user space. A kernel is fairly easy to understand: it's a special program that runs on the hardware or virtual machine. The user space is a bit harder to understand.
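To make the execution-path points under Fallacy #1 concrete, here is an added example (not code from the original post or from Red Hat) that scores a constructed fleet of image inventories two ways: the naive file count, and a view that only looks at execution-path components, reporting which widely shared ones have drifted across versions. The inventory format and the hand-assigned in_exec_path labels are assumptions for the demonstration.

```python
from collections import defaultdict

# Constructed sample inventory: image name -> list of (component, version, in_exec_path).
# in_exec_path marks software that handles traffic at runtime (C library, TLS library,
# web server); shells and coreutils are shipped but sit outside the request path.
IMAGES = {
    "api-a": [("glibc", "2.34", True), ("openssl", "3.0.7", True), ("nginx", "1.22", True),
              ("bash", "5.1", False), ("coreutils", "9.0", False)],
    "api-b": [("glibc", "2.34", True), ("openssl", "3.0.7", True), ("nginx", "1.22", True),
              ("bash", "5.1", False), ("coreutils", "9.0", False)],
    "api-c-distroless": [("glibc", "2.31", True), ("openssl", "1.1.1k", True),
                         ("nginx", "1.18", True)],
    "api-d-distroless": [("glibc", "2.36", True), ("openssl", "3.1.0", True)],
}


def naive_size_metric(images):
    """The proxy the post criticises: attack surface as a count of shipped components."""
    return {name: len(comps) for name, comps in images.items()}


def execution_path_report(images):
    """For each execution-path component: how many images ship it, which versions
    are in the fleet, and whether the fleet is standardized on a single version."""
    versions = defaultdict(set)
    shipped_in = defaultdict(int)
    for comps in images.values():
        for comp, ver, in_exec_path in comps:
            if in_exec_path:  # shells and config tooling are deliberately ignored here
                versions[comp].add(ver)
                shipped_in[comp] += 1
    return {
        comp: {"images": shipped_in[comp],
               "versions": sorted(versions[comp]),
               "standardized": len(versions[comp]) == 1}
        for comp in versions
    }


def remediation_targets(images):
    """Components that are both widely reused and not standardized: they carry the
    largest share of attack surface and are the hardest to patch consistently.
    Ordered by how many images ship them, most widely used first."""
    report = execution_path_report(images)
    drifted = [c for c, r in report.items() if r["images"] > 1 and not r["standardized"]]
    return sorted(drifted, key=lambda c: (-report[c]["images"], c))
```

On this fleet the distroless images win on the naive count while every execution-path component they share with the others has drifted, which is the situation the post says erases the benefit of distroless.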
