Docker host and kernel security |
Risk:- If host is compromised, the container isolation won’t make much of a difference
- Kernel exploits
Best practices:- Keep base system updated
- Use minimal, container-centric host systems (CoreOS)
- Enforce Mandatory Access Control to prevent undesired operations -both on the host and on the containers- at the kernel level (Seccomp, AppArmor, SELinux)
|
Container resource abuse |
Risk:- If resource limits are not configured, DoS can be caused by software bugs, design miscalculations or malware attacks
Best practices:- Control groups (cgroups) are a feature of the Linux kernel that allow you to limit the access processes and containers have to system resources
- Load testing by replicating the production loads on pre-production
- Implement Docker monitoring and alerting
|
Container image authenticity |
Risk:- Running unverified software and/or from sources not trusted explicitly
Best practices:- Download images from trusted sources, like trusted Docker registry
- Enable docker trust enforcement (
export DOCKER_CONTENT_TRUST=1 ) - Enforce mandatory signature verification for any image that is going to be pulled or run
|
Container image vulnerabilities |
Risk:- Security vulnerabilities present in the static image
- A container is running version X.Y.Z of the web server which happens to suffer from a critical security flaw
- This flaw has been fixed long ago upstream, but not in the local image
- Inconsistent update and patching
Best practices:- Update and rebuild images periodically to grab the newest security patches
- Integrate a vulnerability scanner (Clair) as a mandatory step of the CI/CD
|
Compromised secrets |
Risk:Best practices:- Do not use environment variables for secrets
- Do not embed any secrets in the container image
- Use a credentials/secrets storage (Vault)
|
Container network traffic |
Risk:- Unsecured communication and unrestricted network traffic
- By default all network traffic is allowed between containers on the same host
- This increases the risk of unintended and unwanted disclosure of information to other containers
Best practices:- Communications with Docker registries should be encrypted over TLS
- Only allow intercommunication that is necessary by linking specific containers
Ports:- Port
2375/TCP & 2376/TCP : docker daemon - Port
5000/TCP : registry
|
Container breakout |
Risk:Best practices:- Drop capabilities that are not required (see Docker Capabilities)
- Monitor dangerous mountpoints from the host
- e.g., the Docker socket (
/var/run/docker.sock ), /proc , /dev - exposing the file system with read-only privileges should be enough, don't give RW
- Create an isolated user namespace
- to limit the maximum privileges of the containers over the host to the equivalent of a regular user
|