
Secure Docker - HackerSploit

It's a free live course.


Last updated 9 months ago

8 Best Practices for Docker Host Security

The security of the host kernel and operating system directly correlates to the security of your Docker containers given their utilization of the host kernel. It is therefore vitally important to keep your host secure. The following steps outline various security best practices to consider for securing your Docker host:

  1. Secure and harden your host OS.

  2. Ensure your host is kept updated.

  3. Ensure you have the latest version of Docker running.

  4. Consider the use of a minimal Linux distribution such as Alpine that offers a much smaller threat surface.

  5. Add your host and containers to a robust vulnerability management plan and constantly scan your host and containers for vulnerabilities.

  6. Only run the services you need to run.

  7. Ensure your kernel is up to date.

  8. Keep up with the latest vulnerability news for the Linux kernel and the Docker platform.


Running Docker Containers with an Unprivileged User

Create a dedicated system user and group inside the image, then switch to that user with the USER instruction so the container's process does not run as root:

RUN groupadd -r <USER> && useradd -r -g <GROUP> <USER>

Dockerfile

FROM ubuntu:18.04

LABEL maintainer="Akuma"

# create an unprivileged system user and group
RUN groupadd -r akuma && useradd -r -g akuma akuma

# lock the root account's shell so it cannot be used interactively
RUN chsh -s /usr/sbin/nologin root

# Environment Variables
ENV HOME /root
ENV DEBIAN_FRONTEND=noninteractive

# run the remaining instructions and the container's process as the unprivileged user
USER akuma
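As an added example (not from the page or the HackerSploit course), the check below parses a Dockerfile and reports whether its final stage actually ends up running as a non-root user, which is the point of the USER instruction above. The sample Dockerfile is constructed; the assumption that every FROM resets the effective user to root is noted in the code.

```python
"""Added example: lint a Dockerfile for the unprivileged-user practice.

Tracks USER directives (including multi-stage FROM resets) and checks that a
user was created with useradd/adduser before the image switches to it.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample, mirroring the page's snippet plus a USER line.
SAMPLE_DOCKERFILE = """\
FROM ubuntu:18.04
LABEL maintainer="Akuma"
RUN groupadd -r akuma && useradd -r -g akuma akuma
RUN chsh -s /usr/sbin/nologin root
ENV DEBIAN_FRONTEND=noninteractive
USER akuma
"""


def parse_instructions(text: str) -> List[Tuple[str, str]]:
    """Return (INSTRUCTION, argument) pairs, joining backslash-newline
    continuations and skipping comments and blank lines."""
    joined = re.sub(r"\\\n", " ", text)
    out: List[Tuple[str, str]] = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        out.append((parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""))
    return out


def audit_dockerfile(text: str) -> Dict[str, object]:
    """Return the effective final user, whether a user was created, and findings."""
    final_user = "root"      # Docker's default when no USER instruction is given
    user_created = False
    findings: List[str] = []
    for ins, arg in parse_instructions(text):
        if ins == "FROM":
            # Assumption: each stage starts as root (true unless the base
            # image itself carries a non-root USER, which we do not inspect).
            final_user = "root"
        elif ins == "RUN" and re.search(r"\b(useradd|adduser)\b", arg):
            user_created = True
        elif ins == "USER":
            final_user = arg.split(":", 1)[0].strip()   # strip optional :group
            if final_user in ("root", "0"):
                findings.append("USER directive switches back to root")
    if final_user in ("root", "0"):
        findings.append("final stage runs as root (no non-root USER directive)")
    elif not user_created:
        findings.append(
            f"USER {final_user} set but no useradd/adduser step seen in this Dockerfile"
        )
    return {"final_user": final_user, "user_created": user_created, "findings": findings}


if __name__ == "__main__":
    for finding in audit_dockerfile(SAMPLE_DOCKERFILE)["findings"] or ["no findings"]:
        print(finding)
```

The check only sees the Dockerfile in hand: a base image that already sets USER will be reported as root, so treat the result as a prompt to inspect the base image rather than a definitive answer.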

Preventing Privilege Escalation Attacks

It is recommended to run your containers with specific permissions and ensure that they cannot escalate their privileges. You can prevent privilege escalation through the exploitation of SETUID binaries by using the --security-opt=no-new-privileges flag when running containers:

docker run --security-opt=no-new-privileges <IMAGE-ID>

Limiting Docker Container Kernel Capabilities

  1. Drop all kernel capabilities by running the following command:

docker run --cap-drop all <IMAGE-ID>

  2. Then add back only the specific capabilities your container needs, replacing <CAPABILITY> with the desired capability key:

docker run --cap-drop all --cap-add <CAPABILITY> <IMAGE-ID>

File System Permissions and Access

You also have the ability to specify file system permissions and access. This allows you to set up containers with a read only file system or a temporary file system. This is useful if you would like to control whether your Docker containers can store data or make changes to the file system.

  1. Run a Docker container with a read-only file system by running the following command:

docker run --read-only <IMAGE-ID>

  2. If your container has a service or application that requires the storage of data, you can specify a temporary file system by running the following command:

docker run --read-only --tmpfs /tmp <IMAGE-ID>

Disabling Inter-Container Communication

Network audit:

docker network ls

docker network inspect bridge    # "bridge" is the default network

# install net-tools inside the container, then inspect its interfaces
apt update && apt install -y net-tools

apt search <PACKAGE>

  1. To disable inter-container communication, create a new Docker network with the enable_icc option set to false, replacing <NETWORK-NAME> with any desired name:

docker network create --driver bridge -o "com.docker.network.bridge.enable_icc"="false" <NETWORK-NAME>

  2. You can now run an isolated container by including the --network flag:

docker run --network <NETWORK-NAME> <IMAGE-ID>
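As an added example (not part of the page or the course), the audit below reads the JSON that `docker inspect <CONTAINER>` and `docker network inspect <NETWORK>` print and checks it against the run-time settings covered in the four sections above: no --privileged, all capabilities dropped, no-new-privileges set, a read-only root filesystem, no host networking, and enable_icc=false on the network. The JSON samples are constructed; the field names (HostConfig.Privileged, CapAdd, CapDrop, SecurityOpt, ReadonlyRootfs, NetworkMode, Options) are Docker's real ones.

```python
"""Added example: audit docker inspect output for the hardening flags above."""
import json
from typing import List

# Constructed sample of `docker inspect` for a container started with the
# flags from this page (cap-drop all, no-new-privileges, read-only, tmpfs,
# custom network).
SAMPLE_CONTAINER_INSPECT = json.dumps([{
    "Id": "constructed-container-id",
    "HostConfig": {
        "Privileged": False,
        "CapAdd": ["NET_BIND_SERVICE"],
        "CapDrop": ["ALL"],
        "SecurityOpt": ["no-new-privileges"],
        "ReadonlyRootfs": True,
        "Tmpfs": {"/tmp": ""},
        "NetworkMode": "isolated-net",
    },
}])

# Constructed sample of a container started with none of the protections.
WEAK_CONTAINER_INSPECT = json.dumps([{
    "Id": "constructed-weak-id",
    "HostConfig": {
        "Privileged": True,
        "CapAdd": ["SYS_ADMIN"],
        "CapDrop": None,
        "SecurityOpt": None,
        "ReadonlyRootfs": False,
        "NetworkMode": "host",
    },
}])

# Constructed sample of `docker network inspect` for the ICC-disabled network.
SAMPLE_NETWORK_INSPECT = json.dumps([{
    "Name": "isolated-net",
    "Driver": "bridge",
    "Options": {"com.docker.network.bridge.enable_icc": "false"},
}])

# Capabilities that effectively hand over the host if granted (illustrative set).
HIGH_RISK_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}


def _norm(cap: str) -> str:
    """Normalise 'cap_sys_admin' / 'SYS_ADMIN' to 'SYS_ADMIN'."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_container(inspect_json: str) -> List[str]:
    """Return a list of findings for one container; empty means all checks passed."""
    hc = json.loads(inspect_json)[0]["HostConfig"]
    findings: List[str] = []
    if hc.get("Privileged"):
        findings.append("runs with --privileged")
    added = {_norm(c) for c in (hc.get("CapAdd") or [])}
    dropped = {_norm(c) for c in (hc.get("CapDrop") or [])}
    if "ALL" not in dropped:
        findings.append("does not drop all capabilities (--cap-drop all)")
    for cap in sorted(added & HIGH_RISK_CAPS):
        findings.append(f"adds high-risk capability {cap}")
    sec_opts = hc.get("SecurityOpt") or []
    # Docker records either "no-new-privileges" or "no-new-privileges:true".
    if not any(o.startswith("no-new-privileges") and not o.endswith(":false") for o in sec_opts):
        findings.append("no-new-privileges is not set (--security-opt=no-new-privileges)")
    if not hc.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable (--read-only not set)")
    if hc.get("NetworkMode") == "host":
        findings.append("uses host networking")
    return findings


def icc_disabled(network_inspect_json: str) -> bool:
    """True when the network was created with enable_icc=false."""
    opts = json.loads(network_inspect_json)[0].get("Options") or {}
    return opts.get("com.docker.network.bridge.enable_icc", "true").lower() == "false"


if __name__ == "__main__":
    for name, data in (("hardened", SAMPLE_CONTAINER_INSPECT), ("weak", WEAK_CONTAINER_INSPECT)):
        print(name, audit_container(data) or ["no findings"])
    print("icc disabled:", icc_disabled(SAMPLE_NETWORK_INSPECT))
```

On a real host, pipe `docker inspect <CONTAINER>` into `audit_container` for every running container; the samples above show the two extremes, one with every flag from the page set and one with none.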

Auditing Docker Security

See the attached eBook: Linode_eBook_HackerSploit_DockerSecurityEssentials.pdf


Secure the Docker Host

  • Create accountability with an audit log. If something is breached, or when someone logs in, we can investigate afterwards; a detective control always acts after the fact. [Use an off-site, separate logging or audit server that all hosts send their logs to.]

  • Linux audit framework: auditing is handled in the kernel. Applications send events to the kernel, the kernel checks them against the audit policy and passes matching events to auditd, which stores them in logs that are read with aureport, ausearch and aulast.

  • auditctl manages and controls the framework and is also used to create audit rules.

  • At system startup, auditd loads the audit rules.

lynis

lynis is a security auditing tool that performs an in-depth security scan of the system.

lynis audit system

secure via sshd_config

# change the default port (Port 22) to a non-standard value

# log as much information as possible
LogLevel VERBOSE

PermitRootLogin no
MaxAuthTries 2
MaxSessions 2

PasswordAuthentication no

ClientAliveCountMax 2

Then restart the service so the new configuration takes effect:

sudo systemctl restart ssh
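As an added example (not from the page or the course), the script below checks an sshd_config text for the directives listed above. It follows sshd's own rule that the first occurrence of a directive wins and stops at the first Match block, because values inside Match only apply conditionally. The sample configuration is constructed; the fallback defaults are OpenSSH's documented defaults for each directive.

```python
"""Added example: audit an sshd_config against the hardening values above."""
import re
from typing import Dict, List, Tuple

# Constructed sample sshd_config (not a real host's file).
SAMPLE_SSHD_CONFIG = """\
# constructed sample
Port 2222
LogLevel VERBOSE
PermitRootLogin no
MaxAuthTries 2
MaxSessions 2
PasswordAuthentication no
ClientAliveCountMax 2
PermitRootLogin yes   # ignored by sshd: the first occurrence wins
Match User deploy
    PasswordAuthentication yes
"""

# Values the page recommends: ("eq", exact value) or ("le", maximum allowed).
EXPECTED: Dict[str, Tuple[str, str]] = {
    "loglevel": ("eq", "verbose"),
    "permitrootlogin": ("eq", "no"),
    "maxauthtries": ("le", "2"),
    "maxsessions": ("le", "2"),
    "passwordauthentication": ("eq", "no"),
    "clientalivecountmax": ("le", "2"),
}

# OpenSSH defaults used when a directive is absent from the file.
DEFAULTS: Dict[str, str] = {
    "loglevel": "INFO",
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
    "maxsessions": "10",
    "passwordauthentication": "yes",
    "clientalivecountmax": "3",
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Map lower-cased directive -> first value, global section only."""
    seen: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # sshd accepts ' ' or '='
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                                   # conditional section starts
        seen.setdefault(key, value)                 # first occurrence wins
    return seen


def audit_sshd_config(text: str) -> List[str]:
    """Return findings for every directive that deviates from the page's values."""
    cfg = parse_sshd_config(text)
    findings: List[str] = []
    for key, (op, want) in EXPECTED.items():
        have = cfg.get(key, DEFAULTS[key])
        if op == "eq" and have.lower() != want:
            findings.append(f"{key}: expected {want}, found {have}")
        elif op == "le" and (not have.isdigit() or int(have) > int(want)):
            findings.append(f"{key}: expected at most {want}, found {have}")
    if cfg.get("port", "22") == "22":
        findings.append("port: still the default 22")
    return findings


if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG) or ["no findings"]:
        print(finding)
```

Feed it the contents of /etc/ssh/sshd_config; an empty result means every directive from the section above is present with the recommended value and the port has been moved off 22.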

secure via auditd

See the attached eBook: Linode_eBook_HackerSploit_DockerSecurityEssentials.pdf


Securing The Docker Daemon


Domain Socket

In Docker, a domain socket (also called a Unix socket) is a mechanism that lets processes on the same host talk to each other through a special file that they use to send and receive data. Compared with network-based communication such as TCP/IP it is more efficient, and it keeps the communication local to the host. Docker uses a domain socket for its client-server communication: the Docker daemon listens on a Unix socket for commands from the Docker client, so the client can drive the daemon without any network port being exposed, which improves security. Because anyone who can write to that socket can control the daemon, access to the socket file should be restricted to the intended users and it should not be mounted into containers unless strictly required.


Part 2 Alexis course in PDF

Chapter 1: Controlling Container Resource Consumption With Control Groups
Chapter 2: Implementing Access Control For Containers With AppArmor
Chapter 3: Limiting Container System Calls With Seccomp
Chapter 4: Vulnerability Scanning For Docker Containers
Chapter 5: Building Secure Docker Images

Linux kernel capabilities are a set of privileges that can be used by privileged containers. However, it is always recommended not to run containers with the --privileged flag, as it overrides any other user permission and security restriction you have set. Instead, drop the capabilities your containers do not need to harden them, and add back only the specific ones they require, as shown in the steps under "Limiting Docker Container Kernel Capabilities" above.

You can also add the specific kernel capabilities required by your containers by running the --cap-add command shown there, replacing <CAPABILITY> with the desired capability key.

Given the notion of virtual machine isolation, you can also isolate Docker containers from one another so that they cannot communicate with each other. This is helpful if you want to isolate a particular Docker container. By default, Docker does not isolate containers and allows them to communicate with each other, and containers have outbound connectivity to the external network unless it is explicitly restricted.
Related links:

  • Docker security
  • CIS benchmark Docker
  • InSpec - Automated security and compliance framework