8 Best Practices for Docker Host Security

8 Best Practices for Docker Host Security

The security of the host kernel and operating system directly correlates to the security of your Docker containers given their utilization of the host kernel. It is therefore vitally important to keep your host secure. The following steps outline various security best practices to consider for securing your Docker host:

  1. Secure and harden your host OS.

  2. Ensure your host is kept updated.

  3. Ensure you have the latest version of Docker running.

  4. Consider the use of a minimal Linux distribution such as Alpine that offers a much smaller threat surface.

  5. Add your host and containers to a robust vulnerability management plan and constantly scan your host and containers for vulnerabilities.

  6. Only run the services you need to run.

  7. Ensure your kernel is up to date.

  8. Keep up with the latest vulnerability news for the Linux kernel and the Docker platform.


Running Docker Containers with an Unprivileged User

RUN groupadd -r <USER> && useradd -r -g <GROUP> <USER>

Dockerfile

FROM ubuntu:18.04

LABEL maintainer="Akuma"

RUN groupadd -r akuma && useradd -r -g akuma akuma

RUN chsh -s /usr/sbin/nologin root

# Environment Variables
ENV HOME /root
ENV DEBIAN_FRONTEND=noninteractive

Preventing Privilege Escalation Attacks

It is recommended to run your containers with specific permissions and ensure that they cannot escalate their privileges. You can prevent privilege escalation through the exploitation of SETUID binaries by using the --security-opt=no-new-privileges flag when running containers:

docker run --security-opt=no-new-privileges <IMAGE-ID>

Limiting Docker Container Kernel Capabilities

Linux kernel capabilities are a set of privileges that can be used by privileged containers. However, it is always recommended to not run containers with the --privileged flag as it overrides any other user permission and security restrictions you have set. Instead, you can change and drop the capabilities required to harden your Docker containers, or you can add some capabilities with the following steps:

  1. Drop all kernel capabilities by running the following command:

docker run --cap-drop all <IMAGE-ID>
  1. You can also add the specific kernel capabilities required by your containers by running the following command, replacing <CAPABILITY> with the desired capability key:

docker run --cap-drop all --cap-add <CAPABILITY> <IMAGE-ID>

File System Permissions and Access

You also have the ability to specify file system permissions and access. This allows you to set up containers with a read only file system or a temporary file system. This is useful if you would like to control whether your Docker containers can store data or make changes to the file system.

  1. Run a Docker container with a read-only file system by running the following command:

docker run --read-only <IMAGE-ID>
  1. If your container has a service or application that requires the storage of data, you can specify a temporary file system by running the following command:

docker run --read-only --tmpfs /tmp <IMAGE-ID>

Disabling Inter-Container Communication

network audit

docker network ls

docker network inspect bridge    //by default bridge

//install the net-tools then inspect
apt update && apt install -y net-tools

apt search [ANYTHINGS]

Given the notion of virtual machine isolation, you can also isolate Docker containers from one another. This prevents them from communicating with each other. This can be helpful if you want to isolate a particular Docker container. By default, Docker does not isolate containers, allowing them to communicate with each other. Docker containers have outbound connectivity to the external network unless explicitly restricted.

  1. In order to disable inter-container communication, create a new Docker network with the enable_icc option set to false and replacing <NETWORK-NAME> with any desired name.

docker network create --driver bridge -o "com.docker.network.bridge.enable_icc"="false" <NETWORK-NAME>
  1. You can now run an isolated container by including the --network flag:

docker run --network <NETWORK-NAME> <IMAGE-ID>

Auditing Docker Security

[[Linode_eBook_HackerSploit_DockerSecurityEssentials.pdf]]

Docker security

CIS benchmark Docker

InSpec - Automated security and complience framework


Secure the Docker Host

  • Create an accountability like Audit log. If some breached or when someone logged in we can interogate. The detective mechanism is really something is after the fact. [off-site decentralized login server or audit server that all are logs can send.]

  • linux audit framework [auditing handle in kernel. application send log to kernel. then analyzed by the kernel. kernel then look for the auditing policy. then send to auditd. and get stored in logs via (aureport/ausearch/aulast)]

  • Auditctl -> manage and control the framework. also create audit rules.

  • when the system startup Auditd look for the audit rules.

lynis

lynis is a security auditing tool. in depth security scan.

lynis audit system

secure via ssh.config

//change the diffult port 

// give us as much as information
LogLevel VERBOSE

PermitRootLogin no
MaxAuthTries 2
Maxsessions 2

PasswordAuthentication no

ClientAliveCountMax 2
sudo systemctl restart ssh

secure via auditd


Securing The Docker Daemon

Domain Socket

In Docker, a domain socket, also known as a Unix socket, is a communication mechanism that allows processes on the same host to communicate with each other. It's essentially a special file that processes can use to send and receive data. Domain sockets are commonly used in Docker for communication between containers and between containers and the Docker daemon itself. They provide a more efficient and secure way for inter-process communication compared to network-based communication methods like TCP/IP. In the context of Docker, domain sockets are often used for Docker's client-server communication. The Docker daemon listens for commands from the Docker client using a Unix socket. This allows the Docker client to send commands to the Docker daemon without needing to expose network ports, which can improve security. Overall, domain sockets in Docker facilitate communication between Docker components and can enhance the performance and security of containerized applications.


Part 2 Alexis course in PDF

Chapter 1: Controlling Container Resource Consumption With Control Groups Chapter 2: Implementing Access Control For Containers With App Armor Chapter 3: Limiting Container System Calls With Seccomp Chapter 4: Vulnerability Scanning For Docker Containers Chapter 5: Building Secure Docker Images

Great Resource :

ssadf

Last updated