8 Best Practices for Docker Host Security
8 Best Practices for Docker Host Security
The security of the host kernel and operating system directly correlates to the security of your Docker containers given their utilization of the host kernel. It is therefore vitally important to keep your host secure. The following steps outline various security best practices to consider for securing your Docker host:
Secure and harden your host OS.
Ensure your host is kept updated.
Ensure you have the latest version of Docker running.
Consider the use of a minimal Linux distribution such as Alpine that offers a much smaller threat surface.
Add your host and containers to a robust vulnerability management plan and constantly scan your host and containers for vulnerabilities.
Only run the services you need to run.
Ensure your kernel is up to date.
Keep up with the latest vulnerability news for the Linux kernel and the Docker platform.
Running Docker Containers with an Unprivileged User
Dockerfile
Preventing Privilege Escalation Attacks
It is recommended to run your containers with specific permissions and ensure that they cannot escalate their privileges. You can prevent privilege escalation through the exploitation of SETUID binaries by using the --security-opt=no-new-privileges
flag when running containers:
Limiting Docker Container Kernel Capabilities
Linux kernel capabilities are a set of privileges that can be used by privileged containers. However, it is always recommended to not run containers with the --privileged
flag as it overrides any other user permission and security restrictions you have set. Instead, you can change and drop the capabilities required to harden your Docker containers, or you can add some capabilities with the following steps:
Drop all kernel capabilities by running the following command:
You can also add the specific kernel capabilities required by your containers by running the following command, replacing
<CAPABILITY>
with the desired capability key:
File System Permissions and Access
You also have the ability to specify file system permissions and access. This allows you to set up containers with a read only file system or a temporary file system. This is useful if you would like to control whether your Docker containers can store data or make changes to the file system.
Run a Docker container with a read-only file system by running the following command:
If your container has a service or application that requires the storage of data, you can specify a temporary file system by running the following command:
Disabling Inter-Container Communication
network audit
Given the notion of virtual machine isolation, you can also isolate Docker containers from one another. This prevents them from communicating with each other. This can be helpful if you want to isolate a particular Docker container. By default, Docker does not isolate containers, allowing them to communicate with each other. Docker containers have outbound connectivity to the external network unless explicitly restricted.
In order to disable inter-container communication, create a new Docker network with the
enable_icc
option set tofalse
and replacing<NETWORK-NAME>
with any desired name.
You can now run an isolated container by including the
--network
flag:
Auditing Docker Security
[[Linode_eBook_HackerSploit_DockerSecurityEssentials.pdf]]
InSpec - Automated security and complience framework
Secure the Docker Host
Create an accountability like Audit log. If some breached or when someone logged in we can interogate. The detective mechanism is really something is after the fact. [off-site decentralized login server or audit server that all are logs can send.]
linux audit framework [auditing handle in kernel. application send log to kernel. then analyzed by the kernel. kernel then look for the auditing policy. then send to auditd. and get stored in logs via (aureport/ausearch/aulast)]
Auditctl -> manage and control the framework. also create audit rules.
when the system startup Auditd look for the audit rules.
lynis
lynis is a security auditing tool. in depth security scan.
secure via ssh.config
secure via auditd
Securing The Docker Daemon
Domain Socket
In Docker, a domain socket, also known as a Unix socket, is a communication mechanism that allows processes on the same host to communicate with each other. It's essentially a special file that processes can use to send and receive data. Domain sockets are commonly used in Docker for communication between containers and between containers and the Docker daemon itself. They provide a more efficient and secure way for inter-process communication compared to network-based communication methods like TCP/IP. In the context of Docker, domain sockets are often used for Docker's client-server communication. The Docker daemon listens for commands from the Docker client using a Unix socket. This allows the Docker client to send commands to the Docker daemon without needing to expose network ports, which can improve security. Overall, domain sockets in Docker facilitate communication between Docker components and can enhance the performance and security of containerized applications.
Part 2 Alexis course in PDF
Chapter 1: Controlling Container Resource Consumption With Control Groups Chapter 2: Implementing Access Control For Containers With App Armor Chapter 3: Limiting Container System Calls With Seccomp Chapter 4: Vulnerability Scanning For Docker Containers Chapter 5: Building Secure Docker Images
Great Resource :
ssadf
Last updated