
How to level up your Container Security Journey? Part 3

Container Security Part 3

In the first two parts we looked at the attack surface of Docker, at how a container running software with known vulnerabilities can be exploited, and at which components of a container are security-critical.

Let’s start by running a simple image vulnerability scanner against a known image. Trivy compares the OS packages and application dependencies found in the image against public vulnerability databases; it is a software composition analysis tool, not SAST, so it says nothing about your own source code.

Trivy also runs unattended and, with --exit-code 1, returns a non-zero status when it finds something, so it slots into a CI/CD (DevSecOps) pipeline as a build gate:

trivy image nginx:1.19.6
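Trivy can enforce a policy on its own: trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed nginx:1.19.6 fails the build on any fixable HIGH or CRITICAL finding. When the policy has to live outside the scanner, for example to apply one rule across several tools, the same decision can be made from the JSON report that trivy image --format json --output report.json produces. The following is an added example, not code from the original post or from the Trivy project; the report embedded in it is constructed in Trivy's JSON layout, and its CVE identifiers are placeholders rather than real vulnerabilities.

```python
"""Gate a CI build on a Trivy JSON report.

Added example (not part of the original post or the Trivy project).
Assumes a report produced by:
    trivy image --format json --output report.json nginx:1.19.6
The report below is CONSTRUCTED; its CVE identifiers are placeholders,
not real vulnerabilities.
"""
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in Trivy's layout: one Result per scanned target, each
# with a Vulnerabilities list that Trivy omits entirely when it is empty.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "nginx:1.19.6",
    "Results": [
        {
            "Target": "nginx:1.19.6 (debian 10.7)",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libssl1.1",
                 "InstalledVersion": "1.1.1d-0+deb10u4",
                 "FixedVersion": "1.1.1d-0+deb10u5", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-00002", "PkgName": "libc6",
                 "InstalledVersion": "2.28-10",
                 "FixedVersion": "", "Severity": "CRITICAL"},   # no fix yet
                {"VulnerabilityID": "CVE-0000-00003", "PkgName": "curl",
                 "InstalledVersion": "7.64.0-4",
                 "FixedVersion": "7.64.0-4+deb10u1", "Severity": "MEDIUM"},
            ],
        },
        {"Target": "Node.js", "Type": "node-pkg"},   # no Vulnerabilities key at all
    ],
})


def blocking_findings(report_json, fail_on="HIGH", ignore_unfixed=True):
    """Return the findings that should fail the build.

    fail_on is the lowest severity that blocks; ignore_unfixed drops findings
    without an upstream fix (same idea as trivy --ignore-unfixed), because the
    image author cannot act on those yet and they would block every build.
    """
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[fail_on]
    blockers = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:   # key may be missing or null
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            blockers.append((vuln["VulnerabilityID"], vuln["PkgName"],
                             vuln["Severity"], vuln["FixedVersion"]))
    return blockers


def exit_code_for(report_json, **kwargs):
    """1 if the build must fail, 0 otherwise (the contract of trivy --exit-code 1)."""
    return 1 if blocking_findings(report_json, **kwargs) else 0


if __name__ == "__main__":
    for finding in blocking_findings(SAMPLE_REPORT):
        print("BLOCK %s in %s (%s) -> upgrade to %s" % finding)
    raise SystemExit(exit_code_for(SAMPLE_REPORT))
```

With the constructed report the build fails on the fixable HIGH finding only; the unfixed CRITICAL is reported but does not block, and the MEDIUM is below the threshold. Dropping ignore_unfixed, or lowering fail_on, is a one-argument change, which is the point of keeping the policy in code rather than spread across pipeline flags.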

Docker Bench for Security

Docker Bench for Security is a script that checks a Docker host against the CIS Docker Benchmark: host configuration, daemon configuration, daemon files, images, container runtime and so on. Run it on every host that deploys Docker containers and work through every WARN it reports. Note that it checks configuration, not image vulnerabilities; that is what the scanner above is for.

Configuring the Docker daemon

On a default installation several of Docker Bench’s daemon-configuration checks report WARN, so harden the Docker daemon configuration first. Open (or create) the configuration file with:

sudo nano /etc/docker/daemon.json

daemon.json must hold exactly one JSON object, so do not append a second block to the bottom of an existing file; either create the file with the object below, or merge these keys into the object already there:

{
    "icc": false,
    "userns-remap": "default",
    "live-restore": true,
    "userland-proxy": false,
    "no-new-privileges": true
}

Save and close the file, then restart the daemon (sudo systemctl restart docker) for the settings to take effect. Two caveats: "icc": false blocks traffic between containers on the default bridge, so containers that must talk to each other should share a user-defined network; and enabling "userns-remap" on a host that already has images and containers makes them disappear from docker images and docker ps, because the daemon switches to a separate per-mapping subdirectory under /var/lib/docker.
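Because daemon.json must be one valid JSON object and a stray brace there stops dockerd from starting, it is worth checking the file before the restart. The following is an added example, not code from the original post or from Docker Bench: it parses a daemon.json, compares the five keys above against a hardened baseline, reports the value Docker uses when a key is absent, and produces the merged hardened object. The two input files in it are constructed.

```python
"""Audit /etc/docker/daemon.json against a hardened baseline.

Added example (not from the original post or from Docker Bench). Checks the
five keys the post sets, reporting each one that is missing or weaker than the
baseline, alongside the value Docker uses when the key is absent.
"""
import json

# key: (hardened value, Docker's built-in default when the key is absent)
BASELINE = {
    "icc": (False, True),                # traffic between containers on the default bridge
    "userns-remap": ("default", ""),     # map container root to an unprivileged host uid
    "live-restore": (True, False),       # keep containers up across daemon restarts
    "userland-proxy": (False, True),     # iptables instead of docker-proxy for published ports
    "no-new-privileges": (True, False),  # block setuid / file-capability escalation
}


def load_daemon_config(text):
    """Parse daemon.json. It must be exactly one JSON object; anything else
    (for example a second object appended at the bottom) makes dockerd refuse
    to start, so fail loudly here rather than at the next restart."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError("daemon.json is not valid JSON: %s" % exc)
    if not isinstance(cfg, dict):
        raise ValueError("daemon.json must contain a single JSON object")
    return cfg


def audit(cfg):
    """Return (key, effective_value, expected_value) for each setting that is
    not at the hardened value. A missing key is judged by Docker's default."""
    findings = []
    for key, (hardened, default) in BASELINE.items():
        effective = cfg.get(key, default)
        if key == "userns-remap":
            ok = bool(effective)        # any non-empty mapping is acceptable
        else:
            ok = effective == hardened
        if not ok:
            findings.append((key, effective, hardened))
    return findings


def hardened_config(cfg):
    """Copy of cfg with every baseline key at its hardened value, keeping
    unrelated keys (log-driver, registry-mirrors, ...) intact."""
    merged = dict(cfg)
    for key, (hardened, _default) in BASELINE.items():
        if key == "userns-remap" and merged.get(key):
            continue                    # keep an existing explicit mapping
        merged[key] = hardened
    return merged


# Constructed inputs: an empty object equals Docker's defaults; the second
# carries a logging option but only two of the five hardening keys.
EMPTY_CONFIG = "{}"
PARTIAL_CONFIG = '{"log-driver": "json-file", "icc": false, "no-new-privileges": true}'

if __name__ == "__main__":
    for text in (EMPTY_CONFIG, PARTIAL_CONFIG):
        cfg = load_daemon_config(text)
        for key, effective, expected in audit(cfg):
            print("WARN %-20s is %r, expected %r" % (key, effective, expected))
        print(json.dumps(hardened_config(cfg), indent=4))
```

Run against the real file with python3 audit.py < /etc/docker/daemon.json after swapping the constructed inputs for sys.stdin.read(); the printed object can then replace the file once reviewed.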

Next, install auditd so that changes to Docker’s binaries and configuration are recorded (Docker Bench checks for these audit rules as well):

sudo apt-get install auditd -y

Then add audit rules for Docker’s files. On distributions that use augenrules (current Debian, Ubuntu and RHEL), /etc/audit/audit.rules is regenerated from /etc/audit/rules.d/ at load time, so put the rules in a new file such as /etc/audit/rules.d/docker.rules; otherwise edit the rules file directly:

sudo nano /etc/audit/audit.rules

At the bottom of that file, paste the following watch rules (-w is the path to watch, -p wa records writes and attribute changes). Appending a key such as -k docker to each rule tags the events so they can be pulled out later with ausearch -k docker:

-w /usr/bin/docker -p wa
-w /var/lib/docker -p wa
-w /etc/docker -p wa
-w /lib/systemd/system/docker.service -p wa
-w /lib/systemd/system/docker.socket -p wa
-w /etc/default/docker -p wa
-w /etc/docker/daemon.json -p wa
-w /usr/bin/docker-containerd -p wa
-w /usr/bin/docker-runc -p wa

Save and close the file, then load the rules (sudo augenrules --load on systems that use augenrules, otherwise sudo service auditd restart) and confirm with sudo auditctl -l. Two things to check against your own host: current Docker packages ship the runtime binaries as /usr/bin/containerd and /usr/bin/runc rather than docker-containerd and docker-runc, so point the last two watches at whatever command -v containerd runc reports; and the /var/lib/docker watch is noisy, because dockerd writes there every time a container starts, so filter on the login uid (auid) when reviewing those events to separate a person editing Docker’s configuration from the daemon’s own housekeeping.
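The records these rules produce are only useful if someone reads them, and auditd splits each event into several records (SYSCALL, CWD, PATH ...) that share a serial in msg=audit(<time>:<serial>). The following is an added example, not code from the original post or from the audit project: it joins the records of each event, lists who touched which Docker path, and separates a logged-in user from dockerd by the auid field, the login uid that pam_loginuid sets at login and that survives sudo. The log lines in it are constructed and abbreviated (real records carry more fields), and it assumes the rules above were loaded with -k docker appended.

```python
"""Correlate auditd records produced by the Docker watch rules.

Added example (not part of the original post or of the audit project).
The log lines below are CONSTRUCTED and abbreviated; assumes the -w rules
were loaded with -k docker so each SYSCALL record carries key="docker".
"""
import re
from collections import defaultdict

UNSET_AUID = 4294967295     # -1 as unsigned: no login uid (daemons, boot-time processes)
RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Three constructed events: root (logged in as auid 1000, via sudo) editing
# daemon.json with nano; dockerd creating a container config under
# /var/lib/docker; and an unprivileged user failing to chmod the docker binary.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1614556800.101:9001): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=2100 pid=2150 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=4 comm="nano" exe="/usr/bin/nano" key="docker"
type=CWD msg=audit(1614556800.101:9001): cwd="/root"
type=PATH msg=audit(1614556800.101:9001): item=0 name="/etc/docker/" inode=131 dev=08:01 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1614556800.101:9001): item=1 name="/etc/docker/daemon.json" inode=4521 dev=08:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1614556800.555:9002): arch=c000003e syscall=257 success=yes exit=4 items=2 ppid=1 pid=1337 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="dockerd" exe="/usr/bin/dockerd" key="docker"
type=PATH msg=audit(1614556800.555:9002): item=0 name="/var/lib/docker/containers/0a1b/" inode=9000 dev=08:01 mode=040700 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1614556800.555:9002): item=1 name="/var/lib/docker/containers/0a1b/config.v2.json" inode=9001 dev=08:01 mode=0100644 ouid=0 ogid=0 nametype=CREATE
type=SYSCALL msg=audit(1614556801.002:9003): arch=c000003e syscall=90 success=no exit=-13 items=1 ppid=3000 pid=3001 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=7 comm="chmod" exe="/usr/bin/chmod" key="docker"
type=PATH msg=audit(1614556801.002:9003): item=0 name="/usr/bin/docker" inode=777 dev=08:01 mode=0100755 ouid=0 ogid=0 nametype=NORMAL
"""


def parse_fields(rest):
    """Turn 'a=1 b="two words"' into {'a': '1', 'b': 'two words'}."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}


def parse_events(log_text):
    """Group records by serial: {serial: {'time', 'syscall': {...}, 'paths': [...]}}.
    PARENT path records (the directory) are dropped; only the touched file is kept."""
    events = defaultdict(lambda: {"time": None, "syscall": None, "paths": []})
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue                        # not an audit record, or truncated
        rtype, when, serial, rest = m.groups()
        fields = parse_fields(rest)
        ev = events[int(serial)]
        ev["time"] = float(when)
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "PATH" and fields.get("nametype") != "PARENT":
            ev["paths"].append(fields.get("name", ""))
    return dict(events)


def docker_changes(log_text, key="docker"):
    """One summary row per event tagged with the rule key: who did what to which path."""
    rows = []
    for serial, ev in sorted(parse_events(log_text).items()):
        sc = ev["syscall"]
        if sc is None or sc.get("key") != key:
            continue
        auid = int(sc.get("auid", UNSET_AUID))
        rows.append({
            "serial": serial,
            "auid": None if auid == UNSET_AUID else auid,   # None: no human behind it
            "uid": int(sc.get("uid", -1)),
            "exe": sc.get("exe"),
            "success": sc.get("success") == "yes",
            "paths": ev["paths"],
        })
    return rows


def human_changes(log_text):
    """Events started by a logged-in user (auid set). dockerd's own writes under
    /var/lib/docker carry an unset auid and fall out here, which is what makes
    the /var/lib/docker watch reviewable instead of pure noise."""
    return [r for r in docker_changes(log_text) if r["auid"] is not None]


if __name__ == "__main__":
    for r in human_changes(SAMPLE_LOG):
        status = "ok" if r["success"] else "DENIED"
        print("%s auid=%s uid=%s %s -> %s" % (status, r["auid"], r["uid"],
                                              r["exe"], ", ".join(r["paths"])))
```

On a real host feed it the output of sudo ausearch -k docker (or /var/log/audit/audit.log). The interesting rows are the ones with an auid: a uid 0 process editing daemon.json is routine when auid is the on-call engineer and alarming when it is not, and a denied chmod on /usr/bin/docker from an unprivileged auid is worth a question regardless.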

Docker Bench and Trivy are not the only choices; other widely used open-source container security tools include:

  • Clair (static vulnerability scanning of image layers)
  • Cilium (eBPF-based network policy and visibility for containers)
  • Anchore (image scanning with policy-based gating)
  • OpenSCAP Workbench (SCAP compliance scanning, including CIS profiles)

Secure Docker Container Images

Deploying an application into an insecure environment is a non-starter, and the first layer of that environment is the Docker image itself. The following practices help build a minimal, hardened image:

  • Choose the right base image (minimal, actively maintained, from a trusted publisher)
  • Remove exploitable and non-essential software (shells, package managers, compilers and debug tools have no place in the final image)
  • Use multi-stage builds so build tooling never ships in the runtime image
  • Rebuild images regularly so fixes in the base image are picked up rather than frozen in place
  • Scan images during development, before they are pushed
  • Scan running containers in production, since new vulnerabilities are published after the image was built
  • Run vulnerability management: track findings, prioritise by severity and exploitability, and remediate on a schedule

There is no fixed, countable list of Docker mitigations; what is needed depends on the daemon and container configuration and on the services running inside the container. The following kernel-level controls apply to every container, however, and should be understood for any deployment.

AppArmor profiles – AppArmor is a Linux security module that confines a program to the file, capability and network operations its profile allows. Docker loads a default profile, docker-default, and applies it to every container on hosts where AppArmor is enabled; a tighter custom profile is selected with --security-opt apparmor=<profile-name>, and that profile must already be loaded into the kernel (apparmor_parser -r <profile-file>) or the container will not start.

Seccomp profiles – seccomp is a kernel feature that filters the system calls a process may issue. Docker applies its default seccomp profile to every container unless --security-opt seccomp=unconfined is given, and a custom JSON profile can be supplied with --security-opt seccomp=<file>. Think of it as an allow-list on the kernel’s syscall interface rather than a network firewall: a web server that never needs to mount a filesystem or reboot the host should not be able to call mount or reboot.

Docker Content Trust – setting DOCKER_CONTENT_TRUST=1 in the client’s environment makes docker pull, run and build refuse any image tag that does not carry a valid signature (verified through Notary) and signs images on docker push, so only images signed by their publisher reach the host.

Running a container with the --privileged flag overrides all of the above: the container gets every Linux capability, the default seccomp and AppArmor profiles are not applied, and all host devices are exposed, so root inside the container is effectively root on the host. Treat it as a last resort and grant individual capabilities with --cap-add instead.

Thanks for staying tuned for this.