
How to level up your Container Security Journey? Part 3

Container Security Part 3

In the first two parts we looked at the attack surface of Docker, how a container running software with known vulnerabilities can be exploited, and which components of a container matter most for its security.

Let's start with a tool that scans images for known vulnerabilities. Note that this is software-composition scanning of the OS packages and libraries inside the image, not static analysis (SAST) of your own source code:

Trivy

https://github.com/aquasecurity/trivy

Trivy is a single binary and can be told to exit non-zero when it finds vulnerabilities of a chosen severity, so it fits naturally into CI/CD pipelines as a DevSecOps gate.

trivy image nginx:1.19.6
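As an added example (not code from the original post), the following script turns the scan above into a CI gate: it asks Trivy for a JSON report, counts findings by severity and fails the job on any CRITICAL finding while only reporting HIGH ones. The image name, the report file name and the EXAMPLE-* identifiers used as constructed test data are this example's own assumptions; the trivy flags used are real ones.

```shell
#!/bin/sh
# Added example (not part of the original post): gate a CI job on Trivy results.
# Assumes trivy is on PATH; the report path and image name are hypothetical.
set -eu

# Scan an image and write a JSON report. --ignore-unfixed skips CVEs for which
# the distribution has no patch yet, so the pipeline only blocks on findings
# that can actually be fixed by rebuilding or updating the image.
scan_image() {
  trivy image \
    --severity HIGH,CRITICAL \
    --ignore-unfixed \
    --format json \
    --output "$2" \
    "$1"
}

# Count the findings of one severity in a Trivy JSON report. Trivy pretty-prints
# one "Severity" field per vulnerability, so a plain grep is sufficient here.
count_findings() {
  grep -o "\"Severity\": *\"$2\"" "$1" | wc -l | tr -d ' '
}

# Fail (return 1) if the report contains any CRITICAL finding; HIGH findings
# are printed for triage but do not block the build.
gate_on_report() {
  crit=$(count_findings "$1" CRITICAL)
  high=$(count_findings "$1" HIGH)
  echo "CRITICAL=$crit HIGH=$high"
  [ "$crit" -eq 0 ]
}

# Usage: ./trivy-gate.sh nginx:1.19.6
if [ "$#" -gt 0 ]; then
  report="trivy-report.json"
  scan_image "$1" "$report"
  gate_on_report "$report"
fi
```

Tune the gate to your risk appetite: many teams start by blocking only on CRITICAL, then tighten to HIGH once the backlog of existing findings in their base images has been worked down.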

Docker Bench for Security

Docker Bench for Security checks a host against the CIS Docker Benchmark: daemon configuration, file ownership and permissions, audit rules and how the running containers were started. Unlike Trivy it does not look for vulnerable packages; it looks for insecure configuration. Run it on every host that deploys Docker containers so that every failed check is tracked and addressed.

https://github.com/docker/docker-bench-security.git

Configuring the Docker daemon

Several Docker Bench checks concern the Docker daemon's own configuration. These settings go in the daemon configuration file; open it with:

sudo nano /etc/docker/daemon.json

Add the following settings. If the file already exists, merge them into the existing JSON object; the file must remain a single valid JSON object:

{
    "icc": false,
    "userns-remap": "default",
    "live-restore": true,
    "userland-proxy": false,
    "no-new-privileges": true
}

What each setting does:

  • icc: false blocks traffic between containers on the default bridge unless they are explicitly placed on a user-defined network
  • userns-remap: default maps root inside containers to an unprivileged UID/GID range on the host
  • live-restore: true keeps containers running while the daemon is restarted or upgraded
  • userland-proxy: false publishes ports with iptables rules instead of a docker-proxy process per port
  • no-new-privileges: true prevents processes inside containers from gaining privileges through setuid/setgid binaries

Save and close the file, then restart the daemon (sudo systemctl restart docker) so the settings take effect. Two caveats: enabling userns-remap moves image and container storage to a per-remap subdirectory of /var/lib/docker, so existing images appear to vanish until they are pulled again, and containers can no longer be started with --privileged unless they opt out with --userns=host.
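Serving both the Docker Bench section and the daemon configuration above, here is an added example (not the project's own code) that fetches and runs the benchmark, summarises the [PASS]/[WARN]/[INFO]/[NOTE] lines it writes to its log, and then confirms through docker info and docker network inspect that the daemon actually picked up the new settings. The install directory, log path, MAX_WARN threshold and the log lines used as test data are this example's own assumptions; the real benchmark prints the actual check titles.

```shell
#!/bin/sh
# Added example (not part of the original post): run Docker Bench for Security,
# summarise its findings, and confirm the daemon.json settings are live.
# Assumes git and the docker CLI are installed; paths below are hypothetical.
set -eu

BENCH_DIR="${BENCH_DIR:-/opt/docker-bench-security}"
BENCH_LOG="${BENCH_LOG:-/var/log/docker-bench.log}"

# Fetch and run the benchmark. It must run as root on the host itself, because
# it inspects the daemon configuration, audit rules and host filesystem.
run_bench() {
  [ -d "$BENCH_DIR" ] || git clone https://github.com/docker/docker-bench-security.git "$BENCH_DIR"
  (cd "$BENCH_DIR" && sudo sh docker-bench-security.sh -l "$BENCH_LOG")
}

# Count the result lines carrying one tag (PASS, WARN, INFO or NOTE) in a log.
# grep -c prints 0 but exits non-zero when nothing matches, hence the || true.
count_tag() {
  grep -c "^\[$2\]" "$1" || true
}

# List the failed checks so they can be triaged one by one.
list_warnings() {
  grep "^\[WARN\]" "$1" || true
}

# Print a summary and fail (for a CI job) when more than MAX_WARN checks warn.
bench_summary() {
  warn=$(count_tag "$1" WARN)
  echo "PASS=$(count_tag "$1" PASS) WARN=$warn INFO=$(count_tag "$1" INFO) NOTE=$(count_tag "$1" NOTE)"
  [ "$warn" -le "${MAX_WARN:-0}" ]
}

# Confirm the daemon picked up the hardening keys: expect live-restore=true,
# "name=userns" among the security options, and icc=false on the bridge.
verify_daemon_config() {
  docker info --format 'live-restore={{.LiveRestoreEnabled}}'
  docker info --format 'security-options={{.SecurityOptions}}'
  docker network inspect bridge --format 'icc={{index .Options "com.docker.network.bridge.enable_icc"}}'
}

# Usage: sudo ./bench.sh run
if [ "${1:-}" = "run" ]; then
  run_bench
  list_warnings "$BENCH_LOG"
  verify_daemon_config
  bench_summary "$BENCH_LOG"
fi
```

Keep the log files from successive runs: the count of [WARN] lines per host over time is a simple, honest measure of whether the hardening effort is actually progressing.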

Next, install auditd so that changes to the Docker binaries and configuration are recorded; section 1 of Docker Bench checks for exactly these audit rules:

sudo apt-get install auditd -y

Now add audit watches for Docker. On Debian and Ubuntu, /etc/audit/audit.rules is regenerated by augenrules from the files in /etc/audit/rules.d/ every time auditd starts, so rules added directly to audit.rules are silently lost. Put the Docker rules in their own file instead:

sudo nano /etc/audit/rules.d/docker.rules

Paste the following watch rules into that file (-w watches a path, -p wa logs writes and attribute changes):

-w /usr/bin/docker -p wa
-w /var/lib/docker -p wa
-w /etc/docker -p wa
-w /lib/systemd/system/docker.service -p wa
-w /lib/systemd/system/docker.socket -p wa
-w /etc/default/docker -p wa
-w /etc/docker/daemon.json -p wa
-w /usr/bin/docker-containerd -p wa
-w /usr/bin/docker-runc -p wa

Save and close the file, then reload the audit rules so auditd picks them up. Note that the last two paths are the binary names used by Docker 18.06 and earlier; from Docker 18.09 onward the runtime binaries are /usr/bin/containerd and /usr/bin/runc, so watch whichever set exists on your host.
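As an added example (not the post's own commands), this script generates the watch rules above for whichever of the Docker paths actually exist on the host, tags them with an audit key so the events can be queried together, installs them under /etc/audit/rules.d/, loads them and shows how to query the resulting events. The rules file name and the "docker" key are this example's choices.

```shell
#!/bin/sh
# Added example (not part of the original post): install Docker audit watches
# into auditd's rules.d directory, load them and query the resulting events.
# Assumes auditd (auditctl, augenrules, ausearch) is installed; the rules file
# name and the "docker" key are this example's own choices.
set -eu

RULES_FILE="${RULES_FILE:-/etc/audit/rules.d/docker.rules}"

# Candidate paths: the ones from the post plus the containerd/runc binary names
# used by Docker 18.09 and later. Only paths present on this host get a rule,
# because auditctl rejects a -w watch on a path that does not exist.
DOCKER_PATHS="
/usr/bin/docker
/var/lib/docker
/etc/docker
/etc/docker/daemon.json
/etc/default/docker
/lib/systemd/system/docker.service
/lib/systemd/system/docker.socket
/usr/bin/docker-containerd
/usr/bin/docker-runc
/usr/bin/containerd
/usr/bin/runc
"

# Print one watch rule per existing path. The -k key lets ausearch pull every
# Docker-related event out of the audit log with a single query.
emit_docker_rules() {
  for p in "$@"; do
    if [ -e "$p" ]; then
      printf -- '-w %s -p wa -k docker\n' "$p"
    fi
  done
}

# Write the rules file, load it into the running kernel and list what is active.
install_docker_rules() {
  # shellcheck disable=SC2086  # splitting DOCKER_PATHS on newlines is intended
  emit_docker_rules $DOCKER_PATHS | sudo tee "$RULES_FILE" >/dev/null
  sudo augenrules --load
  sudo auditctl -l | grep -- '-k docker'
}

# After a suspected change: which process and user touched Docker's files?
show_docker_events() {
  sudo ausearch -k docker -i | tail -n 20
}

# Usage: sudo ./docker-audit.sh install
if [ "${1:-}" = "install" ]; then
  install_docker_rules
fi
```

Forward the audit log to a central collector: a local audit trail is of little use if the attacker who modified daemon.json is also root on the host and can clear /var/log/audit.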

Other open-source container security tools worth knowing are:

  • Clair (static vulnerability scanning of image layers, often run inside a registry)
  • Cilium (eBPF-based networking and network policy enforcement between containers)
  • Anchore (image scanning with policy-based pass/fail evaluation)
  • OpenSCAP Workbench (compliance scanning against SCAP/CIS content for hosts and images)

Secure Docker Container Images

Deploying an application in an insecure environment is not an option, and the first layer of a containerised application is the Docker image itself, so it cannot be ignored. The following practices help build a small, hardened image:

  • Choosing the right base image: minimal, actively maintained, and pinned to a specific tag or digest rather than latest
  • Remove exploitable and non-essential software: shells, package managers, compilers and debugging tools that only help an attacker once inside
  • Use multi-stage builds: compilers and build dependencies stay in the builder stage, and only the built artefact is copied into the runtime image
  • Rebuild images regularly so they pick up security patches in the base image
  • Scan images during development, before they are pushed to a registry
  • Scan running containers in production, because new CVEs are published against software that was clean at build time
  • Vulnerability management: track findings, prioritise by severity and exploitability, and fix them by rebuilding rather than patching running containers
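As an added example (not code from the original post), the following script checks a Dockerfile against three of the practices above: every FROM must be pinned to a tag or digest (and never latest), the final stage must set a non-root USER, and apt-get install must use --no-install-recommends so optional packages stay out of the image. It also writes a constructed Dockerfile that follows the practices (pinned golang builder, distroless runtime, non-root user) so the check can be seen passing. The file names, the sample Dockerfile and the awk-based checks are this example's own; it handles plain FROM/USER/RUN lines and backslash-continued RUN lines, not FROM --platform forms.

```shell
#!/bin/sh
# Added example (not part of the original post): lint a Dockerfile for pinned
# base images, a non-root final user and lean apt-get usage.
set -eu

# A constructed Dockerfile that follows the practices above: pinned base
# images, a multi-stage build that leaves the compiler behind, and a non-root
# user in the final stage. Written to the path given as $1.
write_good_dockerfile() {
  cat > "$1" <<'EOF'
FROM golang:1.21 AS build
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/app .

FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=build /out/app /app
USER nonroot
ENTRYPOINT ["/app"]
EOF
}

# Lint the Dockerfile at $1. Prints one [FAIL] line per problem and exits with
# the number of failures, so 0 means the file passed.
lint_dockerfile() {
  awk '
    function fail(msg) { print "[FAIL] " msg; fails++ }

    # Join backslash-continued lines so a RUN instruction is seen as one record.
    /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }
    { $0 = buf $0; buf = "" }

    # Each FROM starts a new stage; USER is tracked per stage so only the
    # final stage decides who the container runs as.
    toupper($1) == "FROM" {
      stages++; user = ""; img = $2
      if (img == "scratch") next
      if (img ~ /@sha256:[0-9a-f]+$/) next
      if (img ~ /:[^\/]+$/) {
        tag = img; sub(/.*:/, "", tag)
        if (tag != "latest") next
      }
      fail("FROM " img " is not pinned to a version tag or digest")
      next
    }
    toupper($1) == "USER" { user = $2 }

    # Non-essential software: recommended packages are rarely needed at runtime.
    $0 ~ /apt-get[[:space:]]+install/ && $0 !~ /--no-install-recommends/ {
      fail("line " NR ": apt-get install without --no-install-recommends")
    }

    END {
      if (user == "" || user == "root" || user == "0")
        fail("final stage runs as root (no non-root USER instruction)")
      print "[INFO] " stages + 0 " build stage(s), " fails + 0 " failure(s)"
      exit fails + 0
    }
  ' "$1"
}

# Usage: ./lint-dockerfile.sh path/to/Dockerfile
if [ "$#" -gt 0 ]; then
  lint_dockerfile "$1"
fi
```

Run it as a pre-commit hook or a CI step next to the image scan: scanners find vulnerable packages, but this kind of check catches the habits (unpinned bases, root by default) that keep reintroducing them.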

There is no fixed checklist of mitigations for Docker; what is needed depends on how the daemon is configured and on which services run inside the container. The following kernel-level controls apply to every container regardless of its contents.

AppArmor profiles: AppArmor is a Linux security module that restricts what a program may do (file access, capabilities, networking) according to a profile. On hosts where AppArmor is enabled, Docker applies its built-in docker-default profile to every container automatically. To confine a container more tightly, load a custom profile with apparmor_parser and pass its name with --security-opt apparmor=<profile>; Docker expects that policy to be loaded and enforced before the container starts and refuses to start the container otherwise.

Seccomp profiles: seccomp is a kernel feature that filters the system calls a process may issue, acting like a firewall between the container and the kernel. Docker loads a default profile into each container that blocks several dozen dangerous or obscure syscalls; a custom profile is a JSON file passed with --security-opt seccomp=<file>. Treat --security-opt seccomp=unconfined as a red flag, since it removes the filter entirely.

Docker Content Trust: setting DOCKER_CONTENT_TRUST=1 in the client's environment makes docker pull, run, build and push refuse image tags that do not carry a valid signature, so only images signed by a trusted publisher reach your hosts.

Running a container with the --privileged flag disables all of these defences at once: the container gets every capability, the seccomp and AppArmor confinement is removed and the host's devices are exposed, so an attacker inside that container is effectively root on the host.
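Covering the AppArmor, seccomp, Content Trust and --privileged points above, here is an added example (not the post's own commands). It audits the running containers on a host for settings that weaken those defences (--privileged, seccomp or AppArmor set to unconfined, CAP_SYS_ADMIN added, the host PID namespace shared), using docker inspect Go templates so no JSON parsing is needed, and it shows the hardened docker run form for comparison. The profile names, file paths and the inspect lines used as test data are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post): find running containers that
# switch off the kernel defences above, and show the hardened run command.
# Assumes the docker CLI; profile names and paths below are hypothetical.
set -eu

# One line per container, built by a docker inspect Go template so the shell
# never has to parse JSON: name, Privileged flag, SecurityOpt list, AppArmor
# profile, added capabilities and PID namespace mode.
INSPECT_FMT='{{.Name}} privileged={{.HostConfig.Privileged}} secopt={{.HostConfig.SecurityOpt}} apparmor={{.AppArmorProfile}} capadd={{.HostConfig.CapAdd}} pid={{.HostConfig.PidMode}}'

# Classify one inspect line. Prints a finding per weakness and returns 1 if any.
check_container_line() {
  line="$1"
  name=${line%% *}
  bad=0
  case "$line" in *"privileged=true"*)
    echo "$name: --privileged (all capabilities, no seccomp/AppArmor, host devices)"; bad=1;;
  esac
  case "$line" in *"seccomp=unconfined"*)
    echo "$name: seccomp filter disabled"; bad=1;;
  esac
  case "$line" in *"apparmor=unconfined"*)
    echo "$name: AppArmor confinement disabled"; bad=1;;
  esac
  case "$line" in *SYS_ADMIN*)
    echo "$name: CAP_SYS_ADMIN added (mount and cgroup access, a common escape path)"; bad=1;;
  esac
  case "$line" in *"pid=host"*)
    echo "$name: shares the host PID namespace (can inspect and signal host processes)"; bad=1;;
  esac
  return $bad
}

# Audit every running container; returns 1 if any weakness was found.
audit_running_containers() {
  found=0
  for id in $(docker ps -q); do
    line=$(docker inspect --format "$INSPECT_FMT" "$id")
    check_container_line "$line" || found=1
  done
  return $found
}

# The hardened counterpart: require a signed image, drop every capability and
# add back only what the workload needs, block privilege escalation, and use
# custom seccomp/AppArmor profiles. The AppArmor profile must already be loaded
# with apparmor_parser, and both profile names here are hypothetical.
SECCOMP_PROFILE="${SECCOMP_PROFILE:-/etc/docker/seccomp-web.json}"
APPARMOR_PROFILE="${APPARMOR_PROFILE:-docker-web}"
run_hardened() {
  DOCKER_CONTENT_TRUST=1 docker run --rm \
    --cap-drop ALL --cap-add NET_BIND_SERVICE \
    --security-opt no-new-privileges \
    --security-opt seccomp="$SECCOMP_PROFILE" \
    --security-opt apparmor="$APPARMOR_PROFILE" \
    "$1"
}

# Usage: ./container-audit.sh audit
if [ "${1:-}" = "audit" ]; then
  audit_running_containers
fi
```

Schedule the audit alongside Docker Bench: the daemon can be hardened perfectly and still be undone by one deployment script that adds --privileged "to make it work".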

Thanks for staying tuned for this.