in a complete filesystem that contains everything it needs to run: code, runtime, system tools, system libraries – anything you can install on a server. This guarantees that it will always run the same, regardless of the environment it is running in.”
Linux kernel namespaces ◦ Linux Control Groups (cgroups) ◦ The Docker daemon ◦ Linux capabilities (libcap) ◦ Linux security mechanisms like AppArmor or SELinux
where processes cannot see other processes in other containers • Each container also gets its own network stack. • A container doesn’t get privileged access to the sockets or interfaces of another container.
the resource usage(CPU,memory,network) of a collection of processes. • Linux Capabilities: divides the privileges of root into distinct units and smaller groups of privileges.
process, being the first-step in a wider effort toward privilege separation. • From Docker 1.10, all images are stored and accessed by the cryptographic checksums of their contents, limiting the possibility of an attacker causing a collision with an existing image Docker Content Trust.
enable signing checks on every managed host • Signature verification transparent to users • Guarantee integrity of your images when pulled • Provides trust from publisher to consumer • export DOCKER_CONTENT_TRUST=1 • ~/.docker/trust/trusted-certificates/
Remove unnecessary setuid, setgid permissions (Privilege escalation) • Download packages securely using GPG and certificates • Try to restrict an image or container to one service
container as root to avoid root access from attackers. • Enable User-namespace (disabled by default) • Run filesystems as read-only so that attackers can not overwrite data or save malicious scripts to the image. • Cut down the kernel calls that a container can make to reduce the potential attack surface. • Limit the resources that a container can use (SELinux/AppArmor)
known vulnerabilities • There are tools for that, like Docker Security Scanning, Docker Bench Security and CoreOS Clair • Find known vulnerable binaries
layers • Binary scanning of all components in the image • Performs binary scan to pick up on statically linked binaries • Analyses libraries statically compiled in the image • Generates a reports that shows if there are CVE in the libraries inside the image
the internet and want to determine if it's safe enough for you to use in production. • You're regularly deploying into a containerized production environment and want operations to alert or block deployments on insecure software.
2.1- Restrict network traffic between containers • [WARN] 4.1 - Create a user for the container [WARN] * Running as root: • [WARN] 5.4 - Restrict Linux Kernel Capabilities within containers [WARN] * Capabilities added: CapAdd=[audit_control] • [WARN] 5.13 - Mount container's root filesystem as readonly [WARN] * Container running with root FS mounted R/W:
Containers DockerFile Images, containers, packages. Kubernetes Mesos. Docker server RedHat /Fedora /CentOS based containers Debian /Ubuntu /CentOS based containers Linux and Unix based Systems Linux and Unix based Systems Docker and container installations
jmortega
ma3tk
kaz29
bobtani
kaz1437
nakasho
rinchsan
ham0215
konifar
andpad
visional_engineering_and_design
kenjikondobai
yajihum
jennybc
andyhume
maltzj
iamctodd
denniskardys
marktimemedia
panda_program
shpigford
michaelherold
cassininazir
edds
colly
![Docker bench security • The Docker daemon configuration • [WARN]](https://files.speakerdeck.com/presentations/f93b3c8559af4f72ab66321b4a8857c1/slide_44.jpg){kind=link}
