3. Agenda
● Introduction to docker security
● Security best practices
● Tools for auditing docker images
4. Docker
● “Docker containers wrap up a piece of
software in a complete filesystem that
contains everything it needs to run: code,
runtime, system tools, system libraries –
anything you can install on a server. This
guarantees that it will always run the same,
regardless of the environment it is running in.”
5. Docker Security
● Docker provides an additional layer of isolation, making
your infrastructure safer by default.
● Makes the application lifecycle fast and easier,reducing
risks in your applications
6. Docker Security
● Docker uses several mechanisms for security:
○ Linux kernel namespaces
○ Linux Control Groups (cgroups)
○ The Docker daemon
○ Linux capabilities (libcap)
○ Linux security mechanisms like AppArmor or
SELinux
7. Docker Security
● Namespaces:provides an isolated view of the
system where processes cannot see other
processes in other containers
● Each container also gets its own network stack.
● A container doesn’t get privileged access to the
sockets or interfaces of another container.
8. Docker Security
● Cgroups: kernel feature that limits and isolates the
resource usage(CPU,memory,network) of a collection of
processes.
● Linux Capabilities: divides the privileges of root into
distinct units and smaller groups of privileges.
11. Docker images
● Images are extracted in a chrooted sub process, being the
first-step in a wider effort toward privilege separation.
● From Docker 1.10, all images are stored and accessed by
the cryptographic checksums of their contents, limiting
the possibility of an attacker causing a collision with an
existing image Docker Content Trust.
12. Docker Content Trust
● Protects against untrusted images
● Can enable signing checks on every managed host
● Signature verification transparent to users
● Guarantee integrity of your images when pulled
● Provides trust from publisher to consumer
● export DOCKER_CONTENT_TRUST=1
● ~/.docker/trust/trusted-certificates/
14. DockerFile Security
● Do not write secrets(users and passwords).
● Remove unnecessary setuid, setgid permissions
(Privilege escalation)
● Download packages securely using GPG and certificates
● Try to restrict an image or container to one service
15. Security best practices
● To disable setuid rights, add the following to the
Dockerfile of your image
16. Security best practices
● Don’t run containers with --privileged flag
● The --privileged flag gives all capabilities to the
container.
● docker run --privileged ...
● docker run --cap-drop=ALL --cap-add=CAP_NET_ADMIN
...
17. Security best practices capabilities
● How do we add/remove capabilities?
● Use cap-add and cap-drop with docker run/create
● Drop all capabilities which are not required
● docker run --cap-drop ALL --cap-add $CAP
18. Security best practices capabilities
● Manual management within the container:
docker run --cap-add ALL
● Restricted capabilities with root:
docker run --cap-drop ALL --cap-add $CAP
● No capabilities:
docker run --user
21. Security best practices
● We can verify the integrity of the image
● Checksum validation when pulling image from docker hub
● Pulling by digest to enforce consistent
23. Docker security is about
limiting and controlling the
attack surface on the kernel.
24. Docker least privileges
● Do not run processes in a container as root to avoid root
access from attackers.
● Enable User-namespace (disabled by default)
● Run filesystems as read-only so that attackers can not
overwrite data or save malicious scripts to the image.
● Cut down the kernel calls that a container can make to
reduce the potential attack surface.
● Limit the resources that a container can use (SELinux/AppArmor)
29. Docker images scanning
● You can scan your images for known vulnerabilities
● There are tools for that, like Docker Security Scanning,
Docker Bench Security and CoreOS Clair
● Find known vulnerable binaries
31. Docker Security Scanning
● Checks against CVE database for image layers
● Binary scanning of all components in the image
● Performs binary scan to pick up on statically linked binaries
● Analyses libraries statically compiled in the image
● Generates a reports that shows if there are CVE in the
libraries inside the image
37. Clair Use cases
● You've found an image by searching the internet and want
to determine if it's safe enough for you to use in production.
● You're regularly deploying into a containerized production
environment and want operations to alert or block
deployments on insecure software.
41. Docker bench security
● Open-source tool for running automated tests
● Inspired by the CIS Docker 1.11 benchmark
● Runs against containers currently running on same host
● Checks for AppArmor, read-only volumes, etc...
48. Other tools
● OpenSCAP Container Compliance
● Lynis
● Twistlock
● Dockscan
● Aqua Security
● Dagda
49. OpenScap Clair Lynis TwistLock DockScan
Images and
Containers
Images and
Containers
DockerFile Images,
containers,
packages.
Kubernetes
Mesos.
Docker
server
RedHat
/Fedora
/CentOS based
containers
Debian
/Ubuntu
/CentOS
based
containers
Linux and
Unix based
Systems
Linux and Unix
based Systems
Docker and
container
installations
50. Lynis
● Lynis is a Linux, Mac and Unix security auditing
and system hardening tool that includes a
module to audit Dockerfiles.
● lynis audit dockerfile <file>