Docker Containers Security

December 27, 2016 | Views: 5003

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATION Already a Member Login Here

Docker container is an open source project (Apache License 2.0). Containers allow developers to package up their applications without worrying about libraries and dependencies, a headache, allowing them to ship their applications among any system running Linux operating system.You can look at them like Virtual machines but without the need for creating a whole virtual operating system.

Image result for docker container architecture

Docker comes with security measures. It is secure by default (as it seems) but to use your docker safely, you need to be aware of many threats.

1- KERNEL EXPLOITS

Setuid and setgid bins can be exploited by attackers.So you need to disable the SETUID rights by adding this lines to the Dockerfile:

FROM debian:Xenial

RUN find / -perm +6000 -type f -exec chmod a-s {} ;

|| true

2- DENIAL OF SERVICE (DOS) Threats

To avoid a denial of service attempts while docker is using kernel resources you need to make sure that containers are belonging to many users and different VMs and by modifying the container CPU share (1024 by default) in addition of limiting the maximum memory consumed by every container.

$ docker run -d -c 512 someimage

$ docker run -m 512m someimage

3- BREAKOUT and Access to the Host:

Don’t forget to turn off the INTER-CONTAINER COMMUNICATION because by default it is enabled.

$ docker -d –icc=false –iptables

Image result for docker container security

4- POISONED IMAGES

To defend against poisoned Images(for example Injected images) you need to verify them.Because you need to make sure that the images are trusted and signed.

$ docker pull someimage@sha256:a25306f3850e1bd44541976aa7b5fd0a29be (succeed if the image is signed)

To enable content trust in a bash shell

export DOCKER_CONTENT_TRUST=1

5- Database Passwords and data theft:

To prevent attackers from taking control and gaining access you need to follow this steps:

-Make the filesystem Read-Only by setting CONTAINER FILE SYSTEM TO READ-ONLY:

$ docker run –read-only debian touch x

– Don’t run Docker as root and set a User:

RUN groupadd -r user && useradd -r -g user user

USER user

– Don’t use environment variables to share secrets and don’t run containers with the –privileged FLAG

Share with Friends

Use Cybytes and
Tip the Author!

Join

Share with Friends

Ready to share your knowledge and expertise?

Submit to 0P3N

3 Comments

Gat0n3grO
11:30 am on January 20, 2017

You might be aware about that interesting document about hardening Docker :
https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.12.0_Benchmark_v1.0.0.pdf

Log in to Reply
G4njawizard
4:02 pm on December 28, 2016

Good to know! THX Bro!

Log in to Reply
lsangine
2:37 pm on December 27, 2016

Really helpful! Thanks

Log in to Reply

Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.