Docker Containers Security
By: chiheb chebbi
December 27, 2016

1- KERNEL EXPLOITS
Setuid and setgid binaries can be exploited by attackers, so strip the setuid/setgid bits from the image by adding these lines to the Dockerfile:
FROM debian:Xenial
RUN find / -perm +6000 -type f -exec chmod a-s {} \; || true
2- DENIAL OF SERVICE (DOS) Threats
To avoid denial of service attempts against the kernel resources Docker shares between containers, make sure containers belonging to different users are kept on different VMs, adjust each container's CPU share (1024 by default) and limit the maximum memory every container may consume:
$ docker run -d -c 512 someimage
$ docker run -m 512m someimage
3- BREAKOUT and Access to the Host:
Don't forget to turn off INTER-CONTAINER COMMUNICATION, because it is enabled by default. Start the daemon with these flags (on current releases the daemon binary is dockerd):
$ docker -d --icc=false --iptables
4- POISONED IMAGES
To defend against poisoned images (for example injected images) you need to verify them: make sure the images you pull are trusted and signed.
$ docker pull someimage@sha256:a25306f3850e1bd44541976aa7b5fd0a29be
(succeeds if the image is signed)
To enable content trust in a bash shell:
export DOCKER_CONTENT_TRUST=1
5- Database Passwords and data theft:
To prevent attackers from taking control of the container and gaining access to its data, follow these steps:
- Set the CONTAINER FILE SYSTEM TO READ-ONLY (the touch below fails because the root filesystem is no longer writable):
$ docker run --read-only debian touch x
- Don't run Docker as root; create and set a User in the Dockerfile:
RUN groupadd -r user && useradd -r -g user user
USER user
- Don't use environment variables to share secrets, and don't run containers with the --privileged FLAG.
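As an added example (not code from the original post), the following Python audit reads `docker inspect` output and reports which of the controls from sections 2 and 5 above are missing: CPU share and memory limit, read-only root filesystem, non-root USER, secrets in environment variables and the --privileged flag. The two JSON samples are constructed for the demo, not captured from real containers, and the secret-name check is a simple heuristic.

```python
import json

# Constructed sample of `docker inspect <container>` output (not a real
# container); only the fields this audit reads are included.
SAMPLE_INSPECT = json.dumps([{
    "Config": {"User": "", "Env": ["PATH=/usr/bin", "DB_PASSWORD=hunter2"]},
    "HostConfig": {"ReadonlyRootfs": False, "Privileged": True,
                   "CpuShares": 0, "Memory": 0},
}])
# The same container after applying the controls from the post (also constructed).
HARDENED_INSPECT = json.dumps([{
    "Config": {"User": "user", "Env": ["PATH=/usr/bin"]},
    "HostConfig": {"ReadonlyRootfs": True, "Privileged": False,
                   "CpuShares": 512, "Memory": 512 * 1024 * 1024},
}])

SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "KEY")  # heuristic env-name check

def audit_container(inspect_json):
    """Return findings for the first container in `docker inspect` JSON;
    an empty list means every control checked here is in place."""
    data = json.loads(inspect_json)[0]
    cfg, host = data.get("Config", {}), data.get("HostConfig", {})
    findings = []
    # 2- DoS: CpuShares 0 means the default weight (1024), Memory 0 means no limit
    if host.get("CpuShares", 0) == 0:
        findings.append("cpu-shares: default weight, set one with -c")
    if host.get("Memory", 0) == 0:
        findings.append("memory: no limit, set one with -m")
    # 5- root filesystem should be read-only (--read-only)
    if not host.get("ReadonlyRootfs", False):
        findings.append("rootfs: writable, run with --read-only")
    # 5- process should not run as root; "", "root" and "0" all mean root
    user = (cfg.get("User") or "root").split(":")[0]
    if user in ("root", "0"):
        findings.append("user: runs as root, set USER in the Dockerfile")
    # 5- secrets should not be passed through environment variables
    for entry in cfg.get("Env") or []:
        name = entry.split("=", 1)[0]
        if any(hint in name.upper() for hint in SECRET_HINTS):
            findings.append(f"env: {name} looks like a secret in the environment")
    # 5- --privileged hands the container most host capabilities
    if host.get("Privileged", False):
        findings.append("privileged: container runs with --privileged")
    return findings

if __name__ == "__main__":
    for finding in audit_container(SAMPLE_INSPECT):
        print("FAIL", finding)
```

Run it against real output with `docker inspect <container> > c.json` and pass the file contents to audit_container.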