Mastering Docker, Chapter 5: Docker Security

Side note: This is another chapter that either should have been only a couple of pages long, or really should have been split into multiple smaller chapters. There is just not very much good information here. The gist is: download and run Docker Bench from GitHub, and fix everything that says WARN. While I agree that this is not a book on server security, there could have been a lot more discussion of common problems and how to actually fix them.

The not so bad

Anyone who has access to the docker daemon can do whatever they want to your docker containers: run them, modify them, delete them. Practice good server security management.

What to look out for

Docker images can contain malicious code. You should only use docker images from trusted sources.

The Docker Commands

We will focus on docker run and docker diff to see what is happening inside our machine.

docker run

With the --read-only switch we can control where our container can write to: it sets the entire container filesystem to read only. We can also use the --device switch to mount a device from the Docker host into the container. The caveat is that the device is completely open to the container by default, so you will need to set the correct permissions by appending the permission flags (for example :rwm for read, write and mknod) to the end of the --device mapping.

docker diff

Using docker diff, we can see what has been changed in our docker container since it started. If you are careful, you should presumably be able to spot malicious changes this way. Again, the author isn't really very clear on how you can use this command to make sure your container is uncompromised.
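As an added example (not from the book or this post), here is a small POSIX shell script that reads `docker diff` output and flags every added, changed or deleted path that falls outside the locations a --read-only container is expected to write to (its --tmpfs or volume mounts). The sample diff output and the allowlist are constructed for the example; a real run would pipe `docker diff <container>` into `suspicious_changes`.

```shell
#!/bin/sh
# Constructed sample of `docker diff <container>` output (not from a real host).
# Format: one change per line; "A" added, "C" changed, "D" deleted, then a path.
SAMPLE_DIFF='C /var/log
A /var/log/app.log
C /tmp
A /tmp/cache.db
C /etc
C /etc/passwd
A /usr/local/bin/helper
D /etc/cron.d/clean'

# Path prefixes where writes are expected for this workload. In a --read-only
# container these would be the only writable mounts (e.g. --tmpfs /tmp
# --tmpfs /var/log), so any change outside them deserves a look.
ALLOWED_PREFIXES='/var/log /tmp'

# is_allowed PATH: succeeds when PATH equals or lies under an allowed prefix.
is_allowed() {
    p=$1
    for prefix in $ALLOWED_PREFIXES; do
        case "$p" in
            "$prefix"|"$prefix"/*) return 0 ;;
        esac
    done
    return 1
}

# suspicious_changes: reads docker diff lines on stdin and prints the entries
# outside the allowlist. docker diff also emits a "C" entry for each parent
# directory of a changed file (e.g. "C /etc"); those are reported too, since
# the change beneath them is what matters.
suspicious_changes() {
    while read -r kind path; do
        case "$kind" in
            A|C|D) ;;        # well-formed entry
            *) continue ;;   # skip anything malformed
        esac
        if ! is_allowed "$path"; then
            printf '%s %s\n' "$kind" "$path"
        fi
    done
}

# count_suspicious: number of flagged entries in the constructed sample.
count_suspicious() {
    printf '%s\n' "$SAMPLE_DIFF" | suspicious_changes | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_DIFF" | suspicious_changes
```

Once the expected write locations are pinned down with --tmpfs or volume mounts, the flagged list should normally be empty, which makes an unexpected entry such as a changed /etc/passwd or a new cron job stand out immediately.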

Docker security best practices

We will look at best practices from Docker and the CIS (Center for Internet Security). They will be broken down into the following sections:
  • host config
  • Docker daemon config
  • Docker daemon config files
  • container images/runtime
  • Docker security operations

Docker - best practices

  • one app per container
  • review who has access to your docker hosts
  • use the latest version of Docker
  • use the resources given

CIS guide - host configuration

CIS guide - Docker daemon config

CIS guide - Docker daemon config files

CIS guide - container images/runtime

CIS guide - Docker security operations

There is literally no information under any of these headings. They are just placeholders for your own research, maybe? I really have no idea what the author was going for here. More pages for the publisher, I guess.
Below is a link I managed to find:

The Docker Bench Security Application

All of the previous sections are rolled up into one application called Docker Bench. 

Running the tool

You can download the tool from Github, or of course you can always clone it.  The tool is open source, so you can modify it as needed.

Understanding the output

There are three types of output:
  • PASS: everything is good
  • INFO: these items should be fixed if you think they might cause issues in your setup
  • WARN: these items need to be fixed
There is a bunch of output that the author goes over, but it's all a little dry, and basically you will see it when you run the tool. 
