Security for Docker containers

Translator's note: Docker security is perhaps one of the perennial topics of modern IT, so without further preamble we present a translation of another selection of relevant recommendations. If you have looked into this subject before, many of them will be familiar to you. We have supplemented the selection with a list of useful tools and several resources for further study.


I bring to your attention a guide to securing Docker. Feedback is welcome, as this is more a collection of excerpts from various resources, and not all of them have been thoroughly reviewed. The recommendations are divided into three categories:

  1. Necessary measures inside the host operating system when working with Docker;
  2. Instructions related to the build configuration file and creating containers;
  3. Security tools that can integrate with specific Docker Enterprise features.


The guide is based on various resources, many of which are listed below. It's not exhaustive, but it covers all the basics. Additional information can be found in the description of the CIS tests (the link is provided at the end of this guide), as well as in the documentation for Docker.

Docker Security Benchmark

Docker Bench for Security automatically checks your Docker installation against the most common best practices. The script is a good heuristic security test, but it should not be considered a tool for comprehensive analysis.

Host OS

Obviously, a Docker container cannot be secure if the host system itself is not secure. Therefore, it is necessary to follow best practices for operating system security. It would also be wise to conduct a vulnerability analysis on top of the recommendations below.

Audit Rules

Create and use audit rules for Docker-related files with auditctl. For example, add -w /usr/bin/dockerd -k docker to /etc/audit.rules and restart the audit service.
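The article only shows the rule for the dockerd binary. The following added example (not code from the original article) generalises that single rule to a list of Docker-related paths, writes them to a rules file you choose so they can be reviewed before loading, and checks that every expected path is covered. The path list is an assumption drawn from the CIS Docker Benchmark's audit section and should be adjusted to where your distribution installs Docker.

```shell
# Paths whose modification should be audited. This list is an assumption
# (CIS Docker Benchmark audit items); adjust it to your distribution.
DOCKER_AUDIT_PATHS="/usr/bin/dockerd
/var/lib/docker
/etc/docker
/etc/docker/daemon.json
/usr/bin/containerd
/usr/bin/runc
/usr/lib/systemd/system/docker.service
/usr/lib/systemd/system/docker.socket"

# write_docker_audit_rules <outfile>
# Emits one "-w PATH -k docker" watch rule per path, overwriting <outfile>.
write_docker_audit_rules() {
    outfile="$1"
    : > "$outfile"
    printf '%s\n' "$DOCKER_AUDIT_PATHS" | while IFS= read -r p; do
        [ -n "$p" ] || continue
        printf -- '-w %s -k docker\n' "$p" >> "$outfile"
    done
}

# count_missing_rules <rulesfile>
# Prints how many expected paths have no "-w PATH" rule in the file
# (0 means the file covers everything in DOCKER_AUDIT_PATHS).
count_missing_rules() {
    rulesfile="$1"
    missing=0
    for p in $DOCKER_AUDIT_PATHS; do
        # trailing space keeps "/etc/docker " from matching "/etc/docker/daemon.json"
        grep -qF -- "-w $p " "$rulesfile" || missing=$((missing + 1))
    done
    echo "$missing"
}

# Usage on a real host (as root), then load the rules with
# "auditctl -R <file>" or "augenrules --load":
#   write_docker_audit_rules /etc/audit/rules.d/docker.rules
#   count_missing_rules /etc/audit/rules.d/docker.rules   # expect 0
```

Writing to a separate file under rules.d rather than appending to audit.rules keeps the Docker rules reviewable as one unit, and count_missing_rules doubles as a drift check you can run from a cron job or a configuration-management hook.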

FIPS Mode

Enabling FIPS mode forces cryptographic tools to switch to FIPS-approved algorithms (the American Federal Information Processing Standards - translator's note), thus complying with federal and industry regulations and requirements. If the host OS supports FIPS mode, you can enable it by running the following commands:

sed -i 's/GRUB_CMDLINE_LINUX="/GRUB_CMDLINE_LINUX="fips=1 /g' /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg && reboot

You also need to enable FIPS in Docker Engine:

mkdir -p /etc/systemd/system/docker.service.d; printf '[Service]\nEnvironment="DOCKER_FIPS=1"\n' > /etc/systemd/system/docker.service.d/fips-module.conf; systemctl daemon-reload; systemctl restart docker

See the Docker and Red Hat documentation for more information.

Docker Secrets

Confidential data must be stored as secrets. A service that uses a secret can be started with the docker service create command:

docker service create --label com.docker.ucp.access.label=/prod --name nginx --publish 443 --secret source=orcabank_prod_mobile.ca.pem.v1,target=ca.pem nginx

See the documentation for details.

Docker configuration file

The following settings can be added to the configuration file /etc/docker/daemon.json:

  • "icc": false - disables communication between containers to avoid unnecessary information leakage.
  • "log-level": "info" - captures all logs except debug ones.
  • Remote logging:

    {
      "log-driver": "syslog",
      "log-opts": {
        "syslog-address": "udp://1.2.3.4:1111"
      }
    }

    This sends the logs to the specified address. It only works if a syslog daemon is listening there; both TCP and UDP are accepted. Remote logging can also be configured for an individual container by passing --log-opt syslog-address=ADDRESS when that container is started.

  • "userns-remap": "Your_User" - prevents privilege escalation by isolating the user namespace for a specific user.

Transport Layer Security

Remote connections to the Docker daemon (if remote access is needed at all) should be available only to users who hold TLS client credentials.

Authorization plugins

Decide which users are allowed to execute which commands, and create an appropriate authorization plugin for Docker. Then start the Docker daemon and add the plugin to it:

dockerd --authorization-plugin=PLUGIN_ID

To learn more about creating authorization plugins, see the documentation.

Daemon Options

The Docker daemon runs with a set of default options; the following are worth setting explicitly.

  • --live-restore - keeps containers running while the daemon is shut down or restarted, which reduces downtime and makes it easier to patch or update the daemon;
  • --userland-proxy=false - when hairpin NAT is available or in use, the user-space proxy becomes a redundant service that only increases the number of possible attack vectors;
  • --no-new-privileges - prevents containers from gaining additional privileges via setuid or setgid binaries;
  • --seccomp-profile /path/to/profile - if you have your own seccomp profile, you can apply it with this flag. Learn more about Seccomp and Docker here.
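The configuration-file keys above and the daemon flags in this section are usually managed together in /etc/docker/daemon.json. The following added example (not from the original article) writes a daemon.json that combines them, including the TLS keys that back the Transport Layer Security recommendation, and then checks that the hardening keys are present. The syslog address, the seccomp profile path and the certificate paths are placeholders; "userns-remap": "default" makes Docker create and use the dockremap user instead of a user you name yourself.

```shell
# write_hardened_daemon_json <outfile>
# Writes a daemon.json combining the settings discussed in the article.
# Placeholder values (SYSLOG_HOST, certificate and profile paths) are
# assumptions and must be replaced for your host.
write_hardened_daemon_json() {
    cat > "$1" <<'EOF'
{
  "icc": false,
  "log-level": "info",
  "log-driver": "syslog",
  "log-opts": {
    "syslog-address": "udp://SYSLOG_HOST:514"
  },
  "userns-remap": "default",
  "live-restore": true,
  "userland-proxy": false,
  "no-new-privileges": true,
  "seccomp-profile": "/etc/docker/seccomp-profile.json",
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem"
}
EOF
}
# The tls* keys only take effect once a tcp:// listener is configured
# (for example via "hosts" or the systemd unit's -H flag); the unix socket
# is unaffected by them.

# check_daemon_json <file>
# Prints "ok" when every hardening key is present with the expected value,
# otherwise prints the first missing key and returns 1. String-based (grep),
# so it works without jq, but it does not validate the JSON itself.
check_daemon_json() {
    f="$1"
    for want in '"icc": false' \
                '"userns-remap":' \
                '"userland-proxy": false' \
                '"no-new-privileges": true' \
                '"tlsverify": true'; do
        grep -qF -- "$want" "$f" || { echo "missing $want"; return 1; }
    done
    echo ok
}

# Usage on a real host, followed by "systemctl restart docker" and a look
# at "docker info" to confirm the daemon picked the settings up:
#   write_hardened_daemon_json /etc/docker/daemon.json
#   check_daemon_json /etc/docker/daemon.json
```

Do not also set "hosts" in daemon.json if the systemd unit already passes -H to dockerd; the daemon refuses to start when the same option is given in both places.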

Container and build file configuration

User creation

Make sure a user is created for the container and run it as that user (DO NOT run the container as root).

Remote access

Deny remote access to the daemon. If you still need it, protect it with certificates.

Isolate the user namespace

It is especially important to make sure the Docker user namespace is isolated, since by default it is shared with the host's namespace. In some cases this can be used to elevate privileges or even escape the container. You can isolate the user namespace by editing the configuration file (as described in the Docker configuration file section above). It is mentioned again here because of its importance.

Healthchecks

A healthcheck is a powerful tool for verifying that a container is working properly. It is configured in the Dockerfile with the HEALTHCHECK instruction. In the example below, the check exits with 0 if the server is up and with 1 if it is down:

HEALTHCHECK CMD curl --fail http://localhost || exit 1
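The two Dockerfile recommendations in this section, a dedicated non-root USER and a HEALTHCHECK, are easy to forget and easy to check for mechanically. The following added example (not from the original article) is a small lint run against two constructed Dockerfiles: a weak one that omits both, and a hardened one that creates an unprivileged user and adds the article's healthcheck. The image name, user name and site path are assumptions.

```shell
# lint_dockerfile <Dockerfile>
# Prints one finding per line; prints nothing when both checks pass.
# Comment lines are ignored and, as in a real build, the last USER wins.
lint_dockerfile() {
    f="$1"
    last_user=$(grep -iE '^[[:space:]]*USER[[:space:]]+' "$f" | tail -n 1 | awk '{print $2}')
    last_user=${last_user%%:*}          # drop an optional ":group" suffix
    case "$last_user" in
        "")      echo "no USER instruction: container runs as root" ;;
        root|0)  echo "USER is $last_user: container runs as root" ;;
    esac
    grep -qiE '^[[:space:]]*HEALTHCHECK[[:space:]]+' "$f" \
        || echo "no HEALTHCHECK instruction"
}

# Constructed sample: a Dockerfile that runs as root and has no healthcheck.
write_weak_dockerfile() {
    cat > "$1" <<'EOF'
FROM nginx:1.25
COPY site/ /usr/share/nginx/html/
# no USER: the server would run as root
EOF
}

# Constructed sample: the same image with an unprivileged user and the
# healthcheck from the article.
write_hardened_dockerfile() {
    cat > "$1" <<'EOF'
FROM nginx:1.25
RUN addgroup --system app && adduser --system --ingroup app app
COPY --chown=app:app site/ /usr/share/nginx/html/
USER app
HEALTHCHECK CMD curl --fail http://localhost || exit 1
EOF
}

# Usage: write both samples somewhere and lint them.
#   write_weak_dockerfile ./Dockerfile.weak && lint_dockerfile ./Dockerfile.weak
#   write_hardened_dockerfile ./Dockerfile && lint_dockerfile ./Dockerfile
```

A check like this belongs in CI next to the image build: the weak file produces two findings, the hardened one none, and a Dockerfile that switches back to USER root after an earlier USER line is still caught because only the last USER instruction is considered.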

SELinux

If SELinux is supported by the host operating system, create or import an SELinux policy and run the Docker daemon with SELinux enabled:

dockerd --selinux-enabled

In this case, Docker containers can be run with security options, for example:

docker run --interactive --tty --security-opt label=level:TopSecret centos /bin/bash

Network interfaces

By default, Docker publishes ports on all network interfaces. Since in most cases traffic is expected on only one of them, this unnecessarily increases the attack surface. Therefore, when starting a container, you can bind its published ports to a specific interface on the host:

docker run --detach --publish 10.2.3.4:49153:80 nginx

Cached versions of images

When downloading images, make sure the local cache matches the contents of the repository. Otherwise, you may end up with an outdated version of the image or an image that contains vulnerabilities.

Network bridge

The default network bridge, docker0, is vulnerable to ARP spoofing and MAC flooding attacks. To address this, create a network bridge according to your own specifications, as described here.

Docker socket warning

Never mount the Docker socket inside a container. Otherwise, the container will be able to execute Docker commands and therefore communicate with and control the host operating system. Do not do that.
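Since a socket mount usually arrives through someone else's compose file or CI job rather than a deliberate decision, it is worth checking running containers for it. The following added example (not from the original article) does that: the live query uses docker inspect with a Go template, and the filter is a separate function so it can be exercised here on constructed inspect output without a daemon. The container names in the sample are constructed.

```shell
# find_socket_mounts
# Reads lines of the form "<container-name> <mount-source> ..." on stdin and
# prints the name (without the leading slash) of every container whose mounts
# include the Docker socket.
find_socket_mounts() {
    while IFS= read -r line; do
        name=${line%% *}
        case " $line " in
            *" /var/run/docker.sock "*|*" /run/docker.sock "*) echo "${name#/}" ;;
        esac
    done
}

# list_running_mounts
# Prints one line per running container: its name followed by the source
# path of each mount. Needs access to the Docker daemon, so it is not run
# by the dry-run below.
list_running_mounts() {
    for id in $(docker ps -q); do
        docker inspect --format '{{.Name}}{{range .Mounts}} {{.Source}}{{end}}' "$id"
    done
}

# Constructed sample in the same shape as list_running_mounts output:
SAMPLE_MOUNTS='/web /srv/www
/ci-agent /var/run/docker.sock /home/ci/work
/db /var/lib/pgdata'

# Dry run on the sample (prints "ci-agent"):
#   printf '%s\n' "$SAMPLE_MOUNTS" | find_socket_mounts
# On a real host:
#   list_running_mounts | find_socket_mounts
```

Any name this prints is a container that effectively has root on the host; treat it as a finding to remove, not to document.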

Configuring Docker Enterprise

Docker Trust

Docker Trust allows you to generate keys that can be used to verify the cryptographic integrity of images. Docker Trust keys can be used to sign Docker images with private keys, which are then verified against public keys on the Notary server. More information is available here. Enabling Docker Trust in Enterprise Engine is described in this section of the documentation.

Vulnerability Scanning

Docker Enterprise has a built-in vulnerability scanner that allows you to download the CVE database for offline scanning of vulnerabilities in images. Regular scanning of images helps to make them more secure: the user immediately receives warnings about vulnerabilities found. For more information on how this can be done, see here.

Translator's note: there are also open source vulnerability scanners for Docker images; examples are listed at the end of the article.

LDAP and UCP integration

Universal Control Plane can be integrated with LDAP. The result is a simplified authentication system that avoids unnecessary duplication of accounts. You can read more about this in the article Integrate with an LDAP directory.

Other materials

More information on Docker security best practices can be found at docs.docker.com. We also recommend downloading Center for Internet Security tests for Docker.

Translator Bonus

As a logical addition to this article, we publish a list of 10 popular open source Docker security tools, borrowed from another article (by Bill Doerrfeld of Doerrfeld.io).

NB: Read more about many of the projects mentioned here in the article "33+ Kubernetes security tools".

  1. Docker Bench for Security - the script already mentioned at the very beginning of the article that checks Docker containers for compliance with common security practices.


  2. Clair is probably the most popular utility for static analysis of vulnerabilities in a container. It uses numerous CVE vulnerability databases (including the trackers of leading Linux distributions such as Red Hat, Debian, Ubuntu). It offers an API for developers and is easy to extend (by adding "drivers"). It is used in the popular public container image registry (similar to Docker Hub) Quay.io.
  3. Cilium is a kernel-level network security solution based on BPF packet filtering technology.
  4. Anchore - a utility for analyzing the contents of images for security vulnerabilities based on CVE data. In addition, it allows you to apply custom policies (based on various data including white/black lists, file contents, etc.) to assess the security of containers.
  5. OpenSCAP Workbench - a whole ecosystem for creating and maintaining security policies on different platforms. For checking containers it offers the oscap-docker utility.
  6. Dagda is a utility for scanning Docker containers for vulnerabilities, trojans, viruses and malware. Its vulnerability sources include OWASP dependency checks, the Red Hat OVAL database and the Exploit Database repository of exploits.
  7. Notary is a framework for signing Docker images, originally created by Docker Inc (and later transferred to the CNCF for further development). It allows you to delegate roles and distribute responsibilities across containers, as well as verify the cryptographic integrity of images.
  8. Grafeas - an API for metadata designed to manage internal security policies. As an example, it improves the performance of container security scanners. Shopify uses this API to manage metadata for its 500K images.
  9. Sysdig Falco - a Kubernetes utility that monitors system behavior: activity in containers, on hosts, and on the network. It allows you to configure continuous infrastructure checks, anomaly detection, and alerts for any Linux system calls.
  10. Banyanops Collector is another tool for static analysis of Docker container images. It allows you to "look" into the image files, collecting the necessary data, applying the necessary policies, etc.

Another good collection of practical advice on how to make Docker more secure can be found in this article by Aqua Security. Many of its tips overlap with those already mentioned above, but there are others. For example, the authors suggest setting up activity monitoring in containers and point out what to look for when using Docker Swarm.

For those who want to dive into this topic in more detail, last year's book "Docker Security: Quick Reference" has fragments freely available here.

Finally, for a practical introduction to some aspects of Docker security, namely seccomp profiles and the use of Linux kernel capabilities in containers, you can go through the corresponding labs on the Play with Docker resource* - see the "Security" section.


* We wrote about this resource two years ago, and in November 2018 a very interesting (from a security point of view) story happened to it. In short, specialists from CyberArk Software Ltd. managed to break out of it: they achieved the ability to execute commands outside the containers, i.e. on the host system. A great illustration of Docker security issues, isn't it? Read all the details of what happened here.


Source: habr.com
