June 20, 2018
Have you actually ever verified it?
If you are a developer, you probably deal with already set up environment and your only job is to write a Dockerfile and push an image to a registry (or even less work if use Continues Integration). Altough I’m going to focus on production environment where Docker images are pulled and running, which is set up by DevOps or sysAdmiss, there’s still a good few things to check on your end to increase the level of security:
- keep one application per container
- don’t store credentials in containers
- if you pull images of uknown authors (like custom Debian built), verify Dockerfile used to build the image but always better to use trusted sources
- write secure code ;) (nothing can help if your code is vulnerable). Peer review and/or static code analysis helps a lot.
- use minimalistic base images like CoreOs
- check if there are security patches that should be applied to containers
- use resource limitations
Ok, but let’s come back to the actual production environment and focus only on the Docker setup, as protecting production hosts is a subject for many many articles.
- use your own Docker registry
- keep Docker up to date
- sign your images
- drop setuid and setgid from containers
- implement Docker monitoring
- …and run tools to perform security audit like Docker-Bench-Security, it can list a lot of potential issues
DOCKER BENCH SECURITY
It’s a tool build by Docker engineers and the git repo is a described as:
“The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.”
Installing it is straight forward, checkout instruction on https://github.com/docker/docker-bench-security.
This scan covers:
- Host configuration
- Docker daemon configuration
- Docker daemon configuration files
- Container Images and Build files
- Container Runtime
- Docker Security Operations
- Docker Swarm Configuration
A sample result:
- [ PASS ] All ok. No need to pay attention to it.
- [ INFO ] Requires review.
- [ WARN ] This needs to be fixed.
I hope this post will inspire you to look closer at your Docker configuration to see if it’s secure enough.