docker security analysis

Docker security analysis

carrés SecludIT

PROBLEM

Lionel DevOps wants to use containers technology to easily build his test environment. Until now, he has used virtual machines, but he wants to save storage capacity and be able to switch easily from a test environment to a production environment.
Lionel DevOps performs vulnerability testing on its infrastructure but does not have internal skills to handle Docker security. Since he will launch projects on Docker which include sensitive data, he wants to ensure his new deployment will not increase the attack surface. Furthermore, not being a security expert, he is afraid of wasting time with complex security solutions without Docker support because he needs to provide risk indicators to his management.

SOLUTION

ELASTIC WORKLOAD PROTECTOR

Docker and other container technologies are increasingly popular methods for deploying applications in DevOps environments, due to advantages in portability, efficiency in resource sharing and speed of deployment.
The properties that made Docker containers a must, however, can pose challenges for audit, and add complexity to security.

Elastic Workload Protector run a set of test issue from standard checklist recommendations:

CIS Docker 1.12.0 Benchmark
Checklist audit docker containers

CIS Docker Benchmarks and the SANS Checklist include an overview of results gathered from host configuration settings, Docker daemon settings, container images, runtime settings, and other Docker security settings.

As adoption of this technology grows and the technology evolves, it is necessary to be updated with standardized checklists to Docker security based on the latest tools and recommendations.

“SecludIT’s expertise, both in matters of AWS security best practices and technologies have been a valuable assistance to answer the security challenges of our PaaS and establish a solid security foundation.”

Samir Salibi, Wakanda.io Marketing Manager

EXAMPLE OF ELASTIC WORKLOAD PROTECTOR OUTCOME

CIS DOCKER 5.3 Restrict Linux Kernel Capabilities within containers

By default, Docker starts containers with a restricted set of Linux Kernel Capabilities. It means that any process may be granted the required capabilities instead of root access. Using Linux Kernel Capabilities, the processes do not have to run as root for almost all the specific areas where root privileges are usually needed.

Docker supports the addition and removal of capabilities, allowing use of a non-default profile. This may make Docker more secure through capability removal, or less secure through the addition of capabilities. It is thus recommended to remove all capabilities except those explicitly required for your container process.

Verify that the added and dropped Linux Kernel Capabilities are in line with the ones needed for container process for each container instance.

Execute the below command to add needed capabilities:
$> docker run –cap-add={“Capability 1″,”Capability 2”}
$> docker run –cap-drop={“Capability 1″,”Capability 2”}