Docker Security 101

Sathiya Shunmugasundaram
Published in becloudy
2 min read · 1 day ago

Securing a containerized application is not a trivial task. This is a collection of container security best practices.

Docker security involves securing the host and the Docker daemon, together with several hardening practices. The following sections describe various activities and best practices for securing a Docker installation.

Host Security

  • Use a minimal Linux distribution and avoid extraneous programs and services
  • Keep the OS, kernel and required packages up to date
  • Run the latest version of Docker
  • Scan the host for vulnerabilities and apply patches
  • Harden the host
  • Disable root login and root shell access
  • Disable password-based SSH login and use SSH key pairs
  • Run Docker from limited user accounts and groups that are granted sudo privileges
  • Enable the Linux Audit Framework to audit system events

Docker Daemon

  • Enable TLS encryption between the Docker daemon and its clients
  • Configure the Docker daemon to run containers in a remapped user namespace instead of the default (host) namespace

Container Security

  • Run the container as an unprivileged user by adding a user in the Dockerfile and running as that user
  • Disable the root user in the Dockerfile
  • Use docker run flags to prevent privilege escalation
  • Limit container capabilities
  • Make the container file system read-only where warranted
  • Use Docker networks to disable inter-container communication
  • Limit container resources using cgroups

Security Frameworks

Make use of the following security frameworks to implement pre-defined access policies

Vulnerability Scanning

It's important to identify vulnerabilities in the packages of a container image. These vulnerabilities need to be patched or fixed. Several tools, such as Trivy, are available for scanning images.

Secure Image building

Security misconfigurations can be identified at the build stage using tools like Dockle. Some best practices are:

  • Use minimal base images like Alpine Linux
  • Use a specific image tag instead of latest
  • Remove unwanted packages
  • Avoid storing secrets in the Dockerfile and the image
  • Sign and verify the images
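As an added example (not from the article or the Docker project), the following POSIX shell script writes a Dockerfile and a daemon.json and assembles a docker run line that together implement the Docker Daemon, Container Security and Secure Image building practices above. The image name, user name, certificate paths and resource limits are assumptions.

```shell
#!/bin/sh
# Hypothetical helper (not from the article): writes a hardened Dockerfile and
# daemon.json and assembles the docker run flags that implement the article's
# daemon/container/image bullets. Image, user and cert paths are assumptions.
set -eu

# Dockerfile: pinned minimal base, no package cache left behind, a dedicated
# unprivileged user, and the root account locked inside the image.
write_dockerfile() {  # $1 = output path
    cat > "$1" <<'EOF'
FROM alpine:3.20
RUN apk add --no-cache ca-certificates \
    && addgroup -S app && adduser -S -G app -H -s /sbin/nologin app \
    && passwd -l root
USER app
COPY --chown=app:app ./app /app
ENTRYPOINT ["/app/server"]
EOF
}

# daemon.json: TLS-verified remote API, user-namespace remapping so container
# root maps to an unprivileged host uid, inter-container traffic disabled,
# and no-new-privileges as the daemon-wide default.
write_daemon_json() {  # $1 = output path
    cat > "$1" <<'EOF'
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem",
  "userns-remap": "default",
  "icc": false,
  "no-new-privileges": true
}
EOF
}

# docker run line: drop every capability, block setuid escalation, read-only
# root filesystem with a noexec scratch tmpfs, cgroup limits on memory, pids
# and cpu, and a user-defined network (docker network create app-net).
run_command() {  # $1 = image reference with a pinned tag, never :latest
    printf "docker run -d --cap-drop ALL --security-opt no-new-privileges \
--read-only --tmpfs /tmp:rw,noexec,nosuid --memory 256m --pids-limit 100 \
--cpus 0.5 --network app-net %s" "$1"
}

run_command myorg/app:1.4.2; echo
```

With a systemd-managed dockerd, remove any -H flag from the unit's ExecStart before setting hosts in daemon.json, otherwise the daemon refuses to start because the option is given twice.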

About the Author

I am a freelance writer in the cloud, containers and security space. The views and opinions expressed in this writing are solely my own and do not represent the views of my employer or any other organization that I may be affiliated with.
