What is Docker?

Docker is a virtualized scalable solution that is currently replacing classic virtualization solutions like hypervisors. Why? Because Docker requires far fewer resources, is easy to deploy and starts fast. This allows you to have higher density, meaning that it allows you to run more services on the same hardware unit, thereby reducing costs.

Here’s a quick 101 on why using Docker can be beneficial to you.

This is why the use of Docker, and container technology in general, is on the rise. Since the advent of Docker in 2013, according to a Datadog report, 20% of all hosts across environments run on Docker. But technologies with such rapidly growing adoption rates invite high volumes of malicious intent, thereby mandating robust container security considerations. Which is why, further to our previous Docker security listicle, I’ve penned down the five most pertinent security threats to your Docker deployments and the ways in which you can best secure them.

 

      • Always set the container file system to read-only.
      • Run the application as a least-privileged user.
      • Never use environment variables to share secrets.
      • Never run a container with root privileges, i.e. with the --privileged flag.
      • Always verify Docker images with MD5/SHA1 hashing.
    • Defang SETUID/SETGID binaries that might help an attacker gain a root shell.
    • Always set the container file system/volumes to read-only, as this helps prevent a third party from gaining access or executing malicious payloads.
    • Always run a Docker container as a least-privileged user.
    • Never run a container with root privileges, i.e. with the --privileged flag.
    • It is advisable to turn off inter-container communication unless needed.
    • Always use only the packages that are absolutely needed for running the application.

Here’s why this would work:

Defanging SETUID/SETGID binaries: setuid/setgid binaries are entry points that attackers use to escalate privileges to root, leading to a complete compromise of the host.

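Disable them with the following Dockerfile instruction (current GNU find takes `-perm /6000` to match files with either bit set and no longer accepts the older `+6000` form):

```
RUN find / -perm /6000 -type f -exec chmod a-s {} \; || true
```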

 


      • Try to allot the required kernel resources at the VM level, or have some kind of memory limiter in place so that resources are not exhausted.
      • Always use only the packages that are absolutely needed for running the application.
      • Never run a container with root privileges, i.e. with the --privileged flag.
      • Always run a Docker container as a least-privileged user.
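
The safeguards listed above can be checked against containers that are already deployed. The following is an added example, not code from the original post: it audits `docker inspect` JSON for a privileged container, a writable file system or volume, a root user, a missing memory limit and secret-looking environment variables. The sample records are constructed, and the secret-name pattern is an assumed heuristic.

```python
import json
import re

# Heuristic (assumption): env var names that usually hold secrets.
SECRET_NAME = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.I)


def audit_container(info: dict) -> list:
    """Return checklist violations for one `docker inspect` record."""
    host = info.get("HostConfig") or {}
    cfg = info.get("Config") or {}
    findings = []
    if host.get("Privileged"):
        findings.append("privileged: started with --privileged")
    if not host.get("ReadonlyRootfs"):
        findings.append("rootfs: container file system is writable")
    # An empty User, "root" or uid 0 all mean the process runs as root.
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "root", "0"):
        findings.append("user: application runs as root")
    if not host.get("Memory"):  # 0 or absent means no limit was set
        findings.append("memory: no memory limit")
    for mount in info.get("Mounts") or []:
        if mount.get("RW"):
            findings.append(f"volume: {mount.get('Destination')} is read-write")
    for entry in cfg.get("Env") or []:
        name = entry.split("=", 1)[0]
        if SECRET_NAME.search(name):
            findings.append(f"env: {name} looks like a secret")
    return findings


# Constructed sample input, shaped like `docker inspect <container>` output.
SAMPLE = json.loads("""
[
 {"Name": "/web-bad",
  "Config": {"User": "", "Env": ["PATH=/usr/bin", "DB_PASSWORD=example"]},
  "HostConfig": {"Privileged": true, "ReadonlyRootfs": false, "Memory": 0},
  "Mounts": [{"Destination": "/data", "RW": true}]},
 {"Name": "/web-ok",
  "Config": {"User": "1000:1000", "Env": ["PATH=/usr/bin"]},
  "HostConfig": {"Privileged": false, "ReadonlyRootfs": true, "Memory": 268435456},
  "Mounts": [{"Destination": "/data", "RW": false}]}
]
""")

if __name__ == "__main__":
    for record in SAMPLE:
        print(record["Name"], audit_container(record) or "OK")
```

To audit a live host, feed the function the parsed output of `docker inspect` for each container instead of the sample.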

In case you run into roadblocks implementing these safeguards, drop a comment here and I promise you a response.
