Introduction to Docker Security 101

This is my second blog on Container security. In this post, I'm trying to cover the basics of docker security. What is docker? why do we need to learn docker? and its security best practices.

What is Docker?

Docker is a set of platform-as-a-service (PaaS) products that use OS-level virtualization to deliver software in packages called containers.

In layman's terms, Docker is an application build and deployment tool. It is based on the idea that you can package your code with dependencies into a deployable unit called a container.

Why Should you learn Docker?

4 reasons to learn Docker :

1. Dockerized apps don’t require their own operating system. So maintaining apps doesn’t also mean maintaining the system on which they run. Only your host system’s OS needs to be updated and secured, leaving you time to do the thousand other things SysAdmins need to do!
2. Each Dockerized app gets its own set of dependencies. There’s no longer any need to worry about conflicting versions of libraries. If one app needs PHP version 5.2 and another needs 5.4, with Docker that’s no problem!
3. Most of the heavy lifting is already done. The Docker community maintains the images at Docker Hub, which means setting up complete application environments is a simple one-line command. Rather than taking the time to set up the system your app requires, you can devote your time to developing your application.
4. Controlling Docker containers can be fully automated. Remember that single-line command for setting up an environment? It can be scripted or automated like any other command-line tool. That means you can programmatically scale and deploy applications without wasting valuable hands-on time.

Docker architecture and its components

Docker’s architecture is pretty simple and it has two main components

1. Docker Client (CLI):-The Docker client ( docker ) is the primary way that many Docker users interact with Docker. When you use commands such as docker run, the client sends these commands to docker, which carries them out. The docker command uses the Docker API.
2. Docker Server (Daemon):-Docker Enterprise allows you to run both Windows Server and Linux nodes in the same cluster, allowing organizations to secure and manage a diverse set of containerized applications.

What is docker security?

Securing a Docker container is no different than securing other containers. It requires an all-inclusive approach, securing everywhere from the host to the network and everything in between. Because of their moving parts, ensuring the security of containers is difficult for many organizations, and it requires more than a rudimentary level of vigilance. Security could be a major challenge once running applications in a very virtual atmosphere. Therefore, securing stevedore containers is significant. It needs securing all over from the host to the network.

Docker containers layout a lot of safe atmosphere for your systems than ancient virtual machines. they supply the way to separate up applications into smaller elements. The elements area unit isolated from each other, so serving to cut back attacks. Hackers area unit prevented from exploiting the pc systems and create it tougher for security breaches and attacks to occur. It is vital to understand and utilize the simplest practices to safeguard your pack applications. Below area unit of some essential tips accustomed secure applications hosted on an instrumentality platform.

What are the types of attacks on docker?

Docker’s attack surface in terms of these categories:-

• OS and kernel attacks
• Network-based attacks
• Daemon-based attacks
• Image-based attacks
• Application-based attacks.

Getting started with security best practices

1. Prefer minimal base images:-

The Docker images that are used have as many as 580 vulnerabilities in their system libraries

• Choose images with fewer OS libraries and tools lower the risk and attack surface of the container
• Prefer alpine-based images over full-blown system OS images

2. Least privileged user:-

Create a dedicated user and group on the image, with minimal permissions to run the application; use the same user to run this process.

3. Sign and verify images to mitigate:-

It is critical to make sure the image we’re pulling is the one pushed by the publisher, and that no one has tampered with it.

• Verify the trust and authenticity of the images you pull
• Sign your images with the help of Notar

4. Find, fix and monitor for open source vulnerabilities

Scan your Docker images for known vulnerabilities and integrate them as part of your continuous integration. Use commands that are mentioned below to scan and get detailed reports from

How to scan images:- $ docker scan hello-world

Get a detailed scan report:- $ docker scan — file Dockerfile docker-scan:e2e

Excluding the base image:- $ docker scan — file Dockerfile — exclude-base docker-scan:e2e

Checking the dependency tree:- $ docker scan — dependency-tree debian:buster

Limiting the level of vulnerabilities displayed:- $ docker scan — severity=medium docker-scan:e2e

5. Don’t leak sensitive information to Docker images

It’s easy to accidentally leak secrets, tokens, and keys into images when building them. To stay safe, follow these guidelines:

• Use multi-stage builds
• Use the Docker secrets feature to mount sensitive files without caching them (supported only from Docker 18.04)
• Use a .dockerignore file to avoid a hazardous COPY instruction, which pulls insensitive files that are part of the build context

6. Use fixed tags for immutability

Docker image owners can push new versions to the same tags, which may result in inconsistent images during builds, and makes it hard to track if a vulnerability has been fixed. Prefer one of the following:

• A verbose image tag with which to pin both version and operating system, for example: FROM node:8-alpine
• An image hash to pin the exact contact, for example: FROM node:

7. Use COPY instead of ADD:-

Arbitrary URLs specified for ADD could result in MITM attacks or sources of malicious data. In addition, ADD implicitly unpacks local archives which may not be expected and result in path traversal and Zip Slip vulnerabilities.

• Use COPY, unless ADD is specifically required.

8. Use metadata labels:-

Use and communicate a Responsible Security Disclosure policy by adopting a SECURITY.TXT policy file and providing this information in your images labels

9. Use a linter

Enforce Dockerfile best practices automatically by using a static code analysis tool such as hadolint linter, that will detect and alert for issues found in a Dockerfile.

Lastly, if you want to learn container security do check out practical-devsecops and even their blogs about docker security are just amazing links to their course, and blogs are mentioned in the references section.Check out my previous blog in order to understand container security

Contact me

Twitter:- https://twitter.com/mafiaaguy

LinkedIn:- https://www.linkedin.com/in/mafiaguy/

Github:-https://github.com/mafiaguy

References:-

• https://docs.docker.com/engine/scan/
• https://docs.docker.com/engine/security/
• https://res.cloudinary.com/snyk/image/upload/v1555510939/shifting_docker_security_left_2019.pdf
• https://snyk.io/blog/top-ten-most-popular-docker-images-each-contain-at-least-30-vulnerabilities/
• https://snyk.io/research/zip-slip-vulnerability
• https://design.jboss.org/redhatdeveloper/marketing/docker_cheatsheet/cheatsheet/images/docker_cheatsheet_r3v2.pdf
• https://dockerlux.github.io/pdf/cheat-sheet-v2.pdf
• https://www.practical-devsecops.com/certified-container-security-expert/
• https://www.practical-devsecops.com/lesson-1-understand-docker-from-a-security-perspective/