added defensive measurements
parent 4c16a2a545
commit 611827f4b1
@ -262,9 +262,102 @@ curl <host-IP>/shell.php?cmd=id

## Securing a Container

* Least Privileges
* Seccomp
* Securing Registry via TLS
* Use Grype or CIS Benchmark for Vulnerability Checks

```sh
grype $IMAGE_NAME --scope all-layers
grype ./image.tar
```

### Cgroups

Take a look at the cgroups of a container

```sh
docker inspect $CONTAINER_ID
```

Update cgroups of a container via

```sh
docker update --cpus="4" --memory="512m"
```

### Remove Capabilities

The count of capabilities should be minimized on every container.
It should only contain the necessary caps.

```sh
docker run -it --rm --cap-drop=ALL --cap-add=$NECESSARY_CAPS $CONTAINER_NAME
```

Check the capabilities via

```sh
capsh --print
```

### SSH context

Create a profile to use a remote Docker daemon through SSH

```sh
docker context create --docker host=ssh://$USER@$TARGET_IP --description "Attack" attack-host
docker context use attack-host
docker context use default
```

### Enable TLS

Start a Docker daemon using TLS
```sh
dockerd --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=0.0.0.0:2376
```

Connect to a TLS enabled Docker Daemon

```sh
docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=$DOCKER_SERVER:2376 info
```

### Seccomp

> The seccomp() system call operates on the Secure Computing (seccomp)
> state of the calling process.

In strict mode it is described as follows
> The only system calls that the calling thread
> is permitted to make are read(2), write(2), _exit(2) (but not
> exit_group(2)), and sigreturn(2).

Seccomp can also be configured to support other systemcalls.
The configuration is done via JSON

```sh
docker run --rm -it --security-opt seccomp=./profile.json $CONTAINER_NAME
```

### Apparmor

Mandatory Acces Control measurement to limit permissions of execution and on resources.
See the status of Apparmor via

```sh
aa-status
```

Create a profile and import it via

```sh
apparmor_parser -r -W ./profile.json
```

Apply the configuration to the container via

```sh
docker run --rm -it --security-opt apparmor=./profile.json
```

## References

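Review bot: the AppArmor commands at the end of this hunk will not work as written. `apparmor_parser -r -W ./profile.json` expects a profile written in AppArmor's own text syntax, not JSON (only the seccomp option consumes a JSON file), and `--security-opt apparmor=` takes the name of a profile that is already loaded into the kernel, not a file path; the `docker run --rm -it --security-opt apparmor=./profile.json` line is also missing the image name at the end. Suggest loading a text profile (e.g. `apparmor_parser -r -W ./profile`) and then `docker run --rm -it --security-opt apparmor=<profile-name> $CONTAINER_NAME`. Likewise `docker update --cpus="4" --memory="512m"` needs the container id or name it should act on. Minor: "Acces" should read "Access", "systemcalls" should be "system calls", "Apparmor" is spelled "AppArmor", and the new `## References` heading has no entries.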