diff --git a/Exploits/Containers/Docker.md b/Exploits/Containers/Docker.md index 89be3db..c6e05a8 100644 --- a/Exploits/Containers/Docker.md +++ b/Exploits/Containers/Docker.md @@ -262,9 +262,102 @@ curl /shell.php?cmd=id ## Securing a Container -* Least Privileges -* Seccomp -* Securing Registry via TLS +* Use Grype or CIS Benchmark for Vulnerability Checks + +```sh +grype $IMAGE_NAME --scope all-layers +grype ./image.tar +``` + +### Cgroups + +Take a look at the cgroups of a container + +```sh +docker inspect $CONTAINER_ID +``` + +Update cgroups of a container via + +```sh +docker update --cpus="4" --memory="512m" +``` + +### Remove Capabilities + +The count of capabilities should be minimized on every container. +It should only contain the necessary caps. + +```sh +docker run -it --rm --cap-drop=ALL --cap-add=$NECESSARY_CAPS $CONTAINER_NAME +``` + +Check the capabilities via + +```sh +capsh --print +``` + +### SSH context + +Create a profile to use a remote Docker daemon through SSH + +```sh +docker context create --docker host=ssh://$USER@$TARGET_IP --description "Attack" attack-host +docker context use attack-host +docker context use default +``` + +### Enable TLS + +Start a Docker daemon using TLS +```sh +dockerd --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=0.0.0.0:2376 +``` + +Connect to a TLS enabled Docker Daemon + +```sh +docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=$DOCKER_SERVER:2376 info +``` + +### Seccomp + +> The seccomp() system call operates on the Secure Computing (seccomp) +> state of the calling process. + +In strict mode it is described as follows +> The only system calls that the calling thread +> is permitted to make are read(2), write(2), _exit(2) (but not +> exit_group(2)), and sigreturn(2). + +Seccomp can also be configured to support other systemcalls. +The configuration is done via JSON + +```sh +docker run --rm -it --security-opt seccomp=./profile.json $CONTAINER_NAME +``` + +### Apparmor + +Mandatory Acces Control measurement to limit permissions of execution and on resources. +See the status of Apparmor via + +```sh +aa-status +``` + +Create a profile and import it via + +```sh +apparmor_parser -r -W ./profile.json +``` + +Apply the configuration to the container via + +```sh +docker run --rm -it --security-opt apparmor=./profile.json +``` ## References