added defensive measurements
This commit is contained in:
parent 4c16a2a545
commit 611827f4b1
@ -262,9 +262,102 @@ curl <host-IP>/shell.php?cmd=id
## Securing a Container
* Least Privileges
* Use Grype or CIS Benchmark for Vulnerability Checks
* Seccomp
* Securing Registry via TLS
```sh
grype $IMAGE_NAME --scope all-layers
grype ./image.tar
```
### Cgroups
Take a look at the cgroups of a container
```sh
docker inspect $CONTAINER_ID
```
Update cgroups of a container via
```sh
docker update --cpus="4" --memory="512m"
```
### Remove Capabilities
The count of capabilities should be minimized on every container.
It should only contain the necessary caps.
```sh
docker run -it --rm --cap-drop=ALL --cap-add=$NECESSARY_CAPS $CONTAINER_NAME
```
Check the capabilities via
```sh
capsh --print
```
### SSH context
Create a profile to use a remote Docker daemon through SSH
```sh
docker context create --docker host=ssh://$USER@$TARGET_IP --description "Attack" attack-host
docker context use attack-host
docker context use default
```
### Enable TLS
Start a Docker daemon using TLS
```sh
dockerd --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=0.0.0.0:2376
```
Connect to a TLS enabled Docker Daemon
```sh
docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=$DOCKER_SERVER:2376 info
```
### Seccomp
> The seccomp() system call operates on the Secure Computing (seccomp)
> state of the calling process.
In strict mode it is described as follows
> The only system calls that the calling thread
> is permitted to make are read(2), write(2), _exit(2) (but not
> exit_group(2)), and sigreturn(2).
Seccomp can also be configured to support other systemcalls.
The configuration is done via JSON
```sh
docker run --rm -it --security-opt seccomp=./profile.json $CONTAINER_NAME
```
### Apparmor
Mandatory Acces Control measurement to limit permissions of execution and on resources.
See the status of Apparmor via
```sh
aa-status
```
Create a profile and import it via
```sh
apparmor_parser -r -W ./profile.json
```
Apply the configuration to the container via
```sh
docker run --rm -it --security-opt apparmor=./profile.json
```
## References
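Review bot: the `docker update --cpus="4" --memory="512m"` line under "### Cgroups" is missing its container argument; `docker update` takes one or more container names or IDs, so as written it fails, and it should read along the lines of `docker update --cpus="4" --memory="512m" $CONTAINER_ID`. The same gap is in the last block under "### Apparmor": `docker run --rm -it --security-opt apparmor=./profile.json` names no image. That line also points `apparmor=` at a file path, but the option takes the name of a profile already loaded into the kernel, and AppArmor profiles are written in AppArmor's own text syntax rather than JSON, so `apparmor_parser -r -W ./profile.json` will not accept a JSON file; suggest a plain-text profile loaded with `apparmor_parser -r -W ./profile` and applied with `--security-opt apparmor=<profile name declared in that file> $CONTAINER_NAME`. Minor: "Mandatory Acces Control" should be "Mandatory Access Control", "systemcalls" should be "system calls", and a context named `attack-host` with the description "Attack" reads oddly under a "Securing a Container" heading; a neutral name, or a sentence explaining why the SSH context belongs in this section, would help the reader.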