Overview
When a recommendation system project was deployed to Alibaba Cloud, the Standard Docker Security Baseline Check reported several security findings. Almost all of them are Docker service configuration problems; they are recorded here for reference.
Problems
The following five findings needed to be fixed:
| Check item | Check type |
|---|---|
| Restrict inter-container network communication | Service configuration |
| Limit container memory usage | Service configuration |
| Enable Docker Content Trust | Service configuration |
| Mount the container root filesystem read-only | Service configuration |
| Audit Docker files and directories | Security audit |
Solutions
1. Restrict inter-container network communication
- Description:
By default, all network traffic is allowed between containers on the same host. If not desired, restrict all the inter container communication. Link specific containers together that require inter communication. By default, unrestricted network traffic is enabled between all containers on the same host. Thus, each container has the potential of reading all packets across the container network on the same host. This might lead to unintended and unwanted disclosure of information to other containers. Hence, restrict the inter container communication.
- Recommendation:
Run the docker in daemon mode and pass '--icc=false' as argument. For example:
```
/usr/bin/dockerd --icc=false
```
If you use systemctl to manage the docker service, you need to edit `/usr/lib/systemd/system/docker.service` and add the `--icc=false` option to the `ExecStart` parameter in that file, then restart dockerd:
```
systemctl daemon-reload
systemctl restart docker
```
2. Limit container memory usage
- Description:
By default, all containers on a Docker host share the resources equally. By using the resource management capabilities of Docker host, such as memory limit, you can control the amount of memory that a container may consume.
By default, a container can use all of the memory on the host. You can use the memory limit mechanism to prevent a denial of service arising from one container consuming all of the host's resources such that other containers on the same host cannot perform their intended functions. Having no limit on memory can lead to issues where one container can easily make the whole system unstable and as a result unusable.
- Recommendation:
Run the container with only as much memory as required. Always run the container using the '--memory' argument. You should start the container as below:
```
docker run --interactive --tty --memory 256m <Container Image Name or ID>
```
3. Enable Docker Content Trust
- Description:
Content trust is disabled by default. You should enable it.
Content trust provides the ability to use digital signatures for data sent to and received from remote Docker registries. These signatures allow client-side verification of the integrity and publisher of specific image tags. This ensures provenance of container images.
- Recommendation:
To enable content trust in a bash shell, enter the following command:
```
export DOCKER_CONTENT_TRUST=1
```
Alternatively, set this environment variable in your profile file so that content trust is enabled on every login.
Content trust is currently only available for users of the public Docker Hub. It is currently not available for the Docker Trusted Registry or for private registries.
4. Mount the container root filesystem read-only
- Description:
The container's root file system should be treated as a 'golden image' and any writes to the root filesystem should be avoided. You should explicitly define a container volume for writing. You should not be writing data within containers. The data volume belonging to a container should be explicitly defined and administered. This is useful in many cases where the admin controls where they would want developers to write files and errors.
- Recommendation:
```
docker run --interactive --tty --read-only --volume <writable-volume> <Container Image Name or ID> <Command>
```
If the container is managed by Kubernetes or other container orchestration software, configure it according to the corresponding security policy or ignore this item.
5. Audit Docker files and directories
- Description:
Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with 'root' privileges. Its behavior depends on some key files and directories. /var/lib/docker is one such directory. It holds all the information about containers. It must be audited, as must /etc/docker, docker.service, docker.socket, /usr/bin/docker-containerd, /usr/bin/docker-runc, etc.
- Recommendation:
Add the lines below to the /etc/audit/audit.rules and /etc/audit/rules.d/audit.rules files:
```
-w /usr/bin/docker -k docker
-w /var/lib/docker -k docker
-w /etc/docker -k docker
-w /usr/lib/systemd/system/docker.service -k docker
-w /usr/lib/systemd/system/docker.socket -k docker
-w /usr/bin/docker-containerd -k docker
-w /usr/bin/docker-runc -k docker
```
Then, restart the audit daemon. For example:
```
service auditd restart
```
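As an added example (not part of the original post or of the baseline check tool), a small Python script that re-checks all five items above on a host: it reads `docker inspect` output for the memory limit and read-only rootfs, the `ExecStart` line of docker.service for `--icc=false`, the environment for `DOCKER_CONTENT_TRUST`, and the audit rules for the seven watch paths. The container names and values below are constructed samples so the script runs offline.

```python
"""Re-check the five Docker baseline items against constructed inputs."""
import json
import re

# Constructed sample: the relevant part of `docker inspect` for two containers.
SAMPLE_INSPECT = json.loads("""[
  {"Name": "/recsys-api", "HostConfig": {"Memory": 268435456, "ReadonlyRootfs": true,
   "Binds": ["/data/recsys:/app/data"]}},
  {"Name": "/recsys-worker", "HostConfig": {"Memory": 0, "ReadonlyRootfs": false,
   "Binds": null}}
]""")
# Constructed sample ExecStart line from /usr/lib/systemd/system/docker.service
SAMPLE_EXECSTART = "ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock"
# Constructed sample /etc/audit/audit.rules content (only two of the seven watches present)
SAMPLE_AUDIT_RULES = "-w /usr/bin/docker -k docker\n-w /var/lib/docker -k docker\n"

# Paths the baseline expects an auditd watch rule for (item 5)
AUDIT_PATHS = ["/usr/bin/docker", "/var/lib/docker", "/etc/docker",
               "/usr/lib/systemd/system/docker.service",
               "/usr/lib/systemd/system/docker.socket",
               "/usr/bin/docker-containerd", "/usr/bin/docker-runc"]

def check_containers(inspect_data):
    """Items 2 and 4: every container needs a memory limit and a read-only rootfs."""
    findings = []
    for c in inspect_data:
        hc = c["HostConfig"]
        name = c["Name"].lstrip("/")
        if not hc.get("Memory"):  # 0 means unlimited, i.e. no --memory given
            findings.append(f"{name}: no --memory limit")
        if not hc.get("ReadonlyRootfs"):
            findings.append(f"{name}: root filesystem is writable (no --read-only)")
    return findings

def check_daemon(execstart_line, audit_rules, env):
    """Items 1, 3 and 5: --icc=false on dockerd, content trust in env, audit watches."""
    findings = []
    if not re.search(r"\s--icc=false(\s|$)", execstart_line):
        findings.append("dockerd: inter-container communication not disabled (--icc=false)")
    if env.get("DOCKER_CONTENT_TRUST") != "1":
        findings.append("DOCKER_CONTENT_TRUST is not set to 1")
    watched = {m.group(1) for m in re.finditer(r"^-w\s+(\S+)", audit_rules, re.M)}
    for path in AUDIT_PATHS:
        if path not in watched:
            findings.append(f"auditd: no watch rule for {path}")
    return findings

if __name__ == "__main__":
    for f in check_containers(SAMPLE_INSPECT) + check_daemon(SAMPLE_EXECSTART, SAMPLE_AUDIT_RULES, {}):
        print("FAIL", f)
```

On a real host, feed `docker inspect $(docker ps -q)`, the `ExecStart=` line of docker.service, the contents of /etc/audit/audit.rules and `os.environ` into the two functions instead of the constructed samples.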