|
| 1 | +--- |
| 2 | + |
| 3 | +title: Container security |
| 4 | +layout: col-document |
| 5 | +tags: OWASP Developer Guide |
| 6 | +contributors: Shruti Kulkarni |
| 7 | +document: OWASP Developer Guide |
| 8 | +order: 741 |
| 9 | +permalink: /draft/appendices/implementation_dos_donts/container_security/ |
| 10 | + |
| 11 | +--- |
| 12 | + |
| 13 | +{% include breadcrumb.html %} |
| 14 | + |
| 15 | +### 12.1.1 Container security |
| 16 | + |
| 17 | +This is a collection of Do's and Don'ts when it comes to container security, gathered from practical experiences. |
| 18 | +Some of these are language specific and others have more general applicability. |
| 19 | + |
| 20 | +Container image security, host security, client security, daemon security, runtime security: |
| 21 | + |
| 22 | +* Choose the right base image |
| 23 | +* Include only the required packages in the image |
| 24 | +* If using Docker images, use multi-stage builds |
| 25 | +* Use layer caching and multi stage builds to: |
| 26 | + * Separate build-time dependencies from runtime dependencies |
| 27 | + * Remove special permissions from images |
| 28 | + * `find / -perm /6000 -type f -exec ls -ld {} \;` |
| 29 | + * RUN `find / -xdev -perm /6000 -type f -exec chmod a-s {} \; || true` |
| 30 | +* Reduce overall image size by shipping only what your app needs to run, |
| 31 | + see the [Docker documentation][docker] for more information |
| 32 | +* Remove unused images with prune: `docker image prune [OPTIONS]` |
| 33 | +* Do not embed any secrets, passwords, keys, credentials, etc in images |
| 34 | +* Use a read-only file system |
| 35 | +* Sign images with cryptographic keys and not with username/password combination |
| 36 | +* Secure your code and its dependencies |
| 37 | +* Test your images for vulnerabilities |
| 38 | +* Monitor container runtimes |
| 39 | +* Docker Content Trust (DCT) is enabled on Docker clients |
| 40 | +* Check freshness security of images with the provided timestamp key that is associated with the registry. |
| 41 | +* Create the timestamp key by Docker and store on the server |
| 42 | +* Use tagging keys associated with a registry. |
| 43 | + Such that a poisoned image from a different registry cannot be pushed into a registry. |
| 44 | +* Use offline keys to sign the tagging keys. |
| 45 | +* Offline keys are owned by the organisation and secured in an out-of-band location. |
| 46 | +* Scan images frequently for any vulnerabilities. Rebuilt all images to include patches |
| 47 | + and instantiate new containers from them |
| 48 | +* Remove `setuid` and `setgid` permissions from the images. |
| 49 | +* Where applicable, use 'copy' instruction in place of 'add' instruction. |
| 50 | +* Verify authenticity of packages before installing them into images |
| 51 | +* Use namespaces and control groups for containers |
| 52 | +* Use bridge interfaces for the host |
| 53 | +* Authenticity of packages is verified before installing them into images |
| 54 | +* Mount files on a separate partition to address any situation where the mount becomes full, |
| 55 | + but the host still remains usable |
| 56 | +* Mark registries as private and only use signed images. |
| 57 | +* Pass commands through the authorization plugin to ensure that only authorised client connects to the daemon |
| 58 | +* TLS authentication is configured to restrict access to the Docker daemon |
| 59 | +* Namespaces are enabled to ensure that |
| 60 | +* Leave control groups (cgroups) at default setting to ensure that tampering does not take place |
| 61 | + with excessive resource consumption. |
| 62 | +* Do not enable experimental features for Docker |
| 63 | +* set docker.service file ownership to root:root. |
| 64 | +* Set docker.service file permissions to either 644 or to a more restrictive value. |
| 65 | +* Set docker.socket file ownership and group ownership to root. |
| 66 | +* Set file permissions on the docker.socket file to 644 or more restrictively |
| 67 | +* Set /etc/docker directory ownership and group ownership to root |
| 68 | +* Set /etc/docker directory permissions to 755 or more restrictively |
| 69 | +* Set ownership of registry certificate files (usually found under `/etc/docker/certs.d/<registry-name>` directory) |
| 70 | + to individual ownership and is group owned by root. |
| 71 | +* Set registry certificate files (usually found under `/etc/docker/certs.d/<registry-name>` directory) |
| 72 | + permissions to 444 or more restrictively. |
| 73 | +* Acquire and ship daemon logs to SIEM for monitoring |
| 74 | +* Inter-container network connections are restricted and enabled on a requirement basis. |
| 75 | + By default containers cannot capture packets that have other containers as destination |
| 76 | +* Where hairpin NAT is enabled, userland proxy is disabled |
| 77 | +* Docker daemon is run as a non-root user to mitigate lateral privilege escalation |
| 78 | + due to any possible compromise of vulnerabilities. |
| 79 | +* `No_new_priv` is set (but not to false) to ensure that containers cannot gain additional privileges |
| 80 | + via `suid` or `sgid` |
| 81 | +* Default SECCOMP profile is applied for access control. |
| 82 | +* TLS CA certificate file on the image host (the file that is passed along with the `--tlscacert` parameter) |
| 83 | + is individually owned and group owned by root |
| 84 | +* TLS CA certificate file on the image host (the file that is passed along with the `--tlscacert` parameter) |
| 85 | + has permissions of 444 or is set more restrictively |
| 86 | +* Containers should run as a non-root user. |
| 87 | +* Containers should have as small a footprint as possible, and should not contain unnecessary software packages |
| 88 | + which could increase their attack surface |
| 89 | +* Docker default bridge 'docker0' is not used to avoid ARP spoofing and MAC flooding attacks |
| 90 | +* Either Dockers AppArmor policy is enabled or the Docker hosts AppArmor is enabled. |
| 91 | +* SELinux policy is enabled on the Docker host. |
| 92 | +* Linux kernel capabilities are restricted within containers |
| 93 | +* privileged containers are not used |
| 94 | +* sensitive host system directories are not mounted on containers |
| 95 | +* `sshd` is not run within containers |
| 96 | +* privileged ports are not mapped within containers (TCP/IP port numbers below 1024 are considered privileged ports) |
| 97 | +* only needed ports are open on the container. |
| 98 | +* the hosts network namespace is not shared. |
| 99 | +* containers root filesystem is mounted as read only |
| 100 | +* Do not use docker exec with the `--privileged` option. |
| 101 | +* docker exec commands are not used with the user=root option |
| 102 | +* cgroup usage is confirmed |
| 103 | +* The `no_new_priv` option prevents LSMs like SELinux from allowing processes to acquire new privileges |
| 104 | +* Docker socket is not mounted inside any containers to prevent processes running within the container |
| 105 | + to execute Docker commands which would effectively allow for full control of the host. |
| 106 | +* incoming container traffic is bound to a specific host interface |
| 107 | +* hosts process namespace is not shared to ensure that processes are separated |
| 108 | +* hosts IPC namespace is not shared to ensure that inter-process communications does not take place |
| 109 | +* host devices are not directly exposed to containers |
| 110 | +* hosts user namespaces are not shared to ensure isolation of containers |
| 111 | +* CPU priority is set appropriately on containers |
| 112 | +* memory usage for containers is limited. |
| 113 | +* 'on-failure' container restart policy is set to '5' |
| 114 | +* default `ulimit` is overwritten at runtime if needed |
| 115 | +* container health is checked at runtime |
| 116 | +* PIDs cgroup limit is used (limit is set as applicable) |
| 117 | +* The Docker host is hardened to ensure that only Docker services are run on the host |
| 118 | +* Secure configurations are applied to ensure that the containers do not gain access to the host via the Docker daemon |
| 119 | +* Docker is updated with the latest patches such that vulnerabilities are not compromised |
| 120 | +* The underlying host is managed to ensure that vulnerabilities are identified and mitigated with patches |
| 121 | +* Docker server certificate file (the file that is passed along with the `--tlscert` parameter) |
| 122 | + is individual owned and group owned by root. |
| 123 | +* Docker server certificate file (the file that is passed along with the `--tlscert` parameter) |
| 124 | + has permissions of 444 or more restrictive permissions. |
| 125 | +* Docker server certificate key file (the file that is passed along with the `--tlskey` parameter) |
| 126 | + is individually owned and group owned by root. |
| 127 | +* Docker server certificate key file (the file that is passed along with the `--tlskey` parameter) has permissions of 400 |
| 128 | +* Docker socket file is owned by root and group owned by docker. |
| 129 | +* Docker socket file has permissions of 660 or are configured more restrictively |
| 130 | +* ensure `daemon.json` file individual ownership and group ownership is correctly set to root, if it is in use |
| 131 | +* if `daemon.json` file is present its file permissions are correctly set to 644 or more restrictively |
| 132 | + |
| 133 | +---- |
| 134 | + |
| 135 | +The OWASP Developer Guide is a community effort; if there is something that needs changing |
| 136 | +then [submit an issue][issue140101] or [edit on GitHub][edit140101]. |
| 137 | + |
| 138 | +[docker]: https://docs.docker.com/get-started/09_image_best/ |
| 139 | +[edit140101]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/14-appendices/01-implementation-dos-donts/01-container-security.md |
| 140 | +[issue140101]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=enhancement&template=request.md&title=Update:%20/14-appendices/01-implementation-dos-donts/01-container-security |
| 141 | + |
| 142 | +\newpage |
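Review bot: The bullet on line 59, "Namespaces are enabled to ensure that", stops mid-sentence and never states what is ensured; complete it or merge it into line 51 ("Use namespaces and control groups for containers"). Line 53 repeats line 50 (package authenticity) in the passive voice and can be dropped, and line 46 should read "Rebuild" rather than "Rebuilt". The option is spelled `No_new_priv` on line 79 and `no_new_priv` on line 103, while the Docker setting is `no-new-privileges`; use that spelling in both places and replace "is set (but not to false)" with a plain statement that it is enabled. On line 29 the `RUN` keyword sits outside the code span, so the Dockerfile instruction and the shell command on line 28 read as different kinds of thing; put `RUN` inside the backticks. The heading on line 15 is numbered 12.1.1 while the edit and issue links on lines 139-140 point at `14-appendices/01-implementation-dos-donts`, so check the section number against the target location. The list also switches between imperative bullets ("Use a read-only file system") and state descriptions ("privileged containers are not used"); pick the imperative form throughout, since the page is titled as Do's and Don'ts.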