These checkpoints refer to the CIS Docker 1.13.0 Benchmark v1.0.0.
## Create a user for the container

Create a non-root user for the container in the Dockerfile of the container image. It is good practice to run the container as a non-root user whenever possible.

```dockerfile
# Dockerfile
RUN useradd -d /home/dockle -m -s /bin/bash dockle
USER dockle
```

or, with the BusyBox tools used by Alpine-based images:

```dockerfile
RUN addgroup -S dockle && adduser -S -G dockle dockle
USER dockle
```
## Use trusted base images for containers

Dockle checks Content Trust.
## Do not install unnecessary packages in the container

Not supported.

## Scan and rebuild the images to include security patches

Not supported. Please check with Trivy.
## Enable Content trust for Docker

Content trust is disabled by default. You should enable it.

```sh
$ export DOCKER_CONTENT_TRUST=1
```

- <https://docs.docker.com/engine/security/trust/content_trust/#about-docker-content-trust-dct>

> Docker Content Trust (DCT) provides the ability to use digital signatures for data sent to and received from remote Docker registries.
>
> Engine Signature Verification prevents the following:
>
> - `$ docker container run` of an unsigned image.
> - `$ docker pull` of an unsigned image.
> - `$ docker build` where the FROM image is not signed or is not scratch.
## Add `HEALTHCHECK` instruction to the container image

Add a `HEALTHCHECK` instruction to your container images so that a health check is performed on running containers. Based on the reported health status, the Docker engine could then exit non-working containers and instantiate new ones.

```dockerfile
# Dockerfile
HEALTHCHECK --interval=5m --timeout=3s \
    CMD curl -f http://localhost/ || exit 1
```
## Do not use `update` instructions alone in the Dockerfile

Do not use `update` instructions such as `apt-get update` alone or in a single line in the Dockerfile. Putting the `update` instruction on its own line caches the update layer, so later builds reuse the stale package index instead of refreshing it before installing.

```dockerfile
RUN apt-get update && apt-get install -y package-a
```
## Confirm safety of `setuid` and `setgid` files

Removing `setuid` and `setgid` permissions from files in the image prevents privilege-escalation attacks in the container, since `setuid` and `setgid` permissions can be used to elevate privileges.

```sh
chmod u-s setuid-file
chmod g-s setgid-file
```
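The checkpoint above says which bits to remove but not how to find the files that carry them. The following added example (not Dockle's own code) lists every regular file below a directory with the setuid or setgid bit set and then strips both bits, which is the hygiene step a practitioner applies to an unpacked image filesystem before trusting it. The directory tree it operates on is constructed inline; `find -perm -4000` / `-perm -2000` are standard POSIX `find` tests.

```shell
#!/bin/sh
# Added example, not Dockle's own code: list and strip setuid/setgid bits
# under a directory tree (for instance an unpacked container root filesystem).

# Print every regular file below $1 carrying the setuid (4000) or setgid (2000) bit.
# -xdev keeps find on one filesystem so bind mounts under the tree are not crossed.
list_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Number of such files, as a bare integer.
count_setid_files() {
    list_setid_files "$1" | wc -l | tr -d ' '
}

# Remove both bits from every file found; prints each path it changed.
strip_setid_bits() {
    list_setid_files "$1" | while IFS= read -r f; do
        chmod u-s,g-s "$f" && echo "stripped: $f"
    done
}

# Constructed sample tree: two fake binaries with the bits set, one plain file.
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/usr/bin"
: > "$SAMPLE_ROOT/usr/bin/passwd-like"; chmod 4755 "$SAMPLE_ROOT/usr/bin/passwd-like"
: > "$SAMPLE_ROOT/usr/bin/wall-like";   chmod 2755 "$SAMPLE_ROOT/usr/bin/wall-like"
: > "$SAMPLE_ROOT/usr/bin/plain";       chmod 0755 "$SAMPLE_ROOT/usr/bin/plain"

echo "before: $(count_setid_files "$SAMPLE_ROOT") set*id file(s)"
strip_setid_bits "$SAMPLE_ROOT"
echo "after:  $(count_setid_files "$SAMPLE_ROOT") set*id file(s)"
```

Run it against a real tree by pointing `list_setid_files` at the unpacked image root first and reviewing the list; only the files that genuinely need the bit (usually none in an application image) should survive the strip.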
## Use `COPY` instead of `ADD` in Dockerfile

Use the `COPY` instruction instead of the `ADD` instruction in the Dockerfile. `ADD` introduces risks such as fetching malicious files from URLs without any scanning, and exposure to vulnerabilities in its automatic archive-unpacking step.

```dockerfile
# Dockerfile
ADD test.json /app/test.json
```

↓

```dockerfile
COPY test.json /app/test.json
```
## Do not store secrets in Dockerfiles

Do not store any secrets in Dockerfiles; secrets placed in a Dockerfile are easily exposed and can then be exploited. Dockle checks environment variables and credential files.

## Install verified packages only

Not supported. It's better to use Trivy.
These checkpoints refer to Docker best practices and similar guidance.
## Avoid `sudo` command

- <https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user>

> Avoid installing or using sudo as it has unpredictable TTY and signal-forwarding behavior that can cause problems.
## Avoid sensitive directory mounting

A volume mount creates a weak point; how serious it is depends on which directory is mounted. Currently, Dockle checks the following directories: `/dev`, `/proc`, `/sys`.

Dockle only checks `VOLUME` statements, since it cannot see runtime mounts such as `docker run -v /lib:/lib ...`.
## Avoid `apt-get dist-upgrade`

- <https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#apt-get>

> Avoid `RUN apt-get upgrade` and `dist-upgrade`, as many of the “essential” packages from the parent images cannot upgrade inside an unprivileged container.
## Use `apk add` with `--no-cache`

> As of Alpine Linux 3.3 there exists a new `--no-cache` option for `apk`. It allows users to install packages with an index that is updated and used on-the-fly and not cached locally:
>
> ...
>
> This avoids the need to use `--update` and remove `/var/cache/apk/*` when done installing packages.
## Clear `apt-get` caches

Use `apt-get clean && rm -rf /var/lib/apt/lists/*` after `apt-get install`.

- <https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#apt-get>

> In addition, when you clean up the apt cache by removing `/var/lib/apt/lists` it reduces the image size, since the apt cache is not stored in a layer. Since the `RUN` statement starts with `apt-get update`, the package cache is always refreshed prior to `apt-get install`.
## Avoid `latest` tag

- <https://vsupalov.com/docker-latest-tag/>

> Docker images tagged with `:latest` have caused many people a lot of trouble.
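Most of the checkpoints above (non-root `USER`, `HEALTHCHECK`, `apt-get update` alone, `ADD` vs `COPY`, secrets in `ENV`, `sudo`, sensitive `VOLUME` paths, `dist-upgrade`, `apk add --no-cache`, apt cache cleanup, the `latest` tag) can be caught in the Dockerfile before an image is even built. The following added example is not Dockle's own code (Dockle inspects the built image rather than the Dockerfile): it is a POSIX-shell audit that normalizes a Dockerfile and prints one finding per violated checkpoint. The two sample Dockerfiles are constructed inline, and the regular expressions are deliberately simple heuristics, not a full Dockerfile parser.

```shell
#!/bin/sh
# Added example, not Dockle's own code: a POSIX-shell audit that applies the
# Dockerfile-level checkpoints on this page to a Dockerfile before it is built.
# Dockle inspects the built image instead, and the patterns below are heuristics.

# Drop comment lines, join backslash-continued lines and squeeze whitespace so
# that every instruction sits on exactly one line.
normalize_dockerfile() {
    awk '
        /^[ \t]*#/ { next }
        { gsub(/[ \t]+/, " ") }
        sub(/ ?\\$/, "") { buf = buf $0 " "; next }
        { print buf $0; buf = "" }
    ' "$1"
}

lines() { printf '%s\n' "$NORM"; }        # every normalized instruction
runs()  { lines | grep -E '^ ?RUN '; }    # only the RUN instructions

# Print one finding per line for the Dockerfile given as $1; print nothing if clean.
audit_dockerfile() {
    NORM=$(normalize_dockerfile "$1")

    # Create a user: the last USER wins; absent, "root" or uid 0 means root.
    last_user=$(lines | grep -E '^ ?USER ' | tail -n 1 | awk '{ print $2 }')
    case "${last_user%%:*}" in
        ""|root|0) echo "USER: container runs as root" ;;
    esac

    # Add HEALTHCHECK.
    lines | grep -Eq '^ ?HEALTHCHECK ' || echo "HEALTHCHECK: no HEALTHCHECK instruction"

    # Do not use update alone: a RUN with apt-get update but no install caches a stale index.
    runs | grep 'apt-get update' | grep -vq 'apt-get install' \
        && echo "apt-get update: used alone; chain it with apt-get install in one RUN"

    # Use COPY instead of ADD.
    lines | grep -Eq '^ ?ADD ' && echo "ADD: use COPY instead"

    # Do not store secrets: name-based heuristic on ENV.
    lines | grep -E '^ ?ENV ' | grep -Eiq '(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|ACCESS_KEY)[A-Z0-9_]*[= ]' \
        && echo "ENV: credential-looking variable baked into the image"

    # Avoid sudo.
    runs | grep -Eq '(^|[^[:alnum:]_-])sudo([^[:alnum:]_-]|$)' \
        && echo "sudo: installed or used in a RUN instruction"

    # Avoid sensitive directory mounting: /dev, /proc, /sys declared as VOLUME.
    lines | grep -E '^ ?VOLUME ' | grep -Eq '(^|[^[:alnum:]_./-])/(dev|proc|sys)([^[:alnum:]_.-]|$)' \
        && echo "VOLUME: sensitive directory (/dev, /proc or /sys) declared"

    # Avoid apt-get upgrade / dist-upgrade.
    runs | grep -Eq 'apt-get( -[^ ]+)* (dist-upgrade|upgrade)( |$)' \
        && echo "apt-get upgrade/dist-upgrade: cannot complete in an unprivileged container"

    # Use apk add with --no-cache.
    runs | grep 'apk add' | grep -vq -- '--no-cache' && echo "apk add: run without --no-cache"

    # Clear apt-get caches after apt-get install.
    runs | grep 'apt-get install' | grep -vq '/var/lib/apt/lists' \
        && echo "apt-get install: /var/lib/apt/lists not removed afterwards"

    # Avoid latest tag (an untagged, undigested image resolves to :latest too).
    lines | grep -E '^ ?FROM ' \
        | awk '{ for (i = 2; i <= NF; i++) if ($i !~ /^--/) { print $i; break } }' \
        | grep -v '^scratch$' | grep -Eq '^[^:@]+$|:latest$' \
        && echo "FROM: base image unpinned or tagged :latest"
    return 0
}

# Constructed sample Dockerfiles: one that trips most checks, one that passes.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/Dockerfile.bad" <<'EOF'
FROM ubuntu:latest
RUN apt-get update
RUN apt-get install -y curl sudo
ENV DB_PASSWORD=hunter2
ADD app.tar.gz /app
VOLUME /proc
USER root
EOF
cat > "$SAMPLE_DIR/Dockerfile.good" <<'EOF'
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y --no-install-recommends curl \
    && apt-get clean && rm -rf /var/lib/apt/lists/*
RUN useradd -d /home/app -m -s /bin/bash app
COPY app.json /app/app.json
HEALTHCHECK --interval=5m --timeout=3s CMD curl -f http://localhost/ || exit 1
USER app
EOF

echo "== Dockerfile.bad ==";  audit_dockerfile "$SAMPLE_DIR/Dockerfile.bad"
echo "== Dockerfile.good =="; audit_dockerfile "$SAMPLE_DIR/Dockerfile.good"
```

The bad Dockerfile produces nine findings (everything except the `dist-upgrade` and `apk` checks), the good one none. Because the audit only sees the Dockerfile, it still needs to be paired with an image-level scan such as Dockle for checks that depend on the built filesystem, like `setuid` files or credential files copied in from the build context.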
These checkpoints refer to Linux best practices and similar guidance.
## Avoid empty password

- <https://blog.aquasec.com/cve-2019-5021-alpine-docker-image-vulnerability>

> CVE-2019-5021: Alpine Docker Image "null root password" Vulnerability
## Be unique UID/GROUPs

> Contrary to popular belief, it is not necessary that each entry in the UID field be unique. However, non-unique UIDs can cause security problems, and thus UIDs should be kept unique across the entire organization.
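The two account checks above (an empty password field, as in the CVE-2019-5021 Alpine image, and duplicate UIDs) are both one-line inspections of `/etc/shadow` and `/etc/passwd`. The following added example is not Dockle's own code; it runs those two checks over constructed `shadow` and `passwd` files so they can be tried without touching a real system, and it would be pointed at the image's own `etc/` directory in practice.

```shell
#!/bin/sh
# Added example, not Dockle's own code: the "empty password" and "unique UID"
# checks applied to constructed shadow(5) and passwd(5) files.

# Print accounts whose password field (field 2 of shadow) is empty.
# A locked ("!" or "*") or hashed field is fine; an empty one means the
# account can be entered with no password at all.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print every UID (field 3 of passwd) that is shared by more than one account.
duplicate_uids() {
    awk -F: '{ print $3 }' "$1" | sort -n | uniq -d
}

# Constructed sample files: root has an empty password, uid 0 and uid 1000
# are each used twice, and the hash shown is a placeholder rather than a real one.
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/shadow" <<'EOF'
root::18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
app:$6$saltsalt$placeholderhash:18000:0:99999:7:::
EOF
cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
app:x:1000:1000::/home/app:/bin/sh
backup:x:1000:1000::/home/backup:/bin/sh
toor:x:0:0:root:/root:/bin/sh
EOF

echo "accounts with empty password: $(empty_password_accounts "$SAMPLE/shadow" | tr '\n' ' ')"
echo "duplicate uids: $(duplicate_uids "$SAMPLE/passwd" | tr '\n' ' ')"
```

A second account with UID 0 is the case worth flagging loudest: it is a full root login under another name, which is exactly why the quoted guidance wants UIDs kept unique.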
## Only put necessary files

Check for `.cache`, `.git` and similar directories.