Docker: Linux namespaces and cgroups, with the kernel release that introduced each
• Mount namespace: Linux 2.4.19 (2002)
• UTS (Unix Timesharing System) namespace: Linux 2.6.19 (2006)
• IPC (inter-process communication) namespace: Linux 2.6.19 (2006)
• Network namespace: Linux 2.6.24 (2008)
• User namespace: Linux 3.8 (2013)
• cgroup: Linux 2.6.29 (2009)
Network namespace
• clone flag: CLONE_NEWNET
• Isolates the network stack: network devices, IP addresses, routes, firewall rules
• Docker networking: bridge, host or overlay networks; each container gets a veth interface allocated on a bridge (172.17.0.1/16)
• Commands:
    ip link add veth0 type veth peer name veth1
    ip link list
Docker
• Docker-bench-security
• The Docker API listens on /var/run/docker.sock. Don't mount the Docker socket into a container; this gives the container full control of the host's Docker daemon:
    docker container run -d -v /var/run/docker.sock:/var/run/docker.sock eu/danger
• Sign container images: Docker Content Trust guarantees the integrity of the publisher and the integrity of the contents of a container image.
    export DOCKER_CONTENT_TRUST=1
Run as a non-root user (in the Dockerfile):
    RUN groupadd -r user && useradd -r -g user user
    USER user
Disable setuid/setgid rights in the Dockerfile:
    # -perm /6000 matches any file with the setuid or setgid bit set
    # (the older "+6000" spelling is rejected by current GNU find, so the
    # command would silently do nothing because of the trailing "|| true")
    RUN find / -perm /6000 -type f -exec chmod a-s {} \; || true
and control how they are handled. These filters can significantly limit a container's access to the Docker host's Linux kernel, especially for simple containers/applications.
    {
      "name": "fchmod",
      "action": "SCMP_ACT_ALLOW",
      "args": []
    },
    {
      "name": "fchmodat",
      "action": "SCMP_ACT_ALLOW",
      "args": []
    },
The default.json profile has the chmod(), fchmod(), and fchmodat() syscalls included in its whitelist.
Supply chain
◉ Sysdig: container troubleshooting and security investigation
◉ CoreOS / Clair: vulnerability static analysis for containers
◉ Aqua / Microscanner: scan your container images for package vulnerabilities
◉ Anchore: detailed analysis of container images; run queries, produce reports and define policies that can be used in CI/CD pipelines
◉ Lynis
◉ Dagda
◉ Tenable
◉ Twistlock