Docker is a software platform that makes it easier to create, deploy, and run applications. It was built so environments would be easy to replicate, giving teams a quick and easy way of deploying programs and updates.
A software framework for building, running, and managing containers on servers of the cloud and a subset of the Moby project, the term “docker” may refer to either the tools (the commands and a daemon) or to the Dockerfile file format.
Unlike traditional infrastructure, where applications were hosted on bare-metal servers or virtual machines, Docker involves the use of containers, which breaks a lot of prior assumptions about visibility. As a result, many companies run into problems as they migrate to Docker and scale their container usage. Without proper configuration and regular maintenance, you can end up with disorganized servers and containers, as well as many blind spots, making for a vulnerable environment.
In this article, we’ll discuss Docker security best practices, giving you the checklist you need to optimize your container environment.
Unfortunately, most companies don't have a well-defined strategy to manage their migration to a Docker container-based system. Typically, companies first introduce containers for specific development projects or applications and use ad hoc methods for Docker security scanning. As they add more containers, the dynamics of their security infrastructure change, and things can quickly get out of control.
Here is a Docker security checklist to keep you on track:
Docker images are files, consisting of multiple layers, which developers use to execute code in Docker containers. Your security team can download pre-configured images with Docker, and start using them right away. (Tweet this!)
However, it's important only to use container images from trusted vendors because there are a lot of poorly-configured containers online; also, some people publish containers with malware included.
To avoid disreputable vendors, enable the Docker Content Trust (DCT) within the Docker platform. It allows you to check the digital signatures of the containers that you receive so you can verify they are properly signed by the genuine publisher.
Containers are supposed to be lightweight and ephemeral. If you're using containers like a server, continually adding files to them and only updating every few weeks or months, then you aren't getting the full benefit. This approach could actually weaken your security posture because you are building a larger attack surface that is not regularly maintained.
Minimize the number of things secured in each container to keep your containers thin, which, in turn, will reduce your attack surface. Also, when you identify vulnerabilities in standard images, resolve the issue, then deploy new, clean containers.
Some cloud vendors provide shared container infrastructures for multiple customers. However, this setup demands a high level of security maturity and monitoring, which is not usually possible for the average business.
In your enterprise, it’s wise to avoid mixing containers with different security requirements on the same host. For example, if you have containers that are exposed to the internet, don’t run them on the same host as your most critical financial application. Instead, assume that the level of isolation of containers on a host is never perfect, and with that in mind, always separate loads on different hosts.
Docker Bench Security is an auditing tool that will analyze your configuration settings and let you know if you have made any errors.
Before using it, you should harden your Docker servers in accordance with the CIS hardening benchmarks. After doing that, you can use Docker Bench Security to confirm your server settings are properly set up, as it runs its checks based on the CIS benchmarks.
If you have a Linux configuration, you can use a security platform like Uptycs to perform file integrity monitoring, scanning the Docker configuration files to be sure they don't get modified.
Maintain an inventory of your containers so you know what processes are running in which containers and what is running on the host.
Also, avoid running containers as a highly-privileged account, such as root. If you run workloads in containers in these types of accounts, it can expose your host to threats. If the container is compromised, the entire host will be in trouble.
Using Uptycs, you can track the inventory of images with tables like Docker images and Docker containers, which will tell you the containers running on each host. You can also confirm that all your containers are running non-privileged, with security profiles properly configured. These checks are possible using open-source osquery, but with Uptycs you have a centralized environment to track and manage your container configurations.
Another way of reducing your attack surface is to use the smallest possible Linux distribution to get started. You want to be confident that if one container gets hacked, the attacker can't bring down the entire host—and all other containers on the machine.
If your server will run containers only, it doesn't need many other services. So you might consider using distributions explicitly made for this purpose, like CoreOS, and leveraging Linux security features like SELinux.
Ultimately, by making the host as resistant as possible, it’s less likely that a compromised container will instantly result in a compromised host.
All the containers on a host share a single Linux kernel. If a kernel vulnerability exists, the host could be in trouble. You can use seccomp (secure computing mode) filters to limit the attack surface of the shared Linux kernel, as these filters enable you to choose which system calls a container is allowed to make to the kernel.
For example, let’s say you have 50 containers on a server. You know they will never need to play sound, so you can use seccomp to filter out all the system calls that relate to using audio. If the audio subsystem has a security bug, attackers won’t be able to exploit it from your containers because the audio syscalls have been blocked.
In essence, seccomp is like a firewall for system calls. Start with the default profile, and then you can create more restrictive filters once you have gained some experience.
Due to the ephemeral nature and need for constant updates, containers can be exposed every time your team needs to work on them. You can combat this problem by designing a secure way to maintain your containers.
Limit SSH access as much as possible by making logs available outside of the container. That way, administrators can troubleshoot your Docker registry security platform without logging in, so they can deploy a new, fixed container, and get rid of a broken one, without connecting to it at all.
Uptycs is an osquery-powered security analytics platform that you can use to monitor container processes. It provides a high level of Docker telemetry that allows you to keep track of what’s going on as easily as if your container processes were running directly on a Linux server.
By installing osquery on the host, you can see the processes and network connections being established in any given container. Uptycs helps you manage your attack surface, by allowing you to monitor IPs, ports, mounts, processes and much more. Uptycs also records the container activity data. So, if something happened on a container that has since been removed from the server, you can query historical data to see the state of the container at that time.
With trusted images, well-configured containers, and good visibility through Uptycs, it's possible to use containers to improve the security of your environment. You can take advantage of easy deployment, segment workloads, and more easily address vulnerabilities. Ultimately, this well-thought-out approach paves the way to secure, standardized systems that your enterprise can scale.