Docker has quickly become one of the most popular platforms for software developers and teams that wish to streamline software development, shipping, and execution. However, most developers don’t secure their containers properly.
According to security analysis by Prevasio, of around 4 million Docker images, more than 2 million had critical vulnerabilities. That’s a damning statistic, and really underscores the importance of security for your Docker containers.
In the following article, we discuss the 14 best practices that you can follow to secure your Docker containers.
Table Of Contents
- Understanding Docker Concepts and Containerization
- What Is Docker Container Security?
- The 14 Best Ways To Secure a Docker Container
- 1. Regularly Update Docker and the Host OS
- 2. Reduce Default Privileges for Docker Containers
- 3. Reduce Your Attack Surface with Lean Containers
- 4. Monitor Container Activity
- 5. Set Volumes and File System Permissions to Read-Only
- 6. Regularly Scan and Verify Each Container Image Before Use
- 7. Tighten Security with Container Registries
- 8. Avoid Exposing the Docker Daemon Socket
- 9. Reduce Resources Available to Containers
- 10. Prevent Direct Access to Core Container Files
- 11. Only Use Base Images That You Trust
- 12. Avoid Upgrading System Packages
- 13. Avoid Using the ADD Command Unless Necessary
- 14. Steer Clear of Curl Bashing
- Frequently Asked Questions
- After Action Report – Secure Your Docker Containers
Understanding Docker Concepts and Containerization
Docker containers are essentially software units that isolate each instance of an application and all dependencies to allow the application to run faster and without any hiccups. Container images are simply standalone executables that package everything needed to run an application.
All software in Docker containers runs exactly the same, regardless of changes in infrastructure. The reason why software developers prefer Docker containers is because they help isolate software from the environment, and ensures uniform performance even if differences exist, such as between the development or staging environments.
While you may be tempted to compare Docker containers with VMs (virtual machines), there’s an important difference: the former simply virtualize the operating system, and pay no attention to the hardware. As a result, they’re more efficient and portable.
What Is Docker Container Security?
Since containerized environments are considerably more complex than traditional development environments, securing them is critically important. It is typical that in every production environment, a significant number of Docker containers are deployed.
More importantly, it’s imperative that security experts reevaluate their approach, as containerized environments often have more moving parts (such as resource quotas, container registries, firewall rules, etc.) that need to be secured than a conventional deployment environment.
Docker container security simply refers to the use of different practices and the implementation of effective security controls to protect the components within a Docker container, including the code, any system tools, libraries, or custom settings.
The 14 Best Ways To Secure a Docker Container
Container security should be taken seriously, as vulnerabilities could cause significant delays and lead to cost overruns throughout the development process. More importantly, traditional security methods are not always viable when securing Docker containers, as containerized environments aren’t as visible as traditional development environments.
Here are 14 best practices we highly recommend you follow to secure Docker containers.
1. Regularly Update Docker and the Host OS
Security breaches in obsolete versions of Docker often pose the biggest risk for developers. Updating your Docker version regularly is very important, as these updates often include bug fixes, and patches to improve performance and fix vulnerabilities.
But, that’s not all. You also need to update the host operating system. Should an attacker exploit a vulnerability within the host operating system, your container safeguards won’t be of much use.
That’s because containers generally run on top of the kernel as it’s more efficient. Make sure you update the base system as well as keeping Docker up to date. You can also subscribe to security updates or news, so you’re always in the know when a new security patch is released.
2. Reduce Default Privileges for Docker Containers
One of the many security threats that you need to be wary of is a “container breakout.” This occurs when the Docker container fails to abide by isolation checks and ends up accessing privileged information from the host.
The best way to mitigate the chances of this happening is to limit the default privileges granted to your containers. For instance, the daemon generally has root access, but you can always change that, or create another namespace with specific privileges.
You can drop any access control capabilities that you feel are not required by the application. Ideally, it’s best to revoke access to CAP_SYS_ADMIN, since it grants access to a range of root-level permissions that can be exploited by malicious actors.
And, more importantly, be very careful when running a sensitive container that requires root-level access. You can verify the Container image authenticity first before you run it.
3. Reduce Your Attack Surface with Lean Containers
By default, Docker containers are generally quite lightweight. However, in some cases, developers tend to treat them like servers. When you start adding files constantly to the containers, or stop updating them on a regular basis, you’re essentially increasing your attack surface.
A good practice is to try to reduce the number of components within each container as much as you can. Aim to keep the containers as lightweight as possible, so the attack surface is relatively narrow.
And, in case a vulnerability is detected in any Docker image, you should resolve the problem as quickly as possible and deploy a new container, instead of leaving it for later.
4. Monitor Container Activity
Since there are often multiple instances running in each Docker container image, it’s important that you take a viable approach to monitoring container activity. The dynamic nature of Docker containers often makes this difficult.
New versions and images are often launched at breakneck speeds, making tracking complicated. Another downside to this fast-paced approach is that should an issue arise, it can spread relatively quickly across different applications and containers.
That’s one of the main reasons why tracking container activity is crucial. It’s also essential to create internal controls that help you identify images that may contain vulnerabilities or faults. This way, administrators can quickly fix the issue and deploy new containers instead.
Ideally, you’d want to monitor activity across master nodes, workloads, and container engines. Third-party tools like Calico are an excellent choice for tracking container activity.
5. Set Volumes and File System Permissions to Read-Only
Instead of giving write access to containers, it might be a wise idea to run containers with a read-only file system. This can prevent malware from causing harm, such as propagating across the network or modifying the internal configuration of your network.
To set Docker containers to read-only, run the code below:
docker run -read-only alpine sh -c 'echo "running as read only" > /tmp'
6. Regularly Scan and Verify Each Container Image Before Use
Before you start using container images, it’s imperative that you scan and verify each image to detect vulnerabilities. This is all the more important if you’ve pulled an image from a public repository.
Should a vulnerability exist in a single component of your image, it’s going to propagate to all other containers that are created using that image. The vulnerability in the base image will likely spread to all other images, which could lead to harmful consequences.
Scanning container images is an excellent practice that can help you identify security issues and vulnerabilities. Unsafe images should never be added to the container registry that production systems can tap.
Most tools that focus on container scanning rely on the CVE (Common Vulnerability and Exposure) database, and test images to identify any CVEs. Regular scanning is a great way to ensure that threat levels remain low.
7. Tighten Security with Container Registries
Container registries are commonly used by development teams as they allow them to quickly download container images with a single click. This is great when they have to work with multiple images. You can also configure registry access management permissions.
While it saves a lot of time, it leads to an elevated security risk. How can you be confident about whether the image you’re pulling is trustworthy and free from malware or other vulnerabilities?
To prevent any issues, it’s best if you use a private registry that’s protected by your own firewall. Also, implement RBAC (Role Based Access Control) so that only authorized users are able to access and download images from the registry.
8. Avoid Exposing the Docker Daemon Socket
The Docker daemon socket is a Unix network socket that is used by the Docker API to allow for seamless communication. The root user has ownership of the Docker daemon socket, but if someone else is given access to the daemon socket, they’ll also have root-level permissions.
To avoid such an issue, it’s best that you avoid making the daemon socket available for remote connectivity. If you absolutely have to, always make sure that you use the encrypted HTTPS socket that Docker has.
9. Reduce Resources Available to Containers
If an attacker gains access to a container, they may try to use the host resources to perform malicious operations. A simple way to protect against this problem is to reduce CPU usage limits and Docker memory consumption so that breaches don’t lead to serious harm.
By default, Docker containers are given full access to all the underlying CPU and RAM resources available on the host. You can, however, set quotas so that each container only has a specific number of resources available to them. This ensures that other services running on the host aren’t affected.
10. Prevent Direct Access to Core Container Files
Because containers are regularly upgraded and bug fixes are implemented, files are often exposed every time they’re accessed by a user. Ideally, you don’t want to maintain container logs within the container itself.
If you keep the logs outside, it prevents users from accessing the container files directly. This means that team members can troubleshoot problems, if any arise, without directly accessing the container directory.
11. Only Use Base Images That You Trust
Supply chain attacks pose a serious risk, so it’s important that you avoid using base images that you can’t trust. Untrusted base images pose a serious issue, so it’s important that you avoid using them.
Thankfully, you can find a host of Docker Official Images for most operating systems. Ideally, you will want to avoid using unofficial and untrusted base images as much as possible.
12. Avoid Upgrading System Packages
There’s always a risk that things might go sideways when you upgrade your system packages since you’ll end up upgrading the latest version of all your software dependencies.
It’s best to pin them so you can cut down on the unpredictability as much as possible.
13. Avoid Using the ADD Command Unless Necessary
The ADD can be used when you want to copy files into a Docker image. However, you can also point it to a remote URL to allow it to fetch content when you’re building an image.
Ideally, you’d want to get the content first and inspect it carefully before you copy it instead of copying data remotely.
14. Steer Clear of Curl Bashing
Curl is a popular command line tool that’s used to copy content to and from a server. As you can imagine, it carries a significant amount of risk, especially if you aren’t copying data from a trusted source, or can’t authenticate the content that you’ve downloaded.
Frequently Asked Questions
Is Docker a Security Risk?
Docker doesn’t have to be a security risk as long as you update the platform and the host operating system and make sure you take proper steps to secure your containers.
Does Docker Help Security?
If used correctly, Docker can significantly improve security performance, especially since containerization greatly improves security when running isolated applications.
Can Docker Images Be Encrypted?
Yes, Docker images can be encrypted using containers or other tools. However, encrypting Docker images is not a straightforward process; it requires considerable expertise.
Can You Password Protect a Docker Container?
Since Docker containers don’t generally have conventional users, and you can’t log into a container, there’s no way to set passwords. Users simply run a command instead of accessing a container the conventional way.
What Is Docker Bench Security?
The Docker Bench for Security is simply a script that inspects for different best practices that focus on deploying Docker containers that are currently in production. All of the inspections are fully automated.
After Action Report – Secure Your Docker Containers
It’s very important for organizations to take security seriously, especially within a cloud-native development framework.
From taking simple steps such as enforcing encrypted communication, and using TLS Certificates to restricting container capabilities, it’s important that you review security practices regularly.
Always factor in vulnerabilities and discuss with your security experts how to mitigate the risk as much as possible. By creating a security policy that focuses mainly on container integrity and the infrastructure, organizations can reduce their threat levels by a significant margin.