Securing Docker The Attack and by Nitin Sharma

Author: Nitin Sharma
Language: eng
Format: mobi, epub
Published: 0101-01-01T00:00:00+00:00


Note: Let us understand what every line here in Docker’s ‘daemon.json’ means and how it is a best practice.

i. "icc": false → ‘icc’ stands for inter-container communication, which this line disables.

ii. "userns-remap": "default" → User namespace remapping allows processes to run as root in a container while being remapped to a less privileged user on the host.

iii. "log-driver": "syslog" → This sets syslog as the logging driver, so that logs can be forwarded to a centralized syslog server.

iv. "disable-legacy-registry": true → This disables an insecure legacy image registry protocol. However, this flag might be deprecated as of now.

v. "live-restore": true → This allows containers to continue running when the Docker daemon is not. This is important because it improves container uptime during updates of the host system and other stability issues.

vi. "userland-proxy": false → This disables the docker-proxy userland process, which by default handles forwarding host ports to containers, and replaces it with iptables rules.

vii. "no-new-privileges": true → This prevents privilege escalation from inside the containers using ‘setuid’ or ‘setgid’ binaries.
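An added example, not from the book or from the Docker Bench Security project: a small Python check that compares a daemon.json against the values listed above and catches mistakes such as curly quotes pasted from an e-book or a boolean written as a string. The function name, status labels and sample file are constructed for illustration.

```python
import json

# Hardened values taken from the list above (key -> expected value).
EXPECTED = {
    "icc": False,
    "userns-remap": "default",
    "log-driver": "syslog",
    "live-restore": True,
    "userland-proxy": False,
    "no-new-privileges": True,
}
# The text notes this flag might be deprecated, so it is reported, not required.
POSSIBLY_DEPRECATED = {"disable-legacy-registry"}

# Constructed sample: one different driver, one string-typed boolean, one missing key.
SAMPLE = """{
  "icc": false,
  "userns-remap": "default",
  "log-driver": "json-file",
  "disable-legacy-registry": true,
  "live-restore": "true",
  "userland-proxy": false
}"""

def audit_daemon_json(text):
    """Return (key, status, detail) findings for the text of a daemon.json file."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [("<file>", "INVALID", f"{exc.msg} (line {exc.lineno})")]
    if not isinstance(cfg, dict):
        return [("<file>", "INVALID", "top level must be a JSON object")]
    findings = []
    for key, want in EXPECTED.items():
        if key not in cfg:
            findings.append((key, "MISSING", f"expected {json.dumps(want)}"))
        elif type(cfg[key]) is not type(want) or cfg[key] != want:
            # Type is compared too, so "true" (string) or 1 is not accepted for true.
            findings.append((key, "DIFFERS", f"got {json.dumps(cfg[key])}"))
        else:
            findings.append((key, "OK", json.dumps(want)))
    for key in sorted(POSSIBLY_DEPRECATED.intersection(cfg)):
        findings.append((key, "REVIEW", "may be deprecated in your Docker version"))
    return findings

if __name__ == "__main__":
    for key, status, detail in audit_daemon_json(SAMPLE):
        print(f"{status:8} {key}: {detail}")
```

To check a real host, pass the contents of your own daemon.json to `audit_daemon_json` instead of `SAMPLE`.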

When you are done adding these lines, restart the Docker service.

$ sudo systemctl restart docker

Everything we have done in Step 5 and Step 6 is part of the checklist from the Docker Bench Security script.

Step 7: Let’s run it and observe if we got a pass against them.

$ sudo ./docker-bench-security.sh


