Worried about container security? This list features 27 container security tools

In the early days of Docker container technology, security concerns were a major barrier to adopting Docker in production for many enterprises. Over the past year, however, many open source projects, startups, cloud providers, and Docker itself have begun to build new solutions for hardening Docker environments, and container security concerns and challenges are gradually being addressed. Today, container security tools cover every stage of a container's lifecycle.

Docker's security tools can be divided into the following categories:

● **Kernel security tools**: These tools originated in the Linux open source community and have been adopted by container systems such as Docker as the basic, kernel-level security controls.

● **Image scanning tools**: Docker Hub is the most popular container image repository, but there are many others to choose from. Most image repositories now offer a way to scan container images for known vulnerabilities.

● **Orchestration security tools**: Kubernetes and Docker Swarm are the two most commonly used orchestration tools, and their security features have been enhanced over the past year.

● **Network security tools**: In container-driven distributed systems, the network matters more than ever. Policy-based network security is gaining prominence over perimeter-based firewalls.

● **Security benchmarking tools**: The Center for Internet Security (CIS) publishes guidelines for container security, which have been adopted by Docker Bench and similar security benchmarking tools.

● **Security of CaaS platforms**: AWS ECS, GKE, and other CaaS platforms typically build their security capabilities on top of their parent company's IaaS platform, then add container-specific features or borrow security features from Docker and Kubernetes.

● **Container-specific security tools**: These are the best choice for container security. Among them, machine learning takes center stage, because it lets such tools build intelligent solutions for container security.

Below is a checklist of the available Docker security tools, organized according to the Docker Stack Tools Security section.

Kernel Security Tools

■ Namespaces This tool isolates adjacent processes and limits what a container can see, thus preventing an attack from spreading.

■ cgroups This tool limits the resources a container may use, preventing a compromised container from consuming all of the host's resources.

■ SELinux This tool provides access control to the kernel. It enforces mandatory access control (MAC), which governs how containers access the kernel according to policy.

■ AppArmor This tool enforces process access control; it can be set to enforce policies or to report only when policies are violated.

■ Seccomp This tool allows a process to interact with the kernel in a "safe" state in which only a limited set of system calls may be made. If the process attempts a call outside that set, it is terminated.

Image Scanning Tools

■ Docker Hub Security Scanning This tool scans images downloaded from Docker Hub against the Common Vulnerabilities and Exposures (CVE) database.

■ Docker Content Trust This tool verifies images downloaded from third-party repositories against their publisher, who can be an individual or an organization.

■ Quay Security Scanner This tool is powered by CoreOS Clair. It is Quay's version of Docker security scanning and scans container images for vulnerabilities.

■ AWS ECR As part of AWS ECS, ECR encrypts images at rest in S3 and transfers them over HTTPS. It uses AWS IAM to control access to image repositories.

Orchestration Security Tools

■ Docker Swarm Secret Management This tool provides a secure way to store passwords, tokens, and other confidential data in Docker Swarm.

■ Kubernetes Security Context This tool secures containers and pods in Kubernetes clusters, providing access control and integration with Linux kernel security modules such as SELinux and AppArmor.
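As an added example, not part of the original article: a Pod manifest that uses the Kubernetes security context fields described above to wire in the kernel mechanisms from the Kernel Security Tools section (seccomp, SELinux, AppArmor, capabilities, and cgroup resource limits). The pod name, image reference, and SELinux level are constructed placeholders.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: hardened-example                  # constructed example name
  annotations:
    # AppArmor: confine the container named "app" with the runtime's default profile
    container.apparmor.security.beta.kubernetes.io/app: runtime/default
spec:
  securityContext:                        # pod-level settings, inherited by every container
    runAsNonRoot: true                    # reject images whose entrypoint runs as UID 0
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault                # seccomp: the runtime's default system-call allowlist
    seLinuxOptions:
      level: "s0:c123,c456"               # SELinux MCS label (placeholder) separating this pod's processes
  containers:
  - name: app
    image: registry.example.com/app:1.0   # placeholder image reference
    securityContext:
      privileged: false
      allowPrivilegeEscalation: false     # sets no_new_privs; setuid binaries cannot gain privileges
      readOnlyRootFilesystem: true        # image layers cannot be modified at run time
      capabilities:
        drop: ["ALL"]                     # start from zero Linux capabilities
    resources:
      limits:                             # enforced through cgroups; bounds a compromised container
        cpu: "500m"
        memory: "256Mi"
    volumeMounts:
    - name: tmp
      mountPath: /tmp                     # the only writable path, since the root filesystem is read-only
  volumes:
  - name: tmp
    emptyDir: {}
```

Apply with `kubectl apply -f` and confirm with `kubectl get pod hardened-example -o yaml` that the kubelet accepted the seccomp and SELinux settings; an image that insists on running as root will fail admission under `runAsNonRoot: true`.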

Network Security Tools

■ Project Calico This tool secures the container network with policy-based security, ensuring that services can only reach the services and resources they need.

■ Weave This tool enforces policy-based security for container networking and provides firewalls for each container rather than the entire environment.

■ Canal This tool integrates the security features of Project Calico with the connectivity features of Flannel to provide a comprehensive network solution for containers.

Security Benchmarking Tools

■ Docker Bench This is a script that checks the security posture of containers in production environments against a benchmark checklist created by the Center for Internet Security (CIS).

■ InSpec This is a testing framework built by Chef that treats compliance and security as code. It can also scan images and has its own version of Docker Bench.

Security of CaaS Platforms

■ AWS ECS In AWS ECS, containers are run inside virtual machines, which provides the first layer of security protection for containers. ECS also adds AWS security features such as IAM, security groups, and network ACLs.

■ Azure Container Service Azure Container Service has its own container registry that scans images, while also taking advantage of Azure's default security features such as IAM.

■ GKE GKE takes Kubernetes' security features and adds Google Cloud security features of its own, such as IAM and RBAC.

Container-Specific Security Tools

■ Twistlock This is an end-to-end container security platform that leverages machine learning to automatically analyze applications.

■ Aqua Security This is an end-to-end container security platform that provides mature, easily extensible APIs.

■ Anchore This tool scans container images and enforces security policies for container platforms. It also integrates with CI/CD workflows through Jenkins.

■ NeuVector This tool secures container operations by enforcing service policies, and it can automatically start or stop containers based on automated whitelisting.

■ Deepfence This tool is a CI/CD integrated security tool that protects against known attacks.

■ StackRox This is a container security tool that leverages machine learning to provide "adaptive threat protection".

■ Tenable This is a managed security solution that scans container images and also lets enterprises enforce security policies within their environment.

■ Cavirin This is a continuous security assessment tool that tests vulnerabilities against CIS benchmarks.

Feel the magic of Docker security tools

This article is a comprehensive checklist of Docker security tools. It makes clear that securing Docker requires multiple tools working together, because each tool has its own strengths and areas of focus. There are solutions for every layer of the container stack: the kernel, image repositories, networking, orchestration tools, and CaaS platforms. Best of all, most of the tools, or at least those common to most container workloads, integrate well with each other.

With a solid understanding of the capabilities and features of each security tool, you can create a secure container environment for enterprise-grade production workloads. This has always been Docker's promise, and container security tools have turned that promise into reality.
