Container security configuration

Original post: https://security.blog.csdn.net/article/details/129677238

1. Principles of Container Security Hardening

From a security perspective, container hosts should follow these hardening principles:

1. Minimal installation: do not install additional services and software, so as not to increase security risk;
2. Configure a timeout for interactive user logins;
3. Disable unnecessary packet forwarding;
4. Forbid ICMP redirects;
5. Restrict the address range from which remote access is allowed;
6. Delete or lock accounts that are not related to device operation and maintenance, and restrict the permissions on important files and directories;
7. Shut down unnecessary processes and services.

2. Container security configuration method

1. Allocate a separate partition for container storage

All Docker containers, together with their data and metadata, are stored under the /var/lib/docker directory. By default, /var/lib/docker is placed on the / or /var partition, depending on availability. Docker relies on /var/lib/docker as its default directory for all Docker-related files, including image files. This directory can be maliciously filled to the point that Docker, and even the host machine, becomes unusable. It is therefore recommended to create a separate partition (logical volume) for Docker files.

Check method: run the following command; it should return the partition details for the /var/lib/docker mount point.

grep /var/lib/docker /etc/fstab

Hardening method: when installing Docker on a new system, create a separate partition for the /var/lib/docker mount point. On systems where Docker is already installed, use the Logical Volume Manager (LVM) to create the partition.

2. Host security hardening

Ensure that the host complies with the applicable security baseline, and apply effective vulnerability management and configuration management to it.

3. Update Docker to the latest version

Docker is updated continuously, and older versions may contain security vulnerabilities. Ensure that published Docker vulnerabilities are fixed as soon as possible, and perform regular risk assessments of the Docker version in use.

4. Control authority of the daemon process

The Docker daemon requires root privileges, and any user added to the docker group effectively gains full root access to the host. Membership in the docker group must therefore be strictly restricted on the container host, and all untrusted users should be removed from it.

5. Audit the Docker daemon process

Audit all active Docker daemons, and audit all Docker-related files and directories in addition to the regular Linux filesystem and system calls. The Docker daemon runs with root privileges, and its operation depends on a number of key files and directories.

Check method:

Verify that audit rules exist for the Docker daemon binary and its files and directories:

auditctl -l | grep /usr/bin/docker
auditctl -l | grep /var/lib/docker
auditctl -l | grep /etc/docker
systemctl show -p FragmentPath docker.service
systemctl show -p FragmentPath docker.socket
auditctl -l | grep /etc/default/docker
auditctl -l | grep /etc/docker/daemon.json
auditctl -l | grep /usr/bin/docker-containerd
auditctl -l | grep /usr/bin/docker-runc

Hardening method:

Add the following rules to the /etc/audit/audit.rules file.

-w /usr/bin/docker -k docker
-w /var/lib/docker -k docker
-w /etc/docker -k docker
-w /usr/lib/systemd/system/docker.service -k docker
-w /usr/lib/systemd/system/docker.socket -k docker
-w /etc/default/docker -k docker
-w /etc/docker/daemon.json -k docker
-w /usr/bin/docker-containerd -k docker
-w /usr/bin/docker-runc -k docker
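As an added example (not part of the original post), the checks from sections 1 and 5 wrapped as POSIX sh functions that read `/etc/fstab` and `auditctl -l` output from stdin, so they can be run on a live host or, as here, against constructed samples. The sample rule list, the sample fstab and the `/dev/mapper/vg0-*` device names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): the post's audit-rule and
# separate-partition checks as functions that take command output on stdin.

# Paths the post's audit rules watch (-w <path> -k docker).
DOCKER_WATCH_PATHS='/usr/bin/docker
/var/lib/docker
/etc/docker
/usr/lib/systemd/system/docker.service
/usr/lib/systemd/system/docker.socket
/etc/default/docker
/etc/docker/daemon.json
/usr/bin/docker-containerd
/usr/bin/docker-runc'

# Read `auditctl -l` output on stdin and print each required path that has no
# `-w <path>` rule. Fields are compared exactly, so a watch on /etc/docker does
# not count as a watch on /etc/docker/daemon.json. Prints nothing when complete.
missing_docker_watches() {
    rules=$(cat)
    printf '%s\n' "$DOCKER_WATCH_PATHS" | while IFS= read -r path; do
        printf '%s\n' "$rules" |
            awk -v p="$path" '$1 == "-w" && $2 == p { f = 1 } END { exit !f }' ||
            printf '%s\n' "$path"
    done
}

# Read /etc/fstab on stdin; exit 0 only if /var/lib/docker is its own mount
# point (the post's separate-partition check). Comment lines are ignored.
docker_has_own_partition() {
    awk '$1 !~ /^#/ && $2 == "/var/lib/docker" { f = 1 } END { exit !f }'
}

# Constructed sample of `auditctl -l` output: only three of the nine watches.
SAMPLE_RULES='-w /usr/bin/docker -p rwxa -k docker
-w /var/lib/docker -p rwxa -k docker
-w /etc/docker/daemon.json -p rwxa -k docker'

# Constructed fstab with a dedicated logical volume for /var/lib/docker.
SAMPLE_FSTAB='# <device> <mount> <type> <opts> <dump> <pass>
/dev/mapper/vg0-root   /               ext4  defaults  0 1
/dev/mapper/vg0-docker /var/lib/docker ext4  defaults  0 2'

echo "Missing Docker audit watches:"
printf '%s\n' "$SAMPLE_RULES" | missing_docker_watches
printf '%s\n' "$SAMPLE_FSTAB" | docker_has_own_partition &&
    echo "/var/lib/docker has its own partition" ||
    echo "/var/lib/docker is NOT a separate mount point"
# On a live host: auditctl -l | missing_docker_watches; docker_has_own_partition < /etc/fstab
```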

6. Audit Docker related files and directories

In addition to auditing the Docker daemon itself, you also need to audit Docker-related files and directories, such as:

/var/lib/docker: contains all container data
/etc/docker: contains the keys and certificates for TLS communication between the Docker daemon and the Docker client
docker.service: run-parameter configuration file for the Docker daemon
docker.socket: the socket on which the daemon listens
/etc/default/docker: holds various parameters of the Docker daemon
/etc/docker/daemon.json: holds various parameters of the Docker daemon
/usr/bin/docker-containerd, /usr/bin/docker-runc: Docker depends on containerd and runC to create containers
