Table of contents
Enter the container to view details
View changes to the file system inside the container
View the processes running in the container
View container log information
View container resource usage in real time
View the configuration and status of the Docker network
Emergency measures for compromised containers
Third-party tools for deeper security intrusion detection
Check container operation
View currently running containers. You can use this command to check if any unusual or unknown containers are running.
docker ps
Enter the container to view details
docker exec -it [container-name/ID] /bin/bash
Enter the container's shell environment for further inspection and analysis. This command allows you to execute commands within the container and check information such as files, processes, and network connections in the container.
Get container details
docker inspect [container-name/ID]
Get detailed information about a container, including its configuration, network settings, and mounted volumes. This command can help you understand the running environment and related configuration of the container.
# Get the container name
docker inspect -f "{{.Name}}" dvwa
# Get the container's network information
docker inspect -f "{{.NetworkSettings}}" dvwa
docker inspect -f "{{.NetworkSettings.IPAddress}}" dvwa
# Where the container's directories are mounted on the host
docker inspect -f "{{json .Mounts}}" dvwa
docker inspect -f "{{range .Mounts}} {{println .Source .Destination}} {{end}}" dvwa
# View network information
docker inspect -f "{{json .NetworkSettings}}" dvwa
View changes to the file system inside the container
docker diff [container-name/ID]
Three states (A - Add, D - Delete, C - Change)
You can use this command to check if a container has been modified or had files added that should not exist.
View the processes running in the container
docker top [container-name/ID]
You can use this command to check whether the processes running in the container are normal and whether there are any abnormal processes.
View container log information
docker logs [container-name/ID]
By reviewing logs, you can detect unusual behavior, error messages, or suspicious activity.
View container resource usage in real time
docker stats [container-name/ID]
Shows CPU utilization, memory usage, network traffic, and so on. This command can help you detect abnormal resource usage.
View the configuration and status of the Docker network
docker network ls
You can use this command to check for unknown or unexpected networks.
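As an added example (not part of the original article), a small Python triage script that applies the `docker inspect` and `docker diff` checks above to captured command output: it flags privileged containers, host networking, bind mounts of sensitive host paths, and diff entries under system directories. The sample inspect JSON and diff listing are constructed inline, and the sensitive-path lists are assumptions to tune per environment.

```python
import json

# Host paths that should rarely be bind-mounted into a container (assumption: tune per environment)
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/var/run/docker.sock", "/proc", "/sys")
# Container directories where `docker diff` changes are suspicious for an immutable image
SENSITIVE_CONTAINER_DIRS = ("/etc", "/usr/bin", "/usr/sbin", "/bin", "/sbin", "/root")

def _under(path, prefix):
    """True if path equals prefix or lies beneath it."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

def triage_inspect(inspect_json):
    """Flag risky settings in the JSON printed by `docker inspect <container>`."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "?").lstrip("/")
        host = c.get("HostConfig", {})
        if host.get("Privileged"):
            findings.append(f"{name}: runs --privileged")
        if host.get("NetworkMode") == "host":
            findings.append(f"{name}: uses the host network namespace")
        for m in c.get("Mounts", []):
            src = m.get("Source", "")
            if src == "/" or any(_under(src, p) for p in SENSITIVE_HOST_PATHS):
                findings.append(f"{name}: sensitive host path {src} mounted at {m.get('Destination')}")
    return findings

def triage_diff(diff_output):
    """Parse `docker diff` lines (A/D/C <path>) and return changes under sensitive directories."""
    suspicious = []
    for line in diff_output.splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) != 2 or parts[0] not in ("A", "D", "C"):
            continue  # skip blank or malformed lines
        state, path = parts
        if any(_under(path, d) for d in SENSITIVE_CONTAINER_DIRS):
            suspicious.append((state, path))
    return suspicious

# Constructed sample data standing in for `docker inspect dvwa` and `docker diff dvwa` output
SAMPLE_INSPECT = json.dumps([{
    "Name": "/dvwa",
    "HostConfig": {"Privileged": True, "NetworkMode": "bridge"},
    "Mounts": [
        {"Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock"},
        {"Source": "/srv/dvwa/data", "Destination": "/var/www/data"},
    ],
}])
SAMPLE_DIFF = "C /etc\nA /etc/cron.d/job\nC /var/www/html\nA /tmp/x\nA /usr/bin/extra\n"
```

Feed it real output with `docker inspect <name>` piped into `triage_inspect` and `docker diff <name>` into `triage_diff`; an empty result means none of the configured checks fired, not that the container is clean.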
Emergency measures for compromised containers
After confirming that the container has been compromised, the usual emergency measures are to pause the container, isolate it, or even kill it.
(1) Use docker pause to pause all processes in the container.
(2) Use docker commit to build an image of the compromised container, thereby retaining on-site traces for traceability.
(3) Disable the network for the running Docker container.
# Disconnect the running container from the bridge network (use the network's name for a user-defined bridge)
[root@localhost ~]# docker network disconnect bridge <container-name>
# Disable the veth: read the host-side interface index from inside the container, find that interface on the host, and bring it down
[root@localhost ~]# docker exec -it <container-name> cat /sys/class/net/eth0/iflink
29
[root@localhost ~]# ip link show | grep 29
29: vethbf5239e@if28: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue masteefault
[root@localhost ~]# ip link set vethbf5239e down
(4) Use docker kill to kill the running container.
docker kill -s KILL <container-name>
Third-party tools for deeper security intrusion detection
- Docker Bench for Security: an open source tool officially provided by Docker that checks whether the security configuration of Docker containers and hosts conforms to best practices.
- Clair: a tool for scanning Docker images for vulnerabilities, which can help you find security issues in container images.
- Trivy: https://github.com/aquasecurity/trivy. A comprehensive and versatile security scanner. Trivy has scanners that look for security issues, and targets where it can find those issues. Supported targets:
  - container image
  - file system
  - Git repository (remote)
  - virtual machine image
  - Kubernetes
  - AWS