{"id":7894,"date":"2019-01-16T10:05:19","date_gmt":"2019-01-16T10:05:19","guid":{"rendered":"https:\/\/nsfocusglobal.com\/?p=7894"},"modified":"2019-01-16T10:05:19","modified_gmt":"2019-01-16T10:05:19","slug":"technical-report-container-security-iv-3","status":"publish","type":"post","link":"https:\/\/nsfocusglobal.com\/pt-br\/technical-report-container-security-iv-3\/","title":{"rendered":"Technical Report on Container Security (IV)-3"},"content":{"rendered":"<p><strong>Container Security Protection<\/strong> <strong>\u2013 Host Security<\/strong><\/p>\n<h2><strong>Host Security<\/strong><\/h2>\n<ol>\n<li>\n<h3><strong>Hardening of Basic Host Security<\/strong><\/h3>\n<\/li>\n<\/ol>\n<p>Containers share the operating system kernel with the host, so the host&#8217;s configuration largely determines whether containers can run securely. For example, vulnerable software on the host exposes it to arbitrary code execution; ports opened without need expose it to unauthorized access; a misconfigured firewall weakens its defenses; and privileged remote logins that accept passwords instead of key-based authentication invite brute-force attacks against the host.<\/p>\n<p>To harden the container host, adhere to the following principles:<\/p>\n<ul>\n<li>Follow the minimal-installation principle: do not install extra services or software that would add attack surface.<\/li>\n<li>Configure a login timeout for interactive sessions.<\/li>\n<li>Disable packet forwarding that is not required (note that Docker bridge networking itself relies on IP forwarding on the host, so do not disable it blindly).<\/li>\n<li>Disable ICMP redirects.<\/li>\n<li>Restrict the ranges of IP addresses allowed to access the host remotely.<\/li>\n<li>Delete or lock accounts that are not needed to run or maintain the system.<\/li>\n<li>Set restrictive permissions on important files and directories.<\/li>\n<li>Disable unnecessary processes and services.<\/li>\n<\/ul>\n<ol start=\"2\">\n<li>\n<h3><strong>Hardening of Container-related Security<\/strong><\/h3>\n<\/li>\n<\/ol>\n<p><strong>(1) 
Allocate a separate partition for container storage.<\/strong><\/p>\n<p>By default, Docker stores all of its data (images, container layers and volumes) under <strong>\/var\/lib\/docker<\/strong>. Where possible, mount this directory on its own partition so that containers that fill their writable layers or volumes cannot exhaust the root filesystem and take the host down with them. After installation, verify the configuration by running <strong>grep \/var\/lib\/docker \/etc\/fstab<\/strong>; a matching entry shows that a dedicated mount is in place.<\/p>\n<p><strong>(2) Harden the security of hosts.<\/strong><\/p>\n<p>Ensure that hosts comply with the applicable security baselines through effective vulnerability and configuration management.<\/p>\n<p><strong>(3) Upgrade Docker to the latest version.<\/strong><\/p>\n<p>Docker frequently releases updates that fix security vulnerabilities in earlier versions. Make sure that the installed version (shown by <strong>docker version<\/strong>) is free from known vulnerabilities, and check it regularly.<\/p>\n<p><strong>(4) Control privileges for the Docker daemon.<\/strong><\/p>\n<p>The Docker daemon runs as root, and any user allowed to talk to its socket (by default, every member of the &#8220;docker&#8221; group) can obtain root on the host, for example by starting a container that bind-mounts the host filesystem. Membership of the &#8220;docker&#8221; group is therefore equivalent to root: keep it strictly limited, remove every untrusted user from it, and review it regularly (for example with <strong>getent group docker<\/strong>).<\/p>\n<p><strong>(5) Audit the Docker daemon.<\/strong><\/p>\n<p>For containers, it is necessary to audit not only the regular Linux file system and system calls but also the activity and use of the Docker daemon. By default, the Docker daemon is not audited. To audit it, add an audit rule with <strong>auditctl -w \/usr\/bin\/docker -k docker<\/strong> (on current packages the daemon binary is <strong>\/usr\/bin\/dockerd<\/strong> and should be watched as well) or add the equivalent rule to <strong>\/etc\/audit\/audit.rules<\/strong>. Rules loaded with auditctl alone are lost at reboot, so the rules file is where they must be made permanent.<\/p>\n<p>Auditing the Docker daemon generates a large volume of log data, which should be rotated and archived regularly. 
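<\/p>\n<p>The checks in (1), (4) and (5), and the watch rules for the paths listed under (6), can be scripted. The shell script below is an added example written for this edit; it is not part of the NSFOCUS report or of Docker&#8217;s own tooling. Each function takes the path of an fstab, group or audit.rules file, so it can be pointed at the real \/etc\/fstab, \/etc\/group and \/etc\/audit\/audit.rules on a host or, as in the demonstration at the bottom, at constructed sample files. The sample file contents, the user names alice and bob, and the systemd unit paths under \/usr\/lib\/systemd\/system are assumptions; the script also watches \/usr\/bin\/dockerd, the daemon binary name used by current Docker packages, alongside the \/usr\/bin\/docker path named in the text.<\/p>\n
```sh
#!/bin/sh
# Added example (not from the NSFOCUS report): host-side checks for the Docker
# hardening items above. Every function takes a file path so it can be run
# against the real /etc/fstab, /etc/group and /etc/audit/audit.rules on a host,
# or against the constructed sample files written by make_samples.

# (1) Is /var/lib/docker on its own mount? Same intent as:
#     grep /var/lib/docker /etc/fstab
# Comment lines are skipped and the mount point (field 2) must match exactly.
docker_partition_ok() {
    awk '$1 !~ /^#/ && $2 == "/var/lib/docker" { found = 1 }
         END { exit (found ? 0 : 1) }' "$1"
}

# (4) Members of the docker group are root-equivalent on the host.
# Prints the comma-separated member list from an /etc/group-format file.
docker_group_members() {
    awk -F: '$1 == "docker" { print $4 }' "$1"
}

# (5)/(6) Paths that should carry an auditd watch rule.
# /usr/bin/docker is the binary named in the text; on current packages the
# daemon itself is /usr/bin/dockerd. Unit-file paths vary by distribution
# (Debian/Ubuntu: /lib/systemd/system); adjust them to what
# `systemctl show -p FragmentPath docker.service` reports on the host.
docker_audit_rules() {
    for p in /usr/bin/docker /usr/bin/dockerd \
             /var/lib/docker /etc/docker \
             /usr/lib/systemd/system/docker.service \
             /usr/lib/systemd/system/docker.socket \
             /etc/default/docker /etc/docker/daemon.json \
             /usr/bin/docker-containerd /usr/bin/docker-runc; do
        printf '%s %s -k docker\n' -w "$p"
    done
}

# True if the audit.rules file in $1 already watches the exact path in $2.
audit_rule_present() {
    grep -qE "^-w[[:space:]]+$2([[:space:]]|\$)" "$1"
}

# Rules from docker_audit_rules that are absent from the rules file in $1.
# Append the output to /etc/audit/audit.rules (or a file under
# /etc/audit/rules.d/) so the watches survive a reboot; auditctl alone does not.
missing_audit_rules() {
    docker_audit_rules | while read -r flag path rest; do
        audit_rule_present "$1" "$path" || printf '%s %s %s\n' "$flag" "$path" "$rest"
    done
}

# Constructed sample inputs (assumed values, not taken from any real host).
make_samples() {
    cat > "$1/fstab" <<'EOF'
UUID=0000-0000 /               ext4 defaults 0 1
/dev/sdb1      /var/lib/docker ext4 defaults,nodev,nosuid 0 2
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
docker:x:999:alice,bob
EOF
    cat > "$1/audit.rules" <<'EOF'
-w /usr/bin/docker -k docker
EOF
}

# Human-readable summary for the fstab, group and audit.rules files in $1.
host_report() {
    if docker_partition_ok "$1/fstab"; then
        echo "PASS  /var/lib/docker is on its own partition"
    else
        echo "FAIL  /var/lib/docker shares the root filesystem"
    fi
    echo "INFO  docker group (root-equivalent) members: $(docker_group_members "$1/group")"
    missing_audit_rules "$1/audit.rules" | sed 's/^/TODO  add audit rule: /'
}

# Demonstration on the constructed samples; on a real host pass a directory
# (or adapt the paths) holding the live /etc/fstab, /etc/group and audit.rules.
SAMPLE=$(mktemp -d)
make_samples "$SAMPLE"
host_report "$SAMPLE"
rm -rf "$SAMPLE"
```
\n<p>On a real host, feed the functions the live files instead of the sample directory and append the output of missing_audit_rules to the audit rules file before reloading auditd. The fstab match is deliberately strict: a bind mount, or a data root relocated with the data-root option in daemon.json, is not recognized and has to be reviewed by hand.<\/p>\n<p>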
Store audit logs on a separate partition so that a flood of audit records cannot fill the root filesystem and disrupt normal services.<\/p>\n<p><strong>(6) Audit Docker-related files and directories.<\/strong><\/p>\n<p>Besides auditing the Docker daemon, audit the Docker-related files and directories, such as <strong>\/var\/lib\/docker<\/strong> (all container data), <strong>\/etc\/docker<\/strong> (the keys and certificates used for TLS between the Docker daemon and Docker clients), <strong>docker.service<\/strong> (the systemd unit that holds the daemon&#8217;s start-up parameters), <strong>docker.socket<\/strong> (the systemd unit for the daemon&#8217;s listening socket), <strong>\/etc\/default\/docker<\/strong> (daemon environment parameters on Debian-based systems), <strong>\/etc\/docker\/daemon.json<\/strong> (the daemon&#8217;s configuration file), and <strong>\/usr\/bin\/docker-containerd<\/strong> and <strong>\/usr\/bin\/docker-runc<\/strong> (the runtime binaries Docker uses to create containers).<\/p>\n<p>These files and directories are audited the same way as the Docker daemon: add a watch rule for each path to the audit rules file, or load it with auditctl.<\/p>\n<p><strong>(To be continued)<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Container Security Protection \u2013 Host Security Host Security Hardening of Basic Host Security Containers share the operating system kernel with the host. Therefore, host configuration determines whether containers can be executed in a secure manner. 
For example, vulnerable software puts the host at risk of arbitrary code execution; opening ports at will exposes the host [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":7895,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_coblocks_attr":"","_coblocks_dimensions":"","_coblocks_responsive_height":"","_coblocks_accordion_ie_support":"","footnotes":""},"categories":[15],"tags":[152],"class_list":["post-7894","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-research-reports","tag-container-security"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Technical Report on Container Security (IV)-3 - NSFOCUS<\/title>\n<meta name=\"robots\" content=\"noindex, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"pt_BR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Technical Report on Container Security (IV)-3 - NSFOCUS\" \/>\n<meta property=\"og:description\" content=\"Container Security Protection \u2013 Host Security Host Security Hardening of Basic Host Security Containers share the operating system kernel with the host.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/nsfocusglobal.com\/technical-report-container-security-iv-3\/\" \/>\n<meta property=\"og:site_name\" content=\"NSFOCUS\" \/>\n<meta property=\"article:published_time\" content=\"2019-01-16T10:05:19+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2019\/01\/1107-4.jpg\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"Technical Report on Container Security (IV)-3 - NSFOCUS\" \/>\n<meta 
name=\"twitter:description\" content=\"Container Security Protection \u2013 Host Security Host Security Hardening of Basic Host Security Containers share the operating system kernel with the host.\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2019\/01\/1107-4.jpg\" \/>\n<meta name=\"twitter:label1\" content=\"Escrito por\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. tempo de leitura\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutos\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/technical-report-container-security-iv-3\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/technical-report-container-security-iv-3\\\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#\\\/schema\\\/person\\\/fd9ab61c9c77a81bbd870f725cc0c61d\"},\"headline\":\"Technical Report on Container Security (IV)-3\",\"datePublished\":\"2019-01-16T10:05:19+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/technical-report-container-security-iv-3\\\/\"},\"wordCount\":584,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/technical-report-container-security-iv-3\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2019\\\/01\\\/1107-4.jpg\",\"keywords\":[\"Container Security\"],\"articleSection\":[\"Research &amp; 
Reports\"],\"inLanguage\":\"pt-BR\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/nsfocusglobal.com\\\/technical-report-container-security-iv-3\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/technical-report-container-security-iv-3\\\/\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/technical-report-container-security-iv-3\\\/\",\"name\":\"Technical Report on Container Security (IV)-3 - NSFOCUS\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/technical-report-container-security-iv-3\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/technical-report-container-security-iv-3\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2019\\\/01\\\/1107-4.jpg\",\"datePublished\":\"2019-01-16T10:05:19+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/technical-report-container-security-iv-3\\\/#breadcrumb\"},\"inLanguage\":\"pt-BR\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/nsfocusglobal.com\\\/technical-report-container-security-iv-3\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"pt-BR\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/technical-report-container-security-iv-3\\\/#primaryimage\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2019\\\/01\\\/1107-4.jpg\",\"contentUrl\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2019\\\/01\\\/1107-4.jpg\",\"width\":549,\"height\":389,\"caption\":\"Illustrations of educational tools and 
concepts.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/technical-report-container-security-iv-3\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/nsfocusglobal.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Technical Report on Container Security (IV)-3\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#website\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/\",\"name\":\"NSFOCUS\",\"description\":\"Security Made Smart and Simple\",\"publisher\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"pt-BR\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#organization\",\"name\":\"NSFOCUS\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"pt-BR\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2024\\\/08\\\/logo-ns.png\",\"contentUrl\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2024\\\/08\\\/logo-ns.png\",\"width\":248,\"height\":36,\"caption\":\"NSFOCUS\"},\"image\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#\\\/schema\\\/person\\\/fd9ab61c9c77a81bbd870f725cc0c61d\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"pt-BR\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d3dc987908fc59791d261b1006d84eb931d1528726
1476b9384e690ed0c568de?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\\\/\\\/nsfocusglobal.com\"],\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/author\\\/admin\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Technical Report on Container Security (IV)-3 - NSFOCUS","robots":{"index":"noindex","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"pt_BR","og_type":"article","og_title":"Technical Report on Container Security (IV)-3 - NSFOCUS","og_description":"Container Security Protection \u2013 Host Security Host Security Hardening of Basic Host Security Containers share the operating system kernel with the host.","og_url":"https:\/\/nsfocusglobal.com\/technical-report-container-security-iv-3\/","og_site_name":"NSFOCUS","article_published_time":"2019-01-16T10:05:19+00:00","og_image":[{"url":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2019\/01\/1107-4.jpg","type":"","width":"","height":""}],"author":"admin","twitter_card":"summary_large_image","twitter_title":"Technical Report on Container Security (IV)-3 - NSFOCUS","twitter_description":"Container Security Protection \u2013 Host Security Host Security Hardening of Basic Host Security Containers share the operating system kernel with the host.","twitter_image":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2019\/01\/1107-4.jpg","twitter_misc":{"Escrito por":"admin","Est. 
tempo de leitura":"3 minutos"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/nsfocusglobal.com\/technical-report-container-security-iv-3\/#article","isPartOf":{"@id":"https:\/\/nsfocusglobal.com\/technical-report-container-security-iv-3\/"},"author":{"name":"admin","@id":"https:\/\/nsfocusglobal.com\/pt-br\/#\/schema\/person\/fd9ab61c9c77a81bbd870f725cc0c61d"},"headline":"Technical Report on Container Security (IV)-3","datePublished":"2019-01-16T10:05:19+00:00","mainEntityOfPage":{"@id":"https:\/\/nsfocusglobal.com\/technical-report-container-security-iv-3\/"},"wordCount":584,"commentCount":0,"publisher":{"@id":"https:\/\/nsfocusglobal.com\/pt-br\/#organization"},"image":{"@id":"https:\/\/nsfocusglobal.com\/technical-report-container-security-iv-3\/#primaryimage"},"thumbnailUrl":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2019\/01\/1107-4.jpg","keywords":["Container Security"],"articleSection":["Research &amp; Reports"],"inLanguage":"pt-BR","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/nsfocusglobal.com\/technical-report-container-security-iv-3\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/nsfocusglobal.com\/technical-report-container-security-iv-3\/","url":"https:\/\/nsfocusglobal.com\/technical-report-container-security-iv-3\/","name":"Technical Report on Container Security (IV)-3 - 
NSFOCUS","isPartOf":{"@id":"https:\/\/nsfocusglobal.com\/pt-br\/#website"},"primaryImageOfPage":{"@id":"https:\/\/nsfocusglobal.com\/technical-report-container-security-iv-3\/#primaryimage"},"image":{"@id":"https:\/\/nsfocusglobal.com\/technical-report-container-security-iv-3\/#primaryimage"},"thumbnailUrl":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2019\/01\/1107-4.jpg","datePublished":"2019-01-16T10:05:19+00:00","breadcrumb":{"@id":"https:\/\/nsfocusglobal.com\/technical-report-container-security-iv-3\/#breadcrumb"},"inLanguage":"pt-BR","potentialAction":[{"@type":"ReadAction","target":["https:\/\/nsfocusglobal.com\/technical-report-container-security-iv-3\/"]}]},{"@type":"ImageObject","inLanguage":"pt-BR","@id":"https:\/\/nsfocusglobal.com\/technical-report-container-security-iv-3\/#primaryimage","url":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2019\/01\/1107-4.jpg","contentUrl":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2019\/01\/1107-4.jpg","width":549,"height":389,"caption":"Illustrations of educational tools and concepts."},{"@type":"BreadcrumbList","@id":"https:\/\/nsfocusglobal.com\/technical-report-container-security-iv-3\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/nsfocusglobal.com\/"},{"@type":"ListItem","position":2,"name":"Technical Report on Container Security (IV)-3"}]},{"@type":"WebSite","@id":"https:\/\/nsfocusglobal.com\/pt-br\/#website","url":"https:\/\/nsfocusglobal.com\/pt-br\/","name":"NSFOCUS","description":"Security Made Smart and 
Simple","publisher":{"@id":"https:\/\/nsfocusglobal.com\/pt-br\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/nsfocusglobal.com\/pt-br\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"pt-BR"},{"@type":"Organization","@id":"https:\/\/nsfocusglobal.com\/pt-br\/#organization","name":"NSFOCUS","url":"https:\/\/nsfocusglobal.com\/pt-br\/","logo":{"@type":"ImageObject","inLanguage":"pt-BR","@id":"https:\/\/nsfocusglobal.com\/pt-br\/#\/schema\/logo\/image\/","url":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2024\/08\/logo-ns.png","contentUrl":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2024\/08\/logo-ns.png","width":248,"height":36,"caption":"NSFOCUS"},"image":{"@id":"https:\/\/nsfocusglobal.com\/pt-br\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/nsfocusglobal.com\/pt-br\/#\/schema\/person\/fd9ab61c9c77a81bbd870f725cc0c61d","name":"admin","image":{"@type":"ImageObject","inLanguage":"pt-BR","@id":"https:\/\/secure.gravatar.com\/avatar\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/nsfocusglobal.com"],"url":"https:\/\/nsfocusglobal.com\/pt-br\/author\/admin\/"}]}},"_links":{"self":[{"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/posts\/7894","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/user
s\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/comments?post=7894"}],"version-history":[{"count":0,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/posts\/7894\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/media\/7895"}],"wp:attachment":[{"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/media?parent=7894"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/categories?post=7894"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/tags?post=7894"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}