Technical Report on Container Security (IV)-3

Technical Report on Container Security (IV)-3

January 16, 2019 | Adeline Zhang

Container Security Protection – Host Security

Host Security

  1. Hardening of Basic Host Security

Containers share the operating system kernel with the host. Therefore, host configuration determines whether containers can be executed in a secure manner. For example, vulnerable software puts the host at risk of arbitrary code execution; opening ports at will exposes the host to the arbitrary access risk; misconfiguration of a firewall downgrades the host’s security; sudo login without key-based authentication may lead to brute-force cracking against the host.

To enhance the security of the container host, users should adhere to the following principles:

  • Follow the minimum installation principle and do not install extra services and software to introduce more security risks.
  • Configure login timeout for interactive users.
  • Disable unnecessary packet forwarding functions.
  • Disable ICMP redirect.
  • Configure ranges of remotely accessible IP addresses.
  • Delete or lock accounts unnecessary for device running, maintenance, and other related work.
  • Set permissions for important files and directories.
  • Disable unnecessary processes and services.
  1. Hardening of Container-related Security

(1) Allocate a separate partition as the storage of containers.

By default, all Docker-related files are stored in the /var/lib/docker directory. Where possible, a separate partition should be allocated for containers to ensure their security. Docker, after being installed, should be audited by running the grep /var/lib/docker /etc/fstab command.

(2) Harden the security of hosts.

Ensure that hosts comply with related security specifications by conducting effective vulnerability and configuration management.

(3) Upgrade Docker to the latest version.

Docker frequently releases updates to fix security vulnerabilities in earlier versions. Therefore, it is important to make sure that the currently used Docker version is free from known vulnerabilities and regularly checked for security risks.

(4) Control privileges for the Docker daemon.

The Docker daemon requires root privileges and grants users within the “docker” user group full root access. Therefore, on the container host, it is important to strictly restrict users in the “docker” user group and delete all untrusted users.

(5) Audit the Docker daemon.

For containers, it is necessary to audit not only the regular Linux file system and system calls but also the activity and use of the Docker daemon. By default, the Docker daemon is not audited. Auditing the Docker daemon requires addition of an audit rule by using the auditctl -w /usr/bin/docker -k docker command or a rule update by modifying the /etc/audit/audit.rules file.

Auditing the Docker daemon will generate a large number of log files, which should be archived regularly. It is advisable to use a separate audit partition for log storage to prevent normal business from being affected by the root system filled with log files.

(6) Audit Docker-related files and directories.

Besides auditing the Docker daemon, it is also necessary to audit Docker-related files and directories, such as /var/lib/docker (containing all container-related information), /etc/docker (containing all keys and certificates for the TLS communication between the Docker daemon and Docker clients), docker.service (parameter configuration file of the Docker daemon), docker.socket (running sockets of the Docker daemon), /etc/default/docker (supporting various parameters of the Docker daemon), /etc/default/daemon.json (supporting various parameters of the Docker daemon), and /usr/bin/docker-containerd and /usr/bin/docker-runc (the two are used by Docker to generate containers).

The method of auditing these files and directories is the same as that for auditing the Docker Daemon, namely, by modifying the configuration file or adding an audit rule with a command line.

(To be continued)