Securing Docker - 6 best practices

Docker containers have revolutionized the software industry. Docker images enable developers using Windows machines to work on applications that use Linux dependencies and different libraries. But with such a large attack surface and the risk of hackers successfully exploiting privileged containers, Securing Docker containers and images is crucial. 

Putting containers into production can therefore have a number of security implications, particularly surrounding three main areas: images, networks, and privileges. This guide presents techniques and best practices for securing your Docker containers, today a major aspect of your vulnerability management program.

Prerequisites for Securing Docker

Before getting started, you’ll need to have Docker and Docker Desktop installed. In addition, you’ll need running containers.

1. Scan Docker images

Docker offers the built-in docker scan command, which scans your images and provides a comprehensive report on any vulnerabilities detected. This means you don’t have to install extra plugins just to scan your images to detect critical vulnerabilities.

Start by listing all the available Docker images to get comprehensive details about images using the following command:

$ docker image ls

You will get the following output:

REPOSITORY                    TAG       IMAGE ID       CREATED         SIZE getting-started               latest    d01d0ef3eb7c   12 days ago     404MB gcr.io/k8s-minikube/kicbase   v0.0.30   1312ccd2422d   9 months ago    1.14GB kindest/node                  <none>    32b8b755dee8   17 months ago   1.12GB

 

Next, use the docker scan command followed by <REPOSITORY:TAG> (If TAG is “latest,” you can omit it.) to scan one of the images listed in the output above.

$ docker scan getting-started

The scan report will indicate the severity score of the detected vulnerability. There are four severity score categories:

1. Critical
2. High
3. Medium 
4. Low

Any vulnerabilities that are classified as “Critical” or “High” should be resolved immediately, before attackers can exploit them. In most cases, this can be achieved by updating your images.

The scan report will also provide the description of the vulnerability, with the “Info” field containing a link to the documentation about the vulnerability.

✗ Medium severity vulnerability found in openssl/libcrypto1.1   Description: Inadequate Encryption Strength   Info: https://security.snyk.io/vuln/SNYK-ALPINE315-OPENSSL-2941810   Introduced through: openssl/libcrypto1.1@1.1.1n-r0, openssl/libssl1.1@1.1.1n-r0, apk-tools/apk-tools@2.12.7-r3, libretls/libretls@3.3.4-r3, python2/python2@2.7.18-r4   From: openssl/libcrypto1.1@1.1.1n-r0   From: openssl/libssl1.1@1.1.1n-r0 > openssl/libcrypto1.1@1.1.1n-r0   From: apk-tools/apk-tools@2.12.7-r3 > openssl/libcrypto1.1@1.1.1n-r0   and 6 more...   Image layer: 'apk add --no-cache python2 g++ make'   Fixed in: 1.1.1q-r0

 

The scan report will list many detected vulnerabilities. At the end of the scan report, you will find a summary indicating the number of tested vulnerabilities, platform, and the base image being tested. Below is the full summary:

Package manager:   apk Project name:      docker-image|getting-started Docker image:      getting-started Platform:          linux/amd64 Base image:        node:12.22.12-alpine3.15 Tested 39 dependencies for known vulnerabilities, found 8 vulnerabilities. Base Image                Vulnerabilities  Severity node:12.22.12-alpine3.15  8                1 critical, 0 high, 7 medium, 0 low

You should scan your Docker images regularly to make sure that vulnerabilities are detected and remediated before they can be exploited by malicious actors.

2. Update Docker images

Both Docker and Docker Desktop updates introduce security patches and features to improve efficiency. As shown previously, when scanning Docker images, Docker may recommend upgrading your packages to help resolve issues.

Issues to fix by upgrading:   Upgrade [email protected] to [email protected] to fix   ✗ Regular Expression Denial of Service (ReDoS) [Low Severity][https://security.snyk.io/vuln/SNYK-JS-TAR-1536758] in [email protected]     introduced by [email protected] > [email protected] > [email protected]   ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-SQLITE3-2388645] in [email protected]     introduced by [email protected]

Updating your containers is crucial: All of the detected critical vulnerabilities listed in the above code block can be eliminated through regular Docker updates.

To update a Docker image, start by listing all available images so that you can get the version number of the image shown in the “Tag” field.

$ docker image ls

You will get the following output:

REPOSITORY                    TAG       IMAGE ID       CREATED         SIZE gcr.io/k8s-minikube/kicbase   v0.0.30   1312ccd2422d   9 months ago    1.14GB

 

The above output displays the image version. If the version is not the most recent, updating the image is recommended. Use the following command to pull the latest image version:

$ sudo docker pull [enter image name here]

After pulling the image, you will have to remove the old container before you can proceed to run the newly downloaded image.

3. Avoid using containers with escalated privileges

Containers that run with escalated privileges put your system at higher risk during a data breach. A privileged container has root access to the host machine. Attackers can exploit the host machine through the privileged containers thus causing greater damage. A privileged container has root access to the host machine. Privileged containers can even escape SELinux confinement and are often able to bypass security checks.

To check if your container is running with privileged rights, use the following command that includes the container’s ID:

$ docker inspect --format='{{.HostConfig.Privileged}}' db95f531cf8a

If the container is running with privileged rights, the output will be true, and false if not. Best practice is to avoid giving containers privileged access.

4. Implement container resource quotas

Ensuring containers have sufficient resources is one way to minimize the impact of a cyber attack or data breach. When a container uses more resources than necessary, this can result in more severe consequences if it is compromised by malicious actors. This is because the attacker would be able to seize many resources since the container was allocated more than the required resources.

Docker has hard limits and soft limits. Hard limits mean that containers cannot use more than the allocated memory. Soft limits allow the container to use as much memory as it needs. 

There are four important parameters to know about when setting container resource limits:

• –memory=: Specifies the amount of memory the container is allowed to use.
• –memory-swap*: Specifies the amount of memory the container is allowed to swap.
• –oom-kill-disable: Prevents the kernel from killing container processes in case of an out-of-memory error.
• –kernel-memory: Sets the maximum kernel memory a container can use.

Use the –cpus=<value> parameter to set the amount of CPU resources a container can use.

Following is an example of how to use the —cpu quota:

$ docker run --cpus=2 nginx

Following is an example of how to use the –memory quota:

$ docker run -m 512m nginx

5. Use the restart policy

Containers that keep on exiting and restarting can lead to DoS attacks. This is because when the container stops and exits, applications experience downtime, which can leave legitimate users unable to access the application service. It is therefore important to configure your containers with a restart policy that specifies what the container should do if it exits unexpectedly.

Use the following command to restart the container every time it exits:

docker run -d --restart unless-stopped [enter image name here]

6. Inspect Docker container logs

Logs and statuses enable you to detect vulnerabilities that could have disastrous consequences if attackers manage to exploit them. Logs are therefore crucial when it comes to ensuring the health of your containers.

To view your logs in Docker, use the docker logs command, which will print the STDOUT and STDERR. To view service logs, use the docker service logs command.

You can use the following parameters to get more details about the logs:

• –details: Provides more log details.
• –since: Displays logs that have been logged from a specified point in time.
• –timestamps: Shows the time display.
• –until: Shows logs before the timestamp in which they were generated.

Securing Docker – the bottom line

Securing your Docker containers requires consistency and ensuring the most up-to-date security implementations. But the best implementation you can add to your workflow to improve security is automation. Tests must be triggered when code changes and images should be scanned regularly using auditing tools such as Inspec, which provides in-depth scanning of your Docker configuration.

Applying the techniques covered in this guide and using automation to fill security gaps your team may have neglected or been unaware of will keep you ahead of the game.

Prioritize and manage vulnerabilities from your container images and across assets, at scale, with the Vulcan Cyber® risk management platform. Claim your free trial, and start owning your risk.

FAQs

Can I access a Docker container from the outside?

While your Docker container is able to establish external connections, external entities are generally unable to establish connections with your container. To enable external access to the ports, either with other containers not on the same network or for general external use, the -P (publish all available ports) or -p (publish specific ports) flag will need to be utilized.

Can Docker be used without internet access?

Yes, Docker Desktop can be used offline without any issues, but some features that require an internet connection will not be available.

Can Docker be encrypted?

By default, control plane traffic within Docker overlay networks is encrypted. However, in order to encrypt data plane traffic, the –opt encrypted flag must be included when creating the Docker network via the docker network create command.