Docker containers have revolutionized the software industry. Docker images enable developers using Windows machines to work on applications that use Linux dependencies and different libraries. But with such a large attack surface and the risk of hackers successfully exploiting privileged containers, Securing Docker containers and images is crucial.
Putting containers into production can therefore have a number of security implications, particularly surrounding three main areas: images, networks, and privileges. This guide presents techniques and best practices for securing your Docker containers, today a major aspect of your vulnerability management program.
Prerequisites for Securing Docker
Before getting started, you’ll need to have Docker and Docker Desktop installed. In addition, you’ll need running containers.
1. Scan Docker images
Docker offers the built-in docker scan command, which scans your images and provides a comprehensive report on any vulnerabilities detected. This means you don’t have to install extra plugins just to scan your images to detect critical vulnerabilities.
Start by listing all the available Docker images to get comprehensive details about images using the following command:
You will get the following output:
Next, use the docker scan command followed by <REPOSITORY:TAG> (If TAG is “latest,” you can omit it.) to scan one of the images listed in the output above.
The scan report will indicate the severity score of the detected vulnerability. There are four severity score categories:
Any vulnerabilities that are classified as “Critical” or “High” should be resolved immediately, before attackers can exploit them. In most cases, this can be achieved by updating your images.
The scan report will also provide the description of the vulnerability, with the “Info” field containing a link to the documentation about the vulnerability.
The scan report will list many detected vulnerabilities. At the end of the scan report, you will find a summary indicating the number of tested vulnerabilities, platform, and the base image being tested. Below is the full summary:
You should scan your Docker images regularly to make sure that vulnerabilities are detected and remediated before they can be exploited by malicious actors.
2. Update Docker images
Both Docker and Docker Desktop updates introduce security patches and features to improve efficiency. As shown previously, when scanning Docker images, Docker may recommend upgrading your packages to help resolve issues.
Updating your containers is crucial: All of the detected critical vulnerabilities listed in the above code block can be eliminated through regular Docker updates.
To update a Docker image, start by listing all available images so that you can get the version number of the image shown in the “Tag” field.
You will get the following output:
The above output displays the image version. If the version is not the most recent, updating the image is recommended. Use the following command to pull the latest image version:
After pulling the image, you will have to remove the old container before you can proceed to run the newly downloaded image.
3. Avoid using containers with escalated privileges
Containers that run with escalated privileges put your system at higher risk during a data breach. A privileged container has root access to the host machine. Attackers can exploit the host machine through the privileged containers thus causing greater damage. A privileged container has root access to the host machine. Privileged containers can even escape SELinux confinement and are often able to bypass security checks.
To check if your container is running with privileged rights, use the following command that includes the container’s ID:
If the container is running with privileged rights, the output will be true, and false if not. Best practice is to avoid giving containers privileged access.
4. Implement container resource quotas
Ensuring containers have sufficient resources is one way to minimize the impact of a cyber attack or data breach. When a container uses more resources than necessary, this can result in more severe consequences if it is compromised by malicious actors. This is because the attacker would be able to seize many resources since the container was allocated more than the required resources.
Docker has hard limits and soft limits. Hard limits mean that containers cannot use more than the allocated memory. Soft limits allow the container to use as much memory as it needs.
There are four important parameters to know about when setting container resource limits:
- –memory=: Specifies the amount of memory the container is allowed to use.
- –memory-swap*: Specifies the amount of memory the container is allowed to swap.
- –oom-kill-disable: Prevents the kernel from killing container processes in case of an out-of-memory error.
- –kernel-memory: Sets the maximum kernel memory a container can use.
Use the –cpus=<value> parameter to set the amount of CPU resources a container can use.
Following is an example of how to use the —cpu quota:
Following is an example of how to use the –memory quota:
5. Use the restart policy
Containers that keep on exiting and restarting can lead to DoS attacks. This is because when the container stops and exits, applications experience downtime, which can leave legitimate users unable to access the application service. It is therefore important to configure your containers with a restart policy that specifies what the container should do if it exits unexpectedly.
Use the following command to restart the container every time it exits:
6. Inspect Docker container logs
Logs and statuses enable you to detect vulnerabilities that could have disastrous consequences if attackers manage to exploit them. Logs are therefore crucial when it comes to ensuring the health of your containers.
To view your logs in Docker, use the docker logs command, which will print the STDOUT and STDERR. To view service logs, use the docker service logs command.
You can use the following parameters to get more details about the logs:
- –details: Provides more log details.
- –since: Displays logs that have been logged from a specified point in time.
- –timestamps: Shows the time display.
- –until: Shows logs before the timestamp in which they were generated.
Securing Docker – the bottom line
Securing your Docker containers requires consistency and ensuring the most up-to-date security implementations. But the best implementation you can add to your workflow to improve security is automation. Tests must be triggered when code changes and images should be scanned regularly using auditing tools such as Inspec, which provides in-depth scanning of your Docker configuration.
Applying the techniques covered in this guide and using automation to fill security gaps your team may have neglected or been unaware of will keep you ahead of the game.
Prioritize and manage vulnerabilities from your container images and across assets, at scale, with the Vulcan Cyber® risk management platform. Claim your free trial, and start owning your risk.
Can I access a Docker container from the outside?
While your Docker container is able to establish external connections, external entities are generally unable to establish connections with your container. To enable external access to the ports, either with other containers not on the same network or for general external use, the -P (publish all available ports) or -p (publish specific ports) flag will need to be utilized.
Can Docker be used without internet access?
Yes, Docker Desktop can be used offline without any issues, but some features that require an internet connection will not be available.
Can Docker be encrypted?
By default, control plane traffic within Docker overlay networks is encrypted. However, in order to encrypt data plane traffic, the –opt encrypted flag must be included when creating the Docker network via the docker network create command.