Top Docker Security Best Practices
While Docker provides an efficient development and deployment environment, compromised Docker components can infect your entire infrastructure. Docker containers can be used as an access point to other containers and host systems. This cheat sheet lists the unique issues posed by Docker containers, how to safeguard against them and how to set up a safe Docker configuration.
In this post:
- 6 Docker security risks
- Docker container security best practices
- The Docker CIS benchmark: creating a safe configuration
- Docker security benefits
6 Docker Security Risks
- Introducing vulnerabilities from container images—container images contain the DNA that makes up a container. If that DNA is contaminated, it affects all containers created from the same image. This is true for Docker images you create yourself, but the problem is much more severe when you use open source images from public repositories.
- Hard coding credentials in images—in order to keep container images reusable and secure, keep them clean of sensitive information. Storing secrets such as tokens, passwords, and API keys in container images can grant access to unauthorized personnel. Storing this data in your application code can result in secrets being pushed to Git repositories and exposed to the public.
- Large attack surface—since Docker requires root privileges, anyone with access to the Docker hosts and Docker daemon automatically gains full control of all related Docker containers and images. Attackers with root privileges can create and stop containers, remove or pull images, inject commands into running containers, and expose sensitive information.
- Lack of granular Role-Based Access Control (RBAC)—while the Docker RBAC offers access control with roles such as users, teams, organizations, and service accounts, this setup doesn’t allow for complexity. In DevOps organizations, developers, testers and IT staff need access to the same containers at different points in the development pipeline. Some users need restricted access while others need the ability to modify and manage containers. It can be complex to set up this type of variable access.
- Lack of visibility—containers are dispensable, frequently dropped and replaced, and every few days they are updated with a new platform version. Each container is made up of a host, registry, and client, and multiple additional components. The complexity of Docker containers and their short lifespans make it difficult to keep track of them and manage security.
- Lateral network movement—lateral movement happens when attackers progress through a network, switching user names and penetrating additional systems until they reach their ultimate goal. Since one Docker host can infect any host connected to the same network, perimeter security enforced by traditional firewalls can’t protect Docker containers. Traditional firewalls aren’t built for the dynamic Docker ecosystem.
The following best practices can help you create a tight Docker security infrastructure:
Docker runtime security
Make sure you know the composition of your containers during runtime as well as build time. The main way to make changes to a container is by editing the container image and then deploying a new container. Creating a runtime security policy can help define appropriate response actions during runtime. If suspicious behavior is detected, the security policy will prompt alerts and remedies.
Docker image authenticity: do you trust the source?
Container images serve as a foundation for multiple systems, and vulnerable images can cause damage across an entire enterprise. You can ensure images are protected by scanning open source and third-party vendor containers and setting up a trusted registry of base images. Keep your systems simple and update your security measures regularly.
Managing sensitive data with Docker secrets
Secrets contain sensitive information such as passwords and addresses. To ensure the sensitive information is secure, you can deploy secrets to Docker containers during runtime through the orchestration platform, such as Kubernetes or Docker Swarm.
In Docker, secrets are encrypted during transit and at rest in a Docker swarm, and a specific secret can only be accessed by a service that has been given permission. Kubernetes automatically creates secrets which have credentials for accessing the API and it automatically adjusts your pod to use this form of secret. You don’t, however, have to use the automatic creation of API credentials.
The ability to run as many containers as needed gives you a lot of flexibility in production. However, this also creates major risks in the event containers are compromised. Make sure you monitor container activity and limit use of resources. Design errors, software bugs, or malware attacks can lead to a DoS. You can handle the large attack surface by limiting the number of system resources allotted for each container.
Using a SECCOMP profile to limit system calls
SECCOMP is an open source Linux kernel mechanism used for runtime protection and Mandatory Access Control (MAC). SECCOMP provides a “sane default” which blocks 44 out of the 300+ system calls allowed on Docker containers, and lets you manage a whitelist to block additional types of calls. You can use a SECCOMP profile to prevent some types of attacks and to keep others from spreading to the rest of the infrastructure.
Granular access management
Docker access management solutions help reduce Docker security risks by enabling granular RBAC management. Authorized access management solutions like Active Directory let you operate containers with minimal privileges and manage access across teams and development lifecycle stages.
Complete lifecycle management
Tools can help you monitor, manage, and analyze every aspect of the container infrastructure. By scanning for vulnerabilities during the delivery lifecycle, you can prevent deployment of contaminated containers. Implementing complete lifecycle management ensures containers remain secure throughout all stages of development and deployment.
Monitoring container activity
Containers can be monitored using tools like Scout, Datadog and Prometheus. Monitoring systems can help you identify attacks, send alerts, and even automatically implement fixes. Periodically review log data generated by containers and use it to generate preventive security insights.
CIS Benchmarks are universal security best practices developed by cybersecurity professionals and experts. Each CIS Benchmark provides guidelines for creating a secure system configuration. The following table summarizes recommendations from the CIS Docker Community Edition Benchmark, specifying how to set up a safe Docker configuration.
Download the full CIS Docker Benchmark.
- Create a separate partition for containers
- Harden the container host
- Update your Docker software on a regular basis
- Manage Docker daemon access authorization wisely
- Configure your Docker files and directories
- Audit all Docker daemon activity
Docker Daemon Configuration
- Restrict network traffic between default bridge containers and access to new privileges from containers.
- Enable user namespace support, Docker client command authorization, live restore, and default cgroup usage
- Disable legacy registry operations and Userland Proxy
- Avoid networking misconfiguration by allowing Docker to make changes to iptables, and avoid experimental features during production.
- Configure TLS authentication for the Docker daemon, and configure centralized and remote logging.
- Set the logging level to 'info', and set an appropriate default ulimit
- Don’t use insecure registries and aufs storage drivers
- Apply base device size for containers and a daemon-wide custom SECCOMP profile to limit calls.
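Most of the daemon settings listed above correspond to keys in the daemon's daemon.json file. The audit script below is an added example, not part of the original cheat sheet or of the CIS Benchmark; the sample configuration, the registry hostname and the list of log drivers treated as local are assumptions. The legacy-registry and base-device-size items are not covered.

```python
import json

# Constructed sample daemon.json with several weak settings (not from the page).
SAMPLE_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "icc": true,
  "userland-proxy": true,
  "log-level": "debug",
  "insecure-registries": ["registry.example.internal:5000"],
  "storage-driver": "aufs",
  "experimental": true,
  "live-restore": true
}"""

# Log drivers that keep logs on the host only (assumed list for this example).
LOCAL_LOG_DRIVERS = (None, "json-file", "local", "none")

def uses_tcp(cfg):
    """True when the daemon is configured to listen on a TCP socket."""
    return any(h.startswith("tcp://") for h in cfg.get("hosts", []))

# (daemon.json key, check returning True when compliant, recommendation).
# cfg.get() returns None for an absent key, which stands for the daemon default.
CHECKS = [
    ("icc", lambda c: c.get("icc") is False, "restrict traffic between default bridge containers"),
    ("no-new-privileges", lambda c: c.get("no-new-privileges") is True, "restrict access to new privileges"),
    ("userns-remap", lambda c: bool(c.get("userns-remap")), "enable user namespace support"),
    ("authorization-plugins", lambda c: bool(c.get("authorization-plugins")), "authorize Docker client commands"),
    ("live-restore", lambda c: c.get("live-restore") is True, "enable live restore"),
    ("cgroup-parent", lambda c: c.get("cgroup-parent") is None, "keep default cgroup usage"),
    ("userland-proxy", lambda c: c.get("userland-proxy") is False, "disable the userland proxy"),
    ("iptables", lambda c: c.get("iptables") is not False, "let Docker make changes to iptables"),
    ("experimental", lambda c: not c.get("experimental"), "no experimental features in production"),
    ("tlsverify", lambda c: not uses_tcp(c) or c.get("tlsverify") is True, "TLS authentication for the daemon"),
    ("log-driver", lambda c: c.get("log-driver") not in LOCAL_LOG_DRIVERS, "centralized and remote logging"),
    ("log-level", lambda c: c.get("log-level") in (None, "info"), "set the logging level to 'info'"),
    ("default-ulimits", lambda c: bool(c.get("default-ulimits")), "set an appropriate default ulimit"),
    ("insecure-registries", lambda c: not c.get("insecure-registries"), "don't use insecure registries"),
    ("storage-driver", lambda c: c.get("storage-driver") != "aufs", "don't use the aufs storage driver"),
    ("seccomp-profile", lambda c: bool(c.get("seccomp-profile")), "apply a daemon-wide custom SECCOMP profile"),
]

def audit_daemon_config(text):
    """Return (key, recommendation) for every check the configuration fails."""
    cfg = json.loads(text)
    return [(key, advice) for key, ok, advice in CHECKS if not ok(cfg)]
```

Running audit_daemon_config(SAMPLE_DAEMON_JSON) reports every listed setting except live restore, iptables and cgroup usage, which the sample already satisfies.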
Container Images and Build File
- Create a user for the container
- Ensure containers use only trusted images
- Ensure unnecessary packages are not installed in the container
- Include security patches during scans and rebuilding processes
- Enable content trust for Docker
- Add HEALTHCHECK instructions to the container image
- Remove setuid and setgid permissions from the images
- Use COPY instead of ADD in the Dockerfile
- Install only verified packages
- Don’t use update instructions in a single line or alone in the Dockerfile
- Don’t store secrets in Dockerfiles
- Restrict containers from acquiring additional privileges and restrict Linux Kernel Capabilities.
- Enable AppArmor Profile.
- Avoid use of privileged containers during runtime, running ssh within containers, and mapping privileged ports within containers.
- Ensure sensitive host system directories aren’t mounted on containers, the container's root filesystem is mounted as read-only, and the Docker socket is not mounted inside any containers.
- Set appropriate CPU priority for the container, set 'on-failure' container restart policy to '5', and open only necessary ports on the container.
- Apply SELinux security options as needed, and overwrite the default ulimit at runtime.
- Don’t share the host's network namespace, process namespace, IPC namespace, mount propagation mode, UTS namespace, or user namespaces.
- Limit memory usage for the container and bind incoming container traffic to a specific host interface.
- Don’t expose host devices directly to containers, don’t disable the default SECCOMP profile, don’t use docker exec commands with the privileged or user options, and don’t use Docker's default bridge docker0.
- Confirm cgroup usage and use a PIDs cgroup limit, check container health at runtime, and ensure Docker commands always use the latest version of the image.
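The runtime items above can be checked against what docker inspect reports for a running container. The script below is an added example, not part of the original cheat sheet; the sample container, the set of host paths treated as sensitive, and accepting "no restart policy" alongside on-failure with up to 5 retries are assumptions.

```python
import json

# Constructed `docker inspect` output for one container, trimmed to the fields used.
SAMPLE_INSPECT = """[{"Name": "/web", "HostConfig": {
  "Privileged": true, "ReadonlyRootfs": false, "Memory": 0, "PidsLimit": null,
  "NetworkMode": "host", "PidMode": "", "IpcMode": "private", "UTSMode": "",
  "CapDrop": null, "SecurityOpt": ["seccomp=unconfined"], "Devices": [],
  "RestartPolicy": {"Name": "always", "MaximumRetryCount": 0},
  "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/etc:/host-etc:ro"],
  "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "80"}]}}}]"""

# Host paths treated as sensitive here (an assumption; adjust to your hosts).
SENSITIVE = {"/", "/boot", "/dev", "/etc", "/lib", "/proc", "/sys", "/usr"}

def audit_container(c):
    """Return the runtime findings for one entry of `docker inspect` output."""
    h, out = c["HostConfig"], []
    sec = h.get("SecurityOpt") or []
    def flag(bad, msg):
        if bad:
            out.append(msg)
    flag(h.get("Privileged"), "privileged container")
    flag(not h.get("ReadonlyRootfs"), "root filesystem not read-only")
    flag(not h.get("Memory"), "no memory limit")
    flag((h.get("PidsLimit") or 0) <= 0, "no PIDs cgroup limit")
    flag(not h.get("CapDrop"), "no kernel capabilities dropped")
    flag(not any(o.startswith("no-new-privileges") and not o.endswith("false")
                 for o in sec), "may acquire additional privileges")
    flag("seccomp=unconfined" in sec, "default SECCOMP profile disabled")
    flag(h.get("Devices"), "host devices exposed")
    for ns in ("NetworkMode", "PidMode", "IpcMode", "UTSMode", "UsernsMode"):
        flag(h.get(ns) == "host", f"shares host namespace: {ns}")
    rp = h.get("RestartPolicy") or {}  # no policy, or on-failure with 1..5 retries
    ok_restart = rp.get("Name") in (None, "", "no") or (
        rp.get("Name") == "on-failure" and 0 < rp.get("MaximumRetryCount", 0) <= 5)
    flag(not ok_restart, "restart policy is not on-failure with at most 5 retries")
    for bind in h.get("Binds") or []:
        src = bind.split(":")[0]
        flag(src == "/var/run/docker.sock", "Docker socket mounted")
        flag(src in SENSITIVE, f"sensitive host directory mounted: {src}")
    for port, binds in (h.get("PortBindings") or {}).items():
        for b in binds or []:
            flag(b.get("HostIp") in ("", "0.0.0.0", "::"), f"{port} bound to all interfaces")
            flag(b.get("HostPort", "").isdigit() and int(b["HostPort"]) < 1024,
                 f"{port} mapped to privileged host port {b['HostPort']}")
    return out

def audit_inspect(text):
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(text)}
```

On a Docker host the same function can be fed the output of docker inspect for all running containers instead of the constructed sample.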
Avoid image sprawl and container sprawl.
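Several of the "Container Images and Build File" items listed earlier (a container user, HEALTHCHECK, COPY instead of ADD, update instructions alone on a line, secrets in Dockerfiles) can be checked statically. The linter below is an added example, not part of the original cheat sheet; the sample Dockerfile and the secret-name patterns are assumptions, and heredoc syntax is not handled.

```python
import re

# Constructed Dockerfile that breaks several items from the build-file list.
SAMPLE_DOCKERFILE = """\
FROM ubuntu
RUN apt-get update
ADD app.tar.gz /opt/app
ENV DB_PASSWORD=example-not-a-real-secret
RUN apt-get install -y curl
CMD ["/opt/app/run"]
"""

SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY", re.I)
UPDATE = re.compile(r"\b(apt-get|apt|apk)\s+(-\S+\s+)*update\b")
INSTALL = re.compile(r"\b(install|add|upgrade)\b")

def instructions(text):
    """Yield (line_no, INSTRUCTION, args), joining backslash continuations."""
    buf, start = "", 0
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start = start or no
        buf += line.rstrip("\\") + " "
        if line.endswith("\\"):
            continue
        op, _, args = buf.strip().partition(" ")
        yield start, op.upper(), args.strip()
        buf, start = "", 0

def lint_dockerfile(text):
    """Return (line_no, finding) pairs; line 0 marks a whole-file finding."""
    findings, seen, user = [], set(), None
    for no, op, args in instructions(text):
        seen.add(op)
        if op in ("FROM", "USER"):  # each build stage starts again as root
            user = args.split(":")[0] if op == "USER" else None
        if op == "ADD":
            findings.append((no, "use COPY instead of ADD"))
        if op == "RUN" and UPDATE.search(args) and not INSTALL.search(args):
            findings.append((no, "package index update alone in a RUN instruction"))
        if op in ("ENV", "ARG") and SECRET_NAME.search(re.split(r"[=\s]", args)[0]):
            findings.append((no, "possible secret stored in the Dockerfile"))
    if user in (None, "root", "0"):
        findings.append((0, "no non-root USER for the container"))
    if "HEALTHCHECK" not in seen:
        findings.append((0, "no HEALTHCHECK instruction"))
    return findings
```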
Docker Swarm Configuration
- Enable swarm mode only if needed
- Create a minimum number of manager nodes in a swarm
- Bind swarm services to a specific host interface
- Encrypt containers data exchange on different overlay network nodes
- Manage secrets in a Swarm cluster with Docker's secret management commands
- Run swarm manager in auto-lock mode
- Rotate swarm manager auto-lock key periodically
- Rotate node and CA certificates as needed
- Separate management plane traffic from data plane traffic
Docker Security Benefits
Docker containers don’t only create Docker security issues, they also have security benefits. Here are three ways Docker can improve your security posture.
- Immutability and change management—Docker offers an immutable approach to infrastructure that enables development teams to update software by launching new containers rather than overwriting existing ones. Docker can help you safely record changes and roll back to previous versions in an efficient and cost-effective way.
- Increased isolation between processes—the Docker platform enables isolation of stack layers, from the kernel to the network. You can create a layer of isolation between containers with core Linux security features such as AppArmor, SELinux, namespaces, SECCOMP and cgroups, and secure the entire infrastructure with RBAC and policy-based networking solutions.
- “Reverse uptime”—you can prevent persistent attacks by refreshing and replacing containers. Attackers find it harder to target containers that are frequently shut down and replaced by new container instances.
Holistic Docker Security with Aqua
Aqua provides a platform that secures Cloud Native, serverless and container technologies like Docker. Aqua offers end-to-end security for applications running Docker Enterprise Edition or Community Edition, and protects you throughout the full lifecycle of your continuous delivery and DevOps pipeline: from the point where you shift left, through to runtime controls, firewall, audit, and compliance.
Continuous Image Assurance
Aqua scans images for malware, vulnerabilities, embedded secrets, configuration issues and OSS licensing. You can develop policies that outline, for example, which images can run on your Docker hosts. Aqua’s vulnerabilities database, founded on a continuously updated data stream, is aggregated from several sources and consolidated to make sure only the latest data is used, promoting accuracy and limiting false positives and negligible CVEs.
Aqua offers a new tool, called MicroScanner, which lets you scan your container images for package vulnerabilities. MicroScanner uses the same vulnerability database as Aqua’s commercial scanner. The key difference is that MicroScanner runs according to the build steps created within your Dockerfile.
Runtime Security for Docker
Aqua protects Docker applications at runtime by ensuring container immutability, prohibiting changes to running containers, and isolating the container from the host via custom machine-learned SECCOMP profiles. It also ensures least privileges for files, executables and OS resources using a machine-learned behavioral profile, and manages network connections with a container firewall.
Aqua further enhances securing Docker as follows:
- Event logging and reporting—granular audit trails of access activity, scan Docker commands, events, and coverage, container activity, system events, and secrets activity.
- CIS certified benchmark checks—assess node configuration against Docker and K8s CIS benchmarks with scheduled reporting and testing or Aqua OSS tools.
- Global compliance templates—pre-defined compliance policies meet security standards such as HIPAA, CIS, PCI, and NIST.
- Full user accountability—uses granular user accountability and monitored super-user permissions.
- “Thin OS” host compliance—monitor and scan host for malware, vulnerabilities, login activity, and to identify scan images kept on hosts.
- Compliance enforcement controls—only images and workloads that pass compliance checks can run in your environment.
Container Firewall for Docker
Aqua’s container firewall lets you visualize network connections, develop rules based on application services, and map legitimate connections automatically. Only whitelisted connections will be allowed, both within a Swarm or Kubernetes cluster, and also between clusters.
Store your credentials as secrets; don't leave them in your source code. Aqua securely transfers secrets to containers at runtime, encrypted at rest and in transit, and places them in memory with no persistence on disk, so they are only visible to the relevant container. Integrate Aqua’s solution with your current enterprise vault, including CyberArk, HashiCorp, AWS KMS or Azure Vault. You can revoke, update, and rotate secrets without restarting containers.