Container security extends into all aspects of the container ecosystem, not just the well-known registries like Docker Hub or those offered by the cloud service providers. Securing a container deployment therefore also means applying best practices across the developer workspace, continuous integration, build automation, testing frameworks, release automation, and operations tooling.
Docker yesterday released Version 1.13 and today, we are announcing the release of CIS Docker 1.13 Benchmark, with Cavirin as a key contributor. The CIS Docker community has worked extremely hard to ensure that the time lag between the software availability and security recommendations is almost zero, a leading example of the concurrent availability of security guidance with implementations.
2.8 Enable user namespace support - Updated Audit Procedure
2.5 Avoid container sprawl - Updated Remediation and Audit Procedure
2.3 Keep Docker up to date - Re-worded
Rules deleted in the Docker 1.13 benchmark
1.2 Use the updated Linux Kernel
1.3 Remove all non-essential services from the host
It is easy to understand new additions to the benchmark given the pace of innovation at Docker and the energetic community behind it. But you might be curious why a couple of rules were deleted.
CIS benchmark development is community-consensus driven. Every change to the benchmark is vetted for consistency, technical accuracy and alignment with current requirements in production.
Rule 1.2 has become obsolete because most Linux distributions now ship with a kernel that meets Docker's installation requirements. When Docker began, checking the kernel version was an important step before running production workloads, since older kernels caused reliability problems.
Rule 1.3 is already covered by the CIS benchmark for the respective Linux distribution. It was therefore a duplicate of guidance in other benchmarks and was deleted as well. The CIS Docker benchmark provides core security guidance for Docker deployments and eliminates obsolete or duplicated recommendations.
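To make the updated rules concrete, here is an added example (not part of the original post, the CIS benchmark, or Cavirin's scanner) showing simplified audit checks for rule 2.8 (user namespace support) and rule 2.5 (container sprawl). The checks run against constructed sample input so they work offline; the daemon.json content, the dockerd command line and the `docker info` output below are all made up for this example, and the regular expressions are an approximation of the benchmark's audit procedure, not the benchmark's own text.

```shell
#!/bin/sh
# Added example: simplified audit checks for CIS Docker 1.13 rules 2.8 and 2.5.
# On a real host, replace the constructed samples with live data, e.g.
#   DAEMON_JSON=$(cat /etc/docker/daemon.json 2>/dev/null)
#   DOCKERD_CMDLINE=$(ps -o args= -C dockerd)
#   DOCKER_INFO=$(docker info)

# Rule 2.8 (enable user namespace support): remapping must be configured either
# on the dockerd command line (--userns-remap) or in daemon.json ("userns-remap").
# Returns 0 when remapping is configured, 1 otherwise.
check_userns_remap() {
  daemon_json="$1"
  cmdline="$2"
  if printf '%s\n' "$cmdline" | grep -q -- '--userns-remap'; then
    return 0
  fi
  if printf '%s\n' "$daemon_json" | \
      grep -q '"userns-remap"[[:space:]]*:[[:space:]]*"[^"]\{1,\}"'; then
    return 0
  fi
  return 1
}

# Rule 2.5 (avoid container sprawl): `docker info` reports the total number of
# containers and how many are running. Prints the number that are not running;
# a large value means stopped containers are piling up on the host.
stopped_containers() {
  info="$1"
  total=$(printf '%s\n' "$info" | \
      sed -n 's/^[[:space:]]*Containers:[[:space:]]*\([0-9]\{1,\}\).*/\1/p')
  running=$(printf '%s\n' "$info" | \
      sed -n 's/^[[:space:]]*Running:[[:space:]]*\([0-9]\{1,\}\).*/\1/p')
  echo $(( ${total:-0} - ${running:-0} ))
}

# Constructed sample data (not taken from any real host).
SAMPLE_DAEMON_JSON_OK='{ "userns-remap": "default", "icc": false }'
SAMPLE_DAEMON_JSON_WEAK='{ "icc": false }'
SAMPLE_CMDLINE='/usr/bin/dockerd -H fd://'
SAMPLE_INFO='Containers: 25
 Running: 3
 Paused: 0
 Stopped: 22
Images: 40'

# Stand-alone run: report each check the way an auditor would read it.
if check_userns_remap "$SAMPLE_DAEMON_JSON_OK" "$SAMPLE_CMDLINE"; then
  echo "2.8 PASS: user namespace remapping is configured"
else
  echo "2.8 FAIL: enable user namespace support"
fi
echo "2.5 stopped containers on host: $(stopped_containers "$SAMPLE_INFO")"
```

The sprawl check deliberately computes total minus running rather than trusting the `Stopped:` line, so it still works on `docker info` output that omits the breakdown; what counts as "sprawl" is a threshold the operator sets for their environment.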
Cavirin Systems automatically scans container workloads against the CIS benchmark. Its agentless discovery mechanism quickly builds an inventory of your Docker host instances and containers and runs a deep inspection against the entire CIS benchmark.
The first step in building a secure infrastructure is to understand the threats. Threats are potential events which lead to something useful for the attacker. It could be money, it could be bragging rights, or it could just be pure fun mutilating the reputation of a business entity. Threat risk modelling is an essential exercise to categorize threats and determine strategies for mitigating them. One such threat assessment model is STRIDE.
STRIDE is an acronym for six threat categories as outlined below:
Spoofing Identity – An attacker could successfully pass herself off as an authorized user of the system
Tampering with Data – An attacker could successfully add, modify or delete data
Repudiation – An attacker could deny an action, or make it impossible to prove his responsibility for it
Information disclosure – An attacker could gain access to privileged information
Denial of Service – An attacker could make the system unresponsive to legitimate usage
Elevation of privilege – An attacker could elevate her privileges
The STRIDE threat model forces you to think about securing your infrastructure from a threat perspective.
Docker is a framework that makes it easy to create, deploy, run, and orchestrate applications using containers. Basically, a container is another form of virtualization: a minimal image contains the user-space functionality of an operating system but depends on the host kernel for all of its system calls. For a complete overview tutorial on Docker and on Docker security, we recommend further reading on the Docker Inc. site.