-
Notifications
You must be signed in to change notification settings - Fork 198
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
74135a0
commit 4108656
Showing
1 changed file
with
42 additions
and
1 deletion.
There are no files selected for viewing
43 changes: 42 additions & 1 deletion
43
...-CI/3-1-Static-analysis/3-1-3-Container-Security/3-1-3-2-Container-hardening.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1,42 @@ | ||
TBD | ||
## Container Hardening | ||
Containers have revolutionized the way applications are deployed and managed, offering flexibility and scalability. However, like any other technology, containers are not immune to security risks. To mitigate these risks, it is crucial to implement container hardening practices. This document outlines best practices and guidelines for securing containers and provides references for further information. | ||
|
||
### Container Hardening Best Practices | ||
|
||
- **Use Only Trusted Base Images** | ||
Ensure that you use base images from trusted sources, such as official repositories or reputable vendors. Regularly update base images to include the latest security patches and fixes. | ||
|
||
- **Apply Security Patches** | ||
Keep all container software and dependencies up to date by regularly applying security patches. This includes the host system, container runtime, and any additional software or libraries. | ||
|
||
- **Implement Principle of Least Privilege** | ||
Apply the principle of least privilege to container configurations. Limit container capabilities, such as restricting root access and minimizing privilege escalation opportunities. | ||
|
||
- **Enable Resource Limitations** | ||
Define resource limitations for containers to prevent resource exhaustion attacks. Set appropriate limits for CPU, memory, and network bandwidth to ensure fair resource sharing and protect against DoS attacks. | ||
|
||
- **Use Image Vulnerability Scanning** | ||
Employ image vulnerability scanning tools to identify and remediate known vulnerabilities in container images. These tools can provide valuable insights into security risks and suggest appropriate fixes. Check out [Container Vulnerability Scanning](3-1-3-1-Container-scanning.md) for more information. | ||
|
||
- **Employ Secure Network Configuration** | ||
Implement network security controls, such as container network segmentation and isolation. Use firewalls and network policies to restrict container communication and prevent unauthorized access. | ||
|
||
- **Harden Host Systems** | ||
Ensure that host systems running container engines are hardened and regularly updated. Follow best practices for securing the underlying infrastructure, including patch management, access control, and intrusion detection. | ||
|
||
- **Implement Container Runtime Security Measures** | ||
Utilize security features provided by container runtimes, such as SELinux, AppArmor, or seccomp, to enforce additional security policies and restrict container behavior. | ||
|
||
- **Monitor Container Activity** | ||
Implement logging and monitoring mechanisms to detect and respond to security incidents. Monitor container behavior, access logs, and system logs to identify any suspicious activity. | ||
|
||
- **Secure Container Registry** | ||
Protect container images by securing the container registry. Implement authentication, access controls, and encryption to ensure that only authorized users can access and modify container images. | ||
|
||
--- | ||
### References | ||
+ [Docker Security](https://docs.docker.com/engine/security/) | ||
+ [Kubernetes Security](https://kubernetes.io/docs/concepts/security/) | ||
+ [CIS Benchmarks for Docker and Kubernetes](https://www.cisecurity.org/benchmark/docker/) | ||
+ [OWASP Docker Security Project](https://owasp.org/www-project-docker-security/) | ||
+ [NIST Special Publication 800-190: Application Container Security Guide](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf) |