Do not use update instructions alone in the Dockerfile Details Do not use update instructions such as 'apt-get update' alone or in a single line in the Dockerfile. Adding the...
Enable live restore Details The '--live-restore' option enables full support of daemon-less containers in Docker. It ensures that Docker does not stop containers on...
Open only needed ports on container Details https://docs.docker.com/articles/networking/#binding-ports Solution Fix the Dockerfile of the container image to expose only the ports needed by your containerized application. You can...
Rebuild the images to include security patches Details https://docs.docker.com/userguide/dockerimages/ Solution Follow the steps below to rebuild the images with security patches. Step 1: 'docker pull' all the base...
Restrict Linux Kernel Capabilities within containers Details By default, Docker starts containers with a restricted set of Linux Kernel Capabilities. It means that any process may...
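The "restricted set of Linux Kernel Capabilities" above is concrete: a plain `docker run` gets a 14-capability default set, visible as the CapEff mask in /proc/&lt;pid&gt;/status inside the container. The following is an added example (not code from the page, Docker or CIS) that decodes such a mask into capability names, reports anything beyond Docker's default set, and models what `--cap-drop`/`--cap-add` leave behind. The capability bit order is the kernel's include/uapi/linux/capability.h; the /proc status excerpts are constructed sample input, and the drop-then-add model is an assumption that matches the documented `--cap-drop=ALL --cap-add=...` pattern.

```python
import re

# Added example, not from the page: decode a CapEff mask and compare it with
# Docker's default capability set. Bit positions follow the kernel header
# include/uapi/linux/capability.h (bit 0 = CHOWN, bit 21 = SYS_ADMIN, ...).
CAPABILITIES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# The set Docker grants an unprivileged container by default (mask 00000000a80425fb).
DOCKER_DEFAULT_CAPS = frozenset({
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW", "SETGID",
    "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL",
    "AUDIT_WRITE",
})


def normalize(name):
    """Accept 'CAP_SYS_ADMIN', 'sys_admin' or 'SYS_ADMIN' and return 'SYS_ADMIN'."""
    name = name.strip().upper()
    return name[4:] if name.startswith("CAP_") else name


def decode_capeff(hexmask):
    """Return the set of capability names whose bit is set in a CapEff hex mask."""
    mask = int(hexmask, 16)
    return frozenset(cap for bit, cap in enumerate(CAPABILITIES) if (mask >> bit) & 1)


def extra_caps_from_status(status_text):
    """Given /proc/<pid>/status text, list capabilities beyond Docker's default set."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    if not match:
        raise ValueError("no CapEff line found")
    return sorted(decode_capeff(match.group(1)) - DOCKER_DEFAULT_CAPS)


def caps_after_run(cap_drop=(), cap_add=()):
    """Model 'docker run --cap-drop ... --cap-add ...': drops are applied to the
    default set first, then adds; 'ALL' is accepted on either side (assumption
    matching the documented --cap-drop=ALL --cap-add=<cap> pattern)."""
    drops = {normalize(c) for c in cap_drop}
    adds = {normalize(c) for c in cap_add}
    caps = set() if "ALL" in drops else set(DOCKER_DEFAULT_CAPS) - drops
    caps = set(CAPABILITIES) if "ALL" in adds else caps | adds
    return frozenset(caps)


# Constructed /proc/1/status excerpts: a default container, and one started with
# --cap-add=SYS_ADMIN (bit 21 added to the default mask).
STATUS_DEFAULT = "Name:\tnginx\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"
STATUS_SYS_ADMIN = "Name:\tnginx\nCapPrm:\t00000000a82425fb\nCapEff:\t00000000a82425fb\n"

if __name__ == "__main__":
    print("default container extras:", extra_caps_from_status(STATUS_DEFAULT))
    print("SYS_ADMIN container extras:", extra_caps_from_status(STATUS_SYS_ADMIN))
    print("--cap-drop=ALL --cap-add=NET_BIND_SERVICE leaves:",
          sorted(caps_after_run(["ALL"], ["NET_BIND_SERVICE"])))
```

Read the mask from a running container with `docker exec <name> grep CapEff /proc/1/status` and feed it to `extra_caps_from_status`; anything it returns was added on top of the default set and should be justified. Note that `--privileged` bypasses this entirely and grants the full bounding set.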
Restrict network traffic between containers Details https://docs.docker.com/articles/networking Solution Run the Docker daemon and pass '--icc=false' as an argument. For example: /usr/bin/dockerd --icc=false. Impact: inter-container communication would...
Set default ulimit as appropriate (--default-ulimit) Details Set the default ulimit options as appropriate in your environment. ulimit provides control over the resources available to the shell...
Set the logging level Details https://docs.docker.com/engine/reference/commandline/daemon/ Solution Run the Docker daemon as below: dockerd --log-level='info'. Impact: None. Default Value: By default, the Docker daemon is set to a log level of...
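The four daemon items above (live restore, inter-container traffic, default ulimit, logging level) can all be set either as dockerd flags or as keys in /etc/docker/daemon.json. The following is an added example (not code from the page or from Docker) that audits a daemon.json against those four settings and renders the equivalent dockerd flags, so the two forms can be compared. The key names are the ones dockerd reads from daemon.json; the two JSON documents are constructed sample input, and the 64000 nofile limit is an arbitrary illustrative value.

```python
import json

# Added example, not from the page: audit daemon.json for the settings the
# items above recommend. Keys are the daemon.json names dockerd reads.
EXPECTED = {
    "live-restore": True,   # --live-restore: containers survive a daemon restart
    "icc": False,           # --icc=false: no container-to-container traffic on the default bridge
    "log-level": "info",    # --log-level=info
}


def audit_daemon_config(config):
    """Return (key, message) findings for settings that deviate from EXPECTED,
    plus a finding when no default 'nofile' ulimit is configured."""
    findings = []
    for key, want in EXPECTED.items():
        got = config.get(key)
        if got != want:
            findings.append((key, f"expected {want!r}, found {got!r}"))
    ulimits = config.get("default-ulimits") or {}
    if "nofile" not in ulimits:
        findings.append(("default-ulimits", "no default 'nofile' limit configured"))
    return findings


def audit_daemon_json(text):
    """Audit the raw contents of a daemon.json file."""
    return audit_daemon_config(json.loads(text))


def to_dockerd_flags(config):
    """Render the audited keys as the dockerd flags the items above quote."""
    flags = []
    if config.get("live-restore"):
        flags.append("--live-restore")
    if "icc" in config:
        flags.append("--icc=" + ("true" if config["icc"] else "false"))
    if "log-level" in config:
        flags.append("--log-level=" + str(config["log-level"]))
    for name, limit in (config.get("default-ulimits") or {}).items():
        # --default-ulimit takes name=soft:hard
        flags.append(f"--default-ulimit {name}={limit['Soft']}:{limit['Hard']}")
    return flags


# Constructed sample: a daemon.json that fails all four checks.
WEAK_DAEMON_JSON = """{
  "icc": true,
  "log-level": "debug"
}"""

# Constructed sample: the corrected daemon.json (the 64000 limit is illustrative).
HARDENED_DAEMON_JSON = """{
  "live-restore": true,
  "icc": false,
  "log-level": "info",
  "default-ulimits": {
    "nofile": {"Name": "nofile", "Hard": 64000, "Soft": 64000}
  }
}"""

if __name__ == "__main__":
    for key, msg in audit_daemon_json(WEAK_DAEMON_JSON):
        print(f"FAIL {key}: {msg}")
    print("hardened findings:", audit_daemon_json(HARDENED_DAEMON_JSON))
    print("equivalent flags:", " ".join(to_dockerd_flags(json.loads(HARDENED_DAEMON_JSON))))
```

Pick one form per option: dockerd refuses to start when the same option is set both in daemon.json and on its command line, so a host that already sets these flags in its unit file should not also put them in daemon.json. Cross-check the live state with `docker info` after a restart.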
Use COPY instead of ADD in Dockerfile Details https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/#/add-or-copy Solution Use COPY instructions in Dockerfiles. Impact: You would need to take care of the functionalities provided by ADD...
Use trusted base images for containers Details 1. https://titanous.com/posts/docker-insecurity 2. https://registry.hub.docker.com/ 3. http://blog.docker.com/2014/10/docker-1-3-signed-images-process-injection-security-options-mac-shared-directories/ 4. https://github.com/docker/docker/issues/8093 5. http://docs.docker.com/reference/commandline/cli/#pull 6. https://github.com/docker/docker/pull/11109 7. https://blog.docker.com/2015/11/docker-trusted-registry-1-4/ NOTE: Nessus has provided the target output to assist in reviewing the...