When enthusiasm for a technology reaches fever pitch, as it appears to have done for Docker, it can sometimes be easy to forget that using it securely needs a lot more work than clicking on an installer and getting on with things.
Enter VMware, Docker and pals, who have together penned a new security guide, which offers direction on how best to make a Docker rig safe in the real world.
The 118 page hardening guide [PDF] by the Centre for Internet Security advises administrators and developers how to best secure Docker version 1.6 for configuration of hosts, daemon, and containers.
Six technology vendors compiled the 84 recommendations in three months, VMware compliance boffin and lead author Pravin Goyal says.
"The aim of this security benchmark, like any other hardening guide or security documentation for any other vendor or product, is to highlight configuration parameters and other secure deployment considerations," Goyal says announcing the guide this week.
"It is designed as a definitive reference guide for customers wanting to understand how to securely provision containers to Linux OSes in production."
Of the long list of hardening recommendations only three are categorised as disruptive Level 2 changes.
Level 1 changes relate to the Linux Host operating system and are "practical and prudent" ways to provide "clear security benefits without 'unacceptable' inhibition to the technology.
Level 2 are high security priorities that serve as defense in depth and may "negatively inhibit the utility or performance of the technology".
In the latter camp is the recommendation to enforce AppArmor profiles that enforce policies on containers.
"The container (process) would have set of restrictions as defined in AppArmor profile. If your AppArmor profile is mis-configured, then the container may not entirely work as expected," the guide warns.
The second Level 2 requirement is that SELinux be flicked on. "If SELinux is applicable for your Linux OS, use it."
Endpoint protection platform controls round out the last level two requirement and come in lieu of a container-aware endpoint protection platform which the Centre says does not exist.
"Traditional endpoint protection platform and encryption vendors have not yet recognised containers as an area that they need to pursue and secure in the future."
Version 1.6 is tested against Debian 8 and RHEL 7. ®
- Black Hat
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Identity Theft
- Palo Alto Networks