...

Specific privileges can be assigned to selected containers by granting individual Linux capabilities rather than full root. This is similar to running a packet sniffer such as Wireshark (tshark) as an unprivileged Linux user.

...

Top 3 security concerns

Privileged workstations or servers

Any Docker host (such as a developer or DevOps workstation) which can (or does) run Docker containers as root is a privileged workstation or server: a root container can also mount the host operating system's root filesystem and persist changes to it.

...

Solutions: rootless Docker (https://docs.docker.com/engine/security/rootless/)

Software vulnerabilities

Any security vulnerability that is reachable from the ENTRYPOINT process (https://docs.docker.com/engine/reference/builder/) can potentially be exploited through injection attacks against that software.

...

Solutions: application security, including supply-chain security and SCA (Software Composition Analysis)

Secrets management and omni-capable automation systems

A container gets instantiated with environment secrets (which allow access to confidential, business or proprietary data). These environment secrets can be widely accessible, and are often supplied by omni-capable automation systems, which allow full end-to-end control over production from one single system.

Solutions: CI / CD with secure secrets management, CI and (Micro-)service architecture with segregation
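The three concerns above, together with the capability note earlier on this page (root or privileged containers with host mounts, added capabilities, secrets in the environment), can be checked from `docker inspect` output. The audit below is an added example, not code from the original page; it runs on a constructed inspect sample (the container names, mount paths and the secret-variable name heuristic are assumptions) and accepts real `docker inspect` JSON in the same way.

```python
import json

# Constructed `docker inspect` output (sample data, not from a real host);
# only the fields the audit reads are included.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/build-agent",
     "Config": {"Env": ["PATH=/usr/bin", "AWS_SECRET_ACCESS_KEY=example-not-real"]},
     "HostConfig": {"Privileged": True, "CapAdd": None, "CapDrop": None,
                    "Binds": ["/:/host:rw"]}},
    {"Name": "/sniffer",
     "Config": {"Env": ["PATH=/usr/bin"]},
     "HostConfig": {"Privileged": False, "CapAdd": ["NET_RAW"], "CapDrop": ["ALL"],
                    "Binds": ["/var/captures:/pcap:rw"]}},
])

# Assumed heuristic: variable names that usually carry secrets.
SECRET_HINTS = ("SECRET", "PASSWORD", "TOKEN", "API_KEY", "PRIVATE_KEY")
# Host paths whose mount gives a container persistent control over the host.
SENSITIVE_MOUNTS = ("/", "/etc", "/root", "/var/run/docker.sock")

def audit_container(c):
    """Return findings for one inspect record; an empty list means clean."""
    findings = []
    hc = c.get("HostConfig") or {}
    if hc.get("Privileged"):
        findings.append("HIGH: --privileged, equivalent to root on the host")
    for cap in hc.get("CapAdd") or []:
        # Capabilities added on top of a dropped-ALL baseline are the tshark-style
        # least-privilege pattern; added without dropping ALL they widen root's set.
        drop_all = "ALL" in (hc.get("CapDrop") or [])
        level = "INFO" if drop_all else "MEDIUM"
        findings.append(f"{level}: capability {cap} added"
                        + ("" if drop_all else " without dropping ALL first"))
    for bind in hc.get("Binds") or []:
        src = bind.split(":", 1)[0]          # host side of "host:container:mode"
        if src in SENSITIVE_MOUNTS:
            findings.append(f"HIGH: host path {src} mounted, changes persist on the host")
    for env in (c.get("Config") or {}).get("Env") or []:
        name = env.split("=", 1)[0]
        if any(h in name.upper() for h in SECRET_HINTS):
            findings.append(f"MEDIUM: secret {name} in environment, readable by every process")
    return findings

def audit(inspect_json):
    """Map container name -> findings, omitting containers with none."""
    report = {}
    for c in json.loads(inspect_json):
        findings = audit_container(c)
        if findings:
            report[c["Name"].lstrip("/")] = findings
    return report
```

On a real host, pass the output of `docker inspect $(docker ps -q)` to `audit()`; the sample flags the privileged build agent with its root mount and environment secret, and only notes the sniffer's scoped NET_RAW grant.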

Handy snippets

List dockerized processes

...