Tips on Container Security
This week I had a long discussion on container security with one of our clients. I decided to put some of the base ideas in the post below. I hope this set of security tips helps readers improve container and golden image security.
Tip 1 – Select your Base Image wisely
Use Minimal Base Images: Start with a minimal base image to reduce the attack surface. Avoid base images downloaded directly from untrusted vendors.
Trusted Sources: Always use base images from trusted sources and verify their integrity. Build a process to vet your image providers.
Tip 2 – Use a hardening baseline and security standard Benchmarks
Hardening of golden image: Follow the Center for Internet Security (CIS) Benchmarks as your hardening guideline, or create your own standard hardening baseline. These baselines provide detailed recommendations for securing container images. Some vulnerability management tools on the market can scan golden images against a specific hardening baseline. Look for those on the market, or contact us for more information on possible tools.
Compliance Standards: Ensure compliance with relevant standards such as PCI DSS, NIST and DISA STIG where possible.
Tip 3 – Clean and Manage your image
Remove Unnecessary Packages: Only include necessary packages and dependencies to minimize vulnerabilities.
Regular Updates: Keep all packages and dependencies up to date with the latest security patches in your image.
Immutable containers: Ensure all your containers are immutable and use a regular release process when you rebuild them.
Tip 4 – Do not forget to tune permissions
Non-Root User: Avoid running containers with root user or privileged users. Create and use a non-root user with limited permissions.
File Permissions: Set appropriate file permissions to restrict access to sensitive files.
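As an added example (not from the original post), a hardened multi-stage Dockerfile that applies Tips 1, 3 and 4 together: a minimal, trusted base image, a runtime layer holding only the built artefact, and a non-root user with read-only file permissions. It assumes a Go service built from `./cmd/app` with a config file at `config/app.yaml`; image names and paths are placeholders.

```dockerfile
# Added example: hardened multi-stage build applying Tips 1, 3 and 4.
# Image names, paths and the Go toolchain are assumptions for illustration.

# --- build stage: full toolchain, never shipped to production ---
FROM golang:1.22-alpine AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Static binary so the runtime image needs no libc, shell or package manager.
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/app ./cmd/app

# --- runtime stage: minimal distroless image (Tip 1) ---
# Once you have verified the vendor digest, append @sha256:<digest> to pin it.
FROM gcr.io/distroless/static-debian12:nonroot

# The nonroot variant defines uid/gid 65532; declare it explicitly so the
# intent survives a later base-image change (Tip 4, non-root user).
USER 65532:65532
WORKDIR /app

# Copy only the artefact (Tip 3): no source, no build tools, no shell.
# Files are owned by root and read/exec-only for the app user, so the
# process cannot modify its own binary or config at runtime (Tip 4).
COPY --from=build --chown=0:0 --chmod=0555 /out/app /app/app
COPY --chown=0:0 --chmod=0444 config/app.yaml /app/config.yaml

# The only writable path; mount a tmpfs here at runtime instead of
# relying on a writable image layer.
VOLUME ["/tmp"]

EXPOSE 8080
ENTRYPOINT ["/app/app", "--config", "/app/config.yaml"]
```

The `--chmod` flag on COPY requires BuildKit (`DOCKER_BUILDKIT=1 docker build .`). Scanning the resulting image with `trivy image <name>` as in Tip 7 closes the loop before release.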
Tip 5 – Look at Network Security
Limit Network Exposure: Configure network settings to limit exposure. Use network policies to control traffic between containers.
Disable Unused Ports: Close any unnecessary ports to reduce potential entry points for attackers.
Isolation: Use container isolation features like namespaces and cgroups to limit the impact of a compromised container. Also make sure the isolation of the container management infrastructure itself is correctly managed.
Tip 6 – Monitor your container infrastructure
Enable Logging: Ensure that logging is enabled for monitoring container activities. If you have a SOC or a security provider supporting you, ensure specific use cases related to containers are available. If not, create these use cases with your security experts.
Centralized Monitoring: Use centralized monitoring tools to collect and analyze logs for suspicious activities.
Security Policies: Implement runtime security policies to detect and prevent malicious activities.
Tip 7 – Ensure Vulnerability Scanning of your images
Regular Scans: Perform regular vulnerability scans using tools like Trivy or Clair to identify and remediate vulnerabilities. Also scan against your hardening baseline.
Automated Scanning: Integrate automated scanning into your CI/CD pipeline to catch vulnerabilities early.
Tip 8 – Manage the Configuration of your containers
Immutable Infrastructure: Treat your container images as immutable. Avoid making changes to running containers; instead, rebuild and redeploy.
Configuration Files: Secure configuration files and avoid hardcoding sensitive information.
Further reading
CIS Hardening: CIS Hardened Images
Build CIS hardened golden images: Building CIS Hardened Golden Images