Open westonbelk opened 7 years ago
Docker cannot be used for security. The fundamental issue is that Linux does not have proper user-namespace or sys-v ipc namespace support. CONFIG_USER_NS
(if it is even enabled on your distribution; redhat/centos for a long time did not) brings the kernel closer to supporting proper jailed environments, but not all aspects of the kernel properly check whether or not the user is namespaced, which allows for root user privilege escalation and container escaping.
Additionally, Docker does NOT support older distributions very well. From past experience trying to do this without a time crunch, you will be pulling your hair out trying to install it during competitions. @fkmclane I would recommend closing this issue.
A machine we are getting for PCDC 2017 will have containers of some sort according to the network diagram, so I thought it would be useful to include information on how to interact with them. This isn't intended for setting them up for security's sake, but rather for dealing with some that we may inherit and have to maintain during the competition.
It would be useful to note that they should not be used for security due to the reasons you listed
This link summarizes most of the issues and documents how to do the best you can with the security model docker uses. I am just warning you it is mostly a lost cause.
https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf
On Wed, Mar 29, 2017 at 11:39 Weston Belk notifications@github.com wrote:
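As an added example (not part of this thread or the hackpack), a Python script that runs a handful of checks in the spirit of the CIS Docker Benchmark linked above over `docker inspect` output for containers you inherit. The inspect records below are constructed sample data, and the check list is my own selection of common benchmark themes, not the benchmark's exact items or numbering.

```python
import json

# Constructed records in the shape of `docker inspect <id>` output (sample data, not real hosts).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Config": {"User": ""},
     "HostConfig": {"Privileged": False, "NetworkMode": "bridge", "CapAdd": None,
                    "SecurityOpt": None, "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}},
    {"Name": "/db", "Config": {"User": "999:999"},
     "HostConfig": {"Privileged": False, "NetworkMode": "bridge", "CapAdd": None,
                    "SecurityOpt": ["no-new-privileges"], "Binds": ["pgdata:/var/lib/postgresql/data"]}},
    {"Name": "/agent", "Config": {"User": "root"},
     "HostConfig": {"Privileged": True, "NetworkMode": "host", "CapAdd": ["SYS_ADMIN"],
                    "SecurityOpt": None, "Binds": ["/:/host:ro"]}},
])

# Host paths that should never be bind-mounted into a container (assumed list).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/var/run/docker.sock", "/proc", "/sys", "/boot", "/dev")


def audit_container(c):
    """Return a list of findings for one `docker inspect` record."""
    findings = []
    cfg, host = c.get("Config", {}), c.get("HostConfig", {})
    user = cfg.get("User") or ""
    # An empty User means the image default, which is root unless the image says otherwise.
    if user in ("", "root", "0") or user.startswith(("root:", "0:")):
        findings.append("runs as root")
    if host.get("Privileged"):
        findings.append("privileged")
    if host.get("NetworkMode") == "host":
        findings.append("host network")
    for cap in host.get("CapAdd") or []:
        findings.append(f"added capability {cap}")
    if "no-new-privileges" not in (host.get("SecurityOpt") or []):
        findings.append("no-new-privileges not set")
    for bind in host.get("Binds") or []:
        src = bind.split(":")[0]  # host side of "host:container[:opts]"
        if src in SENSITIVE_HOST_PATHS or src.startswith("/etc/"):
            findings.append(f"sensitive host path mounted: {src}")
    return findings


def audit(inspect_json):
    """Map container name -> findings for a `docker inspect` JSON array."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, found in audit(SAMPLE_INSPECT).items():
        print(name, "OK" if not found else "; ".join(found))
```

On a live host, feed it `docker inspect $(docker ps -q)` instead of the sample; anything flagged is a candidate for re-running the service with a non-root user, dropped privileges, and without the host mounts.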
You can find a markdown overview of Docker here
https://github.com/clemsonacm/presentations/blob/master/sources/docker/docker.md
On Wed, Mar 29, 2017 at 11:40 Weston Belk notifications@github.com wrote:
@robertu94 To clarify, we have a "Debian Container Server" which will presumably be running Docker.
@westonbelk As far as securing Docker goes, Robert is right in that you inherently can't secure Docker. Our focus should likely be on securing the containerized application either through reverse proxy or other means of isolating the services on it to reduce surface area. I would opt to not thoroughly discuss containers in the hackpack as there is no information we could put that would be helpful. The helpful information would be on the services themselves.
Add information and examples on how to administrate, secure, and use docker containers.
Possibly create and file under a new section for containers.