Open EnigmaCurry opened 1 year ago
New `make audit` target prints report on capabilities of each service container
https://github.com/EnigmaCurry/d.rymcg.tech/blob/master/MAKEFILE_OPS.md#make-audit
The following containers have been worked on to reduce privileges in #13:
`make traefik-user`
In #14, worked on cryptpad, baikal, bitwarden, and archivebox; all perform CAP_DROP ALL.
Efforts are ongoing to reduce privileges, see SECURITY.md
I have added recommendations for dropping privileges in SECURITY.md
Many containers don't really need to run as root, or even if they do, they don't need quite as many capabilities as Docker gives by default.
There should also be a checker that finds the user that each container runs as, and shows the capabilities added.
Making changes in #13
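
One way to build the checker this issue asks for, as an added example (not the project's `make audit` code): it reads `docker inspect` JSON and reports each container's user and configured capability set. The container names and sample JSON are constructed, and the function names are hypothetical; the default capability list is Docker's documented default.

```python
import json

# Capabilities Docker grants a container by default (no cap_add/cap_drop).
DOCKER_DEFAULT_CAPS = frozenset({
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "NET_RAW", "SETFCAP", "SETGID", "SETPCAP", "SETUID",
    "SYS_CHROOT",
})

# Constructed sample in the shape of `docker inspect` output (not real data).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/example-default", "Config": {"User": ""},
     "HostConfig": {"Privileged": False, "CapAdd": None, "CapDrop": None}},
    {"Name": "/example-dropall", "Config": {"User": "1000:1000"},
     "HostConfig": {"Privileged": False, "CapAdd": None, "CapDrop": ["ALL"]}},
    {"Name": "/example-bind", "Config": {"User": "0"},
     "HostConfig": {"Privileged": False, "CapAdd": ["CAP_NET_BIND_SERVICE"],
                    "CapDrop": ["ALL"]}},
])

def _norm(caps):
    """Upper-case capability names and strip the optional CAP_ prefix."""
    names = (c.upper() for c in caps or [])
    return {n[4:] if n.startswith("CAP_") else n for n in names}

def audit(inspect_json):
    """Return one row per container: name, user, root flag, configured caps."""
    rows = []
    for c in json.loads(inspect_json):
        host = c.get("HostConfig") or {}
        add, drop = _norm(host.get("CapAdd")), _norm(host.get("CapDrop"))
        if host.get("Privileged"):
            caps = ["ALL"]                      # privileged ignores cap_drop
        elif "ALL" in add:
            caps = ["ALL"] + ["-" + d for d in sorted(drop - {"ALL"})]
        elif "ALL" in drop:
            caps = sorted(add)                  # only what was added back
        else:
            caps = sorted((DOCKER_DEFAULT_CAPS - drop) | add)
        user = (c.get("Config") or {}).get("User") or ""
        root = user.split(":")[0] in ("", "0", "root")  # empty User means root
        rows.append({"name": c.get("Name", "").lstrip("/"),
                     "user": user or "root", "root": root, "caps": caps})
    return rows

if __name__ == "__main__":
    for r in audit(SAMPLE_INSPECT):
        print(f"{r['name']:18} user={r['user']:10} root={r['root']!s:5} "
              f"caps={','.join(r['caps']) or 'none'}")
```

To audit live containers, pass the output of `docker inspect $(docker ps -q)` to `audit()`.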