Docker-Security
Docker-Security copied to clipboard
OWASP
D04 - Secure Defaults
Am going to slowly add to this issue, and then eventually merge into repo:
-
apt install apt-transport-https
I think it's important to use TLS for all package installations. You'll have to have to separate install statements, which can cause slight increase in image size but is worth it.
-
apt-get --no-install-recommends -y install libtool
reduce surface area of attack by not installing extra packages during installation of packages too.
Hi @danehrlich1,
in order to put the cart behind the horse, intended is to provide a structure first for each single D-point. Technical hints will go into one of the parts of the structure.
D04 is specific for not only for the container / pod but also and mostly host and container orchestration tool. That is why it is @ #4. The main threat is supposed to be avoid on the system side exposed or misconfigured interfaces from kubernetes and friends. On the host e.g. a ~Debian default where rpc services are offered or any other network based service.
For the container part, yes there might be something I could think of. Transport via https doesn't seem so relevant to me as Debian packages you are referring to a signed (do a apt-key list). And if retrieving the Debian keys come via HTTPS 1) apt-transport-https is a privacy improvement, not a security improvement.
1) I haven't researched this but I know other distros which don't do this either.
Apologies and thanks for helping me understand the intended structure of the repo.
Also read over your other stuff and all good points / thanks for the information. I agree and you are right, particularly on the privacy vs actual security issue.
I’m going to hold off on anything else moving forward for now. Let me know if there is specific help you need or research I can do though in the meantime as the repo is built out.
On Fri, Dec 21, 2018 at 7:00 PM Dirk Wetter [email protected] wrote:
Hi @danehrlich1 https://github.com/danehrlich1,
in order to put the cart behind the horse, intended is to provide a structure first for each single D-point. Technical hints will go into one of the parts of the structure.
D04 is specific for not only for the container / pod but also and mostly host and container orchestration tool. That is why it is @ #4. The main threat is supposed to be avoid on the system side exposed or misconfigured interfaces from kubernetes and friends. On the host e.g. a ~Debian default where rpc services are offered or any other network based service.
For the container part, yes there might be something I could think of. Transport via https doesn't seem so relevant to me as Debian packages you are referring to a signed (do a apt-key list). And if retrieving the Debian keys come via HTTPS 1) apt-transport-https is a privacy improvement, not a security improvement.
- I haven't researched this but I know other distros which don't do this either.
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/OWASP/Docker-Security/issues/2#issuecomment-449532842, or mute the thread https://github.com/notifications/unsubscribe-auth/ADM6EjqKMaRk8r6yvzse2GKfpBF3bdMYks5u7YRHgaJpZM4ZfPTE .
The slides of my talk in Brussels might be useful to understand what is supposed to be in the D sections.
Because I saw too often open APIs or dashboards and e.g. Kubernetes does not seem to be able to clean up their crap (open kubelet, CVE-2018-1002105, etc.) D9 moved to D4 though.