self-hosted
cis-docker rules provide potential for security hardening
Problem Statement
I'm not an expert in this, but I've been looking at cis-docker rules for improving the security of the sentry deployment, see for example here: https://www.aquasec.com/cloud-native-academy/docker-container/docker-cis-benchmark/
Before I start messing too much with my install, I'm wondering if any of this is interesting for the community, or maybe these are things that have already been considered and rejected?
Some of the suggested changes are to set the security option "no-new-privileges", which I assume could be applied to most if not all of the containers.
Read-only container filesystems can probably work in a few places too, based on just the fact that many volumes are defined, but might also require some work.
There are further suggestions, but those seem like a good starting point.
Solution Brainstorm
No response
I think no-new-privileges makes a lot of sense. My biggest gripe with the docker security model is it's really hard to find out what permissions an application needs if you don't know off the top of your head. In other words, I am nervous to lock things down because I don't want things to break due to permissions issues. I think once we have dogfooding we may be a bit more confident this won't break anything.
So I would definitely be interested in seeing changes if you want to test them, but I am unsure if this would be a "document some best practices for people to apply" or "add by default" situation.
This issue has gone three weeks without activity. In another week, I will close it.
But! If you comment or otherwise update it, I will reset the clock, and if you label it Status: Backlog or Status: In Progress, I will leave it alone ... forever!
"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀
I think this would be a good enhancement, so I'd say keep this open and see if someone wants to work on this later?
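Added example (not part of the thread or of the self-hosted project's code): a small audit over `docker inspect` JSON that reports, per container, whether no-new-privileges is set, whether the root filesystem is read-only, and which paths stay writable through mounts or tmpfs. The container names and sample data are constructed.

```python
import json
import sys

# Constructed sample shaped like `docker inspect` output, trimmed to the
# fields used here; the container names are hypothetical.
SAMPLE = json.loads("""
[
  {"Name": "/example-web-1",
   "HostConfig": {"SecurityOpt": ["no-new-privileges:true"],
                  "ReadonlyRootfs": true, "Tmpfs": {"/tmp": ""}},
   "Mounts": [{"Destination": "/data", "RW": true}]},
  {"Name": "/example-worker-1",
   "HostConfig": {"SecurityOpt": null, "ReadonlyRootfs": false},
   "Mounts": []},
  {"Name": "/example-db-1",
   "HostConfig": {"SecurityOpt": ["no-new-privileges=false"],
                  "ReadonlyRootfs": false},
   "Mounts": [{"Destination": "/var/lib/db", "RW": true}]}
]
""")


def has_no_new_privileges(security_opt):
    """True if the option is present and not explicitly disabled."""
    for opt in security_opt or []:
        # Docker accepts both "key:value" and "key=value" spellings.
        key, _, value = opt.replace("=", ":", 1).partition(":")
        if key == "no-new-privileges":
            return value.lower() in ("", "true")
    return False


def audit(containers):
    """Return one finding dict per container from `docker inspect` JSON."""
    findings = []
    for c in containers:
        host = c.get("HostConfig") or {}
        writable = [m["Destination"] for m in c.get("Mounts") or [] if m.get("RW")]
        writable += list(host.get("Tmpfs") or {})
        findings.append({
            "name": c.get("Name", "").lstrip("/"),
            "no_new_privileges": has_no_new_privileges(host.get("SecurityOpt")),
            "read_only_rootfs": bool(host.get("ReadonlyRootfs")),
            "writable_paths": sorted(writable),
        })
    return findings


if __name__ == "__main__":
    # Usage: docker inspect $(docker ps -q) | python audit.py -
    data = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    for finding in audit(data):
        print(finding)
```

Running it before and after a change shows which containers picked up the setting, and the writable-path list indicates where a read-only root filesystem already has the volumes it would need.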