Wednesday, November 15, 2017

Essential (and free) security tools for Docker

Docker makes it easy for developers to package up and push out application changes, and spin up run-time environments on their own. Maybe too easy.

With Docker, developers can make their own decisions on how to configure and package applications. But this also means that they can make simple but dangerous mistakes that will leave the system unsafe without anyone noticing until it is too late.

Fortunately, there are some good tools that can catch many of these problems early, as part of your build pipelines and run-time configuration checks. Toni de la Fuente maintains a helpful list of Docker security and auditing tools here.

Unfortunately, many of the open source projects in this list have been shelved or orphaned. So, I want to put together a short list of the essential open source tools that are available today to help you secure your Docker environment.

Check your container configuration settings

As part of your build process and continuous run-time checks, it is important that you enforce safe and consistent configuration defaults for containers and the hosts that they run on.

The definitive guideline for setting up Docker safely is the CIS Docker Benchmark, which lists over 100 recommendations and best practices for hardening the host configuration and the Docker daemon configuration (including Swarm configuration settings), file permission rules, container images and build file management, container runtime settings, and operational practices.

The Docker security team has provided a free tool, Docker Bench for Security, that checks Docker containers against this hardening guide (although the tests are organized a bit differently – the Swarm checks are all run together in a separate section for example). Docker Bench is updated for each release of the CIS benchmark guide, which is updated with each release of Docker, although there tends to be a brief lag.

Docker Bench ships as a small container which runs with high privilege, and executes a set of tests against all containers that it can find. Tests return PASS or WARN (clear fail) status, or INFO (for findings that need to be manually reviewed to see if they match expected results). NOTEs are printed for manual checks that need to be done separately.

After you run Docker Bench, you will need to work through the detailed (and sometimes fussy) findings and decide what makes sense for your environment. Docker Bench is an auditing tool, designed to be run and reviewed manually. Docker Bench Test shows how you can run Docker Bench in an automated test pipeline by wrapping it inside the Bats test framework, although unfortunately it hasn’t been updated for a couple of years.
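To show what automating the review of Docker Bench output looks like without Bats, here is an added example (not part of the original post, and not code from the Docker Bench project) that parses the `[PASS]`/`[WARN]`/`[INFO]`/`[NOTE]` lines Docker Bench prints, counts them, and fails a pipeline on any WARN that the team has not explicitly reviewed and accepted. The sample output is constructed in the style of Docker Bench's report lines, and the check ids, accepted-warning set and the `docker-bench-output.txt` path are assumptions for the example.

```python
import re
import sys
from collections import Counter

# Constructed sample output in the style of docker-bench-security's report
# lines: "[STATUS] <check id> - <description>". Not captured from a real run.
SAMPLE_OUTPUT = """\
[INFO] 1 - Host Configuration
[WARN] 1.1 - Ensure a separate partition for containers has been created
[PASS] 1.2 - Ensure the container host has been hardened
[INFO] 1.4 - Ensure auditing is configured for the Docker daemon
[NOTE] 4.1 - Ensure a user for the container has been created
[PASS] 5.1 - Ensure AppArmor Profile is Enabled
[WARN] 5.2 - Ensure SELinux security options are set
"""

# Only the summary lines match; indented sub-lines (per-container details)
# and banner text are ignored on purpose.
LINE_RE = re.compile(r"^\[(PASS|WARN|INFO|NOTE)\]\s+(\S+)\s+-\s+(.*)$")


def parse_findings(text):
    """Return a list of (status, check_id, description) tuples."""
    findings = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            findings.append(match.groups())
    return findings


def summarize(findings):
    """Count findings per status so the pipeline log shows the overall picture."""
    return Counter(status for status, _, _ in findings)


def gate(findings, accepted_warns=frozenset()):
    """Return (ok, blocking). A build is ok only when every WARN check id is in
    accepted_warns, the set of findings the team has reviewed and deliberately
    accepted for this environment. INFO and NOTE findings never block: they
    need a human look, which is what the summary is for."""
    blocking = [f for f in findings
                if f[0] == "WARN" and f[1] not in accepted_warns]
    return (not blocking, blocking)


if __name__ == "__main__":
    # Assumed usage: ./docker-bench-security.sh > docker-bench-output.txt,
    # then run this script with that file as its argument. With no argument
    # the constructed sample above is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    findings = parse_findings(text)
    print("summary:", dict(summarize(findings)))
    ok, blocking = gate(findings, accepted_warns={"1.1"})  # assumed accepted id
    for status, check_id, desc in blocking:
        print(f"BLOCKING {check_id}: {desc}")
    sys.exit(0 if ok else 1)
```

The accepted-warning set is the important design choice: it turns a manual audit into a repeatable gate, and every id in it is a documented decision rather than a finding that was quietly ignored.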

Another free auditing tool from the Docker security team is Actuary. According to Diogo Monica at Docker, Actuary checks the same rules as Docker Bench (for now), but runs across all nodes in a Docker Swarm. Actuary is positioned as a future replacement for Docker Bench: it is written in Go (instead of Bash scripts) and is more extensible, using configurable templates for checking and testing.

Image scanning and policy enforcement

In addition to making sure that your container run-time is configured correctly, you need to ensure that all of the image layers in a container are free from known vulnerabilities. This is done by static scanning of “cold images” in repos, or before they are pushed to a repo, as part of your image build process.

Commercial Docker customers can take advantage of Docker Security Scanning (DSS) (fka Nautilus) to automatically and continuously check images in private registries on Docker Hub or Docker Cloud for known vulnerabilities. DSS is also used to scan Official Repositories on Docker Hub.

If you’re using open source Docker, you’ll need to do your own checking. There are a few good open source tools available, all of which work basically the same way:

  • Scan the image (generally a binary scan), pull apart the layers, and build a detailed manifest or bill of materials of the contents
  • Take a snapshot of OS and software package vulnerability data
  • Compare the contents of the image manifest against the list of known vulnerabilities and report any matches

The effectiveness of these security scanning tools depends on:

  1. Depth and completeness of static analysis – the scanner’s ability to see inside image layers and the contents of those layers (packages and files)
  2. Quality of vulnerability feeds – coverage, and how up to date the vulnerability lists are
  3. How results are presented – is it clear what the problem is, where to find it, and what to do about it
  4. De-duplication and whitelisting capabilities to reduce noise
  5. Scanning speed

First, there is Clair from CoreOS, the scanning engine used in the Quay.io public container registry (an alternative to Docker Hub). Clair is a static analysis tool for Docker and appc containers, which scans an image and compares the vulnerabilities found against a whitelist to see if they have already been reviewed and accepted. It can be controlled through a JSON API or CLI.

If you’re using OpenSCAP there is the oscap-docker util which can be used to scan Docker images and running containers for CVEs, and compliance violations against SCAP policy guides.

Anchore is a powerful and flexible automated scanning and policy enforcement engine that is easy to integrate into your CI/CD build pipelines to check for CVEs – and much more – in Docker images. You can create whitelists (to suppress findings that you’ve determined are not exploitable) and blacklists (for required packages or banned packages, and prohibited content such as source code or secrets), as well as custom checks on container or application configuration rules, etc.

Anchore is available as a free SaaS online Navigator for public registries, and as an open source engine for on-prem scanning. The scanning engine can be wired into your CI/CD pipelines using the CLI, the REST API or a Jenkins plug-in, to automatically analyze images as changes are checked in and fail the build if checks don’t pass. A nice overview of running Anchore can be found here.

Anchore comes with a built-in set of security and compliance policies, analysis functions and decision gates. You can write your own analysis modules and policies, reports and certification workflows in a high-level language, or extend the analysis engine with custom plugins.

You can also integrate the Anchore scanning engine with Anchore Navigator, so that you can define policies and whitelists using Navigator’s graphical editor. Anchore will subscribe to updates so that you will be automatically notified of new CVEs, or updates to images in public registries.

Anchore (the company) offers premium support subscriptions, and enterprise solutions to discover, explore and analyze images, with additional analysis modules and policies, data feeds, tooling, and workflow integration options.

Another new and ambitious open source container scanner is Dagda. Dagda builds a consolidated vulnerability database from snapshots of CVE information in NIST’s NVD, publicly reported security bugs in the SecurityFocus Bugtraq database, and known exploits from the Offensive Security database, and it uses OWASP Dependency Check and Retire.JS to analyze application dependencies, so that it can identify known security vulnerabilities in Docker images at both the OS package and application library level. Dagda can be controlled through the command line or its REST API, and keeps a history of all checks for auditing and trend analysis.

It also runs ClamAV against Docker images to check for trojans and other malware, and integrates with Sysdig’s powerful (and free) Falco run-time anomaly checker to monitor containers on Linux hosts. Falco is installed as an agent on each host, which taps into kernel syscalls and filters against rules in a signature database to identify suspicious activity and catch attacks or operational problems on the host and inside containers.

Dagda throws everything but the kitchen sink at container security. It is a lot of work to set this up and keep all of it working, but it shows you how far you can go without having to roll out a commercial container protection solution like Twistlock or AquaSec.

Don’t leave container security up to chance

What makes Docker so compelling is also what makes it dangerous: it takes work and decisions out of ops’ hands and gives them to developers who may not understand (or care about) the details or why they are important. Using Docker moves responsibility for packaging and configuring application run-times from ops (who are responsible for making sure that this is done carefully and safely) to developers (who want to get it done quickly and simply).

This is why it is so important to add checks that can be run continuously to catch mistakes and known vulnerabilities in dependencies, and to enforce security and compliance policies when changes are made. The tools listed here can help you to reduce operational risks, without getting in the way of teams getting valuable work done.
