![]() ![]() Any changes made to the root filesystem will likely be for a malicious objective. Once running, containers don’t need changes to the root filesystem. Set the container’s root filesystem to read-only. As a general rule of thumb, ensure only needed ports are open on the container.Ģ1. By default, Docker maps container ports to one that’s within the 49153 - 65525 range, but it allows the container to be mapped to a privileged port. Don’t map any ports below 1024 within a container as they are considered privileged because they transmit sensitive data. By default, the ssh daemon will not be running in a container, and you shouldn’t install the ssh daemon to simplify security management of the SSH server.ġ8. ![]() Don’t mount sensitive host system directories on containers, especially in writable mode that could expose them to being changed maliciously in a way that could lead to host compromise.ġ7. By default, containers run with root privileges as the root user inside the container.ġ6. As a best practice, run your containers as a non-root user (UID not 0). Secure all Docker files and directories (see 4.2 above) by ensuring they are owned by the appropriate user (usually the root user) and their file permissions are set to a restrictive value (see the CIS benchmarks section on Docker daemon configuration files).Ĩ. What follows is a list of best practices derived from industry standards and StackRox customers for securely configuring your Docker containers and images.Ĥ.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |