Containerization, which allows organizations to better their IT network effectiveness, is without a doubt a hot topic nowadays. But many of those embracing containers are unaware that misconfiguration of the container hosts can lead to an attacker having domain administrator privileges and potentially harming the entire IT network infrastructure.
Securing your container hosts' configurations is essential. The Center for Internet Security benchmarks which serve as guidelines for both Docker and Kubernetes hosts' configurations settings.
The following table presents the configuration value, it’s importance level, the rationale behind it and links with useful information.
| Configuration | Ranking level | Rationale | Remediation |
|---|---|---|---|
| Ensure a separate partition for containers has been created | Level 1 | Docker enables sharing a directory between the host and a container without restricting the container's access rights. This implies that a container, mapped to the host's / directory, can modify the host file system without constraints. Membership in the docker group allows starting a container that maps the root / directory, potentially leading to elevated privileges. | For new installations, you should create a separate partition for the /var/lib/docker mount point. For systems which have already been installed, you should use the Logical Volume Manager (LVM) within Linux to create a new partition. |
| Ensure only trusted users are allowed to control Docker daemon | Level 1 | Docker enables sharing directories between the host and a container without restricting access rights. This allows a container to modify the host file system without constraints, potentially leading to elevated privileges for a user in the docker group. | You should remove any untrusted users from the docker group. Additionally, you should not create a mapping of sensitive directories from the host to container volumes. |
| Ensure auditing is configured for the Docker daemon | Level 1 & Level 2 | As well as auditing the normal Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges. It is very important to audit its activities and usage. | You should add rules for the Docker daemon. |
| Ensure auditing is configured for Docker files and directories - /run/containerd | Level 1 & Level 2 | Audit not only the standard Linux file system and system calls but also scrutinize Docker-related files and directories. The Docker daemon operates with root privileges, and key directories like /run/containerd, containing vital container information, demand thorough auditing. | You should add a rule for the /run/containerd directory. |
| Ensure auditing is configured for Docker files and directories - /var/lib/docker | Level 1 & Level 2 | Audit both the standard Linux file system and system calls, along with Docker-related files and directories. Since the Docker daemon operates with root privileges, key directories like /var/lib/docker, containing essential container information, must undergo thorough auditing. | You should add a rule for the /var/lib/docker directory. |
| Ensure auditing is configured for Docker files and directories - /etc/docker | Level 1 & Level 2 | Audit both the standard Linux file system and system calls, along with Docker-related files and directories. Given that the Docker daemon operates with root privileges, key files and directories, including /etc/docker, which contains TLS certificates and keys for Docker daemon-client communication, should undergo auditing. | You should add a rule for the /etc/docker directory. |
| Ensure auditing is configured for Docker files and directories - docker.service | Level 2 | Audit the standard Linux file system and system calls, including Docker-related files and directories. As the Docker daemon operates with root privileges, key files like docker.service, which might contain modified daemon parameters, should be audited for various Docker daemon configurations. | If the file exists, a rule for it should be added. |
| Ensure auditing is configured for Docker files and directories - containerd.sock | Level 2 | Audit the Docker daemon, which operates with root privileges, in addition to the standard Linux file system and system calls. The Docker daemon's behavior relies on key files and directories, including containerd.sock, holding various parameters that should be subject to auditing. | If the file exists, you should add a rule for it. |
| Ensure auditing is configured for Docker files and directories - docker.socket | Level 2 | Audit the Docker daemon, crucial due to its root privileges, in addition to the standard Linux file system and system calls. The behavior of the Docker daemon is influenced by key files and directories, including docker.socket, which holds essential parameters and warrants auditing. | If the file exists, you should add a rule for it. |
| Ensure auditing is configured for Docker files and directories - /etc/default/docker | Level 2 | Audit the Linux file system, system calls, and all Docker-related files and directories. The Docker daemon, operating with root privileges, relies on key files, including /etc/default/docker, which contains parameters crucial for the Docker daemon and should be subject to auditing. | You should add a rule for the /etc/default/docker file. |
| Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json | Level 2 | Audit the Linux file system, system calls, and all Docker-related files and directories. Given that the Docker daemon operates with root privileges, key files like /etc/docker/daemon.json, containing crucial parameters for the Docker daemon, should undergo thorough auditing. | You should add a rule for the /etc/docker/daemon.json file. |
| Ensure auditing is configured for Docker files and directories - /etc/containerd/config.toml | Level 2 | Audit the Docker daemon, given its root privileges, alongside the standard Linux file system and system calls. Essential to the auditing process are key files and directories, with /etc/containerd/config.toml being one such file containing crucial parameters for the Docker daemon. Its presence necessitates careful auditing. | You should add a rule for /etc/containerd/config.toml file. |
| Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker | Level 2 | Audit the Docker daemon, essential due to its root privileges, in addition to standard Linux file system and system call auditing. Crucial to the Docker daemon's behavior are key files and directories, with /etc/sysconfig/docker being significant for CentOS and RHEL distributions, containing various parameters. If present, this file requires thorough auditing. | You should add a rule for /etc/sysconfig/docker file. |
One of the most critical but challenging tasks in this guide is the hardening container host. Whether your container host is based on Linux or Windows OS, hardening it is a completely separate challenge, often a hard, costly and time consuming one.
In order to achieve host hardening, you need to follow best practices benchmarks, such as CIS benchmarks or DISA STIG. These benchmarks often delivered by several hundred pages files with dozens of rules to follow. Each rule can affect differently on production environment; therefore, lab testing needs to be done before applying each rule or changing the production environment.
With CHS by CalCom hardening is no longer an issue. CHS will 'learn' your production environment dependencies and automatically inform you if any hardening action can cause outages to it. Based on best practices benchmarks CHS will ensure everlasting compliance with no need for lab testing and no risk for configuration drifts.
