These checkpoints are based on the CIS Docker 1.13.0 Benchmark v1.0.0.
Create a user for the container
Create a non-root user for the container in the Dockerfile for the container image.
It is a good practice to run the container as a non-root user, if possible.
# Dockerfile
RUN useradd -d /home/dockle -m -s /bin/bash dockle
USER dockle
or
RUN addgroup -S dockle && adduser -S -G dockle dockle
USER dockle
Use trusted base images for containers
Dockle checks Content Trust.
Do not install unnecessary packages in the container
Not supported.
Scan and rebuild the images to include security patches
Not supported. Please check with Trivy.
Enable Content trust for Docker
Content trust is disabled by default. You should enable it.
$ export DOCKER_CONTENT_TRUST=1
- https://docs.docker.com/engine/security/trust/content_trust/#about-docker-content-trust-dct
Docker Content Trust (DCT) provides the ability to use digital signatures for data sent to and received from remote Docker registries.
Engine Signature Verification prevents the following:
$ docker container run of an unsigned image.
$ docker pull of an unsigned image.
$ docker build where the FROM image is not signed or is not scratch.
Add HEALTHCHECK instruction to the container image
Add a HEALTHCHECK instruction to your docker container images to perform the health check on running containers.
Based on the reported health status, the docker engine could then exit non-working containers and instantiate new ones.
# Dockerfile
HEALTHCHECK --interval=5m --timeout=3s \
CMD curl -f http://localhost/ || exit 1
Do not use update instructions alone in the Dockerfile
Do not use update instructions such as apt-get update alone or in a single line in the Dockerfile.
Adding the update instructions in a single line in the Dockerfile will cache the update layer.
RUN apt-get update && apt-get install -y package-a
Confirm safety of setuid and setgid files
Removing setuid and setgid permissions in the images would prevent privilege escalation attacks in the containers.
setuid and setgid permissions could be used for elevating privileges.
chmod u-s setuid-file
chmod g-s setgid-file
Use COPY instead of ADD in Dockerfile
Use the COPY instruction instead of the ADD instruction in the Dockerfile.
The ADD instruction introduces risks such as adding malicious files from URLs without scanning and unpacking procedure vulnerabilities.
# Dockerfile
ADD test.json /app/test.json
↓
COPY test.json /app/test.json
Do not store secrets in Dockerfiles
Do not store any secrets in Dockerfiles.
The secrets within these Dockerfiles could be easily exposed and potentially be exploited.
Dockle checks ENVIRONMENT variables and credential files.
Install verified packages only
Not supported. It's better to use Trivy.
These checkpoints are based on Docker best practices and similar guidance.
Avoid sudo command
- https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user
Avoid installing or using sudo as it has unpredictable TTY and signal-forwarding behavior that can cause problems.
Avoid sensitive directory mounting
A volume mount can create weak points, depending on which directories are mounted.
Currently, Dockle checks the following directories: /dev, /proc, /sys.
Dockle only checks VOLUME statements, since it cannot check docker run -v /lib:/lib ....
Avoid apt-get dist-upgrade
https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#apt-get
Avoid RUN apt-get upgrade and dist-upgrade, as many of the “essential” packages from the parent images cannot upgrade inside an unprivileged container.
Use apk add with --no-cache
- https://github.com/gliderlabs/docker-alpine/blob/master/docs/usage.md#disabling-cache
As of Alpine Linux 3.3 there exists a new --no-cache option for apk. It allows users to install packages with an index that is updated and used on-the-fly and not cached locally:
...
This avoids the need to use --update and remove /var/cache/apk/* when done installing packages.
Clear apt-get caches
Use apt-get clean && rm -rf /var/lib/apt/lists/* after apt-get install.
- https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#apt-get
In addition, when you clean up the apt cache by removing /var/lib/apt/lists it reduces the image size, since the apt cache is not stored in a layer. Since the RUN statement starts with apt-get update, the package cache is always refreshed prior to apt-get install.
Avoid latest tag
- https://vsupalov.com/docker-latest-tag/
Docker images tagged with :latest have caused many people a lot of trouble.
These checkpoints are based on Linux best practices and similar guidance.
Avoid empty password
- https://blog.aquasec.com/cve-2019-5021-alpine-docker-image-vulnerability
CVE-2019-5021: Alpine Docker Image "null root password" Vulnerability
Be unique UID/GROUPs
- Contrary to popular belief, it is not necessary that each entry in the UID field be unique. However, non-unique UIDs can cause security problems, and thus UIDs should be kept unique across the entire organization.
Only put necessary files
Check for directories such as .cache and .git that should not be in the image.