{"id":361557,"date":"2021-11-02T15:15:20","date_gmt":"2021-11-02T12:15:20","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-to-harden-docker-images-for-maximum-security-cloudsavvy-it\/"},"modified":"2021-11-02T15:15:20","modified_gmt":"2021-11-02T12:15:20","slug":"how-to-harden-docker-images-for-maximum-security-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-to-harden-docker-images-for-maximum-security-cloudsavvy-it\/","title":{"rendered":"#How to Harden Docker Images For Maximum Security \u2013 CloudSavvy IT"},"content":{"rendered":"<p><strong>&#8220;#How to Harden Docker Images For Maximum Security \u2013 CloudSavvy IT&#8221;<\/strong><\/p>\n<div id=\"article-content-area\">\n<figure style=\"width: 1200px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage size-full wp-image-14601\" srcset=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/10\/cd8db06d.jpg?width=398&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1 400w, https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/10\/cd8db06d.jpg?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1 1200w\" sizes=\"auto, 400w, 1200w\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/10\/cd8db06d.jpg?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Illustration of a padlock symbol atop a circuit board\" width=\"1200\" height=\"675\"\/><figcaption class=\"wp-caption-text\"><span class=\"type:primaryImage imagecredit\"><a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.shutterstock.com\/image-illustration\/cybersecurity-digital-technology-security-3d-illustration-1813101946\">JLStock\/Shutterstock.com<\/a><\/span><\/figcaption><\/figure>\n<p>There are many factors that contribute towards your Docker security posture but using hardened images is one of the best steps you can take to protect yourself. 
Not all images have the same security characteristics, and a poorly configured one could give an attacker the foothold they need.<\/p>\n<h2 id=\"what-is-image-hardening\"><span class=\"ez-toc-section\" id=\"What_Is_Image_Hardening\"><\/span>What Is Image Hardening?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>\u201cHardening\u201d an image refers to analyzing its current security status and then making improvements to address any concerns. Picking a prebuilt base image like <code>ubuntu:latest<\/code> may seem straightforward, but using it as-is could expose you to lurking threats. It\u2019s a bit like provisioning a new bare-metal server from the Ubuntu install image, then never updating it.<\/p>\n<p>Like that install image, images on Docker Hub can come with outdated software packages too. Images may also be misconfigured with insecure defaults that put your workload at risk.<\/p>\n<p>By hardening the image, you can be confident it\u2019s suitable for your environment. A typical hardening process will address possible weaknesses by updating packages and actively looking for known vulnerabilities. It creates a new base image you can safely use within your pipelines.<\/p>\n<h2 id=\"scanning-your-image\"><span class=\"ez-toc-section\" id=\"Scanning_Your_Image\"><\/span>Scanning Your Image<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The first step is to analyze your chosen base image. Until you\u2019ve run a security scan, you\u2019ve no way of knowing whether your image is safe to use.<\/p>\n<p>There are several tools capable of scanning a Docker image for vulnerabilities. 
They generally run similar assessments, usually based on lists of known CVEs, that produce a list of problems you can audit and remedy.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-12030\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/06\/3ea5f5d3.jpg?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Screenshot of a Trivy report\" width=\"1332\" height=\"688\"\/><\/p>\n<p>Anchore is one such container scanning engine. It uses a client\/server architecture but can be run inline in your terminal for one-off scans. Trivy is a similar option which uses its own vulnerability database and presents issues in a nicely formatted table. Another alternative is Docker Scan, an integration with the Snyk scanning engine that\u2019s included with recent Docker CLI versions.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-11180\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/05\/e84a0bf6.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"964\" height=\"543\"\/><\/p>\n<p>Once you\u2019ve selected a tool, run it against your image to ascertain which kinds of issues are present. This will define the baseline you\u2019re starting from before you begin to layer up additional protections. 
It\u2019s a good idea to keep a record of your scan results so you can reference addressed vulnerabilities in the future.<\/p>\n<h2 id=\"review-your-analysis\"><span class=\"ez-toc-section\" id=\"Review_Your_Analysis\"><\/span>Review Your Analysis<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Next, you need to carefully review the scan results to determine which issues are genuine security concerns and which can be safely overlooked. Don\u2019t expect every problem to be a hair-raising vulnerability. The chances are that heavy base images, such as those for popular operating systems or programming frameworks, will present some CVEs. Not all of them will necessarily be relevant to a Dockerized environment or your workload, so take the time to inspect each one and weigh it against your priorities.<\/p>\n<p>If your tool reports CVE severities and CVSS scores, you can use those to weight each vulnerability. These scores can help you identify issues needing immediate resolution. Keep assessing each report against your security model and your knowledge of your environment.<\/p>\n<p>It\u2019s safe to discard vulnerabilities which you\u2019re confident you\u2019re already protected against, but you should still document this course of action. 
This will help any future newcomers to the project understand why a CVE report was left unresolved.<\/p>\n<h2 id=\"implement-your-mitigation-layers\"><span class=\"ez-toc-section\" id=\"Implement_Your_Mitigation_Layers\"><\/span>Implement Your Mitigation Layers<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Now you\u2019ve worked out what you\u2019re going to address, it\u2019s time to apply your protections to the Dockerfile. Create a new intermediary Dockerfile that sits between the base image you\u2019re hardening and your downstream application image:<\/p>\n<pre>FROM insecure-base-image:latest\n# Pull in the patched version of the package flagged by the scan\nRUN apt-get update &amp;&amp; apt-get install -y unpatched-package<\/pre>\n<pre>docker build -t example.com\/secure-base-image:latest .\ndocker push example.com\/secure-base-image:latest<\/pre>\n<p>Now modify your application\u2019s Dockerfile to reference the hardened version of the image:<\/p>\n<pre>--- FROM insecure-base-image:latest\n+++ FROM example.com\/secure-base-image:latest<\/pre>\n<p>Of course, your hardening steps will be more involved in the real world. You\u2019ll need to update all outdated packages, patch any config file problems, and apply the mitigations you need to fully resolve CVEs. Simultaneously, make sure your changes don\u2019t introduce a version conflict that breaks your software\u2019s dependency stack. Test your application with the hardened image to make sure everything functions as it should.<\/p>\n<p>Before you call it a day, scan your hardened image with the same security tool you used the first time around. 
Check that the vulnerabilities you wanted to solve have dropped from the list, giving you peace of mind that your workload is protected.<\/p>\n<h2 id=\"addressing-vulnerabilities-scans-cant-find\"><span class=\"ez-toc-section\" id=\"Addressing_Vulnerabilities_Scans_Cant_Find\"><\/span>Addressing Vulnerabilities Scans Can\u2019t Find<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>A scan-based approach to hardening is effective at discovering known-to-the-community issues buried in your container\u2019s filesystem. Automated scanning can\u2019t find every problem though: some classes of vulnerability won\u2019t be matched by image analysis, so don\u2019t rely on scans as your only form of protection.<\/p>\n<p>Malicious code can creep in when you\u2019re downloading binaries in your Dockerfile. Source code dependencies added via a package manager are another viable attack vector.<\/p>\n<p>Image hardening involves an awareness of the threat entry points presented by Dockerfiles, not just use of a scanning tool. Regular manual reviews of your Dockerfile will help you reduce your susceptibility to supply chain attacks and other under-the-radar weaknesses.<\/p>\n<h2 id=\"using-pre-hardened-images\"><span class=\"ez-toc-section\" id=\"Using_Pre-Hardened_Images\"><\/span>Using Pre-Hardened Images<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>There are some pre-hardened images available when you don\u2019t want to formulate your own. The most high-profile set comes from the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.cisecurity.org\/cis-hardened-image-list\/\">Center for Internet Security<\/a> (CIS) and includes Debian, Ubuntu, CentOS, RHEL, SUSE, NGINX, PostgreSQL, and Windows Server options, among others. Each image is ready to deploy to popular cloud providers.<\/p>\n<p>Using a pre-hardened image comes with one big caveat: you need to ask yourself whether you really trust it. 
You may still want to scan it for vulnerabilities before you launch an instance into production. Although there should be far fewer issues than in an off-the-shelf Docker Hub image, running an audit yourself gives you a report to point to in case of future doubts.<\/p>\n<h2 id=\"more-to-think-about\"><span class=\"ez-toc-section\" id=\"More_to_Think_About\"><\/span>More to Think About<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Image hardening is only one facet of Docker security. A hardened image on its own may not be enough to defend your installation. You must review the security of your entire environment, including the Docker daemon\u2019s runtime configuration and enabled OS-level protections.<\/p>\n<p>Other tools are available to automate these procedures. Docker Bench is an official script to audit all aspects of your Docker installation, including daemon settings, Linux kernel security, and a basic check of your container images.<\/p>\n<p>If you\u2019re publishing images for others to use, consider signing them so their integrity can be verified. This helps minimize the risk of users being tricked into downloading a malicious lookalike.<\/p>\n<h2 id=\"conclusion\"><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Hardening a Docker image involves scanning it for vulnerabilities, building a new image with additional mitigating protections, then using that version as the base for your application. Although popular images usually rebuild frequently, the versions on Docker Hub could still be sufficiently outdated to include recently disclosed vulnerabilities.<\/p>\n<p>Hardening is a continuous process; a hardened image won\u2019t stay that way forever. You need to scan and rebuild your images regularly, giving you confidence that your production workloads are running the latest packages and patches.<\/p>\n<p>It\u2019s best to incorporate hardening into your image build pipeline from the outset. 
Scanning base images and your build output within your CI system will give you insights into your changing security posture and let you review new vulnerabilities as they emerge. Catching \u201csoft\u201d spots early lets you quickly toughen your image back up, reducing your exposure to threats.<\/p><\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/14600\/how-to-harden-docker-images-for-maximum-security\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#How to Harden Docker Images For Maximum Security \u2013 CloudSavvy IT&#8221; JLStock\/Shutterstock.com There are many factors that contribute towards your Docker security posture but using hardened images is one of the best steps you can take to protect yourself. 
Not all images have the same security characteristics and a poorly configured one could give an&#8230;<\/p>\n","protected":false},"author":1,"featured_media":361558,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/10\/cd8db06d.jpg","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-361557","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/361557","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=361557"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/361557\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/361558"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=361557"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=361557"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=361557"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}