OWasp Docker Security Cheat Sheet

Question 1

RULE #0: Keep Host and Docker Up to Date

Why is keeping the host and Docker updated important?

Answer 1

Containers share the host’s kernel, so vulnerabilities like Dirty COW in the host kernel can result in root access on the host.

Question 2

RULE #0: Keep Host and Docker Up to Date

What components should be regularly updated?

Answer 2

The host kernel and the Docker Engine.

Question 3

RULE #1: Do Not Expose the Docker Daemon Socket

Why should the Docker daemon socket not be exposed?

Answer 3

The socket, /var/run/docker.sock, grants unrestricted root access to the host.

Question 4

RULE #1: Do Not Expose the Docker Daemon Socket

What should you avoid enabling for Docker daemon socket?

Answer 4

Avoid enabling unencrypted and unauthenticated TCP access (-H tcp://0.0.0.0:XXX).

Question 5

RULE #2: Set a User

How can privilege escalation attacks be prevented?

Answer 5

Configure containers to use unprivileged users during runtime or build time.

Question 6

RULE #2: Set a User

What Kubernetes field is used to set a user for a Pod?

Answer 6

The runAsUser field in the SecurityContext.

Question 7

RULE #3: Limit Capabilities

What is the safest way to configure Linux kernel capabilities for containers?

Answer 7

Drop all capabilities (–cap-drop all) and add only the required ones (–cap-add).

Question 8

RULE #3: Limit Capabilities

Why should you not use the –privileged flag?

Answer 8

It adds all Linux kernel capabilities to the container, creating security risks.

Question 9

ULE #4: Prevent In-Container Privilege Escalation

How can privilege escalation within a container be disabled?

Answer 9

Use the –security-opt=no-new-privileges option during runtime.

Question 10

ULE #4: Prevent In-Container Privilege Escalation

What Kubernetes field prevents privilege escalation?

Answer 10

allowPrivilegeEscalation: false in the SecurityContext.

Question 11

RULE #5: Be Mindful of Inter-Container Connectivity

How can inter-container communication be restricted in Docker?

Answer 11

Use custom Docker networks instead of relying on the default docker0 bridged network.

Question 12

RULE #5: Be Mindful of Inter-Container Connectivity

What Kubernetes feature helps regulate pod interactions?

Answer 12

Network Policies.

Question 13

RULE #6: Use Linux Security Modules

What security profiles should be considered for Docker containers?

Answer 13

Use Linux Security Modules such as seccomp, AppArmor, or SELinux.

Question 14

RULE #6: Use Linux Security Modules

What Kubernetes resource configures security profiles?

Answer 14

Security Context in Pods or Containers.

Question 15

RULE #9: Integrate Container Scanning Tools into Your CI/CD Pipeline

Why is integrating container scanning tools into a CI/CD pipeline important?

Answer 15

It ensures security checks, such as linting, static code analysis, and container scanning, are part of the software development lifecycle to prevent vulnerabilities.

Question 16

Best Practices

What are some best practices for writing a secure Dockerfile?

Answer 16

Specify a USER directive.
Pin the base image version.
Pin OS package versions.
Use COPY instead of ADD.
Avoid curl bashing in RUN directives.