
Container Security
Secure your container environment

How to follow container security best practices

Reducing the container attack surface

CIS benchmark Docker


We run a set of tests derived from standard checklist recommendations:

  • The CIS Docker Benchmark and the SANS checklist cover host configuration, Docker daemon settings, container images, runtime settings, and other Docker security settings; our results are grouped the same way.
  • As adoption of this technology grows and the technology evolves, the checks must be kept current with the standardized Docker security checklists and the latest tools and recommendations.
Identify
Security analyses are based on the Docker Benchmark from the Center for Internet Security and on best security practices for container environments. Thanks to vulnerability databases that are updated daily, our solution identifies newly published vulnerabilities; Elastic Workload Protector automatically tests new container images against them, ensuring continuous protection.


Remediate
Get comprehensive and understandable reports on your cyber risk exposure. Key risk indicators let you address the critical vulnerabilities on your sensitive assets first.
Customized reports include remediation guidance to help your security team.



Monitor
Organizations should continuously verify that all applications are properly updated and secured.
Our solution monitors containers for vulnerabilities, best-practice compliance and policy violations. It integrates with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Example of Elastic Workload Protector Outcome


CIS DOCKER 5.3 Restrict Linux Kernel Capabilities within containers

By default, Docker starts containers with a restricted set of Linux kernel capabilities rather than the full privileges of root. This means a process can be granted only the specific capabilities it requires instead of root access: for almost all of the operations that traditionally need root, the process no longer has to run as root.

Docker supports the addition and removal of capabilities, allowing use of a non-default profile. This may make Docker more secure through capability removal, or less secure through the addition of capabilities. It is thus recommended to remove all capabilities except those explicitly required for your container process.

For each container instance, verify that the added and dropped Linux kernel capabilities match what the container's process actually needs: nothing it requires is missing, and nothing it does not require has been added.

Execute the commands below to add or drop capabilities. Drop everything first, then add back only what the process needs; the brace form is bash brace expansion and produces one --cap-add (or --cap-drop) flag per listed capability. The angle-bracket items are placeholders for your own run arguments, image and command:
$> docker run --cap-drop=ALL --cap-add={"Capability 1","Capability 2"} <run arguments> <image> <command>
$> docker run --cap-drop={"Capability 1","Capability 2"} <run arguments> <image> <command>
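The audit side of CIS 5.3 is a comparison of each running container's CapAdd and CapDrop lists against what its process needs. The script below is an added example, not Elastic Workload Protector code, of that check over the JSON that `docker inspect` prints. The container records are a constructed sample so it runs offline, the high-risk capability list is this example's own deny-list rather than text taken from the benchmark, and the allow-list argument is an assumption about what your process needs.

```python
"""Audit container capability settings as CIS Docker 5.3 asks for.

Added example, not Elastic Workload Protector code. The input is the JSON
that `docker inspect <container...>` prints; a constructed sample stands
in for it here so the script runs offline.
"""
import json

# Capabilities that effectively hand a process the host. This is an
# assumed deny-list chosen for the example, not a list from the CIS text.
HIGH_RISK_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO",
                  "NET_ADMIN", "DAC_READ_SEARCH", "SYS_BOOT"}

# Constructed sample of `docker inspect` output for three containers.
# Docker reports CapAdd/CapDrop as a list or null (None after parsing).
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/web",
     "HostConfig": {"CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"]}},
    {"Id": "bbb222", "Name": "/debug",
     "HostConfig": {"CapAdd": ["SYS_ADMIN", "SYS_PTRACE"], "CapDrop": None}},
    {"Id": "ccc333", "Name": "/batch",
     "HostConfig": {"CapAdd": None, "CapDrop": None}},
])


def _norm(cap):
    """Docker accepts both CAP_NET_ADMIN and NET_ADMIN; compare bare names."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_capabilities(inspect_json, allowed_adds=frozenset()):
    """Return {container name: [finding, ...]} for every container that
    deviates from "drop ALL, then add back only what is needed".

    allowed_adds: capabilities the container's process legitimately needs
    (an assumption supplied by the operator, e.g. {"NET_BIND_SERVICE"}).
    """
    allowed = {_norm(a) for a in allowed_adds}
    findings = {}
    for c in json.loads(inspect_json):
        host = c.get("HostConfig", {})
        added = {_norm(x) for x in (host.get("CapAdd") or [])}
        dropped = {_norm(x) for x in (host.get("CapDrop") or [])}
        problems = []
        if "ALL" not in dropped:
            problems.append("does not drop ALL capabilities (runs with Docker's default set)")
        for cap in sorted(added & HIGH_RISK_CAPS):
            problems.append(f"adds high-risk capability {cap}")
        for cap in sorted(added - HIGH_RISK_CAPS - allowed):
            problems.append(f"adds capability {cap} not on the allow-list")
        if problems:
            findings[c["Name"].lstrip("/")] = problems
    return findings


def suggested_run_flags(needed_caps):
    """docker run flags implementing the CIS 5.3 recommendation for a
    process that needs exactly `needed_caps`."""
    flags = ["--cap-drop=ALL"]
    flags += [f"--cap-add={_norm(c)}" for c in sorted(needed_caps)]
    return " ".join(flags)


if __name__ == "__main__":
    report = audit_capabilities(SAMPLE_INSPECT, {"NET_BIND_SERVICE"})
    for name, problems in report.items():
        print(name)
        for p in problems:
            print("  -", p)
    print("remediation for a web process:", suggested_run_flags(["NET_BIND_SERVICE"]))
```

Against a real host, replace SAMPLE_INSPECT with the output of `docker inspect $(docker ps -aq)`. In the sample, `web` passes because it drops ALL and adds only the one allowed capability; `debug` is flagged three times (no drop of ALL plus two high-risk additions); `batch` is flagged only for keeping Docker's default set, which is the case the benchmark most often turns up in practice.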

We all understand what happens when security is not a company priority. Containers provide a great opportunity to work faster and better because they already have automation in place. Automating security processes into operational workflows may be new to security teams, but it is not new to containers, where automation is everywhere (networking, storage, and so on). Security simply becomes another automated feed, and Elastic Workload Protector will help you do it.

Implementation of Docker CIS benchmark
Real-time alerts on configuration issues
Agentless Scanning & Automation
