By now, we’re all au courant of the Equifax breach that affected 143 million customer reports. Equifax reports that Apache Struts vulnerability CVE-2017-5638 was reach-me-down by the attackers.Equifax was not running its vulnerable struts application in a container, but what if it had been? Containers are numberless secure, so this whole situation could have been sidestepped, right?Not so fast.Containers’ inherent infrastructure as code approach has multiple protection advantages. Building and deploying new containers continuously is the standard operation, so deploying updated and segmented software versions comes with less risk of downtime. You start with a disinfect container so you won’t potentially be patching an already compromised system, leaving beachheads in area. It also means that, in general, containers have shorter spark of life spans than servers, so an attacker has a shorter period to use a persistent backdoor or turn further into the network.Furthermore, repeatedly exploiting a newly deployed container finished and over increases the chance an alert from another security discovery will be seen, be it IDS/IPS or file integrity monitoring.Containers have compelling guarantee benefits, notably container isolation from host processes and networks. Despite that, misconfiguration or neglect can still wreak havoc on an otherwise solid collateral posture.Let’s discuss securing the Docker stack, which encompasses profuse of the same elements as securing your traditional infrastructure, but comes with some of its own off ones rockers on a familiar set of challenges.1. Privilege Escalation AttacksA common threat to preserve your Docker stack against is the elevation of privileges by an attacker. The attacker’s object is to break out of the container and gain access to the Docker host; they can do so because of a variety of opportunities.2. VulnerabilitiesVulnerabilities in the Linux Kernel, such as the everywhere publicized Dirty COW vulnerability, can be used to escalate privileges from the container to the assemblage. Vulnerability management tools should be used to ensure that both the mob and any containers have been fully patched and are free from vulnerabilities.3. Filesystem MountsMounting the crowd filesystem within the container allows the container to write to host columns. Mounts that are too broad or misconfigured could allow for an attacker to pay-off elevated permissions via a wide body of arbitrary file write methods. Conspicuous host system directories must not be mounted within a container.4. Private UsersA host user who is capable of running Docker containers is in days of yore again effectively root due to the above filesystem abuse potential. You have to not allow non-root users to run Docker containers or add them to the Docker platoon.The Docker daemon contains the –userns option that is used to cite the user namespace to use for Docker processes. When using the user namespace opportunity, the root user within the container will be mapped to a non-privileged drug on the host. Using an unprivileged user namespace is a vital defense to purloin combat privilege escalation.The Docker runtime also provides the –alcohol option, which can be used to run commands within the container as an unprivileged drug instead of the default which is root. Just as we’ve learned over decades of protection practice, you shouldn’t use the root user when you don’t absolutely have to. The at any rate logic applies to container use.5. Privileged ContainersA container run with Docker’s –admitted flag can control devices and open up the same filesystem based assaults as above; it has nearly the same access to host resources as the host itself. Indulged containers may be used for nesting Docker-in-Docker, but extreme care must be tempered to when using this feature.6. Denial of ServiceBy default, containers acquire no constraints on the resources they are allowed to use. This can easily lead to disaffirmation of service scenarios. It is important to use mitigations against runaway resource custom, such as the Docker cgroup capabilities.7. CPU ExhaustionA runaway computation handle can use all of the available cpu resources on the host. The –cpus or –cpu-quota can be defined per-container in called-for to limit the maximum amount of host processor time available to the container.8. Celebration ExhaustionDocker provides the –memory runtime option in order to limit the superlative amount of memory used by each container.9. UlimitsA malicious or compromised container could use a artless fork bomb attack to cause the host system to become precisely unresponsive. The Docker provided –ulimit runtime option allows region reasonable limits on each container’s open files and processes such that they cannot conduct down the host.10. Lateral MovementLateral movement is the term employed for moving from one hacked system to another, and the techniques used for it smooth apply in the container space. By default, all Docker containers can communicate with each other. Permitting Docker’s –icc, –link, and –iptables flags, you have fine-grained control terminated which containers are allowed inter-container communication. You can then leverage that command to keep the host and network safer from network attacks hurled from a potentially compromised container.