This document summarizes ways to attack and audit Docker containers. It discusses exploiting container capabilities, insecure volume mounts, and socket mounts. It also outlines auditing Docker images, containers, networks, volumes and registries to check for misconfigurations and vulnerabilities. The goal of auditing is to identify security issues when deploying and running Docker containers.
11. Basics (Cont.)
docker inspect <container name>
Returns a JSON document with the container’s full configuration and runtime state, including:
● Start time (State.StartedAt)
● Mount points (Mounts: named volumes and host bind mounts, including any Docker socket passed in)
● Ports exposed and published (NetworkSettings.Ports)
● IP address (NetworkSettings.IPAddress)
● Host-level settings under HostConfig: Privileged, CapAdd/CapDrop, NetworkMode, PidMode
12. Docker volumes and networks
● Volumes persist data outside the container’s writable layer and can be shared between containers; bind mounts expose host paths directly
● Multiple services run in different containers and talk to each other over Docker networks (on a user-defined bridge network containers resolve each other by name)
● Both are audit targets: which host paths are mounted where, and which containers can reach which
16. Capabilities
● Capabilities split the privileges of root into distinct units (CAP_NET_RAW, CAP_SYS_ADMIN, ...) that a process either holds or lacks
● Linux capabilities give fine-grained control over privileged operations instead of all-or-nothing root
● “Need to know” concept: allow-list only the capabilities the workload actually needs (--cap-drop=ALL --cap-add=<needed>)
● By default Docker starts a container with a fixed set of 14 capabilities (CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID, SETUID, SETPCAP, NET_BIND_SERVICE, NET_RAW, SYS_CHROOT, MKNOD, AUDIT_WRITE, SETFCAP) and drops everything else; --cap-add and --privileged widen that set
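To see what a running container really holds, read the Cap* lines of /proc/<pid>/status from inside it and decode the bitmask. The script below is an added example for this page, not code from the slides: it decodes the hex mask, diffs it against Docker’s default set and flags the additions that usually mean a container escape is possible. The status excerpt is constructed (a container started with --cap-add SYS_PTRACE --cap-add SYS_ADMIN); the bit numbers are the kernel’s and 0xa80425fb is the default CapEff of an unprivileged Docker container.

```python
"""Decode Linux capability masks and compare them with Docker's default set.

Added example for this page, not code from the slides. The /proc status
excerpt is constructed; capability bit numbers follow the kernel's
capability.h, and 0x00000000a80425fb is the CapEff mask a container gets
when started without --cap-add or --privileged.
"""

# Capability names indexed by kernel bit number (0 = CAP_CHOWN, ...).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Docker's default allow-list: 14 capabilities, everything else dropped.
DOCKER_DEFAULT_MASK = 0x00000000A80425FB

# Extras that usually let a process escape the container or take over the host.
DANGEROUS = {
    "CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE", "CAP_SYS_RAWIO",
    "CAP_DAC_READ_SEARCH", "CAP_NET_ADMIN", "CAP_SYS_BOOT", "CAP_BPF",
    "CAP_PERFMON",
}


def decode_caps(mask):
    """Return the names of all capabilities whose bit is set in mask, lowest bit first."""
    names = []
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
    return names


def audit_status(status_text):
    """Parse the Cap* lines of /proc/<pid>/status (e.g. `cat /proc/1/status` run
    inside the container) and report what exceeds the Docker default set."""
    masks = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            key, _, value = line.partition(":")
            masks[key.strip()] = int(value.strip(), 16)
    eff = masks.get("CapEff", 0)
    extra = decode_caps(eff & ~DOCKER_DEFAULT_MASK)
    return {
        "effective": decode_caps(eff),
        "missing_vs_default": decode_caps(DOCKER_DEFAULT_MASK & ~eff),
        "extra_vs_default": extra,
        "dangerous": [name for name in extra if name in DANGEROUS],
    }


# Constructed status excerpt for a container run with --cap-add SYS_PTRACE --cap-add SYS_ADMIN.
SAMPLE_STATUS = """\
Name:\tsh
CapInh:\t0000000000000000
CapPrm:\t00000000a82c25fb
CapEff:\t00000000a82c25fb
CapBnd:\t00000000a82c25fb
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    report = audit_status(SAMPLE_STATUS)
    print("effective:", ", ".join(report["effective"]))
    print("beyond Docker default:", report["extra_vs_default"])
    print("dangerous:", report["dangerous"])
```

A --privileged container shows a CapEff with every bit set (000001ffffffffff on current kernels), so an "extra_vs_default" list that is almost as long as CAP_NAMES is the quickest tell that the flag was used. Compare CapBnd as well: a capability absent from the bounding set cannot be regained even by a setuid binary inside the container.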
26. Socket as volume mount
● CI/CD pipelines often need to build and run containers from inside a container (a build agent that is itself a container)
● To reach the host’s Docker daemon, the host socket is passed into the container: -v /var/run/docker.sock:/var/run/docker.sock
● Management UIs such as Portainer are deployed the same way, with the socket attached as a volume mount
● Anyone who can talk to that socket controls the host daemon: docker run -v /:/host --privileged from inside the container gives root on the host, so a socket mount is equivalent to handing out host root
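The checks from the docker inspect slide and from this one can be automated over the JSON that docker inspect prints. The script below is an added example for this page, not code from the slides: it pulls out the four facts the inspect slide lists (start time, mounts, ports, IP) and then flags the settings that hand a container control over the host, the mounted Docker socket first among them. The inspect document is a constructed excerpt for a CI build agent started with the socket bind-mounted; the key names follow the real docker inspect output, but only the keys the audit reads are present.

```python
"""Audit `docker inspect` output for the runtime facts and risks discussed above.

Added example for this page, not code from the slides. The inspect JSON is a
constructed excerpt (key names follow the real docker inspect output; only
the keys the audit reads are present) for a CI build agent started with the
host Docker socket bind-mounted.
"""
import json

SAMPLE_INSPECT = json.dumps([{
    "Id": "3f2a9c0e1b7d4e6f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f",
    "Name": "/ci-agent",
    "State": {"Status": "running", "StartedAt": "2024-03-01T10:15:30.123456789Z"},
    "HostConfig": {
        "Privileged": False,
        "NetworkMode": "bridge",
        "PidMode": "",
        "CapAdd": None,
        "CapDrop": None,
    },
    "Mounts": [
        {"Type": "bind", "Source": "/var/run/docker.sock",
         "Destination": "/var/run/docker.sock", "Mode": "", "RW": True},
        {"Type": "volume", "Name": "ci-cache",
         "Source": "/var/lib/docker/volumes/ci-cache/_data",
         "Destination": "/cache", "Mode": "z", "RW": True},
    ],
    "NetworkSettings": {
        "IPAddress": "172.17.0.3",
        "Ports": {
            "8080/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"}],
            "9000/tcp": None,
        },
    },
}])

# Host paths that should not be bind-mounted into a container (prefix match).
SENSITIVE_HOST_PATHS = ("/etc", "/proc", "/sys", "/dev", "/var/lib/docker",
                        "/root", "/home", "/boot")


def is_sensitive(path):
    """True for the host root or anything under a sensitive directory."""
    return path == "/" or any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def summarize(container):
    """The facts listed on the inspect slide: start time, mount points, ports, IP."""
    ports = container.get("NetworkSettings", {}).get("Ports") or {}
    return {
        "name": container["Name"].lstrip("/"),
        "started_at": container["State"]["StartedAt"],
        "mounts": [(m.get("Source", ""), m["Destination"], "rw" if m.get("RW") else "ro")
                   for m in container.get("Mounts", [])],
        "published": {port: [f"{b['HostIp']}:{b['HostPort']}" for b in bindings]
                      for port, bindings in ports.items() if bindings},
        "exposed_only": [port for port, bindings in ports.items() if not bindings],
        "ip": container.get("NetworkSettings", {}).get("IPAddress"),
    }


def find_issues(container):
    """Flag the settings that hand a container control over, or a view into, the host."""
    issues = []
    hc = container.get("HostConfig", {})
    if hc.get("Privileged"):
        issues.append("privileged: all capabilities and all host devices")
    if hc.get("NetworkMode") == "host":
        issues.append("shares the host network namespace")
    if hc.get("PidMode") == "host":
        issues.append("shares the host PID namespace")
    for cap in hc.get("CapAdd") or []:
        issues.append(f"capability added beyond the default set: {cap}")
    for m in container.get("Mounts", []):
        if m.get("Type") != "bind":
            continue  # named volumes live under /var/lib/docker and are managed by the daemon
        src, dst = m.get("Source", ""), m["Destination"]
        rw = "rw" if m.get("RW") else "ro"
        if src.endswith("docker.sock"):
            # A read-only mount does not help: connect() on the socket still works.
            issues.append(f"Docker socket {src} mounted at {dst} ({rw}): full control of the host daemon")
        elif is_sensitive(src):
            issues.append(f"sensitive host path {src} mounted at {dst} ({rw})")
    ports = container.get("NetworkSettings", {}).get("Ports") or {}
    for port, bindings in ports.items():
        for b in bindings or []:
            if b.get("HostIp") in ("0.0.0.0", "::", ""):
                issues.append(f"{port} published on all host interfaces as port {b['HostPort']}")
    return issues


def audit(inspect_json):
    """Run both checks over the JSON array that `docker inspect` prints."""
    return {c["Name"].lstrip("/"): {"summary": summarize(c), "issues": find_issues(c)}
            for c in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, result in audit(SAMPLE_INSPECT).items():
        print(name, result["summary"]["started_at"], result["summary"]["ip"])
        for issue in result["issues"]:
            print("  !", issue)
```

On a real host feed it with `docker inspect $(docker ps -q)`; the socket check is the one to act on first, since any process in that container can start a new privileged container with the host filesystem mounted.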
32. Docker Images & Containers
Look at image configuration and options (docker image inspect: User, Env, ExposedPorts, Entrypoint) to find issues or misconfigurations, such as processes running as root or secrets baked into environment variables.
# docker images --digests ubuntu
The DIGEST column is the content-addressable sha256 of the image manifest; reference images by digest (ubuntu@sha256:<digest>) rather than by a mutable tag so the deployed image cannot be silently swapped.
33. Check content trust signatures
● Check who signed an image with docker trust (Docker Content Trust, backed by Notary)
# docker trust inspect mediawiki --pretty
● This lists the signed tags, the digest signed for each tag, and the signers with their key IDs; compare the signed digest with the digest of the image you actually run
● With DOCKER_CONTENT_TRUST=1 set, docker pull and docker run refuse tags that have no valid signature
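The signature only helps if the digest that was signed is the digest that is running, so the two outputs should be cross-checked. The script below is an added example for this page, not code from the slides: it parses the JSON form of docker trust inspect (without --pretty) and checks it against the RepoDigests of the locally pulled image, also producing the immutable reference to pin in a Dockerfile. Both inputs are constructed; the key names mirror the real command output, the digests and key IDs are fake placeholders.

```python
"""Cross-check Docker Content Trust signatures against the image actually in use.

Added example for this page, not code from the slides. Both inputs are
constructed: TRUST_JSON mimics the JSON that `docker trust inspect mediawiki`
prints without --pretty (same keys; digests and key IDs are fake placeholders),
and RUNNING_REPO_DIGESTS mimics
`docker image inspect --format '{{json .RepoDigests}}' mediawiki:1.41`.
"""
import json

TRUST_JSON = json.dumps([{
    "Name": "docker.io/library/mediawiki",
    "SignedTags": [
        {"SignedTag": "1.41", "Digest": "ab" * 32, "Signers": ["Repo Admin"]},
        {"SignedTag": "latest", "Digest": "cd" * 32, "Signers": ["Repo Admin"]},
    ],
    "Signers": [],
    "AdministrativeKeys": [
        {"Name": "Repository", "Keys": [{"ID": "11" * 32}]},
        {"Name": "Root", "Keys": [{"ID": "22" * 32}]},
    ],
}])

# What the locally pulled mediawiki:1.41 image resolves to (constructed).
RUNNING_REPO_DIGESTS = ["mediawiki@sha256:" + "ab" * 32]


def signed_tags(trust_json):
    """Map each signed tag to (digest, signers) from `docker trust inspect` output."""
    result = {}
    for repo in json.loads(trust_json):
        for entry in repo.get("SignedTags", []):
            result[entry["SignedTag"]] = (entry["Digest"], list(entry.get("Signers", [])))
    return result


def running_digests(repo_digests):
    """Extract the bare sha256 hex values from RepoDigests entries (repo@sha256:hex)."""
    return {ref.split("@sha256:", 1)[1] for ref in repo_digests if "@sha256:" in ref}


def verify_running_image(trust_json, repo_digests, repo, tag, allowed_signers):
    """Is the image deployed for repo:tag the digest that was signed, and by a signer we expect?"""
    signed = signed_tags(trust_json)
    if tag not in signed:
        return {"ok": False, "reason": f"tag {tag} has no content-trust signature"}
    digest, signers = signed[tag]
    if digest not in running_digests(repo_digests):
        return {"ok": False, "reason": "running digest does not match the signed digest"}
    if not set(signers) & set(allowed_signers):
        return {"ok": False, "reason": f"signed by {signers}, not by an allowed signer"}
    # The immutable reference to pin in Dockerfiles and compose files.
    return {"ok": True, "signers": signers, "pinned": f"{repo}@sha256:{digest}"}


if __name__ == "__main__":
    print(verify_running_image(TRUST_JSON, RUNNING_REPO_DIGESTS, "mediawiki", "1.41", ["Repo Admin"]))
    print(verify_running_image(TRUST_JSON, RUNNING_REPO_DIGESTS, "mediawiki", "latest", ["Repo Admin"]))
```

The second call fails on purpose: "latest" is signed, but its signed digest is not the image that was pulled, which is exactly the case a tag-only check would miss.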
36. Looking for known vulnerabilities
● Docker Hub registry scanning checks the packages in each image layer against vulnerability databases and reports the affected images
○ Clair (Vulnerability Static Analysis for Containers) - open source; indexes the layers of an image and matches the installed package versions against distribution security feeds
37. Looking for known vulnerabilities (Cont.)
● vulners.com/audit: submit the OS release and the installed package list (e.g. from dpkg -l or rpm -qa) and it reports the packages with known vulnerabilities from the Vulners database
● Scanners of this kind match distribution packages; application dependencies (pip, npm, Maven, ...) need a scanner that understands those ecosystems, and results are only as current as the feed