Comments (4)
drwetter
commented on July 24, 2024
Hi @danehrlich1,
in order to put the cart behind the horse, intended is to provide a structure first for each single D-point. Technical hints will go into one of the parts of the structure.
D04 is specific for not only for the container / pod but also and mostly host and container orchestration tool. That is why it is @ #4. The main threat is supposed to be avoid on the system side exposed or misconfigured interfaces from kubernetes and friends. On the host e.g. a ~Debian default where rpc services are offered or any other network based service.
For the container part, yes there might be something I could think of. Transport via https doesn't seem so relevant to me as Debian packages you are referring to a signed (do a apt-key list). And if retrieving the Debian keys come via HTTPS 1) apt-transport-https is a privacy improvement, not a security improvement.
1) I haven't researched this but I know other distros which don't do this either.
from docker-security.
commented on July 24, 2024
Apologies and thanks for helping me understand the intended structure of
the repo.
Also read over your other stuff and all good points / thanks for the
information. I agree and you are right, particularly on the privacy vs
actual security issue.
Iām going to hold off on anything else moving forward for now. Let me know
if there is specific help you need or research I can do though in the
meantime as the repo is built out.
ā¦On Fri, Dec 21, 2018 at 7:00 PM Dirk Wetter ***@***.***> wrote:
Hi @danehrlich1 <https://github.com/danehrlich1>,
in order to put the cart behind the horse, intended is to provide a
structure first for each single D-point. Technical hints will go into one
of the parts of the structure.
D04 is specific for not only for the container / pod but also and mostly
host and container orchestration tool. That is why it is @ #4. The main
threat is supposed to be avoid on the system side exposed or misconfigured
interfaces from kubernetes and friends. On the host e.g. a ~Debian default
where rpc services are offered or any other network based service.
For the container part, yes there might be something I could think of.
Transport via https doesn't seem so relevant to me as Debian packages you
are referring to a signed (do a apt-key list). And if retrieving the
Debian keys come via HTTPS 1) apt-transport-https is a privacy
improvement, not a security improvement.
1) I haven't researched this but I know other distros which don't do this
either.
ā
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#2 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ADM6EjqKMaRk8r6yvzse2GKfpBF3bdMYks5u7YRHgaJpZM4ZfPTE>
.
from docker-security.
drwetter
commented on July 24, 2024
The slides of my talk in Brussels might be useful to understand what is supposed to be in the D sections.
Because I saw too often open APIs or dashboards and e.g. Kubernetes does not seem to be able to clean up their crap (open kubelet, CVE-2018-1002105, etc.) D9 moved to D4 though.
from docker-security.
drwetter
commented on July 24, 2024
No need to apologize, you probably can't read my thoughts
from docker-security.
Related Issues (20)
- D01 - Secure User Mapping: Namespaces HOT 2
- CONTRIBUTING.md missing
- Add year of document release to numbering scheme HOT 2
- Image Scanning in D02 HOT 2
- Typo "then" (instead of "ten") in cover.jpg (assets/cover.xcf) ? HOT 4
- Rendered PDF seems to have broken letter spacing, makes reading a lot less enjoyable HOT 4
- Cover should mention "CC-BY-NC-SA 4.0 International", not just Creative Commons HOT 4
- [D01] Issues with relying on (or advertising) Docker instruction "USER <user>[:<group>]"
- Other threats (+testing guide) HOT 7
- owasp/modsecurity vulnerabilites HOT 3
- Translation to Brazilian Portuguese and Contributions HOT 3
- Fix or replace gitbook (in Dockerfile)
- Gitbook error: "TypeError: cb.apply is not a function" HOT 8
- PDF generation: Replacement for gitbook-cli (and maybe calibre)? HOT 3
- Create copyright and license section
- Trailing page(s) of document
- D02 - Patch Management Strategy Suggestion
- MD to PDF HOT 49
- D06,D08,D09,D10 content lost
- Addition to the threat mindmap might be needed HOT 12
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
š Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ššš
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ā¤ļø Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from docker-security.