Comments (4)
Hi @danehrlich1,
in order to put the cart behind the horse, the intention is to provide a structure first for each single D-point. Technical hints will go into one of the parts of the structure.
D04 is specific not only to the container / pod but also, and mostly, to the host and the container orchestration tool. That is why it is at #4. The main threat it is supposed to avoid is exposed or misconfigured interfaces on the system side from Kubernetes and friends. On the host, e.g. a ~Debian default where RPC services are offered, or any other network-based service.
For the container part, yes, there might be something I could think of. Transport via HTTPS doesn't seem so relevant to me, as the Debian packages you are referring to are signed (do an `apt-key list`). And if retrieving the Debian keys comes via HTTPS 1), apt-transport-https is a privacy improvement, not a security improvement.
1) I haven't researched this, but I know other distros which don't do this either.
from docker-security.
The slides of my talk in Brussels might be useful to understand what is supposed to be in the D sections.
Because I saw too often open APIs or dashboards and e.g. Kubernetes does not seem to be able to clean up their crap (open kubelet, CVE-2018-1002105, etc.) D9 moved to D4 though.
No need to apologize, you probably can't read my thoughts