owasp / docker-security Goto Github PK

D06,D08,D09,D10 content lost? why? someone delete or may I do something to recompile them?

Hi

I have some other threats to add to this (good) list

• Untrusted base images
• Supply chain poisoning
• This is not related to docker itself, but it might be good to add Kubernetes issues too (maybe a kubernetes top 10 is too much)

I dont know if those qualify for the top 10, but for sure in a docker security guide.

Would you be accepting a PR where i add those? I have contributed before to the mobile testing guide and i will be glad to contribute here too :)

The current text mentions:

Then, before you start the microservice, the USER <username> [3] switches to this user.

While that is true and might be of help while building an image, it is my understanding that it would be a mistake to let the image tell the operator what user to use unless we have full control over the the image we run. E.g. you could drop line USER node from Dockerfile and when I rebuild or pull the image again next time, I'd start running the image as user root. (If I had a line in docker-compose.yml or my Docker command line running the image, I would be safe against that kind of change.)

What do you think?

In the end a PDF should be available.

While github is great in dealing with markdown documents I suspect it's not as easy to generate a handy PDF from the markdown files.

Help or hints would be appreciated.

Hi! I found the rendered dist/owasp-docker-security.pdf to be rather unpleasant on the eyes when it comes to reading the actual text, probably mostly to the unnatural letter spacing, for example:

Same results with evince and okular. GitHub's rendering at https://github.com/OWASP/Docker-Security/blob/master/dist/owasp-docker-security.pdf seems to have the same issue.

https://github.blog/2012-09-17-contributing-guidelines/

https://github.com/OWASP/Docker-Security/blob/master/cover.jpg reads "The Then Most Important Aspects". I read "then" as "back then" meaning distent past. Is it a typo of "ten" or was it supposed to mean "up to the date of publishing"? Looking at https://dict.leo.org/german-english/bisher I cannot find "then" as a candidate for translation.

Hello there,

I'm just have started a translation for this awesome project do Brazilian Portuguese. I'm a leader for Belo Horizonte Chapter and we just fork this project to do this translation apart and we send a pull request when apropriate.

As WIP I consider a great oportunity to stay close translating it at the same time this projects gets in shape. I'm also have interest to contribute in some way, just let me know. This container rush had a impact on security so I consider this project a must have.

Greetings from Brazil.
Happy holidays.

Hi *,

I could need some help wrt to image scanning for known vulnerabilities, see D02 --> How can I find out? --> Automatic.

Preferably short and "crispy"

Cheers, Dirk

Am going to slowly add to this issue, and then eventually merge into repo:

1. apt install apt-transport-https

I think it's important to use TLS for all package installations. You'll have to have to separate install statements, which can cause slight increase in image size but is worth it.

2. apt-get --no-install-recommends -y install libtool

reduce surface area of attack by not installing extra packages during installation of packages too.

I will start with a structure of the D sections which will basically provide the core for a) planning a secure container environment, for b) security controls and for c) auditing. It'll be basically addressing the threats mentioned in https://github.com/OWASP/Docker-Security/blob/master/001_Threats.md .

This document is not supposed to have a single page per D section like the OWASP Top 10 but still I was thinking on borrowing a few headlines from the boxes (no boxes either) like

• ~How Do I Prevent?,
• ~Am I Vulnerable --> need to use a different term like How can I detect?,
• ~Example Attack Scenarios --> probably needs to be related to the aforementioned threats
• References

and before an introductory paragraph telling what each point is about. Each of those sections will have a text paragraph or examples, and as said no boxes. I am not in favor of a single page as I am afraid there's too much content.

Any thoughts on this?

example #18 (comment) of Application Top 10

Hi!

There is a pile of Creative Commons licenses and the current logo used on the cover keeps the license very vague. I also didn't find any place in the document, where the license would be mentioned with more precision — maybe #4 is related? It would be nice to have "CC-BY-NC-SA 4.0 International" and maybe its logo parts, instead.

Thanks!

Because of several issues with gitbook-cli, its status, and calibre issues I am seeking for a replacement or help with a solution which works.

The goal is:

• to enable almost everybody to build or get a PDF
• should work at least under every Linux distro
• it should be maintainable (no private or deprecated repos)

See also #17, #31, #32

I am currently working a lot with Docker and the security resources are pretty lacking. Is there anyway I can help?

Breaking out of a container might not only be achieved by root processes or (ab)use cases of SETUID/SETGID, but through risky bind mounts of the host file system, too.
UID 0 might help with additional permissions in such a scenario, but i'd argue it would still be considered a separate point.

The docker docs even acknowledge it here (search page for "security implications").

Side note: Most english sources call it container breakout instead of container outbreak.
Using your favourite search engine with both terms will demonstrate the difference in search result quality.

Just building a new PDF since a while and I was confronted with this ugly message:

Probably the threat is not high. But for a secuirty project it's just ugly. Can you @PauloASilva or sombody else give a hand here?
Gitbook-cli supported is is no longer under active development. as stated here: https://github.com/GitbookIO/gitbook

In addition to #31 there's also another error when using docker-compose run --rm build

cc @PauloASilva

Hi,

I noticed a lot of vulnerabilities in the owasp/modsecurity:3 Docker image. I didn't find a repo for the Docker image so posting here. (It feels a bit sour having to accept 2 critical and 106 high vulnerabilities if we want to implement WAF in our cluster..)

$ trivy i owasp/modsecurity:3

owasp/modsecurity:3 (debian 10.3)
=================================
Total: 569 (UNKNOWN: 2, LOW: 379, MEDIUM: 80, HIGH: 106, CRITICAL: 2)

The Docker image could use some attention, the source files are left in the container only wasting image size.

Could you address these vulnerabilities and create a repo for the source?

Cheers, cDR

Suggestion to include guidance on tracking the components in your base image, and your own bundled software, as part of D02.

There are tools like Anchore Syft that can generate a software bill of materials for container images. This information can be fed into tools like OWASP Dependency-Track for continuous analysis. And identification of vulnerable components.

It also helps address OWASP Top 10 A9:2017-Using Components with Known Vulnerabilities, and activities identified in the OWASP SCVS.

While I found a clash of the numbering scheme of OWASP Top 10 and the API Top 10 (OWASP/API-Security#24) I accidentially realized that the Docker Top 10 lack the year of release in their numbering scheme.

Recommendation

Use D1:2019 instead of D1 in the summary table and when referring to individual list entries. This would harmonize Top 10 lists of OWASP overall a bit.

I disagree with the following lines:
"The catch using namespaces is that you can only run one namespace at a time. If you run user namespacing you e.g. can't use network namespacing on the same host [6]."
The cited document only states that it is not possible to share "PID or NET namespaces with the host" while using the user namespace, but that does not mean that generally speaking only one namespace can be used at a time.
Furthermore, other documents and blog entries explicitly state that "[m]odern containerization systems (e.g. Docker, LXC, etc.) use all of these namespaces when programs are launched". (https://blog.selectel.com/containerization-mechanisms-namespaces/)
Probably you meant the right thing but formulated it a bit ambiguous.

I would be very glad to hear your thoughts about this topic!

This is just a reminder that a) trailing page(s) would do good b) that then maybe the naming scheme needs to be readjusted .