Automating Docker Security Validation

Uncategorized 1 Minute

Automating Docker Security Checks

Hunting around for ways of validating Docker images from a security perspective, I’ve not seen much documentation on finding ways to do this.

As a result, I put together this video of the best means I’ve found yet: using openscap tooling. You might want to skip to 1:55 when the Vagrant setup is complete and the software is installed.

Source available here.

Briefly, it:

  • Creates a trivial custom check for our security policy (‘is this a CentOS machine?’), which is run using the standard oscap tooling, and passes
  • Runs a RHEL7 container (‘our-rhel-container’)
  • Runs oscap-docker with the same check, which fails (as this is a RHEL7 image)
  • Performs a general CVE check against the container
  • Downloads another policy and runs that against the running container

Using this as a template, you can see how easy it would be to script up a custom policy, run it regularly and perform actions based on the output.

Are you using this or similar tools to manage Docker images? Any tips on extending and improving this gratefully received.

 

Currently co-authoring a book on Docker:

Get 39% off with the code 39miell

dip

Published by zwischenzugs

Published

One thought on “Automating Docker Security Validation

  1. Pingback: Sandboxing Docker with Google’s gVisor – zwischenzugs

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.