Security tools for Docker


Poll: Is container security important to you? (62 members have voted)


It would be nice to see some security tools around Docker.

 

For example, maybe something that can do vulnerability scanning and reporting of your running containers. It would be helpful for many reasons: perhaps adding additional firewall rules to prevent attacks, upgrading, downgrading, etc. I know there are open source tools and images that already exist with many features that we could all benefit from.


Comment:

Honestly surprised this has not received more attention in here... Considering Unraid's primary function is to house all your data as a NAS, and I'd imagine many people store sensitive or personal data/documents on their servers... right? Combine that with running applications (docker images) that share the same kernel and mounted filesystems, that someone else (other than the programmers) is building (the docker images)... nobody is concerned? Even if you trust the image owners, after they are deployed nobody has concerns about them containing exploits or knowing if they are vulnerable?

 

 

I'm not sure if everyone is naive or just doesn't care about their data on their Unraid server or their home network in general. Can anyone who doesn't maintain the docker images tell me if you have CVE-2019-5021 on your running Alpine Linux containers? I'd guess nobody can confidently answer that without spending significant time researching it or already having tools scanning.

 


Supporting Info:
This is a decent writeup from 2017.
https://sysdig.com/blog/7-docker-security-vulnerabilities/

Also this from 2019 (has video):

https://www.techrepublic.com/article/docker-containers-are-filled-with-vulnerabilities-heres-how-the-top-1000-fared/

 

 

 

Summary: 
My point is that many of these containers are communicating with the internet. 

1. We don't know what is in the images we are downloading/updating (unless you are one of those people that hash-matches all the binaries and configs against the master).

2. Your containers will or do have vulnerabilities and you will have no idea about it. If you are running a container that the image maintainer stopped updating (maybe they are on vacation) and an exploit is discovered, well, good luck.

 

Considering the current state of the world with COVID-19... you will see an increase in ransomware! It won't matter who you are... people need money and take advantage in times like these. I can personally attest to this: I have a UniFi firewall and it is running IDS, and the amount of attacks against my IP has increased.
https://www.businessinsider.com/ransomware-attack-hospitals-coronavirus-covid-19-2020-3
 

 

 

Want/Ask/Need:
I would really like to see some integration of tools that scan against the images and running containers. There are a lot of smart people in here and I'm sure everyone can benefit from having a container that does scanning of other containers. Wouldn't it be nice to know you have a problem with a docker (a CVE was released yesterday) and this image is vulnerable? That could allow you to at least disable the services until it is updated, or follow the CVE and perhaps mitigate the risk another way.

 

Disclaimer: I am not a dev. 

I want to generate interest from the community and see if any devs would be interested in this project.  

 

As GI Joe says.... Knowing is half the battle. 
 

Quote

You can't fix what you don't know is broken.

 

Edited by pish180
Added Disclaimer.
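A concrete way to answer the CVE-2019-5021 question raised above for the containers on your own host, as an added example that is not from this thread or from Unraid: the script checks each running container's /etc/shadow for an empty root password field, which is the condition that CVE describes for the affected Alpine images. It assumes the docker CLI is available on the host; the two shadow samples are constructed for demonstration.

```shell
#!/bin/sh
# Audit helper (added example, not from the thread): flags containers whose
# root account has an empty password hash, the condition behind CVE-2019-5021.

# Returns 0 (true) when the given /etc/shadow content has an empty password
# field for root, 1 otherwise. Pure text check, so it can be tested offline.
shadow_root_null_password() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "root" && $2 == "" { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Constructed sample shadow contents: the first is the shape the affected
# Alpine images shipped with, the second is the fixed shape (root locked).
VULNERABLE_SHADOW='root:::0:::::
bin:!::0:::::'
HARDENED_SHADOW='root:!::0:::::
bin:!::0:::::'

# Walk every running container and report the ones affected.
# Requires docker on the host; containers without /etc/shadow are skipped.
audit_running_containers() {
    docker ps --format '{{.Names}}' | while read -r name; do
        shadow=$(docker exec "$name" cat /etc/shadow 2>/dev/null) || continue
        if shadow_root_null_password "$shadow"; then
            echo "VULNERABLE: $name (root has an empty password field)"
        else
            echo "ok: $name"
        fi
    done
}
```

An empty field only matters where software inside the container authenticates against the system password database (the advisory's own caveat), so a hit is a prompt to check what that container runs and to rebuild from a fixed base image, not proof of compromise.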

Are you asking how much interest there is so you know whether or not to spend your time working on implementing this for others' benefit?

 

If so, maybe say that upfront. Otherwise it just sounds like you want to volunteer someone else's time for your interests.

 

If you develop it and it works well, I'm sure there will be people wanting to use it.

2 hours ago, jonathanm said:

Are you asking how much interest there is so you know whether or not to spend your time working on implementing this for others' benefit?

 

If so, maybe say that upfront. Otherwise it just sounds like you want to volunteer someone else's time for your interests.

 

If you develop it and it works well, I'm sure there will be people wanting to use it.

That's a good point.   I would have put this post in the request section but that is blocked off. 

 

The goal with this post is really 3 things: 

1.  Hopefully build some interest amongst the community

2. Once we have some interest, see if any devs want to take on the challenge.  

3. End Product?

 

Wanting to volunteer someone else's time - seems like a negative way to word it. If that is what you consider a request to build something to be, then I guess I'm guilty. 🙄 Every project starts with an idea/request/issue.

 

With more users backing a request a dev would feel:

1.  More motivated

2. More likely to be incentivised

3. Have a positive impact on the community

 

Depending on what motivates them.

 

FTR I have supported many developers via Patreon and other donations for their work. Just wanted to throw that out there.

Hope that helps.

On 4/2/2020 at 5:11 AM, johnnie.black said:

Anyone can post in the Feature Requests forum, just not the sub-forums.

DOH. Is one of the mods able to move it? I swear I recall trying to and there was no button to create a thread. I guess, as you mentioned, I was probably in a sub-forum. Ideally I would like it in the FR section. If not, I guess I can re-create it there.

  • 10 months later...
  • 1 month later...

Any of the devs consider looking at this? Maybe something like Anchore, Clair, etc., or another Docker container that we can add to Unraid that would scan all the docker images we have in our local Docker repo and provide a report for Unraid users?

 

I think this would be really valuable for the community so they know, for the images they are running, if there are any vulnerabilities, and can determine if it's an acceptable risk.

 

Thanks!
