In the Applied Systems Group within the SEI's CERT Division, one of our areas of work focuses on Docker container images that require hardening to remove vulnerabilities. Through our work, we have seen stakeholders encountering difficulty with hardening open source container images, as well as with creating routine processes for vulnerability mitigation for Docker container images.
Using unvetted container images can increase security risk through the introduction of vulnerable software into an organization's software supply chain. For example, unvetted container images may contain packages with known Common Vulnerabilities and Exposures (CVEs), introducing a potential exploitation vector. As this blog post details, hardening these container images, or selecting verified pre-hardened container images before use, decreases the risk of introducing vulnerable software.
Hardening containers and container images involves analyzing their current security status and then applying remediations to iteratively improve security. The hardening process is routine and provides iterative security monitoring across the development process. A hardened image provides a secure sandbox for the development and execution of open source software.
The Container Hardening Course of
The process of hardening containers and container images begins with analyzing the image's Dockerfile and replacing any non-standard base images with reputable base images from verified publishers. Once this change has been made, a baseline security scan of the unhardened image should be created to establish a list of known vulnerabilities. Following the creation of the baseline scan, engineers using container image tooling such as Docker should begin the iterative process of remediating known vulnerabilities while scanning for new ones.
It is advisable to replace non-standard images used in a Dockerfile because, as mentioned earlier, images can carry vulnerabilities that find their way into the end product. This can take the form of vulnerable packages or other dependencies used by the image, but it can also result from insecure practices in the image itself. To counteract this, rebasing the Dockerfile onto images from Docker verified publishers such as Red Hat allows for more stability in updates and vulnerability mitigation.
These tactics of scanning and substituting images are essentially the beginnings of a software bill of materials (SBOM), and they make an SBOM easier to create and maintain. The output of each security scan helps identify where action is needed when new vulnerabilities come to light, and it can be added to the SBOM to maintain its accuracy.
Lowering Potential Vulnerabilities in Container Photos
Several other practices can also be employed when rebasing a Dockerfile to further mitigate risks and vulnerabilities. For starters, if a Dockerfile does not already use one, engineers can implement a multi-stage build. This allows the build process to install the dependencies needed to build components of the service while leaving those build dependencies behind in their respective stages. Only what is required for the final image is then brought into the final build stage. Leaving these runtime-irrelevant dependencies out of the final image reduces the image's attack surface.
In the same vein, a more minimal base image can also be helpful. A container built to serve a database, for example, is unlikely to need many of the features of a full operating system (OS) base image. Several common base images such as Red Hat Universal Base Image (UBI), Debian, and Rocky Linux offer stripped-down variants that leave fewer superfluous and potentially vulnerable packages and configurations, with the added benefit of reducing the size of the final image.
A few other tweaks can also help reduce potential vulnerabilities in container images. One is to replace the ADD instruction with the COPY instruction wherever possible. ADD and COPY overlap in that both can be used to move local files into the image during the build. However, ADD has the additional capability of downloading files referenced by external URLs, as well as unpacking archives. These extra capabilities are undesirable when security is a concern. Containers should also be set to run as a non-root service user when possible, to limit their ability to perform malicious actions if compromised. Note that by default, Docker containers run as root. Running a container as a non-root service user follows the principle of least privilege. It is also good practice to define the service user early in a Dockerfile, switching back to root only where the build process requires it.
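As an added example (not code from the original post), a small Python checker for the Dockerfile practices described above: a base image from a verified publisher, a multi-stage build, COPY instead of ADD, and a non-root USER in the final stage. Both Dockerfiles and the allowlist of publisher prefixes are constructed for illustration.

```python
# Constructed sample of the kind of Dockerfile the post says to rebase.
UNHARDENED = """\
FROM someuser/python-custom:latest
ADD https://example.invalid/app.tar.gz /app/
ADD . /app
RUN pip install -r /app/requirements.txt
CMD ["python", "/app/server.py"]
"""
# Constructed sample applying the post's advice: verified-publisher bases,
# multi-stage build, COPY only, non-root USER set before files are copied.
HARDENED = """\
FROM golang:1.22 AS build
WORKDIR /src
COPY . .
RUN go build -o /out/server .
FROM registry.access.redhat.com/ubi9/ubi-minimal:9.4
USER 1001
COPY --from=build --chown=1001:0 /out/server /app/server
CMD ["/app/server"]
"""
# Assumed allowlist of base-image prefixes treated as verified publishers.
VERIFIED_BASES = ("registry.access.redhat.com/", "debian", "rockylinux", "golang")

def parse(dockerfile):
    """Return (INSTRUCTION, argument) pairs, skipping blanks and comments."""
    lines = [ln.strip() for ln in dockerfile.splitlines()]
    return [(ln.partition(" ")[0].upper(), ln.partition(" ")[2].strip())
            for ln in lines if ln and not ln.startswith("#")]

def audit(dockerfile):
    """Return a list of findings; an empty list means every check passed."""
    instrs = parse(dockerfile)
    findings, stages = [], set()
    for _, arg in [p for p in instrs if p[0] == "FROM"]:
        parts = arg.split()
        if len(parts) == 3 and parts[1].upper() == "AS":
            stages.add(parts[2])
        if parts[0] in stages:  # FROM <earlier stage> is not a base image
            continue
        if not parts[0].startswith(VERIFIED_BASES):
            findings.append(f"non-verified base image: {parts[0]}")
    if sum(i == "FROM" for i, _ in instrs) < 2:
        findings.append("single-stage build: build dependencies stay in the final image")
    if any(i == "ADD" for i, _ in instrs):
        findings.append("ADD used: prefer COPY (ADD also fetches URLs and unpacks archives)")
    last_from = max((k for k, (i, _) in enumerate(instrs) if i == "FROM"), default=0)
    users = [a for i, a in instrs[last_from:] if i == "USER"]
    if not users or users[-1].split(":")[0] in ("root", "0"):
        findings.append("final stage runs as root: add a non-root USER")
    return findings
```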
The Significance of Vulnerability Scanning
Vulnerability scanning is a critical step in identifying vulnerabilities in a container image. Using tools such as Grype and Trivy, security and infrastructure engineers can routinely run security scans on open source images as well as on images built by an automated pipeline. An automated process that routinely scans the container image is a standard part of most DevSecOps pipelines and adds visibility into vulnerability detection. Routine scanning also allows a vulnerability baseline to be established and mitigated incrementally.
Vulnerability scans typically yield a list of CVEs, each of which contains details about the vulnerability and any potential mitigations. A CVE usually has a Common Vulnerability Scoring System (CVSS) score, which assesses the severity of the vulnerability. Calculating or looking up the CVSS score can streamline the process of prioritizing the remediation of vulnerabilities.
Hardening Docker images involves inspecting how the image is built, routinely scanning the built image for vulnerabilities, and then applying mitigations to the image build process. Continuously scanning newly published images helps detect any new vulnerabilities. By establishing a routine process for hardening images, confidence is gained in the production pipeline starting from the development stage.
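As an added example (not code from the original post), a Python routine that diffs a baseline scan against a rescan and orders the open findings for remediation by fix availability and CVSS base score, which is the baseline-then-iterate loop described above. The two reports are constructed to resemble Grype's JSON output; the field layout is an assumption and the CVE IDs are placeholders.

```python
import json

# Constructed scan reports in the shape of Grype's JSON output (assumed; only
# the fields used here are modelled). CVE IDs are placeholders, not real ones.
BASELINE = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "High", "fix": {"state": "fixed"},
                       "cvss": [{"metrics": {"baseScore": 7.5}}]},
     "artifact": {"name": "libfoo", "version": "1.0"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Low", "fix": {"state": "not-fixed"},
                       "cvss": []},
     "artifact": {"name": "libbar", "version": "2.1"}},
]})
# Rescan after rebasing: libfoo was upgraded, but the new base brings libbaz.
RESCAN = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Low", "fix": {"state": "not-fixed"},
                       "cvss": []},
     "artifact": {"name": "libbar", "version": "2.1"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Critical", "fix": {"state": "fixed"},
                       "cvss": [{"metrics": {"baseScore": 9.8}}]},
     "artifact": {"name": "libbaz", "version": "0.9"}},
]})

def load_findings(report):
    """Key each match by (CVE id, package) with its CVSS score and fix state."""
    out = {}
    for m in json.loads(report)["matches"]:
        v, a = m["vulnerability"], m["artifact"]
        scores = [c["metrics"]["baseScore"] for c in v.get("cvss", [])]
        out[(v["id"], a["name"])] = {
            "score": max(scores) if scores else 0.0,  # no CVSS record -> lowest priority
            "severity": v.get("severity", "Unknown"),
            "fixable": v.get("fix", {}).get("state") == "fixed",
            "version": a["version"],
        }
    return out

def compare(baseline, rescan):
    """Return (new, resolved, prioritized): CVEs introduced since the baseline,
    CVEs no longer present, and the open list ordered fixable-first then by score."""
    before, after = load_findings(baseline), load_findings(rescan)
    new = sorted(set(after) - set(before))
    resolved = sorted(set(before) - set(after))
    prioritized = sorted(after, key=lambda k: (not after[k]["fixable"], -after[k]["score"]))
    return new, resolved, prioritized
```

The resolved list is what gets recorded against the SBOM, and the new list is the set of findings the next hardening iteration must address.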