On the Utilized Methods Group within the SEI’s CERT Division, one in all our areas of labor focuses on Docker container photographs that require hardening to take away vulnerabilities. By means of our work, we’ve seen stakeholders encountering problem with hardening open-source container photographs, along with growing routine processes for vulnerability mitigation for Docker container photographs.
Utilizing unvetted container photographs can improve safety dangers by way of the introduction of weak software program into a company’s software program provide chain. For instance, unvetted container photographs may comprise packages with identified Widespread Vulnerabilities and Exposures (CVEs), introducing a possible exploitation vector. As this weblog publish particulars, hardening these container photographs, or deciding on verified pre-hardened container photographs earlier than utilization, decreases the danger of introducing weak software program.
Hardening containers and container photographs entails analyzing their present safety standing after which making use of remediations to iteratively enhance safety. The hardening course of is routine and gives iterative safety monitoring throughout the growth course of. A hardened picture gives a safe sandbox for growth and execution of open-source software program.
The Container Hardening Course of
Determine 1: The iterative container hardening course of for vulnerability detection and remediation.
The method of hardening containers and container photographs begins with a baseline safety scan of the unhardened picture to create a listing of identified vulnerabilities. As soon as this baseline has been made, engineers ought to analyze the picture Dockerfile and exchange any non-standard base photographs with respected base photographs from verified publishers. Following the rebasing, engineers, utilizing container picture options resembling Docker, ought to start the iterative course of to remediate identified bugs whereas scanning for brand new vulnerabilities.
It is advisable to exchange non-standard photographs utilized in a Dockerfile as a result of, as we talked about earlier, photographs can deliver vulnerabilities that may discover their manner into the tip product. This may take the type of weak packages or different dependencies utilized by the picture, however it might probably additionally come because of unsecure practices within the picture itself. To counteract this, rebasing the Dockerfile to make use of photographs from Docker verified publishers resembling Purple Hat permits for extra stability in updates and vulnerability mitigation.
These techniques of scanning and substituting photographs is basically the beginnings of a software program invoice of supplies (SBOM), and this makes it simpler to create and monitor an SBOM. The outputs of every safety scan assist establish the place actions are wanted when new vulnerabilities come to gentle and may be added to the SBOM to keep up its accuracy.
Decreasing Potential Vulnerabilities in Container Photographs
A number of different practices can be employed when rebasing a Dockerfile to additional mitigate dangers and vulnerabilities. For starters, if a Dockerfile doesn’t make use of it already, engineers can implement a multi-stage construct course of. This permits the construct course of to put in the dependencies wanted to construct elements of the service, whereas leaving these construct dependencies behind of their respective levels. Doing this permits the construct course of to deliver solely what’s required for the ultimate picture into the ultimate construct stage. Leaving these runtime-irrelevant dependencies out of the ultimate picture can scale back the picture’s risk floor.
In the identical vein, a extra minimal base picture can be helpful. Constructing a container to serve a database, for instance, is unlikely to want many of the options of a full working system (OS) base picture. A number of frequent base photographs resembling Purple Hat Common Base Picture(UBI), Debian, and Rocky Linux supply stripped-down variations leaving fewer superfluous and doubtlessly weak packages and configurations, and in addition offers the additional benefit of decreasing the dimensions of the ultimate picture. For extra on the subject of decreasing the dimensions of photographs, take a look at this SEI presentation by Kevin Pitstick.
There are just a few different tweaks that may additionally assist in decreasing potential vulnerabilities in container photographs. One in all these is to exchange the usage of the ADD instruction with the COPY instruction wherever potential. ADD and COPY overlap in that they will each be used to maneuver native recordsdata round throughout the picture constructing course of. Nevertheless, ADD has the extra functionality of with the ability to obtain recordsdata referenced by exterior URLs, in addition to unpackage archives. These extra capabilities may be undesirable additions when safety is a priority. Containers must also be set to run as a non-root service consumer when potential, to restrict their means to carry out malicious duties if compromised. Be aware that by default, Docker containers run as root. By operating a container as a non-root service, the precept of least privilege is adopted. It’s additionally follow to outline the service consumer early on in a Dockerfile, switching again to root solely as wanted within the construct course of.
The Significance of Vulnerability Scanning
Vulnerability scanning is a vital step in figuring out vulnerabilities in a container picture. Utilizing instruments resembling Grype and Trivy, safety and infrastructure engineers can routinely run safety scans on open-source photographs along with photographs constructed by way of an automatic pipeline. Creating an automatic course of to routinely scan the container picture is a typical a part of most DevSecOps pipelines and can add larger visibility into vulnerability detection. Routine scanning additionally permits for the institution of a vulnerability baseline and incremental mitigation.
Vulnerability scans sometimes yield a listing of CVEs, which comprise details about the vulnerability and any potential mitigations. A CVE often has a Widespread Vulnerability Scoring System (CVSS) rating, which assesses the severity of the vulnerability. Calculating or trying up the CVSS rating can streamline the method of prioritizing the remediation of vulnerabilities.
Hardening of Docker photographs entails inspection of how the picture is constructed, routinely scanning the constructed picture for vulnerabilities, after which making use of mitigations to the picture constructing course of. The continual means of scanning new revealed photographs helps detect any new vulnerabilities. By establishing a routine course of for hardening photographs, confidence is gained within the manufacturing pipeline ranging from the event stage.
