53. Docker Security Part 1

Published: 26 November 2024
on channel: iMustLearn

Seccomp and syscalls:
------------------------
docker container run -it --name mybuntu ubuntu
docker container exec -it mybuntu /bin/bash
chmod 777 .dockerenv

github:
https://github.com/moby/moby/blob/mas...

wget https://raw.githubusercontent.com/mob...
vi default.json
Delete chmod from the allowed syscall names in default.json
docker container run -it --name myubuntusec --security-opt seccomp=./default.json ubuntu
docker container exec -it myubuntusec /bin/bash
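The edit to default.json above is done by hand in vi; the script below does the same thing programmatically and is an added example, not code from the video or from the Moby project. It assumes the profile has the layout of Moby's default.json (a top-level "defaultAction" plus a "syscalls" list whose entries carry a "names" array and an "action"). Because the downloaded file is not on this page, a small constructed stand-in profile is embedded so the script runs offline; pass the path of the real default.json as the first argument to process that instead.

```python
"""Remove the chmod family from a Docker seccomp profile.

Added example for this page, not code from the video or from Moby.
Assumes the profile uses Moby's default.json layout: a top-level
"defaultAction" and a "syscalls" list of {"names": [...], "action": ...}
rules. SAMPLE_PROFILE below is a constructed stand-in with only a
handful of syscalls, so the script runs offline without the download.
"""
import json
import sys

# The chmod-family syscalls that change file mode bits. Once none of them
# is listed in an allow rule, they fall through to defaultAction.
CHMOD_SYSCALLS = {"chmod", "fchmod", "fchmodat"}

# Constructed stand-in for Moby's default.json (not the real file).
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "defaultErrnoRet": 1,
    "syscalls": [
        {"names": ["chmod", "fchmod", "fchmodat", "read", "write", "exit_group"],
         "action": "SCMP_ACT_ALLOW"},
        {"names": ["mknod", "mknodat"], "action": "SCMP_ACT_ALLOW"},
    ],
}


def drop_syscalls(profile, to_drop):
    """Return a copy of the profile with the given syscall names removed
    from every rule. With Moby's defaultAction of SCMP_ACT_ERRNO, a
    syscall that no rule mentions fails with EPERM inside the container,
    which is exactly what the manual 'delete chmod' edit achieves."""
    out = json.loads(json.dumps(profile))  # deep copy; leave the input intact
    kept_rules = []
    for rule in out.get("syscalls", []):
        rule["names"] = [n for n in rule.get("names", []) if n not in to_drop]
        if rule["names"]:  # a rule with no syscalls left is dropped entirely
            kept_rules.append(rule)
    out["syscalls"] = kept_rules
    return out


def allowed_syscalls(profile):
    """Set of syscall names explicitly listed in SCMP_ACT_ALLOW rules."""
    return {
        name
        for rule in profile.get("syscalls", [])
        if rule.get("action") == "SCMP_ACT_ALLOW"
        for name in rule.get("names", [])
    }


def load_profile(path):
    with open(path) as fh:
        return json.load(fh)


def main(argv):
    # usage: python3 drop_chmod.py default.json > default-nochmod.json
    profile = load_profile(argv[1]) if len(argv) > 1 else SAMPLE_PROFILE
    hardened = drop_syscalls(profile, CHMOD_SYSCALLS)
    json.dump(hardened, sys.stdout, indent=2)
    sys.stdout.write("\n")


if __name__ == "__main__":
    main(sys.argv)
```

The written-out file is what `--security-opt seccomp=./default.json` loads; after the edit, `chmod 777 .dockerenv` inside the container returns "Operation not permitted" instead of succeeding.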

Capabilities:
----------------
docker container run -it --name mybuntu2 ubuntu
mknod test123 c 19 1

docker container run -it --name mybuntucapdrop --cap-drop=MKNOD ubuntu
docker container exec -it mybuntucapdrop /bin/bash
mknod test123 c 19 1

Docker Bench for Security:
-----------------------------
docker run -it --net host --pid host --userns host --cap-add audit_control \
-e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
-v /etc:/etc:ro \
-v /usr/bin/containerd:/usr/bin/containerd:ro \
-v /usr/bin/runc:/usr/bin/runc:ro \
-v /usr/lib/systemd:/usr/lib/systemd:ro \
-v /var/lib:/var/lib:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
--label docker_bench_security \
docker/docker-bench-security