Shulou(Shulou.com)06/01 Report--

Today, the editor will share with you the relevant knowledge points about how to prevent information disclosure in Docker. The content is detailed and the logic is clear. I believe most people still know too much about this knowledge, so share this article for your reference. I hope you can get something after reading this article. Let's take a look at it.

Overview

Containers and Docker make our daily life more convenient, but at the same time, it is also easy to accidentally leak some information to the public and cause security problems. Passwords, cloud credentials and SSH private keys can be leaked if they are not configured properly. Unless a security event policy is established and comprehensive protection is established, there are some cases:

Codecov supply chain attacks:

On April 1, 2021, due to a misconfiguration of a Docker file in Codecov, an attacker could steal credentials and modify the Bash Uploader script used by the customer. The Bash Uploaders was modified by malicious code and environment variables and keys collected from some customers' CI/CD environments were disclosed to an attacker-controlled server.

Affected by this event, the GPG key used by HashiCorp to issue signature and verification has been compromised. At present, the private key has been changed periodically using the rotation mechanism.

Other leaks caused by Docker Hub public images include, but are not limited to:

AWS accounts and credentials, SSH private keys, Azure keys, .npmrc tokens, Docker Hub accounts, PyPI repository keys, SMTP server authentication information, eCAPTCHA passwords, Twitter API keys, Jira keys, Slack keys, and other keys.

COPY method

A common COPY method in DockerFile syntax:

FROM debian:busterCOPY. / app

By default, this statement copies everything in the current directory to the mirror. Files that may contain sensitive information in these contents: such as site .env.

Once sensitive information is placed in a Docker image, it can be seen by any user who can access the image. To prevent the disclosure of sensitive information due to COPY:

Restrict copying: copy only the specific files or directories that are necessary. For example:

COPY setup.py myapp/app

.dockerkeeper: use .dockerkeeper to ensure that sensitive files are not copied into the image. A typical configuration:

NOTICEREADME.mdLICENSEAUTHORS.mdCONTRIBUTING.md.vscode/vendor/env/ENV/build/dist/target/downloads/eggs/.eggs/lib/lib64/parts/sdist/var/Dockerfile.git.editorconfig*.egg-info/.installed.cfg*.egg*.manifest*.spec.gcloudignore.gitignore.tox/.dockerignore.coverage.coverage.*.cachehtmlcov/nosetests.xmlcoverage.xml*,cover.hypothesis/ssh/id_rsa.git-credentialsconfig.*

Avoid manually generating images: the development environment is more likely to involve sensitive files than the CICD automatic generation system, so manually generating public images in the development environment is more likely to lead to disclosure.

Use the CI environment variable: if the CI or build environment needs to make confidential information, you need to configure it in the environment variable instead of accessing it through a file.

Image compilation

Sometimes you need to use secrets when building Docker images, such as passwords to access private package repositories.

FROM python:3.9RUN pip install\-extra-index-url User:pass@priveapk.example\ package privatepackage

Including a user name and password directly in URL will directly cause it to be compromised. You can apply it in the form of environment variables:

Export MYSECRET=secretpasswordexport DOCKER_BUILDKIT=1docker build-secret-secret id=mysecret,env=MYSECRET. Run time

Some passwords need to be accessed while the container is running, such as the credentials to access the database. The same runtime secrets cannot be stored directly in the mirror.

In addition to the accidental disclosure caused by the contents of the image, this configuration stored in the image is also bound to the environment, which makes it difficult for the image to run flexibly. There are several ways to pass secrets to the container when you run the container:

Use environment variables.

The volume that binds the confidential file.

Password management mechanism of orchestration system (such as K8S).

In a public cloud environment, cloud environment variables and authorizations can be used. For example, AWS's IAM role management.

External KeyStore.

Through these mechanisms, runtime sensitive information can be avoided from being stored in the mirror itself.

Security scanning

In addition to some of the above management strategies, another proactive approach is to automatically perform security scans. There are many password scanning tools on the market, which can scan directories or Git repositories, and will alarm directly if they contain sensitive information. Like detect-secrets,trufflehog.

There are also tools for scanning images, such as pentester, which can scan Docker Hub images to find problems.

These are all the contents of this article entitled "how to prevent Information leakage in Docker". Thank you for reading! I believe you will gain a lot after reading this article. The editor will update different knowledge for you every day. If you want to learn more knowledge, please pay attention to the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.