Investigate added capabilities for container host security
We have an opportunity to lead the emerging market in helping customers secure cloud native apps. Two areas of functionality include scanning containers for known vulnerable code (which we do now) and scanning east/west traffic (in the plan). But I've found an article that describes how to protect the container host early in the SDLC. They seem like they would be easy to implement using JSON files, demonstrating added capability with minimal effort.
The attached article StackRox_Whitepaper_HardeningDocker.pdf, could prove very useful.
The first step in using seccomp is to determine all the system calls an application makes when it runs. This process can be a difficult and error-prone exercise that should be conducted when the application is written. Users can use tools like audit to profile all the system calls that it makes by exercising it in different ways. Seccomp policies are defined using JSON files. A sample seccomp policy can be found on page 3-4.
This policy causes an error to be returned when mkdir or chown are executed. The drawback with seccomp is that the profile has to be applied during the launch of the application. (This sounds like something GitLab can overcome.)
The article provides specific instructions to check for the following vulnerabilities on the host:
*unix socket
*volume mounts
*privileged containers
*SSH within containers
*Binding privileged ports
*exposing ports
*Running without default AppArmor/ SELinux or seccomp
*Sharing host namespaces
*Enabling TLS
*Do not set mount propagation mode to shared
*Restrict a container from acquiring new privileges
It goes on to say that "While the practices presented above are effective in making containers and hosts far less susceptible to exploits, the major container security challenges lie within the runtime phase." And it points to the author's site stackrox.com, which we should also explore.
cc: @bikebilly @plafoucriere @markpundsack
Fabio, I'm not sure I gave this issue the proper label. Please correct if needed.