Docker Security: Best Practices for your Vessel and Containers

Docker Security Everything you need to know about Docker security.   Introduction into Docker Operating systems like CoreOS use Docker to run applications on top of their lightweight platform. Docker in its turn, provides utilities around technologies like Linux container technology (e.g. LXC, systemd-nspawn, libvirt). Previously Docker could be described as the “automated LXC”, now it’s actually even more powerful. What it definitely is, is simplifying and enhancing the possibilities of container technology. Continuous delivery Rolling out containers is quick […]

Read more

Linux Capabilities 101

Linux Capabilities 101 Tutorial about how capabilities work in Linux Even seasoned Linux administrators may not see capabilities a lot in their daily duties, but they are still used all the time. This features was added to Linux 2.2 and gave us new possibilities regarding security. In this guide we have an in-depth look on how can leverage them to increase security. The problem It is good to know why capabilities were implemented at the first place. Let’s assume we […]

Read more

Linux Capabilities: Hardening Linux binaries by removing setuid

Linux Capabilities Hardening Linux binaries by removing setuid Normally Unix based systems use two kind of processes: privileged and unprivileged. The first category is usually used for administrative purposes, like starting and stopping other processes, tuning the kernel and opening sockets. Root permissions The command ping is a great example why even small programs needs root permissions. In a first glance you might consider this tool to be simple: send a package to a host and see if it responds. The […]

Read more

How and why Linux daemons drop privileges

How and why Linux daemons drop privileges In this article we have a look at the privileges of Linux daemons and dropping privileges in particular. The samples provided are in C. Why drop privileges? Some daemons need root permissions to start. This happens for example when a daemon wants to bind to a low port (<1024). However running network based daemons with root permissions is considered to be a serious risk. In case of compromise of the process, an attacker […]

Read more