Methods to Audit Docker Container Security

Container adoption is off the charts. With more enterprises passing valuable data through these containers, security has become a chief priority for maintaining stability and for meeting new international data regulations such as GDPR.

A 2018 Sysdig report shows 83 percent of containers in use are Docker containers. Others, including CoreOS, Mesos and Linux, are slicing a little off the pie chart, but Docker still makes up the most sizable chunk of container usage.

A Validation Approach to Docker Security

So how do we keep Docker containers secure in today’s turbulent digital landscape? One way is to use detection software that scans Docker images to search for vulnerabilities. Docker auditing engines focus on discovering common vulnerabilities and exposures (CVE), often utilizing benchmarks set in databases such as the National Vulnerability Database (NVD).

Rather than code your own threat discovery software, many open source tools such as Docker Bench, Clair, Cilium, Dagda and others exist to save you the hassle. One in particular—Anchore—boasts an impressive feature set, with sturdy adoption and what appears to be a stable history of maintenance.

Introduction to Anchore Engine for Docker Image Auditing

The open source Anchore tool can be used to validate Docker images: images are downloaded and then evaluated against policies defined by the user.

“The Anchore Engine is an open source project that provides a centralized service for inspection, analysis and certification of container images.”

Run Anchore standalone or on an orchestration platform such as Kubernetes. You can also invoke it through a CLI or call it over a REST API.

Working with the Engine Via the CLI

First off, Anchore is distributed as a Docker image. You’ll also need a PostgreSQL database for persistent storage.

The CLI is an easy way to engage with the Anchore Engine, so let’s see what sample calls can be made to perform Docker image auditing functions.

To begin with, the documentation describes how to pass credentials as command-line options:

--u   TEXT   Username     eg. admin1
--p   TEXT   Password     eg. foofoo
--url TEXT   Service URL  eg. http://localhost:8001/v1

Of course, setting environment variables is an easy way to avoid repeating these options on every call, and it keeps the password off the command line:

ANCHORE_CLI_URL=http://myserver.example.com:8001/v1
ANCHORE_CLI_USER=admin1
ANCHORE_CLI_PASS=foofoo

Once credentials are stored, this command will add a Docker image to Anchore Engine:

anchore-cli image add docker.io/library/debian:latest

Next, this will obtain the results from a vulnerability scan:

anchore-cli image vuln docker.io/library/debian:latest os

It also helps to keep updated when new CVEs are added to the system. A helpful trigger is the webhook—you can subscribe to receive notifications with this command:

anchore-cli subscription activate vuln_update docker.io/library/debian:latest

Want to know more about the OS behind an image? This command will return OS types used in a container:

anchore-cli image content docker.io/library/debian:latest os

Diving deeper in the documentation, users can discover how to create custom policies. Adding a policy bundle to Anchore can be done through the CLI:

anchore-cli policy add /path/to/policy/bundle.json

Such a bundle may look something like the following JSON object, and can contain multiple policies:

{
  "name": "DefaultPolicy", 
  "version": "1_0",
  "comment": "Policy for basic checks", 
  "id": "ba6daa06-da3b-46d3-9e22-f01f07b0489a", 
  "rules": [
    {
      "action": "STOP", 
      "gate": "vulnerabilities", 
      "id": "80569900-d6b3-4391-b2a0-bf34cf6d813d", 
      "params": [
        { "name": "package_type", "value": "all" }, 
        { "name": "severity_comparison", "value": ">=" }, 
        { "name": "severity", "value": "medium" }
      ], 
      "trigger": "package"
    }
  ]
}
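
To see how the rule above turns scan results into a pass or fail, the following added example (not Anchore's code and not from the original article) models the vulnerabilities/package rule in Python. The findings, their field names and the severity ranking are constructed assumptions.

```python
import json

# Assumed severity ranking for this model, lowest to highest.
SEVERITIES = ["unknown", "negligible", "low", "medium", "high", "critical"]
COMPARE = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b, "=": lambda a, b: a == b,
           "<=": lambda a, b: a <= b, "<": lambda a, b: a < b}

# The rule from the article's policy, reduced to the fields this model reads.
POLICY = json.loads("""{
  "name": "DefaultPolicy",
  "rules": [{
    "action": "STOP", "gate": "vulnerabilities", "trigger": "package",
    "params": [
      {"name": "package_type", "value": "all"},
      {"name": "severity_comparison", "value": ">="},
      {"name": "severity", "value": "medium"}
    ]
  }]
}""")

# Constructed scan findings (placeholder IDs, hypothetical field names).
FINDINGS = [
    {"id": "EXAMPLE-0001", "package": "libfoo", "type": "os", "severity": "Low"},
    {"id": "EXAMPLE-0002", "package": "libbar", "type": "os", "severity": "Medium"},
    {"id": "EXAMPLE-0003", "package": "baz", "type": "python", "severity": "High"},
    {"id": "EXAMPLE-0004", "package": "qux", "type": "os", "severity": "Negligible"},
]

def rank(severity):
    """Position in SEVERITIES; unrecognised labels rank as 'unknown'."""
    s = severity.lower()
    return SEVERITIES.index(s) if s in SEVERITIES else 0

def rule_hits(rule, findings):
    """Return the findings that fire one vulnerabilities/package rule."""
    p = {x["name"]: x["value"] for x in rule["params"]}
    cmp_fn = COMPARE[p["severity_comparison"]]  # KeyError on an unsupported operator
    return [f for f in findings
            if p["package_type"] in ("all", f["type"])
            and cmp_fn(rank(f["severity"]), rank(p["severity"]))]

def evaluate(policy, findings):
    """Final result is 'fail' if any rule with action STOP fires."""
    fired = []
    for rule in policy["rules"]:
        if (rule["gate"], rule["trigger"]) == ("vulnerabilities", "package"):
            fired += [(rule["action"], f["id"]) for f in rule_hits(rule, findings)]
    result = "fail" if any(action == "STOP" for action, _ in fired) else "pass"
    return result, fired
```

With the constructed findings, the Medium and High entries fire the rule and the image fails; the Low and Negligible entries alone would pass.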

Benefits of Container Auditing with Anchore

We’ve hardly scratched the surface of Docker container auditing. From custom policies to whitelists and mappings, Anchore has many features that can be used to automate container analysis and tailor checks to your environment.

The Anchore feed collates many data sources, such as Linux Distributions, Software Package Repositories and the NIST National Vulnerability Database (NVD). Default polling is set to every six hours for updated CVE information. A wide breadth of data sources means quality coverage for many types of vulnerabilities.

Integrating this kind of container auditing into a CI/CD pipeline can help reduce risk by ensuring these quality assurance checks run with each new build.
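
One way to wire these checks into a build step, as an added example that is not part of the original article or the Anchore project: it chains the CLI calls shown earlier with `anchore-cli image wait` and `anchore-cli evaluate check`, and fails closed if any step errors. The `run_cli` and `gate_image` names and the exit-code mapping are assumptions of this example.

```python
import subprocess
import sys

def run_cli(args):
    """Run anchore-cli; credentials come from the ANCHORE_CLI_* variables."""
    return subprocess.run(["anchore-cli", *args]).returncode

def gate_image(image, run=run_cli):
    """Return 0 if the image passes policy, 1 if it fails, 2 on a tooling error."""
    # Reject empty references and ones the CLI could parse as an option.
    if not image or image.startswith("-"):
        return 2
    # Submit the image, then block until the engine has finished analysing it.
    for step in (["image", "add", image], ["image", "wait", image]):
        if run(step) != 0:
            return 2  # fail closed: an unreachable engine must not pass the build
    # Write the OS package vulnerabilities into the build log for reviewers.
    if run(["image", "vuln", image, "os"]) != 0:
        return 2
    # Assumption: a non-zero exit from `evaluate check` means the policy
    # evaluation did not pass, so the build is stopped.
    return 0 if run(["evaluate", "check", image]) == 0 else 1

if __name__ == "__main__" and len(sys.argv) == 2:
    sys.exit(gate_image(sys.argv[1]))
```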

Final Thoughts

In this post, we’ve reviewed one open source method for analyzing Docker containers. Enterprises may have once viewed containerization as an insecure act; however, the tide is changing—swiftly—and DevSecOps approaches must evolve. As Sysdig reports:

“The ephemeral nature of containers left many concerned about running services that collect valuable corporate data in containers. The concern appears to be easing as the data suggests customers are beginning to move to environments completely driven by containers.”

Container security auditing is a natural component to ensuring these fears aren’t supplanted by real breaches. An open source option such as Anchore can at least be used to meet QA expectations, while also preventing vendor lock-in.

Bill Doerrfeld

Bill Doerrfeld is a tech journalist and analyst. His beat is cloud technologies, specifically the web API economy. He began researching APIs as an Associate Editor at ProgrammableWeb, and since 2015 has been the Editor at Nordic APIs, a high-impact blog on API strategy for providers. He loves discovering new trends, interviewing key contributors, and researching new technology. He also gets out into the world to speak occasionally.
