Locking Down the Kernel and Securing the Container

Containers have taken the place of virtual machines as the go-to technology when multiple programs must run in isolation from one another on a single server. Virtual machines made practices such as cloud computing and web hosting possible. With virtual machines, the operating system and program code are packaged together, and each guest operating system runs as if it had the server to itself. In reality, it shares a single server with several other operating-system-plus-program packages, which is made possible by the host operating system. If this sounds confusing, think of it this way: several virtual machines are running independently of one another on the same server.

While this approach solved many problems in computing, it also has some major issues—namely, the processing overhead required to run numerous emulated servers. Most laptops today are not capable of running multiple virtual machines efficiently.


This is where container technology has stepped in. “Container tech has become extremely popular over the last decade with large corporations such as Amazon and Google jumping on board,” says Chael Anderson, a tech writer at Australia2write and Nextcoursework.

What Is a Container?

To avoid the heavy compute cost associated with virtual machines, a container holds only the application and the namespaces it needs. The application interacts directly with the host operating system. To be clear, the only operating system on the server is the host, and it is the host that interacts with the containers. To use containers, a shared component called the kernel is required.

What Is a Kernel?

A kernel acts as a middle man between the host operating system and a container. In fact, many containers may share a single kernel. The kernel limits which programs can access which data. For example, it may not be desirable for program A to have full access to the data stored within program B, even though the two will need to share some information at some point. The operating system, on the other hand, has full access to all data in kernel mode (when all memory is accessible).

“Any compromise to kernel security can lead to major issues in regards to sensitive data. Although container technology has made computing less costly than the previous virtual machine approach, it has created a new type of security concern,” writes Josh Playfair, a web developer at Britstudent and Writemyx.

Next, we will look at some things to keep in mind when locking down a kernel to secure the container.

Locking Down the Kernel

Failure to lock down a kernel can result in a wide variety of issues, the most damaging being a malicious actor gaining access to parts of a container they were not meant to. Here are some best practices for preventing this.

Keep the kernel updated: The kernel should be updated to the newest version as soon as the host is created. The issue is not usually with the kernel itself, but rather with the containers. It is not uncommon for containers to have vulnerabilities. Although these vulnerabilities are usually resolved quickly, failing to update to the latest version still leaves the container exposed to them. Checking whether the latest kernel is installed is simple; it requires running the code shown below:
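As an added example (not the article's own code), the script below checks one half of the "latest kernel" question that a container host can answer offline: whether the kernel actually running (`uname -r`) is the newest kernel image installed on disk. A host that was patched but never rebooted still runs the old kernel, and every container on it shares that old kernel. The example assumes a distribution that installs kernel images as `/boot/vmlinuz-<release>` and that `sort -V` (GNU coreutils version ordering) is available; whether a newer kernel package exists in the repositories is a separate check that belongs to the package manager.

```shell
#!/bin/sh
# Added example, not from the article. Compares the running kernel release
# with the newest kernel image installed under /boot (assumed path layout).
# The comparison helpers take version strings as input so they can be
# exercised against constructed data without a real /boot directory.

# Print the highest release from a list of kernel release strings
# (one per line) using GNU 'sort -V' natural version ordering.
newest_installed() {
    sort -V | tail -n 1
}

# Return 0 if the running release ($1) is at least as new as the newest
# installed release ($2), 1 otherwise.
running_is_current() {
    running="$1"
    newest="$2"
    top=$(printf '%s\n%s\n' "$running" "$newest" | sort -V | tail -n 1)
    [ "$top" = "$running" ]
}

# Derive installed kernel releases from /boot/vmlinuz-* file names.
installed_kernels() {
    for img in /boot/vmlinuz-*; do
        [ -e "$img" ] || continue
        printf '%s\n' "${img#/boot/vmlinuz-}"
    done
}

# Report whether this host needs a reboot into a newer installed kernel.
check_host_kernel() {
    running=$(uname -r)
    newest=$(installed_kernels | newest_installed)
    if [ -z "$newest" ]; then
        echo "no kernel images found under /boot; cannot compare" >&2
        return 2
    fi
    if running_is_current "$running" "$newest"; then
        echo "running kernel $running is the newest installed ($newest)"
    else
        echo "running $running but $newest is installed; reboot into the new kernel" >&2
        return 1
    fi
}

# Usage: sh kernel-check.sh --host   (only touches the real system when asked)
if [ "${1:-}" = "--host" ]; then
    check_host_kernel
fi
```

A non-zero exit from `check_host_kernel` is a cheap signal to feed into a host-monitoring job: it distinguishes "patch applied" from "patch in effect", which is the state that matters for every container sharing the kernel.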

Use only SSH key authentication and remove the root user: The purpose of doing this is simple: if a container escapes isolation, we do not want the special privileges of the root user exposed on the host.

Furthermore, SSH password authentication is, by design, insecure and is best disabled. To disable SSH password authentication, execute the following code:
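As an added example (not the article's own code), the script below turns off password authentication and root login in an OpenSSH server configuration and then verifies the effective values. Two details matter for a defender: `sshd` uses the first value it reads for each keyword, so hardened settings must be prepended rather than appended, and commented-out directives such as `#PasswordAuthentication yes` must not be mistaken for the live setting. The functions take the configuration path as a parameter so they can be run against a constructed copy; the live path `/etc/ssh/sshd_config`, the `sshd -t` syntax check and the `ssh`/`sshd` service names are assumptions about a typical Linux host.

```shell
#!/bin/sh
# Added example, not from the article. Hardens an sshd_config file so that
# password and root logins are off and public-key authentication is on,
# then checks the values sshd would actually use (first match wins).

# Print the effective (first non-comment) value of keyword $2 in file $1.
# Keywords are matched case-insensitively, as sshd does.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Rewrite $1 in place: prepend the hardened directives and drop every
# existing line (commented or not) for the same keywords so nothing stale
# can shadow them. Directives inside Match blocks are not handled here.
harden_sshd_config() {
    cfg="$1"
    [ -r "$cfg" ] || return 1
    tmp="${cfg}.tmp.$$"
    {
        printf '%s\n' \
            'PasswordAuthentication no' \
            'KbdInteractiveAuthentication no' \
            'ChallengeResponseAuthentication no' \
            'PermitRootLogin no' \
            'PubkeyAuthentication yes'
        grep -Eiv '^[[:space:]]*#?[[:space:]]*(PasswordAuthentication|KbdInteractiveAuthentication|ChallengeResponseAuthentication|PermitRootLogin|PubkeyAuthentication)([[:space:]]|$)' "$cfg" || :
    } > "$tmp" && mv "$tmp" "$cfg"
}

# Return 0 only if file $1 carries the hardened values as its effective settings.
verify_hardened() {
    [ "$(effective_value "$1" PasswordAuthentication)" = "no" ] &&
    [ "$(effective_value "$1" PermitRootLogin)" = "no" ] &&
    [ "$(effective_value "$1" PubkeyAuthentication)" = "yes" ]
}

# Apply to the live host: back up, harden, validate syntax, then reload.
# Keep the current session open until a fresh key-based login succeeds.
apply_to_host() {
    cfg=/etc/ssh/sshd_config                      # assumed location
    cp "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)" || return 1
    harden_sshd_config "$cfg" || return 1
    verify_hardened "$cfg" || return 1
    sshd -t || return 1                           # syntax check before reload
    systemctl reload ssh 2>/dev/null || systemctl reload sshd   # service name varies by distro
}

# Usage: sh ssh-harden.sh --host   (only touches the real system when asked)
if [ "${1:-}" = "--host" ]; then
    apply_to_host
fi
```

After a reload, `sshd -T` prints the fully resolved configuration and is the authoritative check, since it also accounts for included files and Match blocks that this file-level edit does not parse. Locking the root account itself (for example with `passwd -l root`) is a separate, distribution-specific step that this example does not perform.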

Use container security tools: Many good container security tools scan images and alert the user when a container has a known security issue. Docker is one of the most popular platforms offering this service.

The three tips listed above are among the simplest yet most effective ways to lock down a kernel and ensure container security. That said, no container is ever fully secure or safe from attack, so continuous monitoring is essential. Those concerned with container security should also look into host security; the two topics go hand in hand in information security.

Michael Dehoyos

Michael Dehoyos is a content marketer and editor at Phd Kingdom and Academic brits. He assists companies in their marketing strategy concepts, and contributes to numerous sites and publications. Also, he is a writer at Origin Writings.
