2023-12-22 11:54:01 +01:00
|
|
|
Exposing administration services can lead to unauthorized access to containers
|
|
|
|
|
or escalation of privilege inside of containers.
|
2022-11-25 16:40:13 +01:00
|
|
|
|
2023-05-25 14:18:12 +02:00
|
|
|
A port that is commonly used for administration services is marked as being open
|
|
|
|
|
through the `EXPOSE` command. Administration services like SSH might contain
|
|
|
|
|
vulnerabilities, hard-coded credentials, or other security issues that increase
|
|
|
|
|
the attack surface of a Docker deployment. +
|
|
|
|
|
Even if the ports of the services do not get forwarded to the host system, by
|
|
|
|
|
default they are reachable from other containers in the same network. A
|
|
|
|
|
malicious actor that gets access to one container could use such services to
|
|
|
|
|
escalate access and privileges.
|
|
|
|
|
|
|
|
|
|
Removing the `EXPOSE` command is not sufficient to be secure. The port is still
|
|
|
|
|
open and the service accessible. To be secure, no administration services should
|
|
|
|
|
be started. Instead, try to access the required information from the host system.
|
|
|
|
|
For example, if the administration service is included to access logs or debug
|
|
|
|
|
a service, you can do this from the host system instead. Docker allows you to
|
|
|
|
|
read out any file that is inside of a container and to spawn a shell inside of
|
|
|
|
|
a container if necessary.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
== Ask Yourself Whether
|
|
|
|
|
|
|
|
|
|
* The container starts an administration service.
|
|
|
|
|
|
|
|
|
|
There is a risk if you answered yes to the question.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
== Recommended Secure Coding Practices
|
|
|
|
|
|
|
|
|
|
* Do not start SSH, VNC, RDP or similar administration services in containers.
|
2022-11-25 16:40:13 +01:00
|
|
|
|
|
|
|
|
|
|
|
|
|
== Sensitive Code Example
|
|
|
|
|
|
|
|
|
|
[source,docker]
|
|
|
|
|
----
|
|
|
|
|
FROM ubuntu:22.04
|
|
|
|
|
# Sensitive
|
|
|
|
|
EXPOSE 22
|
|
|
|
|
CMD ["/usr/sbin/sshd", "-f", "/etc/ssh/sshd_config", "-D"]
|
|
|
|
|
----
|
|
|
|
|
|
2023-12-22 11:54:01 +01:00
|
|
|
include::../see.adoc[]
|
2023-05-25 14:18:12 +02:00
|
|
|
|
|
|
|
|
* https://docs.docker.com/engine/reference/builder/#expose[Dockerfile reference] - EXPOSE
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
|
|
|
|
|
|
'''
|
|
|
|
|
== Implementation Specification
|
|
|
|
|
(visible only on this page)
|
|
|
|
|
|
2023-12-22 11:54:01 +01:00
|
|
|
include::../message.adoc[]
|
2023-05-25 14:18:12 +02:00
|
|
|
|
2023-12-22 11:54:01 +01:00
|
|
|
include::../highlighting.adoc[]
|
2023-05-25 14:18:12 +02:00
|
|
|
|
2024-12-05 14:40:40 +01:00
|
|
|
include::../parameters.adoc[]
|
2024-10-25 09:02:44 +02:00
|
|
|
|
2023-05-25 14:18:12 +02:00
|
|
|
'''
|
|
|
|
|
|
|
|
|
|
endif::env-github,rspecator-view[]
|
