Suppose I run a Docker container carrying malware on my Linux machine; what damage could it do?
What is the list of security concerns of running Docker with respect to CPU, memory, disk I/O, network I/O, the system, ...?
My first guesses (to be completed):
The container will be able to burn my CPU, since there is no way to limit the CPU percentage a container can use.
It also has direct access to my Linux kernel, which is probably not good either (if it is not locked down with SELinux).
Could it fill up my disk completely or inject junk into memory?
Answer:
Yes, it can access your kernel, so basically you have little protection, as you can see here.
As for burning your CPU, some motherboards shut the computer down when the CPU reaches a certain temperature to avoid "burning" the CPU (if that is what you are talking about).
There are some measures you can take to improve security, as you can see here:
SELinux – Enabling this will automatically generate an MCS label for each container, limiting its ability to do damage.
Read-Only – You can also mark the container read-only, which can allow you to make large portions of the container's image read-only, which can make it harder for an attacker to deploy malware.
Self-Hosted Registry – To reduce the risk of image tampering, loading malicious containers, leaking secrets, or otherwise putting yourself at risk you can host a registry internally. 07002 is an example of one which sits on top of S3, though there are other options as well.
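As an added example (not part of the original answer), a small Python audit that reads `docker inspect` JSON and flags the gaps discussed above: a writable root filesystem, missing CPU, memory and pids limits, extra capabilities, and missing SELinux confinement. The two inspect documents below are constructed samples, not captured from a real host.

```python
import json

# Constructed samples in the shape of `docker inspect <container>` output,
# trimmed to the fields this audit reads (not captured from a real host).
DEFAULT_RUN = json.dumps([{
    "Id": "constructed-default-run",
    "ProcessLabel": "",
    "HostConfig": {"Privileged": False, "ReadonlyRootfs": False, "NanoCpus": 0,
                   "CpuQuota": 0, "Memory": 0, "PidsLimit": None,
                   "SecurityOpt": None, "CapAdd": ["SYS_ADMIN"]},
}])

HARDENED_RUN = json.dumps([{
    "Id": "constructed-hardened-run",
    "ProcessLabel": "system_u:system_r:container_t:s0:c123,c456",
    "HostConfig": {"Privileged": False, "ReadonlyRootfs": True, "NanoCpus": 500000000,
                   "CpuQuota": 0, "Memory": 268435456, "PidsLimit": 200,
                   "SecurityOpt": ["no-new-privileges"], "CapAdd": None},
}])


def audit_container(inspect_json):
    """Return a list of findings for the first container in `docker inspect` output."""
    data = json.loads(inspect_json)[0]
    host = data.get("HostConfig", {})
    findings = []
    if host.get("Privileged"):
        findings.append("privileged: unrestricted device and capability access to the host kernel")
    if not host.get("ReadonlyRootfs"):
        findings.append("writable root filesystem: malware can persist and fill the disk (use --read-only)")
    if not host.get("NanoCpus") and not host.get("CpuQuota"):
        findings.append("no CPU limit: container can consume every core (use --cpus)")
    if not host.get("Memory"):
        findings.append("no memory limit: container can exhaust host RAM (use --memory)")
    if not host.get("PidsLimit"):
        findings.append("no pids limit: a fork bomb can starve the host (use --pids-limit)")
    if not data.get("ProcessLabel"):
        findings.append("no SELinux process label: container is not MCS-confined")
    secopt = host.get("SecurityOpt") or []
    if any(o in ("label=disable", "label:disable") for o in secopt):
        findings.append("SELinux labeling explicitly disabled for this container")
    if "seccomp=unconfined" in secopt:
        findings.append("seccomp disabled: full syscall surface exposed to the kernel")
    for cap in host.get("CapAdd") or []:
        findings.append("extra capability granted: " + cap)
    return findings


if __name__ == "__main__":
    for label, sample in (("default", DEFAULT_RUN), ("hardened", HARDENED_RUN)):
        print(label + ":", audit_container(sample) or ["no findings"])
```

On a real host, pipe `docker inspect <container>` into `audit_container` to get the same report for a running container.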