Hardens Docker containers for production per CIS Docker Benchmark v1.8.0, covering daemon config, secure Dockerfiles with multi-stage builds, and runtime flags for least privilege and isolation.
npx claudepluginhub killvxk/cybersecurity-skills-zhThis skill uses the workspace's default tool permissions.
对生产环境 Docker 容器进行安全加固,涵盖符合 CIS Docker Benchmark v1.8.0 的安全最佳实践,旨在最小化攻击面、防止权限提升,并在 Docker daemon、镜像、容器和运行时配置中强制执行最小权限原则。
Hardens Docker containers for production using CIS Benchmark v1.8.0: non-root users, read-only rootfs, capability drops, seccomp, and multi-stage distroless builds.
Hardens Docker containers for production using CIS Benchmark v1.8.0 practices: daemon config, trusted images, runtime restrictions, non-root users, and seccomp/AppArmor.
Hardens Docker container images using multi-stage builds, distroless bases, non-root users, package removal, and CIS benchmarks for minimal attack surface and production security.
Share bugs, ideas, or general feedback.
对生产环境 Docker 容器进行安全加固,涵盖符合 CIS Docker Benchmark v1.8.0 的安全最佳实践,旨在最小化攻击面、防止权限提升,并在 Docker daemon、镜像、容器和运行时配置中强制执行最小权限原则。
# 使用特定摘要以确保可重现性
FROM python:3.12-slim@sha256:abc123... AS builder
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir --user -r requirements.txt
# 生产阶段——最小镜像
FROM gcr.io/distroless/python3-debian12
# 仅复制必要的工件
COPY --from=builder /root/.local /root/.local
COPY --from=builder /app /app
WORKDIR /app
# 创建非 root 用户
USER 65534:65534
# 设置只读文件系统预期
LABEL org.opencontainers.image.source="https://github.com/org/app"
ENTRYPOINT ["python", "app.py"]
{
"icc": false,
"log-driver": "json-file",
"log-opts": {
"max-size": "10m",
"max-file": "3"
},
"live-restore": true,
"userland-proxy": false,
"no-new-privileges": true,
"default-ulimits": {
"nofile": {
"Name": "nofile",
"Hard": 64000,
"Soft": 64000
},
"nproc": {
"Name": "nproc",
"Hard": 1024,
"Soft": 1024
}
},
"seccomp-profile": "/etc/docker/seccomp-default.json",
"tls": true,
"tlscacert": "/etc/docker/tls/ca.pem",
"tlscert": "/etc/docker/tls/server-cert.pem",
"tlskey": "/etc/docker/tls/server-key.pem",
"tlsverify": true
}
docker run -d \
--name production-app \
--read-only \
--tmpfs /tmp:rw,noexec,nosuid,size=100m \
--tmpfs /var/run:rw,noexec,nosuid,size=10m \
--cap-drop ALL \
--cap-add NET_BIND_SERVICE \
--security-opt no-new-privileges:true \
--security-opt seccomp=/etc/docker/seccomp-default.json \
--security-opt apparmor=docker-default \
--pids-limit 100 \
--memory 512m \
--memory-swap 512m \
--cpus 1.0 \
--user 65534:65534 \
--network custom-bridge \
--restart on-failure:3 \
--health-cmd "curl -f http://localhost:8080/health || exit 1" \
--health-interval 30s \
--health-timeout 10s \
--health-retries 3 \
myapp:latest
export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER=https://notary.example.com
# 签名并推送镜像
docker trust sign myregistry.com/myapp:v1.0.0
# 拉取前验证镜像签名
docker trust inspect --pretty myregistry.com/myapp:v1.0.0
# 为 Docker 文件和目录添加审计规则
cat >> /etc/audit/rules.d/docker.rules << 'EOF'
-w /usr/bin/docker -k docker
-w /var/lib/docker -k docker
-w /etc/docker -k docker
-w /lib/systemd/system/docker.service -k docker
-w /lib/systemd/system/docker.socket -k docker
-w /etc/default/docker -k docker
-w /etc/docker/daemon.json -k docker
-w /usr/bin/containerd -k docker
-w /usr/bin/runc -k docker
EOF
systemctl restart auditd
# 运行 Docker Bench Security
docker run --rm --net host --pid host \
--userns host --cap-add audit_control \
-e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
-v /etc:/etc:ro \
-v /usr/bin/containerd:/usr/bin/containerd:ro \
-v /usr/bin/runc:/usr/bin/runc:ro \
-v /usr/lib/systemd:/usr/lib/systemd:ro \
-v /var/lib:/var/lib:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
docker/docker-bench-security
# 检查 Dockerfile
hadolint Dockerfile
# 检查构建的镜像
dockle myapp:latest
# 验证没有以 root 运行的容器
docker ps -q | xargs docker inspect --format '{{.Id}}: User={{.Config.User}}'
| 控制 | 实现方式 | CIS 章节 |
|---|---|---|
| 非 root 用户 | Dockerfile 中的 USER 指令 | 4.1 |
| 只读根文件系统 | --read-only 标志 | 5.12 |
| 删除能力 | --cap-drop ALL | 5.3 |
| 资源限制 | --memory、--cpus、--pids-limit | 5.10 |
| 禁止获取新权限 | --security-opt no-new-privileges | 5.25 |
| 内容信任 | DOCKER_CONTENT_TRUST=1 | 4.5 |
| Daemon TLS | daemon.json TLS 配置 | 2.6 |
| 审计日志 | auditd 规则 | 1.1 |