Adapt hardening for container environments #125
Comments
So I don't want to be that guy, however, I think that hardening has a lot to do with managing the running processes. And a container should ideally only have a single process running. If you have an entire OS within a container, I say you're doing it wrong... There are of course a lot of things to do to make a container more secure if you happen to require a less than minimal OS in there, but should that really be something to focus on?
@timstoop the idea of a single-process, short-lived container is the idea completely behind docker, but if you take a look at the way "old" lxc containers are used: they are more like a usual traditional system, but with a kernel-shared virtualization style. For docker-based environments, you still have a lot of use cases where generic distro images are used. Sometimes people might want to apply hardening in such cases. Besides that, this idea is a very good way from the CI testing perspective: you can test parts of this module on different docker images (see kitchen-dokken usage in chef-os-hardening)
@artem-sidorenko Do you think we should continue on this? Right now the
Some rules cannot be implemented in container setups (docker, lxc), e.g. kernel settings.
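The kind of check the issue asks for, as an added example that is not part of the project's code: a POSIX shell snippet that detects a container environment from the usual markers (/.dockerenv, /run/.containerenv, /run/systemd/container, the cgroup path of PID 1) and then skips rule categories that change kernel state (sysctl, module blacklists) while still applying file-level rules. The rule list, the category names and the detection heuristics are assumptions made for this demonstration, and the detection function takes a root directory argument so it can be exercised against a constructed tree rather than only against the live host.

```shell
#!/bin/sh
# Added example (not the project's code): decide whether a hardening rule
# can take effect on this host, skipping kernel-level rules inside a
# container, where /proc/sys belongs to the shared host kernel.

# Heuristic container detection against a root directory ("/" on a live
# host; a constructed tree in tests). Prints the detected kind and returns
# 0 when a marker is found, 1 otherwise.
detect_container() {
    root="${1:-/}"
    # Docker writes /.dockerenv; podman writes /run/.containerenv.
    [ -f "$root/.dockerenv" ] && { echo docker; return 0; }
    [ -f "$root/run/.containerenv" ] && { echo podman; return 0; }
    # systemd records the container kind (docker, lxc, ...) in this file.
    if [ -r "$root/run/systemd/container" ]; then
        cat "$root/run/systemd/container"; return 0
    fi
    # cgroup v1 paths of PID 1 name the runtime (docker, lxc, containerd).
    if [ -r "$root/proc/1/cgroup" ] && \
       grep -qE '/(docker|lxc|containerd)[/-]' "$root/proc/1/cgroup"; then
        echo cgroup; return 0
    fi
    return 1
}

# Rule categories (assumed names) that change kernel state and therefore
# cannot be applied from inside a container.
KERNEL_RULE_CATEGORIES="sysctl modprobe"

# should_apply CATEGORY ROOT -> 0 if the rule may run, 1 if it is skipped
should_apply() {
    category="$1"; root="${2:-/}"
    if detect_container "$root" >/dev/null; then
        for kc in $KERNEL_RULE_CATEGORIES; do
            [ "$category" = "$kc" ] && return 1
        done
    fi
    return 0
}

# Constructed rule list for the demonstration: "category description".
RULES='sysctl net.ipv4.ip_forward=0
sysctl kernel.kptr_restrict=2
modprobe blacklist cramfs
file /etc/login.defs UMASK 027
file /etc/ssh/sshd_config PermitRootLogin no'

# plan ROOT -> one "APPLY"/"SKIP" line per rule (dry run, changes nothing)
plan() {
    root="${1:-/}"
    printf '%s\n' "$RULES" | while read -r category rest; do
        if should_apply "$category" "$root"; then
            echo "APPLY $category $rest"
        else
            echo "SKIP  $category $rest (kernel setting; container environment)"
        fi
    done
}

# count_skipped ROOT -> number of rules the plan would skip
count_skipped() {
    plan "$1" | grep -c '^SKIP' || true
}

# Stand-alone usage: show the plan for the live host.
[ "${0##*/}" = "hardening_plan.sh" ] && plan /
```

Running `plan /` on a Docker or LXC host prints SKIP for the three kernel rules and APPLY for the two file rules; on a bare host everything is APPLY. Markers such as /.dockerenv can be absent in rootless or unusual runtimes, so a real module would combine this with the harness it already uses (kitchen-dokken in the CI case) rather than trusting one marker alone.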