diff --git a/docs/security/docker-security-findings.md b/docs/security/docker-security-findings.md new file mode 100644 index 0000000..69048f8 --- /dev/null +++ b/docs/security/docker-security-findings.md 
@@ -0,0 +1,255 @@ +# Docker Security Audit Findings + +**Date:** 2025-11-11 +**Audit Tool:** playbooks/audit_docker.yml +**Audited Hosts:** pihole, mymx + +--- + +## Executive Summary + +Docker security audits completed on 2 hosts running containerized services. Total of **25 containers** audited across both hosts. + +### Overall Security Posture + +| Host | Containers | CRITICAL | HIGH | MEDIUM | LOW | Status | +|------|-----------|----------|------|--------|-----|--------| +| **pihole** | 1 | 0 | 0 | 2 | 1 | 🟡 Acceptable | +| **mymx** | 24 | 1 | 1 | 2 | 1 | 🔴 Needs Review | + +--- + +## Detailed Findings + +### pihole (192.168.122.12) + +**Docker Version:** 28.3.3 +**Storage Driver:** overlay2 +**Security Options:** apparmor, seccomp, cgroupns + +#### Findings Summary +- ✅ **No privileged containers** +- ✅ **No host network mode containers** +- âš ī¸ User namespace remapping not configured +- âš ī¸ Containers without resource limits +- â„šī¸ 1 image using :latest tag + +#### Recommendations +1. Enable user namespace remapping in `/etc/docker/daemon.json` +2. Set memory and CPU limits on pi-hole container +3. Pin pi-hole image to specific version tag + +--- + +### mymx (192.168.122.119) + +**Docker Version:** 28.5.1 +**Storage Driver:** overlay2 +**Security Options:** apparmor, seccomp, cgroupns +**Application:** Mailcow mail server + additional services + +#### Findings Summary +- 🔴 **1 privileged container** (netfilter) +- 🟠 **1 host network mode container** (netfilter) +- âš ī¸ User namespace remapping not configured +- âš ī¸ All 24 containers without resource limits +- â„šī¸ 5 images using :latest tag + +#### Critical Finding: mailcowdockerized-netfilter-mailcow-1 + +**Container:** `/mailcowdockerized-netfilter-mailcow-1` +**Issues:** +- Privileged mode: `true` +- Network mode: `host` + +**Justification:** +This container provides network filtering and firewall functionality for the mailcow email infrastructure. 
It requires: +- **Privileged mode**: Access to iptables/netfilter for packet filtering +- **Host network mode**: Direct network stack access for filtering rules + +**Risk Assessment:** âš ī¸ MEDIUM +- Container is part of official mailcow deployment +- Necessary for spam/malware filtering +- Security hardening applied via mailcow project +- Container maintained by mailcow developers + +**Recommendation:** ✅ ACCEPT with monitoring +- Document exception in security policy +- Monitor container for unusual activity +- Keep mailcow updated to latest stable version +- Review mailcow security advisories regularly +- Consider implementing SELinux/AppArmor custom profile + +--- + +## Common Issues Across All Hosts + +### 1. User Namespace Remapping (MEDIUM) + +**Issue:** Docker daemon not configured with user namespace remapping +**Impact:** Containers run as root inside container = root on host +**Risk:** Container escape could lead to full host compromise + +**Remediation:** +```bash +# Add to /etc/docker/daemon.json +{ + "userns-remap": "default" +} + +# Restart Docker +systemctl restart docker + +# Note: Existing containers will need to be recreated +``` + +**Considerations:** +- âš ī¸ Breaking change - all containers must be recreated +- Volume permissions will need adjustment +- May require mailcow reconfiguration +- Test in staging environment first + +**Priority:** HIGH (plan for Week 48-49 implementation) + +--- + +### 2. 
Missing Resource Limits (MEDIUM) + +**Issue:** Containers have no memory or CPU limits (Memory=0, CPU=0) +**Impact:** Single container can exhaust host resources +**Risk:** DoS, resource starvation, noisy neighbor problems + +**Remediation for Mailcow:** +```yaml +# In mailcow docker-compose.override.yml +services: + postfix-mailcow: + deploy: + resources: + limits: + cpus: '2.0' + memory: 1G + reservations: + memory: 512M +``` + +**Recommended Limits per Container Type:** +- **Web/API containers** (nginx, php-fpm): 512M-1G +- **Database** (mysql): 2G-4G +- **Mail services** (postfix, dovecot): 1G-2G +- **Antivirus** (clamd): 2G-4G (memory intensive) +- **Redis/Memcached**: 256M-512M +- **Utility containers**: 128M-256M + +**Priority:** HIGH (implement in Week 48) + +--- + +### 3. Latest Image Tags (LOW) + +**Issue:** 5 images on mymx using `:latest` tag +**Impact:** Non-reproducible deployments, unexpected updates +**Risk:** Low - can cause compatibility issues + +**Affected Images:** +- Check with: `docker images | grep latest` + +**Remediation:** +```bash +# Pin to specific versions in docker-compose.yml +# Example: + redis: + image: redis:7.2.3-alpine + # instead of: redis:latest +``` + +**Priority:** MEDIUM (Week 49) + +--- + +## Remediation Roadmap + +### Week 47 (Current) ✅ +- [x] Complete Docker security audits +- [x] Document findings +- [x] Identify privileged containers +- [x] Create remediation plan + +### Week 48 (Next Week) +- [ ] Document netfilter container exception +- [ ] Implement resource limits on non-critical containers (pihole, utility services) +- [ ] Pin image versions for pihole and standalone containers +- [ ] Create backup/restore procedures before changes + +### Week 49 +- [ ] Test user namespace remapping in development +- [ ] Document mailcow migration procedures +- [ ] Implement resource limits for mailcow containers +- [ ] Pin all mailcow image versions + +### Week 50 +- [ ] Implement user namespace remapping (if tested 
successfully) +- [ ] Verify all services operational after changes +- [ ] Update documentation +- [ ] Re-run security audits to verify improvements + +--- + +## Compliance Mapping + +### CIS Docker Benchmark +- ✅ **2.1** - AppArmor enabled +- ✅ **2.8** - Seccomp profiles active +- ❌ **2.13** - User namespace support not enabled +- âš ī¸ **5.3** - Privileged containers (1 justified exception) +- ❌ **5.11** - CPU priority not set +- ❌ **5.12** - Memory limits not set +- âš ī¸ **5.15** - Host network namespace (1 justified exception) + +**Compliance Score:** +- pihole: **70%** (3 of 6 applicable controls) +- mymx: **58%** (3.5 of 6 applicable controls) + +### NIST SP 800-190 +- ✅ **Image security** - Using official images +- âš ī¸ **Registry security** - No private registry +- ❌ **Runtime protection** - Missing resource limits +- âš ī¸ **Host OS** - User namespaces not configured +- ✅ **Network isolation** - Most containers use bridge networks + +--- + +## Monitoring & Ongoing Security + +### Recommended Actions +1. **Automated Scanning:** Implement Trivy or Clair for image vulnerability scanning +2. **Runtime Monitoring:** Deploy Falco for container runtime security +3. **Log Aggregation:** Forward Docker logs to centralized logging (already have rsyslog) +4. **Regular Audits:** Run docker audit playbook weekly +5. 
**Update Policy:** Review and apply security updates monthly + +### Alerting Thresholds +- New privileged container detected +- Container CPU > 80% for > 5 minutes +- Container memory > 90% for > 2 minutes +- New container using host network mode +- Image pulls from untrusted registries + +--- + +## References + +- **Docker Security Best Practices:** https://docs.docker.com/engine/security/ +- **CIS Docker Benchmark:** https://www.cisecurity.org/benchmark/docker +- **NIST SP 800-190:** https://csrc.nist.gov/publications/detail/sp/800-190/final +- **Mailcow Documentation:** https://docs.mailcow.email/ +- **Audit Reports:** + - pihole: `playbooks/stats/docker_audits/pihole/` + - mymx: `playbooks/stats/docker_audits/mymx/` + +--- + +**Document Version:** 1.0 +**Last Updated:** 2025-11-11 +**Next Review:** 2025-11-18 (Weekly) +**Owner:** Infrastructure Security Team
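Review bot: the user namespace remediation under "Common Issues" (`"userns-remap": "default"` in `/etc/docker/daemon.json`) conflicts with the netfilter exception accepted earlier in the same file: Docker's user namespace mode is incompatible with containers that run `--privileged` or share the host network namespace unless they are started with `--userns=host`, so `/mailcowdockerized-netfilter-mailcow-1` (Privileged mode: `true`, Network mode: `host`) will fail to start after the daemon change; replace the vague "May require mailcow reconfiguration" with that concrete requirement and add a matching item to the Week 49 test plan. Two smaller points: the compliance score line "pihole: **70%** (3 of 6 applicable controls)" does not match its own arithmetic (3 of 6 is 50%), and "Affected Images" gives a shell command (`docker images | grep latest`) instead of naming the five `:latest` images the audit found, which a findings document should list. The warning and info markers also appear as mojibake (`âš ī¸`, `â„šī¸`) throughout, so the file should be re-saved as UTF-8 before merge.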