# Docker Security Audit Findings

**Date:** 2025-11-11
**Audit Tool:** playbooks/audit_docker.yml
**Audited Hosts:** pihole, mymx

---

## Executive Summary

Docker security audits completed on 2 hosts running containerized services. Total of **25 containers** audited across both hosts.

### Overall Security Posture

| Host | Containers | CRITICAL | HIGH | MEDIUM | LOW | Status |
|------|-----------|----------|------|--------|-----|--------|
| **pihole** | 1 | 0 | 0 | 2 | 1 | 🟡 Acceptable |
| **mymx** | 24 | 1 | 1 | 2 | 1 | 🔴 Needs Review |

Severity mapping used by the audit: privileged container = CRITICAL, host network mode = HIGH, user namespace remapping not configured and missing resource limits = MEDIUM, `:latest` image tag = LOW.

---

## Detailed Findings

### pihole (192.168.122.12)

**Docker Version:** 28.3.3
**Storage Driver:** overlay2
**Security Options:** apparmor, seccomp, cgroupns

#### Findings Summary

- ✅ **No privileged containers**
- ✅ **No host network mode containers**
- ⚠️ User namespace remapping not configured
- ⚠️ Containers without resource limits
- ℹ️ 1 image using `:latest` tag

#### Recommendations

1. Enable user namespace remapping in `/etc/docker/daemon.json`
2. Set memory and CPU limits on the pi-hole container
3. Pin the pi-hole image to a specific version tag (or to a digest)

---

### mymx (192.168.122.119)

**Docker Version:** 28.5.1
**Storage Driver:** overlay2
**Security Options:** apparmor, seccomp, cgroupns
**Application:** Mailcow mail server + additional services

#### Findings Summary

- 🔴 **1 privileged container** (netfilter)
- 🟠 **1 host network mode container** (netfilter)
- ⚠️ User namespace remapping not configured
- ⚠️ All 24 containers without resource limits
- ℹ️ 5 images using `:latest` tag

#### Critical Finding: mailcowdockerized-netfilter-mailcow-1

**Container:** `/mailcowdockerized-netfilter-mailcow-1`

**Issues:**
- Privileged mode: `true`
- Network mode: `host`

**Justification:** This container is mailcow's netfilter service. It provides fail2ban-style brute-force protection for the mail stack (banning client IPs after repeated authentication failures) and maintains the associated NAT and isolation rules on the host firewall. It requires:
- **Elevated privileges:** `CAP_NET_ADMIN` (and `CAP_NET_RAW`) to add and remove iptables/nftables rules; the upstream mailcow compose file grants this with `privileged: true`
- **Host network mode:** the rules must be applied in the host's network namespace, where client connections arrive, not inside the bridge network

Spam and malware filtering are done by other mailcow containers (rspamd, clamd), not by netfilter. Note that `privileged: true` grants every capability and disables Docker's default seccomp and AppArmor confinement for the container, which is why the audit rates it CRITICAL even though its function is legitimate.

**Risk Assessment:** ⚠️ MEDIUM (residual risk, after accepting the exception)
- Container is part of the official mailcow deployment and is maintained by the mailcow developers
- Its function (brute-force protection) is itself a security control for the mail server
- Exposure: the container takes its ban/unban instructions from mailcow's Redis instance and acts on the host firewall, so a compromise of Redis or of the netfilter image gives an attacker root-equivalent control of the host's network stack

**Recommendation:** ✅ ACCEPT with monitoring
- Document exception in security policy
- Monitor the container for unusual activity (unexpected processes, outbound connections, firewall rule changes it did not originate)
- Keep mailcow updated to the latest stable version
- Review mailcow security advisories regularly
- Test in staging whether `privileged: true` can be reduced to explicit capabilities (`cap_add: [NET_ADMIN, NET_RAW]`); keep the upstream setting if mailcow's own tooling depends on it
- Consider a custom AppArmor profile for the container (the hosts run AppArmor); Docker applies no default profile to privileged containers, so the profile must be assigned explicitly via `security_opt`

---

## Common Issues Across All Hosts

### 1. User Namespace Remapping (MEDIUM)

**Issue:** Docker daemon not configured with user namespace remapping
**Impact:** Without remapping, UID 0 inside a container is UID 0 on the host, and the container is confined only by capabilities, seccomp and AppArmor. With remapping, container root maps to an unprivileged host UID from the `dockremap` subordinate range.
**Risk:** A container escape (runtime bug, misconfigured bind mount, leaked Docker socket) yields full host compromise instead of an unprivileged host account

**Remediation:**

```bash
# Add to /etc/docker/daemon.json
{
  "userns-remap": "default"
}

# Restart Docker
systemctl restart docker

# Note: the remapped daemon switches to a new data root (e.g. /var/lib/docker/100000.100000),
# so existing images, containers and volumes are no longer visible and must be recreated
```

After the restart, `docker info --format '{{.SecurityOptions}}'` should list `name=userns` next to apparmor and seccomp; the audit playbook checks the same field.

**Considerations:**
- ⚠️ Breaking change: all containers must be recreated and images re-pulled under the new data root
- Volume permissions will need adjustment: bind-mounted paths must be owned by the remapped IDs (host UID = container UID + start of the subordinate range)
- Host network mode and `--privileged` are not allowed inside a remapped daemon; the mailcow netfilter container must be started with `userns_mode: "host"` (Compose) / `--userns=host`, which means it gains nothing from remapping and stays a documented exception
- May require further mailcow reconfiguration; test in a staging environment first

**Priority:** HIGH (plan for Week 48-49 implementation)

---

### 2. Missing Resource Limits (MEDIUM)

**Issue:** Containers have no memory or CPU limits (the audit reads `Memory=0`, `CPU=0` from `docker inspect`, which means unlimited)
**Impact:** A single container can exhaust host resources
**Risk:** DoS, resource starvation, noisy neighbor problems; on a mail server one runaway container can stall delivery for every other service

**Remediation for Mailcow:**

```yaml
# In mailcow docker-compose.override.yml
services:
  postfix-mailcow:
    deploy:
      resources:
        limits:
          cpus: '2.0'
          memory: 1G
        reservations:
          memory: 512M
```

Docker Compose v2 honors `deploy.resources.limits` for non-swarm deployments. A container that exceeds its memory limit is OOM-killed, so derive limits from observed usage (`docker stats`) rather than from the table below alone, and keep the override file separate from mailcow's `docker-compose.yml`, which `update.sh` replaces.

**Recommended Limits per Container Type:**
- **Web/API containers** (nginx, php-fpm): 512M-1G
- **Database** (mysql): 2G-4G
- **Mail services** (postfix, dovecot): 1G-2G
- **Antivirus** (clamd): 2G-4G (memory intensive; the signature database is loaded into RAM)
- **Redis/Memcached**: 256M-512M
- **Utility containers**: 128M-256M

**Priority:** HIGH (implement in Week 48)

---

### 3. Latest Image Tags (LOW)

**Issue:** 5 images on mymx using `:latest` tag
**Impact:** Non-reproducible deployments, unexpected updates on the next pull, and no way to tell from the tag which code is actually running
**Risk:** Low - can cause compatibility issues; a regressed or compromised upstream build would be pulled silently

**Affected Images:**
- Check with: `docker images | grep latest` (an image referenced without any tag also resolves to `:latest`)

**Remediation:**

```yaml
# Pin to specific versions in docker-compose.yml
# Example:
redis:
  image: redis:7.2.3-alpine   # instead of: redis:latest
```

Pinning by digest (`image@sha256:...`) additionally protects against a tag being moved. Pins for mailcow-managed services belong in `docker-compose.override.yml`; edits to mailcow's own `docker-compose.yml` are lost on the next `update.sh`.

**Priority:** MEDIUM (Week 49)

---

## Remediation Roadmap

### Week 47 (Current) ✅
- [x] Complete Docker security audits
- [x] Document findings
- [x] Identify privileged containers
- [x] Create remediation plan

### Week 48 (Next Week)
- [ ] Document netfilter container exception
- [ ] Implement resource limits on non-critical containers (pihole, utility services)
- [ ] Pin image versions for pihole and standalone containers
- [ ] Create backup/restore procedures before changes

### Week 49
- [ ] Test user namespace remapping in development
- [ ] Document mailcow migration procedures (including `userns_mode: "host"` for netfilter)
- [ ] Implement resource limits for mailcow containers
- [ ] Pin all mailcow image versions

### Week 50
- [ ] Implement user namespace remapping (if tested successfully)
- [ ] Verify all services operational after changes
- [ ] Update documentation
- [ ] Re-run security audits to verify improvements

---

## Compliance Mapping

### CIS Docker Benchmark

Control numbers are as recorded by the audit playbook; confirm them against the benchmark version in use, since numbering shifts between releases.

- ✅ **2.1** - AppArmor enabled
- ✅ **2.8** - Seccomp profiles active
- ❌ **2.13** - User namespace support not enabled
- ⚠️ **5.3** - Privileged containers (1 justified exception on mymx; pihole passes)
- ❌ **5.11** - CPU priority not set
- ❌ **5.12** - Memory limits not set
- ⚠️ **5.15** - Host network namespace (1 justified exception on mymx; pihole passes)

**Compliance Score** (7 controls listed above; a justified exception counts as half credit):
- pihole: **57%** (4 of 7 controls: 2.1, 2.8, 5.3, 5.15)
- mymx: **43%** (3 of 7: 2.1, 2.8, plus half credit each for 5.3 and 5.15)

### NIST SP 800-190
- ✅ **Image security** - Using official images
- ⚠️ **Registry security** - No private registry; images are pulled from public registries without digest pinning
- ❌ **Runtime protection** - Missing resource limits
- ⚠️ **Host OS** - User namespaces not configured
- ✅ **Network isolation** - Most containers use bridge networks (the netfilter exception shares the host namespace)

---

## Monitoring & Ongoing Security

### Recommended Actions

1. **Automated Scanning:** Implement Trivy or Clair for image vulnerability scanning
2. **Runtime Monitoring:** Deploy Falco for container runtime security
3. **Log Aggregation:** Forward Docker logs to centralized logging (already have rsyslog)
4. **Regular Audits:** Run the docker audit playbook weekly
5. **Update Policy:** Review and apply security updates monthly

### Alerting Thresholds

- New privileged container detected
- Container CPU > 80% for > 5 minutes
- Container memory > 90% for > 2 minutes
- New container using host network mode
- Image pulls from untrusted registries

---

## References

- **Docker Security Best Practices:** https://docs.docker.com/engine/security/
- **CIS Docker Benchmark:** https://www.cisecurity.org/benchmark/docker
- **NIST SP 800-190:** https://csrc.nist.gov/publications/detail/sp/800-190/final
- **Mailcow Documentation:** https://docs.mailcow.email/
- **Audit Reports:**
  - pihole: `playbooks/stats/docker_audits/pihole/`
  - mymx: `playbooks/stats/docker_audits/mymx/`

---

**Document Version:** 1.0
**Last Updated:** 2025-11-11
**Next Review:** 2025-11-18 (Weekly)
**Owner:** Infrastructure Security Team
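Appendix A. A combined `docker-compose.override.yml` for the mymx remediation items in sections 1 and 2 (resource limits for the main mailcow services, and the `userns_mode: "host"` setting the netfilter container needs once the daemon runs with `userns-remap`). This is an added example for this report, not a file shipped by mailcow; the service names are the ones used in mailcow's `docker-compose.yml` and should be verified against the local checkout, and the limits are starting points taken from the table in section 2, to be tuned against `docker stats` before rollout.

```yaml
# docker-compose.override.yml (added example; not mailcow's shipped file)
# Place it next to mailcow's docker-compose.yml. update.sh replaces
# docker-compose.yml but leaves this override file alone.
services:
  netfilter-mailcow:
    # Required once the daemon runs with userns-remap: host network mode and
    # privileged: true are refused inside a remapped user namespace, so this
    # container keeps running unmapped and stays a documented exception.
    userns_mode: "host"
    deploy:
      resources:
        limits: { cpus: '0.5', memory: 256M }
  postfix-mailcow:
    deploy:
      resources:
        limits: { cpus: '2.0', memory: 1G }
        reservations: { memory: 512M }
  dovecot-mailcow:
    deploy:
      resources:
        limits: { cpus: '2.0', memory: 2G }
        reservations: { memory: 1G }
  mysql-mailcow:
    deploy:
      resources:
        limits: { cpus: '2.0', memory: 4G }
        reservations: { memory: 2G }
  clamd-mailcow:
    deploy:
      resources:
        # clamd loads its signature database into memory; a limit that is
        # too low gets the container OOM-killed on every signature reload.
        limits: { cpus: '2.0', memory: 4G }
        reservations: { memory: 2G }
  rspamd-mailcow:
    deploy:
      resources:
        limits: { cpus: '2.0', memory: 1G }
  redis-mailcow:
    deploy:
      resources:
        limits: { cpus: '1.0', memory: 512M }
  nginx-mailcow:
    deploy:
      resources:
        limits: { cpus: '1.0', memory: 512M }
  php-fpm-mailcow:
    deploy:
      resources:
        limits: { cpus: '2.0', memory: 1G }
```

Apply it from the mailcow directory with `docker compose up -d` (Compose v2 honors `deploy.resources` without swarm mode) and confirm each container with `docker inspect --format '{{.HostConfig.Memory}} {{.HostConfig.NanoCpus}} {{.HostConfig.UsernsMode}}' <container>`: non-zero memory and CPU values mean the limits took effect, and `host` in the last field should appear only for the netfilter container.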
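Appendix B. A small checker that applies the conditions behind the findings summaries and the alerting thresholds above (privileged mode, host network mode, missing memory/CPU limits, floating `:latest` tags, and images pulled from a registry outside an allow-list) to `docker inspect` records. It is an added example for this report, not code from the audit playbook. The inspect records in `SAMPLE` are constructed to resemble the mymx findings, the image tag on the netfilter record is a placeholder, and the registry allow-list and the HIGH severity for an untrusted registry are assumptions; the other severities follow the mapping used in the posture table.

```python
"""Container posture checks over `docker inspect` records (added example)."""
import json
import subprocess
from typing import Dict, List

# Assumption: registries from which image pulls are considered trusted.
TRUSTED_REGISTRIES = {"docker.io", "ghcr.io"}

# Severity per finding, mirroring the posture table in this report
# (UNTRUSTED_REGISTRY = HIGH is an assumption; the report lists it only as an alert).
SEVERITY = {
    "PRIVILEGED": "CRITICAL",
    "HOST_NETWORK": "HIGH",
    "UNTRUSTED_REGISTRY": "HIGH",
    "NO_MEMORY_LIMIT": "MEDIUM",
    "NO_CPU_LIMIT": "MEDIUM",
    "LATEST_TAG": "LOW",
}
ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW"]


def image_registry(image: str) -> str:
    """Registry part of an image reference; Docker Hub if none is given.

    Docker treats the first path component as a registry only when it contains
    a '.' or ':' or is 'localhost', so 'mailcow/netfilter:1.0' is a Docker Hub
    image while 'registry.internal:5000/x' is not.
    """
    first, _, rest = image.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def image_tag(image: str) -> str:
    """Tag of an image reference; digest pins are not floating, no tag means latest."""
    if "@" in image:
        return "<digest>"
    last = image.rsplit("/", 1)[-1]
    return last.split(":", 1)[1] if ":" in last else "latest"


def audit_container(record: dict) -> List[str]:
    """Return finding codes for one `docker inspect` record."""
    host = record.get("HostConfig", {})
    image = record.get("Config", {}).get("Image", "")
    findings = []
    if host.get("Privileged"):
        findings.append("PRIVILEGED")
    if host.get("NetworkMode") == "host":
        findings.append("HOST_NETWORK")
    if not host.get("Memory"):                                  # 0 = unlimited
        findings.append("NO_MEMORY_LIMIT")
    if not host.get("NanoCpus") and not host.get("CpuQuota"):   # 0 = no cap
        findings.append("NO_CPU_LIMIT")
    if image_tag(image) == "latest":
        findings.append("LATEST_TAG")
    if image_registry(image) not in TRUSTED_REGISTRIES:
        findings.append("UNTRUSTED_REGISTRY")
    return findings


def audit(records: List[dict]) -> Dict[str, List[str]]:
    """Map container name -> findings for a list of inspect records."""
    return {r["Name"].lstrip("/"): audit_container(r) for r in records}


def severity_counts(results: Dict[str, List[str]]) -> Dict[str, int]:
    """Count containers by their worst finding, as in the posture table."""
    counts = {s: 0 for s in ORDER}
    for findings in results.values():
        if findings:
            worst = min(findings, key=lambda f: ORDER.index(SEVERITY[f]))
            counts[SEVERITY[worst]] += 1
    return counts


def live_records() -> List[dict]:
    """Inspect every running container on the local daemon (needs docker)."""
    ids = subprocess.check_output(["docker", "ps", "-q"], text=True).split()
    if not ids:
        return []
    return json.loads(subprocess.check_output(["docker", "inspect", *ids], text=True))


def record(name, image, privileged=False, network="bridge", memory=0, nanocpus=0):
    """Build a minimal inspect-shaped record (constructed sample data)."""
    return {"Name": "/" + name,
            "Config": {"Image": image},
            "HostConfig": {"Privileged": privileged, "NetworkMode": network,
                           "Memory": memory, "NanoCpus": nanocpus, "CpuQuota": 0}}


# Constructed sample resembling the mymx findings; tags and sizes are illustrative.
SAMPLE = [
    record("mailcowdockerized-netfilter-mailcow-1", "mailcow/netfilter:pinned",
           privileged=True, network="host"),
    record("redis", "redis", network="mailcowdockerized_mailcow-network"),
    record("hardened", "example/app:1.2.3", memory=512 * 2**20, nanocpus=10**9),
    record("backup", "registry.internal:5000/tools/backup:3.1",
           memory=256 * 2**20, nanocpus=5 * 10**8),
]

if __name__ == "__main__":
    results = audit(SAMPLE)          # swap in live_records() on a Docker host
    for name, findings in results.items():
        print(f"{name:45} {', '.join(findings) or 'OK'}")
    print(severity_counts(results))
```

Run as a script it reports the constructed sample; replacing `SAMPLE` with `live_records()` runs the same checks against the local daemon and is a convenient cross-check of the playbook's output between weekly runs. The `LATEST_TAG` check also catches images referenced with no tag at all, which `docker ps` shows without a `:latest` suffix.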