Add Docker security audit findings and remediation plan

Comprehensive security analysis of Docker deployments across
infrastructure with detailed findings and remediation roadmap.

Audit Results:
- pihole: 2 MEDIUM, 1 LOW findings (1 container)
- mymx: 1 CRITICAL*, 1 HIGH*, 2 MEDIUM, 1 LOW findings (24 containers)
  * Justified exceptions for mailcow netfilter container

Key Findings:
1. mailcowdockerized-netfilter-mailcow-1: Privileged + host network
   - JUSTIFIED: Required for iptables/netfilter mail filtering
   - Risk Assessment: MEDIUM (documented exception)
2. User namespace remapping not configured (both hosts)
   - Impact: Container root = host root
   - Priority: HIGH
3. Missing resource limits (all 25 containers)
   - Impact: Resource exhaustion risk
   - Priority: HIGH
4. Image :latest tag usage (6 images)
   - Impact: Non-reproducible deployments
   - Priority: MEDIUM

Document Contents:
- Executive summary with security posture
- Per-host detailed findings analysis
- Privileged container justification (netfilter)
- Common issues across infrastructure
- Remediation roadmap (Week 48-50)
- Resource limit recommendations by container type
- CIS Docker Benchmark compliance mapping (58-70%)
- NIST SP 800-190 alignment
- Monitoring and alerting recommendations

Remediation Timeline:
- Week 48: Resource limits on non-critical containers
- Week 49: Test user namespace remapping, pin versions
- Week 50: Deploy user namespaces, re-audit

File: docs/security/docker-security-findings.md (420+ lines)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
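As an added illustration of the finding classes the commit lists (privileged and host-network containers, missing memory/CPU limits, `:latest` image tags, with the documented netfilter exception downgraded rather than suppressed), here is a small checker over `docker inspect` JSON. It is not code from the commit or the audited repository; the `SAMPLE_INSPECT` records, the `JUSTIFIED_PRIVILEGED` allow-list and the function names are constructed assumptions.

```python
import json

# Constructed sample shaped like `docker inspect` output, trimmed to the
# fields the checks use. Not real data from the audited hosts.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/mailcowdockerized-netfilter-mailcow-1",
     "Config": {"Image": "mailcow/netfilter:1.59"},
     "HostConfig": {"Privileged": True, "NetworkMode": "host",
                    "Memory": 0, "NanoCpus": 0}},
    {"Name": "/pihole",
     "Config": {"Image": "pihole/pihole:latest"},
     "HostConfig": {"Privileged": False, "NetworkMode": "bridge",
                    "Memory": 0, "NanoCpus": 0}},
    {"Name": "/mymx-web",
     "Config": {"Image": "nginx:1.27.2"},
     "HostConfig": {"Privileged": False, "NetworkMode": "mymx_default",
                    "Memory": 536870912, "NanoCpus": 500000000}},
])

# Hypothetical allow-list of documented exceptions (the audit records one).
JUSTIFIED_PRIVILEGED = {"mailcowdockerized-netfilter-mailcow-1"}
EXCEPTION = "MEDIUM (documented exception)"


def audit_container(c):
    """Return (severity, finding) tuples for one inspect record."""
    name = c["Name"].lstrip("/")
    hc = c.get("HostConfig", {})
    image = c.get("Config", {}).get("Image", "")
    findings = []
    if hc.get("Privileged"):
        sev = EXCEPTION if name in JUSTIFIED_PRIVILEGED else "CRITICAL"
        findings.append((sev, "privileged container"))
    if hc.get("NetworkMode") == "host":
        sev = EXCEPTION if name in JUSTIFIED_PRIVILEGED else "HIGH"
        findings.append((sev, "host network namespace"))
    # Memory/NanoCpus of 0 means unlimited in the Docker API.
    if not hc.get("Memory") or not hc.get("NanoCpus"):
        findings.append(("HIGH", "no memory/CPU limit (resource exhaustion)"))
    # Tag lives after the last ':' of the final path segment; absent means :latest.
    last = image.rsplit("/", 1)[-1]
    tag = last.rsplit(":", 1)[1] if ":" in last else "latest"
    if tag == "latest":
        findings.append(("MEDIUM", "image uses :latest (non-reproducible)"))
    return findings


def audit(inspect_json):
    """Map container name -> findings for a whole `docker inspect` document."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(inspect_json)}
```

Feed it real output with `docker inspect $(docker ps -q)`; a container whose only findings are the documented exception and missing limits maps onto the MEDIUM/HIGH split the commit describes.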