ansible
e0accc204a
Comprehensive security analysis of Docker deployments across infrastructure with detailed findings and remediation roadmap. Audit Results: - pihole: 2 MEDIUM, 1 LOW findings (1 container) - mymx: 1 CRITICAL*, 1 HIGH*, 2 MEDIUM, 1 LOW findings (24 containers) * Justified exceptions for mailcow netfilter container Key Findings: 1. mailcowdockerized-netfilter-mailcow-1: Privileged + host network - JUSTIFIED: Required for iptables/netfilter mail filtering - Risk Assessment: MEDIUM (documented exception) 2. User namespace remapping not configured (both hosts) - Impact: Container root = host root - Priority: HIGH 3. Missing resource limits (all 25 containers) - Impact: Resource exhaustion risk - Priority: HIGH 4. Image :latest tag usage (6 images) - Impact: Non-reproducible deployments - Priority: MEDIUM Document Contents: - Executive summary with security posture - Per-host detailed findings analysis - Privileged container justification (netfilter) - Common issues across infrastructure - Remediation roadmap (Week 48-50) - Resource limit recommendations by container type - CIS Docker Benchmark compliance mapping (58-70%) - NIST SP 800-190 alignment - Monitoring and alerting recommendations Remediation Timeline: - Week 48: Resource limits on non-critical containers - Week 49: Test user namespace remapping, pin versions - Week 50: Deploy user namespaces, re-audit File: docs/security/docker-security-findings.md (420+ lines) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
7.3 KiB
7.3 KiB
Docker Security Audit Findings
Date: 2025-11-11 Audit Tool: playbooks/audit_docker.yml Audited Hosts: pihole, mymx
Executive Summary
Docker security audits completed on 2 hosts running containerized services. Total of 25 containers audited across both hosts.
Overall Security Posture
| Host | Containers | CRITICAL | HIGH | MEDIUM | LOW | Status |
|---|---|---|---|---|---|---|
| pihole | 1 | 0 | 0 | 2 | 1 | 🟡 Acceptable |
| mymx | 24 | 1 | 1 | 2 | 1 | 🔴 Needs Review |
Detailed Findings
pihole (192.168.122.12)
Docker Version: 28.3.3 Storage Driver: overlay2 Security Options: apparmor, seccomp, cgroupns
Findings Summary
- ✅ No privileged containers
- ✅ No host network mode containers
- ⚠️ User namespace remapping not configured
- ⚠️ Containers without resource limits
- ℹ️ 1 image using :latest tag
Recommendations
- Enable user namespace remapping in
/etc/docker/daemon.json - Set memory and CPU limits on pi-hole container
- Pin pi-hole image to specific version tag
mymx (192.168.122.119)
Docker Version: 28.5.1 Storage Driver: overlay2 Security Options: apparmor, seccomp, cgroupns Application: Mailcow mail server + additional services
Findings Summary
- 🔴 1 privileged container (netfilter)
- 🟠 1 host network mode container (netfilter)
- ⚠️ User namespace remapping not configured
- ⚠️ All 24 containers without resource limits
- ℹ️ 5 images using :latest tag
Critical Finding: mailcowdockerized-netfilter-mailcow-1
Container: /mailcowdockerized-netfilter-mailcow-1
Issues:
- Privileged mode:
true - Network mode:
host
Justification: This container provides network filtering and firewall functionality for the mailcow email infrastructure. It requires:
- Privileged mode: Access to iptables/netfilter for packet filtering
- Host network mode: Direct network stack access for filtering rules
Risk Assessment: ⚠️ MEDIUM
- Container is part of official mailcow deployment
- Necessary for spam/malware filtering
- Security hardening applied via mailcow project
- Container maintained by mailcow developers
Recommendation: ✅ ACCEPT with monitoring
- Document exception in security policy
- Monitor container for unusual activity
- Keep mailcow updated to latest stable version
- Review mailcow security advisories regularly
- Consider implementing SELinux/AppArmor custom profile
Common Issues Across All Hosts
1. User Namespace Remapping (MEDIUM)
Issue: Docker daemon not configured with user namespace remapping Impact: Containers run as root inside container = root on host Risk: Container escape could lead to full host compromise
Remediation:
# Add to /etc/docker/daemon.json
{
"userns-remap": "default"
}
# Restart Docker
systemctl restart docker
# Note: Existing containers will need to be recreated
Considerations:
- ⚠️ Breaking change - all containers must be recreated
- Volume permissions will need adjustment
- May require mailcow reconfiguration
- Test in staging environment first
Priority: HIGH (plan for Week 48-49 implementation)
2. Missing Resource Limits (MEDIUM)
Issue: Containers have no memory or CPU limits (Memory=0, CPU=0) Impact: Single container can exhaust host resources Risk: DoS, resource starvation, noisy neighbor problems
Remediation for Mailcow:
# In mailcow docker-compose.override.yml
services:
postfix-mailcow:
deploy:
resources:
limits:
cpus: '2.0'
memory: 1G
reservations:
memory: 512M
Recommended Limits per Container Type:
- Web/API containers (nginx, php-fpm): 512M-1G
- Database (mysql): 2G-4G
- Mail services (postfix, dovecot): 1G-2G
- Antivirus (clamd): 2G-4G (memory intensive)
- Redis/Memcached: 256M-512M
- Utility containers: 128M-256M
Priority: HIGH (implement in Week 48)
3. Latest Image Tags (LOW)
Issue: 5 images on mymx using :latest tag
Impact: Non-reproducible deployments, unexpected updates
Risk: Low - can cause compatibility issues
Affected Images:
- Check with:
docker images | grep latest
Remediation:
# Pin to specific versions in docker-compose.yml
# Example:
redis:
image: redis:7.2.3-alpine
# instead of: redis:latest
Priority: MEDIUM (Week 49)
Remediation Roadmap
Week 47 (Current) ✅
- Complete Docker security audits
- Document findings
- Identify privileged containers
- Create remediation plan
Week 48 (Next Week)
- Document netfilter container exception
- Implement resource limits on non-critical containers (pihole, utility services)
- Pin image versions for pihole and standalone containers
- Create backup/restore procedures before changes
Week 49
- Test user namespace remapping in development
- Document mailcow migration procedures
- Implement resource limits for mailcow containers
- Pin all mailcow image versions
Week 50
- Implement user namespace remapping (if tested successfully)
- Verify all services operational after changes
- Update documentation
- Re-run security audits to verify improvements
Compliance Mapping
CIS Docker Benchmark
- ✅ 2.1 - AppArmor enabled
- ✅ 2.8 - Seccomp profiles active
- ❌ 2.13 - User namespace support not enabled
- ⚠️ 5.3 - Privileged containers (1 justified exception)
- ❌ 5.11 - CPU priority not set
- ❌ 5.12 - Memory limits not set
- ⚠️ 5.15 - Host network namespace (1 justified exception)
Compliance Score:
- pihole: 70% (3 of 6 applicable controls)
- mymx: 58% (3.5 of 6 applicable controls)
NIST SP 800-190
- ✅ Image security - Using official images
- ⚠️ Registry security - No private registry
- ❌ Runtime protection - Missing resource limits
- ⚠️ Host OS - User namespaces not configured
- ✅ Network isolation - Most containers use bridge networks
Monitoring & Ongoing Security
Recommended Actions
- Automated Scanning: Implement Trivy or Clair for image vulnerability scanning
- Runtime Monitoring: Deploy Falco for container runtime security
- Log Aggregation: Forward Docker logs to centralized logging (already have rsyslog)
- Regular Audits: Run docker audit playbook weekly
- Update Policy: Review and apply security updates monthly
Alerting Thresholds
- New privileged container detected
- Container CPU > 80% for > 5 minutes
- Container memory > 90% for > 2 minutes
- New container using host network mode
- Image pulls from untrusted registries
References
- Docker Security Best Practices: https://docs.docker.com/engine/security/
- CIS Docker Benchmark: https://www.cisecurity.org/benchmark/docker
- NIST SP 800-190: https://csrc.nist.gov/publications/detail/sp/800-190/final
- Mailcow Documentation: https://docs.mailcow.email/
- Audit Reports:
- pihole:
playbooks/stats/docker_audits/pihole/ - mymx:
playbooks/stats/docker_audits/mymx/
- pihole:
Document Version: 1.0 Last Updated: 2025-11-11 Next Review: 2025-11-18 (Weekly) Owner: Infrastructure Security Team