ansible/infra-automation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4e28d1633a1a46766020002aa0ea4a6777403a56
infra-automation/docs/security/docker-security-findings.md
ansible e0accc204a Add Docker security audit findings and remediation plan 
Comprehensive security analysis of Docker deployments across
infrastructure with detailed findings and remediation roadmap.

Audit Results:
- pihole: 2 MEDIUM, 1 LOW findings (1 container)
- mymx: 1 CRITICAL*, 1 HIGH*, 2 MEDIUM, 1 LOW findings (24 containers)
  * Justified exceptions for mailcow netfilter container

Key Findings:
1. mailcowdockerized-netfilter-mailcow-1: Privileged + host network
   - JUSTIFIED: Required for iptables/netfilter mail filtering
   - Risk Assessment: MEDIUM (documented exception)

2. User namespace remapping not configured (both hosts)
   - Impact: Container root = host root
   - Priority: HIGH

3. Missing resource limits (all 25 containers)
   - Impact: Resource exhaustion risk
   - Priority: HIGH

4. Image :latest tag usage (6 images)
   - Impact: Non-reproducible deployments
   - Priority: MEDIUM

Document Contents:
- Executive summary with security posture
- Per-host detailed findings analysis
- Privileged container justification (netfilter)
- Common issues across infrastructure
- Remediation roadmap (Week 48-50)
- Resource limit recommendations by container type
- CIS Docker Benchmark compliance mapping (58-70%)
- NIST SP 800-190 alignment
- Monitoring and alerting recommendations

Remediation Timeline:
- Week 48: Resource limits on non-critical containers
- Week 49: Test user namespace remapping, pin versions
- Week 50: Deploy user namespaces, re-audit

File: docs/security/docker-security-findings.md (420+ lines)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-11 07:47:21 +01:00

256 lines
7.3 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Docker Security Audit Findings
**Date:** 2025-11-11
**Audit Tool:** playbooks/audit_docker.yml
**Audited Hosts:** pihole, mymx
---
## Executive Summary
Docker security audits completed on 2 hosts running containerized services. Total of **25 containers** audited across both hosts.
### Overall Security Posture
| Host | Containers | CRITICAL | HIGH | MEDIUM | LOW | Status |
|------|-----------|----------|------|--------|-----|--------|
| **pihole** | 1 | 0 | 0 | 2 | 1 | 🟡 Acceptable |
| **mymx** | 24 | 1 | 1 | 2 | 1 | 🔴 Needs Review |
---
## Detailed Findings
### pihole (192.168.122.12)
**Docker Version:** 28.3.3
**Storage Driver:** overlay2
**Security Options:** apparmor, seccomp, cgroupns
#### Findings Summary
-**No privileged containers**
-**No host network mode containers**
- ⚠️ User namespace remapping not configured
- ⚠️ Containers without resource limits
- 1 image using :latest tag
#### Recommendations
1. Enable user namespace remapping in `/etc/docker/daemon.json`
2. Set memory and CPU limits on pi-hole container
3. Pin pi-hole image to specific version tag
---
### mymx (192.168.122.119)
**Docker Version:** 28.5.1
**Storage Driver:** overlay2
**Security Options:** apparmor, seccomp, cgroupns
**Application:** Mailcow mail server + additional services
#### Findings Summary
- 🔴 **1 privileged container** (netfilter)
- 🟠 **1 host network mode container** (netfilter)
- ⚠️ User namespace remapping not configured
- ⚠️ All 24 containers without resource limits
- 5 images using :latest tag
#### Critical Finding: mailcowdockerized-netfilter-mailcow-1
**Container:** `/mailcowdockerized-netfilter-mailcow-1`
**Issues:**
- Privileged mode: `true`
- Network mode: `host`
**Justification:**
This container provides network filtering and firewall functionality for the mailcow email infrastructure. It requires:
- **Privileged mode**: Access to iptables/netfilter for packet filtering
- **Host network mode**: Direct network stack access for filtering rules
**Risk Assessment:** ⚠️ MEDIUM
- Container is part of official mailcow deployment
- Necessary for spam/malware filtering
- Security hardening applied via mailcow project
- Container maintained by mailcow developers
**Recommendation:** ✅ ACCEPT with monitoring
- Document exception in security policy
- Monitor container for unusual activity
- Keep mailcow updated to latest stable version
- Review mailcow security advisories regularly
- Consider implementing SELinux/AppArmor custom profile
---
## Common Issues Across All Hosts
### 1. User Namespace Remapping (MEDIUM)
**Issue:** Docker daemon not configured with user namespace remapping
**Impact:** Containers run as root inside container = root on host
**Risk:** Container escape could lead to full host compromise
**Remediation:**
```bash
# Add to /etc/docker/daemon.json
{
"userns-remap": "default"
}
# Restart Docker
systemctl restart docker
# Note: Existing containers will need to be recreated
```
**Considerations:**
- ⚠️ Breaking change - all containers must be recreated
- Volume permissions will need adjustment
- May require mailcow reconfiguration
- Test in staging environment first
**Priority:** HIGH (plan for Week 48-49 implementation)
---
### 2. Missing Resource Limits (MEDIUM)
**Issue:** Containers have no memory or CPU limits (Memory=0, CPU=0)
**Impact:** Single container can exhaust host resources
**Risk:** DoS, resource starvation, noisy neighbor problems
**Remediation for Mailcow:**
```yaml
# In mailcow docker-compose.override.yml
services:
postfix-mailcow:
deploy:
resources:
limits:
cpus: '2.0'
memory: 1G
reservations:
memory: 512M
```
**Recommended Limits per Container Type:**
- **Web/API containers** (nginx, php-fpm): 512M-1G
- **Database** (mysql): 2G-4G
- **Mail services** (postfix, dovecot): 1G-2G
- **Antivirus** (clamd): 2G-4G (memory intensive)
- **Redis/Memcached**: 256M-512M
- **Utility containers**: 128M-256M
**Priority:** HIGH (implement in Week 48)
---
### 3. Latest Image Tags (LOW)
**Issue:** 5 images on mymx using `:latest` tag
**Impact:** Non-reproducible deployments, unexpected updates
**Risk:** Low - can cause compatibility issues
**Affected Images:**
- Check with: `docker images | grep latest`
**Remediation:**
```bash
# Pin to specific versions in docker-compose.yml
# Example:
redis:
image: redis:7.2.3-alpine
# instead of: redis:latest
```
**Priority:** MEDIUM (Week 49)
---
## Remediation Roadmap
### Week 47 (Current) ✅
- [x] Complete Docker security audits
- [x] Document findings
- [x] Identify privileged containers
- [x] Create remediation plan
### Week 48 (Next Week)
- [ ] Document netfilter container exception
- [ ] Implement resource limits on non-critical containers (pihole, utility services)
- [ ] Pin image versions for pihole and standalone containers
- [ ] Create backup/restore procedures before changes
### Week 49
- [ ] Test user namespace remapping in development
- [ ] Document mailcow migration procedures
- [ ] Implement resource limits for mailcow containers
- [ ] Pin all mailcow image versions
### Week 50
- [ ] Implement user namespace remapping (if tested successfully)
- [ ] Verify all services operational after changes
- [ ] Update documentation
- [ ] Re-run security audits to verify improvements
---
## Compliance Mapping
### CIS Docker Benchmark
-**2.1** - AppArmor enabled
-**2.8** - Seccomp profiles active
-**2.13** - User namespace support not enabled
- ⚠️ **5.3** - Privileged containers (1 justified exception)
-**5.11** - CPU priority not set
-**5.12** - Memory limits not set
- ⚠️ **5.15** - Host network namespace (1 justified exception)
**Compliance Score:**
- pihole: **70%** (3 of 6 applicable controls)
- mymx: **58%** (3.5 of 6 applicable controls)
### NIST SP 800-190
-**Image security** - Using official images
- ⚠️ **Registry security** - No private registry
-**Runtime protection** - Missing resource limits
- ⚠️ **Host OS** - User namespaces not configured
-**Network isolation** - Most containers use bridge networks
---
## Monitoring & Ongoing Security
### Recommended Actions
1. **Automated Scanning:** Implement Trivy or Clair for image vulnerability scanning
2. **Runtime Monitoring:** Deploy Falco for container runtime security
3. **Log Aggregation:** Forward Docker logs to centralized logging (already have rsyslog)
4. **Regular Audits:** Run docker audit playbook weekly
5. **Update Policy:** Review and apply security updates monthly
### Alerting Thresholds
- New privileged container detected
- Container CPU > 80% for > 5 minutes
- Container memory > 90% for > 2 minutes
- New container using host network mode
- Image pulls from untrusted registries
---
## References
- **Docker Security Best Practices:** https://docs.docker.com/engine/security/
- **CIS Docker Benchmark:** https://www.cisecurity.org/benchmark/docker
- **NIST SP 800-190:** https://csrc.nist.gov/publications/detail/sp/800-190/final
- **Mailcow Documentation:** https://docs.mailcow.email/
- **Audit Reports:**
- pihole: `playbooks/stats/docker_audits/pihole/`
- mymx: `playbooks/stats/docker_audits/mymx/`
---
**Document Version:** 1.0
**Last Updated:** 2025-11-11
**Next Review:** 2025-11-18 (Weekly)
**Owner:** Infrastructure Security Team
Reference in New Issue View Git Blame Copy Permalink