FEA406 - Harden all the containers
Feature ID | FEA406 |
---|---|
Subsystem the feature is part of | EP04 - Security and Authentication |
Responsible person | SEC |
Status | Done |
Description
This feature enhances the security posture of the Tukko - traffic visualizer's containerized environment. It aims to mitigate various security risks by implementing Docker container hardening best practices. The primary focus has been to:
- Run containers with non-root users to minimize the potential damage from a container compromise.
- Limit container capabilities to the bare minimum required for operation, thereby reducing the attack surface.
- Prevent privilege escalation, which could allow attackers to gain more privileges than initially granted.
- Set resource limits on containers to avoid system resource exhaustion, which could be used in denial of service attacks.
Restrictions, requirements and use cases related to this feature
ID | Description |
---|---|
FUNC-REQ-C0022 | Harden all the containers |
Preliminary user stories
- US056: As a security specialist, I want to harden all the containers. (#81)
User interface mock-up
Implementation Details
Running Containers with Non-Root Users
- Modified the Dockerfile for both frontend and backend services to create a non-root user.
- Ensured that containers are running as this non-root user by default.
Limiting Container Capabilities
- Updated the docker-compose.yml file to include the cap_drop: ALL directive, which ensures no default capabilities are granted to any container.
Preventing Privilege Escalation
- In the docker-compose.yml file, added no-new-privileges: true to ensure that no process within the container can gain additional privileges beyond what was assigned.
Setting Resource Limits
- Defined memory and CPU usage limits within the docker-compose.yml to prevent any container from consuming excessive system resources.
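The four measures above written out as one Compose file, as an added example and not the project's own docker-compose.yml; the image names, ports and the uid/gid are placeholders, and the Dockerfile is assumed to create the matching unprivileged user.

```yaml
# Added example (not the project's docker-compose.yml): how the four
# hardening measures map onto Compose keys. Image names, ports and the
# uid/gid are placeholders.
services:
  backend:
    image: tukko-backend:local          # placeholder image name
    # 1. Non-root: run as the unprivileged user the Dockerfile creates
    #    (e.g. `RUN adduser --system --uid 10001 app` then `USER app`).
    #    Setting the uid here as well keeps the container non-root even
    #    if the Dockerfile's USER line is ever dropped.
    user: "10001:10001"
    # 2. Capabilities: start from none and add back a single capability
    #    only when a specific operation is shown to fail without it.
    cap_drop:
      - ALL
    # 3. No privilege escalation: setuid/setgid binaries and file
    #    capabilities cannot raise privileges inside the container.
    #    (The Compose key is security_opt; the value is no-new-privileges:true.)
    security_opt:
      - no-new-privileges:true
    # 4. Resource limits: docker compose v2 honours deploy.resources.limits
    #    outside Swarm as well.
    deploy:
      resources:
        limits:
          cpus: "1.0"
          memory: 512M
    ports:
      - "8080:8080"                     # placeholder port

  frontend:
    image: tukko-frontend:local         # placeholder image name
    user: "10001:10001"
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    deploy:
      resources:
        limits:
          cpus: "0.5"
          memory: 256M
    # Caveat: with ALL capabilities dropped, a non-root process cannot bind
    # ports below 1024, so the server inside the container must listen on a
    # high port (here 8080), or NET_BIND_SERVICE must be re-added explicitly.
    ports:
      - "80:8080"                       # host 80 -> container 8080
```

After `docker compose up`, `docker inspect <container>` shows the effective settings under `Config.User`, `HostConfig.CapDrop`, `HostConfig.SecurityOpt` and `HostConfig.Memory`/`NanoCpus`, which is a quick way to confirm each measure actually took effect.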
Testing / possible acceptance criteria
Testcase | Test source | Responsible |
---|---|---|
Testcase 1 | FUNC-REQ-C0022 | |