From 6ddbae3905c98db4046586948e392f8a0ae8242d Mon Sep 17 00:00:00 2001 From: Wonderfall Date: Thu, 31 Mar 2022 03:33:05 +0200 Subject: [PATCH] add links to default profiles --- content/posts/docker-hardening.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/posts/docker-hardening.md b/content/posts/docker-hardening.md index 8c20ce5..339af3f 100644 --- a/content/posts/docker-hardening.md +++ b/content/posts/docker-hardening.md 
@@ -132,7 +132,7 @@ MAC stand for Mandatory Access Control: traditionnally a Linux Security Module t ### seccomp seccomp (short for secure computing mode) on the other hand is a much simpler and complementary tool, and there is no reason not to use it. What it does is restricting a process to a set of system calls, thus drastically reducing the attack surface available. -Docker provides default profiles for AppArmor and seccomp, and they're enabled by default for newly created containers unless the `unconfined` option is explicitly passed. These profiles are a great start, but you should do much more if you take security seriously, because they were made to not break compatibility with a large range of images. The default seccomp profile only disables [around 44 syscalls](https://docs.docker.com/engine/security/seccomp/#significant-syscalls-blocked-by-the-default-profile), which are mostly not very common and/or obsoleted. +Docker provides default profiles for [AppArmor](https://github.com/moby/moby/tree/85eaf23bf46b12827273ab2ff523c753117dbdc7/profiles/apparmor) and [seccomp](https://github.com/moby/moby/blob/85eaf23bf46b12827273ab2ff523c753117dbdc7/profiles/seccomp/default.json), and they're enabled by default for newly created containers unless the `unconfined` option is explicitly passed. These profiles are a great start, but you should do much more if you take security seriously, because they were made to not break compatibility with a large range of images. The default seccomp profile only disables [around 44 syscalls](https://docs.docker.com/engine/security/seccomp/#significant-syscalls-blocked-by-the-default-profile), which are mostly not very common and/or obsoleted. ### cgroups Also, use cgroups to restrict system resources. You likely don't want a guest container to monopolize the host resources. In a Compose file:
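Review bot: the two links added in the `+` line pin the moby profiles to commit 85eaf23bf46b12827273ab2ff523c753117dbdc7, which keeps the references stable but means they will silently fall behind later revisions of the default AppArmor and seccomp profiles; consider qualifying the sentence (for example "as of this commit") or also linking the unpinned `profiles/apparmor` and `profiles/seccomp/default.json` paths so readers can compare against what their Docker version actually ships. Since the same line is already being touched, the adjacent context line's "traditionnally" could be corrected to "traditionally" in this hunk as well.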