网站导航
> 技术文档 > Docker 进程加固全面指南

Docker 进程加固全面指南

网友: 技术文档 2025-09-03 12:02:29

Docker 进程加固全面指南

针对生产环境中的 Docker 安全,以下是详细的加固策略和实施方法:

一、核心加固措施

1. Docker 守护进程加固

// /etc/docker/daemon.json{ \"tls\": true, \"tlscacert\": \"/etc/docker/ca.pem\", \"tlscert\": \"/etc/docker/server-cert.pem\", \"tlskey\": \"/etc/docker/server-key.pem\", \"tlsverify\": true, \"icc\": false, // 禁用容器间通信 \"userns-remap\": \"default\", // 用户命名空间隔离 \"live-restore\": true, // 守护进程崩溃时保持容器运行 \"no-new-privileges\": true, // 禁止容器获取新权限 \"default-ulimits\": { \"nofile\": {\"Name\": \"nofile\", \"Soft\": 64000, \"Hard\": 64000} }, \"log-driver\": \"json-file\", \"log-opts\": { \"max-size\": \"10m\", \"max-file\": \"3\" }}

2. 用户命名空间隔离

# 创建Docker专用用户和组sudo groupadd -g 500000 dockremapsudo useradd -u 500000 -g dockremap -s /bin/false dockremap# 配置用户映射echo \"dockremap:500000:65536\" | sudo tee /etc/subuidecho \"dockremap:500000:65536\" | sudo tee /etc/subgid

3. 内核级防护

# 设置sysctl参数sudo tee /etc/sysctl.d/99-docker.conf <<EOFnet.ipv4.conf.all.forwarding=0net.ipv4.conf.default.forwarding=0net.ipv4.conf.all.send_redirects=0net.ipv4.conf.default.send_redirects=0net.ipv4.tcp_syncookies=1kernel.kptr_restrict=2kernel.perf_event_paranoid=3vm.swappiness=0EOFsudo sysctl -p

二、容器运行时加固

1. 安全容器配置模板

# secure-container.ymlversion: \'3.8\'services: secure-app: image: nginx:hardened read_only: true security_opt: - no-new-privileges:true - apparmor:docker-default - seccomp:/etc/docker/seccomp-profile.json cap_drop: - ALL cap_add: - CHOWN - SETGID - SETUID tmpfs: - /tmp:rw,noexec,nosuid,size=10M ulimits: nproc: 50 nofile: soft: 100 hard: 200 logging: driver: json-file options: max-size: \"10m\" max-file: \"3\"

2. 自定义Seccomp配置文件

// /etc/docker/seccomp-profile.json{ \"defaultAction\": \"SCMP_ACT_ERRNO\", \"syscalls\": [ {\"name\": \"accept\", \"action\": \"SCMP_ACT_ALLOW\"}, {\"name\": \"epoll_wait\", \"action\": \"SCMP_ACT_ALLOW\"}, {\"name\": \"read\", \"action\": \"SCMP_ACT_ALLOW\"}, {\"name\": \"write\", \"action\": \"SCMP_ACT_ALLOW\"}, {\"name\": \"close\", \"action\": \"SCMP_ACT_ALLOW\"}, {\"name\": \"futex\", \"action\": \"SCMP_ACT_ALLOW\"}, {\"name\": \"mmap\", \"action\": \"SCMP_ACT_ALLOW\", \"args\": [...]}, // 仅允许必要系统调用 ]}

3. AppArmor策略

# /etc/apparmor.d/docker-nginx#include profile docker-nginx flags=(attach_disconnected,mediate_deleted) { #include  # 允许基本操作 network inet tcp, network inet udp, # 文件访问控制 deny /etc/passwd rwklx, deny /etc/shadow rwklx, deny /root/** rwklx, # 仅允许访问必要路径 /usr/sbin/nginx mr, /var/log/nginx/** rw, /var/www/html/** r, # 拒绝危险操作 deny capability sys_module, deny capability sys_admin, deny mount, deny ptrace,}

三、镜像安全加固

1. Dockerfile 安全实践

FROM alpine:3.18# 使用非root用户RUN addgroup -S appgroup && adduser -S appuser -G appgroup# 安全更新RUN apk update && apk upgrade --no-cache# 最小化安装RUN apk add --no-cache nginx# 配置权限RUN chown -R appuser:appgroup /var/lib/nginx && \\ chmod -R 750 /var/lib/nginx && \\ chmod 444 /etc/nginx/nginx.conf# 清理缓存RUN rm -rf /var/cache/apk/*# 设置非特权端口EXPOSE 8080# 切换用户USER appuser# 健康检查HEALTHCHECK --interval=30s --timeout=10s \\ CMD curl -f http://localhost:8080/ || exit 1CMD [\"nginx\", \"-g\", \"daemon off;\"]

2. 镜像扫描与验证

# 使用Trivy扫描镜像docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \\ aquasec/trivy:latest image nginx:latest# 使用Docker Content Trustexport DOCKER_CONTENT_TRUST=1docker pull nginx:alpine# 生成SBOMdocker sbom nginx:latest -o spdx-json=sbom.json

四、网络隔离加固

1. 网络策略实施

# 创建隔离网络docker network create --driver=overlay \\ --opt encrypted=true \\ --opt com.docker.network.driver.mtu=1200 \\ --subnet=10.10.0.0/24 \\ team-isolated-net# 应用网络策略docker service create --name secured-app \\ --network team-isolated-net \\ --publish published=8080,target=80,mode=host \\ --limit-cpu 0.5 \\ --limit-memory 256M \\ nginx:hardened

2. 防火墙规则

# 允许必要端口sudo ufw allow 2376/tcp # Docker TLS端口sudo ufw allow 8080/tcp # 应用端口# 拒绝所有容器到宿主机的直接访问sudo iptables -I DOCKER-USER -i docker0 -j DROP

五、审计与监控

1. Docker 审计配置

# /etc/audit/rules.d/docker.rules-w /var/lib/docker -p wa -k docker-w /etc/docker -p wa -k docker-w /usr/bin/dockerd -p x -k docker-w /usr/bin/docker -p x -k docker-w /var/run/docker.sock -p wa -k docker

2. Falco 实时威胁检测

# falco_rules.yaml- rule: Unauthorized Process in Container desc: Detect processes not in allowed list condition: > container.id != host and not proc.name in (nginx, httpd, apache)  output: > Unauthorized process (%proc.name) in container (%container.name) priority: WARNING

3. 安全监控面板

# 部署安全监控栈docker run -d --name falco \\ --privileged \\ -v /var/run/docker.sock:/host/var/run/docker.sock \\ -v /dev:/host/dev \\ -v /proc:/host/proc:ro \\ falcosecurity/falcodocker run -d --name sysdig \\ --privileged \\ -v /var/run/docker.sock:/host/var/run/docker.sock \\ -v /dev:/host/dev \\ -v /proc:/host/proc:ro \\ sysdig/sysdig

六、自动化加固工作流

#mermaid-svg-vnotpLw2g8rhQmts {font-family:\"trebuchet ms\",verdana,arial,sans-serif;font-size:16px;fill:#333;}#mermaid-svg-vnotpLw2g8rhQmts .error-icon{fill:#552222;}#mermaid-svg-vnotpLw2g8rhQmts .error-text{fill:#552222;stroke:#552222;}#mermaid-svg-vnotpLw2g8rhQmts .edge-thickness-normal{stroke-width:2px;}#mermaid-svg-vnotpLw2g8rhQmts .edge-thickness-thick{stroke-width:3.5px;}#mermaid-svg-vnotpLw2g8rhQmts .edge-pattern-solid{stroke-dasharray:0;}#mermaid-svg-vnotpLw2g8rhQmts .edge-pattern-dashed{stroke-dasharray:3;}#mermaid-svg-vnotpLw2g8rhQmts .edge-pattern-dotted{stroke-dasharray:2;}#mermaid-svg-vnotpLw2g8rhQmts .marker{fill:#333333;stroke:#333333;}#mermaid-svg-vnotpLw2g8rhQmts .marker.cross{stroke:#333333;}#mermaid-svg-vnotpLw2g8rhQmts svg{font-family:\"trebuchet ms\",verdana,arial,sans-serif;font-size:16px;}#mermaid-svg-vnotpLw2g8rhQmts .label{font-family:\"trebuchet ms\",verdana,arial,sans-serif;color:#333;}#mermaid-svg-vnotpLw2g8rhQmts .cluster-label text{fill:#333;}#mermaid-svg-vnotpLw2g8rhQmts .cluster-label span{color:#333;}#mermaid-svg-vnotpLw2g8rhQmts .label text,#mermaid-svg-vnotpLw2g8rhQmts span{fill:#333;color:#333;}#mermaid-svg-vnotpLw2g8rhQmts .node rect,#mermaid-svg-vnotpLw2g8rhQmts .node circle,#mermaid-svg-vnotpLw2g8rhQmts .node ellipse,#mermaid-svg-vnotpLw2g8rhQmts .node polygon,#mermaid-svg-vnotpLw2g8rhQmts .node path{fill:#ECECFF;stroke:#9370DB;stroke-width:1px;}#mermaid-svg-vnotpLw2g8rhQmts .node .label{text-align:center;}#mermaid-svg-vnotpLw2g8rhQmts .node.clickable{cursor:pointer;}#mermaid-svg-vnotpLw2g8rhQmts .arrowheadPath{fill:#333333;}#mermaid-svg-vnotpLw2g8rhQmts .edgePath .path{stroke:#333333;stroke-width:2.0px;}#mermaid-svg-vnotpLw2g8rhQmts .flowchart-link{stroke:#333333;fill:none;}#mermaid-svg-vnotpLw2g8rhQmts .edgeLabel{background-color:#e8e8e8;text-align:center;}#mermaid-svg-vnotpLw2g8rhQmts .edgeLabel rect{opacity:0.5;background-color:#e8e8e8;fill:#e8e8e8;}#mermaid-svg-vnotpLw2g8rhQmts .cluster rect{fill:#ffffde;stroke:#aaaa33;stroke-width:1px;}#mermaid-svg-vnotpLw2g8rhQmts .cluster text{fill:#333;}#mermaid-svg-vnotpLw2g8rhQmts .cluster span{color:#333;}#mermaid-svg-vnotpLw2g8rhQmts div.mermaidTooltip{position:absolute;text-align:center;max-width:200px;padding:2px;font-family:\"trebuchet ms\",verdana,arial,sans-serif;font-size:12px;background:hsl(80, 100%, 96.2745098039%);border:1px solid #aaaa33;border-radius:2px;pointer-events:none;z-index:100;}#mermaid-svg-vnotpLw2g8rhQmts :root{--mermaid-font-family:\"trebuchet ms\",verdana,arial,sans-serif;}代码提交镜像构建安全扫描是否通过签名并推送通知安全团队部署到测试环境运行时防护安全审计生产部署

七、紧急响应计划

  1. 入侵检测流程:

    # 1. 暂停可疑容器docker pause suspicious_container# 2. 导出取证数据docker export suspicious_container > forensic.tardocker logs suspicious_container > container.logs# 3. 分析时间线docker diff suspicious_container# 4. 隔离网络docker network disconnect bridge suspicious_container# 5. 安全删除docker rm -f suspicious_container

  2. 漏洞响应流程:

    # 批量更新受影响容器docker ps --format \'{{.Image}}\' | grep vulnerable | \\while read img; do docker pull patched-${img} docker service update --image patched-${img} $(docker service ls | grep $img)done

八、持续安全实践

  1. 定期检查:

    # 检查容器安全状态docker bench-security# 检查镜像漏洞trivy --severity HIGH,CRITICAL registry/your-image# 检查合规性dockle --cis registry/your-image

  2. 安全更新策略:

    # 自动化安全更新docker run -d --name watchtower \\ -v /var/run/docker.sock:/var/run/docker.sock \\ containrrr/watchtower \\ --schedule \"0 0 3 * * *\" \\ --label-enable \\ --cleanup \\ --monitor-only

通过实施这些策略,您将建立多层防御体系,显著提升 Docker 环境的安全性。建议定期审查和更新安全策略,以应对不断变化的威胁环境。

网络标签:

相关问题