Advanced container security including threat modeling, common attacks, mitigation strategies, and security testing.
- Understand container attack surfaces and threat modeling
- Identify common container attacks and vulnerabilities
- Implement comprehensive security mitigation strategies
- Conduct security testing and incident response
Container security is critical in modern infrastructure, as containers introduce unique attack surfaces and vulnerabilities. This chapter explores common container attacks, security threats, and comprehensive mitigation strategies. Understanding these security concepts is essential for building secure containerized applications in your custom Linux distribution.
- Container threat modeling and attack surface analysis
- Common container attacks and exploits
- Vulnerability classes (CVEs, misconfigurations)
- Comprehensive mitigation strategies
- Advanced security techniques (gVisor, Kata, SELinux/AppArmor)
- Incident response and forensics
- Security testing and validation
# Run container with security hardening
podman run --rm \
--security-opt seccomp=/path/to/seccomp-profile.json \
--security-opt apparmor=podman-default \
--cap-drop=ALL --cap-add=NET_BIND_SERVICE \
--read-only --tmpfs /tmp \
--user 1000:1000 \
-p 8080:8080 myapp:latest
# Scan image for vulnerabilities
trivy image myapp:latest
# Verify image signature
cosign verify myregistry.com/myapp:latestgraph TD
A[External Attackers] --> B[Container Attack Surface]
C[Malicious Insiders] --> B
D[Supply Chain] --> B
B --> E[Host Kernel]
B --> F[Container Runtime]
B --> G[Images]
B --> H[Network]
B --> I[Storage]
E --> J[Container Escape]
F --> K[Runtime Exploit]
G --> L[Image Tampering]
H --> M[Network Attack]
I --> N[Data Breach]
- Privilege escalation via mounts
- Container escape via kernel exploits
- Image tampering and supply chain attacks
- DoS and resource exhaustion
- Vulnerability classes (CVEs, misconfigurations)
- Image security (scanning, signing, minimal images)
- Runtime security (security contexts, seccomp, AppArmor)
- Network security (segmentation, policies)
- Secrets management
- Advanced techniques (gVisor, Kata, SELinux)
- Supply chain security (SBOM, binary authorization)
- Container security scanning (static analysis)
- Dynamic testing and penetration testing
- Compliance validation
- Incident response and forensics
- Image Security: Use minimal base images, scan for vulnerabilities, sign images
- Runtime Security: Apply security contexts, use seccomp/AppArmor, drop capabilities
- Network Security: Implement network policies, segment traffic, use TLS
- Access Control: Enforce RBAC, use secrets management, audit access
- Monitoring: Enable logging, monitor anomalies, set up alerts
# Build secure image
docker build --no-cache -t myapp:secure .
# Scan for vulnerabilities
trivy image myapp:secure
# Sign image
cosign sign myregistry.com/myapp:secure
# Deploy with security controls
podman run -d \
--name secure-app \
--security-opt seccomp=default.json \
--security-opt apparmor=docker-default \
--cap-drop=ALL \
--cap-add=NET_BIND_SERVICE \
--read-only \
--tmpfs /tmp \
--tmpfs /run \
--user 1000:1000 \
--memory 512m \
--cpus 1.0 \
--pids-limit 100 \
--network mynetwork \
-p 8080:8080 \
myapp:securesequenceDiagram
participant D as Detection
participant I as Isolation
participant A as Analysis
participant R as Recovery
participant L as Lessons
D->>I: Alert triggered
I->>I: Pause/stop container
I->>A: Capture logs & filesystem
A->>A: Forensic analysis
A->>R: Identify root cause
R->>R: Deploy clean version
R->>L: Update policies
L->>L: Document incident
- Exercise 1: Scan a container image and remediate critical vulnerabilities.
- Exercise 2: Implement a seccomp profile that blocks dangerous syscalls and test it.
- Exercise 3: Configure AppArmor/SELinux policies for a containerized application.
- Exercise 4: Simulate a privilege escalation attack and verify mitigation controls.
- Exercise 5: Create an incident response playbook for container compromise.
- Exercise 6: Generate and analyze an SBOM for your container images.
- Apply security practices to your complete LFS distribution
- Implement continuous security scanning in your CI/CD pipeline
- Develop custom security policies for your use cases
- Review the detailed content in 01-threat-modeling/01-container-security.md for comprehensive examples and attack scenarios
- Proceed to Chapter 13 to compare our custom LFS distribution with modern cloud-native operating systems