Stats
Actions
Tags
Hardens Docker containers for production per CIS Docker Benchmark v1.8.0, covering daemon config, secure Dockerfiles with multi-stage builds, and runtime flags for least privilege and isolation.
How this skill is triggered — by the user, by Claude, or both
Slash command
/cybersecurity-skills-zh:hardening-docker-containers-for-productionThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
对生产环境 Docker 容器进行安全加固,涵盖符合 CIS Docker Benchmark v1.8.0 的安全最佳实践,旨在最小化攻击面、防止权限提升,并在 Docker daemon、镜像、容器和运行时配置中强制执行最小权限原则。
对生产环境 Docker 容器进行安全加固,涵盖符合 CIS Docker Benchmark v1.8.0 的安全最佳实践,旨在最小化攻击面、防止权限提升,并在 Docker daemon、镜像、容器和运行时配置中强制执行最小权限原则。
# 使用特定摘要以确保可重现性
FROM python:3.12-slim@sha256:abc123... AS builder
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir --user -r requirements.txt
# 生产阶段——最小镜像
FROM gcr.io/distroless/python3-debian12
# 仅复制必要的工件
COPY --from=builder /root/.local /root/.local
COPY --from=builder /app /app
WORKDIR /app
# 创建非 root 用户
USER 65534:65534
# 设置只读文件系统预期
LABEL org.opencontainers.image.source="https://github.com/org/app"
ENTRYPOINT ["python", "app.py"]
{
"icc": false,
"log-driver": "json-file",
"log-opts": {
"max-size": "10m",
"max-file": "3"
},
"live-restore": true,
"userland-proxy": false,
"no-new-privileges": true,
"default-ulimits": {
"nofile": {
"Name": "nofile",
"Hard": 64000,
"Soft": 64000
},
"nproc": {
"Name": "nproc",
"Hard": 1024,
"Soft": 1024
}
},
"seccomp-profile": "/etc/docker/seccomp-default.json",
"tls": true,
"tlscacert": "/etc/docker/tls/ca.pem",
"tlscert": "/etc/docker/tls/server-cert.pem",
"tlskey": "/etc/docker/tls/server-key.pem",
"tlsverify": true
}
docker run -d \
--name production-app \
--read-only \
--tmpfs /tmp:rw,noexec,nosuid,size=100m \
--tmpfs /var/run:rw,noexec,nosuid,size=10m \
--cap-drop ALL \
--cap-add NET_BIND_SERVICE \
--security-opt no-new-privileges:true \
--security-opt seccomp=/etc/docker/seccomp-default.json \
--security-opt apparmor=docker-default \
--pids-limit 100 \
--memory 512m \
--memory-swap 512m \
--cpus 1.0 \
--user 65534:65534 \
--network custom-bridge \
--restart on-failure:3 \
--health-cmd "curl -f http://localhost:8080/health || exit 1" \
--health-interval 30s \
--health-timeout 10s \
--health-retries 3 \
myapp:latest
export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER=https://notary.example.com
# 签名并推送镜像
docker trust sign myregistry.com/myapp:v1.0.0
# 拉取前验证镜像签名
docker trust inspect --pretty myregistry.com/myapp:v1.0.0
# 为 Docker 文件和目录添加审计规则
cat >> /etc/audit/rules.d/docker.rules << 'EOF'
-w /usr/bin/docker -k docker
-w /var/lib/docker -k docker
-w /etc/docker -k docker
-w /lib/systemd/system/docker.service -k docker
-w /lib/systemd/system/docker.socket -k docker
-w /etc/default/docker -k docker
-w /etc/docker/daemon.json -k docker
-w /usr/bin/containerd -k docker
-w /usr/bin/runc -k docker
EOF
systemctl restart auditd
# 运行 Docker Bench Security
docker run --rm --net host --pid host \
--userns host --cap-add audit_control \
-e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
-v /etc:/etc:ro \
-v /usr/bin/containerd:/usr/bin/containerd:ro \
-v /usr/bin/runc:/usr/bin/runc:ro \
-v /usr/lib/systemd:/usr/lib/systemd:ro \
-v /var/lib:/var/lib:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
docker/docker-bench-security
# 检查 Dockerfile
hadolint Dockerfile
# 检查构建的镜像
dockle myapp:latest
# 验证没有以 root 运行的容器
docker ps -q | xargs docker inspect --format '{{.Id}}: User={{.Config.User}}'
| 控制 | 实现方式 | CIS 章节 |
|---|---|---|
| 非 root 用户 | Dockerfile 中的 USER 指令 | 4.1 |
| 只读根文件系统 | --read-only 标志 | 5.12 |
| 删除能力 | --cap-drop ALL | 5.3 |
| 资源限制 | --memory、--cpus、--pids-limit | 5.10 |
| 禁止获取新权限 | --security-opt no-new-privileges | 5.25 |
| 内容信任 | DOCKER_CONTENT_TRUST=1 | 4.5 |
| Daemon TLS | daemon.json TLS 配置 | 2.6 |
| 审计日志 | auditd 规则 | 1.1 |
npx claudepluginhub killvxk/cybersecurity-skills-zhHardens Docker containers for production using CIS Benchmark v1.8.0 practices: daemon config, trusted images, runtime restrictions, non-root users, and seccomp/AppArmor.
Hardens Docker containers for production using CIS Docker Benchmark v1.8.0. Covers daemon configuration, image builds, runtime restrictions, and monitoring.
Hardens Docker containers for production using CIS Docker Benchmark v1.8.0. Covers daemon configuration, image builds, runtime restrictions, and monitoring.