# Docker System Vulnerability Assessment Guide



![Figure. Docker vulnerability assessment checklist](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2Ff1VPXgQregzYzpzHX9R2%2Fimage.png?alt=media\&token=96aabaf4-6983-43d0-a017-ac1cdff305b8)

## A. Host configuration

### DO-01. Apply the latest Docker patches

![Figure. DO-01. Apply the latest Docker patches](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2FRAIiDhl5YuNBgkbTyoxs%2Fimage.png?alt=media\&token=cbe488f9-fb26-43ca-ac29-f7446b817be8)

![Figure. DO-01. Apply the latest Docker patches](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2FRG57OD5XOv2o3IcbyHv1%2Fimage.png?alt=media\&token=edd03afd-c5c9-45bf-9bf9-54a1dba37a99)

### DO-02. Remove unnecessary users from the docker group

![Figure. DO-02. Remove unnecessary users from the docker group](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2FhBoftn9FC88o9HkWTqqa%2Fimage.png?alt=media\&token=a8be74a3-5075-46fc-b86a-dae0fab1e785)

### DO-03. Configure auditing for the Docker daemon

![Figure. DO-03. Configure auditing for the Docker daemon](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2F0wTW9WV4ItzVBLhclZf4%2Fimage.png?alt=media\&token=4dac674c-3c5d-478b-a838-c0495cafdb11)

### DO-04. Configure auditing for /var/lib/docker

![Figure. DO-04. Configure auditing for /var/lib/docker](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2FdXBHOtzLUiXjDWPXaXBH%2Fimage.png?alt=media\&token=9482e54a-8707-4f6f-8c67-98316a6f880c)

### DO-05. Configure auditing for /etc/docker

![Figure. DO-05. Configure auditing for /etc/docker](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2Fu8pvVjzZNYl3n1vMNshm%2Fimage.png?alt=media\&token=543fde60-9947-433e-9875-7eec3b19c9f6)

### DO-06. Configure auditing for docker.service

![Figure. DO-06. Configure auditing for docker.service](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2FMOiJWkl9qZUwHqlext2Z%2Fimage.png?alt=media\&token=32d57475-cb76-4707-9fb9-38581d46e37a)

![Figure. DO-06. Configure auditing for docker.service](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2F2EzPO7dQMiXjdtD4uBSl%2Fimage.png?alt=media\&token=c459ca57-4955-4b3e-bc01-56700b671496)

### DO-07. Configure auditing for docker.socket

![Figure. DO-07. Configure auditing for docker.socket](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2FMstznEs6CNPise5inoCp%2Fimage.png?alt=media\&token=91f9af26-5152-4aa7-b31e-e0225678ed2a)

![Figure. DO-07. Configure auditing for docker.socket](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2F4JXQYEOKmgNBLyMycsCw%2Fimage.png?alt=media\&token=828a8e0c-d157-4a6d-a513-47ddcae7a1ad)

### DO-08. Configure auditing for /etc/default/docker

![Figure. DO-08. Configure auditing for /etc/default/docker](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2FsIACcnYuDPBD15dVJYLt%2Fimage.png?alt=media\&token=838a0503-9a0f-47a7-8105-fd77cec7e83e)

![Figure. DO-08. Configure auditing for /etc/default/docker](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2FmrmeiRU5mnVADYGZAklN%2Fimage.png?alt=media\&token=babfed29-f4fa-4d52-9631-fb2754a75840)
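Items DO-03 through DO-08 all ask the same question of auditd: is there a watch rule on each Docker path? The script below is an added example, not code from the original page, that answers it offline from a rules file or saved `auditctl -l` output and prints the rule lines that are missing. The dockerd binary path and the systemd unit-file locations it uses are assumptions; confirm them on the host with `command -v dockerd` and `systemctl show -p FragmentPath docker.service`.

```sh
#!/bin/sh
# Added example, not code from the original page: verify that auditd watch
# rules cover the Docker paths named in DO-03 .. DO-08.  The checks read a
# rules file (or saved `auditctl -l` output) instead of calling auditctl, so
# they run offline; on a live host feed them:  auditctl -l > /tmp/audit.txt
# The dockerd binary location (/usr/bin/dockerd) and the systemd unit paths
# are assumptions; confirm them with `command -v dockerd` and
# `systemctl show -p FragmentPath docker.service` on the host being checked.

# Paths the page's audit checks expect to be watched, one per line.
docker_audit_paths() {
    cat <<'EOF'
/usr/bin/dockerd
/var/lib/docker
/etc/docker
/usr/lib/systemd/system/docker.service
/usr/lib/systemd/system/docker.socket
/etc/default/docker
EOF
}

# audit_rule_present RULES_FILE PATH -> 0 if a `-w PATH` watch rule exists
audit_rule_present() {
    esc=$(printf '%s' "$2" | sed 's/[.]/\\./g')
    grep -Eq "(^|[[:space:]])-w[[:space:]]+$esc([[:space:]]|\$)" "$1"
}

# audit_missing RULES_FILE -> prints each expected path that has no watch;
# returns 0 when every path is covered, 1 otherwise.
audit_missing() {
    rc=0
    for p in $(docker_audit_paths); do
        if ! audit_rule_present "$1" "$p"; then
            echo "MISSING audit watch: $p"
            rc=1
        fi
    done
    return $rc
}

# print_audit_rules -> rule lines for /etc/audit/rules.d/docker.rules; the
# key "docker" lets `ausearch -k docker` pull the events back out later.
print_audit_rules() {
    docker_audit_paths | while read -r p; do
        printf '%s %s -k docker\n' -w "$p"
    done
}

# Usage on a live host (commented out so the file can be sourced):
#   auditctl -l > /tmp/audit-current.txt
#   audit_missing /tmp/audit-current.txt || print_audit_rules
```

After adding the rules, reload them with `augenrules --load` (or `auditctl -R`) and re-run `audit_missing` against fresh `auditctl -l` output; a rule that is in the file but not loaded still leaves the daemon unwatched.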

## B. Docker daemon configuration

### DO-09. Restrict network traffic between containers on the default bridge

![Figure. DO-09. Restrict network traffic between containers on the default bridge](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2Fq2i5NtjAc7F5U2GmjBvb%2Fimage.png?alt=media\&token=c4cb3b3f-657c-4c4f-b9e4-f37a9f926636)

![Figure. DO-09. Restrict network traffic between containers on the default bridge](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2F23chOWSrcQkcGDfo5PZ0%2Fimage.png?alt=media\&token=e182ed6a-b9db-4163-8a08-e5f316a53def)

### DO-10. Enable Docker client authentication

![Figure. DO-10. Enable Docker client authentication](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2FHy0OBlKwUxyk5upp6En2%2Fimage.png?alt=media\&token=74c3958a-f554-4547-9842-a446d7b02c26)

![Figure. DO-10. Enable Docker client authentication](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2FpeM3vLwR6dTaSEzZgH38%2Fimage.png?alt=media\&token=2991eaf4-a3a5-4cf4-9011-87e809d5dbe7)

![Figure. DO-10. Enable Docker client authentication](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2FxePKU1mwoPtxLwbua7gM%2Fimage.png?alt=media\&token=0e416117-9837-4240-94cc-6f9ba2b69938)

### DO-11. Disable the legacy registry (v1)

![Figure. DO-11. Disable the legacy registry (v1)](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2F8sFRLwk2U0zAjwZIJczm%2Fimage.png?alt=media\&token=b1560d2e-448f-493b-8d16-7c553c10d808)

### DO-12. Restrict containers from acquiring additional privileges

![Figure. DO-12. Restrict containers from acquiring additional privileges](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2FUzr69btohoaBNDJXH4ar%2Fimage.png?alt=media\&token=fd270493-86d3-4e5a-ab34-15fad53e3398)

![Figure. DO-12. Restrict containers from acquiring additional privileges](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2F9HrTWqM13fpgHYsOYcSj%2Fimage.png?alt=media\&token=a0297cbf-9f4f-45bc-a44c-d7ed9a08909a)
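DO-09 through DO-12 are all settings of the daemon itself, which on a modern host live in `/etc/docker/daemon.json`. As an added example (not from the original page), the script below reads such a file, reports which of the four settings is missing or weak, and prints a hardened fragment. The certificate paths in that fragment are placeholders for the host's own PKI. One caveat worth knowing: the `disable-legacy-registry` key only exists on daemons old enough to still speak the v1 protocol; Docker 17.12 removed v1 support along with the flag, and a newer daemon refuses to start on an unknown key, so keep that line only for older daemons.

```sh
#!/bin/sh
# Added example, not code from the original page: check a daemon.json for the
# four daemon-level settings in DO-09 .. DO-12.  The checks are line-oriented
# (grep on `"key": value`) so they need nothing but a POSIX shell; with jq
# available, `jq .icc /etc/docker/daemon.json` is the more robust way to read
# a single key.
#
# DO-09  "icc": false                  no container-to-container traffic on docker0
# DO-10  "tlsverify": true (+ certs)   clients must present a cert signed by the CA
# DO-11  "disable-legacy-registry": true   v1 registry protocol off
#        (pre-17.12 daemons only; newer daemons reject the key as unknown)
# DO-12  "no-new-privileges": true     setuid/file-capability binaries in the
#                                      container cannot raise their privileges

# json_bool_is FILE KEY VALUE -> 0 if a `"KEY": VALUE` line appears in FILE
json_bool_is() {
    grep -Eq "\"$2\"[[:space:]]*:[[:space:]]*$3([^a-z]|\$)" "$1"
}

# daemon_json_findings FILE -> one line per weak or missing setting;
# returns 0 only when all four are set as recommended.
daemon_json_findings() {
    rc=0
    json_bool_is "$1" icc false \
        || { echo "DO-09: icc is not false (containers on docker0 can reach each other)"; rc=1; }
    json_bool_is "$1" tlsverify true \
        || { echo "DO-10: tlsverify is not true (no client certificate authentication)"; rc=1; }
    json_bool_is "$1" disable-legacy-registry true \
        || { echo "DO-11: disable-legacy-registry is not true"; rc=1; }
    json_bool_is "$1" no-new-privileges true \
        || { echo "DO-12: no-new-privileges is not true"; rc=1; }
    return $rc
}

# hardened_daemon_json -> a daemon.json with the four settings applied.
# The cert paths are placeholders; point them at the host's real PKI files.
hardened_daemon_json() {
    cat <<'EOF'
{
  "icc": false,
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem",
  "disable-legacy-registry": true,
  "no-new-privileges": true
}
EOF
}

# Usage on a live host:
#   daemon_json_findings /etc/docker/daemon.json || hardened_daemon_json
```

A setting can also be passed as a `dockerd` command-line flag in the unit file, and a flag and a daemon.json key for the same option conflict, so if `daemon_json_findings` reports a miss, check `systemctl cat docker.service` before editing the JSON.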

## C. Docker daemon configuration files

### DO-13. Set docker.service file ownership

![Figure. DO-13. Set docker.service file ownership](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2FBzlyZ8dSk0Bvw6Tg20Mm%2Fimage.png?alt=media\&token=b9ae5ec1-ed40-4b7f-bdbe-e22a831a875b)

### DO-14. Set docker.service file permissions

![Figure. DO-14. Set docker.service file permissions](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2FHkJPIroysdaJtiLatuNs%2Fimage.png?alt=media\&token=724bc03e-2344-41e2-b1ca-3ca4446b35b1)

### DO-15. Set docker.socket file ownership

![Figure. DO-15. Set docker.socket file ownership](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2FuV5Vz4XpcPL71pfEJPX5%2Fimage.png?alt=media\&token=609ab5f0-b922-474b-9abe-d4125c80f41f)

### DO-16. Set docker.socket file permissions

![Figure. DO-16. Set docker.socket file permissions](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2Fe0UcV8Q4zOJoTv4wub8N%2Fimage.png?alt=media\&token=eb4353e9-7d56-4d98-aa05-60bd0348f114)

### DO-17. Set /etc/docker directory ownership

![Figure. DO-17. Set /etc/docker directory ownership](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2Fv1Sr6chFmWGLiphAw5T1%2Fimage.png?alt=media\&token=cd9c90f3-bbb3-4428-81bb-7171c851f3cc)

### DO-18. Set /etc/docker directory permissions

![Figure. DO-18. Set /etc/docker directory permissions](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2Fobzz4bCsPZekqjeOGdnH%2Fimage.png?alt=media\&token=b06d0827-aeb5-43cb-aa14-1ec6367cc8ea)

### DO-19. Set /var/run/docker.sock file ownership

![Figure. DO-19. Set /var/run/docker.sock file ownership](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2F4YUr9S8FxspuSVdYLxhR%2Fimage.png?alt=media\&token=11980ce2-f0b2-4439-a884-6d017f7817e5)

### DO-20. Set /var/run/docker.sock file permissions

![Figure. DO-20. Set /var/run/docker.sock file permissions](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2F9TcguG19RLrwf6auI8HR%2Fimage.png?alt=media\&token=ea3fe451-4438-4deb-8b89-63ca68dbc4bb)

### DO-21. Set daemon.json file ownership

![Figure. DO-21. Set daemon.json file ownership](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2FO6Jfhzuk2fIJen3F5Miw%2Fimage.png?alt=media\&token=0e8acbad-4b3d-4845-9b18-8e901a83b439)

### DO-22. Set daemon.json file permissions

![Figure. DO-22. Set daemon.json file permissions](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2FMwVJ2vaSwikmFGy1wfpD%2Fimage.png?alt=media\&token=ae59f772-3f15-4f40-b57a-26a083bd0966)

### DO-23. Set /etc/default/docker file ownership

![Figure. DO-23. Set /etc/default/docker file ownership](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2F7AULTKtBBKU17AYOMhQA%2Fimage.png?alt=media\&token=f5a08c0a-dd35-4554-9863-377e7dfa3892)

### DO-24. Set /etc/default/docker file permissions

![Figure. DO-24. Set /etc/default/docker file permissions](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2FT6xgFmT8sPlOV3Mq1mJs%2Fimage.png?alt=media\&token=5932e400-2142-4e4d-a6bc-fe69093d2bd4)
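DO-13 through DO-24 are twelve instances of one check: a Docker file or directory must be owned by the right user and group and must have a mode no wider than a given maximum. The script below is an added example, not code from the original page, that implements that check once and runs it over a small policy table. The owner and mode values in the table follow the CIS Docker Benchmark, which this checklist mirrors, and are an assumption here because the page's expected values are in its screenshots; the unit-file directory is also an assumption. It uses GNU `stat -c` (Linux); BSD/macOS `stat` takes `-f` instead.

```sh
#!/bin/sh
# Added example, not code from the original page: check owner, group and
# mode of the Docker files and directories listed in DO-13 .. DO-24.  The
# expected values follow the CIS Docker Benchmark, which this checklist
# mirrors; they are an assumption here because the page's own expected
# values are in the screenshots.  Uses GNU `stat -c` (Linux); BSD/macOS
# stat takes `-f` instead.

# file_mode_within FILE MAX_OCTAL -> 0 when FILE sets no permission bit that
# MAX_OCTAL lacks, i.e. the mode is MAX_OCTAL "or more restrictive".
file_mode_within() {
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & ~0$2 )) -eq 0 ]
}

# file_owned_by FILE USER GROUP -> 0 when owner and group match exactly
file_owned_by() {
    [ "$(stat -c '%U:%G' "$1")" = "$2:$3" ]
}

# docker_file_policy -> "PATH OWNER GROUP MAXMODE", one line per page item.
# The unit-file directory and /etc/default/docker (Debian/Ubuntu only) are
# assumptions; absent paths are skipped by the checker below.
docker_file_policy() {
    cat <<'EOF'
/usr/lib/systemd/system/docker.service root root 644
/usr/lib/systemd/system/docker.socket root root 644
/etc/docker root root 755
/var/run/docker.sock root docker 660
/etc/docker/daemon.json root root 644
/etc/default/docker root root 644
EOF
}

# check_file_policy POLICY_FILE -> prints one finding per violating entry;
# returns 1 if any entry failed, 0 otherwise.
check_file_policy() {
    rc=0
    while read -r path user group maxmode; do
        [ -e "$path" ] || continue
        if ! file_owned_by "$path" "$user" "$group"; then
            echo "$path: owner is $(stat -c '%U:%G' "$path"), expected $user:$group"
            rc=1
        fi
        if ! file_mode_within "$path" "$maxmode"; then
            echo "$path: mode $(stat -c '%a' "$path") is wider than $maxmode"
            rc=1
        fi
    done < "$1"
    return $rc
}

# check_docker_files -> run the page's policy table against the live host
check_docker_files() {
    pol=$(mktemp) || return 2
    docker_file_policy > "$pol"
    check_file_policy "$pol"
    rc=$?
    rm -f "$pol"
    return $rc
}
```

The mode comparison is a bit test rather than a numeric one: `0644 & ~0640` is non-zero, so a 644 file fails a "640 or more restrictive" policy even though 644 is numerically larger, which is what "more restrictive" means. On a host the socket entry is the one that most often drifts, because adding a user to the docker group (DO-02) and loosening the socket mode are the two usual shortcuts for "docker permission denied".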

## D. Container images and build files

### DO-25. Run containers as a non-root user

![Figure. DO-25. Run containers as a non-root user](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2FqzxJLNzTrr0jUjymnVOV%2Fimage.png?alt=media\&token=1993ea34-6db1-4c9d-b344-96510a83994c)

![Figure. DO-25. Run containers as a non-root user](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2FSP0AKan7PQbf0XmgWplb%2Fimage.png?alt=media\&token=66cc33e6-d3ad-4873-b494-018d5a4a28ab)

### DO-26. Enable Docker Content Trust

![Figure. DO-26. Enable Docker Content Trust](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2Ffub6y6Obixx9uuyTaLma%2Fimage.png?alt=media\&token=277f4899-1355-4b8f-89cd-10d24ab45247)
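DO-25 and DO-26 are both decided before a container ever runs: by the last `USER` instruction in the Dockerfile, and by whether `DOCKER_CONTENT_TRUST=1` is in the environment of the `docker pull`/`docker push` that fetches the image. The script below is an added example, not code from the original page, with a Dockerfile scanner for the first and an environment check for the second; the two Dockerfiles in its test are constructed for the example. For multi-stage builds only the final stage's `USER` matters, and this simple scan takes the last `USER` in the file, so read it with that in mind.

```sh
#!/bin/sh
# Added example, not code from the original page: two build-time checks for
# DO-25 and DO-26.
#   DO-25  a Dockerfile must end with a non-root USER; otherwise the main
#          process runs as uid 0 inside the container (Docker's default).
#   DO-26  DOCKER_CONTENT_TRUST=1 must be set for whoever runs docker pull /
#          docker push, so that only signed tags are accepted.
# Caveat: for multi-stage builds only the final stage's USER applies; this
# scan simply takes the last USER instruction in the file.

# dockerfile_effective_user FILE -> the user named by the last USER
# instruction, or "root" when there is none.
dockerfile_effective_user() {
    u=$(grep -Ei '^[[:space:]]*USER[[:space:]]+' "$1" | tail -n 1 | awk '{print $2}')
    # USER accepts "name", "uid", "name:group" or "uid:gid"; keep the user part.
    u=${u%%:*}
    printf '%s\n' "${u:-root}"
}

# dockerfile_runs_as_root FILE -> 0 (true) when the final user is root / uid 0
dockerfile_runs_as_root() {
    case "$(dockerfile_effective_user "$1")" in
        root|0) return 0 ;;
        *)      return 1 ;;
    esac
}

# content_trust_enabled -> 0 when DOCKER_CONTENT_TRUST=1 is in the current
# environment, which is what a docker pull run from this shell would see.
content_trust_enabled() {
    [ "${DOCKER_CONTENT_TRUST:-0}" = "1" ]
}

# Usage in a build pipeline (commented out so the file can be sourced):
#   dockerfile_runs_as_root ./Dockerfile && echo "DO-25: image runs as root" >&2
#   content_trust_enabled || echo "DO-26: DOCKER_CONTENT_TRUST is not set" >&2
```

Note that `USER` in the Dockerfile only sets the default; `docker run --user root` can still override it, so a runtime check on the container's `Config.User` (from `docker inspect`) is the companion to this build-time check.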

## E. Container runtime

### DO-27. Set SELinux security options for containers

![Figure. DO-27. Set SELinux security options for containers](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2Fbs7HYDdG0O0ls74hBwvL%2Fimage.png?alt=media\&token=ae73b564-2918-41f5-9073-69dfebd2e3e9)

![Figure. DO-27. Set SELinux security options for containers](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2FsRrSgtRQvAODi3YTUtHf%2Fimage.png?alt=media\&token=0e5f5a00-b31a-479d-b37b-9bbfcaf42ee9)

### DO-28. Do not run ssh inside containers

![Figure. DO-28. Do not run ssh inside containers](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2F1xhg0hepaZ3Qc0KHNO4U%2Fimage.png?alt=media\&token=2582bdd9-130f-4bf4-b65e-40b6a7eabfaa)

### DO-29. Do not map privileged ports into containers

![Figure. DO-29. Do not map privileged ports into containers](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2Fz9M9QszAZZNPWLqgf1IV%2Fimage.png?alt=media\&token=14bea40d-50f8-4142-b4ef-aa756428abd0)

![Figure. DO-29. Do not map privileged ports into containers](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2FKNw36Yvpvj9SZiO6NMFx%2Fimage.png?alt=media\&token=e98978c6-1769-4e3d-902b-76b6cbc829a3)

### DO-30. Limit PIDs with the pids cgroup

![Figure. DO-30. Limit PIDs with the pids cgroup](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2FV50ns92h4MvxhJRHemEw%2Fimage.png?alt=media\&token=ce65d111-3b38-4cf8-a109-c663827eb23f)

### DO-31. Restrict use of Docker's default bridge docker0

![Figure. DO-31. Restrict use of Docker's default bridge docker0](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2F8iYbmiwyjAyYTChvWJHO%2Fimage.png?alt=media\&token=5d4eff2f-a72a-49f1-969d-9a83622bc099)

### DO-32. Do not share the host's user namespace

![Figure. DO-32. Do not share the host's user namespace](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2FqmNe1lKe3th7UaIRqOpc%2Fimage.png?alt=media\&token=c047980f-35eb-4057-a208-9ace4ee81290)

![Figure. DO-32. Do not share the host's user namespace](https://1567468684-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fs0j0HSGvadiD7HlWa44X%2Fuploads%2F56w9YFtNyl6FxWIIo76a%2Fimage.png?alt=media\&token=53f43d22-44fe-45ee-9855-6c05432ea509)
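Five of the six runtime items (DO-27, DO-29, DO-30, DO-31, DO-32) are visible in the `HostConfig` block that `docker inspect` prints for a running container; DO-28 is a process check instead. The script below is an added example, not code from the original page, that evaluates those five against a saved copy of that JSON so it runs offline, and ships two constructed, abbreviated inspect outputs (a default-run container and its hardened twin) to show the difference. The `HostConfig` field names it reads are real; the line-by-line grep/sed parsing is a convenience for the example, and on a live host a Go template such as `docker inspect --format '{{ .HostConfig.PidsLimit }}' <container>` reads a single field more reliably.

```sh
#!/bin/sh
# Added example, not code from the original page: evaluate DO-27, DO-29,
# DO-30, DO-31 and DO-32 against the JSON that `docker inspect` prints for a
# container.  The functions read a saved copy of that output so they run
# offline; on a live host:  docker inspect <container> > /tmp/inspect.json
# The field names (HostConfig.NetworkMode, PortBindings, PidsLimit,
# SecurityOpt, UsernsMode) are real inspect fields; the grep/sed parsing is a
# convenience for the example.  In production read one field at a time with
# a Go template:  docker inspect --format '{{ .HostConfig.PidsLimit }}' <container>
# DO-28 (no sshd in the container) is a process check, not an inspect field:
# run `docker top <container>` and look for sshd.

# inspect_field FILE KEY -> value of the first `"KEY": value` line, unquoted
inspect_field() {
    grep -E "\"$2\"[[:space:]]*:" "$1" | head -n 1 |
        sed -E 's/^[^:]*:[[:space:]]*//; s/,[[:space:]]*$//; s/^"//; s/"$//'
}

# DO-27: a SELinux label was passed via --security-opt label=...
selinux_label_set() { grep -Eq '"label[=:]' "$1"; }

# DO-29: no published HostPort below 1024
no_privileged_ports() {
    grep -oE '"HostPort":[[:space:]]*"[0-9]+"' "$1" | grep -oE '[0-9]+' |
    while read -r port; do
        if [ "$port" -lt 1024 ]; then exit 1; fi
    done
}

# DO-30: --pids-limit was set (null or 0 means unlimited)
pids_limit_set() {
    case "$(inspect_field "$1" PidsLimit)" in
        ''|null|0) return 1 ;;
        *)         return 0 ;;
    esac
}

# DO-31: attached to a user-defined network, not the default bridge docker0
not_on_default_bridge() {
    case "$(inspect_field "$1" NetworkMode)" in
        ''|default|bridge) return 1 ;;
        *)                 return 0 ;;
    esac
}

# DO-32: not started with --userns=host
userns_not_host() { [ "$(inspect_field "$1" UsernsMode)" != "host" ]; }

# runtime_findings FILE -> one line per failed item; 0 only when all pass
runtime_findings() {
    rc=0
    selinux_label_set "$1"     || { echo "DO-27: no SELinux label in SecurityOpt"; rc=1; }
    no_privileged_ports "$1"   || { echo "DO-29: a host port below 1024 is published"; rc=1; }
    pids_limit_set "$1"        || { echo "DO-30: PidsLimit not set; a fork bomb can exhaust host PIDs"; rc=1; }
    not_on_default_bridge "$1" || { echo "DO-31: container is on the default bridge docker0"; rc=1; }
    userns_not_host "$1"       || { echo "DO-32: container shares the host user namespace"; rc=1; }
    return $rc
}

# Constructed, abbreviated inspect output for a container started with the
# defaults plus --userns=host and -p 80:80.
sample_inspect_weak() {
    cat <<'EOF'
[{"HostConfig": {
    "NetworkMode": "default",
    "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "80"}]},
    "PidsLimit": null,
    "SecurityOpt": null,
    "UsernsMode": "host"
}}]
EOF
}

# Constructed output for the same service started with --network app-net
# -p 127.0.0.1:8080:8080 --pids-limit 100 --security-opt label=level:s0:c100,c200
sample_inspect_hardened() {
    cat <<'EOF'
[{"HostConfig": {
    "NetworkMode": "app-net",
    "PortBindings": {"8080/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8080"}]},
    "PidsLimit": 100,
    "SecurityOpt": ["label=level:s0:c100,c200"],
    "UsernsMode": ""
}}]
EOF
}
```

Two caveats for DO-27 and DO-30. A `label=` entry in `SecurityOpt` only has effect when the daemon itself runs with `--selinux-enabled` on an SELinux host, so pair this check with `docker info` (look for `selinux` under Security Options). And a `PidsLimit` that is present but very large still satisfies the check here; the value should be sized to the workload, since its purpose is to stop one container's runaway process tree from consuming the host's PID space.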

