mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-26 11:44:37 +03:00
c21af3347e
- Add scripts/agent.py and references/api-reference.md to all remaining skills - Update all 648 LICENSE files: copyright now reads 'Mahipal' - Add implementing-security-monitoring-with-datadog (new skill with full anatomy) - All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
1.8 KiB
# API Reference: Docker Container Hardening

## Docker CLI

### List Containers

```bash
docker ps --format '{{json .}}'
```

### Inspect Container

```bash
docker inspect <container_id>
```

### Key Inspect Fields

| Path | Description |
|---|---|
| `.HostConfig.Privileged` | Privileged mode |
| `.HostConfig.NetworkMode` | Network namespace |
| `.HostConfig.CapAdd` | Added capabilities |
| `.HostConfig.ReadonlyRootfs` | Read-only filesystem |
| `.HostConfig.Memory` | Memory limit (bytes) |
| `.Config.User` | Container user |
## CIS Docker Benchmark Checks

| Check | Description | Severity |
|---|---|---|
| 4.1 | Non-root user | HIGH |
| 5.3 | Restrict capabilities | HIGH |
| 5.4 | No privileged containers | CRITICAL |
| 5.5 | No sensitive host mounts | HIGH |
| 5.10 | No host network | HIGH |
| 5.12 | Read-only root FS | MEDIUM |
| 5.13 | CPU limits set | LOW |
| 5.14 | Memory limits set | MEDIUM |
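The inspect fields and the check table above come together in an audit script that reads `docker inspect` JSON and reports findings by check number. This is an added example, not code from the original reference or from the project's own `scripts/agent.py`; the two container records it carries are constructed samples, the list of sensitive host paths (with the Docker socket added) is an assumption, and the unnumbered `security-opt` finding for `seccomp=unconfined` / `apparmor=unconfined` is an extra check of this example rather than a row from the table.

```python
"""Audit `docker inspect` output against the checks in the tables above.

Added example, not part of the original reference. It parses the JSON that
`docker inspect <container_id>` prints (a list, one object per container),
reads the Key Inspect Fields and emits (check_id, severity, message)
findings using the CIS numbers and severities from the table.
"""
import json
import sys

# Host paths whose bind-mounting CIS 5.5 treats as sensitive. The docker
# socket entry is an assumption of this example; adjust for your estate.
SENSITIVE_HOST_PATHS = ("/", "/boot", "/dev", "/etc", "/lib", "/proc",
                        "/sys", "/usr", "/var/run/docker.sock")


def _is_under(path, root):
    """True if `path` equals `root` or lies below it ("/" only matches itself)."""
    if root == "/":
        return path == "/"
    return path == root or path.startswith(root + "/")


def audit_container(container):
    """Return a list of (check_id, severity, message) for one inspect record."""
    host = container.get("HostConfig") or {}
    config = container.get("Config") or {}
    findings = []

    # 4.1 Non-root user: empty User, "root" or uid 0 means the process runs as root.
    user = (config.get("User") or "").strip()
    if user.split(":")[0] in ("", "root", "0"):
        findings.append(("4.1", "HIGH", "runs as root (Config.User=%r)" % user))

    # 5.3 Restrict capabilities: expect --cap-drop ALL plus an explicit --cap-add list.
    cap_drop = host.get("CapDrop") or []
    cap_add = host.get("CapAdd") or []
    if "ALL" not in cap_drop:
        findings.append(("5.3", "HIGH", "CapDrop lacks ALL; added capabilities: %s"
                         % (", ".join(cap_add) or "none")))

    # 5.4 No privileged containers.
    if host.get("Privileged"):
        findings.append(("5.4", "CRITICAL", "container is privileged"))

    # 5.5 No sensitive host mounts: look at bind mounts in the top-level Mounts list.
    for mount in container.get("Mounts") or []:
        src = mount.get("Source") or ""
        if mount.get("Type") == "bind" and any(_is_under(src, p) for p in SENSITIVE_HOST_PATHS):
            findings.append(("5.5", "HIGH", "sensitive host path mounted: %s" % src))

    # 5.10 No host network.
    if host.get("NetworkMode") == "host":
        findings.append(("5.10", "HIGH", "shares the host network namespace"))

    # 5.12 Read-only root FS.
    if not host.get("ReadonlyRootfs"):
        findings.append(("5.12", "MEDIUM", "root filesystem is writable"))

    # 5.13 CPU limits: --cpus is stored in NanoCpus; 0 means unlimited.
    if not host.get("NanoCpus"):
        findings.append(("5.13", "LOW", "no CPU limit set"))

    # 5.14 Memory limits: Memory is in bytes; 0 means unlimited.
    if not host.get("Memory"):
        findings.append(("5.14", "MEDIUM", "no memory limit set"))

    # Extra check of this example (not a table row): seccomp or AppArmor
    # switched off shows up in HostConfig.SecurityOpt as "<lsm>=unconfined".
    for opt in host.get("SecurityOpt") or []:
        if opt in ("seccomp=unconfined", "apparmor=unconfined"):
            findings.append(("security-opt", "HIGH", "%s disabled" % opt.split("=")[0]))

    return findings


def audit_inspect_output(text):
    """Parse `docker inspect` JSON and map container name -> findings."""
    return {c.get("Name", "").lstrip("/"): audit_container(c) for c in json.loads(text)}


# Constructed samples: one container run with settings a hardening review
# flags, one run with the flags recommended on this page.
LEGACY_SAMPLE = {
    "Name": "/legacy-web",
    "Config": {"User": ""},
    "HostConfig": {"Privileged": True, "NetworkMode": "host", "CapAdd": ["SYS_ADMIN"],
                   "CapDrop": None, "ReadonlyRootfs": False, "Memory": 0, "NanoCpus": 0,
                   "SecurityOpt": ["seccomp=unconfined"]},
    "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                "Destination": "/var/run/docker.sock"}],
}
HARDENED_SAMPLE = {
    "Name": "/api",
    "Config": {"User": "appuser"},
    "HostConfig": {"Privileged": False, "NetworkMode": "bridge",
                   "CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"],
                   "ReadonlyRootfs": True, "Memory": 536870912, "NanoCpus": 1000000000,
                   "SecurityOpt": []},
    "Mounts": [{"Type": "tmpfs", "Destination": "/tmp"}],
}
SAMPLE_INSPECT_JSON = json.dumps([LEGACY_SAMPLE, HARDENED_SAMPLE])

if __name__ == "__main__":
    # Usage: docker inspect $(docker ps -q) | python3 audit.py   (no stdin: use the samples)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT_JSON
    for name, findings in audit_inspect_output(text).items():
        print("%s: %d finding(s)" % (name, len(findings)))
        for check, severity, message in findings:
            print("  [%s] %-8s %s" % (check, severity, message))
```

Piping `docker inspect $(docker ps -q)` into the script audits every running container at once; the hardened sample yields no findings because `--cap-drop ALL` with a single `--cap-add` is the pattern the check expects, while the legacy sample trips every row of the table.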
## Secure Dockerfile Practices

### Non-Root User

```dockerfile
FROM alpine:3.18
RUN adduser -D appuser
USER appuser
```

### Read-Only Filesystem

```bash
docker run --read-only --tmpfs /tmp:rw,noexec,nosuid myimage
```

### Drop Capabilities

```bash
docker run --cap-drop ALL --cap-add NET_BIND_SERVICE myimage
```

### Resource Limits

```bash
docker run --memory=512m --cpus=1.0 myimage
```
## Docker Bench Security

### Run Audit

```bash
docker run --rm --net host --pid host --userns host \
  --cap-add audit_control \
  -v /var/lib:/var/lib \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /etc:/etc \
  docker/docker-bench-security
```
## Seccomp and AppArmor

### Custom Seccomp Profile

```bash
docker run --security-opt seccomp=profile.json myimage
```

### AppArmor Profile

```bash
docker run --security-opt apparmor=docker-default myimage
```