esell / dockopotamus Goto Github PK

Each container should have outbound traffic set to a very low level to prevent the container from becoming a viable source for real attacks.

There should also be some logic in the app that detects sustained outbound traffic and shuts the container down.

Would be neat to listen on other ports/protocols (telnet anyone?).

The logging data, src IP, etc should be collected and put into something (elasticsearch?). With all of the potential data coming in there should be a good way to search and aggregate it.

What are some steps that can be taken to make this a bit more secure?

• using -cap-drop=all breaks a lot of the container since it's assumed users will want to download/create stuff
• document how to create a docker group so we can avoid running as root
• document how to forward port 22 -> dockopotamus port to avoid running as root
• the main attack vector seems to be the docker daemon, what do we do about that?

Look at using go-dockerclient to do container stuffs instead of just running a command via bash.

Is snoopy the right way to log everything? Should the logs be sent somewhere vs written to disk?

Things like listening port, docker image used, etc should be set via a config file instead of being hardcoded.