Solution Security

  • TLS communication between docker services
    • TLS is supported for all transport between Docker services
    • Services discover each other by FQDN through the DNS of a custom (user-defined) Docker network
    • Only TLS-enabled ports are published by Docker
  • TLSv1.2 support
    • Only TLSv1.2 is accepted by the web-based applications; older protocol versions are refused and TLSv1.3 is not offered in this release.
  • Alpine version
    • All Java- and Node-based images, including ActiveMQ, are rebuilt on Alpine 3.11
  • Hardened third party images
    • Third-party images are rebuilt on the latest Alpine Linux release and the vulnerabilities reported by Trivy are remediated.
    • MySQL image rebuilt on Alpine 3.11
    • Minio image rebuilt on Alpine 3.10.4
    • NGINX-based images rebuilt on Alpine 3.10.4
    • Vulnerabilities in the MongoDB image resolved
  • Trivy Docker Images Security Compliance
    • All images, including third-party images, are free of OS-package and npm vulnerabilities reported by the Trivy vulnerability scanner at the time of release. A scan is a point-in-time result, so images should be rescanned as new CVEs are published and rebuilt when fixes become available.
  • Transparent & Explicit forward proxy support for internet consuming components
    • Both transparent and explicit forward proxies are supported for the components that access the internet, e.g. Customer Channel Manager when it sends messages to Facebook, Viber, etc.
  • Reverse Proxy profile for internet-facing components
    • An NGINX reverse proxy fronts all components so that they are reachable over a single port (HTTPS 443). A second profile exposes only the components that must be reachable from the internet, e.g. Customer Gadget, Chat Server, Customer Channel Manager, etc.
  • Code Injection & SQL Injection prevention
    • Prevention of basic code and SQL injection is already implemented. Further injection-prevention practices are being added to Hybrid Chat in upcoming releases.
  • Rate limits
    • The reverse proxy is configured to limit incoming request rates, which mitigates application-layer flooding and brute-force attempts. Rate limiting at the proxy does not stop a volumetric DDoS, which saturates the link before traffic reaches NGINX and has to be absorbed upstream of the host.
  • OWASP Best Practices for Web
    • OWASP best practices are implemented both in the individual web-based components and at the reverse proxy server
  • Docker CIS Compliance
    • The following CIS Docker Benchmark controls (image and runtime sections) are implemented by HC (Hybrid Chat):


      CIS Reference | Description | Status
      4.1   | Ensure a user for the container has been created | PASS
      4.2   | Ensure that containers use only trusted base images | PASS
      4.4   | Ensure images are scanned and rebuilt to include security patches | PASS
      4.6   | Ensure that HEALTHCHECK instructions have been added to container images | PASS
      4.9   | Ensure that COPY is used instead of ADD in Dockerfiles | PASS
      4.10  | Ensure secrets are not stored in Dockerfiles | PASS
      4.11  | Ensure only verified packages are installed | PASS
      5.3   | Ensure Linux Kernel Capabilities are restricted within containers | PASS
      5.5   | Ensure sensitive host system directories are not mounted on containers | PASS
      5.6   | Ensure sshd is not run within containers | PASS
      5.7   | Ensure privileged ports are not mapped within containers | PASS
      5.8   | Ensure that only needed ports are open on the container | PASS
      5.9   | Ensure the host's network namespace is not shared | PASS
      5.10  | Ensure that the memory usage for containers is limited | PASS
      5.11  | Ensure CPU priority is set appropriately on the container | PASS
      5.13  | Ensure that incoming container traffic is bound to a specific host interface | PASS
      5.14  | Ensure that the 'on-failure' container restart policy is set to '5' | PASS
      5.15  | Ensure the host's process namespace is not shared | PASS
      5.16  | Ensure the host's IPC namespace is not shared | PASS
      5.17  | Ensure that the host devices are not directly exposed to containers | PASS
      5.19  | Ensure mount propagation mode is not set to "shared" | PASS
      5.20  | Ensure the host's UTS namespace is not "shared" | PASS
      5.21  | Ensure the default seccomp profile is not disabled | PASS
      5.22  | Ensure docker exec commands are not used with the privileged option | PASS
      5.23  | Ensure that docker exec commands are not used with the user=root option | PASS
      5.24  | Ensure that cgroup usage is confirmed | PASS
      5.26  | Ensure that container health is checked at runtime | PASS
      5.28  | Ensure that the PIDs cgroup limit is used | PASS
      5.29  | Ensure that Docker's default bridge 'docker0' is not used | PASS
      5.30  | Ensure that the host's user namespaces are not shared | PASS
      5.31  | Ensure that the Docker socket is not mounted inside any containers | PASS
      7.1   | Ensure swarm mode is not enabled, if not needed | PASS
      7.2   | Ensure that the minimum number of manager nodes have been created in a swarm (Swarm mode not enabled) | PASS
      7.3   | Ensure that swarm services are bound to a specific host interface (Swarm mode not enabled) | PASS
      7.4   | Ensure that all Docker swarm overlay networks are encrypted | PASS
      7.5   | Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Swarm mode not enabled) | PASS
      7.6   | Ensure that swarm manager is run in auto-lock mode (Swarm mode not enabled) | PASS
      7.7   | Ensure that the swarm manager auto-lock key is rotated periodically (Swarm mode not enabled) | PASS
      7.8   | Ensure that node certificates are rotated as appropriate (Swarm mode not enabled) | PASS
      7.9   | Ensure that CA certificates are rotated as appropriate (Swarm mode not enabled) | PASS
      7.10  | Ensure that management plane traffic is separated from data plane traffic (Swarm mode not enabled) | PASS
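The table above lists which controls are claimed, but a PASS is only as good as the check that produced it. The script below is an added example (not Hybrid Chat's tooling) that evaluates a subset of the runtime and image controls from the table directly against `docker inspect` output: user, HEALTHCHECK, added capabilities, sensitive host mounts, the Docker socket, host namespaces, the default bridge, memory and PID limits, the on-failure:5 restart policy, seccomp, devices, privileged ports and interface binding. The two container records are constructed, trimmed to the fields the checks read, and the container names and paths are assumptions.

```python
"""Audit `docker inspect` output against a subset of the CIS Docker Benchmark
controls in the table above. Example code added to this page, not Hybrid
Chat's own tooling; the two container records are constructed, trimmed to the
fields the checks read, and are not output from a real deployment."""
import json
import sys

SENSITIVE_HOST_DIRS = ("/boot", "/dev", "/etc", "/lib", "/proc", "/sys", "/usr")
# HostConfig keys whose value "host" means the container shares that namespace
NAMESPACE_CONTROLS = (("NetworkMode", "5.9"), ("PidMode", "5.15"), ("IpcMode", "5.16"),
                      ("UTSMode", "5.20"), ("UsernsMode", "5.30"))


def audit_container(rec):
    """Return [(cis_ref, message), ...] for one `docker inspect` record."""
    host, cfg, out = rec["HostConfig"], rec["Config"], []
    if not cfg.get("User"):
        out.append(("4.1", "runs as root: no USER in the image or --user at run time"))
    if not cfg.get("Healthcheck"):
        out.append(("4.6", "image defines no HEALTHCHECK, so runtime health (5.26) cannot be checked"))
    if host.get("CapAdd"):
        out.append(("5.3", f"capabilities added: {host['CapAdd']}"))
    for m in rec.get("Mounts", []):
        src = m.get("Source", "")
        sensitive = src == "/" or any(src == d or src.startswith(d + "/") for d in SENSITIVE_HOST_DIRS)
        if sensitive and m.get("RW", True):
            out.append(("5.5", f"sensitive host path mounted read-write: {src}"))
        if m.get("Propagation") == "shared":
            out.append(("5.19", f"shared mount propagation on {src}"))
        if src.endswith("docker.sock"):
            out.append(("5.31", "Docker socket mounted into the container"))
    for key, ref in NAMESPACE_CONTROLS:
        if host.get(key) == "host":
            out.append((ref, f"{key}=host shares the host namespace"))
    if host.get("NetworkMode") in ("default", "bridge"):
        out.append(("5.29", "attached to the default docker0 bridge instead of a user-defined network"))
    if not host.get("Memory"):
        out.append(("5.10", "no memory limit (--memory)"))
    if not host.get("PidsLimit") or host["PidsLimit"] < 0:
        out.append(("5.28", "no PIDs cgroup limit (--pids-limit)"))
    rp = host.get("RestartPolicy") or {}
    if (rp.get("Name"), rp.get("MaximumRetryCount")) != ("on-failure", 5):
        out.append(("5.14", f"restart policy is {rp.get('Name')!r}, benchmark expects on-failure:5"))
    if "seccomp=unconfined" in (host.get("SecurityOpt") or []):
        out.append(("5.21", "default seccomp profile disabled"))
    if host.get("Devices"):
        out.append(("5.17", f"host devices exposed: {[d['PathOnHost'] for d in host['Devices']]}"))
    for cport, binds in (host.get("PortBindings") or {}).items():
        for b in binds:
            if int(b["HostPort"]) < 1024:
                out.append(("5.7", f"privileged host port {b['HostPort']} mapped to {cport}"))
            if b.get("HostIp") in ("", "0.0.0.0", "::"):
                out.append(("5.13", f"{cport} published on every host interface"))
    return out


def audit(records):
    """Map container name -> findings for a parsed `docker inspect` JSON array."""
    return {rec["Name"].lstrip("/"): audit_container(rec) for rec in records}


SAMPLE = [  # constructed: one hardened service and one misconfigured one
    {"Name": "/hc-chat-server",
     "Config": {"User": "1001:1001",
                "Healthcheck": {"Test": ["CMD", "curl", "-fsk", "https://localhost:8443/health"]}},
     "HostConfig": {"NetworkMode": "hc-net", "CapAdd": None, "CapDrop": ["ALL"], "Devices": [],
                    "Memory": 1073741824, "PidsLimit": 512, "SecurityOpt": None,
                    "RestartPolicy": {"Name": "on-failure", "MaximumRetryCount": 5},
                    "PortBindings": {"8443/tcp": [{"HostIp": "10.0.0.5", "HostPort": "8443"}]}},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/hc-certs/_data",
                 "Destination": "/certs", "RW": False, "Propagation": ""}]},
    {"Name": "/legacy-agent",
     "Config": {"User": ""},
     "HostConfig": {"NetworkMode": "bridge", "PidMode": "host", "CapAdd": ["SYS_ADMIN"],
                    "Devices": [{"PathOnHost": "/dev/mem", "PathInContainer": "/dev/mem"}],
                    "Memory": 0, "PidsLimit": None, "SecurityOpt": ["seccomp=unconfined"],
                    "RestartPolicy": {"Name": "always", "MaximumRetryCount": 0},
                    "PortBindings": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "80"}]}},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock",
                 "RW": True, "Propagation": "rprivate"},
                {"Type": "bind", "Source": "/etc", "Destination": "/host-etc", "RW": True,
                 "Propagation": "shared"}]},
]

if __name__ == "__main__":
    # Real use (file name assumed): docker inspect $(docker ps -q) | python3 cis_audit.py
    records = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for name, findings in audit(records).items():
        print(f"{name}: {'PASS' if not findings else str(len(findings)) + ' finding(s)'}")
        for ref, msg in findings:
            print(f"  CIS {ref}: {msg}")
```

Run without stdin it audits the constructed records; piped `docker inspect` output is audited instead. Treat a 5.7 finding on the NGINX reverse proxy as expected rather than a failure: the page states it publishes HTTPS 443, which is the one privileged port this deployment intends to map, and the check is there so that no other container silently acquires one.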
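The TLSv1.2-only, reverse-proxy, rate-limit and OWASP bullets above all land in one NGINX server block, and the inter-service TLS bullet decides what `proxy_pass` points at. The example below is added to this page and is not Hybrid Chat's shipped configuration: a weak server block beside a hardened one (TLSv1.2 only, HTTPS-only listener, HSTS and other OWASP headers, `limit_req`, and a verified TLS hop to the upstream by its network FQDN), with a small checker that flags the weak settings. The hostnames, certificate paths, the `hc-net` network and the `chat-server.hc-net` upstream name are assumptions.

```python
"""Weak versus hardened NGINX reverse-proxy configuration, with a checker that
flags the weak settings. Example added to this page; the server blocks are
illustrative, not Hybrid Chat's shipped configuration, and the hostnames,
certificate paths and the chat-server.hc-net upstream name are assumptions."""
import re

WEAK_CONF = """
server {
    listen 80;
    listen 443 ssl;
    server_name chat.example.com;
    ssl_certificate     /etc/nginx/certs/hc.crt;
    ssl_certificate_key /etc/nginx/certs/hc.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;          # TLSv1.0/1.1 still negotiable
    location / {
        proxy_pass http://chat-server:8080/;     # plaintext hop inside the Docker network
    }
}
"""

HARDENED_CONF = """
limit_req_zone $binary_remote_addr zone=hc_api:10m rate=20r/s;   # per-client request budget

server {
    listen 443 ssl http2;                        # single HTTPS entry point, no port 80
    server_name chat.example.com;
    server_tokens off;

    ssl_certificate     /etc/nginx/certs/hc.crt;
    ssl_certificate_key /etc/nginx/certs/hc.key;
    ssl_protocols TLSv1.2;                       # TLSv1.2 only, as the page states
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;

    location /chat-server/ {
        limit_req zone=hc_api burst=40 nodelay;
        proxy_pass https://chat-server.hc-net:8443/;   # TLS to the service by its network FQDN
        proxy_ssl_verify on;                           # and verify its certificate
        proxy_ssl_trusted_certificate /etc/nginx/certs/hc-ca.crt;
        proxy_ssl_name chat-server.hc-net;
    }
}
"""

DIRECTIVE = re.compile(r"^\s*([a-z_]+)\s+([^;{}]*?)\s*[;{]", re.M)
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def directives(conf):
    """Crude tokenizer: (name, args) per directive, comments stripped. Enough for
    flat checks; it does not model nesting or semicolons inside quoted values."""
    return DIRECTIVE.findall(re.sub(r"#.*", "", conf))


def _has(d, name, pred=lambda a: True):
    return any(n == name and pred(a) for n, a in d)


def audit_nginx(conf):
    """Return human-readable findings; an empty list means every check passed."""
    d = directives(conf)
    out = []
    protos = [a for n, a in d if n == "ssl_protocols"]
    if not protos:
        out.append("ssl_protocols not pinned; accepted versions depend on the nginx build default")
    for a in protos:
        legacy = [p for p in a.split() if p in LEGACY_PROTOCOLS]
        if legacy:
            out.append(f"legacy protocols enabled: {' '.join(legacy)}")
    for n, a in d:
        if n == "listen" and "ssl" not in a.split():
            out.append(f"plaintext listener: listen {a}")
        if n == "proxy_pass" and a.startswith("http://"):
            out.append(f"upstream reached without TLS: {a}")
    if _has(d, "proxy_pass", lambda a: a.startswith("https://")) and not _has(d, "proxy_ssl_verify", lambda a: a == "on"):
        out.append("upstream certificate not verified (proxy_ssl_verify defaults to off)")
    if not _has(d, "limit_req"):
        out.append("no limit_req on any location; request rate is unbounded")
    if not _has(d, "add_header", lambda a: a.startswith("Strict-Transport-Security")):
        out.append("HSTS header missing")
    if not _has(d, "server_tokens", lambda a: a == "off"):
        out.append("server_tokens not off; the nginx version is advertised")
    return out


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_nginx(conf)
        print(f"{label}: {'PASS' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Two points the checker encodes that the bullets leave implicit: `proxy_ssl_verify` is off by default in NGINX, so `proxy_pass https://...` alone gives encryption without authentication of the upstream, and `limit_req` only bounds requests that NGINX already received, which is why the rate-limit bullet is a mitigation for application-layer floods rather than for volumetric DDoS.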
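The Trivy bullets above state the result (no OS or npm vulnerabilities) but not the policy that keeps it true across rebuilds. The following is an added example of a build gate over Trivy's JSON output, not Hybrid Chat's pipeline: it fails the build on any OS-package or npm finding at or above a chosen severity that already has a fixed version, reports unfixed findings separately (a rebuild cannot remove them yet), and accepts an explicit ignore list. The report is constructed in the shape of Trivy's schema v2 JSON with placeholder CVE identifiers; the image name and file names are assumptions.

```python
"""Build gate over a Trivy JSON report: fail when an OS-package or npm finding
at or above the chosen severity has a fix available. Example added to this
page, not Hybrid Chat's pipeline; the report below is constructed in the shape
of Trivy's JSON output (schema v2) with placeholder CVE identifiers."""
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def blocking_findings(report, min_severity="HIGH", ignore_unfixed=True, ignore_ids=()):
    """Findings that should fail the build, one dict per (target, CVE, package)."""
    threshold = SEVERITY_RANK[min_severity]
    out = []
    for result in report.get("Results") or []:
        for v in result.get("Vulnerabilities") or []:
            if v["VulnerabilityID"] in ignore_ids:
                continue
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            if ignore_unfixed and not v.get("FixedVersion"):
                continue
            out.append({"target": result["Target"], "class": result.get("Class", "?"),
                        "id": v["VulnerabilityID"], "pkg": v["PkgName"],
                        "installed": v["InstalledVersion"], "fixed": v.get("FixedVersion", ""),
                        "severity": v["Severity"]})
    return out


def summarize(report):
    """Severity counts split by Trivy result class: os-pkgs (Alpine apk) vs lang-pkgs (npm)."""
    counts = {}
    for result in report.get("Results") or []:
        bucket = counts.setdefault(result.get("Class", "?"), {})
        for v in result.get("Vulnerabilities") or []:
            sev = v.get("Severity", "UNKNOWN")
            bucket[sev] = bucket.get(sev, 0) + 1
    return counts


SAMPLE_REPORT = {  # constructed; the CVE ids are placeholders, not real advisories
    "SchemaVersion": 2,
    "ArtifactName": "hc/chat-server:2.0",
    "Results": [
        {"Target": "hc/chat-server:2.0 (alpine 3.11.6)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "musl", "InstalledVersion": "1.1.24-r0",
              "FixedVersion": "", "Severity": "HIGH"},                      # no fix published yet
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "openssl", "InstalledVersion": "1.1.1d-r0",
              "FixedVersion": "1.1.1g-r0", "Severity": "LOW"}]},
        {"Target": "app/package-lock.json", "Class": "lang-pkgs", "Type": "npm",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "lodash", "InstalledVersion": "4.17.11",
              "FixedVersion": "4.17.19", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "minimist", "InstalledVersion": "1.2.0",
              "FixedVersion": "1.2.3", "Severity": "MEDIUM"}]},
    ],
}

if __name__ == "__main__":
    # Real use (file name assumed):
    #   trivy image --format json --output report.json IMAGE && python3 trivy_gate.py < report.json
    report = SAMPLE_REPORT if sys.stdin.isatty() else json.load(sys.stdin)
    print(report.get("ArtifactName"), summarize(report))
    blocking = blocking_findings(report)
    for f in blocking:
        print(f"BLOCK {f['severity']} {f['id']} {f['pkg']} {f['installed']} -> {f['fixed']} ({f['target']})")
    sys.exit(1 if blocking else 0)
```

Trivy's own `--exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed` flags give the same pass/fail answer; keeping the report and applying the policy in a script is what lets the pipeline record the unfixed findings the claim "free from vulnerabilities" would otherwise hide, and rerun the gate on stored reports when the policy changes.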
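The injection bullet above says basic SQL injection prevention is in place without saying what that looks like. As an added example (not Hybrid Chat code), the block below shows the concatenation bug next to its parameterized fix, and the one case parameters cannot cover, an attacker-chosen ORDER BY column, which needs an allowlist instead. The `agents` table and the payload are constructed.

```python
"""The concatenation bug behind classic SQL injection next to its parameterized
fix, plus the case binding cannot cover (an attacker-chosen ORDER BY column).
Example added to this page; it is not Hybrid Chat code, and the agents table
is a constructed stand-in for any application table."""
import sqlite3

PAYLOAD = "' OR '1'='1"  # constructed attacker input


def open_db():
    """In-memory SQLite with a small constructed table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE agents (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO agents VALUES (?, ?)",
                     [("alice", "agent"), ("bob", "supervisor")])
    return conn


def find_agent_vulnerable(conn, username):
    """Untrusted text is spliced into the statement, so it can rewrite the WHERE clause."""
    sql = f"SELECT username, role FROM agents WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_agent(conn, username):
    """Parameter binding: the driver passes the value as data, never as SQL text."""
    return conn.execute("SELECT username, role FROM agents WHERE username = ?",
                        (username,)).fetchall()


SORTABLE = {"username", "role"}


def list_agents(conn, order_by="username"):
    """Identifiers cannot be bound as parameters, so the column name is
    checked against an allowlist before it is interpolated."""
    if order_by not in SORTABLE:
        raise ValueError(f"unsortable column: {order_by!r}")
    return conn.execute(f"SELECT username, role FROM agents ORDER BY {order_by}").fetchall()


if __name__ == "__main__":
    db = open_db()
    print("vulnerable:", find_agent_vulnerable(db, PAYLOAD))  # every row comes back
    print("bound:     ", find_agent(db, PAYLOAD))             # no such username, nothing
    print("sorted:    ", list_agents(db, "role"))
    try:
        list_agents(db, "role; DROP TABLE agents")
    except ValueError as e:
        print("rejected:  ", e)
```

The same split applies to the Java and Node components the page describes: values go through prepared-statement placeholders, while table and column names, sort directions and LIMIT clauses are validated against a fixed set before they touch the query string.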