
Deploying and utilising Nightingale Docker for container security testing

A comprehensive guide to setting up, configuring, and effectively using the Nightingale Docker container for testing Docker infrastructure and container security.

Introduction

Container security has become a critical concern as more organisations adopt Docker and containerisation for application deployment. With containers now hosting everything from development environments to production applications, securing Docker infrastructure against vulnerabilities has never been more important. OWASP Nightingale, itself packaged as a Docker container, offers security professionals a specialised toolkit for conducting comprehensive security assessments of Docker environments.

This guide explores how to deploy, configure, and effectively utilise Nightingale for Docker security testing. We'll examine methodologies for identifying common container vulnerabilities, techniques for testing Docker daemon configurations, and approaches for analysing container images for security weaknesses. By combining practical examples with comparisons to alternative container security tools, this guide provides the advanced knowledge necessary to secure your Docker infrastructure effectively.

Prerequisites

Before proceeding with this guide, you should have:

  • Intermediate to advanced knowledge of Docker and container architecture
  • Familiarity with Linux systems administration
  • A working Docker installation (version 20.10.x or later recommended)
  • Understanding of basic security concepts and threat models
  • Permissions to run privileged containers (for certain testing scenarios)

Understanding Nightingale for Docker security

Nightingale is an OWASP project that packages a comprehensive suite of penetration testing tools into a single, ready-to-use Docker container. Created by Raja Nagori, it includes several tools specifically valuable for Docker security assessments, allowing security professionals to comprehensively evaluate containerised environments.

Docker security testing capabilities

Nightingale provides tools for assessing several critical aspects of Docker security:

  • Docker daemon configuration assessment
  • Container image vulnerability scanning
  • Container escape techniques and testing
  • Docker network security assessment
  • Secrets management evaluation
  • Container runtime security analysis

Setting up Nightingale for Docker security testing

Let's begin by setting up Nightingale Docker in a way that provides the necessary access and capabilities for conducting Docker security assessments.

Enhanced deployment with Docker Compose

For Docker security testing, Nightingale requires elevated privileges and access to the Docker socket. Here's a comprehensive docker-compose.yaml file configured specifically for container security testing:

version: '3.8'

services:
  nightingale:
    image: rajanagori/nightingale:latest
    container_name: nightingale-docker-security
    volumes:
      - ./reports:/home/reports
      - ./custom-scripts:/home/custom-scripts
      - ./wordlists:/usr/share/wordlists/custom
      - /var/run/docker.sock:/var/run/docker.sock  # Access to Docker socket
      - /etc/docker:/etc/docker:ro                 # Read Docker configs
    ports:
      - "8080:8080"  # For web interfaces of various tools
    environment:
      - DISPLAY=${DISPLAY}  # For GUI tools
      - TERM=xterm-256color
    privileged: true        # Required for container escape testing
    security_opt:
      - seccomp:unconfined  # For comprehensive security testing
    cap_add:
      - ALL                 # Add all capabilities for testing
    networks:
      - pentest_network     # Isolated network for test targets
    # network_mode: host    # Alternative when scans must originate from the host's own network
    #                       # stack; Compose does not allow it alongside 'networks' and it makes
    #                       # 'ports' meaningless, and the socket mount above already provides
    #                       # Docker API access
    restart: unless-stopped
    tty: true
    stdin_open: true
    command: /bin/bash

networks:
  pentest_network:
    driver: bridge
    ipam:
      config:
        - subnet: 172.20.0.0/16

Warning

This configuration grants Nightingale extensive privileges for effective security testing. Never deploy this configuration in a production environment or on systems containing sensitive data. Use a dedicated testing environment isolated from production systems.

This configuration provides several essential capabilities for Docker security testing:

  • Access to Docker socket for interacting with the Docker daemon
  • Read access to Docker configuration files for configuration analysis
  • Privileged mode for container escape testing and security analysis
  • Unrestricted capabilities for comprehensive testing scenarios
  • An isolated bridge network for test targets (switch to host network mode when network assessments must originate from the host's own network stack)

Deployment and verification

To deploy Nightingale using the Docker Compose configuration:

# Create the necessary directories
mkdir -p reports custom-scripts wordlists

# Pull the latest image and start the container
docker-compose up -d

# Verify that the container is running with the correct permissions
docker-compose ps

# Access the container shell
docker-compose exec nightingale bash

# Verify Docker access from within Nightingale
docker ps

Upon successful deployment, you should be greeted with a bash shell inside the Nightingale container with full access to the host's Docker daemon.

Docker security assessment methodology

Let's explore a systematic approach to conducting a comprehensive Docker security assessment using Nightingale.

1. Docker daemon configuration assessment

Start by evaluating the Docker daemon configuration for security best practices:

# Check Docker daemon configuration
cat /etc/docker/daemon.json

# Evaluate Docker daemon for security issues
docker-bench-security

# Identify exposed Docker APIs
nmap -p 2375,2376 -sV host_network_range

2. Container image analysis

Next, scan Docker images for vulnerabilities and security issues:

# Pull Trivy for container scanning
docker pull aquasec/trivy:latest

# Scan a specific image for vulnerabilities (the socket mount lets Trivy read local images)
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image image_name:tag

# Check for secrets in Docker images
# 'docker save' emits a tarball whose layers are themselves tarballs, so unpack both levels
mkdir -p /tmp/image-contents /tmp/image-layers
docker save image_name:tag | tar -xf - -C /tmp/image-contents
for layer in /tmp/image-contents/*/layer.tar /tmp/image-contents/blobs/sha256/*; do
    [ -f "$layer" ] && tar -xf "$layer" -C /tmp/image-layers 2>/dev/null   # non-tar blobs are skipped
done
grep -rIi "password\|secret\|api_key\|token" /tmp/image-layers

3. Runtime container assessment

Evaluate running containers for security weaknesses:

# List running containers with security configurations
docker ps --format "table {{.ID}}\t{{.Names}}\t{{.Status}}\t{{.Command}}"

# Inspect container security configurations
docker inspect container_name | grep -E "CapAdd|Privileged|SecurityOpt"

# Check for containers running as root (Docker reports an empty User when no USER was set, i.e. root)
docker inspect --format '{{.Config.User}}' container_name

4. Container escape testing

Test for potential container escape vulnerabilities:

# Check for exposed host directories
docker inspect container_name | grep -A 10 "Mounts"

# Test for vulnerable configurations that allow privilege escalation
# Note: Only perform in isolated testing environments
mkdir /tmp/escape-test
mount -t cgroup -o rdma cgroup /tmp/escape-test
touch /tmp/escape-test/release_agent
echo '#!/bin/sh' > /tmp/escape-test/release_agent
echo 'ps aux > /tmp/proof-of-escape' >> /tmp/escape-test/release_agent
chmod +x /tmp/escape-test/release_agent
echo 1 > /tmp/escape-test/notify_on_release

Important

Container escape testing should only be performed in isolated environments specifically designed for security testing. Never attempt these techniques on production systems or shared environments.

5. Docker network security analysis

Assess Docker network configurations for security issues:

# List Docker networks
docker network ls

# Inspect network configurations
docker network inspect network_name

# Scan for open ports in Docker networks
nmap -sV 172.17.0.0/16  # Default Docker bridge network

# Test for unauthorized network access between containers
docker run --rm -it alpine sh -c "apk add --no-cache curl && curl http://container_ip:port"

6. Docker secrets management assessment

Evaluate how secrets are managed in the Docker environment:

# List Docker secrets
docker secret ls

# Check for environment variables containing secrets
docker inspect container_name | grep -A 20 "Env"

# Examine entrypoint and CMD for hardcoded secrets
docker inspect container_name | grep -A 5 "Entrypoint\|Cmd"
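The manual `docker inspect` checks from steps 3, 4 (host mounts) and 6 (environment secrets) can be collected in one pass over the inspect JSON. The following is an added example, not Nightingale's own tooling; `audit_running` shells out to the real `docker inspect`, while `SAMPLE` is a constructed inspect object so the audit logic can be exercised offline.

```python
"""Audit 'docker inspect' output for the runtime findings of sections 3, 4 and 6."""
import json
import re
import subprocess

# Host paths whose bind-mount into a container is a finding in its own right
SENSITIVE_HOST_PATHS = ("/var/run/docker.sock", "/etc", "/proc", "/sys", "/root", "/home")
SECRET_ENV = re.compile(r"password|secret|token|api[_-]?key", re.IGNORECASE)

def _sensitive(src: str) -> bool:
    return src == "/" or any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)

def audit_container(info: dict) -> list:
    """Return finding strings for one object from the 'docker inspect' JSON array."""
    findings = []
    host = info.get("HostConfig") or {}
    config = info.get("Config") or {}
    if host.get("Privileged"):
        findings.append("privileged mode enabled")
    for cap in host.get("CapAdd") or []:
        findings.append(f"added capability {cap}")
    if not config.get("User"):  # Docker reports "" when the image set no USER, i.e. root
        findings.append("runs as root (no User set)")
    for mount in info.get("Mounts") or []:
        src = mount.get("Source", "")
        if mount.get("Type") == "bind" and _sensitive(src):
            findings.append(f"host path {src} bind-mounted at {mount.get('Destination')}")
    for var in config.get("Env") or []:
        name = var.split("=", 1)[0]
        if SECRET_ENV.search(name):
            findings.append(f"secret-looking environment variable {name}")
    return findings

def audit_running(container: str) -> list:
    """Inspect a live container through the docker CLI (needs the socket mount)."""
    proc = subprocess.run(["docker", "inspect", container], capture_output=True, text=True, check=True)
    return audit_container(json.loads(proc.stdout)[0])

# Constructed sample shaped like one 'docker inspect' object; not taken from a real host
SAMPLE = {
    "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"]},
    "Config": {"User": "", "Env": ["DB_PASSWORD=hunter2", "PATH=/usr/local/bin:/usr/bin"]},
    "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock"}],
}

if __name__ == "__main__":
    for finding in audit_container(SAMPLE):
        print("[ALERT]", finding)
```

Run it inside Nightingale with the socket mounted and replace `SAMPLE` with `audit_running("container_name")` to audit a live container.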

Custom security testing tools and scripts

Enhance your Docker security testing capabilities with custom tools and scripts tailored for container environments.

Docker configuration analyzer

Create a custom script to analyze Docker daemon configurations against CIS benchmarks:

# Save this script to /home/custom-scripts/
cat > /home/custom-scripts/docker-config-analyzer.sh <<'EOF'
#!/bin/bash
# Docker Configuration Analyzer against CIS Benchmarks

CONFIG="/etc/docker/daemon.json"
echo "Analyzing Docker configuration at $CONFIG"

if [ ! -f "$CONFIG" ]; then
    echo "Warning: No daemon.json found. Using default configuration."
    CONFIG=/dev/null   # the checks below then report the daemon defaults instead of erroring
fi

# Check for authorization plugin
if grep -q '"authorization-plugins"' "$CONFIG"; then
    echo "[PASS] Authorization plugin configured"
else
    echo "[FAIL] No authorization plugin configured"
fi

# Check for live restore capability (match the key and its value together, so a
# "true" elsewhere in the file does not satisfy the check)
if grep -Eq '"live-restore"[[:space:]]*:[[:space:]]*true' "$CONFIG"; then
    echo "[PASS] Live restore enabled"
else
    echo "[FAIL] Live restore not enabled"
fi

# Check for user namespace remapping
if grep -q '"userns-remap"' "$CONFIG"; then
    echo "[PASS] User namespace remapping configured"
else
    echo "[FAIL] User namespace remapping not configured"
fi

# Additional checks for logging, TLS on TCP listeners, etc.
# ...

EOF
chmod +x /home/custom-scripts/docker-config-analyzer.sh
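Because daemon.json is JSON, parsing it is more reliable than pattern-matching it, and it lets one checker cover several CIS items at once. The following is an added example, not part of Nightingale or of the script above; the option names it reads are real daemon.json keys, and `SAMPLE` is a constructed file chosen so that a grep-based check would misreport it.

```python
"""Check daemon.json against a handful of CIS Docker Benchmark items by parsing it."""
import json
import os

DEFAULT_PATH = "/etc/docker/daemon.json"

def load_config(path: str = DEFAULT_PATH) -> dict:
    """Parsed daemon.json, or {} when the file is absent and the daemon runs on defaults."""
    if not os.path.isfile(path):
        return {}
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def _tls_ok(cfg: dict) -> bool:
    """Pass when no TCP listener is configured, or the listeners sit behind verified TLS."""
    tcp = [h for h in cfg.get("hosts") or [] if h.startswith("tcp://")]
    return not tcp or (cfg.get("tls") is True and cfg.get("tlsverify") is True)

def check_config(cfg: dict) -> dict:
    """Map each check name to True (pass) or False (fail)."""
    return {
        "authorization plugin configured": bool(cfg.get("authorization-plugins")),
        "live-restore enabled": cfg.get("live-restore") is True,
        "user namespace remapping configured": bool(cfg.get("userns-remap")),
        "inter-container communication disabled": cfg.get("icc") is False,
        "no-new-privileges set by default": cfg.get("no-new-privileges") is True,
        "TCP API listeners require verified TLS": _tls_ok(cfg),
    }

def report(cfg: dict) -> list:
    """Render the checks in the same [PASS]/[FAIL] style as the bash analyzer."""
    return [f"[{'PASS' if ok else 'FAIL'}] {name}" for name, ok in check_config(cfg).items()]

# Constructed sample: the value "true" appears (debug), so grepping for "live-restore" and
# for "true" separately would wrongly report live-restore as enabled; the plain-TCP
# listener on 2375 is the exposed-API case step 1 of the methodology scans for
SAMPLE = {
    "debug": True,
    "live-restore": False,
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
}

if __name__ == "__main__":
    for line in report(load_config()):
        print(line)
```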

Container security monitoring tool

Deploy a simple monitoring script to detect runtime security issues:

cat > /home/custom-scripts/container-monitor.sh <<'EOF'
#!/bin/bash
# Container Security Monitoring Script
# Needs the Docker socket mounted (as in the compose file) so 'docker events' can stream

# Monitor for new privileged containers
docker events --filter type=container --filter event=start --format '{{.Actor.Attributes.name}}' | while read -r CONTAINER; do
    IS_PRIVILEGED=$(docker inspect --format='{{.HostConfig.Privileged}}' "$CONTAINER")
    if [ "$IS_PRIVILEGED" = "true" ]; then
        echo "[ALERT] Privileged container started: $CONTAINER"
    fi
done
EOF
chmod +x /home/custom-scripts/container-monitor.sh

Comparison with alternative container security tools

To help determine if Nightingale is the right choice for your Docker security testing needs, let's compare it with specialized container security tools:

Nightingale vs Docker Bench Security

Advantages of Nightingale:

  • Includes multiple security tools beyond just Docker configuration checks
  • Provides capabilities for active testing and exploitation
  • More flexible for varied testing approaches
  • Better suited for comprehensive security assessments

Advantages of Docker Bench Security:

  • Focused specifically on Docker security best practices
  • Directly aligned with CIS Docker Benchmark
  • Lightweight and purpose-built for Docker auditing
  • Easier integration into CI/CD pipelines

Nightingale vs Clair

Advantages of Nightingale:

  • More comprehensive security testing beyond just vulnerability scanning
  • Includes tools for runtime security assessment
  • Better suited for manual penetration testing

Advantages of Clair:

  • Specialized in container vulnerability scanning
  • Better integration with container registries
  • More efficient for automated scanning
  • Specifically designed for CI/CD integration

Nightingale vs Anchore Engine

Advantages of Nightingale:

  • More versatile toolkit for varied security assessments
  • Better suited for penetration testing workflows
  • Includes tools for Docker daemon security testing

Advantages of Anchore Engine:

  • Deep image analysis capabilities
  • Better policy enforcement features
  • More comprehensive software bill of materials
  • Better suited for governance and compliance

Best practices for Docker security hardening

Based on findings from Nightingale security assessments, implement these hardening measures:

  1. Implement least privilege principle
    • Avoid running containers with --privileged flag
    • Use specific capabilities instead of granting all
    • Run containers as non-root users
  2. Secure Docker daemon configuration
    • Enable TLS authentication for Docker API
    • Use authorization plugins for access control
    • Implement audit logging
  3. Container image security
    • Use minimal base images (Alpine, distroless)
    • Implement multi-stage builds to reduce attack surface
    • Never embed secrets in images
    • Regularly scan images for vulnerabilities
  4. Runtime security
    • Implement read-only filesystems where possible
    • Use seccomp profiles to restrict system calls
    • Apply AppArmor or SELinux profiles
    • Implement resource limits
  5. Network security
    • Use custom bridge networks with explicit access controls
    • Implement network segmentation for container groups
    • Minimize exposed ports
    • Use Docker Swarm secrets or Kubernetes secrets for sensitive data

Conclusion

Nightingale Docker provides a powerful platform for conducting comprehensive security assessments of Docker environments. By leveraging its extensive toolkit and the methodologies outlined in this guide, security professionals can identify and address vulnerabilities across the container ecosystem—from the Docker daemon configuration to image vulnerabilities and runtime security issues.

While specialized tools like Docker Bench Security, Clair, and Anchore Engine offer focused capabilities for specific aspects of container security, Nightingale's comprehensive approach makes it particularly valuable for security teams that need to conduct thorough, manual penetration tests of containerised environments.

As container adoption continues to accelerate, the security of Docker infrastructure becomes increasingly critical. By implementing a rigorous security testing regimen using Nightingale and following the hardening best practices outlined in this guide, organisations can significantly reduce the risk of container-based security breaches and build more resilient containerised applications.

Further resources