Once ISET is installed, users may want to consider reconfiguring their systems to enhance security. The list below is for manually configuring security controls and documenting recommendations.
Most of these are satisified by make targets.
The following command will configure sshd_config to match the next example, with the exception of modifying LoginGraceTime.
make security-configLoginGraceTime 30s
ClientAliveInterval 15
ClientAliveCountMax 10
#Subsystem sftp /usr/libexec/openssh/sftp-server
Match User training
ForceCommand /opt/islet/bin/islet_shell
X11Forwarding no
AllowTcpForwarding no
PermitTunnel no
PermitOpen none
MaxAuthTries 3
MaxSessions 1
AllowAgentForwarding no
PermitEmptyPasswords noISLET includes security options in $CONFIG_DIR/modules/docker.conf, which can be used to easily add or drop kernel capabilities(7)
(and apply ulimit values to containers) to all Docker environments. They can be set in any ISLET configuration file.
Only add what you need to run the software in the container.
Note: ISLET with Docker 1.6 supports passing ulimit settings in config files.
The following command will configure decent ulimit settings for docker processes. These have the effect of restricting the user's environment inside the container.
Adjust as necessary: /etc/init/docker.conf
# BEGIN ISLET Additions
limit nofile 1000 2000 # Limit number of open files
limit nproc 1000 2000 # Prevent fork bombs
limit fsize 100000000 200000000 # Limit file sizes to max of 200MB
# END
service docker stop
rm -rf /var/lib/docker/*
mkfs.ext2 /dev/sdb1
mount -o defaults,noatime,nodiratime /dev/sdb1 /var/lib/docker
tail -1 /etc/fstab
/dev/sdb1 /var/lib/docker ext2 defaults,noatime,nodiratime,nobootwait 0 1
service docker start
Switching storage backends to devicemapper allows for disk quotas. Set dm.basesize to the maximum size the container can grow to (def: 10G)
Note: Currently unstable, and all existing container and image data will be lost.
service docker stop
rm -rf /var/lib/docker/*
docker -d --storage-driver=devicemapper --storage-opt dm.basesize=3G &
sleep 3 && pkill docker
tail -1 /etc/default/docker
DOCKER_OPTS="--storage-driver=devicemapper --storage-opt dm.basesize=3G"
start docker
Note: There's currently a bug in devicemapper that may cause docker to fail to run containers more info.
Use iptables for protection of the SSH service.
make iptables-config
To aid in protecting the host system, it's recommended to patch the Linux kernel more info