What are Linux Containers? A Security Review

The security benefits of Linux containers

Linux containers strengthen security and reduce attack opportunities by isolating execution environments, minimizing base images and container images, limiting container lifespan, and supporting repeatable deployments.

Isolated execution environment

Linux containers provide isolation through namespace partitioning and cgroup resource restrictions, creating separate logical environments. Each container runs in its own user space, limiting the blast radius of a breach.

However, unlike virtual machines—where hypervisors enforce OS segmentation—containers share the host kernel. A kernel exploit can compromise all containers on a host, whereas in VMs, an attacker would need to breach the hypervisor. Because containers isolate execution environments but not the kernel, securing the kernel and runtime is critical.

Minimal base images

Using minimal base images is a best practice that reduces the attack surface of containers. Attackers can exploit fewer potential vulnerabilities by including only the essential components needed to run an application.

Immutability and ephemeral nature

Containers are intended to be immutable and short-lived. Once a container image is created, it does not change. If a container is compromised, it can be quickly replaced with a fresh instance from the original image, limiting the duration of an attack and facilitating rapid recovery.

Faster deployment and immutable infrastructure

Base images provide immutable, preconfigured templates for building container images. This allows repeated reuse of secure configurations, accelerating deployment and reducing the risk of misconfigurations arising from undocumented or altered configurations (configuration drift).

Built-in security mechanisms

Linux provides various built-in security mechanisms to enhance security:

Security-Enhanced Linux (SELinux) avoids risks of root user compromise by implementing mandatory access control (MAC) for all users based on granular policy rules.
AppArmor offers less sophisticated, more user-friendly mandatory access control than SELinux. It provides basic MAC control but lacks SELinux’s ability to fine-tune access based on category labels for files and processes.
The Linux seccomp feature lets kernels filter and limit incoming calls from containers, preventing processes from flooding kernels with calls.
The Linux capabilities management feature divides root user privileges into smaller privilege sets, limiting root users to only those privileges necessary to complete intended operations.

Reduced attack surface

Linux distributions such as Alpine Linux and images such as Distroless Images reduce potential attack vectors by using minimal container images, which include only components necessary to run applications. Limiting the number of components, packages, and dependencies in container images shrinks the number of surfaces attackers can use to target containers.

Advanced Container Security Best Practices [Cheat Sheet]

Use this cheat sheet as a quick reference to ensure you have the proper benchmarks in place to secure your container environments.

Download cheat sheet

Security Challenges and Risks of Linux Containers

Linux containers offer lightweight isolation, but their security depends on proper configuration and management. Key risks include:

Kernel exploits: Containers share the host kernel, so a vulnerability in the kernel can compromise all containers. Securing the host kernel is crucial.

Kernel exploit: Wiz runtime sensor detection for loadable kernel module insertion (source)

Configuration errors: Misconfigurations can expose sensitive data or unintentionally open network ports. Following best practices and using automated tools is essential to minimize these risks.
Networking vulnerabilities: Complex networking setups can introduce risks like unauthorized data exposure if not properly managed.
Supply chain risks: Containers often rely on public or unverified image registries, which can introduce vulnerabilities if images are tampered with. Verifying and securing the supply chain is key.
Vulnerabilities in container images: Base images from untrusted registries can have unpatched security issues. Use trusted registries that scan, sign, and patch images.
Malware: Wiz recently detected malware specifically targeting Linux environments.

The various techniques employed in a Linux malware attack. (source)

Runtime security and container escapes: Insufficient runtime security exposes containers to container escape vulnerabilities, such as kernel exploits or flaws in tools like runC. Attackers could bypass container boundaries and affect all containers on the host.

Effective container security requires securing the kernel, container images, configurations, network setups, and runtime environments.

Key technologies behind Linux containers

Linux containers depend on three key sets of technologies to isolate containerized applications running on the same kernel: namespaces, cgroups, and a pair of container security features called seccomp and AppArmor:

Namespaces: Namespaces keep containers from seeing or affecting other containers by partitioning container elements, including process IDs (PID namespaces), network interfaces (network namespaces), and user IDs (user namespaces).
cgroups: cgroups (control groups) limit individual container CPU, memory, and I/O resources.
seccomp and AppArmor: The Linux seccomp (secure computing) feature limits calls a container can make, while AppArmor (Application Armor) confines containers to specific security profiles.

Comparing Linux Containers with Linux Virtual Machines (VMs)

Linux containers and Linux virtual machines (VMs) serve different purposes in cloud and on-premises environments. While both provide isolated environments for running applications, their underlying architecture and security implications differ significantly:

Features	Linux Containers	Linux VMs
Architecture	Share the host Linux kernel and run in isolated user spaces	Each VM includes a full Linux OS with its own Linux kernel
Resource utilization	Lightweight, lower resource consumption	Heavier, higher resource consumption due to multiple Linux OS instances
Startup time	Fast startup (seconds)	Slower startup (minutes) due to full Linux OS boot process
Isolation	Linux process and file system isolation	Stronger isolation with separate Linux kernels
Performance	Near-native Linux performance, efficient use of resources	Increased overhead due to kernel-based virtual machine (KVM) Linux virtualization layer
Security	Shared Linux kernel can be a security risk if compromised	Stronger isolation as each VM runs on a separate Linux kernel
Use cases	Microservices, cloud-native applications, CI/CD pipelines	Legacy applications, multi-OS requirements, heavy container workloads

Understanding these differences helps you make informed decisions about when to use Linux containers versus VMs, particularly when security and resource efficiency are critical.

Best practices for ensuring Linux container security

1. Use trusted base images

Using trusted base images minimizes the risk of vulnerabilities and ensures a secure foundation for your containers:

Always source pre-built container images from official or verified repositories.
Regularly update your container images with the latest security patches.
Use tools like Clair, Trivy, and services from cloud providers to scan for vulnerabilities in your images.

Here’s a Dockerfile example that uses an official base image:

FROM ubuntu:20.04
# Installing necessary packages
RUN apt-get update && apt-get install -y \
    curl \
    vim \
    && rm -rf /var/lib/apt/lists/*

2. Implement the least-privilege principle

Running containers with as few permissions as possible reduces the potential impact of a security breach:

Avoid running containers as root or using privileged containers unless absolutely necessary.
Define and enforce security contexts in Kubernetes manifests and limit container users.
Utilize unprivileged users to reduce risk further in production environments.

Use this sample code to create a Kubernetes pod with a non-root user who is in a precise range of UIDs specified in the security context:

apiVersion: v1
kind: Pod
metadata:
  name: non-root-pod
spec:
  containers:
  - name: app
    image: your-app-image:latest
    securityContext:
      runAsUser: 1000
      runAsGroup: 3000
      fsGroup: 2000

3. Integrate security in the CI/CD pipeline

Incorporating security checks into your CI/CD pipeline ensures vulnerabilities are found and mitigated early in the development cycle:

Integrate security scanning tools like Trivy and Clair into your CI/CD pipelines before container deployment.
Automate security policy enforcement using tools like OPA Gatekeeper.
Ensure all stages of the container life cycle include security checks.

This Jenkins pipeline example integrates security checks:

pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                sh 'docker build -t your-app-image .'
            }
        }
        stage('Scan') {
            steps {
                sh 'trivy image your-app-image'
            }
        }
        stage('Deploy') {
            steps {
                sh 'docker-compose up -d'
            }
        }
    }
}

wiz academy

Open-source Container Security Tools [By Use Case]

4. Implement network security policies

Applying network security policies can control traffic between containers and restrict unauthorized access:

Define and enforce network policies to control traffic between pods and services.
Use Kubernetes network policies to restrict ingress and egress traffic based on labels.
Regularly review and update network policies to adapt to evolving security requirements.

Here’s an example Kubernetes network policy that restricts access between containers labeled as web, api, and database, specifically allowing ingress traffic from web to database and egress traffic from database to api on port 9090:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-app-traffic
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: database
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: web
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: api
    ports:
    - protocol: TCP
      port: 9090

5. Implement runtime protection

Ensuring real-time monitoring and protection of your running containers is a crucial means of detecting and mitigating threats:

Use tools like Falco to monitor container activity and detect anomalies.
Implement runtime security policies to enforce expected behavior and block malicious activities.
Continuously monitor logs and events for signs of breaches or abnormal activities.

Here’s an example of setting up runtime security policies using Falco to monitor and alert on suspicious activities:

apiVersion: v1
kind: ConfigMap
metadata:
  name: falco-config
  namespace: kube-system
data:
  falco_rules.local.yaml: |
    - rule: Write below root
      desc: Detect any write below / (not allowed)
      condition: write and not fd.name in (user_files, proc_files)
      output: "Write below root detected (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent=%proc.pname file=%fd.name)"
      priority: ERROR

6. Regularly patch and update containers

Patching and updating forms a critical component of container security, since even trusted base images can contain vulnerabilities without vigilant security update policies:

Scan images from repositories for known vulnerabilities.
Check images for patches and updates before deployment.
Periodically check base images for new patches and updates.
Run automated CI/CD security checks to detect outdated containers.

7. Secure container registries

Protecting container registries after you’ve created and stored your containers protects you from hackers who may target registry vulnerabilities:

Store container images in secure private registries such as Amazon Elastic Container Registry (ECR) or Google Artifact Registry.
Enable image scanning in your registry before pulling any images from it.
Require multi-factor authentication (MFA) for registry access.

8. Implement continuous monitoring and incident response

Real-time monitoring and incident response planning can protect your containers against runtime risks:

Implement runtime monitoring by deploying security tools such as Falco, Sysdig Secure, and Aqua Security.
Enable real-time alerts to detect unusual runtime activity.
Create a container security incident response plan to proactively intercept emerging threats.

Secure your organization's Linux container environment and alleviate risks with Wiz

Wiz provides a comprehensive cloud security platform that seamlessly integrates into your development workflow to protect containerized environments from build-time to runtime. By leveraging direct connections to Kubernetes clusters and cloud-provider APIs, Wiz ensures continuous monitoring and real-time detection of vulnerabilities.

The Wiz Security Graph offers a clear, context-driven insight into potential risks, helping teams prioritize and mitigate threats efficiently. With tools for vulnerability management, compliance, and infrastructure as code (IaC) scanning, Wiz enables developers to secure container ecosystems.

Request a demo today and take the first step towards a more resilient containerized environment.

What's running in your containers?

Learn why CISOs at the fastest growing companies use Wiz to uncover blind spots in their containerized environments.

Get a demo

Linux Container Security: Benefits, Risks, & Best Practices

Linux container security takeaways: