james/baktainer
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
baktainer/SECURITY.md
James Paterni d14b8a2e76
Some checks are pending
Test and Build Docker Image / test (push) Waiting to run
Details
Test and Build Docker Image / build (push) Blocked by required conditions
Details
Implement comprehensive security fixes and enhancements 
CRITICAL Security Fixes:
- Add command injection protection with whitelist validation
- Implement robust SSL/TLS certificate handling and validation
- Add backup verification with SHA256 checksums and content validation
- Implement atomic backup operations with proper cleanup
- Create comprehensive security documentation

Security Improvements:
- Enhanced backup_command.rb with command sanitization and whitelisting
- Added SSL certificate expiration checks and key matching validation
- Implemented atomic file operations to prevent backup corruption
- Added backup metadata storage for integrity tracking
- Created SECURITY.md with Docker socket security guidance

Testing Updates:
- Added comprehensive security tests for command injection prevention
- Updated SSL tests with proper certificate validation
- Enhanced PostgreSQL alias method test coverage (100% coverage achieved)
- Maintained 94.94% overall line coverage

Documentation Updates:
- Updated README.md with security warnings and test coverage information
- Updated TODO.md marking all critical security items as completed
- Enhanced TESTING.md and CLAUDE.md with current coverage metrics
- Added comprehensive SECURITY.md with deployment best practices

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-07-14 10:19:18 -04:00

7.4 KiB
Raw Blame History

Security Considerations for Baktainer

This document outlines important security considerations when deploying and using Baktainer.

Docker Socket Access

Security Implications

Baktainer requires access to the Docker socket (/var/run/docker.sock) to discover containers and execute backup commands. This access level has significant security implications:

High Privileges

  • Root-equivalent access: Access to the Docker socket grants root-equivalent privileges on the host system
  • Container escape: A compromised Baktainer container could potentially escape to the host system
  • Full Docker control: Can create, modify, or delete any containers on the host

Attack Vectors

  • Privilege escalation: If Baktainer is compromised, attackers gain full Docker daemon access
  • Container manipulation: Malicious actors could modify or destroy other containers
  • Host filesystem access: Potential to mount host directories and access sensitive files

Security Mitigations

1. Docker Socket Proxy (Recommended)

Use a Docker socket proxy to limit API access:

services:
  docker-socket-proxy:
    image: tecnativa/docker-socket-proxy:latest
    environment:
      CONTAINERS: 1
      POST: 0
      BUILD: 0
      COMMIT: 0
      CONFIGS: 0
      DISTRIBUTION: 0
      EXEC: 1  # Required for backup commands
      IMAGES: 0
      INFO: 0
      NETWORKS: 0
      NODES: 0
      PLUGINS: 0
      SERVICES: 0
      SESSION: 0
      SWARM: 0
      SYSTEM: 0
      TASKS: 0
      VOLUMES: 0
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - "2375:2375"

  baktainer:
    image: jamez001/baktainer:latest
    environment:
      - BT_DOCKER_URL=tcp://docker-socket-proxy:2375
    depends_on:
      - docker-socket-proxy

2. Least Privilege Principles

  • Run Baktainer with minimal required permissions
  • Use dedicated backup user accounts in containers
  • Limit network access where possible

3. Container Isolation

  • Deploy in isolated networks
  • Use resource limits to prevent resource exhaustion
  • Monitor container behavior for anomalies

4. Alternative Architectures

Consider these alternatives for enhanced security:

Agent-Based Approach
  • Deploy backup agents inside each database container
  • Use message queues for coordination
  • Eliminates need for Docker socket access
Kubernetes Native
  • Use Kubernetes CronJobs for scheduled backups
  • Leverage RBAC for fine-grained permissions
  • Use service accounts instead of Docker socket

Database Credential Security

Current Implementation

Database credentials are stored in Docker labels, which has security implications:

Risks

  • Plain text storage: Credentials visible in container metadata
  • Process visibility: Credentials may appear in process lists
  • Log exposure: Risk of credential leakage in logs

Recommended Improvements

1. Docker Secrets (Swarm Mode)

secrets:
  db_password:
    external: true

services:
  app:
    image: postgres:17
    secrets:
      - db_password
    labels:
      - baktainer.backup=true
      - baktainer.db.engine=postgres
      - baktainer.db.password_file=/run/secrets/db_password

2. External Secret Management

  • HashiCorp Vault integration
  • AWS Secrets Manager
  • Azure Key Vault
  • Kubernetes Secrets

3. Environment File Encryption

  • Use tools like sops or age for encrypted environment files
  • Decrypt secrets at runtime only

SSL/TLS Configuration

Certificate Security

When using SSL/TLS for Docker API connections:

Best Practices

  • Use proper certificate authorities
  • Implement certificate rotation
  • Validate certificate chains
  • Monitor certificate expiration

Configuration

# Generate proper certificates
openssl genrsa -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem

# Set secure file permissions
chmod 400 ca-key.pem
chmod 444 ca.pem

Network Security

Docker Network Isolation

Create dedicated networks for backup operations:

networks:
  backup-network:
    driver: bridge
    internal: true

services:
  baktainer:
    networks:
      - backup-network
      - default

Firewall Configuration

  • Restrict Docker daemon port access (2376/tcp)
  • Use VPN or private networks for remote access
  • Implement network segmentation

Monitoring and Auditing

Security Monitoring

Implement monitoring for:

  • Unusual container creation/deletion patterns
  • Backup failures or anomalies
  • Network traffic anomalies
  • Resource usage spikes

Audit Logging

Enable comprehensive logging:

environment:
  - BT_LOG_LEVEL=info
  # Consider 'debug' for security investigations

File Integrity Monitoring

  • Monitor backup files for unauthorized changes
  • Implement checksums for backup verification
  • Use immutable storage when possible

Backup File Security

Storage Security

  • Encrypt backups at rest
  • Use secure storage locations
  • Implement proper access controls
  • Regular backup integrity verification

Retention Policies

  • Implement secure deletion for expired backups
  • Use encrypted storage for sensitive data
  • Consider compliance requirements (GDPR, HIPAA, etc.)

Incident Response

Security Incident Procedures

  1. Isolation: Immediately isolate compromised containers
  2. Assessment: Evaluate scope of potential compromise
  3. Recovery: Restore from known-good backups
  4. Investigation: Analyze logs and audit trails
  5. Improvement: Update security measures based on findings

Backup Verification

  • Regularly test backup restoration procedures
  • Verify backup integrity using checksums
  • Implement automated backup validation

Deployment Recommendations

Production Environment

  • Use container image scanning
  • Implement runtime security monitoring
  • Regular security updates and patching
  • Network monitoring and intrusion detection

Development Environment

  • Use separate credentials from production
  • Implement proper secret management
  • Regular security testing and vulnerability assessments

Compliance Considerations

Data Protection

  • Understand data residency requirements
  • Implement proper encryption standards
  • Maintain audit trails for compliance
  • Regular compliance assessments

Industry Standards

  • Follow container security best practices (CIS Benchmarks)
  • Implement security frameworks (NIST, ISO 27001)
  • Regular penetration testing
  • Security awareness training

Security Updates

Keeping Current

  • Subscribe to security advisories
  • Regular dependency updates
  • Monitor CVE databases
  • Implement automated security scanning

Patch Management

  • Test security updates in staging environments
  • Implement rolling updates for minimal downtime
  • Maintain rollback procedures
  • Document security update procedures

Quick Security Checklist

  • Use Docker socket proxy instead of direct socket access
  • Implement proper secret management for database credentials
  • Configure SSL/TLS with valid certificates
  • Set up network isolation and firewall rules
  • Enable comprehensive logging and monitoring
  • Encrypt backups at rest
  • Implement backup integrity verification
  • Regular security updates and vulnerability scanning
  • Document incident response procedures
  • Test backup restoration procedures regularly

For additional security guidance, consult the Docker Security Best Practices and container security frameworks relevant to your environment.