Docker (Engine)
Docker is a widely used containerization platform that allows you to build, run, and manage containers. It provides a simple and efficient way to package applications and their dependencies into portable containers.
How it works
The bifrost agent supports running on Docker and enables auditing and securing containers deployed directly on Docker Engine. The agent is deployed as a container on Docker to enable the usual features (reading Linux Kernel audit events and loading/unloading security profiles). To enable automatic detection of containers being deployed the agent also works as a Docker API proxy and intercepts container create requests.
Prerequisites
- Docker Engine installed on a host machine that has AppArmor enabled (for example Ubuntu or Debian).
- Access to the Docker API, either via the Unix socket (default) or a TCP socket.
- An account in the bifrost portal and an AGENT_KEY for a cluster registered there.
Privileges for bifrost-agent
The agent needs to run with some extra capabilities (AUDIT_READ, NET_BROADCAST, MAC_ADMIN), the same as when it is deployed on Kubernetes, and with the host paths /var/run/docker.sock and /sys/kernel/security/apparmor bind mounted into the container.
Note that mounting the Docker socket gives the agent full control of the Docker daemon, which is equivalent to root on the host, so protect the agent image and its AGENT_KEY accordingly.
Deployment
bifrost portal
- Create a new cluster in the bifrost portal.
- Register the new cluster in the portal.
- Copy the AGENT_KEY from the cluster details page.
Docker CLI
To deploy the bifrost agent using the Docker CLI, you can use the following command:
```bash
docker run -d --name bifrost-agent \
  -e SECURITY_FS_PATH=/host/sys/kernel/security \
  -e AGENT_KEY=$AGENT_KEY \
  --cap-add NET_BROADCAST \
  --cap-add AUDIT_READ \
  --cap-add MAC_ADMIN \
  -v /sys/kernel/security/apparmor:/host/sys/kernel/security/apparmor \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -p 2375:2375 \
  public.ecr.aws/bifrostsec/bifrost-agent:0.9.7
```
`-p 2375:2375` publishes the agent's Docker API proxy on every interface of the host; anyone who can reach that port can drive the Docker daemon through it. If the Docker client runs on the same host, bind the proxy to loopback instead with `-p 127.0.0.1:2375:2375`.
Docker Compose
To make it easier to deploy the bifrost agent, you can use Docker Compose:
```bash
docker-compose up -d
```
with the following docker-compose.yaml file:
```yaml
name: bifrost-agent
services:
  bifrost-agent:
    image: public.ecr.aws/bifrostsec/bifrost-agent:0.9.7
    environment:
      - AGENT_KEY=$AGENT_KEY
      - SECURITY_FS_PATH=/host/sys/kernel/security
    cap_add:
      - NET_BROADCAST
      - AUDIT_READ
      - MAC_ADMIN
    volumes:
      - type: bind
        source: /sys/kernel/security/apparmor
        target: /host/sys/kernel/security/apparmor
      - type: bind
        source: /var/run/docker.sock
        target: /var/run/docker.sock
    ports:
      - "2375:2375"
```
Operation
Configure docker client
Set the DOCKER_HOST environment variable so that the Docker CLI sends its API calls through the bifrost agent proxy instead of directly to the daemon socket:
```bash
export DOCKER_HOST=tcp://localhost:2375
```
Deploy container with labels
Deploy the container you want to audit and use labels to configure how bifrost-agent will handle it.
Example:
```bash
docker run \
  --label com.bifrostsec.environment.name=dev \
  --label com.bifrostsec.profile.mode=audit \
  --label com.bifrostsec.service.name=nginx \
  --label com.bifrostsec.service.version=1.27.4 \
  nginx:1.27.4
```
Deploy container without labels
Some defaults (environment name and profile mode) can be set or overridden by environment variables on bifrost-agent; these values then apply to every container deployed through the proxy.
Setting these defaults and deploying named containers enables bifrost on any deployed container, with no labels required.
Run bifrost-agent with these extra environment variables:
```bash
-e ENVIRONMENT_NAME=dev \
-e PROFILE_MODE=audit
```
Deploy a named container with no labels:
```bash
docker run --name nginx nginx:1.27.4
```
Container labels
| Container label | Env var override | Default value |
|---|---|---|
| com.bifrostsec.environment.name | ENVIRONMENT_NAME | (none) |
| com.bifrostsec.profile.mode | PROFILE_MODE | audit |
| com.bifrostsec.service.name | (none) | from container name (if set during deploy) |
| com.bifrostsec.service.version | (none) | from container image tag |
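The table above, together with the labeled and unlabeled deployments in the two previous sections, defines a precedence: a com.bifrostsec.* label on the container wins, then the agent's environment variable, then a value derived from the create request itself (container name, image tag). The following is an added example, not bifrost-agent's own code, that applies those rules to a Docker `POST /containers/create` request as the proxy would see it. The request shape (query parameter `name`, body fields `Image` and `Labels`) is the Docker Engine API's; the function names, the image-reference parser and the choice to leave the version unset for an untagged image are assumptions made for the illustration.

```python
"""Added example: resolve bifrost settings for a container create request.

Mirrors the precedence in the "Container labels" table: label on the
container, then the agent's environment variable, then a value derived
from the Docker create request. How bifrost-agent implements this
internally is not documented on this page; this is an illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

LABEL_PREFIX = "com.bifrostsec."


@dataclass(frozen=True)
class BifrostSettings:
    environment_name: Optional[str]
    profile_mode: str
    service_name: Optional[str]
    service_version: Optional[str]


def parse_image_reference(image: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split an image reference into (repository, tag, digest).

    A registry host may carry a port ("registry.example:5000/app"), so the
    tag is only the text after the last ':' that comes after the last '/'.
    A digest ("app@sha256:...") is split off first because it also
    contains ':'.
    """
    digest: Optional[str] = None
    if "@" in image:
        image, digest = image.split("@", 1)
    last_slash = image.rfind("/")
    last_colon = image.rfind(":")
    if last_colon > last_slash:
        return image[:last_colon], image[last_colon + 1:], digest
    return image, None, digest


def resolve_settings(
    request_name: Optional[str],
    body: Dict[str, object],
    agent_env: Dict[str, str],
) -> BifrostSettings:
    """Apply label > agent env var > derived default, setting by setting."""
    labels = body.get("Labels") or {}
    assert isinstance(labels, dict)

    def lookup(label_key: str, env_key: Optional[str], default: Optional[str]) -> Optional[str]:
        value = labels.get(LABEL_PREFIX + label_key)
        if value:
            return value
        if env_key and agent_env.get(env_key):
            return agent_env[env_key]
        return default

    _repo, tag, _digest = parse_image_reference(str(body["Image"]))
    # Assumption: an untagged image leaves the version unset rather than
    # guessing "latest", so a gap is visible instead of a wrong value.
    return BifrostSettings(
        environment_name=lookup("environment.name", "ENVIRONMENT_NAME", None),
        profile_mode=lookup("profile.mode", "PROFILE_MODE", "audit") or "audit",
        service_name=lookup("service.name", None, request_name),
        service_version=lookup("service.version", None, tag),
    )


if __name__ == "__main__":
    # Constructed samples: the two deployments from the text, as the agent
    # would see them on POST /containers/create.
    labeled = {"Image": "nginx:1.27.4", "Labels": {
        "com.bifrostsec.environment.name": "dev",
        "com.bifrostsec.profile.mode": "audit",
        "com.bifrostsec.service.name": "nginx",
        "com.bifrostsec.service.version": "1.27.4"}}
    print(resolve_settings(None, labeled, {}))
    unlabeled = {"Image": "nginx:1.27.4", "Labels": {}}
    print(resolve_settings("nginx", unlabeled,
                           {"ENVIRONMENT_NAME": "dev", "PROFILE_MODE": "audit"}))
```

Both sample requests resolve to the same settings (environment `dev`, mode `audit`, service `nginx`, version `1.27.4`), which is the point of the defaults: a plain `docker run --name nginx nginx:1.27.4` through the proxy is enough once ENVIRONMENT_NAME and PROFILE_MODE are set on the agent. The parser matters because a naive `image.split(":")` would read the registry port as the tag for images pulled from a private registry.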