by viraptor
3504 days ago
> how does any of this increase attacker cost?

Because it forces the attacker to write a specific payload for your service. Standard, reused "drop shell.php and register IP" will not work anymore. And realistically, if the target of the attack was a WordPress installation, it will likely be a trivial, automated script.

> Can't you do the same thing at the OS level already?

Yes, you can. Even better, split execution privileges from file privileges, then make it read only, then put a grsec/apparmor/selinux profile on the service. It's not docker specific, but docker does make read only service a little bit easier.

> Wouldn't making the dir read only do the same thing?

Yeah, but who would do that old school thing. Docker security! :-(