by dpedu 1710 days ago
Perhaps I overlooked it, but it seems strange there's nothing about making containers immutable and read-only. This is a powerful tool IMO.

https://cloud.google.com/architecture/best-practices-for-ope...

3 comments

It seems that Sysdig doesn't have a blog post about making containers immutable and read-only, nor offer a service that enables that, so probably not worth mentioning for them.
Hmm, that seems like a weird miss from my side.

i.e., we covered this across several articles, like this one about tags: https://sysdig.com/blog/toctou-tag-mutability/

This other one about file integrity monitoring (Disclaimer: A rather commercial one) https://sysdig.com/blog/file-integrity-monitoring/

And I recall others more explicit on the read-only part, but I’m away from my laptop now. Edit: Found it (point 1.3 in https://sysdig.com/blog/dockerfile-best-practices/ )

Thanks for pointing it out. It should definitely be more explicit.

Yep, I've always had read-only root filesystems down as a good control, and one that's often not too tough to implement.

Another favourite of mine would be using multi-stage builds and minimal base images in production (FROM scratch, where possible). Having limited or no tooling in the running container makes an attacker's life trickier for sure.

The distroless static images are pretty good. It’s essentially scratch plus certificate authority roots of trust.
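A Dockerfile that puts the two controls discussed above together (multi-stage build into a scratch or distroless image, then run with a read-only root filesystem), written as an added example rather than code from the thread or from Sysdig; the Go module layout, paths, user ID and image tags are assumptions:

```dockerfile
# syntax=docker/dockerfile:1
# Stage 1: build with the full toolchain. Module layout and paths are assumed.
FROM golang:1.22 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Static binary: no libc needed, so it runs on scratch.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/app ./cmd/app

# Stage 2: runtime image with no shell, package manager or interpreter.
# Use gcr.io/distroless/static-debian12:nonroot instead of scratch when the app
# needs CA roots and tzdata; that is roughly what "scratch plus CA roots" means.
FROM scratch
COPY --from=build /out/app /app
# Numeric UID/GID: scratch has no /etc/passwd, so names would not resolve.
USER 65532:65532
ENTRYPOINT ["/app"]

# Run with an immutable root filesystem; only a scratch tmpfs is writable:
#   docker run --read-only --tmpfs /tmp:rw,noexec,nosuid,size=64m myorg/app:1.0
# Kubernetes equivalent in the container spec:
#   securityContext: { readOnlyRootFilesystem: true, runAsNonRoot: true }
#   plus an emptyDir volume mounted at /tmp for any scratch files.
```

With this image a compromised process finds no shell to spawn and no writable location on the root filesystem, so a file-integrity monitor watching for writes outside the tmpfs becomes a high-signal detection.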
I would assume that's because that mitigation isn't what sysdig does.