top | item 12998404

sublimino | 9 years ago

Of note is that an immutable/noexec filesystem doesn't prevent code being downloaded to an environment var/typed out and run - tools like https://github.com/SafeBreach-Labs/pwndsh just pipe source to an interpreter (in that case BASH, which generally isn't installed in smaller base images).

Reducing the attack surface is important, but if a running container is compromised it's imperative a post-mortem is performed immediately - and the issue remediated - to prevent re-exploitation.

justincormack | 9 years ago

Potentially you do not need any interpreters available at all, which certainly increases attack difficulty.
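An added example (not from either commenter): a small POSIX shell audit that lists the interpreters present in a container root filesystem, since a noexec mount does nothing against source piped into an interpreter that is already there. The interpreter name list, the directory set and the constructed sample rootfs are assumptions.

```shell
#!/bin/sh
# Audit a container rootfs directory for interpreter binaries. The list below is
# an assumption: extend it for the base images you actually ship.
INTERPRETERS="sh bash dash ash zsh ksh python python2 python3 perl ruby node php lua"

# Print each interpreter found under the given rootfs, one per line,
# as a path relative to the rootfs (e.g. "usr/bin/python3").
find_interpreters() {
  rootfs="$1"
  for dir in bin sbin usr/bin usr/sbin usr/local/bin; do
    for name in $INTERPRETERS; do
      path="$rootfs/$dir/$name"
      # -L catches dangling symlinks (e.g. busybox-style sh -> busybox)
      if [ -e "$path" ] || [ -L "$path" ]; then
        printf '%s\n' "$dir/$name"
      fi
    done
  done
}

# Succeeds (exit 0) only when no interpreter is present in the rootfs,
# so it can gate an image build or be used as a CI check.
rootfs_has_no_interpreters() {
  n=$(find_interpreters "$1" | wc -l)
  [ "$n" -eq 0 ]
}

# Constructed sample rootfs for an offline demonstration: a shell, a Python
# interpreter and one ordinary application binary that should not be flagged.
make_sample_rootfs() {
  dir=$(mktemp -d)
  mkdir -p "$dir/bin" "$dir/usr/bin"
  : > "$dir/bin/sh";            chmod +x "$dir/bin/sh"
  : > "$dir/usr/bin/python3";   chmod +x "$dir/usr/bin/python3"
  : > "$dir/usr/bin/myapp";     chmod +x "$dir/usr/bin/myapp"
  printf '%s\n' "$dir"
}

# Usage: find_interpreters /path/to/exported/rootfs
# Reports "bin/sh" and "usr/bin/python3" for the constructed sample above.
```

Run it against a rootfs exported from an image (for example the directory produced by extracting a `docker export` tarball) to see which interpreters a compromised process could still feed source into.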