
Have you even looked at the guidance? There's not anything nefarious here. Just eminently reasonable stuff like: "By default, many container services run as the privileged root user, and applications execute inside the container as root despite not requiring privileged execution. Preventing root execution by using non-root containers or a rootless container engine limits the impact of a container compromise. Both methods affect the runtime environment significantly, so applications should be thoroughly tested to ensure compatibility."

They then provide an example Dockerfile in an Appendix.

I've looked through NSA hardening guides for AD, Linux, and many other technologies. They're helpful and eminently reasonable.

Do the NSA and CIA do dirty things? Yes. Should you trust everything they do? No. But you probably should at least skim the hardening document before you completely dismiss it because of your distrust.

Or don't even bother to read the document. Just look at the works cited section, which tells you a lot about the content of the article. Works are cited from: Center for Internet Security, Defense Information Security Agency, Linux Foundation, MITRE ATT&CK, Cybersecurity and Infrastructure Security Agency, Kubernetes.

The guide talks about the following:

- Scanning containers for vulnerabilities and misconfigurations
- Running Pods with least privilege
- Use network segmentation to limit blast radius
- Use firewalls
- Use strong authN and authZ
- Capture and monitor logs
- Periodically check your configurations and do vuln scans

It then points to CIS Kubernetes benchmarks, Kubernetes Security Technical Implementation Guide, and CISA.

Where's the boogey man?
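Added example, not code from the guide or from anyone in this thread: a small lint that flags the Pod settings the quoted guidance is about (root execution, privileged containers, privilege escalation, shared host namespaces). The two manifests are constructed for the example and passed as already-parsed dicts; the `check_pod` name and the image name are assumptions.

```python
# Added example, not code from the NSA/CISA guide or the thread: a small lint for
# the least-privilege Pod settings the guidance describes. Manifests are passed
# as already-parsed dicts (what yaml.safe_load or "kubectl get pod -o json" yields).

HOST_NAMESPACES = ("hostNetwork", "hostPID", "hostIPC")


def check_pod(pod):
    """Return a list of findings for one Pod manifest; an empty list passes."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for ns in HOST_NAMESPACES:
        if spec.get(ns):
            findings.append(f"pod shares {ns} with the node")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        # Container-level securityContext overrides the pod-level one, so
        # fall back to the pod value only when the container does not set it.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if uid == 0 or (uid is None and not non_root):
            findings.append(f"{name}: may run as root (set runAsNonRoot: true)")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities not dropped (drop: [ALL])")
    return findings


# Constructed sample manifests: a weak Pod with defaults left in place, and a hardened one.
WEAK_POD = {"kind": "Pod", "metadata": {"name": "web-weak"}, "spec": {
    "hostNetwork": True,
    "containers": [{"name": "web", "image": "example.invalid/web:1.0",
                    "securityContext": {"privileged": True}}]}}

HARDENED_POD = {"kind": "Pod", "metadata": {"name": "web-hardened"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
    "containers": [{"name": "web", "image": "example.invalid/web:1.0",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], check_pod(pod) or ["ok"])
```

The same checks map directly onto the Pod Security Standards "restricted" profile, so a manifest that passes here is close to what an admission controller would accept.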



When the NSA pays a crypto company $10 million to promote crypto that the NSA had purposefully weakened, it’s completely reasonable to be wary of advice from them even if that advice, on the surface, seems benign.

https://www.techdirt.com/2013/12/20/nsa-gave-rsa-10-million-...


So, if I'm understanding you correctly, everyone should be wary of advice such as "don't use service accounts with root permissions", "segment your network", and "regularly scan your assets for vulnerabilities" because of a clandestine program dating back to 2006 which was designed to weaken an encryption standard?

Should all my service accounts run as root because NSA thinks that's a bad idea?


No, you’re not understanding me correctly.

What I am saying is that when taking advice from a proven malicious actor, it’s important to scrutinize the advice more carefully than one would usually do.

Osama bin Laden could have said “eat your vegetables to be healthy” and that is obviously reasonable advice but it’s also largely useless because we already know it is true. It’s the stuff that isn’t obviously already correct that we should take extra care to verify.



