Which two actions help limit the attack surface of your Docker container? (Choose two.)
Click on the arrows to vote for the correct answer
A. B. C. D. E.CE.
Sure, I'd be happy to help explain this question!
The term "attack surface" refers to the ways in which an attacker might be able to gain unauthorized access to a system or application. In the context of Docker containers, reducing the attack surface means limiting the potential avenues for attackers to exploit vulnerabilities.
Option A - Run only a single service in each container - can help limit the attack surface because it means that each container only has a single point of entry for attackers. If multiple services are running in a single container and one of them is compromised, the attacker may be able to gain access to other services running in the same container.
Option B - Run all services in a single image - is not a recommended practice for limiting the attack surface. Running all services in a single image means that if one service is compromised, the entire image (and all the services running in it) could be at risk.
Option C - Use version tags for base images and dependencies - is a best practice for managing Docker images and can help reduce the attack surface by ensuring that you're using known, trusted versions of the software.
Option D - Use Kali Linux as a base image - is not a recommended practice for most Docker use cases. Kali Linux is a specialized distribution of Linux that is specifically designed for penetration testing and other security-related tasks. While it may be appropriate for some security-related Docker applications, it is generally not recommended as a base image for running regular applications.
Option E - Download images over HTTPS supporting sites - is a good security practice in general, but it does not directly limit the attack surface of Docker containers. It helps ensure that the images you're downloading are authentic and have not been tampered with, but it does not address the issue of how those images are configured or how they are running.
So, the two actions that help limit the attack surface of Docker containers are A) Run only a single service in each container and C) Use version tags for base images and dependencies.