Home

Technical documentation, guides, and reference materials for ARMOR/RED container images and security practices.

Security in layers

ARMOR/RED applies security at multiple layers of the stack. Together the layers provide defense in depth, so that a breach at one level does not compromise the entire system.

[ HOST ]
  [ ORCHESTRATOR ]  // seccomp | capabilities: drop ALL | limits | SELinux | AppArmor
    [ CONTAINER ]  // user: nobody | readonly: true | no-new-privileges
      APPLICATION BINARY
        compiled with: -fstack-protector | PIE: enabled | RELRO: full | NX: on
        ASLR: enabled
        libc.so | libssl | libcrypto

Each layer represents an opportunity for hardening:

  • Host: Kernel hardening, cgroups, namespaces
  • Orchestrator: Seccomp profiles, capability restrictions, resource limits, SELinux, AppArmor
  • Container: Non-root user, read-only filesystem, no-new-privileges, minimal footprint
  • Application: Hardened compilation flags, stack protection, PIE, RELRO, NX, removal of unused features
  • Libraries: Minimal dependencies, vulnerability scanning, ASLR, kept up to date with security patches
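
One way to check a running container against the orchestrator and container settings named in the diagram. This is an added example, not ARMOR/RED code: it assumes a Docker runtime and the JSON shape of `docker inspect`, and `audit_container` and the sample record are constructed for illustration.

```python
import json

# Constructed sample shaped like one element of `docker inspect <container>` output.
SAMPLE_INSPECT = json.loads("""
{
  "Name": "/demo",
  "Config": {"User": ""},
  "HostConfig": {
    "ReadonlyRootfs": false,
    "CapDrop": ["NET_RAW"],
    "SecurityOpt": ["seccomp=unconfined"],
    "Memory": 0,
    "PidsLimit": null
  }
}
""")

def audit_container(info):
    """Return a list of findings; an empty list means every check passed."""
    cfg = info.get("Config") or {}
    host = info.get("HostConfig") or {}
    findings = []

    # user: nobody -> any non-root user passes; an empty User means root
    uid = (cfg.get("User") or "").split(":")[0]
    if uid in ("", "0", "root"):
        findings.append("runs as root")
    # readonly: true
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable")
    # capabilities: drop ALL
    caps = [c.upper() for c in host.get("CapDrop") or []]
    if "ALL" not in caps:
        findings.append("capabilities not dropped (expected drop ALL)")
    # SecurityOpt entries appear as "key", "key=value" or "key:value"
    opts = [o.replace(":", "=").lower() for o in host.get("SecurityOpt") or []]
    if not any(o in ("no-new-privileges", "no-new-privileges=true") for o in opts):
        findings.append("no-new-privileges not set")
    # With no seccomp option Docker applies its default profile; flag only "unconfined"
    if "seccomp=unconfined" in opts:
        findings.append("seccomp disabled")
    # limits: 0, -1 or null all mean "unlimited"
    if (host.get("Memory") or 0) <= 0 or (host.get("PidsLimit") or 0) <= 0:
        findings.append("missing memory or pids limit")
    return findings

if __name__ == "__main__":
    for finding in audit_container(SAMPLE_INSPECT):
        print(f"{SAMPLE_INSPECT['Name']}: {finding}")
```

To audit a real container, pass each element of `json.loads` applied to the output of `docker inspect <container>` to `audit_container`.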