Open Container Security Benchmarks: Building ‘Am I Isolated’ the FOSS Way

Containers have revolutionised how we package and deploy applications, but their security at runtime remains a critical challenge. Unlike VMs, containers share the host kernel and rely on Linux namespaces and cgroups for isolation. As NIST notes, containers “do not offer as clear and concrete a security boundary as VMs”, and misconfigurations can allow containers to interact with each other or the host more easily than separate VMs. In practice, this means a container escape can compromise the host or other containers.

Recent Docker/runc "leaky vessels" CVEs, for instance, demonstrate how runtime errors can get around container boundaries. At the same time, developers often focus on building container images, pushing off security checks until later. Our talk introduces “Am I Isolated”, an open-source (Apache‑2.0) security benchmark tool that fills this gap by measuring and visualising container isolation. Built in Rust and running as a container, it automatically probes your runtime environment for missing isolation features, ambient privileges, or misconfigurations. In this session, we will explain why container isolation matters, demo the tool (with live code examples), and show how a community-driven approach can harden multi‑tenant environments.

Traditional best practices exist – e.g., Docker Bench Security (open-sourced by Docker/Aqua) checks hundreds of host and container settings – but they mostly audit configurations (daemon settings, mounts, permissions). Few tools examine the running container’s actual isolation posture. “Am I Isolated” is designed to test exactly that; it acts like a diagnostic for container security, probing namespaces, capabilities, and privilege gaps at runtime.

Modern container platforms also offer tools (Falco, kube-hunter, etc.) for runtime security, but they complement rather than replace a baseline isolation check. Our session will compare existing FOSS tools and benchmarks, then show how Am I Isolated slots in: it scans the container environment itself and prints a clear report of any “leaks” in the sandbox. For instance, it verifies the mounting of host namespaces and the presence of caps such as CAP_SYS_ADMIN.

1. Understand Container Isolation: Learn why containers aren’t completely sandboxed and how shared kernels lead to risk. See real examples (e.g., SUID binaries, capabilities) that can cause escapes.
   
   

2. Hands-On FOSS Security Tool: Get a demo of Am I Isolated and how to run it (code snippet and live output included). See how easy it is to integrate this FOSS scanner into your workflow.
   
   

3. Actionable Improvements: Understand common misconfigurations (running as root, missing namespaces, excess privileges) and how to fix them. For instance, seeing the Docker Bench score and specific FAILs will guide improvements.
   
   

4. Community-Driven Security: Discover how open source drives container security. We’ll point to GitHub discussions, issue trackers, and encourage contributions to evolving benchmarks.
   
   

Multi-Tenancy and Blast Radius: Appreciate the importance of isolation in Kubernetes and cloud-native systems. We discuss how tools like Edera’s hypervisor-based sandbox approach aim for true VM-like isolation and how benchmarks like Am I Isolated help validate any chosen isolation strategy.