Docker security audit is one of most crucial aspect before you implement this in production environment. This is quiet important to know the configuration mistake or loop hole in setup which may directly hit the security concerns.
Docker has its own utility available ie Docker Bench which flag an issue in setup.
So lets see why this is more important to know when you deal with crucial setups of Docker.
Lets clone a repository of Docker Bench on local machine.
[root@siddhesh ~]# git clone https://github.com/docker/docker-bench-security.git
Cloning into 'docker-bench-security'...
remote: Enumerating objects: 28, done.
remote: Counting objects: 100% (28/28), done.
remote: Compressing objects: 100% (23/23), done.
remote: Total 2020 (delta 13), reused 10 (delta 5), pack-reused 1992
Receiving objects: 100% (2020/2020), 2.93 MiB | 1024.00 KiB/s, done.
Resolving deltas: 100% (1410/1410), done.
[root@siddhesh ~]#
After this you can go into the directory docker-bench-security
[root@siddhesh ~]# cd docker-bench-security/
[root@siddhesh docker-bench-security]#
To perform the security audit run docker-bench-security.sh
[root@siddhesh docker-bench-security]# ./docker-bench-security.sh
# ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.5
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Benchmark v1.2.0.
# ------------------------------------------------------------------------------
Initializing Tue Apr 21 22:11:49 IST 2020
[INFO] 1 - Host Configuration
[INFO] 1.1 - General Configuration
[NOTE] 1.1.1 - Ensure the container host has been Hardened
[INFO] 1.1.2 - Ensure Docker is up to date
[INFO] * Using 1.13.1, verify is it up to date as deemed necessary
[INFO] * Your operating system vendor may provide support and security maintenance for Docker
[INFO] 1.2 - Linux Hosts Specific Configuration
[WARN] 1.2.1 - Ensure a separate partition for containers has been created
[INFO] 1.2.2 - Ensure only trusted users are allowed to control Docker daemon
[WARN] 1.2.3 - Ensure auditing is configured for the Docker daemon
[WARN] 1.2.4 - Ensure auditing is configured for Docker files and directories - /var/lib/docker
[WARN] 1.2.5 - Ensure auditing is configured for Docker files and directories - /etc/docker
[WARN] 1.2.6 - Ensure auditing is configured for Docker files and directories - docker.service
[INFO] 1.2.7 - Ensure auditing is configured for Docker files and directories - docker.socket
[INFO] * File not found
[INFO] 1.2.8 - Ensure auditing is configured for Docker files and directories - /etc/default/docker
[INFO] * File not found
[WARN] 1.2.9 - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker
[WARN] 1.2.10 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
. . .
[Output Truncate]
This script runs multiple tests to identify a security loop holes as per standards.
So this report is divided into following four category :
[INFO]
[PASS]
[WARN]
[NOTE]
Category WARN should be considered for critical vulnerability.
This test includes primarily eight checks as follow :
1. Host Configuration
2. Docker daemon configuration 3. Docker daemon configuration files
4. Container Images and Build File
5. Container Runtime
6. Docker Security Operations
7. Docker Swarm Configuration
8. Docker Enterprise Configuration
You can also run this tool specific to above check.
[root@siddhesh docker-bench-security]# ./docker-bench-security.sh -c docker_daemon_configuration
# ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.5
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Benchmark v1.2.0.
# ------------------------------------------------------------------------------
Initializing Tue Apr 21 22:27:41 IST 2020
[INFO] 2 - Docker daemon configuration
[WARN] 2.1 - Ensure network traffic is restricted between containers on the default bridge
[PASS] 2.2 - Ensure the logging level is set to 'info'
[PASS] 2.3 - Ensure Docker is allowed to make changes to iptables
[PASS] 2.4 - Ensure insecure registries are not used
[PASS] 2.5 - Ensure aufs storage driver is not used
[INFO] 2.6 - Ensure TLS authentication for Docker daemon is configured
[INFO] * Docker daemon not listening on TCP
[INFO] 2.7 - Ensure the default ulimit is configured appropriately
[INFO] * Default ulimit doesn't appear to be set
[WARN] 2.8 - Enable user namespace support
[PASS] 2.9 - Ensure the default cgroup usage has been confirmed
[PASS] 2.10 - Ensure base device size is not changed until needed
[WARN] 2.11 - Ensure that authorization for Docker client commands is enabled
[PASS] 2.12 - Ensure centralized and remote logging is configured
[WARN] 2.13 - Ensure live restore is Enabled
[WARN] 2.14 - Ensure Userland Proxy is Disabled
[INFO] 2.15 - Ensure that a daemon-wide custom seccomp profile is applied if appropriate
[PASS] 2.16 - Ensure that experimental features are not implemented in production
[WARN] 2.17 - Ensure containers are restricted from acquiring new privileges
[INFO] Checks: 17
[INFO] Score: 2
[root@siddhesh docker-bench-security]#
In Next tutorials we'll try to close WARN category points to improve its overall scoring..
Comentarios