
Docker: Fixing Audit Warnings



In the last tutorial we saw how to generate a Docker audit report using Docker Bench.


In this tutorial we are going to see how to fix the WARN category findings to make the Docker environment more secure.


1. Ensure a separate partition for containers has been created


It is always recommended not to keep containers on Docker's default partition. Most cloud platforms, such as AWS or DigitalOcean, do not give much free space under the /var partition by default, so you might face a disk space crunch there.

How to find the default partition of Docker containers?

You can use the command below to find out the actual partition details.


[root@siddhesh ~]# docker info -f'{{.DockerRootDir }}'
/var/lib/docker
[root@siddhesh ~]#

You can create a new partition and format it with a suitable file system. Once this is done, point /var/lib/docker at it with a soft link.


2. Ensure only trusted users are allowed to control Docker daemon

Only trusted users should be members of the docker group, because membership of that group gives control over the Docker daemon. Keeping the group small restricts daemon management to those trusted users only.


[root@siddhesh ~]# grep docker /etc/group
dockerroot:x:986:siddhesh
[root@siddhesh ~]#

3. Ensure auditing is configured for Docker files and directories


Auditing on a Linux server is configured through the auditd daemon, which is responsible for recording audit events to the audit log file. To configure auditing for Docker files and directories, add the following watch rules and restart auditd:


[root@siddhesh ~]# vim /etc/audit/rules.d/audit.rules
-w /usr/bin/docker -p wa
-w /var/lib/docker -p wa
-w /etc/docker -p wa
-w /lib/systemd/system/docker.service -p wa
-w /lib/systemd/system/docker.socket -p wa
-w /etc/default/docker -p wa
-w /etc/docker/daemon.json -p wa
-w /usr/bin/docker-containerd -p wa
-w /usr/bin/docker-runc -p wa
[root@siddhesh ~]# systemctl restart auditd.service


[root@siddhesh ~]# auditctl -l
-w /usr/bin/docker -p wa
-w /var/lib/docker -p wa
-w /etc/docker -p wa
-w /lib/systemd/system/docker.service -p wa
-w /lib/systemd/system/docker.socket -p wa
-w /etc/default/docker -p wa
-w /etc/docker/daemon.json -p wa
-w /usr/bin/docker-containerd -p wa
-w /usr/bin/docker-runc -p wa
[root@siddhesh ~]#

4. Docker Daemon Configuration Warnings


In this section Docker Bench checks the daemon-level security configuration settings.

Most of these warnings can be fixed by creating the daemon configuration file, i.e. /etc/docker/daemon.json.

By default this file is present under /etc/docker with empty content, i.e. {}.

You can add content like the following.


[root@siddhesh ~]# cat /etc/docker/daemon.json
{
    "icc": false,
    "userns-remap": "default",
    "log-driver": "syslog",
    "disable-legacy-registry": true,
    "live-restore": true,
    "userland-proxy": false,
    "no-new-privileges": true
}
[root@siddhesh ~]#

Here, each setting corresponds to one Docker Bench check:


"icc": false ==> Ensure network traffic is restricted between containers on the default bridge

"userns-remap": "default" ==> Enable user namespace support

"log-driver": "syslog" ==> Ensure centralized and remote logging is configured

"disable-legacy-registry": true ==> Ensure operations on legacy registry (v1) are Disabled

"live-restore": true ==> Ensure live restore is Enabled

"userland-proxy": false ==> Ensure Userland Proxy is Disabled

"no-new-privileges": true ==> Ensure containers are restricted from acquiring new privileges


