TL;DR
- docker-bench-security を試す
- host上で動いているdocker containerのsecurityをチェックする
build
- git clone
git clone https://github.com/docker/docker-bench-security.git
- docker-compose.ymlの調整
- デフォルトの状態だと毎回buildするので、buildしたimageを使うように修正
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,10 +1,10 @@
docker-bench-security:
# use image if you have a dedicated build step:
# docker build --rm -t docker-bench-security .
- # image: docker-bench-security
+ image: docker-bench-security
# use build path to Dockerfile if docker-compose should build the image
- build: .
+ #build: .
cap_add:
- audit_control
-
docker build
docker build -t docker-bench-security .
-
docker-compose
docker-compose run --rm docker-bench-security
実行結果サンプル
- nginx のContainerが動いている
-> % docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d78b33e9ec1b nginx:1.10.0-alpine "nginx -g 'daemon off" 13 minutes ago Up 12 minutes 80/tcp, 443/tcp lonely_euler
- 実行
-> % docker-compose run --rm docker-bench-security
# ------------------------------------------------------------------------------
# Docker Bench for Security v1.0.0
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker 1.11 Benchmark:
# https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=docker16.110
# ------------------------------------------------------------------------------
Initializing Mon May 16 07:19:06 UTC 2016
[INFO] 1 - Host Configuration
[WARN] 1.1 - Create a separate partition for containers
[PASS] 1.2 - Use an updated Linux Kernel
[PASS] 1.4 - Remove all non-essential services from the host - Network
[WARN] 1.5 - Keep Docker up to date
[WARN] * Using 1.11.0, when 1.11.1 is current as of 2016-04-27
[INFO] * Your operating system vendor may provide support and security maintenance for docker
[INFO] 1.6 - Only allow trusted users to control Docker daemon
[INFO] * docker:x:100:docker
[WARN] 1.7 - Failed to inspect: auditctl command not found.
[INFO] 1.8 - Audit Docker files and directories - /var/lib/docker
[INFO] * Directory not found
[INFO] 1.9 - Audit Docker files and directories - /etc/docker
[INFO] * Directory not found
[INFO] 1.10 - Audit Docker files and directories - docker.service
[INFO] * File not found
[INFO] 1.11 - Audit Docker files and directories - docker.socket
[INFO] * File not found
[INFO] 1.12 - Audit Docker files and directories - /etc/default/docker
[INFO] * File not found
[INFO] 1.13 - Audit Docker files and directories - /etc/docker/daemon.json
[INFO] * File not found
[INFO] 1.14 - Audit Docker files and directories - /usr/bin/docker-containerd
[INFO] * File not found
[INFO] 1.15 - Audit Docker files and directories - /usr/bin/docker-runc
[INFO] * File not found
[INFO] 2 - Docker Daemon Configuration
[WARN] 2.1 - Restrict network traffic between containers
[PASS] 2.2 - Set the logging level
[PASS] 2.3 - Allow Docker to make changes to iptables
[PASS] 2.4 - Do not use insecure registries
[WARN] 2.5 - Do not use the aufs storage driver
[INFO] 2.6 - Configure TLS authentication for Docker daemon
[INFO] * Docker daemon not listening on TCP
[INFO] 2.7 - Set default ulimit as appropriate
[INFO] * Default ulimit doesn't appear to be set
[WARN] 2.8 - Enable user namespace support
[PASS] 2.9 - Confirm default cgroup usage
[PASS] 2.10 - Do not change base device size until needed
[WARN] 2.11 - Use authorization plugin
[WARN] 2.12 - Configure centralized and remote logging
[WARN] 2.13 - Disable operations on legacy registry (v1)
[INFO] 3 - Docker Daemon Configuration Files
[INFO] 3.1 - Verify that docker.service file ownership is set to root:root
[INFO] * File not found
[INFO] 3.2 - Verify that docker.service file permissions are set to 644
[INFO] * File not found
[INFO] 3.3 - Verify that docker.socket file ownership is set to root:root
[INFO] * File not found
[INFO] 3.4 - Verify that docker.socket file permissions are set to 644
[INFO] * File not found
[INFO] 3.5 - Verify that /etc/docker directory ownership is set to root:root
[INFO] * Directory not found
[INFO] 3.6 - Verify that /etc/docker directory permissions are set to 755
[INFO] * Directory not found
[INFO] 3.7 - Verify that registry certificate file ownership is set to root:root
[INFO] * Directory not found
[INFO] 3.8 - Verify that registry certificate file permissions are set to 444
[INFO] * Directory not found
[INFO] 3.9 - Verify that TLS CA certificate file ownership is set to root:root
[INFO] * No TLS CA certificate found
[INFO] 3.10 - Verify that TLS CA certificate file permissions are set to 444
[INFO] * No TLS CA certificate found
[INFO] 3.11 - Verify that Docker server certificate file ownership is set to root:root
[INFO] * No TLS Server certificate found
[INFO] 3.12 - Verify that Docker server certificate file permissions are set to 444
[INFO] * No TLS Server certificate found
[INFO] 3.13 - Verify that Docker server key file ownership is set to root:root
[INFO] * No TLS Key found
[INFO] 3.14 - Verify that Docker server key file permissions are set to 400
[INFO] * No TLS Key found
[PASS] 3.15 - Verify that Docker socket file ownership is set to root:docker
[PASS] 3.16 - Verify that Docker socket file permissions are set to 660
[INFO] 3.17 - Verify that daemon.json file ownership is set to root:root
[INFO] * File not found
[INFO] 3.18 - Verify that daemon.json file permissions are set to 644
[INFO] * File not found
[INFO] 3.19 - Verify that /etc/default/docker file ownership is set to root:root
[INFO] * File not found
[INFO] 3.20 - Verify that /etc/default/docker file permissions are set to 644
[INFO] * File not found
[INFO] 4 - Container Images and Build Files
[WARN] 4.1 - Create a user for the container
[WARN] * Running as root: lonely_euler
[WARN] 4.5 - Enable Content trust for Docker
[INFO] 5 - Container Runtime
[WARN] 5.1 - Verify AppArmor Profile, if applicable
[WARN] * No AppArmorProfile Found: lonely_euler
[WARN] 5.2 - Verify SELinux security options, if applicable
[WARN] * No SecurityOptions Found: lonely_euler
[PASS] 5.3 - Restrict Linux Kernel Capabilities within containers
[PASS] 5.4 - Do not use privileged containers
[PASS] 5.5 - Do not mount sensitive host system directories on containers
[PASS] 5.6 - Do not run ssh within containers
[PASS] 5.7 - Do not map privileged ports within containers
[PASS] 5.9 - Do not share the host's network namespace
[WARN] 5.10 - Limit memory usage for container
[WARN] * Container running without memory restrictions: lonely_euler
[WARN] 5.11 - Set container CPU priority appropriately
[WARN] * Container running without CPU restrictions: lonely_euler
[WARN] 5.12 - Mount container's root filesystem as read only
[WARN] * Container running with root FS mounted R/W: lonely_euler
[PASS] 5.13 - Bind incoming container traffic to a specific host interface
[WARN] 5.14 - Set the 'on-failure' container restart policy to 5
[WARN] * MaximumRetryCount is not set to 5: lonely_euler
[PASS] 5.15 - Do not share the host's process namespace
[PASS] 5.16 - Do not share the host's IPC namespace
[PASS] 5.17 - Do not directly expose host devices to containers
[INFO] 5.18 - Override default ulimit at runtime only if needed
[INFO] * Container no default ulimit override: lonely_euler
[PASS] 5.19 - Do not set mount propagation mode to shared
[PASS] 5.20 - Do not share the host's UTS namespace
[PASS] 5.21 - Do not disable default seccomp profile
[PASS] 5.24 - Confirm cgroup usage
[WARN] 5.25 - Restrict container from acquiring additional privileges
[WARN] * Privileges not restricted: lonely_euler
[INFO] 6 - Docker Security Operations
[INFO] 6.4 - Avoid image sprawl
[INFO] * There are currently: 57 images
[WARN] 6.5 - Avoid container sprawl
[WARN] * There are currently a total of 69 containers, with only 2 of them currently running