Docker Bench for Security
v1.5.0 (2023/03/16)
Apache License 2.0
Official checking tool from Docker, Inc.
Run it on the Docker host; it inspects the Docker host's configuration, the running containers, and so on.
Example run
$ git clone https://github.com/docker/docker-bench-security.git
$ cd docker-bench-security
$ docker-compose run --rm docker-bench-security
WARNING: Image for service docker-bench-security was built because it did not already exist. To rebuild this image you must use `docker-compose build` or `docker-compose up --build`.
# ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.5
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Benchmark v1.2.0.
# ------------------------------------------------------------------------------
Initializing Mon Feb 10 07:06:16 UTC 2020
[INFO] 1 - Host Configuration
[INFO] 1.1 - General Configuration
[NOTE] 1.1.1 - Ensure the container host has been Hardened
[INFO] 1.1.2 - Ensure Docker is up to date
[INFO] * Using 18.09.9, verify is it up to date as deemed necessary
[INFO] * Your operating system vendor may provide support and security maintenance for Docker
[INFO] 1.2 - Linux Hosts Specific Configuration
[WARN] 1.2.1 - Ensure a separate partition for containers has been created
[INFO] 1.2.2 - Ensure only trusted users are allowed to control Docker daemon
[INFO] * docker:x:989:CORP\sano
[WARN] 1.2.3 - Ensure auditing is configured for the Docker daemon
[WARN] 1.2.4 - Ensure auditing is configured for Docker files and directories - /var/lib/docker
[WARN] 1.2.5 - Ensure auditing is configured for Docker files and directories - /etc/docker
[WARN] 1.2.6 - Ensure auditing is configured for Docker files and directories - docker.service
[WARN] 1.2.7 - Ensure auditing is configured for Docker files and directories - docker.socket
[INFO] 1.2.8 - Ensure auditing is configured for Docker files and directories - /etc/default/docker
[INFO] * File not found
[WARN] 1.2.9 - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker
[WARN] 1.2.10 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
[INFO] 1.2.11 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd
[INFO] * File not found
[INFO] 1.2.12 - Ensure auditing is configured for Docker files and directories - /usr/sbin/runc
[INFO] * File not found
[INFO] 2 - Docker daemon configuration
[WARN] 2.1 - Ensure network traffic is restricted between containers on the default bridge
[PASS] 2.2 - Ensure the logging level is set to 'info'
[PASS] 2.3 - Ensure Docker is allowed to make changes to iptables
[PASS] 2.4 - Ensure insecure registries are not used
[PASS] 2.5 - Ensure aufs storage driver is not used
[INFO] 2.6 - Ensure TLS authentication for Docker daemon is configured
[INFO] * Docker daemon not listening on TCP
[PASS] 2.7 - Ensure the default ulimit is configured appropriately
[WARN] 2.8 - Enable user namespace support
[PASS] 2.9 - Ensure the default cgroup usage has been confirmed
[PASS] 2.10 - Ensure base device size is not changed until needed
[WARN] 2.11 - Ensure that authorization for Docker client commands is enabled
[WARN] 2.12 - Ensure centralized and remote logging is configured
[WARN] 2.13 - Ensure live restore is Enabled
[WARN] 2.14 - Ensure Userland Proxy is Disabled
[PASS] 2.15 - Ensure that a daemon-wide custom seccomp profile is applied if appropriate
[PASS] 2.16 - Ensure that experimental features are not implemented in production
[WARN] 2.17 - Ensure containers are restricted from acquiring new privileges
[INFO] 3 - Docker daemon configuration files
[PASS] 3.1 - Ensure that docker.service file ownership is set to root:root
[PASS] 3.2 - Ensure that docker.service file permissions are appropriately set
[PASS] 3.3 - Ensure that docker.socket file ownership is set to root:root
[PASS] 3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive
[PASS] 3.5 - Ensure that /etc/docker directory ownership is set to root:root
[PASS] 3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictive
[INFO] 3.7 - Ensure that registry certificate file ownership is set to root:root
[INFO] * Directory not found
[INFO] 3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictive
[INFO] * Directory not found
[INFO] 3.9 - Ensure that TLS CA certificate file ownership is set to root:root
[INFO] * No TLS CA certificate found
[INFO] 3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive
[INFO] * No TLS CA certificate found
[INFO] 3.11 - Ensure that Docker server certificate file ownership is set to root:root
[INFO] * No TLS Server certificate found
[INFO] 3.12 - Ensure that Docker server certificate file permissions are set to 444 or more restrictive
[INFO] * No TLS Server certificate found
[INFO] 3.13 - Ensure that Docker server certificate key file ownership is set to root:root
[INFO] * No TLS Key found
[INFO] 3.14 - Ensure that Docker server certificate key file permissions are set to 400
[INFO] * No TLS Key found
[PASS] 3.15 - Ensure that Docker socket file ownership is set to root:docker
[PASS] 3.16 - Ensure that Docker socket file permissions are set to 660 or more restrictive
[PASS] 3.17 - Ensure that daemon.json file ownership is set to root:root
[PASS] 3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive
[INFO] 3.19 - Ensure that /etc/default/docker file ownership is set to root:root
[INFO] * File not found
[PASS] 3.20 - Ensure that the /etc/sysconfig/docker file ownership is set to root:root
[PASS] 3.21 - Ensure that /etc/sysconfig/docker file permissions are set to 644 or more restrictive
[INFO] 3.22 - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive
[INFO] * File not found
[INFO] 4 - Container Images and Build File
[INFO] 4.1 - Ensure a user for the container has been created
[INFO] * No containers running
[NOTE] 4.2 - Ensure that containers use only trusted base images
[NOTE] 4.3 - Ensure that unnecessary packages are not installed in the container
[NOTE] 4.4 - Ensure images are scanned and rebuilt to include security patches
[WARN] 4.5 - Ensure Content trust for Docker is Enabled
[WARN] 4.6 - Ensure that HEALTHCHECK instructions have been added to container images
[WARN] * No Healthcheck found: [fluentd-ui:latest]
[WARN] * No Healthcheck found: [ruby:2.7.0-slim]
[WARN] * No Healthcheck found: [mariadb:10.4.12]
[WARN] * No Healthcheck found: [mariadb/maxscale:2.4.6]
[WARN] * No Healthcheck found: [aquasec/trivy:latest]
[WARN] * No Healthcheck found: [alpine:3.11]
[WARN] * No Healthcheck found: [docker.elastic.co/kibana/kibana:7.5.2 kibana:7.5.2]
[WARN] * No Healthcheck found: [docker.elastic.co/kibana/kibana:7.5.2 kibana:7.5.2]
[WARN] * No Healthcheck found: [docker.elastic.co/elasticsearch/elasticsearch:7.5.2]
[WARN] * No Healthcheck found: [servercentral/praeco:latest]
[WARN] * No Healthcheck found: [goodwithtech/dockle:v0.2.4]
[WARN] * No Healthcheck found: [redis:5.0.7]
[WARN] * No Healthcheck found: [nginx:1.16.1]
[WARN] * No Healthcheck found: [nginx:latest]
[WARN] * No Healthcheck found: [servercentral/elastalert:latest]
[WARN] * No Healthcheck found: [ruby:2.6.0-slim]
[INFO] 4.7 - Ensure update instructions are not use alone in the Dockerfile
[INFO] * Update instruction found: [fluentd-ui:latest]
[INFO] * Update instruction found: [ruby:2.7.0-slim]
[INFO] * Update instruction found: [mariadb:10.4.12]
[INFO] * Update instruction found: [docker.elastic.co/kibana/kibana:7.5.2 kibana:7.5.2]
[INFO] * Update instruction found: [docker.elastic.co/kibana/kibana:7.5.2 kibana:7.5.2]
[INFO] * Update instruction found: [servercentral/praeco:latest]
[INFO] * Update instruction found: [servercentral/elastalert:latest]
[INFO] * Update instruction found: [ruby:2.6.0-slim]
[NOTE] 4.8 - Ensure setuid and setgid permissions are removed
[PASS] 4.9 - Ensure that COPY is used instead of ADD in Dockerfiles
[NOTE] 4.10 - Ensure secrets are not stored in Dockerfiles
[NOTE] 4.11 - Ensure only verified packages are installed
[INFO] 5 - Container Runtime
[INFO] * No containers running, skipping Section 5
[INFO] 6 - Docker Security Operations
[INFO] 6.1 - Ensure that image sprawl is avoided
[INFO] * There are currently: 16 images
[INFO] * Only 1 out of 16 are in use
[INFO] 6.2 - Ensure that container sprawl is avoided
[INFO] * There are currently a total of 1 containers, with 1 of them currently running
[INFO] 7 - Docker Swarm Configuration
[PASS] 7.1 - Ensure swarm mode is not Enabled, if not needed
[PASS] 7.2 - Ensure that the minimum number of manager nodes have been created in a swarm (Swarm mode not enabled)
[PASS] 7.3 - Ensure that swarm services are bound to a specific host interface (Swarm mode not enabled)
[PASS] 7.4 - Ensure that all Docker swarm overlay networks are encrypted
[PASS] 7.5 - Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Swarm mode not enabled)
[PASS] 7.6 - Ensure that swarm manager is run in auto-lock mode (Swarm mode not enabled)
[PASS] 7.7 - Ensure that the swarm manager auto-lock key is rotated periodically (Swarm mode not enabled)
[PASS] 7.8 - Ensure that node certificates are rotated as appropriate (Swarm mode not enabled)
[PASS] 7.9 - Ensure that CA certificates are rotated as appropriate (Swarm mode not enabled)
[PASS] 7.10 - Ensure that management plane traffic is separated from data plane traffic (Swarm mode not enabled)
[INFO] 8 - Docker Enterprise Configuration
[INFO] * Community Engine license, skipping section 8
[INFO] Checks: 76
[INFO] Score: 14
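A report like the one above is only useful if someone acts on it, and the score line alone does not say which checks failed. The following script is an added example (not part of docker-bench-security) that parses the plain-text report format shown above, counts results per status, groups the WARN items by section, and returns a non-zero exit code so the run can gate a pipeline. The sample report embedded in it is constructed and abridged from the output above; the `accepted` set of check ids and the `bench_gate.py` name are assumptions for illustration.

```python
"""Summarise Docker Bench for Security output and use it as a CI gate.

Added example, not docker-bench-security's own code. Result lines look like
"[WARN] 2.8 - Enable user namespace support", detail lines start with
"[INFO] * ..." or "[WARN] * ...", and "Checks:"/"Score:" close the report.
"""
import re
import sys
from collections import Counter, defaultdict

# One result line: status tag, check id (1, 1.2, 1.2.3 ...), description.
RESULT_RE = re.compile(r"^\[(PASS|WARN|INFO|NOTE)\]\s+(\d+(?:\.\d+)*)\s+-\s+(.*)$")
# One detail line attached to the preceding result.
DETAIL_RE = re.compile(r"^\[(PASS|WARN|INFO|NOTE)\]\s+\*\s+(.*)$")

# Constructed sample, abridged from the report format above (user name is a placeholder).
SAMPLE_REPORT = """\
[INFO] 1 - Host Configuration
[INFO] 1.2 - Linux Hosts Specific Configuration
[WARN] 1.2.1 - Ensure a separate partition for containers has been created
[INFO] 1.2.2 - Ensure only trusted users are allowed to control Docker daemon
[INFO] * docker:x:989:someuser
[WARN] 1.2.3 - Ensure auditing is configured for the Docker daemon
[INFO] 2 - Docker daemon configuration
[WARN] 2.1 - Ensure network traffic is restricted between containers on the default bridge
[PASS] 2.2 - Ensure the logging level is set to 'info'
[WARN] 2.8 - Enable user namespace support
[WARN] 2.17 - Ensure containers are restricted from acquiring new privileges
[INFO] 4 - Container Images and Build File
[WARN] 4.6 - Ensure that HEALTHCHECK instructions have been added to container images
[WARN] * No Healthcheck found: [nginx:1.16.1]
[WARN] * No Healthcheck found: [redis:5.0.7]
[INFO] Checks: 76
[INFO] Score: 14
"""


def parse_report(text):
    """Parse a report into a list of check dicts, in report order.

    Section headers ("1 - Host Configuration", "1.2 - Linux Hosts ...") are
    recognised because a later id extends them ("1.2.1"), and are dropped;
    '* detail' lines are attached to the preceding result.
    """
    entries = []
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if m:
            entries.append({"status": m.group(1), "id": m.group(2),
                            "desc": m.group(3).strip(), "details": []})
            continue
        m = DETAIL_RE.match(line)
        if m and entries:
            entries[-1]["details"].append(m.group(2).strip())
    ids = [e["id"] for e in entries]

    def is_header(cid):
        return "." not in cid or any(other.startswith(cid + ".") for other in ids)

    return [e for e in entries if not is_header(e["id"])]


def summarize(checks):
    """Count results per status and group WARN check ids by top-level section."""
    by_status = Counter(c["status"] for c in checks)
    warns_by_section = defaultdict(list)
    for c in checks:
        if c["status"] == "WARN":
            warns_by_section[c["id"].split(".")[0]].append(c["id"])
    return dict(by_status), dict(warns_by_section)


def gate(checks, fail_on=("WARN",), accepted=()):
    """Return (ok, failing_ids).

    `accepted` holds check ids whose WARN is a documented, accepted risk;
    every other check with a status in `fail_on` fails the gate.
    """
    failing = [c["id"] for c in checks
               if c["status"] in fail_on and c["id"] not in accepted]
    return (not failing, failing)


if __name__ == "__main__":
    # Usage: python3 bench_gate.py bench.log   (no argument: the built-in sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    checks = parse_report(text)
    counts, warns = summarize(checks)
    ok, failing = gate(checks, accepted={"4.6"})  # assumed accepted risk
    print("results by status:", counts)
    for section, ids in sorted(warns.items()):
        print(f"section {section}: WARN on {', '.join(ids)}")
    for c in checks:
        if c["status"] == "WARN":
            for d in c["details"]:
                print(f"  {c['id']}: {d}")
    sys.exit(0 if ok else 1)
```

Capture the report with `docker-compose run --rm docker-bench-security | tee bench.log` and run `python3 bench_gate.py bench.log`; the exit code is 1 while any WARN outside the accepted set remains, which is what makes the run meaningful in a pipeline rather than a one-off look at the score.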
About Docker Security Scanning
Tried Docker's official security assessment tool "Docker Bench for Security"
Trivy
v0.11.0 (2023/08/10)
GNU Affero General Public License v3.0
Example run
$ mkdir -p trivy_cache_dir
$ chmod 777 trivy_cache_dir
$ docker run --rm -v $(pwd)/trivy_cache_dir:/root/.cache/ aquasec/trivy mariadb:10.4.12
2020-02-10T07:00:37.269Z INFO Detecting Ubuntu vulnerabilities...
mariadb:10.4.12 (ubuntu 18.04)
==============================
Total: 118 (UNKNOWN: 0, LOW: 25, MEDIUM: 71, HIGH: 22, CRITICAL: 0)
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| bash | CVE-2019-18276 | HIGH | 4.4.18-2ubuntu1.2 | | bash: when effective UID is |
| | | | | | not equal to its real UID |
| | | | | | the... |
+----------------------+------------------+ +-----------------------------------+-------------------------------------+------------------------------------+
| bsdutils | CVE-2018-7738 | | 2.31.1-0.4ubuntu3.4 | | util-linux: Shell command |
| | | | | | injection in unescaped |
| | | | | | bash-completed mount point |
| | | | | | names |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| coreutils | CVE-2016-2781 | LOW | 8.28-1ubuntu1 | | coreutils: Non-privileged |
| | | | | | session can escape to the |
| | | | | | parent session in chroot |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| dirmngr | CVE-2019-13050 | MEDIUM | 2.2.4-1ubuntu1.2 | | GnuPG: interaction between the |
| | | | | | sks-keyserver code and GnuPG |
| | | | | | allows for a Certificate... |
+ +------------------+----------+ +-------------------------------------+------------------------------------+
| | CVE-2019-14855 | LOW | | | |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| dpkg | CVE-2017-8283 | HIGH | 1.19.0.5ubuntu2.3 | | dpkg-source in dpkg 1.3.0 |
| | | | | | through 1.18.23 is able to use |
| | | | | | a non-GNU... |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| e2fsprogs | CVE-2019-5188 | MEDIUM | 1.44.1-1ubuntu1.2 | 1.44.1-1ubuntu1.3 | e2fsprogs: Out-of-bounds write |
| | | | | | in e2fsck/rehash.c |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| fdisk | CVE-2018-7738 | HIGH | 2.31.1-0.4ubuntu3.4 | | util-linux: Shell command |
| | | | | | injection in unescaped |
| | | | | | bash-completed mount point |
| | | | | | names |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| gnupg | CVE-2019-13050 | MEDIUM | 2.2.4-1ubuntu1.2 | | GnuPG: interaction between the |
| | | | | | sks-keyserver code and GnuPG |
| | | | | | allows for a Certificate... |
+ +------------------+----------+ +-------------------------------------+------------------------------------+
| | CVE-2019-14855 | LOW | | | |
+----------------------+------------------+----------+ +-------------------------------------+------------------------------------+
| gnupg-l10n | CVE-2019-13050 | MEDIUM | | | GnuPG: interaction between the |
| | | | | | sks-keyserver code and GnuPG |
| | | | | | allows for a Certificate... |
+ +------------------+----------+ +-------------------------------------+------------------------------------+
| | CVE-2019-14855 | LOW | | | |
+----------------------+------------------+----------+ +-------------------------------------+------------------------------------+
| gnupg-utils | CVE-2019-13050 | MEDIUM | | | GnuPG: interaction between the |
| | | | | | sks-keyserver code and GnuPG |
| | | | | | allows for a Certificate... |
+ +------------------+----------+ +-------------------------------------+------------------------------------+
| | CVE-2019-14855 | LOW | | | |
+----------------------+------------------+----------+ +-------------------------------------+------------------------------------+
| gpg | CVE-2019-13050 | MEDIUM | | | GnuPG: interaction between the |
| | | | | | sks-keyserver code and GnuPG |
| | | | | | allows for a Certificate... |
+ +------------------+----------+ +-------------------------------------+------------------------------------+
| | CVE-2019-14855 | LOW | | | |
+----------------------+------------------+----------+ +-------------------------------------+------------------------------------+
| gpg-agent | CVE-2019-13050 | MEDIUM | | | GnuPG: interaction between the |
| | | | | | sks-keyserver code and GnuPG |
| | | | | | allows for a Certificate... |
+ +------------------+----------+ +-------------------------------------+------------------------------------+
| | CVE-2019-14855 | LOW | | | |
+----------------------+------------------+----------+ +-------------------------------------+------------------------------------+
| gpg-wks-client | CVE-2019-13050 | MEDIUM | | | GnuPG: interaction between the |
| | | | | | sks-keyserver code and GnuPG |
| | | | | | allows for a Certificate... |
+ +------------------+----------+ +-------------------------------------+------------------------------------+
| | CVE-2019-14855 | LOW | | | |
+----------------------+------------------+----------+ +-------------------------------------+------------------------------------+
| gpg-wks-server | CVE-2019-13050 | MEDIUM | | | GnuPG: interaction between the |
| | | | | | sks-keyserver code and GnuPG |
| | | | | | allows for a Certificate... |
+ +------------------+----------+ +-------------------------------------+------------------------------------+
| | CVE-2019-14855 | LOW | | | |
+----------------------+------------------+----------+ +-------------------------------------+------------------------------------+
| gpgconf | CVE-2019-13050 | MEDIUM | | | GnuPG: interaction between the |
| | | | | | sks-keyserver code and GnuPG |
| | | | | | allows for a Certificate... |
+ +------------------+----------+ +-------------------------------------+------------------------------------+
| | CVE-2019-14855 | LOW | | | |
+----------------------+------------------+----------+ +-------------------------------------+------------------------------------+
| gpgsm | CVE-2019-13050 | MEDIUM | | | GnuPG: interaction between the |
| | | | | | sks-keyserver code and GnuPG |
| | | | | | allows for a Certificate... |
+ +------------------+----------+ +-------------------------------------+------------------------------------+
| | CVE-2019-14855 | LOW | | | |
+----------------------+------------------+----------+ +-------------------------------------+------------------------------------+
| gpgv | CVE-2019-13050 | MEDIUM | | | GnuPG: interaction between the |
| | | | | | sks-keyserver code and GnuPG |
| | | | | | allows for a Certificate... |
+ +------------------+----------+ +-------------------------------------+------------------------------------+
| | CVE-2019-14855 | LOW | | | |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| libasn1-8-heimdal | CVE-2019-12098 | MEDIUM | 7.5.0+dfsg-1 | | In the client side of Heimdal |
| | | | | | before 7.6.0, failure to |
| | | | | | verify anonymous... |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| libblkid1 | CVE-2018-7738 | HIGH | 2.31.1-0.4ubuntu3.4 | | util-linux: Shell command |
| | | | | | injection in unescaped |
| | | | | | bash-completed mount point |
| | | | | | names |
+----------------------+------------------+ +-----------------------------------+-------------------------------------+------------------------------------+
| libc-bin | CVE-2018-11236 | | 2.27-3ubuntu1 | | glibc: Integer overflow in |
| | | | | | stdlib/canonicalize.c on |
| | | | | | 32-bit architectures leading |
| | | | | | to stack-based buffer... |
+ +------------------+ + +-------------------------------------+------------------------------------+
| | CVE-2019-9169 | | | | glibc: regular-expression |
| | | | | | match via proceed_next_node |
| | | | | | in posix/regexec.c leads to |
| | | | | | heap-based buffer over-read... |
+ +------------------+----------+ +-------------------------------------+------------------------------------+
| | CVE-2009-5155 | MEDIUM | | | glibc: parse_reg_exp in |
| | | | | | posix/regcomp.c misparses |
| | | | | | alternatives leading to denial |
| | | | | | of service or... |
+ +------------------+ + +-------------------------------------+------------------------------------+
| | CVE-2015-8985 | | | | glibc: potential denial of |
| | | | | | service in pop_fail_stack() |
+ +------------------+ + +-------------------------------------+------------------------------------+
| | CVE-2016-10228 | | | | glibc: iconv program can |
| | | | | | hang when invoked with the -c |
| | | | | | option |
+ +------------------+ + +-------------------------------------+------------------------------------+
| | CVE-2016-10739 | | | | glibc: getaddrinfo should |
| | | | | | reject IP addresses with |
| | | | | | trailing characters |
+ +------------------+ + +-------------------------------------+------------------------------------+
| | CVE-2018-11237 | | | | glibc: Buffer overflow in |
| | | | | | __mempcpy_avx512_no_vzeroupper |
+ +------------------+ + +-------------------------------------+------------------------------------+
| | CVE-2018-19591 | | | | glibc: file descriptor |
| | | | | | leak in if_nametoindex() in |
| | | | | | sysdeps/unix/sysv/linux/if_index.c |
+ +------------------+ + +-------------------------------------+------------------------------------+
| | CVE-2018-20796 | | | | glibc: uncontrolled |
| | | | | | recursion in function |
| | | | | | check_dst_limits_calc_pos_1 in |
| | | | | | posix/regexec.c |
+ +------------------+ + +-------------------------------------+ +
| | CVE-2019-9192 | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
+ +------------------+----------+ +-------------------------------------+------------------------------------+
| | CVE-2019-7309 | LOW | | | glibc: memcmp function |
| | | | | | incorrectly returns zero |
+----------------------+------------------+----------+ +-------------------------------------+------------------------------------+
| libc6 | CVE-2018-11236 | HIGH | | | glibc: Integer overflow in |
| | | | | | stdlib/canonicalize.c on |
| | | | | | 32-bit architectures leading |
| | | | | | to stack-based buffer... |
+ +------------------+ + +-------------------------------------+------------------------------------+
| | CVE-2019-9169 | | | | glibc: regular-expression |
| | | | | | match via proceed_next_node |
| | | | | | in posix/regexec.c leads to |
| | | | | | heap-based buffer over-read... |
+ +------------------+----------+ +-------------------------------------+------------------------------------+
| | CVE-2009-5155 | MEDIUM | | | glibc: parse_reg_exp in |
| | | | | | posix/regcomp.c misparses |
| | | | | | alternatives leading to denial |
| | | | | | of service or... |
+ +------------------+ + +-------------------------------------+------------------------------------+
| | CVE-2015-8985 | | | | glibc: potential denial of |
| | | | | | service in pop_fail_stack() |
+ +------------------+ + +-------------------------------------+------------------------------------+
| | CVE-2016-10228 | | | | glibc: iconv program can |
| | | | | | hang when invoked with the -c |
| | | | | | option |
+ +------------------+ + +-------------------------------------+------------------------------------+
| | CVE-2016-10739 | | | | glibc: getaddrinfo should |
| | | | | | reject IP addresses with |
| | | | | | trailing characters |
+ +------------------+ + +-------------------------------------+------------------------------------+
| | CVE-2018-11237 | | | | glibc: Buffer overflow in |
| | | | | | __mempcpy_avx512_no_vzeroupper |
+ +------------------+ + +-------------------------------------+------------------------------------+
| | CVE-2018-19591 | | | | glibc: file descriptor |
| | | | | | leak in if_nametoindex() in |
| | | | | | sysdeps/unix/sysv/linux/if_index.c |
+ +------------------+ + +-------------------------------------+------------------------------------+
| | CVE-2018-20796 | | | | glibc: uncontrolled |
| | | | | | recursion in function |
| | | | | | check_dst_limits_calc_pos_1 in |
| | | | | | posix/regexec.c |
+ +------------------+ + +-------------------------------------+ +
| | CVE-2019-9192 | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
+ +------------------+----------+ +-------------------------------------+------------------------------------+
| | CVE-2019-7309 | LOW | | | glibc: memcmp function |
| | | | | | incorrectly returns zero |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| libcom-err2 | CVE-2019-5188 | MEDIUM | 1.44.1-1ubuntu1.2 | 1.44.1-1ubuntu1.3 | e2fsprogs: Out-of-bounds write |
| | | | | | in e2fsck/rehash.c |
+----------------------+ + + + + +
| libext2fs2 | | | | | |
| | | | | | |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| libfdisk1 | CVE-2018-7738 | HIGH | 2.31.1-0.4ubuntu3.4 | | util-linux: Shell command |
| | | | | | injection in unescaped |
| | | | | | bash-completed mount point |
| | | | | | names |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| libgcrypt20 | CVE-2019-12904 | MEDIUM | 1.8.1-4ubuntu1.1 | | Libgcrypt: physical addresses |
| | | | | | being available to other |
| | | | | | processes leads to a |
| | | | | | flush-and-reload... |
+ +------------------+ + +-------------------------------------+------------------------------------+
| | CVE-2019-13627 | | | 1.8.1-4ubuntu1.2 | libgcrypt: ECDSA timing |
| | | | | | attack in the libgcrypt20 |
| | | | | | cryptographic library |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| libgnutls30 | CVE-2018-16868 | LOW | 3.5.18-1ubuntu1.2 | | gnutls: Bleichenbacher-like |
| | | | | | side channel leakage in PKCS#1 |
| | | | | | v1.5 verification and padding |
| | | | | | oracle... |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| libgssapi3-heimdal | CVE-2019-12098 | MEDIUM | 7.5.0+dfsg-1 | | In the client side of Heimdal |
| | | | | | before 7.6.0, failure to |
| | | | | | verify anonymous... |
+----------------------+ + + +-------------------------------------+ +
| libhcrypto4-heimdal | | | | | |
| | | | | | |
| | | | | | |
+----------------------+ + + +-------------------------------------+ +
| libheimbase1-heimdal | | | | | |
| | | | | | |
| | | | | | |
+----------------------+ + + +-------------------------------------+ +
| libheimntlm0-heimdal | | | | | |
| | | | | | |
| | | | | | |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| libhogweed4 | CVE-2018-16869 | LOW | 3.4-1 | | nettle: Leaky data conversion |
| | | | | | exposing a manager oracle |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| libhx509-5-heimdal | CVE-2019-12098 | MEDIUM | 7.5.0+dfsg-1 | | In the client side of Heimdal |
| | | | | | before 7.6.0, failure to |
| | | | | | verify anonymous... |
+----------------------+ + + +-------------------------------------+ +
| libkrb5-26-heimdal | | | | | |
| | | | | | |
| | | | | | |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| libldap-2.4-2 | CVE-2017-14159 | LOW | 2.4.45+dfsg-1ubuntu1.4 | | openldap: Privilege escalation |
| | | | | | via PID file manipulation |
+----------------------+ + + +-------------------------------------+ +
| libldap-common | | | | | |
| | | | | | |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| liblz4-1 | CVE-2019-17543 | MEDIUM | 0.0~r131-2ubuntu3 | | lz4: heap-based buffer |
| | | | | | overflow in LZ4_write32 |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| libmount1 | CVE-2018-7738 | HIGH | 2.31.1-0.4ubuntu3.4 | | util-linux: Shell command |
| | | | | | injection in unescaped |
| | | | | | bash-completed mount point |
| | | | | | names |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| libncurses5 | CVE-2019-17594 | MEDIUM | 6.1-1ubuntu1.18.04 | | ncurses: heap-based buffer |
| | | | | | overflow in the _nc_find_entry |
| | | | | | function in tinfo/comp_hash.c |
+ +------------------+ + +-------------------------------------+------------------------------------+
| | CVE-2019-17595 | | | | ncurses: heap-based buffer |
| | | | | | overflow in the fmt_entry |
| | | | | | function in tinfo/comp_hash.c |
+----------------------+------------------+ + +-------------------------------------+------------------------------------+
| libncursesw5 | CVE-2019-17594 | | | | ncurses: heap-based buffer |
| | | | | | overflow in the _nc_find_entry |
| | | | | | function in tinfo/comp_hash.c |
+ +------------------+ + +-------------------------------------+------------------------------------+
| | CVE-2019-17595 | | | | ncurses: heap-based buffer |
| | | | | | overflow in the fmt_entry |
| | | | | | function in tinfo/comp_hash.c |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| libnettle6 | CVE-2018-16869 | LOW | 3.4-1 | | nettle: Leaky data conversion |
| | | | | | exposing a manager oracle |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| libpcre3 | CVE-2017-11164 | HIGH | 2:8.39-9 | | pcre: OP_KETRMAX feature |
| | | | | | in the match function in |
| | | | | | pcre_exec.c |
+ +------------------+----------+ +-------------------------------------+------------------------------------+
| | CVE-2017-7245 | MEDIUM | | | pcre: stack-based |
| | | | | | buffer overflow write in |
| | | | | | pcre32_copy_substring |
+ +------------------+ + +-------------------------------------+ +
| | CVE-2017-7246 | | | | |
| | | | | | |
| | | | | | |
+----------------------+------------------+ +-----------------------------------+-------------------------------------+------------------------------------+
| libroken18-heimdal | CVE-2019-12098 | | 7.5.0+dfsg-1 | | In the client side of Heimdal |
| | | | | | before 7.6.0, failure to |
| | | | | | verify anonymous... |
+----------------------+------------------+ +-----------------------------------+-------------------------------------+------------------------------------+
| libsasl2-2 | CVE-2019-19906 | | 2.1.27~101-g0780600+dfsg-3ubuntu2 | 2.1.27~101-g0780600+dfsg-3ubuntu2.1 | cyrus-sasl: denial of service |
| | | | | | in _sasl_add_string function |
+----------------------+ + + + + +
| libsasl2-modules-db | | | | | |
| | | | | | |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| libsmartcols1 | CVE-2018-7738 | HIGH | 2.31.1-0.4ubuntu3.4 | | util-linux: Shell command |
| | | | | | injection in unescaped |
| | | | | | bash-completed mount point |
| | | | | | names |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| libss2 | CVE-2019-5188 | MEDIUM | 1.44.1-1ubuntu1.2 | 1.44.1-1ubuntu1.3 | e2fsprogs: Out-of-bounds write |
| | | | | | in e2fsck/rehash.c |
+----------------------+------------------+ +-----------------------------------+-------------------------------------+------------------------------------+
| libssl1.1 | CVE-2019-1549 | | 1.1.1-1ubuntu2.1~18.04.5 | | openssl: information |
| | | | | | disclosure in fork() |
+ +------------------+ + +-------------------------------------+------------------------------------+
| | CVE-2019-1551 | | | | openssl: Integer overflow in |
| | | | | | RSAZ modular exponentiation on |
| | | | | | x86_64 |
+ +------------------+ + +-------------------------------------+------------------------------------+
| | CVE-2019-1563 | | | | openssl: information |
| | | | | | disclosure in PKCS7_dataDecode |
| | | | | | and CMS_decrypt_set1_pkey |
+ +------------------+----------+ +-------------------------------------+------------------------------------+
| | CVE-2019-1547 | LOW | | | openssl: side-channel weak |
| | | | | | encryption vulnerability |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| libsystemd0 | CVE-2020-1712 | HIGH | 237-3ubuntu10.33 | 237-3ubuntu10.38 | systemd: use-after-free when |
| | | | | | asynchronous polkit queries |
| | | | | | are performed |
+ +------------------+----------+ +-------------------------------------+------------------------------------+
| | CVE-2018-20839 | MEDIUM | | | systemd: mishandling of the |
| | | | | | current keyboard mode check |
| | | | | | leading to passwords being... |
+ +------------------+ + +-------------------------------------+------------------------------------+
| | CVE-2019-3843 | | | 237-3ubuntu10.38 | systemd: services with |
| | | | | | DynamicUser can create |
| | | | | | SUID/SGID binaries |
+ +------------------+ + + +------------------------------------+
| | CVE-2019-3844 | | | | systemd: services with |
| | | | | | DynamicUser can get new |
| | | | | | privileges and create SGID |
| | | | | | binaries... |
+ +------------------+----------+ + +------------------------------------+
| | CVE-2019-20386 | LOW | | | systemd: a memory leak was |
| | | | | | discovered in button_open in |
| | | | | | login/logind-button.c when |
| | | | | | udev... |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| libtasn1-6 | CVE-2018-1000654 | HIGH | 4.13-2 | | libtasn1: Infinite loop in |
| | | | | | _asn1_expand_object_id(ptree) |
| | | | | | leads to memory exhaustion |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| libtinfo5 | CVE-2019-17594 | MEDIUM | 6.1-1ubuntu1.18.04 | | ncurses: heap-based buffer |
| | | | | | overflow in the _nc_find_entry |
| | | | | | function in tinfo/comp_hash.c |
+ +------------------+ + +-------------------------------------+------------------------------------+
| | CVE-2019-17595 | | | | ncurses: heap-based buffer |
| | | | | | overflow in the fmt_entry |
| | | | | | function in tinfo/comp_hash.c |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| libudev1 | CVE-2020-1712 | HIGH | 237-3ubuntu10.33 | 237-3ubuntu10.38 | systemd: use-after-free when |
| | | | | | asynchronous polkit queries |
| | | | | | are performed |
+ +------------------+----------+ +-------------------------------------+------------------------------------+
| | CVE-2018-20839 | MEDIUM | | | systemd: mishandling of the |
| | | | | | current keyboard mode check |
| | | | | | leading to passwords being... |
+ +------------------+ + +-------------------------------------+------------------------------------+
| | CVE-2019-3843 | | | 237-3ubuntu10.38 | systemd: services with |
| | | | | | DynamicUser can create |
| | | | | | SUID/SGID binaries |
+ +------------------+ + + +------------------------------------+
| | CVE-2019-3844 | | | | systemd: services with |
| | | | | | DynamicUser can get new |
| | | | | | privileges and create SGID |
| | | | | | binaries... |
+ +------------------+----------+ + +------------------------------------+
| | CVE-2019-20386 | LOW | | | systemd: a memory leak was |
| | | | | | discovered in button_open in |
| | | | | | login/logind-button.c when |
| | | | | | udev... |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| libuuid1 | CVE-2018-7738 | HIGH | 2.31.1-0.4ubuntu3.4 | | util-linux: Shell command |
| | | | | | injection in unescaped |
| | | | | | bash-completed mount point |
| | | | | | names |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| libwind0-heimdal | CVE-2019-12098 | MEDIUM | 7.5.0+dfsg-1 | | In the client side of Heimdal |
| | | | | | before 7.6.0, failure to |
| | | | | | verify anonymous... |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| libxtables12 | CVE-2012-2663 | HIGH | 1.6.1-2ubuntu2 | | iptables: --syn flag bypass |
+ +------------------+----------+ +-------------------------------------+------------------------------------+
| | CVE-2019-11360 | MEDIUM | | | A buffer overflow in |
| | | | | | iptables-restore in netfilter |
| | | | | | iptables 1.8.2 allows an |
| | | | | | attacker... |
+----------------------+------------------+ +-----------------------------------+-------------------------------------+------------------------------------+
| login | CVE-2018-7169 | | 1:4.5-1ubuntu2 | | shadow-utils: newgidmap |
| | | | | | allows unprivileged user |
| | | | | | to drop supplementary |
| | | | | | groups potentially allowing |
| | | | | | privilege... |
+ +------------------+----------+ +-------------------------------------+------------------------------------+
| | CVE-2013-4235 | LOW | | | shadow-utils: TOCTOU race |
| | | | | | conditions by copying and |
| | | | | | removing directory trees |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| mount | CVE-2018-7738 | HIGH | 2.31.1-0.4ubuntu3.4 | | util-linux: Shell command |
| | | | | | injection in unescaped |
| | | | | | bash-completed mount point |
| | | | | | names |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| ncurses-base | CVE-2019-17594 | MEDIUM | 6.1-1ubuntu1.18.04 | | ncurses: heap-based buffer |
| | | | | | overflow in the _nc_find_entry |
| | | | | | function in tinfo/comp_hash.c |
+ +------------------+ + +-------------------------------------+------------------------------------+
| | CVE-2019-17595 | | | | ncurses: heap-based buffer |
| | | | | | overflow in the fmt_entry |
| | | | | | function in tinfo/comp_hash.c |
+----------------------+------------------+ + +-------------------------------------+------------------------------------+
| ncurses-bin | CVE-2019-17594 | | | | ncurses: heap-based buffer |
| | | | | | overflow in the _nc_find_entry |
| | | | | | function in tinfo/comp_hash.c |
+ +------------------+ + +-------------------------------------+------------------------------------+
| | CVE-2019-17595 | | | | ncurses: heap-based buffer |
| | | | | | overflow in the fmt_entry |
| | | | | | function in tinfo/comp_hash.c |
+----------------------+------------------+ +-----------------------------------+-------------------------------------+------------------------------------+
| passwd | CVE-2018-7169 | | 1:4.5-1ubuntu2 | | shadow-utils: newgidmap |
| | | | | | allows unprivileged user |
| | | | | | to drop supplementary |
| | | | | | groups potentially allowing |
| | | | | | privilege... |
+ +------------------+----------+ +-------------------------------------+------------------------------------+
| | CVE-2013-4235 | LOW | | | shadow-utils: TOCTOU race |
| | | | | | conditions by copying and |
| | | | | | removing directory trees |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| rsync | CVE-2016-9841 | HIGH | 3.1.2-2.1ubuntu1 | | zlib: Out-of-bounds pointer |
| | | | | | arithmetic in inffast.c |
+ +------------------+ + +-------------------------------------+------------------------------------+
| | CVE-2016-9843 | | | | zlib: Big-endian out-of-bounds |
| | | | | | pointer |
+ +------------------+----------+ +-------------------------------------+------------------------------------+
| | CVE-2016-9840 | MEDIUM | | | zlib: Out-of-bounds pointer |
| | | | | | arithmetic in inftrees.c |
+ +------------------+ + +-------------------------------------+------------------------------------+
| | CVE-2016-9842 | | | | zlib: Undefined left shift of |
| | | | | | negative number |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| tar | CVE-2018-20482 | LOW | 1.29b-2ubuntu0.1 | | tar: Infinite read loop in |
| | | | | | sparse_dump_region function in |
| | | | | | sparse.c |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
| util-linux | CVE-2018-7738 | HIGH | 2.31.1-0.4ubuntu3.4 | | util-linux: Shell command |
| | | | | | injection in unescaped |
| | | | | | bash-completed mount point |
| | | | | | names |
+----------------------+------------------+----------+-----------------------------------+-------------------------------------+------------------------------------+
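Many rows in the table above have an empty Fixed Version column: the distribution has not published a fix yet, so a CI gate that fails on every HIGH finding would stay red until Ubuntu ships one. Trivy expresses this policy itself with `--severity HIGH,CRITICAL --ignore-unfixed --exit-code 1`, but the added Python example below (written for this page; it is not Trivy's code and not from the original post) reimplements the gate over Trivy's JSON report (`trivy image -f json -o report.json <image>`) so that unfixed findings are still reported instead of silently dropped. The report is a constructed sample whose rows are copied from the table, and the `Results` / bare-list layouts are assumed from Trivy's SchemaVersion 2 and pre-0.20 output; check them against the Trivy version you run.

```python
import json
import sys
from dataclasses import dataclass

# Constructed sample in the layout of a Trivy JSON report (SchemaVersion 2, `trivy image -f json`).
# The rows mirror entries from the table on this page; this is not a real scan result.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "Results": [{
        "Target": "example:latest (ubuntu 18.04)",
        "Type": "ubuntu",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2020-1712", "PkgName": "libsystemd0",
             "InstalledVersion": "237-3ubuntu10.33", "FixedVersion": "237-3ubuntu10.38",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2018-7738", "PkgName": "util-linux",
             "InstalledVersion": "2.31.1-0.4ubuntu3.4", "FixedVersion": "",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2019-5188", "PkgName": "libss2",
             "InstalledVersion": "1.44.1-1ubuntu1.2", "FixedVersion": "1.44.1-1ubuntu1.3",
             "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-2019-1547", "PkgName": "libssl1.1",
             "InstalledVersion": "1.1.1-1ubuntu2.1~18.04.5", "FixedVersion": "",
             "Severity": "LOW"},
        ],
    }],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    pkg: str
    installed: str
    fixed: str      # empty when the distribution has not published a fixed version
    severity: str


def parse_trivy(report_text: str):
    """Flatten a Trivy JSON report into Finding objects.
    SchemaVersion 2 wraps results in {"Results": [...]}; pre-0.20 output was a bare list of results."""
    doc = json.loads(report_text)
    results = (doc.get("Results") or []) if isinstance(doc, dict) else doc
    findings = []
    for result in results:
        for v in result.get("Vulnerabilities") or []:
            findings.append(Finding(
                vuln_id=v["VulnerabilityID"],
                pkg=v["PkgName"],
                installed=v.get("InstalledVersion", ""),
                fixed=v.get("FixedVersion", "") or "",
                severity=v.get("Severity", "UNKNOWN").upper(),
            ))
    return findings


def gate(findings, fail_at="HIGH", ignore_unfixed=True):
    """Split findings at or above `fail_at` into (blocking, unfixed).
    With ignore_unfixed=True a finding without a FixedVersion is reported but does not block,
    mirroring `trivy --ignore-unfixed`; findings below the threshold are dropped."""
    threshold = SEVERITY_RANK[fail_at]
    blocking, unfixed = [], []
    for f in findings:
        if SEVERITY_RANK.get(f.severity, 0) < threshold:
            continue
        if not f.fixed and ignore_unfixed:
            unfixed.append(f)
        else:
            blocking.append(f)
    return blocking, unfixed


def exit_code(findings, **policy) -> int:
    """1 when anything blocks the build, else 0 (the value a CI step would propagate)."""
    blocking, _ = gate(findings, **policy)
    return 1 if blocking else 0


if __name__ == "__main__":
    # Read a real report from the path given as the first argument, else use the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    found = parse_trivy(text)
    blocking, unfixed = gate(found)
    for f in blocking:
        print(f"BLOCK   {f.severity:<8} {f.vuln_id:<16} {f.pkg} {f.installed} -> {f.fixed}")
    for f in unfixed:
        print(f"UNFIXED {f.severity:<8} {f.vuln_id:<16} {f.pkg} {f.installed} (no fix published yet)")
    sys.exit(exit_code(found))
```

Run it as `python3 trivy_gate.py report.json` after `trivy image -f json -o report.json <image>`; without an argument it runs on the embedded sample, prints one BLOCK line (CVE-2020-1712, fix available) and one UNFIXED line (CVE-2018-7738), and exits 1. Tighten `fail_at` or set `ignore_unfixed=False` depending on whether your policy treats "no fix yet" as acceptable risk or as a reason to change base image.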
I want to use Trivy for vulnerability countermeasures on the frontend too!
Finally tried Trivy!
Tried "Trivy", which can inspect Docker images for vulnerabilities
A container vulnerability scanner usable in CI
Tried Trivy, an easy-to-use container vulnerability scanning tool
Dockle
v0.4.13 (2023/07/09)
GNU Affero General Public License v3.0
Security audit tool for container images
Also supports private registries
Example run
$ export DOCKLE_LATEST=$(
curl --silent "https://api.github.com/repos/goodwithtech/dockle/releases/latest" | \
grep '"tag_name":' | \
sed -E 's/.*"v([^"]+)".*/\1/' \
)
$ docker run --rm goodwithtech/dockle:v${DOCKLE_LATEST} mariadb:10.4.12
WARN - CIS-DI-0001: Create a user for the container
* Last user should not be root
INFO - CIS-DI-0005: Enable Content trust for Docker
* export DOCKER_CONTENT_TRUST=1 before docker pull/build
INFO - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
* not found HEALTHCHECK statement
INFO - CIS-DI-0008: Confirm safety of setuid/setgid files
* setgid file: usr/bin/wall grwxr-xr-x
* setgid file: usr/bin/chage grwxr-xr-x
* setuid file: usr/lib/mysql/plugin/auth_pam_tool_dir/auth_pam_tool urwxr-xr-x
* setuid file: usr/bin/gpasswd urwxr-xr-x
* setuid file: bin/umount urwxr-xr-x
* setuid file: bin/mount urwxr-xr-x
* setuid file: usr/bin/chfn urwxr-xr-x
* setuid file: usr/bin/chsh urwxr-xr-x
* setuid file: bin/su urwxr-xr-x
* setgid file: sbin/pam_extrausers_chkpwd grwxr-xr-x
* setuid file: usr/bin/passwd urwxr-xr-x
* setuid file: usr/bin/newgrp urwxr-xr-x
* setgid file: sbin/unix_chkpwd grwxr-xr-x
* setgid file: usr/bin/expiry grwxr-xr-x
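CIS-DI-0008 above only lists the setuid/setgid files it found and leaves the judgement to you; in CI the useful question is "did a new setid binary appear that was not in the base image?". The added Python example below (written for this page; it is not Dockle's code and not from the original post) reproduces that check over an extracted image root filesystem, for instance the directory you get from `docker export <container> | tar -x`, and diffs the result against an allowlist so a new setid file fails the build while the known ones from the base image pass. The mode string is rendered the way Dockle prints it (Go's `os.FileMode` formatting: `u`/`g` letters, then the rwx triads). The allowlist is an assumption built from the mariadb listing above, and the sample tree is constructed in a temporary directory.

```python
import os
import stat
import tempfile

# Setid files accepted from the base image (assumption for this example; the paths are the
# ones Dockle reported for mariadb:10.4.12 above). Anything outside this set fails the build.
ALLOWLIST = {
    "bin/su", "bin/mount", "bin/umount",
    "usr/bin/passwd", "usr/bin/chfn", "usr/bin/chsh", "usr/bin/newgrp",
    "usr/bin/gpasswd", "usr/bin/chage", "usr/bin/expiry", "usr/bin/wall",
    "sbin/unix_chkpwd", "sbin/pam_extrausers_chkpwd",
    "usr/lib/mysql/plugin/auth_pam_tool_dir/auth_pam_tool",
}


def go_style_mode(mode: int) -> str:
    """Render permission bits the way Dockle prints them (Go os.FileMode.String()):
    one letter per special bit (u=setuid, g=setgid, t=sticky, '-' if none), then rwx triads."""
    prefix = ""
    if mode & stat.S_ISUID:
        prefix += "u"
    if mode & stat.S_ISGID:
        prefix += "g"
    if mode & stat.S_ISVTX:
        prefix += "t"
    triads = ""
    for shift in (6, 3, 0):
        bits = (mode >> shift) & 0o7
        triads += ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-")
    return (prefix or "-") + triads


def find_setid_files(root: str):
    """Walk an extracted rootfs and return sorted (relative path, kind, mode string) tuples for
    every regular file carrying the setuid or setgid bit. Symlinks are not followed and are
    inspected with lstat, so a link pointing outside the tree cannot smuggle in a result."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            setuid = bool(st.st_mode & stat.S_ISUID)
            setgid = bool(st.st_mode & stat.S_ISGID)
            if not (setuid or setgid):
                continue
            if setuid and setgid:
                kind = "setuid+setgid"
            elif setuid:
                kind = "setuid"
            else:
                kind = "setgid"
            findings.append((os.path.relpath(full, root), kind, go_style_mode(st.st_mode)))
    return sorted(findings)


def unexpected_setid(findings, allowlist=ALLOWLIST):
    """Findings whose path is not in the allowlist; a non-empty result should fail the build."""
    return [f for f in findings if f[0] not in allowlist]


def make_sample_rootfs() -> str:
    """Constructed sample standing in for an extracted image: two known setid binaries,
    one plain binary, and one setuid file that is not on the allowlist."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    for rel, mode in (("usr/bin/passwd", 0o4755), ("usr/bin/wall", 0o2755),
                      ("bin/ls", 0o755), ("usr/local/bin/helper", 0o4755)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\n")
        os.chmod(path, mode)  # explicit mode, not subject to umask
    return root


if __name__ == "__main__":
    import sys
    rootfs = sys.argv[1] if len(sys.argv) > 1 else make_sample_rootfs()
    found = find_setid_files(rootfs)
    for rel, kind, mode in found:
        print(f"* {kind} file: {rel} {mode}")
    bad = unexpected_setid(found)
    for rel, kind, mode in bad:
        print(f"FAIL - unexpected {kind} file: {rel} {mode}")
    raise SystemExit(1 if bad else 0)
```

Run `python3 setid_check.py /path/to/extracted-rootfs` in the pipeline after exporting the image; without an argument it runs on the constructed tree and exits 1 because `usr/local/bin/helper` is setuid and not allowlisted. The allowlist should be per base image and reviewed when the base image is bumped, since a dropped or renamed setid binary is as worth noticing as a new one.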
"Dockle", a container security audit tool that is easy to use in CI
How "Dockle", the tool that makes people tremble, works, together with Docker security basics
Clair
v4.7.0 (2023/08/11)
Apache License 2.0
Container image vulnerability scanning tool developed by CoreOS (now part of Red Hat)
Clair, supporting secure Docker images
Trying Docker image vulnerability scanning with Clair
Vulnerability scanning of local Docker images with clair
Vuls
v0.23.3 (2023/07/10)
GNU Affero General Public License v3.0
Vulnerability scanner made in Japan
Is your server really safe? Tried Vuls, the hottest vulnerability detection tool right now
Vuls evolves! Detecting vulnerabilities in running Docker containers
Operating the vulnerability scanner Vuls in Docker
Building Vuls with Docker
Tried Vuls, which can check servers for vulnerabilities, using docker
Using Vuls quickly with docker-compose
Vulnerability scanning tool vuls: periodic scanning with cron
Vulnerability check operations with Vuls [environment setup] [security measures]
OWASP ZAP
v2.13.0 (2023/07/12)
Apache License 2.0
Free proxy tool for security testing
Trying the docker version of OWASP ZAP
Using OWASP ZAP with Docker
Automated scanning with Jenkins and OWASP ZAP
Introduction to the OWASP ZAP CLI (installation, startup, basic options)
kube-hunter
v0.6.8 (2022/05/18)
Apache License 2.0
Penetration testing tool for Kubernetes
Introducing kube-hunter, a penetration testing tool for Kubernetes
[Kube-hunter] Tried an OSS that runs 30 kubernetes environment vulnerability tests with a Docker one-liner
kube-bench
v0.6.17 (2023/07/25)
Apache License 2.0
Audits a cluster against the security best practices defined in the
CIS Kubernetes Benchmark
kubeaudit
v0.22.0 (2023/03/31)
MIT License
Audits the security configuration of Pods running in a Kubernetes environment
Sysdig Secure Jenkins Plugin
2.3.0 (2023/06/16)
Apache License 2.0
GitHub
Sysdig Secure Container Image Scanner
Docker scanning for Jenkins CI/CD security using the Sysdig Secure plugin
Integrating Gitlab CI/CD with Sysdig Secure
kubesec
0.9.2 (2018/08/11)
Apache License 2.0
Encrypts kubernetes Secret definitions (this is shyiko/kubesec; not the kubesec.io manifest risk scanner that shares the name)
Encrypting kubernetes secret definitions with kubesec
MicroScanner
v0.0.1-beta (2018/01/15)
Development discontinued (Aqua Security recommends Trivy in its place)
Container image vulnerability scanning tool