CLOVER🍀

That was when it all began.

Trying JBang, which runs Java source code as a script while resolving library dependencies

What is this post about?

I learned about JBang, a tool that lets you run Java programs in a script-like way.

It is an area I am interested in, so I decided to try it out.

JBang

JBang is a tool that lets you run Java programs as if they were scripts.

GitHub - jbangdev/jbang: Unleash the power of Java for shell scripting

The only requirement seems to be an installed Java (8 at minimum, 11 recommended).

Requirements

Its features include:

  • runs files with the .java or .jsh extension
  • multi-platform
  • installable through several package managers
  • resolves library dependencies
  • (experimental) native image support
  • lets you specify the Java version to use, and downloads it automatically if that version is not installed on the OS

and more. The list goes on a bit further; see the following for the details.

Features

The point that drew my attention is dependency resolution, which is one of the main reasons people reach for Maven and the like in the first place.

Note that, as the following FAQ entry shows, the author wrote the tool as a learning exercise.

And to be honest I built jbang just to see if I could and get my Java skills refreshed for the newer features in the language. Use it at your own risk :)

FAQ

Well, let's give it a try.

Environment

This is the environment for this post.

$ java --version
openjdk 11.0.8 2020-07-14
OpenJDK Runtime Environment (build 11.0.8+10-post-Ubuntu-0ubuntu120.04)
OpenJDK 64-Bit Server VM (build 11.0.8+10-post-Ubuntu-0ubuntu120.04, mixed mode, sharing)


$ sdk version

SDKMAN 5.9.0+555

Installation

Installation through SDKMAN is supported, so that is what I use here.

Installation / SDKMan

$ sdk install jbang

There are other installation methods as well; if your environment or tools do not meet their requirements, download the binary from the releases page and install it by hand.

Releases · jbangdev/jbang · GitHub

The version used this time:

$ jbang version
0.47.1

Before using it, enable Bash auto-completion.

Bash/Zsh auto-completion

$ source <(jbang completion)

Help.

$ jbang -h
jbang is a tool for building and running .java/.jsh scripts and jar packages.
Usage: jbang [-h] [--verbose] [COMMAND]

  jbang init hello.java [args...]
        (to initialize a script)
  or  jbang edit --live=code hello.java
        (to edit a script in IDE with live updates)
  or  jbang hello.java [args...]
        (to run a .java file)
  or  jbang gavsearch@jbangdev [args...]
        (to run a alias from a catalog)
  or  jbang group-id:artifact-id:version [args...]
        (to run a .jar file found with a GAV id)

  -h, --help      Display help/info
      --verbose   jbang will be verbose on what it does.

Essentials:
  run         Builds and runs provided script.
  build       Compiles and stores script in the cache.

Editing:
  init        Initialize a script.
  edit        Setup a temporary project to edit script in an IDE.

Caching:
  cache       Manage compiled scripts in the local cache.
  jdk         Manage Java Development Kits installed by jbang.

Configuration:
  trust       Manage which domains you trust to run scripts from.
  alias       Manage aliases for scripts.
  catalog     Manage Catalogs of aliases.

Other:
  completion  Output auto-completion script for bash/zsh.
              Usage: source <(jbang completion)
  version     Display version info.
  wrapper     Manage jbang wrapper for a folder.

Copyright: 2020 Max Rydahl Andersen and jbang.dev contributors, License: MIT
Website: https://jbang.dev

Running a Java program

First, a quick try.

Usage

Judging from the first sentence of the Usage section, a script has to be a single file.

A script is just a single .java file with a classic static main method or a .jsh file which will be passed to jshell.

Handling multiple source files is an experimental feature.

Multiple source files (Experimental)

I prepared the following Java source code.
HelloWorld.java

public class HelloWorld {
    public static void main(String... args) {
        String word;

        if (args.length == 0) {
            word = "World";
        } else {
            word = args[0];
        }

        System.out.printf("Hello %s!!%n", word);
    }
}

Mind you, nowadays this file can be run directly with the java command (Java 11's single-file source launcher).

$ java HelloWorld.java
Hello World!!


$ java HelloWorld.java Scripting
Hello Scripting!!

Run it with JBang.

$ jbang HelloWorld.java 
[jbang] Building jar...
Hello World!!

There is a log line that looks like it is building a JAR file...

From the second run onward it no longer appears.

$ jbang HelloWorld.java 
Hello World!!

Arguments work as usual.

$ jbang HelloWorld.java Scripting
Hello Scripting!!

So what is this build that happens out of nowhere? The Caching section of the documentation explains it.

Caching

By default, things get created under $HOME/.jbang/cache. Let's take a look.

$ find ~/.jbang/cache -type f
$HOME/.jbang/cache/jars/HelloWorld.java.a86770d39e60af63573a609bb669a610f5fa51605fb23be6383278d17f81423b/META-INF/maven/g/a/v/pom.xml
$HOME/.jbang/cache/jars/HelloWorld.java.a86770d39e60af63573a609bb669a610f5fa51605fb23be6383278d17f81423b/HelloWorld.class
$HOME/.jbang/cache/jars/HelloWorld.java.a86770d39e60af63573a609bb669a610f5fa51605fb23be6383278d17f81423b.jar

There are class files and JAR files...

Now let's modify the file slightly. I added a couple more exclamation marks.
HelloWorld.java

public class HelloWorld {
    public static void main(String... args) {
        String word;

        if (args.length == 0) {
            word = "World";
        } else {
            word = args[0];
        }

        System.out.printf("Hello %s!!!!%n", word);
    }
}

It gets rebuilt.

$ jbang HelloWorld.java 
[jbang] Building jar...
Hello World!!!!

The JAR file and its companions have been added alongside the old ones.

$ find ~/.jbang/cache -type f
$HOME/.jbang/cache/jars/HelloWorld.java.a86770d39e60af63573a609bb669a610f5fa51605fb23be6383278d17f81423b/META-INF/maven/g/a/v/pom.xml
$HOME/.jbang/cache/jars/HelloWorld.java.a86770d39e60af63573a609bb669a610f5fa51605fb23be6383278d17f81423b/HelloWorld.class
$HOME/.jbang/cache/jars/HelloWorld.java.a86770d39e60af63573a609bb669a610f5fa51605fb23be6383278d17f81423b.jar
$HOME/.jbang/cache/jars/HelloWorld.java.319a2e49920a81a167dcf3c65b688c995dc8b2cb1cdfb52756e73335b035ead2.jar
$HOME/.jbang/cache/jars/HelloWorld.java.319a2e49920a81a167dcf3c65b688c995dc8b2cb1cdfb52756e73335b035ead2/META-INF/maven/g/a/v/pom.xml
$HOME/.jbang/cache/jars/HelloWorld.java.319a2e49920a81a167dcf3c65b688c995dc8b2cb1cdfb52756e73335b035ead2/HelloWorld.class

The hash-like part of the directory name is the SHA-256 of the source file, so a changed script gets a fresh cache entry instead of overwriting the old one.

$ sha256sum HelloWorld.java 
a86770d39e60af63573a609bb669a610f5fa51605fb23be6383278d17f81423b  HelloWorld.java

These files can be removed with jbang cache clear.

$ jbang cache clear
[jbang] Clearing cache for urls
[jbang] Clearing cache for jars
[jbang] Clearing cache for scripts
[jbang] Clearing cache for stdins

Specifying only the subcommand prints its description.

$ jbang cache
Missing required subcommand
Usage: jbang cache [--verbose] [COMMAND]
Manage compiled scripts in the local cache.
      --verbose   jbang will be verbose on what it does.
Commands:
  clear  Clear cache of dependency list and temporary projects. By default this
           will clear the JAR, script, stdin and URL caches

The cache directory and similar settings can apparently be configured through environment variables.

https://github.com/jbangdev/jbang/blob/v0.47.1/src/main/java/dev/jbang/Settings.java

I have digressed a bit, but I think I have a feel for how it works now.

Running under JShell

JBang can also run scripts with JShell. Give it a file with the .jsh extension and it will try to run it through jshell.

Using .jsh for jshell

Let's try it.
HelloWorld.jsh

String word;

if (args.length == 0) {
    word = "World";
} else {
    word = args[0];
}

System.out.printf("Hello %s!!%n", word);

Semantically, this is equivalent to the earlier Java source.

Check.

$ jbang HelloWorld.jsh JBang
Hello JBang!!


$ jbang HelloWorld.jsh Scripting
Hello Scripting!!

It ran.

With the --interactive option you can also run it interactively, but I will leave this mode at that.

Treating the script as an executable file

By adding a line that uses // in place of a shebang and giving the script execute permission, you can run it as an executable file. The trick is that // opens a Java comment, but to the shell //usr/bin/env is just a path to env: the kernel finds no shebang, the shell falls back to interpreting the file as a shell script, and the first line hands the file to jbang and exits with its status before the shell ever reaches the Java code.

Usage

It looks like this.
HelloWorld.java

//usr/bin/env jbang "$0" "$@" ; exit $? 

public class HelloWorld {
    public static void main(String... args) {
        String word;

        if (args.length == 0) {
            word = "World";
        } else {
            word = args[0];
        }

        System.out.printf("Hello %s!!%n", word);
    }
}

Give it execute permission.

$ chmod a+x HelloWorld.java

Run.

$ ./HelloWorld.java 
[jbang] Building jar...
Hello World!!

And it runs like that. I will leave this here as well.

Resolving dependencies

Now let's use dependencies inside a script.

Declare dependencies

Write //DEPS in the source code and the dependencies get resolved.

Using //DEPS

There must be no space or anything else between // and DEPS: the directive is matched on the literal prefix //DEPS (see the line linked below), so a line such as // DEPS is an ordinary comment to jbang and the compile then fails on the unresolved imports.

https://github.com/jbangdev/jbang/blob/v0.47.1/src/main/java/dev/jbang/Script.java#L30

Prepare source code that uses Commons Lang3, like this.
HelloWorldDeps.java

//DEPS org.apache.commons:commons-lang3:3.11

import org.apache.commons.lang3.StringUtils;

public class HelloWorldDeps {
    public static void main(String... args) {
        String word;

        if (args.length == 0) {
            word = "World";
        } else {
            word = args[0];
        }

        System.out.println(StringUtils.join("Hello", " ", word, "!!"));
    }
}

Run.

$ jbang HelloWorldDeps.java 
[jbang] [WARN] Detected missing dependencies in cache.
[jbang] Resolving dependencies...
[jbang]     Resolving org.apache.commons:commons-lang3:3.11...Done
[jbang] Dependencies resolved
Hello World!!


$ jbang HelloWorldDeps.java Scripting
Hello Scripting!!

On the first run, the build and the library download take place.

The cache directory now looks like this.

$ find ~/.jbang/cache -type f
$HOME/.jbang/cache/jars/HelloWorldDeps.java.5f6cde3812d30c4eaecfe79d12e46f78dcd5ee9bf94768abeaea5aaaa171f5e5.jar
$HOME/.jbang/cache/jars/HelloWorldDeps.java.5f6cde3812d30c4eaecfe79d12e46f78dcd5ee9bf94768abeaea5aaaa171f5e5/HelloWorldDeps.class
$HOME/.jbang/cache/jars/HelloWorldDeps.java.5f6cde3812d30c4eaecfe79d12e46f78dcd5ee9bf94768abeaea5aaaa171f5e5/META-INF/maven/g/a/v/pom.xml

By default, JBang (at this version) uses jcenter as its Maven repository. jcenter has since been sunset by JFrog, so on a current setup you will want to point at Maven Central explicitly. Whatever repository you use, neither jbang nor the underlying resolver verifies artifact signatures against a key you trust, so pinning exact versions and fetching from a repository you trust over https are the controls you actually have here.

//REPOS lets you use other repositories.

Repositories

If you would rather use Maven Central than jcenter, it looks like this.

//REPOS central=https://repo1.maven.org/maven2/
//DEPS org.apache.commons:commons-lang3:3.11
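As an added example (not part of JBang or of this post's own code), the following POSIX shell function audits a script's dependency directives before you hand it to jbang: it flags //DEPS coordinates whose version is not pinned (LATEST, RELEASE, a SNAPSHOT or a range), //REPOS entries that are not served over https, and lines such as // DEPS that jbang, which matches the literal prefix, would silently treat as a comment. The sample script it runs on is constructed here; the repository host and the typo line in it are placeholders.

```shell
#!/bin/sh
# Audit the //DEPS and //REPOS directives of a JBang script before running it.
# Added example, not part of JBang; it only reads the script text and assumes
# the 0.47.1 directive forms "//DEPS g:a:v[:classifier] ..." and
# "//REPOS [name=]url ...", matched on the exact prefix (no space after //).

# jbang_deps_audit FILE
# Prints one OK/PROBLEM line per finding; returns 1 if any PROBLEM was found.
jbang_deps_audit() {
    file="$1"
    problems=0
    set -f   # no pathname expansion while splitting directive words
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '//DEPS '*)
                for dep in ${line#//DEPS }; do
                    # the version is the third colon-separated field
                    version=$(printf '%s' "$dep" | cut -d: -f3)
                    case "$version" in
                        ''|LATEST|RELEASE|*SNAPSHOT*|*'['*|*'('*|*'+'*)
                            echo "PROBLEM unpinned dependency: $dep"
                            problems=1 ;;
                        *)  echo "OK dependency pinned: $dep" ;;
                    esac
                done ;;
            '//REPOS '*)
                for repo in ${line#//REPOS }; do
                    url=${repo#*=}   # drop an optional name= prefix
                    case "$url" in
                        https://*) echo "OK repository over https: $repo" ;;
                        *)  echo "PROBLEM repository not over https: $repo"
                            problems=1 ;;
                    esac
                done ;;
            '// DEPS'*|'// REPOS'*)
                # jbang matches the literal prefix, so these are plain comments to it
                echo "PROBLEM malformed directive ignored by jbang: $line"
                problems=1 ;;
        esac
    done < "$file"
    set +f
    return $problems
}

# Demo on a constructed script (not the page's HelloWorldDeps.java); the
# repository host and the typo line are placeholders.
sample=$(mktemp)
cat > "$sample" <<'EOF'
//REPOS mirror=http://repo.example.internal/maven2/
//DEPS org.apache.commons:commons-lang3:3.11 org.slf4j:slf4j-api:LATEST
// DEPS com.example:typo:1.0
public class Demo {}
EOF
jbang_deps_audit "$sample" || echo "audit found problems; fix them before running jbang"
rm -f "$sample"
```

The check is textual on purpose: it runs before anything is compiled or downloaded, so a script pulled from a URL or a catalog can be reviewed without jbang touching the network. A dependency that passes here is still only as trustworthy as the repository it is fetched from.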

There are other options, such as referencing Git repositories and writing dependencies in @Grab (Grape) form, but I will pass on those.

Using links to Git sources

Using @Grab

How are dependencies resolved?

One thing I was curious about is how JBang resolves dependencies.

The answer is ShrinkWrap (the ShrinkWrap Resolver's Maven implementation).

https://github.com/jbangdev/jbang/blob/v0.47.1/src/main/java/dev/jbang/DependencyUtil.java

https://github.com/shrinkwrap/resolver/tree/3.1.4/maven

Consequently, the libraries are downloaded into the local Maven repository (~/.m2/repository by default), and settings.xml is read as well.

So if you need a proxy, settings.xml is presumably where to configure it.

Which Java is JBang running with?

This is another thing you want to know.

Run with the --verbose option and you can see it, along with the exact javac and java command lines jbang executes.

$ jbang --verbose HelloWorld.java 
[jbang] System Java version detected as 11
[jbang] System Java version matches requested version 11
[jbang] Building jar...
[jbang] compile: /usr/lib/jvm/default/bin/javac -d $HOME/.jbang/cache/jars/HelloWorld.java.c1a78dc36160dee8e968a9778b5fc17f8d74f633116e237206383be03aeeb42b HelloWorld.java
[jbang] System Java version matches requested version 11
[jbang] run: /usr/lib/jvm/default/bin/java -classpath $HOME/.jbang/cache/jars/HelloWorld.java.c1a78dc36160dee8e968a9778b5fc17f8d74f633116e237206383be03aeeb42b.jar: HelloWorld
Hello World!!

Wrapping up

I was able to confirm quite a few things.

It seems like something I could use for small tasks.

Trying Docker Bench for Security, which checks the configuration of the Docker host and containers

What is this post about?

I heard about Docker Bench for Security, a tool that checks the configuration of the Docker host and of the running containers, so I decided to try it.

GitHub - docker/docker-bench-security: The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.

Docker Bench for Security?

As mentioned at the start, Docker Bench for Security is a tool that checks the configuration of the Docker host and its containers.

It is provided by Docker.

GitHub - docker/docker-bench-security: The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.

The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are inspired by the CIS Docker Benchmark v1.2.0.

It is inspired by the CIS Docker Benchmark and checks, among other things, whether the Docker containers you deploy to production follow best practices.

The CIS Docker Benchmark is this.

CIS Docker Benchmarks

In short, Docker Bench for Security lets you self-assess your Docker hosts and containers.

We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and docker containers against this benchmark.

Environment

This is the environment for this post.

$ uname -srvmpio
Linux 5.4.0-47-generic #51-Ubuntu SMP Fri Sep 4 19:50:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux


$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.1 LTS
Release:    20.04
Codename:   focal


$ docker version
Client: Docker Engine - Community
 Version:           19.03.13
 API version:       1.40
 Go version:        go1.13.15
 Git commit:        4484c46d9d
 Built:             Wed Sep 16 17:02:52 2020
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.13
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       4484c46d9d
  Built:            Wed Sep 16 17:01:20 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.3.7
  GitCommit:        8fba4e9a7d01810a393d5d25a3621dc101981175
 runc:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

auditd appears to be needed, so install that too.

$ sudo apt install auditd

Because the README says the following:

Note that when distributions doesn't contain auditctl, the audit tests will check /etc/audit/audit.rules to see if a rule is present instead.

Version.

$ sudo auditctl -v
auditctl version 2.8.5

Configuring auditd

Let's configure auditd first.

The default configuration looks like this.

$ sudo cat /etc/audit/audit.rules
## This file is automatically generated from /etc/audit/rules.d
-D
-b 8192
-f 1
--backlog_wait_time 0

Putting files under /etc/audit/rules.d is the recommended way, so I created this one.
/etc/audit/rules.d/docker.rules

-w /usr/bin/dockerd -p wa
#-w /etc/sysconfig/docker -p wa
-w /etc/docker -p wa
-w /etc/docker/daemon.json -p wa
-w /usr/bin/containerd -p wa
-w /usr/bin/runc -p wa
-w /lib/systemd/system/docker.service -p wa
-w /lib/systemd/system/docker.socket -p wa
-w /etc/default/docker -p wa

The reason one line is commented out is that a rule for a path that does not exist stops rule loading at that point... (auditctl's -c option continues past such errors, but it is cleaner to simply leave out paths that are not present on the host.)

I based the rules on the following, adjusted to the current Docker version.

How To Audit Docker Host Security with Docker Bench for Security | DigitalOcean

As for the rules themselves:

-w specifies the file or directory to watch.

-p specifies the permissions to log; wa here records writes and attribute changes.

6.5. Defining Audit Rules, Red Hat Enterprise Linux 7 | Red Hat Customer Portal

After configuring, restart auditd.

$ sudo systemctl restart auditd

The rules are applied.

$ sudo cat /etc/audit/audit.rules
## This file is automatically generated from /etc/audit/rules.d
-D
-b 8192
-f 1
--backlog_wait_time 0
-w /usr/bin/dockerd -p wa
-w /etc/docker -p wa
-w /etc/docker/daemon.json -p wa
-w /usr/bin/containerd -p wa
-w /usr/bin/runc -p wa
-w /lib/systemd/system/docker.service -p wa
-w /lib/systemd/system/docker.socket -p wa
-w /etc/default/docker -p wa
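As an added example (not from Docker Bench for Security or the CIS benchmark), here is a POSIX shell generator for the rules file above that takes the list of paths the bench checks and writes a rule only for those that exist on the host, so the missing-path problem never arises, and that resolves the unit file paths through systemctl instead of hard-coding /lib/systemd/system. It assumes /var/lib/docker should be watched as well (the bench checks it in 1.2.4), and the -k docker key is my addition so that the events can be pulled back with ausearch -k docker.

```shell
#!/bin/sh
# Generate auditd watch rules for the Docker paths the bench checks
# (items 1.2.3 to 1.2.12 above), emitting a rule only for paths that exist
# on this host so that rule loading does not stop at a missing path.
# Added example; not part of Docker Bench for Security or the CIS benchmark.
# Assumption: the "-k docker" key is an addition for "ausearch -k docker".

# unit_path UNIT: print the unit file path for a systemd unit, or nothing.
unit_path() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl show -p FragmentPath --value "$1" 2>/dev/null || true
    else
        for dir in /etc/systemd/system /lib/systemd/system /usr/lib/systemd/system; do
            if [ -f "$dir/$1" ]; then echo "$dir/$1"; return 0; fi
        done
    fi
    return 0
}

# docker_audit_rules [PATH...]: print a "-w PATH -p wa -k docker" line per
# existing path and a comment per skipped one. Without arguments it uses the
# paths from the bench output above, resolving the unit files with unit_path.
docker_audit_rules() {
    if [ $# -eq 0 ]; then
        set -- /usr/bin/dockerd /var/lib/docker /etc/docker /etc/default/docker \
               /etc/sysconfig/docker /etc/docker/daemon.json \
               /usr/bin/containerd /usr/bin/runc /usr/sbin/runc \
               "$(unit_path docker.service)" "$(unit_path docker.socket)"
    fi
    for path in "$@"; do
        if [ -n "$path" ] && [ -e "$path" ]; then
            printf '%s\n' "-w $path -p wa -k docker"
        else
            printf '%s\n' "# skipped (not present on this host): ${path:-<unresolved unit>}"
        fi
    done
}

# Demo: print what this host would get. To apply, redirect the output into
# /etc/audit/rules.d/docker.rules, restart auditd and compare "auditctl -l".
docker_audit_rules
```

Keep the skipped comments in the generated file: when a later upgrade adds /etc/docker/daemon.json or moves runc, regenerating the file is the whole change, and the comments show which bench items still cannot pass on this host.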

Trying Docker Bench for Security

Now let's use Docker Bench for Security.

The documentation describes how to run it from the image on Docker Hub.

Running Docker Bench for Security

docker/docker-bench-security

Looking at that Docker Hub image, it only has a latest tag, and its contents were (at the time of writing) version 1.3.4, so I decided against it. An unpinned latest tag is also exactly the kind of input a benchmarking tool should not depend on, which is one more reason to build from a tagged checkout.

# ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.4
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Community Edition Benchmark v1.1.0.
# ------------------------------------------------------------------------------

Initializing Sun Sep 20 15:33:40 UTC 2020

The latest version at this point is 1.3.5.

So I switched to building it myself.

Building Docker Bench for Security

Clone the repository and check out the tag.

$ git clone https://github.com/docker/docker-bench-security.git
$ cd docker-bench-security
$ git checkout v1.3.5

Build.

$ docker image build --no-cache -t docker-bench-security:1.3.5 .

This procedure produces an Alpine Linux based image; if you want another OS as the base image, use the Dockerfiles in the following directory.

https://github.com/docker/docker-bench-security/tree/v1.3.5/distros

They are lined up like this.

$ ll distros
total 32
drwxrwxr-x 2 xxxxx xxxxx 4096 Sep 21 11:14 ./
drwxrwxr-x 5 xxxxx xxxxx 4096 Sep 21 11:14 ../
-rw-rw-r-- 1 xxxxx xxxxx  731 Sep 21 11:14 Dockerfile.alpine
-rw-rw-r-- 1 xxxxx xxxxx  326 Sep 21 11:14 Dockerfile.centos
-rw-rw-r-- 1 xxxxx xxxxx  762 Sep 21 11:14 Dockerfile.debian
-rw-rw-r-- 1 xxxxx xxxxx  295 Sep 21 11:14 Dockerfile.openSUSE
-rw-rw-r-- 1 xxxxx xxxxx  504 Sep 21 11:14 Dockerfile.rhel
-rw-rw-r-- 1 xxxxx xxxxx  488 Sep 21 11:14 README.md

Now let's run the checks with the image I built.

First, show the help.

$ docker container run -it --rm -v /var/run/docker.sock:/var/run/docker.sock:ro docker-bench-security:1.3.5 -h
  usage: docker-bench-security.sh [options]

  -b           optional  Do not print colors
  -h           optional  Print this help message
  -l FILE      optional  Log output in FILE
  -c CHECK     optional  Comma delimited list of specific check(s)
  -e CHECK     optional  Comma delimited list of specific check(s) to exclude
  -i INCLUDE   optional  Comma delimited list of patterns within a container or image name to check
  -x EXCLUDE   optional  Comma delimited list of patterns within a container or image name to exclude from check

The procedure itself is the same as with the Docker Hub image.

Running Docker Bench for Security

Here the environment variable DOCKER_CONTENT_TRUST catches the eye.

Setting the environment variable DOCKER_CONTENT_TRUST to 1 makes the Docker client refuse to pull, run or build with images that are not signed.

Content trust in Docker / Client Enforcement with Docker Content Trust

It seems worth enabling. Note that in the command below the variable is set in the shell but not exported: it reaches the bench container through -e, which is what check 4.5 looks at, but your own docker client only enforces content trust once you export it (export DOCKER_CONTENT_TRUST=1).

Now, run it.

$ DOCKER_CONTENT_TRUST=1
$ docker container run -it --rm \
    --name docker-bench-security \
    --network host \
    --pid host \
    --userns host \
    --cap-add audit_control \
    -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
    -v /etc:/etc:ro \
    -v /usr/bin/docker-containerd:/usr/bin/docker-containerd:ro \
    -v /usr/bin/docker-runc:/usr/bin/docker-runc:ro \
    -v /usr/lib/systemd:/usr/lib/systemd:ro \
    -v /var/lib:/var/lib:ro \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    --label docker_bench_security \
    docker-bench-security:1.3.5

バージョンの情報が表示され

# ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.5
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Benchmark v1.2.0.
# ------------------------------------------------------------------------------

Initializing Mon Sep 21 11:28:20 UTC 2020

The result was as follows.

[INFO] 1 - Host Configuration

[INFO] 1.1 - General Configuration
[NOTE] 1.1.1  - Ensure the container host has been Hardened
[INFO] 1.1.2  - Ensure Docker is up to date
[INFO]        * Using 19.03.13, verify is it up to date as deemed necessary
[INFO]        * Your operating system vendor may provide support and security maintenance for Docker

[INFO] 1.2 - Linux Hosts Specific Configuration
[WARN] 1.2.1 - Ensure a separate partition for containers has been created
[INFO] 1.2.2  - Ensure only trusted users are allowed to control Docker daemon
[INFO]        * docker:x:998:vagrant
[PASS] 1.2.3  - Ensure auditing is configured for the Docker daemon
[WARN] 1.2.4  - Ensure auditing is configured for Docker files and directories - /var/lib/docker
[PASS] 1.2.5  - Ensure auditing is configured for Docker files and directories - /etc/docker
[WARN] 1.2.6  - Ensure auditing is configured for Docker files and directories - docker.service
[WARN] 1.2.7  - Ensure auditing is configured for Docker files and directories - docker.socket
[PASS] 1.2.8  - Ensure auditing is configured for Docker files and directories - /etc/default/docker
[INFO] 1.2.9  - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker
[INFO]        * File not found
[INFO] 1.2.10  - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
[INFO]         * File not found
[INFO] 1.2.11  - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd
[INFO]         * File not found
[INFO] 1.2.12  - Ensure auditing is configured for Docker files and directories - /usr/sbin/runc
[INFO]         * File not found


[INFO] 2 - Docker daemon configuration
[WARN] 2.1  - Ensure network traffic is restricted between containers on the default bridge
[PASS] 2.2  - Ensure the logging level is set to 'info'
[PASS] 2.3  - Ensure Docker is allowed to make changes to iptables
[PASS] 2.4  - Ensure insecure registries are not used
[PASS] 2.5  - Ensure aufs storage driver is not used
[INFO] 2.6  - Ensure TLS authentication for Docker daemon is configured
[INFO]      * Docker daemon not listening on TCP
[INFO] 2.7  - Ensure the default ulimit is configured appropriately
[INFO]      * Default ulimit doesn't appear to be set
[WARN] 2.8  - Enable user namespace support
[PASS] 2.9  - Ensure the default cgroup usage has been confirmed
[PASS] 2.10  - Ensure base device size is not changed until needed
[WARN] 2.11  - Ensure that authorization for Docker client commands is enabled
[WARN] 2.12  - Ensure centralized and remote logging is configured
[WARN] 2.13  - Ensure live restore is Enabled
[WARN] 2.14  - Ensure Userland Proxy is Disabled
[PASS] 2.15  - Ensure that a daemon-wide custom seccomp profile is applied if appropriate
[PASS] 2.16  - Ensure that experimental features are not implemented in production
[WARN] 2.17  - Ensure containers are restricted from acquiring new privileges


[INFO] 3 - Docker daemon configuration files
[PASS] 3.1  - Ensure that docker.service file ownership is set to root:root
[PASS] 3.2  - Ensure that docker.service file permissions are appropriately set
[PASS] 3.3  - Ensure that docker.socket file ownership is set to root:root
[PASS] 3.4  - Ensure that docker.socket file permissions are set to 644 or more restrictive
[PASS] 3.5  - Ensure that /etc/docker directory ownership is set to root:root
[PASS] 3.6  - Ensure that /etc/docker directory permissions are set to 755 or more restrictive
[INFO] 3.7  - Ensure that registry certificate file ownership is set to root:root
[INFO]      * Directory not found
[INFO] 3.8  - Ensure that registry certificate file permissions are set to 444 or more restrictive
[INFO]      * Directory not found
[INFO] 3.9  - Ensure that TLS CA certificate file ownership is set to root:root
[INFO]      * No TLS CA certificate found
[INFO] 3.10  - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive
[INFO]       * No TLS CA certificate found
[INFO] 3.11  - Ensure that Docker server certificate file ownership is set to root:root
[INFO]       * No TLS Server certificate found
[INFO] 3.12  - Ensure that Docker server certificate file permissions are set to 444 or more restrictive
[INFO]       * No TLS Server certificate found
[INFO] 3.13  - Ensure that Docker server certificate key file ownership is set to root:root
[INFO]       * No TLS Key found
[INFO] 3.14  - Ensure that Docker server certificate key file permissions are set to 400
[INFO]       * No TLS Key found
[PASS] 3.15  - Ensure that Docker socket file ownership is set to root:docker
[PASS] 3.16  - Ensure that Docker socket file permissions are set to 660 or more restrictive
[INFO] 3.17  - Ensure that daemon.json file ownership is set to root:root
[INFO]       * File not found
[INFO] 3.18  - Ensure that daemon.json file permissions are set to 644 or more restrictive
[INFO]       * File not found
[PASS] 3.19  - Ensure that /etc/default/docker file ownership is set to root:root
[INFO] 3.20  - Ensure that the /etc/sysconfig/docker file ownership is set to root:root
[INFO]       * File not found
[INFO] 3.21  - Ensure that /etc/sysconfig/docker file permissions are set to 644 or more restrictive
[INFO]       * File not found
[PASS] 3.22  - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive


[INFO] 4 - Container Images and Build File
[INFO] 4.1  - Ensure a user for the container has been created
[INFO]      * No containers running
[NOTE] 4.2  - Ensure that containers use only trusted base images
[NOTE] 4.3  - Ensure that unnecessary packages are not installed in the container
[NOTE] 4.4  - Ensure images are scanned and rebuilt to include security patches
[PASS] 4.5  - Ensure Content trust for Docker is Enabled
[WARN] 4.6  - Ensure that HEALTHCHECK instructions have been added to container images
[WARN]      * No Healthcheck found: [httpd:2.4.46]
[WARN]      * No Healthcheck found: [alpine:3.10]
[INFO] 4.7  - Ensure update instructions are not use alone in the Dockerfile
[INFO]      * Update instruction found: [httpd:2.4.46]
[NOTE] 4.8  - Ensure setuid and setgid permissions are removed
[PASS] 4.9  - Ensure that COPY is used instead of ADD in Dockerfiles
[NOTE] 4.10  - Ensure secrets are not stored in Dockerfiles
[NOTE] 4.11  - Ensure only verified packages are installed


[INFO] 5 - Container Runtime
[INFO]   * No containers running, skipping Section 5


[INFO] 6 - Docker Security Operations
[INFO] 6.1  - Ensure that image sprawl is avoided
[INFO]      * There are currently: 3 images
[INFO] 6.2  - Ensure that container sprawl is avoided
[INFO]      * There are currently a total of 1 containers, with 1 of them currently running


[INFO] 7 - Docker Swarm Configuration
[PASS] 7.1  - Ensure swarm mode is not Enabled, if not needed
[PASS] 7.2  - Ensure that the minimum number of manager nodes have been created in a swarm (Swarm mode not enabled)
[PASS] 7.3  - Ensure that swarm services are bound to a specific host interface (Swarm mode not enabled)
[PASS] 7.4  - Ensure that all Docker swarm overlay networks are encrypted
[PASS] 7.5  - Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Swarm mode not enabled)
[PASS] 7.6  - Ensure that swarm manager is run in auto-lock mode (Swarm mode not enabled)
[PASS] 7.7  - Ensure that the swarm manager auto-lock key is rotated periodically (Swarm mode not enabled)
[PASS] 7.8  - Ensure that node certificates are rotated as appropriate (Swarm mode not enabled)
[PASS] 7.9  - Ensure that CA certificates are rotated as appropriate (Swarm mode not enabled)
[PASS] 7.10  - Ensure that management plane traffic is separated from data plane traffic (Swarm mode not enabled)


[INFO] 8 - Docker Enterprise Configuration
[INFO]   * Community Engine license, skipping section 8

[INFO] Checks: 76
[INFO] Score: 20

This is the summary.

[INFO] Checks: 76
[INFO] Score: 20

The score goes up by one for every PASS and down by one for every WARN; INFO and NOTE items, including checks whose target does not exist, count as zero.

Before acting on the section 1.2 findings, remember that the bench runs inside a container and only sees what is bind-mounted into it. The run command above mounts /usr/bin/docker-containerd and /usr/bin/docker-runc, the binary names from before Docker 18.09 split containerd into its own package, whereas this 19.03 host has /usr/bin/containerd and /usr/bin/runc, so the "File not found" results for 1.2.11 and 1.2.12 describe the container's view rather than the host's. The WARNs for docker.service and docker.socket (1.2.6, 1.2.7) deserve the same scrutiny: the rules above watch /lib/systemd/system/..., but only /usr/lib/systemd is mounted into the container, so the path string the bench looks for may not be the one in the loaded rules. 1.2.4, on the other hand, is a real gap: the rules file has no entry for /var/lib/docker. Confirm with sudo auditctl -l on the host before changing anything.
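Most of the section 2 WARNs above are daemon settings that live in /etc/docker/daemon.json, which this host does not have yet (see 3.17). As an added example (not bench code), the following POSIX shell check reads a daemon.json and reports the items that can be fixed in that file (2.1, 2.8, 2.13, 2.14, 2.17), so the file can be reviewed before dockerd is restarted. The two daemon.json contents it runs on are constructed here; the bench itself inspects the running daemon through docker info, not this file.

```shell
#!/bin/sh
# Review a daemon.json against the section 2 items above that are set in
# that file: 2.1 icc, 2.8 userns-remap, 2.13 live-restore, 2.14 userland
# proxy, 2.17 no-new-privileges. Added example, not bench code; the bench
# reads the live daemon through "docker info". Key names are the Docker
# 19.03 daemon.json keys; matching is textual, so keep the file one key per
# line as the dockerd documentation shows it.

DJ_FILE=""
DJ_WARNS=0

# _dj_check ID DESCRIPTION ERE: PASS if the regex matches DJ_FILE, else WARN.
_dj_check() {
    if grep -Eq "$3" "$DJ_FILE" 2>/dev/null; then
        echo "PASS $1 $2"
    else
        echo "WARN $1 $2"
        DJ_WARNS=$((DJ_WARNS + 1))
    fi
}

# daemon_json_check FILE: one line per item; returns the number of WARNs
# (a missing file, as on the host above, yields a WARN for every item).
daemon_json_check() {
    DJ_FILE="$1"
    DJ_WARNS=0
    sp='[[:space:]]*:[[:space:]]*'
    _dj_check 2.1  "icc disabled on the default bridge" "\"icc\"${sp}false"
    _dj_check 2.8  "user namespace remap enabled"       "\"userns-remap\"${sp}\"[^\"]+\""
    _dj_check 2.13 "live-restore enabled"               "\"live-restore\"${sp}true"
    _dj_check 2.14 "userland proxy disabled"            "\"userland-proxy\"${sp}false"
    _dj_check 2.17 "no-new-privileges by default"       "\"no-new-privileges\"${sp}true"
    return $DJ_WARNS
}

# Demo: the host above has no daemon.json (every item WARN), then a
# constructed hardened file that satisfies all five.
echo "== no daemon.json =="
daemon_json_check /nonexistent/daemon.json || echo "WARNs: $?"
hardened=$(mktemp)
cat > "$hardened" <<'EOF'
{
  "icc": false,
  "userns-remap": "default",
  "live-restore": true,
  "userland-proxy": false,
  "no-new-privileges": true
}
EOF
echo "== hardened daemon.json =="
daemon_json_check "$hardened" && echo "no WARNs"
rm -f "$hardened"
```

Two of these settings change behaviour beyond the score: userns-remap gives the daemon a separate, initially empty subtree under /var/lib/docker, so existing images and containers disappear from view until pulled or recreated, and no-new-privileges as a daemon default breaks images whose entrypoint relies on setuid binaries such as sudo. live-restore applies to standalone containers only, not to swarm services.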

Next, let's run Apache as a container.

$ docker container run -i --rm --name apache2 httpd:2.4.46

Running the bench again (from another terminal, since Apache is in the foreground) gives this result.

[INFO] 1 - Host Configuration

[INFO] 1.1 - General Configuration
[NOTE] 1.1.1  - Ensure the container host has been Hardened
[INFO] 1.1.2  - Ensure Docker is up to date
[INFO]        * Using 19.03.13, verify is it up to date as deemed necessary
[INFO]        * Your operating system vendor may provide support and security maintenance for Docker

[INFO] 1.2 - Linux Hosts Specific Configuration
[WARN] 1.2.1 - Ensure a separate partition for containers has been created
[INFO] 1.2.2  - Ensure only trusted users are allowed to control Docker daemon
[INFO]        * docker:x:998:vagrant
[PASS] 1.2.3  - Ensure auditing is configured for the Docker daemon
[WARN] 1.2.4  - Ensure auditing is configured for Docker files and directories - /var/lib/docker
[PASS] 1.2.5  - Ensure auditing is configured for Docker files and directories - /etc/docker
[WARN] 1.2.6  - Ensure auditing is configured for Docker files and directories - docker.service
[WARN] 1.2.7  - Ensure auditing is configured for Docker files and directories - docker.socket
[PASS] 1.2.8  - Ensure auditing is configured for Docker files and directories - /etc/default/docker
[INFO] 1.2.9  - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker
[INFO]        * File not found
[INFO] 1.2.10  - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
[INFO]         * File not found
[INFO] 1.2.11  - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd
[INFO]         * File not found
[INFO] 1.2.12  - Ensure auditing is configured for Docker files and directories - /usr/sbin/runc
[INFO]         * File not found


[INFO] 2 - Docker daemon configuration
[WARN] 2.1  - Ensure network traffic is restricted between containers on the default bridge
[PASS] 2.2  - Ensure the logging level is set to 'info'
[PASS] 2.3  - Ensure Docker is allowed to make changes to iptables
[PASS] 2.4  - Ensure insecure registries are not used
[PASS] 2.5  - Ensure aufs storage driver is not used
[INFO] 2.6  - Ensure TLS authentication for Docker daemon is configured
[INFO]      * Docker daemon not listening on TCP
[INFO] 2.7  - Ensure the default ulimit is configured appropriately
[INFO]      * Default ulimit doesn't appear to be set
[WARN] 2.8  - Enable user namespace support
[PASS] 2.9  - Ensure the default cgroup usage has been confirmed
[PASS] 2.10  - Ensure base device size is not changed until needed
[WARN] 2.11  - Ensure that authorization for Docker client commands is enabled
[WARN] 2.12  - Ensure centralized and remote logging is configured
[WARN] 2.13  - Ensure live restore is Enabled
[WARN] 2.14  - Ensure Userland Proxy is Disabled
[PASS] 2.15  - Ensure that a daemon-wide custom seccomp profile is applied if appropriate
[PASS] 2.16  - Ensure that experimental features are not implemented in production
[WARN] 2.17  - Ensure containers are restricted from acquiring new privileges


[INFO] 3 - Docker daemon configuration files
[PASS] 3.1  - Ensure that docker.service file ownership is set to root:root
[PASS] 3.2  - Ensure that docker.service file permissions are appropriately set
[PASS] 3.3  - Ensure that docker.socket file ownership is set to root:root
[PASS] 3.4  - Ensure that docker.socket file permissions are set to 644 or more restrictive
[PASS] 3.5  - Ensure that /etc/docker directory ownership is set to root:root
[PASS] 3.6  - Ensure that /etc/docker directory permissions are set to 755 or more restrictive
[INFO] 3.7  - Ensure that registry certificate file ownership is set to root:root
[INFO]      * Directory not found
[INFO] 3.8  - Ensure that registry certificate file permissions are set to 444 or more restrictive
[INFO]      * Directory not found
[INFO] 3.9  - Ensure that TLS CA certificate file ownership is set to root:root
[INFO]      * No TLS CA certificate found
[INFO] 3.10  - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive
[INFO]       * No TLS CA certificate found
[INFO] 3.11  - Ensure that Docker server certificate file ownership is set to root:root
[INFO]       * No TLS Server certificate found
[INFO] 3.12  - Ensure that Docker server certificate file permissions are set to 444 or more restrictive
[INFO]       * No TLS Server certificate found
[INFO] 3.13  - Ensure that Docker server certificate key file ownership is set to root:root
[INFO]       * No TLS Key found
[INFO] 3.14  - Ensure that Docker server certificate key file permissions are set to 400
[INFO]       * No TLS Key found
[PASS] 3.15  - Ensure that Docker socket file ownership is set to root:docker
[PASS] 3.16  - Ensure that Docker socket file permissions are set to 660 or more restrictive
[INFO] 3.17  - Ensure that daemon.json file ownership is set to root:root
[INFO]       * File not found
[INFO] 3.18  - Ensure that daemon.json file permissions are set to 644 or more restrictive
[INFO]       * File not found
[PASS] 3.19  - Ensure that /etc/default/docker file ownership is set to root:root
[INFO] 3.20  - Ensure that the /etc/sysconfig/docker file ownership is set to root:root
[INFO]       * File not found
[INFO] 3.21  - Ensure that /etc/sysconfig/docker file permissions are set to 644 or more restrictive
[INFO]       * File not found
[PASS] 3.22  - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive


[INFO] 4 - Container Images and Build File
[WARN] 4.1  - Ensure a user for the container has been created
[WARN]      * Running as root: apache2
[NOTE] 4.2  - Ensure that containers use only trusted base images
[NOTE] 4.3  - Ensure that unnecessary packages are not installed in the container
[NOTE] 4.4  - Ensure images are scanned and rebuilt to include security patches
[PASS] 4.5  - Ensure Content trust for Docker is Enabled
[WARN] 4.6  - Ensure that HEALTHCHECK instructions have been added to container images
[WARN]      * No Healthcheck found: [httpd:2.4.46]
[WARN]      * No Healthcheck found: [alpine:3.10]
[INFO] 4.7  - Ensure update instructions are not use alone in the Dockerfile
[INFO]      * Update instruction found: [httpd:2.4.46]
[NOTE] 4.8  - Ensure setuid and setgid permissions are removed
[PASS] 4.9  - Ensure that COPY is used instead of ADD in Dockerfiles
[NOTE] 4.10  - Ensure secrets are not stored in Dockerfiles
[NOTE] 4.11  - Ensure only verified packages are installed


[INFO] 5 - Container Runtime
[PASS] 5.1  - Ensure that, if applicable, an AppArmor Profile is enabled 
[WARN] 5.2  - Ensure that, if applicable, SELinux security options are set
[WARN]      * No SecurityOptions Found: apache2
[PASS] 5.3  - Ensure Linux Kernel Capabilities are restricted within containers
[PASS] 5.4  - Ensure that privileged containers are not used
[PASS] 5.5  - Ensure sensitive host system directories are not mounted on containers
[PASS] 5.6  - Ensure sshd is not run within containers
[PASS] 5.7  - Ensure privileged ports are not mapped within containers
[NOTE] 5.8  - Ensure that only needed ports are open on the container
[PASS] 5.9  - Ensure the host's network namespace is not shared
[WARN] 5.10  - Ensure that the memory usage for containers is limited
[WARN]      * Container running without memory restrictions: apache2
[WARN] 5.11  - Ensure CPU priority is set appropriately on the container
[WARN]      * Container running without CPU restrictions: apache2
[WARN] 5.12  - Ensure that the container's root filesystem is mounted as read only
[WARN]      * Container running with root FS mounted R/W: apache2
[PASS] 5.13  - Ensure that incoming container traffic is bound to a specific host interface
[WARN] 5.14  - Ensure that the 'on-failure' container restart policy is set to '5'
[WARN]      * MaximumRetryCount is not set to 5: apache2
[PASS] 5.15  - Ensure the host's process namespace is not shared
[PASS] 5.16  - Ensure the host's IPC namespace is not shared
[PASS] 5.17  - Ensure that host devices are not directly exposed to containers
[INFO] 5.18  - Ensure that the default ulimit is overwritten at runtime if needed
[INFO]      * Container no default ulimit override: apache2
[PASS] 5.19  - Ensure mount propagation mode is not set to shared
[PASS] 5.20  - Ensure the host's UTS namespace is not shared
[PASS] 5.21  - Ensure the default seccomp profile is not Disabled
[NOTE] 5.22  - Ensure docker exec commands are not used with privileged option
[NOTE] 5.23  - Ensure that docker exec commands are not used with the user=root option
[PASS] 5.24  - Ensure that cgroup usage is confirmed
[WARN] 5.25  - Ensure that the container is restricted from acquiring additional privileges
[WARN]      * Privileges not restricted: apache2
[WARN] 5.26  - Ensure that container health is checked at runtime
[WARN]      * Health check not set: apache2
[INFO] 5.27  - Ensure that Docker commands always make use of the latest version of their image
[WARN] 5.28  - Ensure that the PIDs cgroup limit is used
[WARN]      * PIDs limit not set: apache2
[INFO] 5.29  - Ensure that Docker's default bridge 'docker0' is not used
[INFO]      * Container in docker0 network: apache2
[PASS] 5.30  - Ensure that the host's user namespaces are not shared
[PASS] 5.31  - Ensure that the Docker socket is not mounted inside any containers


[INFO] 6 - Docker Security Operations
[INFO] 6.1  - Ensure that image sprawl is avoided
[INFO]      * There are currently: 3 images
[INFO] 6.2  - Ensure that container sprawl is avoided
[INFO]      * There are currently a total of 2 containers, with 2 of them currently running


[INFO] 7 - Docker Swarm Configuration
[PASS] 7.1  - Ensure swarm mode is not Enabled, if not needed
[PASS] 7.2  - Ensure that the minimum number of manager nodes have been created in a swarm (Swarm mode not enabled)
[PASS] 7.3  - Ensure that swarm services are bound to a specific host interface (Swarm mode not enabled)
[PASS] 7.4  - Ensure that all Docker swarm overlay networks are encrypted
[PASS] 7.5  - Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Swarm mode not enabled)
[PASS] 7.6  - Ensure that swarm manager is run in auto-lock mode (Swarm mode not enabled)
[PASS] 7.7  - Ensure that the swarm manager auto-lock key is rotated periodically (Swarm mode not enabled)
[PASS] 7.8  - Ensure that node certificates are rotated as appropriate (Swarm mode not enabled)
[PASS] 7.9  - Ensure that CA certificates are rotated as appropriate (Swarm mode not enabled)
[PASS] 7.10  - Ensure that management plane traffic is separated from data plane traffic (Swarm mode not enabled)


[INFO] 8 - Docker Enterprise Configuration
[INFO]   * Community Engine license, skipping section 8

[INFO] Checks: 107
[INFO] Score: 27

What changed?

The number of checks that were run has changed quite a bit.

[INFO] Checks: 76
[INFO] Score: 20


[INFO] Checks: 107
[INFO] Score: 27

Checks against container images have been added,

[INFO] 4 - Container Images and Build File
[WARN] 4.1  - Ensure a user for the container has been created
[WARN]      * Running as root: apache2

and a variety of checks are now run against the container runtime as well.

[INFO] 5 - Container Runtime
[PASS] 5.1  - Ensure that, if applicable, an AppArmor Profile is enabled 
[WARN] 5.2  - Ensure that, if applicable, SELinux security options are set
[WARN]      * No SecurityOptions Found: apache2
[PASS] 5.3  - Ensure Linux Kernel Capabilities are restricted within containers
[PASS] 5.4  - Ensure that privileged containers are not used
[PASS] 5.5  - Ensure sensitive host system directories are not mounted on containers
[PASS] 5.6  - Ensure sshd is not run within containers
[PASS] 5.7  - Ensure privileged ports are not mapped within containers
[NOTE] 5.8  - Ensure that only needed ports are open on the container
[PASS] 5.9  - Ensure the host's network namespace is not shared
[WARN] 5.10  - Ensure that the memory usage for containers is limited
[WARN]      * Container running without memory restrictions: apache2
[WARN] 5.11  - Ensure CPU priority is set appropriately on the container
[WARN]      * Container running without CPU restrictions: apache2
[WARN] 5.12  - Ensure that the container's root filesystem is mounted as read only
[WARN]      * Container running with root FS mounted R/W: apache2
[PASS] 5.13  - Ensure that incoming container traffic is bound to a specific host interface
[WARN] 5.14  - Ensure that the 'on-failure' container restart policy is set to '5'
[WARN]      * MaximumRetryCount is not set to 5: apache2
[PASS] 5.15  - Ensure the host's process namespace is not shared
[PASS] 5.16  - Ensure the host's IPC namespace is not shared
[PASS] 5.17  - Ensure that host devices are not directly exposed to containers
[INFO] 5.18  - Ensure that the default ulimit is overwritten at runtime if needed
[INFO]      * Container no default ulimit override: apache2
[PASS] 5.19  - Ensure mount propagation mode is not set to shared
[PASS] 5.20  - Ensure the host's UTS namespace is not shared
[PASS] 5.21  - Ensure the default seccomp profile is not Disabled
[NOTE] 5.22  - Ensure docker exec commands are not used with privileged option
[NOTE] 5.23  - Ensure that docker exec commands are not used with the user=root option
[PASS] 5.24  - Ensure that cgroup usage is confirmed
[WARN] 5.25  - Ensure that the container is restricted from acquiring additional privileges
[WARN]      * Privileges not restricted: apache2
[WARN] 5.26  - Ensure that container health is checked at runtime
[WARN]      * Health check not set: apache2
[INFO] 5.27  - Ensure that Docker commands always make use of the latest version of their image
[WARN] 5.28  - Ensure that the PIDs cgroup limit is used
[WARN]      * PIDs limit not set: apache2
[INFO] 5.29  - Ensure that Docker's default bridge 'docker0' is not used
[INFO]      * Container in docker0 network: apache2
[PASS] 5.30  - Ensure that the host's user namespaces are not shared
[PASS] 5.31  - Ensure that the Docker socket is not mounted inside any containers

When no containers are running, it looks like this instead.

[INFO] 4 - Container Images and Build File
[INFO] 4.1  - Ensure a user for the container has been created
[INFO]      * No containers running

(omitted)


[INFO] 5 - Container Runtime
[INFO]   * No containers running, skipping Section 5
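A small POSIX sh helper, added here and not part of docker-bench-security, that summarises a report of the form shown above by status per section and lists the WARN check IDs attributed to one container (useful when a run covers many containers); the sample report is constructed from lines quoted in this post.

```shell
#!/bin/sh
# Added example, not part of docker-bench-security: summarise a report of the form shown
# above by status per section, and list the WARN check IDs attributed to one container.
# The sample report is constructed from lines quoted in this post.
SAMPLE_REPORT=$(cat <<'EOF'
[INFO] 4 - Container Images and Build File
[WARN] 4.1  - Ensure a user for the container has been created
[WARN]      * Running as root: apache2
[NOTE] 4.2  - Ensure that containers use only trusted base images
[PASS] 4.5  - Ensure Content trust for Docker is Enabled
[WARN] 4.6  - Ensure that HEALTHCHECK instructions have been added to container images
[WARN]      * No Healthcheck found: [httpd:2.4.46]
[WARN]      * No Healthcheck found: [alpine:3.10]

[INFO] 5 - Container Runtime
[PASS] 5.4  - Ensure that privileged containers are not used
[WARN] 5.10  - Ensure that the memory usage for containers is limited
[WARN]      * Container running without memory restrictions: apache2
[INFO] 5.18  - Ensure that the default ulimit is overwritten at runtime if needed
[INFO]      * Container no default ulimit override: apache2
[WARN] 5.25  - Ensure that the container is restricted from acquiring additional privileges
[WARN]      * Privileges not restricted: apache2
[WARN] 5.28  - Ensure that the PIDs cgroup limit is used
[WARN]      * PIDs limit not set: apache2
[PASS] 5.31  - Ensure that the Docker socket is not mounted inside any containers

[INFO] Checks: 107
[INFO] Score: 27
EOF
)

# bench_summary REPORT: one line per section, "<section> PASS=n WARN=n INFO=n NOTE=n".
# Only check lines (second field "N.M") are counted; "*" detail lines and the trailer are skipped.
bench_summary() {
  printf '%s\n' "$1" | awk '
    $2 ~ /^[0-9]+$/ { sec = $2; order[++n] = sec; next }   # section header "[INFO] 5 - ..."
    $2 ~ /^[0-9]+\.[0-9]+$/ {
      status = substr($1, 2, length($1) - 2)               # "[WARN]" -> "WARN"
      count[sec, status]++
    }
    END {
      for (i = 1; i <= n; i++) {
        s = order[i]
        printf "%s PASS=%d WARN=%d INFO=%d NOTE=%d\n", s, count[s, "PASS"] + 0, count[s, "WARN"] + 0, count[s, "INFO"] + 0, count[s, "NOTE"] + 0
      }
    }'
}

# bench_warn_for REPORT CONTAINER: space-separated IDs of WARN checks whose
# "* <message>: <name>" detail line ends with CONTAINER.
bench_warn_for() {
  printf '%s\n' "$1" | awk -v c="$2" '
    $2 ~ /^[0-9]+\.[0-9]+$/ { id = $2; st = $1 }          # remember the current check
    $2 == "*" && st == "[WARN]" && $NF == c { out = out (out ? " " : "") id }
    END { print out }'
}

bench_summary "$SAMPLE_REPORT"
bench_warn_for "$SAMPLE_REPORT" apache2
```

To use it on a real run, pipe the script's output into a file and pass `"$(cat report.txt)"` in place of the sample.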

What do the checks cover?

The actual checks are only implemented as scripts under the tests directory, so that is the place to look.

https://github.com/docker/docker-bench-security/tree/v1.3.5/tests

Still, that alone does not give an overview, so I extracted the check descriptions into a simple list.

$ grep desc_ tests/*.sh | fgrep -v '$desc' | perl -wp -e 's!.*:\s+(.+)!$1!; s!desc|"!!g; s!=! !; s!^_([^_]+\_[^_]+\_[^_]+?) (.+)!    * $1 - $2!; s!^_([^_]+\_[^_]+?) (.+)!  * $1 - $2!; s!^_([^_]+?) (.+)!* $1 - **$2**!;'

The result. I'll read through it at some point...

  • 1 - Host Configuration
    • 1_1 - General Configuration
      • 1_1_1 - Ensure the container host has been Hardened
      • 1_1_2 - Ensure Docker is up to date
    • 1_2 - Linux Hosts Specific Configuration
      • 1_2_1 - Ensure a separate partition for containers has been created
      • 1_2_2 - Ensure only trusted users are allowed to control Docker daemon
      • 1_2_3 - Ensure auditing is configured for the Docker daemon
      • 1_2_4 - Ensure auditing is configured for Docker files and directories - /var/lib/docker
      • 1_2_5 - Ensure auditing is configured for Docker files and directories - /etc/docker
      • 1_2_6 - Ensure auditing is configured for Docker files and directories - docker.service
      • 1_2_7 - Ensure auditing is configured for Docker files and directories - docker.socket
      • 1_2_8 - Ensure auditing is configured for Docker files and directories - /etc/default/docker
      • 1_2_9 - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker
      • 1_2_10 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
      • 1_2_11 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd
      • 1_2_12 - Ensure auditing is configured for Docker files and directories - /usr/sbin/runc
  • 2 - Docker daemon configuration
    • 2_1 - Ensure network traffic is restricted between containers on the default bridge
    • 2_2 - Ensure the logging level is set to 'info'
    • 2_3 - Ensure Docker is allowed to make changes to iptables
    • 2_4 - Ensure insecure registries are not used
    • 2_5 - Ensure aufs storage driver is not used
    • 2_6 - Ensure TLS authentication for Docker daemon is configured
    • 2_7 - Ensure the default ulimit is configured appropriately
    • 2_8 - Enable user namespace support
    • 2_9 - Ensure the default cgroup usage has been confirmed
    • 2_10 - Ensure base device size is not changed until needed
    • 2_11 - Ensure that authorization for Docker client commands is enabled
    • 2_12 - Ensure centralized and remote logging is configured
    • 2_13 - Ensure live restore is Enabled
    • 2_14 - Ensure Userland Proxy is Disabled
    • 2_15 - Ensure that a daemon-wide custom seccomp profile is applied if appropriate
    • 2_16 - Ensure that experimental features are not implemented in production
    • 2_17 - Ensure containers are restricted from acquiring new privileges
  • 3 - Docker daemon configuration files
    • 3_1 - Ensure that docker.service file ownership is set to root:root
    • 3_2 - Ensure that docker.service file permissions are appropriately set
    • 3_3 - Ensure that docker.socket file ownership is set to root:root
    • 3_4 - Ensure that docker.socket file permissions are set to 644 or more restrictive
    • 3_5 - Ensure that /etc/docker directory ownership is set to root:root
    • 3_6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictive
    • 3_7 - Ensure that registry certificate file ownership is set to root:root
    • 3_8 - Ensure that registry certificate file permissions are set to 444 or more restrictive
    • 3_9 - Ensure that TLS CA certificate file ownership is set to root:root
    • 3_10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive
    • 3_11 - Ensure that Docker server certificate file ownership is set to root:root
    • 3_12 - Ensure that Docker server certificate file permissions are set to 444 or more restrictive
    • 3_13 - Ensure that Docker server certificate key file ownership is set to root:root
    • 3_14 - Ensure that Docker server certificate key file permissions are set to 400
    • 3_15 - Ensure that Docker socket file ownership is set to root:docker
    • 3_16 - Ensure that Docker socket file permissions are set to 660 or more restrictive
    • 3_17 - Ensure that daemon.json file ownership is set to root:root
    • 3_18 - Ensure that daemon.json file permissions are set to 644 or more restrictive
    • 3_19 - Ensure that /etc/default/docker file ownership is set to root:root
    • 3_20 - Ensure that the /etc/sysconfig/docker file ownership is set to root:root
    • 3_21 - Ensure that /etc/sysconfig/docker file permissions are set to 644 or more restrictive
    • 3_22 - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive
  • 4 - Container Images and Build File
    • 4_1 - Ensure a user for the container has been created
    • 4_2 - Ensure that containers use only trusted base images
    • 4_3 - Ensure that unnecessary packages are not installed in the container
    • 4_4 - Ensure images are scanned and rebuilt to include security patches
    • 4_5 - Ensure Content trust for Docker is Enabled
    • 4_6 - Ensure that HEALTHCHECK instructions have been added to container images
    • 4_7 - Ensure update instructions are not use alone in the Dockerfile
    • 4_8 - Ensure setuid and setgid permissions are removed
    • 4_9 - Ensure that COPY is used instead of ADD in Dockerfiles
    • 4_10 - Ensure secrets are not stored in Dockerfiles
    • 4_11 - Ensure only verified packages are installed
  • 5 - Container Runtime
    • 5_1 - Ensure that, if applicable, an AppArmor Profile is enabled
    • 5_2 - Ensure that, if applicable, SELinux security options are set
    • 5_3 - Ensure Linux Kernel Capabilities are restricted within containers
    • 5_4 - Ensure that privileged containers are not used
    • 5_5 - Ensure sensitive host system directories are not mounted on containers
    • 5_6 - Ensure sshd is not run within containers
    • 5_7 - Ensure privileged ports are not mapped within containers
    • 5_8 - Ensure that only needed ports are open on the container
    • 5_9 - Ensure the host's network namespace is not shared
    • 5_10 - Ensure that the memory usage for containers is limited
    • 5_11 - Ensure CPU priority is set appropriately on the container
    • 5_12 - Ensure that the container's root filesystem is mounted as read only
    • 5_13 - Ensure that incoming container traffic is bound to a specific host interface
    • 5_14 - Ensure that the 'on-failure' container restart policy is set to '5'
    • 5_15 - Ensure the host's process namespace is not shared
    • 5_16 - Ensure the host's IPC namespace is not shared
    • 5_17 - Ensure that host devices are not directly exposed to containers
    • 5_18 - Ensure that the default ulimit is overwritten at runtime if needed
    • 5_19 - Ensure mount propagation mode is not set to shared
    • 5_20 - Ensure the host's UTS namespace is not shared
    • 5_21 - Ensure the default seccomp profile is not Disabled
    • 5_22 - Ensure docker exec commands are not used with privileged option
    • 5_23 - Ensure that docker exec commands are not used with the user=root option
    • 5_24 - Ensure that cgroup usage is confirmed
    • 5_25 - Ensure that the container is restricted from acquiring additional privileges
    • 5_26 - Ensure that container health is checked at runtime
    • 5_27 - Ensure that Docker commands always make use of the latest version of their image
    • 5_28 - Ensure that the PIDs cgroup limit is used
    • 5_29 - Ensure that Docker's default bridge 'docker0' is not used
    • 5_30 - Ensure that the host's user namespaces are not shared
    • 5_31 - Ensure that the Docker socket is not mounted inside any containers
  • 6 - Docker Security Operations
    • 6_1 - Ensure that image sprawl is avoided
    • 6_2 - Ensure that container sprawl is avoided
  • 7 - Docker Swarm Configuration
    • 7_1 - Ensure swarm mode is not Enabled, if not needed
    • 7_2 - Ensure that the minimum number of manager nodes have been created in a swarm
    • 7_3 - Ensure that swarm services are bound to a specific host interface
    • 7_4 - Ensure that all Docker swarm overlay networks are encrypted
    • 7_5 - Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster
    • 7_6 - Ensure that swarm manager is run in auto-lock mode
    • 7_7 - Ensure that the swarm manager auto-lock key is rotated periodically
    • 7_8 - Ensure that node certificates are rotated as appropriate
    • 7_9 - Ensure that CA certificates are rotated as appropriate
    • 7_10 - Ensure that management plane traffic is separated from data plane traffic
  • 8 - Docker Enterprise Configuration
    • 8_1 - Universal Control Plane Configuration
      • 8_1_1 - Configure the LDAP authentication service
      • 8_1_2 - Use external certificates
      • 8_1_3 - Enforce the use of client certificate bundles for unprivileged users
      • 8_1_4 - Configure applicable cluster role-based access control policies
      • 8_1_5 - Enable signed image enforcement
      • 8_1_6 - Set the Per-User Session Limit to a value of '3' or lower
      • 8_1_7 - Set the 'Lifetime Minutes' and 'Renewal Threshold Minutes' values to '15' or lower and '0' respectively
    • 8_2 - Docker Trusted Registry Configuration
  • 99 - Community contributed checks
    • c_2 - Ensure operations on legacy registry (v1) are Disabled