CLOVER🍀

That was when it all began.

Trying Docker Bench for Security, a tool that checks the configuration of Docker hosts and containers

What is this post about?

I heard there is a tool called Docker Bench for Security that checks the configuration of a Docker host and the containers running on it, so I decided to give it a try.

GitHub - docker/docker-bench-security: The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.

Docker Bench for Security?

As mentioned at the start, Docker Bench for Security is a tool that checks the configuration of Docker hosts and containers.

It is provided by Docker.

GitHub - docker/docker-bench-security: The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.

The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are inspired by the CIS Docker Benchmark v1.2.0.

It is inspired by the CIS Docker Benchmark and checks, among other things, whether the Docker containers you deploy to production follow best practices.

The CIS Docker Benchmark is this one.

CIS Docker Benchmarks

In short, it lets you self-assess your Docker hosts and containers with Docker Bench for Security.

We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and docker containers against this benchmark.

Environment

The environment for this post is as follows.

$ uname -srvmpio
Linux 5.4.0-47-generic #51-Ubuntu SMP Fri Sep 4 19:50:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux


$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.1 LTS
Release:    20.04
Codename:   focal


$ docker version
Client: Docker Engine - Community
 Version:           19.03.13
 API version:       1.40
 Go version:        go1.13.15
 Git commit:        4484c46d9d
 Built:             Wed Sep 16 17:02:52 2020
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.13
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       4484c46d9d
  Built:            Wed Sep 16 17:01:20 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.3.7
  GitCommit:        8fba4e9a7d01810a393d5d25a3621dc101981175
 runc:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

auditd seems to be required, so I installed it too.

$ sudo apt install auditd

The README says the following.

Note that when distributions doesn't contain auditctl, the audit tests will check /etc/audit/audit.rules to see if a rule is present instead.

The version.

$ sudo auditctl -v
auditctl version 2.8.5

Configuring auditd

Let's configure auditd first.

The default configuration looks like this.

$ sudo cat /etc/audit/audit.rules
## This file is automatically generated from /etc/audit/rules.d
-D
-b 8192
-f 1
--backlog_wait_time 0

It seems files should be placed under /etc/audit/rules.d, so I created the following file.
/etc/audit/rules.d/docker.rules

-w /usr/bin/dockerd -p wa
#-w /etc/sysconfig/docker -p wa
-w /etc/docker -p wa
-w /etc/docker/daemon.json -p wa
-w /usr/bin/containerd -p wa
-w /usr/bin/runc -p wa
-w /lib/systemd/system/docker.service -p wa
-w /lib/systemd/system/docker.socket -p wa
-w /etc/default/docker -p wa

One line is commented out because, if a rule refers to a file or directory that does not exist, rule loading apparently stops at that point...

I based the rules on the following page, adjusting them to the current Docker version.

How To Audit Docker Host Security with Docker Bench for Security | DigitalOcean

What the rules mean:

-w specifies the file or directory to watch.

-p specifies the access types to log; here I used wa to record writes and attribute changes.

6.5. Defining Audit Rules - Red Hat Enterprise Linux 7 | Red Hat Customer Portal

Once the rules are in place, restart auditd.

$ sudo systemctl restart auditd

The rules are now applied.

$ sudo cat /etc/audit/audit.rules
## This file is automatically generated from /etc/audit/rules.d
-D
-b 8192
-f 1
--backlog_wait_time 0
-w /usr/bin/dockerd -p wa
-w /etc/docker -p wa
-w /etc/docker/daemon.json -p wa
-w /usr/bin/containerd -p wa
-w /usr/bin/runc -p wa
-w /lib/systemd/system/docker.service -p wa
-w /lib/systemd/system/docker.socket -p wa
-w /etc/default/docker -p wa
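As an added example (my own, not from the post or from docker-bench-security), here is a small POSIX shell helper that generates the rules.d content above only for paths that actually exist on the host, given the loading behaviour noted earlier, plus a check that confirms a watch rule is present in the merged /etc/audit/audit.rules after the restart. The function names are this example's own; the default path list is the one used in the post.

```shell
#!/bin/sh
# Added example (not part of the original post or of docker-bench-security).
# Generates "-w PATH -p wa" watch rules only for paths that exist on this host,
# leaving a commented-out line for missing ones, so that a nonexistent path
# cannot stop auditd from loading the rules that follow it. The default list
# is the one used in the post; the function names are this example's own.

gen_docker_audit_rules() {
    # Fall back to the paths watched in the post when none are given.
    if [ "$#" -eq 0 ]; then
        set -- /usr/bin/dockerd /etc/sysconfig/docker /etc/docker \
               /etc/docker/daemon.json /usr/bin/containerd /usr/bin/runc \
               /lib/systemd/system/docker.service \
               /lib/systemd/system/docker.socket /etc/default/docker
    fi
    for p in "$@"; do
        if [ -e "$p" ]; then
            # Log writes (w) and attribute changes (a) on the path.
            printf '%s\n' "-w $p -p wa"
        else
            # Keep the intent visible, but do not hand auditd a missing path.
            printf '%s\n' "#-w $p -p wa (not present on this host)"
        fi
    done
}

# audit_rule_present RULES_FILE PATH
# Succeeds if RULES_FILE (e.g. /etc/audit/audit.rules after "systemctl restart
# auditd") contains an active, uncommented watch rule for exactly PATH, which
# is the kind of check the README says the bench falls back to.
audit_rule_present() {
    grep -F -- "-w $2 -p " "$1" | grep -q '^-w '
}

# Typical use on the host (as root):
#   gen_docker_audit_rules > /etc/audit/rules.d/docker.rules
#   systemctl restart auditd
#   audit_rule_present /etc/audit/audit.rules /etc/docker && echo "watched"
```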

Trying Docker Bench for Security

Now let's try Docker Bench for Security.

The documentation describes how to run it using the image on Docker Hub.

Running Docker Bench for Security

docker/docker-bench-security

Looking at that image on Docker Hub, it only has a latest tag, and the version inside was (at the time of writing) 1.3.4, so I decided not to use it.

# ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.4
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Community Edition Benchmark v1.1.0.
# ------------------------------------------------------------------------------

Initializing Sun Sep 20 15:33:40 UTC 2020

The latest version at the time of writing is 1.3.5.

So I changed course and built it myself.

Building Docker Bench for Security

Clone the repository,

$ git clone https://github.com/docker/docker-bench-security.git
$ cd docker-bench-security
$ git checkout v1.3.5

and build the image.

$ docker image build --no-cache -t docker-bench-security:1.3.5 .

This produces an image based on Alpine Linux; if you want a different base OS, use one of the Dockerfiles in the following directory.

https://github.com/docker/docker-bench-security/tree/v1.3.5/distros

These are the ones available.

$ ll distros
total 32
drwxrwxr-x 2 xxxxx xxxxx 4096 Sep 21 11:14 ./
drwxrwxr-x 5 xxxxx xxxxx 4096 Sep 21 11:14 ../
-rw-rw-r-- 1 xxxxx xxxxx  731 Sep 21 11:14 Dockerfile.alpine
-rw-rw-r-- 1 xxxxx xxxxx  326 Sep 21 11:14 Dockerfile.centos
-rw-rw-r-- 1 xxxxx xxxxx  762 Sep 21 11:14 Dockerfile.debian
-rw-rw-r-- 1 xxxxx xxxxx  295 Sep 21 11:14 Dockerfile.openSUSE
-rw-rw-r-- 1 xxxxx xxxxx  504 Sep 21 11:14 Dockerfile.rhel
-rw-rw-r-- 1 xxxxx xxxxx  488 Sep 21 11:14 README.md

Now let's run a check with the image we just built.

First, show the help.

$ docker container run -it --rm -v /var/run/docker.sock:/var/run/docker.sock:ro docker-bench-security:1.3.5 -h
  usage: docker-bench-security.sh [options]

  -b           optional  Do not print colors
  -h           optional  Print this help message
  -l FILE      optional  Log output in FILE
  -c CHECK     optional  Comma delimited list of specific check(s)
  -e CHECK     optional  Comma delimited list of specific check(s) to exclude
  -i INCLUDE   optional  Comma delimited list of patterns within a container or image name to check
  -x EXCLUDE   optional  Comma delimited list of patterns within a container or image name to exclude from check

The procedure itself is the same as the one for the Docker Hub image.

Running Docker Bench for Security

Here the DOCKER_CONTENT_TRUST environment variable catches the eye.

When the DOCKER_CONTENT_TRUST environment variable is set to 1, only signed container images can be used.

Content trust in Docker / Client Enforcement with Docker Content Trust

It seems best to leave this enabled.

Now, run it.

$ DOCKER_CONTENT_TRUST=1
$ docker container run -it --rm \
    --name docker-bench-security \
    --network host \
    --pid host \
    --userns host \
    --cap-add audit_control \
    -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
    -v /etc:/etc:ro \
    -v /usr/bin/docker-containerd:/usr/bin/docker-containerd:ro \
    -v /usr/bin/docker-runc:/usr/bin/docker-runc:ro \
    -v /usr/lib/systemd:/usr/lib/systemd:ro \
    -v /var/lib:/var/lib:ro \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    --label docker_bench_security \
    docker-bench-security:1.3.5

The version information is printed,

# ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.5
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Benchmark v1.2.0.
# ------------------------------------------------------------------------------

Initializing Mon Sep 21 11:28:20 UTC 2020

and this is the result.

[INFO] 1 - Host Configuration

[INFO] 1.1 - General Configuration
[NOTE] 1.1.1  - Ensure the container host has been Hardened
[INFO] 1.1.2  - Ensure Docker is up to date
[INFO]        * Using 19.03.13, verify is it up to date as deemed necessary
[INFO]        * Your operating system vendor may provide support and security maintenance for Docker

[INFO] 1.2 - Linux Hosts Specific Configuration
[WARN] 1.2.1 - Ensure a separate partition for containers has been created
[INFO] 1.2.2  - Ensure only trusted users are allowed to control Docker daemon
[INFO]        * docker:x:998:vagrant
[PASS] 1.2.3  - Ensure auditing is configured for the Docker daemon
[WARN] 1.2.4  - Ensure auditing is configured for Docker files and directories - /var/lib/docker
[PASS] 1.2.5  - Ensure auditing is configured for Docker files and directories - /etc/docker
[WARN] 1.2.6  - Ensure auditing is configured for Docker files and directories - docker.service
[WARN] 1.2.7  - Ensure auditing is configured for Docker files and directories - docker.socket
[PASS] 1.2.8  - Ensure auditing is configured for Docker files and directories - /etc/default/docker
[INFO] 1.2.9  - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker
[INFO]        * File not found
[INFO] 1.2.10  - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
[INFO]         * File not found
[INFO] 1.2.11  - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd
[INFO]         * File not found
[INFO] 1.2.12  - Ensure auditing is configured for Docker files and directories - /usr/sbin/runc
[INFO]         * File not found


[INFO] 2 - Docker daemon configuration
[WARN] 2.1  - Ensure network traffic is restricted between containers on the default bridge
[PASS] 2.2  - Ensure the logging level is set to 'info'
[PASS] 2.3  - Ensure Docker is allowed to make changes to iptables
[PASS] 2.4  - Ensure insecure registries are not used
[PASS] 2.5  - Ensure aufs storage driver is not used
[INFO] 2.6  - Ensure TLS authentication for Docker daemon is configured
[INFO]      * Docker daemon not listening on TCP
[INFO] 2.7  - Ensure the default ulimit is configured appropriately
[INFO]      * Default ulimit doesn't appear to be set
[WARN] 2.8  - Enable user namespace support
[PASS] 2.9  - Ensure the default cgroup usage has been confirmed
[PASS] 2.10  - Ensure base device size is not changed until needed
[WARN] 2.11  - Ensure that authorization for Docker client commands is enabled
[WARN] 2.12  - Ensure centralized and remote logging is configured
[WARN] 2.13  - Ensure live restore is Enabled
[WARN] 2.14  - Ensure Userland Proxy is Disabled
[PASS] 2.15  - Ensure that a daemon-wide custom seccomp profile is applied if appropriate
[PASS] 2.16  - Ensure that experimental features are not implemented in production
[WARN] 2.17  - Ensure containers are restricted from acquiring new privileges


[INFO] 3 - Docker daemon configuration files
[PASS] 3.1  - Ensure that docker.service file ownership is set to root:root
[PASS] 3.2  - Ensure that docker.service file permissions are appropriately set
[PASS] 3.3  - Ensure that docker.socket file ownership is set to root:root
[PASS] 3.4  - Ensure that docker.socket file permissions are set to 644 or more restrictive
[PASS] 3.5  - Ensure that /etc/docker directory ownership is set to root:root
[PASS] 3.6  - Ensure that /etc/docker directory permissions are set to 755 or more restrictive
[INFO] 3.7  - Ensure that registry certificate file ownership is set to root:root
[INFO]      * Directory not found
[INFO] 3.8  - Ensure that registry certificate file permissions are set to 444 or more restrictive
[INFO]      * Directory not found
[INFO] 3.9  - Ensure that TLS CA certificate file ownership is set to root:root
[INFO]      * No TLS CA certificate found
[INFO] 3.10  - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive
[INFO]       * No TLS CA certificate found
[INFO] 3.11  - Ensure that Docker server certificate file ownership is set to root:root
[INFO]       * No TLS Server certificate found
[INFO] 3.12  - Ensure that Docker server certificate file permissions are set to 444 or more restrictive
[INFO]       * No TLS Server certificate found
[INFO] 3.13  - Ensure that Docker server certificate key file ownership is set to root:root
[INFO]       * No TLS Key found
[INFO] 3.14  - Ensure that Docker server certificate key file permissions are set to 400
[INFO]       * No TLS Key found
[PASS] 3.15  - Ensure that Docker socket file ownership is set to root:docker
[PASS] 3.16  - Ensure that Docker socket file permissions are set to 660 or more restrictive
[INFO] 3.17  - Ensure that daemon.json file ownership is set to root:root
[INFO]       * File not found
[INFO] 3.18  - Ensure that daemon.json file permissions are set to 644 or more restrictive
[INFO]       * File not found
[PASS] 3.19  - Ensure that /etc/default/docker file ownership is set to root:root
[INFO] 3.20  - Ensure that the /etc/sysconfig/docker file ownership is set to root:root
[INFO]       * File not found
[INFO] 3.21  - Ensure that /etc/sysconfig/docker file permissions are set to 644 or more restrictive
[INFO]       * File not found
[PASS] 3.22  - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive


[INFO] 4 - Container Images and Build File
[INFO] 4.1  - Ensure a user for the container has been created
[INFO]      * No containers running
[NOTE] 4.2  - Ensure that containers use only trusted base images
[NOTE] 4.3  - Ensure that unnecessary packages are not installed in the container
[NOTE] 4.4  - Ensure images are scanned and rebuilt to include security patches
[PASS] 4.5  - Ensure Content trust for Docker is Enabled
[WARN] 4.6  - Ensure that HEALTHCHECK instructions have been added to container images
[WARN]      * No Healthcheck found: [httpd:2.4.46]
[WARN]      * No Healthcheck found: [alpine:3.10]
[INFO] 4.7  - Ensure update instructions are not use alone in the Dockerfile
[INFO]      * Update instruction found: [httpd:2.4.46]
[NOTE] 4.8  - Ensure setuid and setgid permissions are removed
[PASS] 4.9  - Ensure that COPY is used instead of ADD in Dockerfiles
[NOTE] 4.10  - Ensure secrets are not stored in Dockerfiles
[NOTE] 4.11  - Ensure only verified packages are installed


[INFO] 5 - Container Runtime
[INFO]   * No containers running, skipping Section 5


[INFO] 6 - Docker Security Operations
[INFO] 6.1  - Ensure that image sprawl is avoided
[INFO]      * There are currently: 3 images
[INFO] 6.2  - Ensure that container sprawl is avoided
[INFO]      * There are currently a total of 1 containers, with 1 of them currently running


[INFO] 7 - Docker Swarm Configuration
[PASS] 7.1  - Ensure swarm mode is not Enabled, if not needed
[PASS] 7.2  - Ensure that the minimum number of manager nodes have been created in a swarm (Swarm mode not enabled)
[PASS] 7.3  - Ensure that swarm services are bound to a specific host interface (Swarm mode not enabled)
[PASS] 7.4  - Ensure that all Docker swarm overlay networks are encrypted
[PASS] 7.5  - Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Swarm mode not enabled)
[PASS] 7.6  - Ensure that swarm manager is run in auto-lock mode (Swarm mode not enabled)
[PASS] 7.7  - Ensure that the swarm manager auto-lock key is rotated periodically (Swarm mode not enabled)
[PASS] 7.8  - Ensure that node certificates are rotated as appropriate (Swarm mode not enabled)
[PASS] 7.9  - Ensure that CA certificates are rotated as appropriate (Swarm mode not enabled)
[PASS] 7.10  - Ensure that management plane traffic is separated from data plane traffic (Swarm mode not enabled)


[INFO] 8 - Docker Enterprise Configuration
[INFO]   * Community Engine license, skipping section 8

[INFO] Checks: 76
[INFO] Score: 20

This was the summary.

[INFO] Checks: 76
[INFO] Score: 20

The Score appears to go up for each check that passes and down for each check that does not. When the thing being checked does not exist, the check counts as zero either way.

Next, let's run Apache as a container.

$ docker container run -i --rm --name apache2 httpd:2.4.46

Running the bench again gives the following result.

[INFO] 1 - Host Configuration

[INFO] 1.1 - General Configuration
[NOTE] 1.1.1  - Ensure the container host has been Hardened
[INFO] 1.1.2  - Ensure Docker is up to date
[INFO]        * Using 19.03.13, verify is it up to date as deemed necessary
[INFO]        * Your operating system vendor may provide support and security maintenance for Docker

[INFO] 1.2 - Linux Hosts Specific Configuration
[WARN] 1.2.1 - Ensure a separate partition for containers has been created
[INFO] 1.2.2  - Ensure only trusted users are allowed to control Docker daemon
[INFO]        * docker:x:998:vagrant
[PASS] 1.2.3  - Ensure auditing is configured for the Docker daemon
[WARN] 1.2.4  - Ensure auditing is configured for Docker files and directories - /var/lib/docker
[PASS] 1.2.5  - Ensure auditing is configured for Docker files and directories - /etc/docker
[WARN] 1.2.6  - Ensure auditing is configured for Docker files and directories - docker.service
[WARN] 1.2.7  - Ensure auditing is configured for Docker files and directories - docker.socket
[PASS] 1.2.8  - Ensure auditing is configured for Docker files and directories - /etc/default/docker
[INFO] 1.2.9  - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker
[INFO]        * File not found
[INFO] 1.2.10  - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
[INFO]         * File not found
[INFO] 1.2.11  - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd
[INFO]         * File not found
[INFO] 1.2.12  - Ensure auditing is configured for Docker files and directories - /usr/sbin/runc
[INFO]         * File not found


[INFO] 2 - Docker daemon configuration
[WARN] 2.1  - Ensure network traffic is restricted between containers on the default bridge
[PASS] 2.2  - Ensure the logging level is set to 'info'
[PASS] 2.3  - Ensure Docker is allowed to make changes to iptables
[PASS] 2.4  - Ensure insecure registries are not used
[PASS] 2.5  - Ensure aufs storage driver is not used
[INFO] 2.6  - Ensure TLS authentication for Docker daemon is configured
[INFO]      * Docker daemon not listening on TCP
[INFO] 2.7  - Ensure the default ulimit is configured appropriately
[INFO]      * Default ulimit doesn't appear to be set
[WARN] 2.8  - Enable user namespace support
[PASS] 2.9  - Ensure the default cgroup usage has been confirmed
[PASS] 2.10  - Ensure base device size is not changed until needed
[WARN] 2.11  - Ensure that authorization for Docker client commands is enabled
[WARN] 2.12  - Ensure centralized and remote logging is configured
[WARN] 2.13  - Ensure live restore is Enabled
[WARN] 2.14  - Ensure Userland Proxy is Disabled
[PASS] 2.15  - Ensure that a daemon-wide custom seccomp profile is applied if appropriate
[PASS] 2.16  - Ensure that experimental features are not implemented in production
[WARN] 2.17  - Ensure containers are restricted from acquiring new privileges


[INFO] 3 - Docker daemon configuration files
[PASS] 3.1  - Ensure that docker.service file ownership is set to root:root
[PASS] 3.2  - Ensure that docker.service file permissions are appropriately set
[PASS] 3.3  - Ensure that docker.socket file ownership is set to root:root
[PASS] 3.4  - Ensure that docker.socket file permissions are set to 644 or more restrictive
[PASS] 3.5  - Ensure that /etc/docker directory ownership is set to root:root
[PASS] 3.6  - Ensure that /etc/docker directory permissions are set to 755 or more restrictive
[INFO] 3.7  - Ensure that registry certificate file ownership is set to root:root
[INFO]      * Directory not found
[INFO] 3.8  - Ensure that registry certificate file permissions are set to 444 or more restrictive
[INFO]      * Directory not found
[INFO] 3.9  - Ensure that TLS CA certificate file ownership is set to root:root
[INFO]      * No TLS CA certificate found
[INFO] 3.10  - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive
[INFO]       * No TLS CA certificate found
[INFO] 3.11  - Ensure that Docker server certificate file ownership is set to root:root
[INFO]       * No TLS Server certificate found
[INFO] 3.12  - Ensure that Docker server certificate file permissions are set to 444 or more restrictive
[INFO]       * No TLS Server certificate found
[INFO] 3.13  - Ensure that Docker server certificate key file ownership is set to root:root
[INFO]       * No TLS Key found
[INFO] 3.14  - Ensure that Docker server certificate key file permissions are set to 400
[INFO]       * No TLS Key found
[PASS] 3.15  - Ensure that Docker socket file ownership is set to root:docker
[PASS] 3.16  - Ensure that Docker socket file permissions are set to 660 or more restrictive
[INFO] 3.17  - Ensure that daemon.json file ownership is set to root:root
[INFO]       * File not found
[INFO] 3.18  - Ensure that daemon.json file permissions are set to 644 or more restrictive
[INFO]       * File not found
[PASS] 3.19  - Ensure that /etc/default/docker file ownership is set to root:root
[INFO] 3.20  - Ensure that the /etc/sysconfig/docker file ownership is set to root:root
[INFO]       * File not found
[INFO] 3.21  - Ensure that /etc/sysconfig/docker file permissions are set to 644 or more restrictive
[INFO]       * File not found
[PASS] 3.22  - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive


[INFO] 4 - Container Images and Build File
[WARN] 4.1  - Ensure a user for the container has been created
[WARN]      * Running as root: apache2
[NOTE] 4.2  - Ensure that containers use only trusted base images
[NOTE] 4.3  - Ensure that unnecessary packages are not installed in the container
[NOTE] 4.4  - Ensure images are scanned and rebuilt to include security patches
[PASS] 4.5  - Ensure Content trust for Docker is Enabled
[WARN] 4.6  - Ensure that HEALTHCHECK instructions have been added to container images
[WARN]      * No Healthcheck found: [httpd:2.4.46]
[WARN]      * No Healthcheck found: [alpine:3.10]
[INFO] 4.7  - Ensure update instructions are not use alone in the Dockerfile
[INFO]      * Update instruction found: [httpd:2.4.46]
[NOTE] 4.8  - Ensure setuid and setgid permissions are removed
[PASS] 4.9  - Ensure that COPY is used instead of ADD in Dockerfiles
[NOTE] 4.10  - Ensure secrets are not stored in Dockerfiles
[NOTE] 4.11  - Ensure only verified packages are installed


[INFO] 5 - Container Runtime
[PASS] 5.1  - Ensure that, if applicable, an AppArmor Profile is enabled 
[WARN] 5.2  - Ensure that, if applicable, SELinux security options are set
[WARN]      * No SecurityOptions Found: apache2
[PASS] 5.3  - Ensure Linux Kernel Capabilities are restricted within containers
[PASS] 5.4  - Ensure that privileged containers are not used
[PASS] 5.5  - Ensure sensitive host system directories are not mounted on containers
[PASS] 5.6  - Ensure sshd is not run within containers
[PASS] 5.7  - Ensure privileged ports are not mapped within containers
[NOTE] 5.8  - Ensure that only needed ports are open on the container
[PASS] 5.9  - Ensure the host's network namespace is not shared
[WARN] 5.10  - Ensure that the memory usage for containers is limited
[WARN]      * Container running without memory restrictions: apache2
[WARN] 5.11  - Ensure CPU priority is set appropriately on the container
[WARN]      * Container running without CPU restrictions: apache2
[WARN] 5.12  - Ensure that the container's root filesystem is mounted as read only
[WARN]      * Container running with root FS mounted R/W: apache2
[PASS] 5.13  - Ensure that incoming container traffic is bound to a specific host interface
[WARN] 5.14  - Ensure that the 'on-failure' container restart policy is set to '5'
[WARN]      * MaximumRetryCount is not set to 5: apache2
[PASS] 5.15  - Ensure the host's process namespace is not shared
[PASS] 5.16  - Ensure the host's IPC namespace is not shared
[PASS] 5.17  - Ensure that host devices are not directly exposed to containers
[INFO] 5.18  - Ensure that the default ulimit is overwritten at runtime if needed
[INFO]      * Container no default ulimit override: apache2
[PASS] 5.19  - Ensure mount propagation mode is not set to shared
[PASS] 5.20  - Ensure the host's UTS namespace is not shared
[PASS] 5.21  - Ensure the default seccomp profile is not Disabled
[NOTE] 5.22  - Ensure docker exec commands are not used with privileged option
[NOTE] 5.23  - Ensure that docker exec commands are not used with the user=root option
[PASS] 5.24  - Ensure that cgroup usage is confirmed
[WARN] 5.25  - Ensure that the container is restricted from acquiring additional privileges
[WARN]      * Privileges not restricted: apache2
[WARN] 5.26  - Ensure that container health is checked at runtime
[WARN]      * Health check not set: apache2
[INFO] 5.27  - Ensure that Docker commands always make use of the latest version of their image
[WARN] 5.28  - Ensure that the PIDs cgroup limit is used
[WARN]      * PIDs limit not set: apache2
[INFO] 5.29  - Ensure that Docker's default bridge 'docker0' is not used
[INFO]      * Container in docker0 network: apache2
[PASS] 5.30  - Ensure that the host's user namespaces are not shared
[PASS] 5.31  - Ensure that the Docker socket is not mounted inside any containers


[INFO] 6 - Docker Security Operations
[INFO] 6.1  - Ensure that image sprawl is avoided
[INFO]      * There are currently: 3 images
[INFO] 6.2  - Ensure that container sprawl is avoided
[INFO]      * There are currently a total of 2 containers, with 2 of them currently running


[INFO] 7 - Docker Swarm Configuration
[PASS] 7.1  - Ensure swarm mode is not Enabled, if not needed
[PASS] 7.2  - Ensure that the minimum number of manager nodes have been created in a swarm (Swarm mode not enabled)
[PASS] 7.3  - Ensure that swarm services are bound to a specific host interface (Swarm mode not enabled)
[PASS] 7.4  - Ensure that all Docker swarm overlay networks are encrypted
[PASS] 7.5  - Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Swarm mode not enabled)
[PASS] 7.6  - Ensure that swarm manager is run in auto-lock mode (Swarm mode not enabled)
[PASS] 7.7  - Ensure that the swarm manager auto-lock key is rotated periodically (Swarm mode not enabled)
[PASS] 7.8  - Ensure that node certificates are rotated as appropriate (Swarm mode not enabled)
[PASS] 7.9  - Ensure that CA certificates are rotated as appropriate (Swarm mode not enabled)
[PASS] 7.10  - Ensure that management plane traffic is separated from data plane traffic (Swarm mode not enabled)


[INFO] 8 - Docker Enterprise Configuration
[INFO]   * Community Engine license, skipping section 8

[INFO] Checks: 107
[INFO] Score: 27

What changed?

The number of checks executed changed considerably.

[INFO] Checks: 76
[INFO] Score: 20


[INFO] Checks: 107
[INFO] Score: 27

Checks for container images were added,

[INFO] 4 - Container Images and Build File
[WARN] 4.1  - Ensure a user for the container has been created
[WARN]      * Running as root: apache2

and various checks for the container runtime are now performed as well.

[INFO] 5 - Container Runtime
[PASS] 5.1  - Ensure that, if applicable, an AppArmor Profile is enabled 
[WARN] 5.2  - Ensure that, if applicable, SELinux security options are set
[WARN]      * No SecurityOptions Found: apache2
[PASS] 5.3  - Ensure Linux Kernel Capabilities are restricted within containers
[PASS] 5.4  - Ensure that privileged containers are not used
[PASS] 5.5  - Ensure sensitive host system directories are not mounted on containers
[PASS] 5.6  - Ensure sshd is not run within containers
[PASS] 5.7  - Ensure privileged ports are not mapped within containers
[NOTE] 5.8  - Ensure that only needed ports are open on the container
[PASS] 5.9  - Ensure the host's network namespace is not shared
[WARN] 5.10  - Ensure that the memory usage for containers is limited
[WARN]      * Container running without memory restrictions: apache2
[WARN] 5.11  - Ensure CPU priority is set appropriately on the container
[WARN]      * Container running without CPU restrictions: apache2
[WARN] 5.12  - Ensure that the container's root filesystem is mounted as read only
[WARN]      * Container running with root FS mounted R/W: apache2
[PASS] 5.13  - Ensure that incoming container traffic is bound to a specific host interface
[WARN] 5.14  - Ensure that the 'on-failure' container restart policy is set to '5'
[WARN]      * MaximumRetryCount is not set to 5: apache2
[PASS] 5.15  - Ensure the host's process namespace is not shared
[PASS] 5.16  - Ensure the host's IPC namespace is not shared
[PASS] 5.17  - Ensure that host devices are not directly exposed to containers
[INFO] 5.18  - Ensure that the default ulimit is overwritten at runtime if needed
[INFO]      * Container no default ulimit override: apache2
[PASS] 5.19  - Ensure mount propagation mode is not set to shared
[PASS] 5.20  - Ensure the host's UTS namespace is not shared
[PASS] 5.21  - Ensure the default seccomp profile is not Disabled
[NOTE] 5.22  - Ensure docker exec commands are not used with privileged option
[NOTE] 5.23  - Ensure that docker exec commands are not used with the user=root option
[PASS] 5.24  - Ensure that cgroup usage is confirmed
[WARN] 5.25  - Ensure that the container is restricted from acquiring additional privileges
[WARN]      * Privileges not restricted: apache2
[WARN] 5.26  - Ensure that container health is checked at runtime
[WARN]      * Health check not set: apache2
[INFO] 5.27  - Ensure that Docker commands always make use of the latest version of their image
[WARN] 5.28  - Ensure that the PIDs cgroup limit is used
[WARN]      * PIDs limit not set: apache2
[INFO] 5.29  - Ensure that Docker's default bridge 'docker0' is not used
[INFO]      * Container in docker0 network: apache2
[PASS] 5.30  - Ensure that the host's user namespaces are not shared
[PASS] 5.31  - Ensure that the Docker socket is not mounted inside any containers

This is because, when no container is running, the output looks like this.

[INFO] 4 - Container Images and Build File
[INFO] 4.1  - Ensure a user for the container has been created
[INFO]      * No containers running

(omitted)


[INFO] 5 - Container Runtime
[INFO]   * No containers running, skipping Section 5
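As an added example (my own, not from the post or from docker-bench-security), the following POSIX shell functions compare two saved runs, for instance captured with the -l FILE option shown in the help above, and print only the checks that are new or changed status, which is the comparison done by eye here. The function names and the handling of the log format are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post or of docker-bench-security).
# Compares two saved Docker Bench for Security logs and reports which checks
# are new or changed status, so "what changed?" can be answered without
# reading both logs by eye. Function names are this example's own.

# bench_status LOG  ->  one "ID STATUS" line per top-level check, e.g. "4.1 WARN".
# Only lines of the form "[PASS] 4.1  - ..." are kept; the indented "*" detail
# lines and bare section headers such as "[INFO] 4 - ..." are skipped (the
# "1.1"/"1.2" sub-section headers also match and show up as INFO, which does
# not affect the diff).
bench_status() {
    awk '/^\[(PASS|WARN|INFO|NOTE)\] [0-9]+(\.[0-9]+)+ +- / {
            print $2, substr($1, 2, length($1) - 2)
         }' "$1"
}

# bench_diff OLD_LOG NEW_LOG  ->  "ID OLD -> NEW" for every check that is new
# in NEW_LOG or whose status differs between the two runs.
bench_diff() {
    old_status=$(mktemp) && new_status=$(mktemp) || return 1
    bench_status "$1" > "$old_status"
    bench_status "$2" > "$new_status"
    awk 'FILENAME == ARGV[1] { seen[$1] = $2; next }
         !($1 in seen)      { print $1, "(new) ->", $2; next }
         seen[$1] != $2     { print $1, seen[$1], "->", $2 }' \
        "$old_status" "$new_status"
    rm -f "$old_status" "$new_status"
}

# bench_regressions OLD_LOG NEW_LOG  ->  prints the checks that became WARN in
# the new run and exits 1 (usable as a CI gate); exits 0 when there are none.
bench_regressions() {
    regressions=$(bench_diff "$1" "$2" | grep -- '-> WARN$' || true)
    if [ -n "$regressions" ]; then
        printf '%s\n' "$regressions"
        return 1
    fi
    return 0
}

# Typical use:
#   docker container run ... docker-bench-security:1.3.5 -l before.log
#   (start the workload containers)
#   docker container run ... docker-bench-security:1.3.5 -l after.log
#   bench_diff before.log after.log
```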

What are the checks?

The actual checks are simply implemented under the tests directory, so that is the only place to look.

https://github.com/docker/docker-bench-security/tree/v1.3.5/tests

That said, it is hard to see the whole picture from that alone, so I made a simple list.

$ grep desc_ tests/*.sh | fgrep -v '$desc' | perl -wp -e 's!.*:\s+(.+)!$1!; s!desc|"!!g; s!=! !; s!^_([^_]+\_[^_]+\_[^_]+?) (.+)!    * $1 - $2!; s!^_([^_]+\_[^_]+?) (.+)!  * $1 - $2!; s!^_([^_]+?) (.+)!* $1 - **$2**!;'

The result. I will look through them at some point...

  • 1 - Host Configuration
    • 1_1 - General Configuration
      • 1_1_1 - Ensure the container host has been Hardened
      • 1_1_2 - Ensure Docker is up to date
    • 1_2 - Linux Hosts Specific Configuration
      • 1_2_1 - Ensure a separate partition for containers has been created
      • 1_2_2 - Ensure only trusted users are allowed to control Docker daemon
      • 1_2_3 - Ensure auditing is configured for the Docker daemon
      • 1_2_4 - Ensure auditing is configured for Docker files and directories - /var/lib/docker
      • 1_2_5 - Ensure auditing is configured for Docker files and directories - /etc/docker
      • 1_2_6 - Ensure auditing is configured for Docker files and directories - docker.service
      • 1_2_7 - Ensure auditing is configured for Docker files and directories - docker.socket
      • 1_2_8 - Ensure auditing is configured for Docker files and directories - /etc/default/docker
      • 1_2_9 - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker
      • 1_2_10 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
      • 1_2_11 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd
      • 1_2_12 - Ensure auditing is configured for Docker files and directories - /usr/sbin/runc
  • 2 - Docker daemon configuration
    • 2_1 - Ensure network traffic is restricted between containers on the default bridge
    • 2_2 - Ensure the logging level is set to 'info'
    • 2_3 - Ensure Docker is allowed to make changes to iptables
    • 2_4 - Ensure insecure registries are not used
    • 2_5 - Ensure aufs storage driver is not used
    • 2_6 - Ensure TLS authentication for Docker daemon is configured
    • 2_7 - Ensure the default ulimit is configured appropriately
    • 2_8 - Enable user namespace support
    • 2_9 - Ensure the default cgroup usage has been confirmed
    • 2_10 - Ensure base device size is not changed until needed
    • 2_11 - Ensure that authorization for Docker client commands is enabled
    • 2_12 - Ensure centralized and remote logging is configured
    • 2_13 - Ensure live restore is Enabled
    • 2_14 - Ensure Userland Proxy is Disabled
    • 2_15 - Ensure that a daemon-wide custom seccomp profile is applied if appropriate
    • 2_16 - Ensure that experimental features are not implemented in production
    • 2_17 - Ensure containers are restricted from acquiring new privileges
  • 3 - Docker daemon configuration files
    • 3_1 - Ensure that docker.service file ownership is set to root:root
    • 3_2 - Ensure that docker.service file permissions are appropriately set
    • 3_3 - Ensure that docker.socket file ownership is set to root:root
    • 3_4 - Ensure that docker.socket file permissions are set to 644 or more restrictive
    • 3_5 - Ensure that /etc/docker directory ownership is set to root:root
    • 3_6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictive
    • 3_7 - Ensure that registry certificate file ownership is set to root:root
    • 3_8 - Ensure that registry certificate file permissions are set to 444 or more restrictive
    • 3_9 - Ensure that TLS CA certificate file ownership is set to root:root
    • 3_10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive
    • 3_11 - Ensure that Docker server certificate file ownership is set to root:root
    • 3_12 - Ensure that Docker server certificate file permissions are set to 444 or more restrictive
    • 3_13 - Ensure that Docker server certificate key file ownership is set to root:root
    • 3_14 - Ensure that Docker server certificate key file permissions are set to 400
    • 3_15 - Ensure that Docker socket file ownership is set to root:docker
    • 3_16 - Ensure that Docker socket file permissions are set to 660 or more restrictive
    • 3_17 - Ensure that daemon.json file ownership is set to root:root
    • 3_18 - Ensure that daemon.json file permissions are set to 644 or more restrictive
    • 3_19 - Ensure that /etc/default/docker file ownership is set to root:root
    • 3_20 - Ensure that the /etc/sysconfig/docker file ownership is set to root:root
    • 3_21 - Ensure that /etc/sysconfig/docker file permissions are set to 644 or more restrictive
    • 3_22 - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive
  • 4 - Container Images and Build File
    • 4_1 - Ensure a user for the container has been created
    • 4_2 - Ensure that containers use only trusted base images
    • 4_3 - Ensure that unnecessary packages are not installed in the container
    • 4_4 - Ensure images are scanned and rebuilt to include security patches
    • 4_5 - Ensure Content trust for Docker is Enabled
    • 4_6 - Ensure that HEALTHCHECK instructions have been added to container images
    • 4_7 - Ensure update instructions are not use alone in the Dockerfile
    • 4_8 - Ensure setuid and setgid permissions are removed
    • 4_9 - Ensure that COPY is used instead of ADD in Dockerfiles
    • 4_10 - Ensure secrets are not stored in Dockerfiles
    • 4_11 - Ensure only verified packages are installed
  • 5 - Container Runtime
    • 5_1 - Ensure that, if applicable, an AppArmor Profile is enabled
    • 5_2 - Ensure that, if applicable, SELinux security options are set
    • 5_3 - Ensure Linux Kernel Capabilities are restricted within containers
    • 5_4 - Ensure that privileged containers are not used
    • 5_5 - Ensure sensitive host system directories are not mounted on containers
    • 5_6 - Ensure sshd is not run within containers
    • 5_7 - Ensure privileged ports are not mapped within containers
    • 5_8 - Ensure that only needed ports are open on the container
    • 5_9 - Ensure the host's network namespace is not shared
    • 5_10 - Ensure that the memory usage for containers is limited
    • 5_11 - Ensure CPU priority is set appropriately on the container
    • 5_12 - Ensure that the container's root filesystem is mounted as read only
    • 5_13 - Ensure that incoming container traffic is bound to a specific host interface
    • 5_14 - Ensure that the 'on-failure' container restart policy is set to '5'
    • 5_15 - Ensure the host's process namespace is not shared
    • 5_16 - Ensure the host's IPC namespace is not shared
    • 5_17 - Ensure that host devices are not directly exposed to containers
    • 5_18 - Ensure that the default ulimit is overwritten at runtime if needed
    • 5_19 - Ensure mount propagation mode is not set to shared
    • 5_20 - Ensure the host's UTS namespace is not shared
    • 5_21 - Ensure the default seccomp profile is not Disabled
    • 5_22 - Ensure docker exec commands are not used with privileged option
    • 5_23 - Ensure that docker exec commands are not used with the user=root option
    • 5_24 - Ensure that cgroup usage is confirmed
    • 5_25 - Ensure that the container is restricted from acquiring additional privileges
    • 5_26 - Ensure that container health is checked at runtime
    • 5_27 - Ensure that Docker commands always make use of the latest version of their image
    • 5_28 - Ensure that the PIDs cgroup limit is used
    • 5_29 - Ensure that Docker's default bridge 'docker0' is not used
    • 5_30 - Ensure that the host's user namespaces are not shared
    • 5_31 - Ensure that the Docker socket is not mounted inside any containers
  • 6 - Docker Security Operations
    • 6_1 - Ensure that image sprawl is avoided
    • 6_2 - Ensure that container sprawl is avoided
  • 7 - Docker Swarm Configuration
    • 7_1 - Ensure swarm mode is not Enabled, if not needed
    • 7_2 - Ensure that the minimum number of manager nodes have been created in a swarm
    • 7_3 - Ensure that swarm services are bound to a specific host interface
    • 7_4 - Ensure that all Docker swarm overlay networks are encrypted
    • 7_5 - Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster
    • 7_6 - Ensure that swarm manager is run in auto-lock mode
    • 7_7 - Ensure that the swarm manager auto-lock key is rotated periodically
    • 7_8 - Ensure that node certificates are rotated as appropriate
    • 7_9 - Ensure that CA certificates are rotated as appropriate
    • 7_10 - Ensure that management plane traffic is separated from data plane traffic
  • 8 - Docker Enterprise Configuration
    • 8_1 - Universal Control Plane Configuration
      • 8_1_1 - Configure the LDAP authentication service
      • 8_1_2 - Use external certificates
      • 8_1_3 - Enforce the use of client certificate bundles for unprivileged users
      • 8_1_4 - Configure applicable cluster role-based access control policies
      • 8_1_5 - Enable signed image enforcement
      • 8_1_6 - Set the Per-User Session Limit to a value of '3' or lower
      • 8_1_7 - Set the 'Lifetime Minutes' and 'Renewal Threshold Minutes' values to '15' or lower and '0' respectively
    • 8_2 - Docker Trusted Registry Configuration
  • 99 - Community contributed checks
    • c_2 - Ensure operations on legacy registry (v1) are Disabled
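The one-liner above depends on a naming convention in the Docker Bench for Security test scripts: each check sets a shell variable `desc_<id>="..."`, where `<id>` is something like `1`, `1_1` or `1_1_1`, and the nesting level is the number of underscores in the id. The following script is an added example (not code from the blog post or from the docker-bench-security project) that does the same extraction step by step with `sed` and `awk`, so the regexes are easier to audit than in the Perl one-liner. It runs on a constructed sample standing in for the output of `grep desc_ tests/*.sh`; the file names and descriptions in `SAMPLE` are taken from the list above, and the `desc="$desc_..."` line shows why the one-liner filters with `fgrep -v '$desc'`.

```shell
#!/bin/sh
# Added example: print Docker Bench for Security check descriptions as an
# indented list. Assumes (as the original one-liner does) that tests/*.sh
# define variables such as desc_1="...", desc_1_1="...", desc_1_1_1="..."
# and that nesting depth equals the number of underscores in the id.

# Constructed sample input, standing in for: grep desc_ tests/*.sh
SAMPLE='tests/1_host_configuration.sh:  desc_1="Host Configuration"
tests/1_host_configuration.sh:  desc_1_1="General Configuration"
tests/1_host_configuration.sh:  desc_1_1_1="Ensure the container host has been Hardened"
tests/1_host_configuration.sh:  desc="$desc_1_1_1"
tests/2_docker_daemon_configuration.sh:  desc_2="Docker daemon configuration"
tests/2_docker_daemon_configuration.sh:  desc_2_1="Ensure network traffic is restricted between containers on the default bridge"'

# desc_tree: read grep output on stdin, write a nested markdown-style list.
desc_tree() {
  # 1. Drop lines that merely reference a desc variable (desc="$desc_1_1_1").
  grep -v '\$desc' |
  # 2. Keep only "<id> <description>" from lines of the form
  #    <file>:<spaces>desc_<id>="<description>"
  sed -n 's/^[^:]*:[[:space:]]*desc_\([0-9a-z_]*\)="\(.*\)"$/\1 \2/p' |
  # 3. Indent by two spaces per underscore; bold the top-level sections.
  awk '{
    id = $1
    text = substr($0, length(id) + 2)
    depth = gsub(/_/, "_", id)        # gsub returns the number of matches
    indent = ""
    for (i = 0; i < depth; i++) indent = indent "  "
    if (depth == 0) text = "**" text "**"
    print indent "* " id " - " text
  }'
}

# Stand-alone run on the constructed sample. Against a real checkout use:
#   grep desc_ tests/*.sh | desc_tree
printf '%s\n' "$SAMPLE" | desc_tree
```

Because every check id is recovered verbatim, the same output can be diffed against the list in a CIS Docker Benchmark PDF to spot checks the script version does or does not cover.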