What is this post about?
I heard there is a tool called Docker Bench for Security that checks the configuration of a Docker host and the containers running on it, so I decided to try it out.
Docker Bench for Security?
As mentioned at the start, Docker Bench for Security is a tool that checks the configuration of a Docker host and its containers.
It is provided by Docker.
The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are inspired by the CIS Docker Benchmark v1.2.0.
It is inspired by the CIS Docker Benchmark and checks whether the Docker containers you deploy to production follow best practices, and so on.
The CIS Docker Benchmark itself is here.
So the idea is that you can use Docker Bench for Security to self-assess your Docker host and containers.
We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and docker containers against this benchmark.
Environment
This is the environment used in this post.
```
$ uname -srvmpio
Linux 5.4.0-47-generic #51-Ubuntu SMP Fri Sep 4 19:50:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.1 LTS
Release:        20.04
Codename:       focal

$ docker version
Client: Docker Engine - Community
 Version:           19.03.13
 API version:       1.40
 Go version:        go1.13.15
 Git commit:        4484c46d9d
 Built:             Wed Sep 16 17:02:52 2020
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.13
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       4484c46d9d
  Built:            Wed Sep 16 17:01:20 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.3.7
  GitCommit:        8fba4e9a7d01810a393d5d25a3621dc101981175
 runc:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683
```
auditd appears to be required, so install that as well.

```
$ sudo apt install auditd
```

I say this because the README states the following:
Note that when distributions doesn't contain auditctl, the audit tests will check /etc/audit/audit.rules to see if a rule is present instead.
Version:

```
$ sudo auditctl -v
auditctl version 2.8.5
```
Configuring auditd
Let's configure auditd first.
The default configuration looks like this.
```
$ sudo cat /etc/audit/audit.rules
## This file is automatically generated from /etc/audit/rules.d
-D
-b 8192
-f 1
--backlog_wait_time 0
```
It seems you are supposed to place rule files under /etc/audit/rules.d, so for this post I created one like this.

/etc/audit/rules.d/docker.rules
```
-w /usr/bin/dockerd -p wa
#-w /etc/sysconfig/docker -p wa
-w /etc/docker -p wa
-w /etc/docker/daemon.json -p wa
-w /usr/bin/containerd -p wa
-w /usr/bin/runc -p wa
-w /lib/systemd/system/docker.service -p wa
-w /lib/systemd/system/docker.socket -p wa
-w /etc/default/docker -p wa
```
The reason one line is commented out is that when you write a rule for a directory or file that does not exist, rule loading apparently stops at that point...
I based the rules on the following article and adjusted them to the current Docker version.
How To Audit Docker Host Security with Docker Bench for Security | DigitalOcean
As for the rules themselves: -w specifies the file or directory to watch, and -p specifies which kinds of access are logged; here I specified wa to record writes and attribute changes.
6.5. Defining Audit Rules, Red Hat Enterprise Linux 7 | Red Hat Customer Portal
Once the rules are in place, restart auditd.

```
$ sudo systemctl restart auditd
```

The rules are now reflected in the generated file.
```
$ sudo cat /etc/audit/audit.rules
## This file is automatically generated from /etc/audit/rules.d
-D
-b 8192
-f 1
--backlog_wait_time 0
-w /usr/bin/dockerd -p wa
-w /etc/docker -p wa
-w /etc/docker/daemon.json -p wa
-w /usr/bin/containerd -p wa
-w /usr/bin/runc -p wa
-w /lib/systemd/system/docker.service -p wa
-w /lib/systemd/system/docker.socket -p wa
-w /etc/default/docker -p wa
```
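As an added example (not code from the original post or from the Docker Bench project), the following script generates the docker.rules file in a way that avoids the problem described above: it emits a -w rule only for paths that exist on the host and leaves a comment for the rest, then restarts auditd as the post does and lists the rules the kernel actually loaded. The path list is the post's set plus /var/lib/docker and /usr/sbin/runc, which the benchmark's checks 1.2.4 and 1.2.12 look for; the output location and the "install" argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the Docker Bench project.
# Generates an auditd rules file for Docker that only watches paths which exist,
# so a rule for a missing path cannot stop the rest of the file from loading.

# Watch targets: the post's list plus /var/lib/docker and /usr/sbin/runc, which
# benchmark checks 1.2.4 and 1.2.12 look for. Missing ones are skipped.
DOCKER_AUDIT_PATHS="
/usr/bin/dockerd
/etc/sysconfig/docker
/etc/docker
/etc/docker/daemon.json
/usr/bin/containerd
/usr/bin/runc
/usr/sbin/runc
/lib/systemd/system/docker.service
/lib/systemd/system/docker.socket
/etc/default/docker
/var/lib/docker
"

# Emit "-w PATH -p wa" (log writes and attribute changes) for each existing path;
# absent paths become comments so the file documents what was skipped.
gen_docker_audit_rules() {
    for p in $DOCKER_AUDIT_PATHS; do
        if [ -e "$p" ]; then
            printf '%s\n' "-w $p -p wa"
        else
            printf '%s\n' "# skipped (not present on this host): $p"
        fi
    done
}

# Number of active (non-comment) watch rules in a generated file.
count_active_rules() {
    grep -c '^-w ' "$1" || true
}

# Write the file under rules.d (assumed location), restart auditd as the post
# does, and print the rules the kernel actually loaded for verification.
install_docker_audit_rules() {
    out="${1:-/etc/audit/rules.d/docker.rules}"
    gen_docker_audit_rules > "$out"
    systemctl restart auditd
    auditctl -l
}

# Only touch the system when invoked as: sudo sh docker_audit_rules.sh install
if [ "${1:-}" = "install" ]; then
    install_docker_audit_rules "${2:-}"
fi
```

Comparing the output of auditctl -l with the generated file is the quickest way to confirm that every intended watch was really loaded, which is what checks 1.2.3 through 1.2.12 verify.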
Trying out Docker Bench for Security
Now let's try Docker Bench for Security.
The documentation describes how to use the image published on Docker Hub.
Running Docker Bench for Security
Looking at that Docker Hub image, it only has a latest tag, and the version inside was (at the time of writing) 1.3.4, so I decided not to use it.
```
# ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.4
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Community Edition Benchmark v1.1.0.
# ------------------------------------------------------------------------------

Initializing Sun Sep 20 15:33:40 UTC 2020
```
The latest version at this point is 1.3.5.
So I changed course and built it myself.
Building Docker Bench for Security
Clone the repository:

```
$ git clone https://github.com/docker/docker-bench-security.git
$ cd docker-bench-security
$ git checkout v1.3.5
```

Then build:

```
$ docker image build --no-cache -t docker-bench-security:1.3.5 .
```
This procedure produces an image based on Alpine Linux; if you want a different OS as the base image, use one of the Dockerfiles in the following directory.
https://github.com/docker/docker-bench-security/tree/v1.3.5/distros
They are lined up like this.

```
$ ll distros
total 32
drwxrwxr-x 2 xxxxx xxxxx 4096 Sep 21 11:14 ./
drwxrwxr-x 5 xxxxx xxxxx 4096 Sep 21 11:14 ../
-rw-rw-r-- 1 xxxxx xxxxx  731 Sep 21 11:14 Dockerfile.alpine
-rw-rw-r-- 1 xxxxx xxxxx  326 Sep 21 11:14 Dockerfile.centos
-rw-rw-r-- 1 xxxxx xxxxx  762 Sep 21 11:14 Dockerfile.debian
-rw-rw-r-- 1 xxxxx xxxxx  295 Sep 21 11:14 Dockerfile.openSUSE
-rw-rw-r-- 1 xxxxx xxxxx  504 Sep 21 11:14 Dockerfile.rhel
-rw-rw-r-- 1 xxxxx xxxxx  488 Sep 21 11:14 README.md
```
Now let's run checks with the image we just built.
First, show the help.

```
$ docker container run -it --rm -v /var/run/docker.sock:/var/run/docker.sock:ro docker-bench-security:1.3.5 -h
usage: docker-bench-security.sh [options]

  -b           optional  Do not print colors
  -h           optional  Print this help message
  -l FILE      optional  Log output in FILE
  -c CHECK     optional  Comma delimited list of specific check(s)
  -e CHECK     optional  Comma delimited list of specific check(s) to exclude
  -i INCLUDE   optional  Comma delimited list of patterns within a container or image name to check
  -x EXCLUDE   optional  Comma delimited list of patterns within a container or image name to exclude from check
```
The steps for running it are the same as for the Docker Hub image.
Running Docker Bench for Security
Here, an environment variable called DOCKER_CONTENT_TRUST catches the eye.
Setting the environment variable DOCKER_CONTENT_TRUST to 1 means that container images cannot be used unless they are signed.
Content trust in Docker / Client Enforcement with Docker Content Trust
It seems like a good idea to leave this enabled.
Now, run it.

```
$ DOCKER_CONTENT_TRUST=1
$ docker container run -it --rm \
    --name docker-bench-security \
    --network host \
    --pid host \
    --userns host \
    --cap-add audit_control \
    -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
    -v /etc:/etc:ro \
    -v /usr/bin/docker-containerd:/usr/bin/docker-containerd:ro \
    -v /usr/bin/docker-runc:/usr/bin/docker-runc:ro \
    -v /usr/lib/systemd:/usr/lib/systemd:ro \
    -v /var/lib:/var/lib:ro \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    --label docker_bench_security \
    docker-bench-security:1.3.5
```
The version information is displayed,

```
# ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.5
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Benchmark v1.2.0.
# ------------------------------------------------------------------------------

Initializing Mon Sep 21 11:28:20 UTC 2020
```

and I got the following result.
```
[INFO] 1 - Host Configuration
[INFO] 1.1 - General Configuration
[NOTE] 1.1.1 - Ensure the container host has been Hardened
[INFO] 1.1.2 - Ensure Docker is up to date
[INFO]      * Using 19.03.13, verify is it up to date as deemed necessary
[INFO]      * Your operating system vendor may provide support and security maintenance for Docker
[INFO] 1.2 - Linux Hosts Specific Configuration
[WARN] 1.2.1 - Ensure a separate partition for containers has been created
[INFO] 1.2.2 - Ensure only trusted users are allowed to control Docker daemon
[INFO]      * docker:x:998:vagrant
[PASS] 1.2.3 - Ensure auditing is configured for the Docker daemon
[WARN] 1.2.4 - Ensure auditing is configured for Docker files and directories - /var/lib/docker
[PASS] 1.2.5 - Ensure auditing is configured for Docker files and directories - /etc/docker
[WARN] 1.2.6 - Ensure auditing is configured for Docker files and directories - docker.service
[WARN] 1.2.7 - Ensure auditing is configured for Docker files and directories - docker.socket
[PASS] 1.2.8 - Ensure auditing is configured for Docker files and directories - /etc/default/docker
[INFO] 1.2.9 - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker
[INFO]      * File not found
[INFO] 1.2.10 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
[INFO]      * File not found
[INFO] 1.2.11 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd
[INFO]      * File not found
[INFO] 1.2.12 - Ensure auditing is configured for Docker files and directories - /usr/sbin/runc
[INFO]      * File not found
[INFO] 2 - Docker daemon configuration
[WARN] 2.1 - Ensure network traffic is restricted between containers on the default bridge
[PASS] 2.2 - Ensure the logging level is set to 'info'
[PASS] 2.3 - Ensure Docker is allowed to make changes to iptables
[PASS] 2.4 - Ensure insecure registries are not used
[PASS] 2.5 - Ensure aufs storage driver is not used
[INFO] 2.6 - Ensure TLS authentication for Docker daemon is configured
[INFO]      * Docker daemon not listening on TCP
[INFO] 2.7 - Ensure the default ulimit is configured appropriately
[INFO]      * Default ulimit doesn't appear to be set
[WARN] 2.8 - Enable user namespace support
[PASS] 2.9 - Ensure the default cgroup usage has been confirmed
[PASS] 2.10 - Ensure base device size is not changed until needed
[WARN] 2.11 - Ensure that authorization for Docker client commands is enabled
[WARN] 2.12 - Ensure centralized and remote logging is configured
[WARN] 2.13 - Ensure live restore is Enabled
[WARN] 2.14 - Ensure Userland Proxy is Disabled
[PASS] 2.15 - Ensure that a daemon-wide custom seccomp profile is applied if appropriate
[PASS] 2.16 - Ensure that experimental features are not implemented in production
[WARN] 2.17 - Ensure containers are restricted from acquiring new privileges
[INFO] 3 - Docker daemon configuration files
[PASS] 3.1 - Ensure that docker.service file ownership is set to root:root
[PASS] 3.2 - Ensure that docker.service file permissions are appropriately set
[PASS] 3.3 - Ensure that docker.socket file ownership is set to root:root
[PASS] 3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive
[PASS] 3.5 - Ensure that /etc/docker directory ownership is set to root:root
[PASS] 3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictive
[INFO] 3.7 - Ensure that registry certificate file ownership is set to root:root
[INFO]      * Directory not found
[INFO] 3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictive
[INFO]      * Directory not found
[INFO] 3.9 - Ensure that TLS CA certificate file ownership is set to root:root
[INFO]      * No TLS CA certificate found
[INFO] 3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive
[INFO]      * No TLS CA certificate found
[INFO] 3.11 - Ensure that Docker server certificate file ownership is set to root:root
[INFO]      * No TLS Server certificate found
[INFO] 3.12 - Ensure that Docker server certificate file permissions are set to 444 or more restrictive
[INFO]      * No TLS Server certificate found
[INFO] 3.13 - Ensure that Docker server certificate key file ownership is set to root:root
[INFO]      * No TLS Key found
[INFO] 3.14 - Ensure that Docker server certificate key file permissions are set to 400
[INFO]      * No TLS Key found
[PASS] 3.15 - Ensure that Docker socket file ownership is set to root:docker
[PASS] 3.16 - Ensure that Docker socket file permissions are set to 660 or more restrictive
[INFO] 3.17 - Ensure that daemon.json file ownership is set to root:root
[INFO]      * File not found
[INFO] 3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive
[INFO]      * File not found
[PASS] 3.19 - Ensure that /etc/default/docker file ownership is set to root:root
[INFO] 3.20 - Ensure that the /etc/sysconfig/docker file ownership is set to root:root
[INFO]      * File not found
[INFO] 3.21 - Ensure that /etc/sysconfig/docker file permissions are set to 644 or more restrictive
[INFO]      * File not found
[PASS] 3.22 - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive
[INFO] 4 - Container Images and Build File
[INFO] 4.1 - Ensure a user for the container has been created
[INFO]      * No containers running
[NOTE] 4.2 - Ensure that containers use only trusted base images
[NOTE] 4.3 - Ensure that unnecessary packages are not installed in the container
[NOTE] 4.4 - Ensure images are scanned and rebuilt to include security patches
[PASS] 4.5 - Ensure Content trust for Docker is Enabled
[WARN] 4.6 - Ensure that HEALTHCHECK instructions have been added to container images
[WARN]      * No Healthcheck found: [httpd:2.4.46]
[WARN]      * No Healthcheck found: [alpine:3.10]
[INFO] 4.7 - Ensure update instructions are not use alone in the Dockerfile
[INFO]      * Update instruction found: [httpd:2.4.46]
[NOTE] 4.8 - Ensure setuid and setgid permissions are removed
[PASS] 4.9 - Ensure that COPY is used instead of ADD in Dockerfiles
[NOTE] 4.10 - Ensure secrets are not stored in Dockerfiles
[NOTE] 4.11 - Ensure only verified packages are installed
[INFO] 5 - Container Runtime
[INFO]      * No containers running, skipping Section 5
[INFO] 6 - Docker Security Operations
[INFO] 6.1 - Ensure that image sprawl is avoided
[INFO]      * There are currently: 3 images
[INFO] 6.2 - Ensure that container sprawl is avoided
[INFO]      * There are currently a total of 1 containers, with 1 of them currently running
[INFO] 7 - Docker Swarm Configuration
[PASS] 7.1 - Ensure swarm mode is not Enabled, if not needed
[PASS] 7.2 - Ensure that the minimum number of manager nodes have been created in a swarm (Swarm mode not enabled)
[PASS] 7.3 - Ensure that swarm services are bound to a specific host interface (Swarm mode not enabled)
[PASS] 7.4 - Ensure that all Docker swarm overlay networks are encrypted
[PASS] 7.5 - Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Swarm mode not enabled)
[PASS] 7.6 - Ensure that swarm manager is run in auto-lock mode (Swarm mode not enabled)
[PASS] 7.7 - Ensure that the swarm manager auto-lock key is rotated periodically (Swarm mode not enabled)
[PASS] 7.8 - Ensure that node certificates are rotated as appropriate (Swarm mode not enabled)
[PASS] 7.9 - Ensure that CA certificates are rotated as appropriate (Swarm mode not enabled)
[PASS] 7.10 - Ensure that management plane traffic is separated from data plane traffic (Swarm mode not enabled)
[INFO] 8 - Docker Enterprise Configuration
[INFO]      * Community Engine license, skipping section 8
[INFO] Checks: 76
[INFO] Score: 20
```
The summary came out like this.

```
[INFO] Checks: 76
[INFO] Score: 20
```

The Score seems to go up for each check that passes and down for each check that does not pass. When the target of a check does not exist, the result is plus or minus zero.
Next, let's run Apache as a container.

```
$ docker container run -i --rm --name apache2 httpd:2.4.46
```

Running the benchmark again gives this result.
```
[INFO] 1 - Host Configuration
[INFO] 1.1 - General Configuration
[NOTE] 1.1.1 - Ensure the container host has been Hardened
[INFO] 1.1.2 - Ensure Docker is up to date
[INFO]      * Using 19.03.13, verify is it up to date as deemed necessary
[INFO]      * Your operating system vendor may provide support and security maintenance for Docker
[INFO] 1.2 - Linux Hosts Specific Configuration
[WARN] 1.2.1 - Ensure a separate partition for containers has been created
[INFO] 1.2.2 - Ensure only trusted users are allowed to control Docker daemon
[INFO]      * docker:x:998:vagrant
[PASS] 1.2.3 - Ensure auditing is configured for the Docker daemon
[WARN] 1.2.4 - Ensure auditing is configured for Docker files and directories - /var/lib/docker
[PASS] 1.2.5 - Ensure auditing is configured for Docker files and directories - /etc/docker
[WARN] 1.2.6 - Ensure auditing is configured for Docker files and directories - docker.service
[WARN] 1.2.7 - Ensure auditing is configured for Docker files and directories - docker.socket
[PASS] 1.2.8 - Ensure auditing is configured for Docker files and directories - /etc/default/docker
[INFO] 1.2.9 - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker
[INFO]      * File not found
[INFO] 1.2.10 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
[INFO]      * File not found
[INFO] 1.2.11 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd
[INFO]      * File not found
[INFO] 1.2.12 - Ensure auditing is configured for Docker files and directories - /usr/sbin/runc
[INFO]      * File not found
[INFO] 2 - Docker daemon configuration
[WARN] 2.1 - Ensure network traffic is restricted between containers on the default bridge
[PASS] 2.2 - Ensure the logging level is set to 'info'
[PASS] 2.3 - Ensure Docker is allowed to make changes to iptables
[PASS] 2.4 - Ensure insecure registries are not used
[PASS] 2.5 - Ensure aufs storage driver is not used
[INFO] 2.6 - Ensure TLS authentication for Docker daemon is configured
[INFO]      * Docker daemon not listening on TCP
[INFO] 2.7 - Ensure the default ulimit is configured appropriately
[INFO]      * Default ulimit doesn't appear to be set
[WARN] 2.8 - Enable user namespace support
[PASS] 2.9 - Ensure the default cgroup usage has been confirmed
[PASS] 2.10 - Ensure base device size is not changed until needed
[WARN] 2.11 - Ensure that authorization for Docker client commands is enabled
[WARN] 2.12 - Ensure centralized and remote logging is configured
[WARN] 2.13 - Ensure live restore is Enabled
[WARN] 2.14 - Ensure Userland Proxy is Disabled
[PASS] 2.15 - Ensure that a daemon-wide custom seccomp profile is applied if appropriate
[PASS] 2.16 - Ensure that experimental features are not implemented in production
[WARN] 2.17 - Ensure containers are restricted from acquiring new privileges
[INFO] 3 - Docker daemon configuration files
[PASS] 3.1 - Ensure that docker.service file ownership is set to root:root
[PASS] 3.2 - Ensure that docker.service file permissions are appropriately set
[PASS] 3.3 - Ensure that docker.socket file ownership is set to root:root
[PASS] 3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive
[PASS] 3.5 - Ensure that /etc/docker directory ownership is set to root:root
[PASS] 3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictive
[INFO] 3.7 - Ensure that registry certificate file ownership is set to root:root
[INFO]      * Directory not found
[INFO] 3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictive
[INFO]      * Directory not found
[INFO] 3.9 - Ensure that TLS CA certificate file ownership is set to root:root
[INFO]      * No TLS CA certificate found
[INFO] 3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive
[INFO]      * No TLS CA certificate found
[INFO] 3.11 - Ensure that Docker server certificate file ownership is set to root:root
[INFO]      * No TLS Server certificate found
[INFO] 3.12 - Ensure that Docker server certificate file permissions are set to 444 or more restrictive
[INFO]      * No TLS Server certificate found
[INFO] 3.13 - Ensure that Docker server certificate key file ownership is set to root:root
[INFO]      * No TLS Key found
[INFO] 3.14 - Ensure that Docker server certificate key file permissions are set to 400
[INFO]      * No TLS Key found
[PASS] 3.15 - Ensure that Docker socket file ownership is set to root:docker
[PASS] 3.16 - Ensure that Docker socket file permissions are set to 660 or more restrictive
[INFO] 3.17 - Ensure that daemon.json file ownership is set to root:root
[INFO]      * File not found
[INFO] 3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive
[INFO]      * File not found
[PASS] 3.19 - Ensure that /etc/default/docker file ownership is set to root:root
[INFO] 3.20 - Ensure that the /etc/sysconfig/docker file ownership is set to root:root
[INFO]      * File not found
[INFO] 3.21 - Ensure that /etc/sysconfig/docker file permissions are set to 644 or more restrictive
[INFO]      * File not found
[PASS] 3.22 - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive
[INFO] 4 - Container Images and Build File
[WARN] 4.1 - Ensure a user for the container has been created
[WARN]      * Running as root: apache2
[NOTE] 4.2 - Ensure that containers use only trusted base images
[NOTE] 4.3 - Ensure that unnecessary packages are not installed in the container
[NOTE] 4.4 - Ensure images are scanned and rebuilt to include security patches
[PASS] 4.5 - Ensure Content trust for Docker is Enabled
[WARN] 4.6 - Ensure that HEALTHCHECK instructions have been added to container images
[WARN]      * No Healthcheck found: [httpd:2.4.46]
[WARN]      * No Healthcheck found: [alpine:3.10]
[INFO] 4.7 - Ensure update instructions are not use alone in the Dockerfile
[INFO]      * Update instruction found: [httpd:2.4.46]
[NOTE] 4.8 - Ensure setuid and setgid permissions are removed
[PASS] 4.9 - Ensure that COPY is used instead of ADD in Dockerfiles
[NOTE] 4.10 - Ensure secrets are not stored in Dockerfiles
[NOTE] 4.11 - Ensure only verified packages are installed
[INFO] 5 - Container Runtime
[PASS] 5.1 - Ensure that, if applicable, an AppArmor Profile is enabled
[WARN] 5.2 - Ensure that, if applicable, SELinux security options are set
[WARN]      * No SecurityOptions Found: apache2
[PASS] 5.3 - Ensure Linux Kernel Capabilities are restricted within containers
[PASS] 5.4 - Ensure that privileged containers are not used
[PASS] 5.5 - Ensure sensitive host system directories are not mounted on containers
[PASS] 5.6 - Ensure sshd is not run within containers
[PASS] 5.7 - Ensure privileged ports are not mapped within containers
[NOTE] 5.8 - Ensure that only needed ports are open on the container
[PASS] 5.9 - Ensure the host's network namespace is not shared
[WARN] 5.10 - Ensure that the memory usage for containers is limited
[WARN]      * Container running without memory restrictions: apache2
[WARN] 5.11 - Ensure CPU priority is set appropriately on the container
[WARN]      * Container running without CPU restrictions: apache2
[WARN] 5.12 - Ensure that the container's root filesystem is mounted as read only
[WARN]      * Container running with root FS mounted R/W: apache2
[PASS] 5.13 - Ensure that incoming container traffic is bound to a specific host interface
[WARN] 5.14 - Ensure that the 'on-failure' container restart policy is set to '5'
[WARN]      * MaximumRetryCount is not set to 5: apache2
[PASS] 5.15 - Ensure the host's process namespace is not shared
[PASS] 5.16 - Ensure the host's IPC namespace is not shared
[PASS] 5.17 - Ensure that host devices are not directly exposed to containers
[INFO] 5.18 - Ensure that the default ulimit is overwritten at runtime if needed
[INFO]      * Container no default ulimit override: apache2
[PASS] 5.19 - Ensure mount propagation mode is not set to shared
[PASS] 5.20 - Ensure the host's UTS namespace is not shared
[PASS] 5.21 - Ensure the default seccomp profile is not Disabled
[NOTE] 5.22 - Ensure docker exec commands are not used with privileged option
[NOTE] 5.23 - Ensure that docker exec commands are not used with the user=root option
[PASS] 5.24 - Ensure that cgroup usage is confirmed
[WARN] 5.25 - Ensure that the container is restricted from acquiring additional privileges
[WARN]      * Privileges not restricted: apache2
[WARN] 5.26 - Ensure that container health is checked at runtime
[WARN]      * Health check not set: apache2
[INFO] 5.27 - Ensure that Docker commands always make use of the latest version of their image
[WARN] 5.28 - Ensure that the PIDs cgroup limit is used
[WARN]      * PIDs limit not set: apache2
[INFO] 5.29 - Ensure that Docker's default bridge 'docker0' is not used
[INFO]      * Container in docker0 network: apache2
[PASS] 5.30 - Ensure that the host's user namespaces are not shared
[PASS] 5.31 - Ensure that the Docker socket is not mounted inside any containers
[INFO] 6 - Docker Security Operations
[INFO] 6.1 - Ensure that image sprawl is avoided
[INFO]      * There are currently: 3 images
[INFO] 6.2 - Ensure that container sprawl is avoided
[INFO]      * There are currently a total of 2 containers, with 2 of them currently running
[INFO] 7 - Docker Swarm Configuration
[PASS] 7.1 - Ensure swarm mode is not Enabled, if not needed
[PASS] 7.2 - Ensure that the minimum number of manager nodes have been created in a swarm (Swarm mode not enabled)
[PASS] 7.3 - Ensure that swarm services are bound to a specific host interface (Swarm mode not enabled)
[PASS] 7.4 - Ensure that all Docker swarm overlay networks are encrypted
[PASS] 7.5 - Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Swarm mode not enabled)
[PASS] 7.6 - Ensure that swarm manager is run in auto-lock mode (Swarm mode not enabled)
[PASS] 7.7 - Ensure that the swarm manager auto-lock key is rotated periodically (Swarm mode not enabled)
[PASS] 7.8 - Ensure that node certificates are rotated as appropriate (Swarm mode not enabled)
[PASS] 7.9 - Ensure that CA certificates are rotated as appropriate (Swarm mode not enabled)
[PASS] 7.10 - Ensure that management plane traffic is separated from data plane traffic (Swarm mode not enabled)
[INFO] 8 - Docker Enterprise Configuration
[INFO]      * Community Engine license, skipping section 8
[INFO] Checks: 107
[INFO] Score: 27
```
What changed?
The number of checks executed has changed quite a bit.

```
[INFO] Checks: 76
[INFO] Score: 20
```

```
[INFO] Checks: 107
[INFO] Score: 27
```

Checks against the container image were added,

```
[INFO] 4 - Container Images and Build File
[WARN] 4.1 - Ensure a user for the container has been created
[WARN]      * Running as root: apache2
```

and a whole range of checks on the container runtime is now performed as well.
```
[INFO] 5 - Container Runtime
[PASS] 5.1 - Ensure that, if applicable, an AppArmor Profile is enabled
[WARN] 5.2 - Ensure that, if applicable, SELinux security options are set
[WARN]      * No SecurityOptions Found: apache2
[PASS] 5.3 - Ensure Linux Kernel Capabilities are restricted within containers
[PASS] 5.4 - Ensure that privileged containers are not used
[PASS] 5.5 - Ensure sensitive host system directories are not mounted on containers
[PASS] 5.6 - Ensure sshd is not run within containers
[PASS] 5.7 - Ensure privileged ports are not mapped within containers
[NOTE] 5.8 - Ensure that only needed ports are open on the container
[PASS] 5.9 - Ensure the host's network namespace is not shared
[WARN] 5.10 - Ensure that the memory usage for containers is limited
[WARN]      * Container running without memory restrictions: apache2
[WARN] 5.11 - Ensure CPU priority is set appropriately on the container
[WARN]      * Container running without CPU restrictions: apache2
[WARN] 5.12 - Ensure that the container's root filesystem is mounted as read only
[WARN]      * Container running with root FS mounted R/W: apache2
[PASS] 5.13 - Ensure that incoming container traffic is bound to a specific host interface
[WARN] 5.14 - Ensure that the 'on-failure' container restart policy is set to '5'
[WARN]      * MaximumRetryCount is not set to 5: apache2
[PASS] 5.15 - Ensure the host's process namespace is not shared
[PASS] 5.16 - Ensure the host's IPC namespace is not shared
[PASS] 5.17 - Ensure that host devices are not directly exposed to containers
[INFO] 5.18 - Ensure that the default ulimit is overwritten at runtime if needed
[INFO]      * Container no default ulimit override: apache2
[PASS] 5.19 - Ensure mount propagation mode is not set to shared
[PASS] 5.20 - Ensure the host's UTS namespace is not shared
[PASS] 5.21 - Ensure the default seccomp profile is not Disabled
[NOTE] 5.22 - Ensure docker exec commands are not used with privileged option
[NOTE] 5.23 - Ensure that docker exec commands are not used with the user=root option
[PASS] 5.24 - Ensure that cgroup usage is confirmed
[WARN] 5.25 - Ensure that the container is restricted from acquiring additional privileges
[WARN]      * Privileges not restricted: apache2
[WARN] 5.26 - Ensure that container health is checked at runtime
[WARN]      * Health check not set: apache2
[INFO] 5.27 - Ensure that Docker commands always make use of the latest version of their image
[WARN] 5.28 - Ensure that the PIDs cgroup limit is used
[WARN]      * PIDs limit not set: apache2
[INFO] 5.29 - Ensure that Docker's default bridge 'docker0' is not used
[INFO]      * Container in docker0 network: apache2
[PASS] 5.30 - Ensure that the host's user namespaces are not shared
[PASS] 5.31 - Ensure that the Docker socket is not mounted inside any containers
```
This is because, when no containers are running, those sections look like this.

```
[INFO] 4 - Container Images and Build File
[INFO] 4.1 - Ensure a user for the container has been created
[INFO]      * No containers running

(omitted)

[INFO] 5 - Container Runtime
[INFO]      * No containers running, skipping Section 5
```
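To show what it takes to clear those runtime warnings, here is an added example (not from the original post) that places the Apache command from above next to a hardened form. The flags map to the checks reported for apache2: --memory (5.10), --cpu-shares (5.11), --read-only with a tmpfs for httpd.pid (5.12), --restart on-failure:5 (5.14), --security-opt no-new-privileges (5.25), --health-cmd (5.26), --pids-limit (5.28) and a user-defined network instead of docker0 (5.29). --rm is dropped because Docker refuses to combine it with --restart. The limit values, the network name and the health command (a bash /dev/tcp probe, which assumes the Debian-based httpd image ships bash) are assumptions. 5.2 warns because this Ubuntu host uses AppArmor rather than SELinux, and 4.1 needs an image that runs httpd as a non-root user, so neither is addressed here.

```shell
#!/bin/sh
# Added example, not from the original post. The post's Apache container next
# to a hardened run that clears the section 5 warnings the benchmark reported.

# The post's command (detached here instead of -i): every runtime check listed
# below warns because nothing is restricted.
run_apache_weak() {
    docker container run -d --name apache2 httpd:2.4.46
}

# Hardening flags, one per line. Values are assumptions chosen for httpd:2.4.46.
#   --memory / --cpu-shares            5.10 / 5.11  resource limits
#   --read-only + --tmpfs logs         5.12  httpd only needs logs/httpd.pid
#                                            writable; its logs go to stdout
#   --restart=on-failure:5             5.14  (incompatible with --rm, hence -d)
#   --security-opt=no-new-privileges   5.25
#   --pids-limit                       5.28
#   --health-interval                  5.26  (paired with --health-cmd below)
#   --network=apache-net               5.29  user-defined bridge, not docker0
hardened_apache_flags() {
    cat <<'EOF'
--memory=256m
--cpu-shares=512
--read-only
--tmpfs=/usr/local/apache2/logs
--restart=on-failure:5
--security-opt=no-new-privileges
--pids-limit=100
--health-interval=30s
--network=apache-net
EOF
}

# Health probe (5.26): open a TCP connection to port 80 inside the container.
# Assumes the Debian-based httpd image ships bash with /dev/tcp support.
HEALTH_CMD='bash -c "exec 3<>/dev/tcp/127.0.0.1/80"'

run_apache_hardened() {
    docker network create apache-net 2>/dev/null || true
    # word splitting of the flag list is intended; no flag contains spaces
    docker container run -d --name apache2 $(hardened_apache_flags) \
        --health-cmd "$HEALTH_CMD" \
        httpd:2.4.46
}

# Self-check: does the flag list address a given benchmark item?
covers_check() {
    case "$1" in
        5.10) hardened_apache_flags | grep -q '^--memory=' ;;
        5.11) hardened_apache_flags | grep -q '^--cpu-shares=' ;;
        5.12) hardened_apache_flags | grep -q '^--read-only$' ;;
        5.14) hardened_apache_flags | grep -q '^--restart=on-failure:5$' ;;
        5.25) hardened_apache_flags | grep -q '^--security-opt=no-new-privileges$' ;;
        5.26) hardened_apache_flags | grep -q '^--health-interval=' ;;
        5.28) hardened_apache_flags | grep -q '^--pids-limit=' ;;
        5.29) hardened_apache_flags | grep -q '^--network=' ;;
        *) return 1 ;;
    esac
}

# Start the hardened container only when invoked as: sh hardened_apache.sh run
if [ "${1:-}" = "run" ]; then
    run_apache_hardened
fi
```

After starting the hardened container, rerunning the benchmark is the real verification: the section 5 lines for apache2 that warned above should turn into PASS, while 5.2 and 4.1 remain as explained.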
What do the checks look at?
The actual check logic is simply implemented under the tests directory, so that is the only place to look.
https://github.com/docker/docker-bench-security/tree/v1.3.5/tests
That said, this alone does not give the whole picture, so I produced a simple list.

```
$ grep desc_ tests/*.sh | fgrep -v '$desc' | perl -wp -e 's!.*:\s+(.+)!$1!; s!desc|"!!g; s!=! !; s!^_([^_]+\_[^_]+\_[^_]+?) (.+)! * $1 - $2!; s!^_([^_]+\_[^_]+?) (.+)! * $1 - $2!; s!^_([^_]+?) (.+)!* $1 - **$2**!;'
```

The result. I'll look through it at some point...
- 1 - Host Configuration
- 1_1 - General Configuration
- 1_1_1 - Ensure the container host has been Hardened
- 1_1_2 - Ensure Docker is up to date
- 1_2 - Linux Hosts Specific Configuration
- 1_2_1 - Ensure a separate partition for containers has been created
- 1_2_2 - Ensure only trusted users are allowed to control Docker daemon
- 1_2_3 - Ensure auditing is configured for the Docker daemon
- 1_2_4 - Ensure auditing is configured for Docker files and directories - /var/lib/docker
- 1_2_5 - Ensure auditing is configured for Docker files and directories - /etc/docker
- 1_2_6 - Ensure auditing is configured for Docker files and directories - docker.service
- 1_2_7 - Ensure auditing is configured for Docker files and directories - docker.socket
- 1_2_8 - Ensure auditing is configured for Docker files and directories - /etc/default/docker
- 1_2_9 - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker
- 1_2_10 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
- 1_2_11 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd
- 1_2_12 - Ensure auditing is configured for Docker files and directories - /usr/sbin/runc
- 1_1 - General Configuration
- 2 - Docker daemon configuration
- 2_1 - Ensure network traffic is restricted between containers on the default bridge
- 2_2 - Ensure the logging level is set to 'info'
- 2_3 - Ensure Docker is allowed to make changes to iptables
- 2_4 - Ensure insecure registries are not used
- 2_5 - Ensure aufs storage driver is not used
- 2_6 - Ensure TLS authentication for Docker daemon is configured
- 2_7 - Ensure the default ulimit is configured appropriately
- 2_8 - Enable user namespace support
- 2_9 - Ensure the default cgroup usage has been confirmed
- 2_10 - Ensure base device size is not changed until needed
- 2_11 - Ensure that authorization for Docker client commands is enabled
- 2_12 - Ensure centralized and remote logging is configured
- 2_13 - Ensure live restore is Enabled
- 2_14 - Ensure Userland Proxy is Disabled
- 2_15 - Ensure that a daemon-wide custom seccomp profile is applied if appropriate
- 2_16 - Ensure that experimental features are not implemented in production
- 2_17 - Ensure containers are restricted from acquiring new privileges
- 3 - Docker daemon configuration files
- 3_1 - Ensure that docker.service file ownership is set to root:root
- 3_2 - Ensure that docker.service file permissions are appropriately set
- 3_3 - Ensure that docker.socket file ownership is set to root:root
- 3_4 - Ensure that docker.socket file permissions are set to 644 or more restrictive
- 3_5 - Ensure that /etc/docker directory ownership is set to root:root
- 3_6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictive
- 3_7 - Ensure that registry certificate file ownership is set to root:root
- 3_8 - Ensure that registry certificate file permissions are set to 444 or more restrictive
- 3_9 - Ensure that TLS CA certificate file ownership is set to root:root
- 3_10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive
- 3_11 - Ensure that Docker server certificate file ownership is set to root:root
- 3_12 - Ensure that Docker server certificate file permissions are set to 444 or more restrictive
- 3_13 - Ensure that Docker server certificate key file ownership is set to root:root
- 3_14 - Ensure that Docker server certificate key file permissions are set to 400
- 3_15 - Ensure that Docker socket file ownership is set to root:docker
- 3_16 - Ensure that Docker socket file permissions are set to 660 or more restrictive
- 3_17 - Ensure that daemon.json file ownership is set to root:root
- 3_18 - Ensure that daemon.json file permissions are set to 644 or more restrictive
- 3_19 - Ensure that /etc/default/docker file ownership is set to root:root
- 3_20 - Ensure that the /etc/sysconfig/docker file ownership is set to root:root
- 3_21 - Ensure that /etc/sysconfig/docker file permissions are set to 644 or more restrictive
- 3_22 - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive
- 4 - Container Images and Build File
- 4_1 - Ensure a user for the container has been created
- 4_2 - Ensure that containers use only trusted base images
- 4_3 - Ensure that unnecessary packages are not installed in the container
- 4_4 - Ensure images are scanned and rebuilt to include security patches
- 4_5 - Ensure Content trust for Docker is Enabled
- 4_6 - Ensure that HEALTHCHECK instructions have been added to container images
- 4_7 - Ensure update instructions are not used alone in the Dockerfile
- 4_8 - Ensure setuid and setgid permissions are removed
- 4_9 - Ensure that COPY is used instead of ADD in Dockerfiles
- 4_10 - Ensure secrets are not stored in Dockerfiles
- 4_11 - Ensure only verified packages are installed
- 5 - Container Runtime
- 5_1 - Ensure that, if applicable, an AppArmor Profile is enabled
- 5_2 - Ensure that, if applicable, SELinux security options are set
- 5_3 - Ensure Linux Kernel Capabilities are restricted within containers
- 5_4 - Ensure that privileged containers are not used
- 5_5 - Ensure sensitive host system directories are not mounted on containers
- 5_6 - Ensure sshd is not run within containers
- 5_7 - Ensure privileged ports are not mapped within containers
- 5_8 - Ensure that only needed ports are open on the container
- 5_9 - Ensure the host's network namespace is not shared
- 5_10 - Ensure that the memory usage for containers is limited
- 5_11 - Ensure CPU priority is set appropriately on the container
- 5_12 - Ensure that the container's root filesystem is mounted as read only
- 5_13 - Ensure that incoming container traffic is bound to a specific host interface
- 5_14 - Ensure that the 'on-failure' container restart policy is set to '5'
- 5_15 - Ensure the host's process namespace is not shared
- 5_16 - Ensure the host's IPC namespace is not shared
- 5_17 - Ensure that host devices are not directly exposed to containers
- 5_18 - Ensure that the default ulimit is overwritten at runtime if needed
- 5_19 - Ensure mount propagation mode is not set to shared
- 5_20 - Ensure the host's UTS namespace is not shared
- 5_21 - Ensure the default seccomp profile is not Disabled
- 5_22 - Ensure docker exec commands are not used with privileged option
- 5_23 - Ensure that docker exec commands are not used with the user=root option
- 5_24 - Ensure that cgroup usage is confirmed
- 5_25 - Ensure that the container is restricted from acquiring additional privileges
- 5_26 - Ensure that container health is checked at runtime
- 5_27 - Ensure that Docker commands always make use of the latest version of their image
- 5_28 - Ensure that the PIDs cgroup limit is used
- 5_29 - Ensure that Docker's default bridge 'docker0' is not used
- 5_30 - Ensure that the host's user namespaces are not shared
- 5_31 - Ensure that the Docker socket is not mounted inside any containers
- 6 - Docker Security Operations
- 6_1 - Ensure that image sprawl is avoided
- 6_2 - Ensure that container sprawl is avoided
- 7 - Docker Swarm Configuration
- 7_1 - Ensure swarm mode is not Enabled, if not needed
- 7_2 - Ensure that the minimum number of manager nodes have been created in a swarm
- 7_3 - Ensure that swarm services are bound to a specific host interface
- 7_4 - Ensure that all Docker swarm overlay networks are encrypted
- 7_5 - Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster
- 7_6 - Ensure that swarm manager is run in auto-lock mode
- 7_7 - Ensure that the swarm manager auto-lock key is rotated periodically
- 7_8 - Ensure that node certificates are rotated as appropriate
- 7_9 - Ensure that CA certificates are rotated as appropriate
- 7_10 - Ensure that management plane traffic is separated from data plane traffic
- 8 - Docker Enterprise Configuration
- 8_1 - Universal Control Plane Configuration
- 8_1_1 - Configure the LDAP authentication service
- 8_1_2 - Use external certificates
- 8_1_3 - Enforce the use of client certificate bundles for unprivileged users
- 8_1_4 - Configure applicable cluster role-based access control policies
- 8_1_5 - Enable signed image enforcement
- 8_1_6 - Set the Per-User Session Limit to a value of '3' or lower
- 8_1_7 - Set the 'Lifetime Minutes' and 'Renewal Threshold Minutes' values to '15' or lower and '0' respectively
- 8_2 - Docker Trusted Registry Configuration
- 8_2_1 - Enable image vulnerability scanning
- 99 - Community contributed checks
- c_2 - Ensure operations on legacy registry (v1) are Disabled
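An added example, not from this blog or from Docker Bench itself: a small Python checker that maps a handful of the section 2 daemon checks listed above to the daemon.json keys they inspect, run over a constructed stock configuration and a hardened one. It inspects only the static file; the real tool also reads the running daemon (docker info, process flags), so a setting passed on the dockerd command line would pass there but be reported as WARN here.

```python
import json

# Subset of Docker Bench section 2 checks that can be judged from daemon.json
# alone. Each entry: (check id from the list above, daemon.json key, Docker's
# default when the key is absent, value that satisfies the check).
# The mapping is constructed for this example, not Docker Bench's own logic.
SECTION2_CHECKS = [
    ("2_1",  "icc",               True,   False),  # restrict inter-container traffic
    ("2_2",  "log-level",         "info", "info"),
    ("2_3",  "iptables",          True,   True),
    ("2_13", "live-restore",      False,  True),
    ("2_14", "userland-proxy",    True,   False),
    ("2_16", "experimental",      False,  False),
    ("2_17", "no-new-privileges", False,  True),
]


def evaluate_daemon_json(text: str) -> dict:
    """Return {check_id: 'PASS' | 'WARN'} for the daemon.json content in text.

    An empty file is treated as an empty object, i.e. Docker's defaults.
    """
    cfg = json.loads(text) if text.strip() else {}
    results = {}
    for check_id, key, default, wanted in SECTION2_CHECKS:
        results[check_id] = "PASS" if cfg.get(key, default) == wanted else "WARN"
    # 2_8: user namespace support; any non-empty userns-remap counts as enabled
    results["2_8"] = "PASS" if cfg.get("userns-remap") else "WARN"
    # 2_4: insecure registries; an absent or empty list passes
    results["2_4"] = "WARN" if cfg.get("insecure-registries") else "PASS"
    return results


# Constructed samples: a near-stock daemon.json beside a hardened one.
WEAK = '{"log-level": "info"}'
HARDENED = json.dumps({
    "icc": False, "log-level": "info", "iptables": True,
    "userns-remap": "default", "live-restore": True,
    "userland-proxy": False, "experimental": False,
    "no-new-privileges": True, "insecure-registries": [],
})

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        res = evaluate_daemon_json(text)
        warns = sorted(k for k, v in res.items() if v == "WARN")
        print(f"{name}: {len(warns)} WARN -> {warns}")
```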