Docker Bench Security
1 Background
Docker, Inc. and the Center for Internet Security (CIS) jointly produced the CIS Docker Benchmark, a set of security best practices that lets Docker users audit the security of the container environments they deploy.
Docker provides Docker Bench for Security (docker-bench-security), a script that quickly checks whether a Docker installation is configured securely; its checks are derived from the CIS Docker Benchmark.
1.1 Main areas covered by the CIS Benchmark
- Host (general) configuration
- Docker daemon configuration
- Docker daemon configuration files
- Container images and build files
- Container runtime state
- Docker security operations
- Docker Swarm configuration
- Docker Enterprise configuration
1.2 Docker Bench for Security
1. Overview.
Docker Bench for Security (Docker-BS) is an automated checking tool; it is available at github.com/docker/docker-bench-security.
The Docker Bench project runs a series of environment checks based on the CIS security benchmark for Docker 1.11+ and reports potential configuration and security problems in the current Docker deployment.
2. docker run options used by the check command.
Option | Meaning |
---|---|
--pid=host | Share the host's PID namespace with the container; the bench needs this to inspect host processes (the daemon, sshd inside containers). |
--userns="" | User namespace mode for this container when userns-remap is enabled on the daemon; `host` opts the container out of remapping so it can still see host resources. |
--rm=true|false | Remove the container automatically when it exits (Docker releases before 1.13 did not allow this together with -d). |
--net="bridge" | Network mode: bridge, none, container:<name|id> (another container's network), host, or the name of an existing network. The bench uses host so it can inspect the daemon's listening sockets. |
--cap-add=[] | Add specific Linux capabilities to the container; the bench adds audit_control so that `auditctl -l` can read the host's audit rules (checks 1.5 to 1.13). |
2 Quick security check
$ docker run --rm --net host --pid host --userns host --cap-add audit_control \
-e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
-v /etc:/etc:ro \
-v /usr/bin/containerd:/usr/bin/containerd:ro \
-v /usr/bin/runc:/usr/bin/runc:ro \
-v /usr/lib/systemd:/usr/lib/systemd:ro \
-v /var/lib:/var/lib:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
--label docker_bench_security \
docker/docker-bench-security
# ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.4
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Community Edition Benchmark v1.1.0.
# ------------------------------------------------------------------------------
Initializing Thu Mar 23 14:06:33 UTC 2023
[INFO] 1 - Host Configuration
[WARN] 1.1 - Ensure a separate partition for containers has been created
[NOTE] 1.2 - Ensure the container host has been Hardened
[INFO] 1.3 - Ensure Docker is up to date
[INFO] * Using 23.0.1, verify is it up to date as deemed necessary
[INFO] * Your operating system vendor may provide support and security maintenance for Docker
[INFO] 1.4 - Ensure only trusted users are allowed to control Docker daemon
[INFO] * docker:x:991
[WARN] 1.5 - Ensure auditing is configured for the Docker daemon
[WARN] 1.6 - Ensure auditing is configured for Docker files and directories - /var/lib/docker
[WARN] 1.7 - Ensure auditing is configured for Docker files and directories - /etc/docker
[WARN] 1.8 - Ensure auditing is configured for Docker files and directories - docker.service
[WARN] 1.9 - Ensure auditing is configured for Docker files and directories - docker.socket
[INFO] 1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker
[INFO] * File not found
[WARN] 1.11 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
[INFO] 1.12 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd
[INFO] * File not found
[INFO] 1.13 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc
[INFO] * File not found
[INFO] 2 - Docker daemon configuration
[WARN] 2.1 - Ensure network traffic is restricted between containers on the default bridge
[PASS] 2.2 - Ensure the logging level is set to 'info'
[PASS] 2.3 - Ensure Docker is allowed to make changes to iptables
[PASS] 2.4 - Ensure insecure registries are not used
[PASS] 2.5 - Ensure aufs storage driver is not used
[INFO] 2.6 - Ensure TLS authentication for Docker daemon is configured
[INFO] * Docker daemon not listening on TCP
[INFO] 2.7 - Ensure the default ulimit is configured appropriately
[INFO] * Default ulimit doesn't appear to be set
[WARN] 2.8 - Enable user namespace support
[PASS] 2.9 - Ensure the default cgroup usage has been confirmed
[PASS] 2.10 - Ensure base device size is not changed until needed
[WARN] 2.11 - Ensure that authorization for Docker client commands is enabled
[WARN] 2.12 - Ensure centralized and remote logging is configured
[INFO] 2.13 - Ensure operations on legacy registry (v1) are Disabled (Deprecated)
[WARN] 2.14 - Ensure live restore is Enabled
[WARN] 2.15 - Ensure Userland Proxy is Disabled
[INFO] 2.16 - Ensure daemon-wide custom seccomp profile is applied, if needed
[PASS] 2.17 - Ensure experimental features are avoided in production
[WARN] 2.18 - Ensure containers are restricted from acquiring new privileges
[INFO] 3 - Docker daemon configuration files
[PASS] 3.1 - Ensure that docker.service file ownership is set to root:root
[PASS] 3.2 - Ensure that docker.service file permissions are set to 644 or more restrictive
[PASS] 3.3 - Ensure that docker.socket file ownership is set to root:root
[PASS] 3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive
[PASS] 3.5 - Ensure that /etc/docker directory ownership is set to root:root
[PASS] 3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictive
[INFO] 3.7 - Ensure that registry certificate file ownership is set to root:root
[INFO] * Directory not found
[INFO] 3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictive
[INFO] * Directory not found
[INFO] 3.9 - Ensure that TLS CA certificate file ownership is set to root:root
[INFO] * No TLS CA certificate found
[INFO] 3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive
[INFO] * No TLS CA certificate found
[INFO] 3.11 - Ensure that Docker server certificate file ownership is set to root:root
[INFO] * No TLS Server certificate found
[INFO] 3.12 - Ensure that Docker server certificate file permissions are set to 444 or more restrictive
[INFO] * No TLS Server certificate found
[INFO] 3.13 - Ensure that Docker server certificate key file ownership is set to root:root
[INFO] * No TLS Key found
[INFO] 3.14 - Ensure that Docker server certificate key file permissions are set to 400
[INFO] * No TLS Key found
[PASS] 3.15 - Ensure that Docker socket file ownership is set to root:docker
[PASS] 3.16 - Ensure that Docker socket file permissions are set to 660 or more restrictive
[PASS] 3.17 - Ensure that daemon.json file ownership is set to root:root
[PASS] 3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive
[INFO] 3.19 - Ensure that /etc/default/docker file ownership is set to root:root
[INFO] * File not found
[INFO] 3.20 - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive
[INFO] * File not found
[INFO] 4 - Container Images and Build File
[WARN] 4.1 - Ensure a user for the container has been created
[WARN] * Running as root: laughing_lamarr
[NOTE] 4.2 - Ensure that containers use trusted base images
[NOTE] 4.3 - Ensure unnecessary packages are not installed in the container
[NOTE] 4.4 - Ensure images are scanned and rebuilt to include security patches
[WARN] 4.5 - Ensure Content trust for Docker is Enabled
[WARN] 4.6 - Ensure HEALTHCHECK instructions have been added to the container image
[WARN] * No Healthcheck found: [kingbase:v8r6]
[WARN] * No Healthcheck found: [sshd:latest]
[WARN] * No Healthcheck found: [centos:7.2.1511]
[PASS] 4.7 - Ensure update instructions are not use alone in the Dockerfile
[NOTE] 4.8 - Ensure setuid and setgid permissions are removed in the images
[INFO] 4.9 - Ensure COPY is used instead of ADD in Dockerfile
[INFO] * ADD in image history: [kingbase:v8r6]
[INFO] * ADD in image history: [sshd:latest]
[INFO] * ADD in image history: [centos:7.2.1511]
[INFO] * ADD in image history: [docker/docker-bench-security:latest]
[NOTE] 4.10 - Ensure secrets are not stored in Dockerfiles
[NOTE] 4.11 - Ensure verified packages are only Installed
[INFO] 5 - Container Runtime
[WARN] 5.1 - Ensure AppArmor Profile is Enabled
[WARN] * No AppArmorProfile Found: kingbase
[WARN] * No AppArmorProfile Found: laughing_lamarr
[WARN] 5.2 - Ensure SELinux security options are set, if applicable
[WARN] * No SecurityOptions Found: laughing_lamarr
[PASS] 5.3 - Ensure Linux Kernel Capabilities are restricted within containers
[WARN] 5.4 - Ensure privileged containers are not used
[WARN] * Container running in Privileged mode: kingbase
[PASS] 5.5 - Ensure sensitive host system directories are not mounted on containers
[WARN] 5.6 - Ensure ssh is not run within containers
[WARN] * Container running sshd: laughing_lamarr
[PASS] 5.7 - Ensure privileged ports are not mapped within containers
[NOTE] 5.8 - Ensure only needed ports are open on the container
[PASS] 5.9 - Ensure the host's network namespace is not shared
[WARN] 5.10 - Ensure memory usage for container is limited
[WARN] * Container running without memory restrictions: kingbase
[WARN] * Container running without memory restrictions: laughing_lamarr
[WARN] 5.11 - Ensure CPU priority is set appropriately on the container
[WARN] * Container running without CPU restrictions: kingbase
[WARN] * Container running without CPU restrictions: laughing_lamarr
[WARN] 5.12 - Ensure the container's root filesystem is mounted as read only
[WARN] * Container running with root FS mounted R/W: kingbase
[WARN] * Container running with root FS mounted R/W: laughing_lamarr
[WARN] 5.13 - Ensure incoming container traffic is binded to a specific host interface
[WARN] * Port being bound to wildcard IP: 0.0.0.0 in kingbase
[WARN] * Port being bound to wildcard IP: 0.0.0.0 in laughing_lamarr
[WARN] 5.14 - Ensure 'on-failure' container restart policy is set to '5'
[WARN] * MaximumRetryCount is not set to 5: kingbase
[WARN] * MaximumRetryCount is not set to 5: laughing_lamarr
[PASS] 5.15 - Ensure the host's process namespace is not shared
[PASS] 5.16 - Ensure the host's IPC namespace is not shared
[PASS] 5.17 - Ensure host devices are not directly exposed to containers
[INFO] 5.18 - Ensure the default ulimit is overwritten at runtime, only if needed
[INFO] * Container no default ulimit override: kingbase
[INFO] * Container no default ulimit override: laughing_lamarr
[PASS] 5.19 - Ensure mount propagation mode is not set to shared
[PASS] 5.20 - Ensure the host's UTS namespace is not shared
[PASS] 5.21 - Ensure the default seccomp profile is not Disabled
[NOTE] 5.22 - Ensure docker exec commands are not used with privileged option
[NOTE] 5.23 - Ensure docker exec commands are not used with user option
[PASS] 5.24 - Ensure cgroup usage is confirmed
[WARN] 5.25 - Ensure the container is restricted from acquiring additional privileges
[WARN] * Privileges not restricted: kingbase
[WARN] * Privileges not restricted: laughing_lamarr
[WARN] 5.26 - Ensure container health is checked at runtime
[WARN] * Health check not set: kingbase
[WARN] * Health check not set: laughing_lamarr
[INFO] 5.27 - Ensure docker commands always get the latest version of the image
[WARN] 5.28 - Ensure PIDs cgroup limit is used
[WARN] * PIDs limit not set: kingbase
[WARN] * PIDs limit not set: laughing_lamarr
[INFO] 5.29 - Ensure Docker's default bridge docker0 is not used
[INFO] * Container in docker0 network: laughing_lamarr
[INFO] * Container in docker0 network: kingbase
[PASS] 5.30 - Ensure the host's user namespaces is not shared
[PASS] 5.31 - Ensure the Docker socket is not mounted inside any containers
[INFO] 6 - Docker Security Operations
[INFO] 6.1 - Avoid image sprawl
[INFO] * There are currently: 8 images
[INFO] * Only 3 out of 8 are in use
[INFO] 6.2 - Avoid container sprawl
[INFO] * There are currently a total of 3 containers, with 3 of them currently running
[INFO] 7 - Docker Swarm Configuration
[PASS] 7.1 - Ensure swarm mode is not Enabled, if not needed
[PASS] 7.2 - Ensure the minimum number of manager nodes have been created in a swarm (Swarm mode not enabled)
[PASS] 7.3 - Ensure swarm services are binded to a specific host interface (Swarm mode not enabled)
[PASS] 7.4 - Ensure data exchanged between containers are encrypted on different nodes on the overlay network
[PASS] 7.5 - Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster (Swarm mode not enabled)
[PASS] 7.6 - Ensure swarm manager is run in auto-lock mode (Swarm mode not enabled)
[PASS] 7.7 - Ensure swarm manager auto-lock key is rotated periodically (Swarm mode not enabled)
[PASS] 7.8 - Ensure node certificates are rotated as appropriate (Swarm mode not enabled)
[PASS] 7.9 - Ensure CA certificates are rotated as appropriate (Swarm mode not enabled)
[PASS] 7.10 - Ensure management plane traffic has been separated from data plane traffic (Swarm mode not enabled)
[INFO] Checks: 105
[INFO] Score: 10
Editor's note: every line of the output carries a marker that indicates how serious the finding is. As a rule, aim to eliminate every WARN.
3 Reading the output
1. Markers.
Marker | Meaning |
---|---|
PASS | The check passed and needs no attention; the more PASS lines, the better. |
WARN | A finding that should be fixed. |
INFO | Review and fix if the item is relevant to your configuration and security requirements. |
NOTE | Advice the script cannot verify automatically (for example, whether the host has been hardened); review it manually. |
Indented lines beginning with `*` under a check name the specific container, image or file that triggered it, for example `Container running in Privileged mode: kingbase` under 5.4.
2. Categories.
Category | Meaning |
---|---|
[INFO] 1 - Host Configuration | Host machine configuration. |
[INFO] 2 - Docker daemon configuration | Docker Engine (daemon) configuration. |
[INFO] 3 - Docker daemon configuration files | Docker Engine configuration files. |
[INFO] 4 - Container Images and Build File | Container images and build files (Dockerfiles). |
[INFO] 5 - Container Runtime | Running containers. |
[INFO] 6 - Docker Security Operations | Docker security operations (image and container sprawl). |
[INFO] 7 - Docker Swarm Configuration | Swarm mode configuration; every item passes here because swarm mode is not enabled. |
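To turn a saved report into a worklist, the script below (an added example, not part of docker-bench-security) counts the top-level checks per marker, prints the WARN checks together with their `*` detail lines, and recomputes a score. The embedded report excerpt is constructed from lines of the run above; `strip_ansi` is for reports captured from a colour terminal; the PASS-minus-WARN scoring rule is an assumption about the tool's counter, so compare its result with the tool's own Score line.

```shell
#!/bin/sh
# Summarise a docker-bench-security report (added example, not part of the
# tool). Works on plain-text output such as the run above; pipe a report
# captured from a colour terminal through strip_ansi first.

# Remove ANSI colour escapes such as "\033[1;31m" from stdin.
strip_ansi() {
  esc=$(printf '\033')
  sed "s/${esc}\\[[0-9;]*m//g"
}

# Only lines whose second field is a check id such as "5.4" are individual
# checks; section headers ("1 - Host Configuration"), "* detail" lines and
# the trailing Checks/Score lines are skipped.
summarize_report() {
  awk '
    $1 ~ /^\[(PASS|WARN|INFO|NOTE)\]$/ && $2 ~ /^[0-9]+\.[0-9]+$/ {
      marker = substr($1, 2, length($1) - 2)
      count[marker]++
    }
    END {
      # Assumed scoring rule: +1 per PASS, -1 per WARN, INFO/NOTE neutral.
      printf "PASS=%d WARN=%d INFO=%d NOTE=%d SCORE=%d\n",
             count["PASS"], count["WARN"], count["INFO"], count["NOTE"],
             count["PASS"] - count["WARN"]
    }'
}

# Print the WARN checks plus the "* detail" lines that follow them, which
# name the container, image or file that triggered each finding.
list_warn_findings() {
  awk '
    $1 == "[WARN]" && $2 ~ /^[0-9]+\.[0-9]+$/ { inwarn = 1; print; next }
    $2 == "*" && inwarn { print; next }
    { inwarn = 0 }'
}

# Constructed sample: a handful of lines taken from the run above.
sample_report() {
  cat <<'EOF'
[INFO] 1 - Host Configuration
[WARN] 1.1 - Ensure a separate partition for containers has been created
[NOTE] 1.2 - Ensure the container host has been Hardened
[INFO] 1.3 - Ensure Docker is up to date
[INFO]      * Using 23.0.1, verify is it up to date as deemed necessary
[INFO] 2 - Docker daemon configuration
[WARN] 2.1 - Ensure network traffic is restricted between containers on the default bridge
[PASS] 2.2 - Ensure the logging level is set to 'info'
[PASS] 2.3 - Ensure Docker is allowed to make changes to iptables
[PASS] 2.4 - Ensure insecure registries are not used
[INFO] 2.6 - Ensure TLS authentication for Docker daemon is configured
[INFO]      * Docker daemon not listening on TCP
[WARN] 5.4 - Ensure privileged containers are not used
[WARN]      * Container running in Privileged mode: kingbase
[PASS] 5.5 - Ensure sensitive host system directories are not mounted on containers
[INFO] Checks: 105
[INFO] Score: 10
EOF
}

# With a real report saved from the command in section 2
# (docker run ... docker/docker-bench-security > bench.log):
#   strip_ansi < bench.log | summarize_report
#   strip_ansi < bench.log | list_warn_findings
sample_report | summarize_report
sample_report | list_warn_findings
```

On the sample the summary line is `PASS=4 WARN=3 INFO=2 NOTE=1 SCORE=1`, and the WARN list gives the three checks to fix plus the container (`kingbase`) behind 5.4.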
4 Score
The report ends with the number of checks run and a score for the current Docker host, for example 15:
[INFO] Checks: 105
[INFO] Score: 15
The full report in section 2 ended with Score: 10; the score is recomputed on every run and rises as WARN findings are fixed, so it is most useful for comparing runs of the same tool version on the same host.
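Raising the score means removing WARN findings. The script below (an added example, not from docker-bench-security or the CIS document) writes the daemon and auditd settings that address the WARN items in sections 1 and 2 of the report above, and wraps `docker run` with the per-container flags that address the section 5 findings. The syslog endpoint, the `appnet` network, port 8080, the uid and the resource limits are placeholders to adapt; `write_hardening_files` takes a root directory argument so the files can be previewed in a scratch directory before being written to `/` as root, and `DOCKER=echo` previews the run command without starting anything.

```shell
#!/bin/sh
# Remediation helpers for the WARN findings above (added example, not part of
# docker-bench-security). Each setting is tagged with the check it addresses.

# Write /etc/docker/daemon.json and an auditd rule file below $1 (default:
# the real filesystem, which needs root). Existing files are overwritten.
write_hardening_files() {
  root=${1:-}
  mkdir -p "$root/etc/docker" "$root/etc/audit/rules.d"

  # 2.1  icc=false: containers on docker0 cannot reach each other unlinked
  # 2.8  userns-remap: container root maps to an unprivileged host uid range
  # 2.12 log-driver: ship logs off the host (syslog endpoint is a placeholder)
  # 2.14 live-restore: containers keep running across a daemon restart
  # 2.15 userland-proxy=false: publish ports with iptables rules only
  # 2.18 no-new-privileges: default for every container this daemon starts
  cat > "$root/etc/docker/daemon.json" <<'EOF'
{
  "icc": false,
  "userns-remap": "default",
  "log-driver": "syslog",
  "log-opts": { "syslog-address": "tcp://logs.example.internal:514" },
  "live-restore": true,
  "userland-proxy": false,
  "no-new-privileges": true
}
EOF

  # 1.5-1.11: watch the daemon binary, its data, its config and its unit
  # files. Load with `augenrules --load` (or restart auditd); the bench reads
  # these back with `auditctl -l`, hence its --cap-add audit_control.
  cat > "$root/etc/audit/rules.d/docker.rules" <<'EOF'
-w /usr/bin/dockerd -k docker
-w /var/lib/docker -k docker
-w /etc/docker -k docker
-w /usr/lib/systemd/system/docker.service -k docker
-w /usr/lib/systemd/system/docker.socket -k docker
-w /etc/docker/daemon.json -k docker
EOF
}

# Start a container with the runtime flags that clear the section 5 WARNs.
# Assumes the image listens on 8080 and has curl for the health probe, and
# that the network APP_NETWORK exists (docker network create appnet).
#   4.1  --user: do not run as root inside the container
#   5.3  --cap-drop ALL: add back only what the workload proves it needs
#   5.10 --memory, 5.11 --cpu-shares, 5.28 --pids-limit: resource limits
#   5.12 --read-only (+ tmpfs for scratch space)
#   5.13 -p 127.0.0.1:...: do not bind published ports on 0.0.0.0
#   5.14 --restart on-failure:5
#   5.25 --security-opt no-new-privileges
#   5.26 --health-cmd: runtime health check
#   5.29 --network: a user-defined network instead of docker0
hardened_run() {
  image=$1; shift
  "${DOCKER:-docker}" run -d \
    --user 1000:1000 \
    --cap-drop ALL \
    --security-opt no-new-privileges \
    --read-only --tmpfs /tmp \
    --memory 512m --cpu-shares 512 --pids-limit 100 \
    --restart on-failure:5 \
    --network "${APP_NETWORK:-appnet}" \
    -p 127.0.0.1:8080:8080 \
    --health-cmd 'curl -fsS http://127.0.0.1:8080/ || exit 1' \
    --health-interval 30s \
    "$image" "$@"
}

# Preview in a scratch directory, then apply for real:
#   write_hardening_files /tmp/preview && cat /tmp/preview/etc/docker/daemon.json
#   DOCKER=echo hardened_run myimage:1.0
#   sudo sh -c 'write_hardening_files && augenrules --load && systemctl restart docker'
```

Caveats a practitioner should weigh before applying this: `userns-remap` hides images and containers created before it was enabled (they live under a different subdirectory of `/var/lib/docker`), and it is why the bench command on this page passes `--userns host`; `live-restore` is not supported in swarm mode; 2.11 needs an authorization plugin and is not covered here; 5.1 and 5.2 depend on the host's LSM (an AppArmor distribution applies `docker-default` to unprivileged containers automatically, while an SELinux host needs `"selinux-enabled": true` in daemon.json); and a container such as `kingbase` that currently runs with `--privileged` (5.4) should be given the specific `--cap-add` or `--device` it needs instead.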