
How to automate Docker security audits with Docker Bench for Security – CloudSavvy IT


Docker is useful, but it can also be a security risk. It is important to protect Docker Engine from potential threats, especially if you have a Docker host in production.

Docker Bench for Security is an automated script that helps you diagnose problems with your configuration. The Bench script scans your host to find weaknesses in your Docker Engine configuration. It is provided by Docker itself as an open-source security auditing tool.

Run the script

The easiest way to use Docker Bench is to download the script and run it immediately. You can inspect it on GitHub if you are concerned about its content.
Use Git to clone the Bench repository, then run the script with your shell. Docker Bench must be run with sudo, because it includes checks that require root access.

git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
sudo sh docker-bench-security.sh

You will see the audit results displayed in your terminal. Scanning takes a few seconds. It may take a minute or more if you use a lot of containers.

Understand the report

The report is color-coded so you can identify problems quickly. Blue INFO lines are log entries that mark the different scan sections. A green PASS line indicates that your system has passed the check. Red WARN lines indicate a possible vulnerability.

Docker Bench performs a total of more than 200 individual checks. The full list is available in the project’s GitHub repository. Here’s how tests are categorized.

Host configuration

This group of tests focuses on weaknesses in your host's configuration. It checks for auditing of the Docker directories, use of a separate partition for containers, and installation of an up-to-date Docker version.

Daemon configuration

The daemon-oriented tests verify that the Docker socket is not exposed over an unsecured connection. Network traffic between containers on the default bridge network should be restricted, and insecure registries removed.

This section also looks for inappropriate container privileges. Containers should not be able to gain new privileges, since that could let an attacker escape the container.

The next section, Docker daemon configuration files, has a similar focus. It ensures that the Docker installation folder and the Unix socket have the correct permissions and ownership. Docker's files should be owned by root:root with restrictive permissions of 644.

Container images

Docker Bench performs a basic check of the Dockerfiles for your known images. It looks for dedicated container users, the presence of HEALTHCHECK instructions, and the use of Content Trust to verify image integrity.

This test section also displays warnings to remind you of basic steps for hardening images. Use trusted base images, apply new security patches, and avoid installing unnecessary packages. These measures help to remove vulnerabilities within containers.

Container runtime

The Container Runtime tests inspect your active containers. This section contains more than 30 tests, ranging from the availability of SELinux and AppArmor to the use of appropriate file system mounts and network options.

You will drop points if you use privileged containers or mount the Docker socket in a container. Containers should not be able to gain additional rights or disrupt the host system.

Bench also looks for active SSH servers within containers. This is not recommended, as direct access to containers should be avoided. It is preferable to use docker exec from the host to interact with containers.

Additional tests look at the use of CPU and memory limits. An unlimited container can consume excessive resources and eventually exhaust memory on the host. Network checks flag both the exposure of unused ports and requests to map privileged host ports to containers.

Docker Swarm

Docker Bench includes an additional section for Docker Swarm users. It focuses on flagging unsecured secrets and certificates that are not being rotated properly. It also checks for correct network configuration, including the use of encrypted overlay networks.

The Swarm section will give a warning if Swarm mode is enabled but not actually in use. If you don’t plan on using Swarm, disable it by running docker swarm leave --force.

Address common problems

Most Docker hosts will issue several warnings if you have not taken any active steps to harden them. Here are some measures you can take to address some of the most common Docker Bench reports.

Enable auditing for Docker files

Docker recommends using system-level auditing for important Docker folders. Auditing records all operations that affect audited files and folders. This allows you to track potentially destructive changes.

Make sure you have auditd installed. Edit /etc/audit/audit.rules and add the following lines to the bottom of the file:

-w /etc/default/docker -p wa
-w /etc/docker -p wa
-w /etc/docker/daemon.json -p wa
-w /lib/systemd/system/docker.service -p wa
-w /lib/systemd/system/docker.socket -p wa
-w /usr/bin/docker -p wa
-w /usr/bin/docker-containerd -p wa
-w /usr/bin/docker-runc -p wa
-w /var/lib/docker -p wa

The -p wa instruction means that auditd records writes and attribute changes that affect the files. If your Docker Bench output suggests auditing additional folders, add them to the list as well; Docker's folders can change over time.

You have to restart auditd to apply your changes:

sudo systemctl restart auditd
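Before restarting auditd, it is worth confirming that every path in the list above is actually covered. The following shell function is an added example, not part of the article or of Docker Bench: it reads an audit rules file and prints each Docker path that is not watched for both writes and attribute changes.

```shell
#!/bin/sh
# Added example (not from the article or Docker Bench): check an auditd rules
# file for the Docker watch rules listed above and print the paths that are
# not yet watched for both writes (w) and attribute changes (a).

# Paths from the article's rule list.
DOCKER_AUDIT_PATHS="/etc/default/docker /etc/docker /etc/docker/daemon.json \
/lib/systemd/system/docker.service /lib/systemd/system/docker.socket \
/usr/bin/docker /usr/bin/docker-containerd /usr/bin/docker-runc /var/lib/docker"

# missing_audit_rules RULES_FILE
#   Prints one missing or under-watched path per line.
#   Returns 0 when every path is covered, 1 otherwise.
missing_audit_rules() {
    rules_file="$1"
    status=0
    for path in $DOCKER_AUDIT_PATHS; do
        # Skip comment lines, then take the -p field of the first "-w <path>" rule.
        # awk compares whole fields, so /etc/docker does not match /etc/docker/daemon.json.
        perms=$(grep -v '^[[:space:]]*#' "$rules_file" \
            | awk -v p="$path" '$1 == "-w" && $2 == p && $3 == "-p" { print $4; exit }')
        case "$perms" in
            *w*a* | *a*w*) ;;                 # both w and a present: covered
            *) echo "$path"; status=1 ;;      # no rule, or only one of w/a
        esac
    done
    return $status
}

# Usage on a real host:
#   missing_audit_rules /etc/audit/audit.rules && echo "all Docker paths audited"
#   After adding rules, apply them with: sudo systemctl restart auditd
```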

Reinforce the daemon

Docker Bench will usually find problems with your daemon configuration. Adding the following to /etc/docker/daemon.json will silence several common daemon warnings.

{
    "icc": false,
    "live-restore": true,
    "no-new-privileges": true,
    "userland-proxy": false,
    "userns-remap": "default"
}
  • icc: This prevents containers from communicating with each other over the default bridge network. Containers can only reach each other if they are explicitly linked with --link.
  • live-restore: Setting this allows containers to keep running even when the daemon stops. This is recommended in production environments where you want to keep downtime to a minimum.
  • no-new-privileges: This prevents processes in containers from gaining additional privileges, for example through setuid and setgid binaries.
  • userland-proxy: Turning this off means that iptables is used to route host port traffic to containers. Otherwise Docker's userland proxy process is used, which increases the attack surface of your daemon.
  • userns-remap: This enables user namespaces, so root in a container is mapped to a less privileged host user. This reduces the risk that a compromised container can run commands as root on your host. Using default instructs Docker to create a dedicated user account for this purpose.

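After editing daemon.json and restarting the daemon, it is easy to leave one key out or mistype a value. The following shell function is an added example, not the article's or Docker's code: it checks a daemon.json for the five settings above, assuming the simple one-setting-per-line layout shown in the article rather than arbitrary JSON.

```shell
#!/bin/sh
# Added example (not from the article or Docker): confirm that a daemon.json
# carries the hardening settings above. It uses grep only, so it assumes the
# one-setting-per-line layout shown in the article, not arbitrary JSON.

# Expected settings as key=value, taken from the article's daemon.json.
DAEMON_HARDENING='icc=false live-restore=true no-new-privileges=true userland-proxy=false userns-remap="default"'

# daemon_setting_ok FILE KEY VALUE -> 0 if a line "KEY": VALUE is present
daemon_setting_ok() {
    grep -Eq "^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*$3[[:space:]]*,?[[:space:]]*$" "$1"
}

# check_daemon_json FILE
#   Prints each setting that is missing or differs from the hardened value.
#   Returns 0 when all five are present with the expected value, 1 otherwise.
check_daemon_json() {
    file="$1"
    status=0
    for pair in $DAEMON_HARDENING; do
        key=${pair%%=*}
        value=${pair#*=}
        if ! daemon_setting_ok "$file" "$key" "$value"; then
            echo "$key should be $value"
            status=1
        fi
    done
    return $status
}

# Usage on a real host: check_daemon_json /etc/docker/daemon.json
```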

Customize report output

Docker Bench supports several flags that you can use to adjust the output:

  • -b: Turn off colors. Useful if you are running the script in a CI environment that does not support full ANSI output.
  • -p: Do not include suggested remedial actions. Useful if you want to focus on the warnings and reduce the noise in the output.
  • -l report.txt: Write output to report.txt instead of the terminal.
  • -c check_5.1, check_5.2: Only run checks 5.1 and 5.2. The test list is available on GitHub.
  • -e check_5.1, check_5.2: Exclude checks 5.1 and 5.2.

You can combine flags to create the report you need. If an entire section of checks doesn’t apply to you, consider creating a shell alias so that you can quickly run Docker Bench with a series of flags applied.
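In a CI pipeline the -b and -l flags above produce a plain-text report that can be parsed. The following shell functions are an added example, not part of the article or Docker Bench: they extract the check ids of the WARN lines from a saved report and fail the job when the count exceeds a limit. The sample report is constructed to mimic the "[WARN] <id> - <title>" line format, not real output.

```shell
#!/bin/sh
# Added example (not from the article or Docker Bench): summarise a report saved
# with "-b -l report.txt" and gate a CI job on the number of warnings. The sample
# report below is constructed to mimic Docker Bench's "[WARN] <id> - <title>" lines.

# warn_ids FILE -> prints the check id of every top-level [WARN] line
#   Indented "[WARN]      * ..." detail lines carry no id and are not counted.
warn_ids() {
    sed -n 's/^\[WARN\] *\([0-9][0-9.]*\) *- .*/\1/p' "$1"
}

# warn_count FILE -> number of warning checks (0 when there are none)
warn_count() {
    warn_ids "$1" | grep -c . || true
}

# bench_gate FILE MAX -> 0 if the report has at most MAX warning checks
bench_gate() {
    n=$(warn_count "$1")
    if [ "$n" -gt "$2" ]; then
        echo "Docker Bench: $n warning checks (limit $2):"
        warn_ids "$1" | sed 's/^/  check /'
        return 1
    fi
    return 0
}

# Constructed sample in Docker Bench's plain (-b) format; not real output.
SAMPLE_REPORT=$(mktemp)
cat > "$SAMPLE_REPORT" <<'EOF'
[INFO] 2 - Docker daemon configuration
[WARN] 2.1 - Ensure network traffic is restricted between containers on the default bridge
[PASS] 2.2 - Ensure the logging level is set to 'info'
[INFO] 5 - Container Runtime
[WARN] 5.4 - Ensure that privileged containers are not used
[WARN]      * Container running in Privileged mode: sample-app
[PASS] 5.5 - Ensure sensitive host system directories are not mounted on containers
EOF

# Usage in CI: bench_gate report.txt 0   # fail the job on any warning check
```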

Conclusion

Using the Docker Bench for Security script, you can find and fix security vulnerabilities in your Docker host. Addressing any warnings it issues will make your host stronger and improve your security posture.

Keep in mind that Docker Bench is not an exhaustive test. There are other aspects of maintaining Docker security that shouldn’t be overlooked either.

A compromised container can give attackers a foothold in your systems, even if you have strong host-level security. You can reduce this risk by using Docker Bench, in addition to active container vulnerability scanners such as Trivy and Clair. These will help you identify problems within your containers, such as obsolete dependencies that can be exploited.

While good security is always the goal, keep in mind that Docker Bench is aimed at production workloads. Not all checks are relevant to a developer's local Docker installation. Run the script, read the warnings, and assess which ones apply to your environment.
