Richard Spindler edited this page Feb 15, 2017 · 4 revisions

Docker

CIS benchmarks:

https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.13.0_Benchmark_v1.0.0.pdf

Information

The Docker security tests audit the host running Docker, i.e. the Docker plumbing: the daemon, its logging and monitoring, networking, the security settings of each container and the users allowed to talk to the daemon (see the test list below). They do not look inside the containers.

To audit the operating system inside a Docker container, use the usual Unix audit tests.

Example usage

List Docker reports:

$ sh ./lunar.sh -D

Docker Security Tests:

audit_docker_daemon
audit_docker_logging
audit_docker_monitoring
audit_docker_network
audit_docker_security
audit_docker_users

Perform a specific Docker report:

$ ./lunar.sh -s audit_docker_security

Running:   In audit mode (no changes will be made to system)
           Filesystem checks will not be done

Auditing:  Selecting audit_docker_security

# SYSTEM INFORMATION:

Platform:  i386
Vendor:    Apple
Name:      Darwin
Version:   10.12
Update:    4

Checking:  If node is managed
Notice:    Node is not managed

Checking:  Docker config parameter SecurityOpt has value <no value>
Warning:   Docker instance ffccbcf1bab366457c5e1ae8c717805848beb07734d042174f1bbdde896cb266 has parameter SecurityOpt set to <no value> [1 Warnings]
Warning:   Docker instance 2d89c5e69360335a2472523174b86722a9f6422b14fb2a6fe57cf5b6ada73769 has parameter SecurityOpt set to <no value> [2 Warnings]
Checking:  Docker config parameter SecurityOpt has value userns
Warning:   Docker instance ffccbcf1bab366457c5e1ae8c717805848beb07734d042174f1bbdde896cb266 parameter SecurityOpt does not include userns [3 Warnings]
Warning:   Docker instance 2d89c5e69360335a2472523174b86722a9f6422b14fb2a6fe57cf5b6ada73769 parameter SecurityOpt does not include userns [4 Warnings]
Checking:  Docker config parameter SecurityOpt has value no-new-privileges
Warning:   Docker instance ffccbcf1bab366457c5e1ae8c717805848beb07734d042174f1bbdde896cb266 parameter SecurityOpt does not include no-new-privileges [5 Warnings]
Warning:   Docker instance 2d89c5e69360335a2472523174b86722a9f6422b14fb2a6fe57cf5b6ada73769 parameter SecurityOpt does not include no-new-privileges [6 Warnings]
Checking:  Docker config parameter Privileged has value false
Secure:    Docker instance ffccbcf1bab366457c5e1ae8c717805848beb07734d042174f1bbdde896cb266 does not have parameter Privileged set to false [1 Passes]
Secure:    Docker instance 2d89c5e69360335a2472523174b86722a9f6422b14fb2a6fe57cf5b6ada73769 does not have parameter Privileged set to false [2 Passes]
Checking:  Docker config parameter AppArmorProfile has no value
Warning:   Docker instance ffccbcf1bab366457c5e1ae8c717805848beb07734d042174f1bbdde896cb266 has parameter AppArmorProfile set [7 Warnings]
Warning:   Docker instance 2d89c5e69360335a2472523174b86722a9f6422b14fb2a6fe57cf5b6ada73769 has parameter AppArmorProfile set [8 Warnings]
Checking:  Docker config parameter ReadonlyRootfs has value true
Warning:   Docker instance ffccbcf1bab366457c5e1ae8c717805848beb07734d042174f1bbdde896cb266 does not have parameter ReadonlyRootfs set to true [9 Warnings]
Warning:   Docker instance 2d89c5e69360335a2472523174b86722a9f6422b14fb2a6fe57cf5b6ada73769 does not have parameter ReadonlyRootfs set to true [10 Warnings]
Checking:  Docker config parameter PidMode has value host
Secure:    Docker instance ffccbcf1bab366457c5e1ae8c717805848beb07734d042174f1bbdde896cb266 does not have parameter PidMode set to host [3 Passes]
Secure:    Docker instance 2d89c5e69360335a2472523174b86722a9f6422b14fb2a6fe57cf5b6ada73769 does not have parameter PidMode set to host [4 Passes]
Checking:  Docker config parameter IpcMode has value host
Secure:    Docker instance ffccbcf1bab366457c5e1ae8c717805848beb07734d042174f1bbdde896cb266 does not have parameter IpcMode set to host [5 Passes]
Secure:    Docker instance 2d89c5e69360335a2472523174b86722a9f6422b14fb2a6fe57cf5b6ada73769 does not have parameter IpcMode set to host [6 Passes]
Checking:  Docker config parameter UsernsMode has value host
Secure:    Docker instance ffccbcf1bab366457c5e1ae8c717805848beb07734d042174f1bbdde896cb266 does not have parameter UsernsMode set to host [7 Passes]
Secure:    Docker instance 2d89c5e69360335a2472523174b86722a9f6422b14fb2a6fe57cf5b6ada73769 does not have parameter UsernsMode set to host [8 Passes]
Checking:  Docker config parameter Devices has no value
Secure:    Docker instance ffccbcf1bab366457c5e1ae8c717805848beb07734d042174f1bbdde896cb266 does not have parameter Devices set [9 Passes]
Secure:    Docker instance 2d89c5e69360335a2472523174b86722a9f6422b14fb2a6fe57cf5b6ada73769 does not have parameter Devices set [10 Passes]
Checking:  Docker config parameter Ulimits has value <no value>
Secure:    Docker instance ffccbcf1bab366457c5e1ae8c717805848beb07734d042174f1bbdde896cb266 does not have parameter Ulimits set to <no value> [11 Passes]
Secure:    Docker instance 2d89c5e69360335a2472523174b86722a9f6422b14fb2a6fe57cf5b6ada73769 does not have parameter Ulimits set to <no value> [12 Passes]
Checking:  Docker config parameter Propagation has value shared
Secure:    Docker instance ffccbcf1bab366457c5e1ae8c717805848beb07734d042174f1bbdde896cb266 does not have parameter Propagation set to shared [13 Passes]
Secure:    Docker instance 2d89c5e69360335a2472523174b86722a9f6422b14fb2a6fe57cf5b6ada73769 does not have parameter Propagation set to shared [14 Passes]
Checking:  Docker config parameter UTSMode has value shared
Secure:    Docker instance ffccbcf1bab366457c5e1ae8c717805848beb07734d042174f1bbdde896cb266 does not have parameter UTSMode set to shared [15 Passes]
Secure:    Docker instance 2d89c5e69360335a2472523174b86722a9f6422b14fb2a6fe57cf5b6ada73769 does not have parameter UTSMode set to shared [16 Passes]
Checking:  Docker config parameter CgroupParent has no value
Secure:    Docker instance ffccbcf1bab366457c5e1ae8c717805848beb07734d042174f1bbdde896cb266 does not have parameter CgroupParent set [17 Passes]
Secure:    Docker instance 2d89c5e69360335a2472523174b86722a9f6422b14fb2a6fe57cf5b6ada73769 does not have parameter CgroupParent set [18 Passes]
Checking:  Docker config parameter PidsLimit has value 0
Warning:   Docker instance ffccbcf1bab366457c5e1ae8c717805848beb07734d042174f1bbdde896cb266 has parameter PidsLimit set to 0 [11 Warnings]
Warning:   Docker instance 2d89c5e69360335a2472523174b86722a9f6422b14fb2a6fe57cf5b6ada73769 has parameter PidsLimit set to 0 [12 Warnings]
Checking:  Docker config parameter PidsLimit has value -1
Secure:    Docker instance ffccbcf1bab366457c5e1ae8c717805848beb07734d042174f1bbdde896cb266 does not have parameter PidsLimit set to -1 [19 Passes]
Secure:    Docker instance 2d89c5e69360335a2472523174b86722a9f6422b14fb2a6fe57cf5b6ada73769 does not have parameter PidsLimit set to -1 [20 Passes]
Checking:  Docker kernel parameter NET_ADMIN is unused
Secure:    Docker instance ffccbcf1bab366457c5e1ae8c717805848beb07734d042174f1bbdde896cb266 does not have capability NET_ADMIN [21 Passes]
Warning:   Docker instance ffccbcf1bab366457c5e1ae8c717805848beb07734d042174f1bbdde896cb266 does not forcibly capability NET_ADMIN [13 Warnings]
Secure:    Docker instance 2d89c5e69360335a2472523174b86722a9f6422b14fb2a6fe57cf5b6ada73769 does not have capability NET_ADMIN [22 Passes]
Warning:   Docker instance 2d89c5e69360335a2472523174b86722a9f6422b14fb2a6fe57cf5b6ada73769 does not forcibly capability NET_ADMIN [14 Warnings]
Checking:  Docker kernel parameter SYS_ADMIN is unused
Secure:    Docker instance ffccbcf1bab366457c5e1ae8c717805848beb07734d042174f1bbdde896cb266 does not have capability SYS_ADMIN [23 Passes]
Warning:   Docker instance ffccbcf1bab366457c5e1ae8c717805848beb07734d042174f1bbdde896cb266 does not forcibly capability SYS_ADMIN [15 Warnings]
Secure:    Docker instance 2d89c5e69360335a2472523174b86722a9f6422b14fb2a6fe57cf5b6ada73769 does not have capability SYS_ADMIN [24 Passes]
Warning:   Docker instance 2d89c5e69360335a2472523174b86722a9f6422b14fb2a6fe57cf5b6ada73769 does not forcibly capability SYS_ADMIN [16 Warnings]
Checking:  Docker kernel parameter SYS_MODULE is unused
Secure:    Docker instance ffccbcf1bab366457c5e1ae8c717805848beb07734d042174f1bbdde896cb266 does not have capability SYS_MODULE [25 Passes]
Warning:   Docker instance ffccbcf1bab366457c5e1ae8c717805848beb07734d042174f1bbdde896cb266 does not forcibly capability SYS_MODULE [17 Warnings]
Secure:    Docker instance 2d89c5e69360335a2472523174b86722a9f6422b14fb2a6fe57cf5b6ada73769 does not have capability SYS_MODULE [26 Passes]
Warning:   Docker instance 2d89c5e69360335a2472523174b86722a9f6422b14fb2a6fe57cf5b6ada73769 does not forcibly capability SYS_MODULE [18 Warnings]
Checking:  Docker socket mounted inside containers
Secure:    Docker socket is not mounter inside a container [27 Passes]

Tests:     45
Passes:    27
Warnings:  18

Perform all Docker reports:

$ ./lunar.sh -d
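To confirm a finding from audit_docker_security by hand (or to see what lunar is looking at), the same container properties can be read with `docker inspect`. The script below is an added example, not lunar's own code: the function names, the `--format` templates and the sample values in `sample_audit` are this example's assumptions, and the pass/warn rules are the ones visible in the lunar output above. Without `--live` it runs offline on two constructed value sets, a plain `docker run` container and a hardened one.

```shell
#!/bin/sh
# Added example, not lunar's own code: redo the audit_docker_security checks
# shown above by hand with `docker inspect`. Function names, --format templates
# and the values in sample_audit are this example's assumptions; the rules are
# the ones the lunar output applies. Each check_* takes a value as `docker
# inspect --format` prints it (a Go slice as "[a b]", an unset pointer as
# "<nil>") and echoes "Secure" or "Warning: <reason>".

# "[a b]" -> " a b ", so elements can be matched as whole words with *" x "*.
words() { printf ' %s ' "$1" | sed 's/[][]//g'; }

# {{.HostConfig.SecurityOpt}}: no-new-privileges blocks setuid/capability gains.
check_security_opt() {
  case "$(words "$1")" in
    *" no-new-privileges "*) echo "Secure" ;;
    *) echo "Warning: SecurityOpt does not include no-new-privileges" ;;
  esac
}

# $1 field name, $2 expected, $3 actual, for the booleans
# {{.HostConfig.Privileged}} (want false) and {{.HostConfig.ReadonlyRootfs}} (want true).
check_flag() {
  if [ "$3" = "$2" ]; then echo "Secure"; else echo "Warning: $1 is ${3:-unset}, expected $2"; fi
}

# {{.HostConfig.PidMode}} / IpcMode / UsernsMode: "host" shares that namespace.
check_not_host_namespace() {
  if [ "$2" = "host" ]; then echo "Warning: $1 is host"; else echo "Secure"; fi
}

# {{.HostConfig.PidsLimit}}: 0 means not set and -1 means unlimited, so both
# leave the container free to fork-bomb the host; lunar warns on both.
check_pids_limit() {
  case "$1" in
    0|-1|"<nil>"|"<no value>"|"") echo "Warning: PidsLimit is unlimited ($1)" ;;
    *) echo "Secure" ;;
  esac
}

# $1 capability, $2 {{.HostConfig.CapAdd}}, $3 {{.HostConfig.CapDrop}}. Docker
# accepts "NET_ADMIN" and "CAP_NET_ADMIN", so match either; an explicit add
# overrides "--cap-drop ALL", which is why it is tested first.
check_capability() {
  cap=$1; add=$(words "$2"); drop=$(words "$3")
  case "$add" in
    *" $cap "*|*" CAP_$cap "*) echo "Warning: capability $cap is added"; return 0 ;;
  esac
  case "$drop" in
    *" $cap "*|*" CAP_$cap "*|*" ALL "*|*" all "*) echo "Secure" ;;
    *) echo "Warning: capability $cap is not explicitly dropped" ;;
  esac
}

# {{range .Mounts}}{{.Source}} {{end}}: the socket is root on the host.
check_docker_socket() {
  case " $1 " in
    *"/var/run/docker.sock "*|*"/run/docker.sock "*) echo "Warning: Docker socket is mounted" ;;
    *) echo "Secure" ;;
  esac
}

# Live mode: run the checks on one container, one inspect call per field.
field() { docker inspect --format "$2" "$1"; }
audit_container() {
  id=$1; echo "== $id"
  check_security_opt "$(field "$id" '{{.HostConfig.SecurityOpt}}')"
  check_flag Privileged false "$(field "$id" '{{.HostConfig.Privileged}}')"
  check_flag ReadonlyRootfs true "$(field "$id" '{{.HostConfig.ReadonlyRootfs}}')"
  for ns in PidMode IpcMode UsernsMode; do
    check_not_host_namespace "$ns" "$(field "$id" "{{.HostConfig.$ns}}")"
  done
  check_pids_limit "$(field "$id" '{{.HostConfig.PidsLimit}}')"
  add=$(field "$id" '{{.HostConfig.CapAdd}}'); drop=$(field "$id" '{{.HostConfig.CapDrop}}')
  for cap in NET_ADMIN SYS_ADMIN SYS_MODULE; do check_capability "$cap" "$add" "$drop"; done
  check_docker_socket "$(field "$id" '{{range .Mounts}}{{.Source}} {{end}}')"
}

# Constructed values (no Docker needed): "default" is a plain `docker run`,
# "hardened" adds --security-opt no-new-privileges --read-only --pids-limit 100
# --cap-drop ALL. Each line printed starts with Secure or Warning.
sample_audit() {
  case "$1" in
    default)  secopt='[]';                  ro=false; pids=0;   drop='[]' ;;
    hardened) secopt='[no-new-privileges]'; ro=true;  pids=100; drop='[ALL]' ;;
  esac
  check_security_opt "$secopt"
  check_flag Privileged false false
  check_flag ReadonlyRootfs true "$ro"
  check_not_host_namespace PidMode ''
  check_pids_limit "$pids"
  check_capability NET_ADMIN '[]' "$drop"
  check_docker_socket ''
}

if [ "${1:-}" = "--live" ] && command -v docker >/dev/null 2>&1; then
  for id in $(docker ps -q); do audit_container "$id"; done
else
  echo "## default";  sample_audit default
  echo "## hardened"; sample_audit hardened
fi
```

Run it as `sh check_docker.sh` to see the two constructed samples side by side (four warnings for the default container, none for the hardened one), or `sh check_docker.sh --live` on a Docker host to walk every running container. The capability checks mirror lunar's two-sided test: a capability is flagged when it is added, and again when it is not dropped, since NET_ADMIN, SYS_ADMIN and SYS_MODULE are not in Docker's default set but a later `--cap-add` would silently grant them unless `--cap-drop ALL` is the baseline.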