How to Quickly Run a Basic Security Audit Against Docker & Secure the Host…
Examples run on Ubuntu 16.04.6 and using Docker version 18.09.5
Basic Install
sudo apt install docker.io
sudo systemctl start docker
sudo systemctl enable docker
sudo apt install git -y
Install Benchmark Security:
git clone https://github.com/docker/docker-bench-security.git
From the benchmark directory, run Benchmark against your Docker version.
cd docker-bench-security/
sudo ./docker-bench-security.sh
The output should look something like the below:
Note that WARN results should be treated like critical findings in any other vulnerability assessment tool. Equally, the INFO statements may be applicable depending on your environment, so do not ignore them.
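Because the WARN lines are the ones to treat as critical, it is useful to have a small filter that extracts the check IDs per result level from a run and fails when any WARN is present, so the audit can gate a build or a host rollout. The script below is an added example, not part of this post or of docker-bench-security itself. The embedded report is constructed to mimic the script's "[LEVEL] id  - description" lines (section headings like "1 - Host Configuration" have no dotted id), and the colour stripping assumes the ANSI sequences the script prints; the file name bench-summary.sh in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post or of docker-bench-security:
# pull the per-check results out of a docker-bench-security run, list the
# WARN checks, and fail when any are present so the audit can gate a build.
# SAMPLE_REPORT is constructed to mimic the script's "[LEVEL] id  - text"
# lines; real output also carries ANSI colour codes, which strip_ansi removes.

SAMPLE_REPORT='[INFO] 1 - Host Configuration
[WARN] 1.1  - Ensure a separate partition for containers has been created
[PASS] 1.2  - Ensure the container host has been Hardened
[INFO] 1.4  - Ensure Docker is up to date
[INFO]      * Using 18.09.5, verify is it up to date as deemed necessary
[WARN] 1.5  - Ensure auditing is configured for the Docker daemon
[INFO] 2 - Docker daemon configuration
[PASS] 2.1  - Ensure network traffic is restricted between containers on the default bridge
[NOTE] 2.5  - Ensure aufs storage driver is not used'

# strip_ansi: drop terminal colour sequences (ESC [ ... m) from stdin.
strip_ansi() {
    esc=$(printf '\033')
    sed "s/$esc\[[0-9;]*m//g"
}

# bench_ids LEVEL: print the ids of the individual checks reported at LEVEL
# (WARN, INFO, PASS, NOTE). Section headings such as "1 - Host Configuration"
# and the indented "* ..." detail lines have no dotted id and are left out.
bench_ids() {
    strip_ansi | awk -v lvl="[$1]" '$1 == lvl && $2 ~ /^[0-9]+\.[0-9]+$/ { print $2 }'
}

# bench_count LEVEL: number of individual checks at LEVEL.
bench_count() {
    bench_ids "$1" | wc -l | tr -d ' '
}

# bench_gate: read a report on stdin; print the WARN ids and return 1 if there
# are any, otherwise return 0. WARN is treated as a failing finding, as the
# post recommends.
bench_gate() {
    warns=$(bench_ids WARN)
    if [ -n "$warns" ]; then
        echo "WARN checks (treat as critical):" >&2
        printf '%s\n' "$warns" >&2
        return 1
    fi
    echo "no WARN checks" >&2
    return 0
}

# Usage (file name is an assumption):
#   sudo ./docker-bench-security.sh | sh bench-summary.sh gate
#   sudo ./docker-bench-security.sh -c host_configuration | sh bench-summary.sh ids INFO
#   sh bench-summary.sh demo      # runs the gate over the constructed sample
case "${1:-}" in
    gate) bench_gate ;;
    ids)  bench_ids "${2:-WARN}" ;;
    demo) printf '%s\n' "$SAMPLE_REPORT" | bench_gate ;;
esac
```

The gate deliberately ignores NOTE and INFO so it does not fail on environment-dependent items, but the ids subcommand lets you list those levels separately and review them by hand, as the post advises.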
Host Configuration
It’s particularly important to secure the host that you are running Docker on. To cut down the reams of output, pass the section name to the -c option of the command you just ran and you get only that section's findings.
sudo ./docker-bench-security.sh -c host_configuration
Several of the host configuration checks look for audit rules covering the Docker daemon and its files, so install the Linux audit daemon:
sudo apt install auditd -y
To check what rules are already set on your system, and what events have been recorded, run the following commands:
sudo auditctl -l
sudo aureport -l
Because we have not yet set any rules, there are no events, so the output should look like this:
Let’s set a quick rule, break the rule, and witness the event report:
sudo auditctl -w /usr/bin/dockerd -k docker
This command is a general rule. It says: watch (-w) this path and file (/usr/bin/dockerd), and tag every event generated by the rule with the key docker (-k), so those events can be found later by that key. If we rerun the auditctl utility now, it lists our rule.
After running a few random commands to test the rule, I could check the output with the following command:
sudo aureport -k
The number you see at the end of every event is its event ID.
To see information on an individual event, run the following command, replacing 102 with an event ID from your own report:
sudo ausearch --event 102 | sudo aureport -f -i
Do the same (a watch rule with the docker key) for all of the following files and directories, then copy the rules into /etc/audit/audit.rules:
- /etc/docker
- /etc/default/docker
- /etc/docker/daemon.json
- /var/lib/docker
- docker.service
- docker.socket
- /usr/bin/dockerd
- /usr/bin/docker-runc
- /usr/bin/docker-containerd
These rules, although applied in the right place and in working order, are not persistent. They will be removed upon a reboot or a restart of the audit daemon itself. Make the rules persistent:
sudo sh -c "auditctl -l >> /etc/audit/audit.rules"
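The steps above (add a watch rule per path, check what is loaded with auditctl -l, persist the rules) can be done in one pass. The script below is an added example and not part of the post: it builds the watch rules for the paths listed above, skips any that are not present on the host (auditctl refuses a watch on a path that does not exist, and the docker-runc and docker-containerd binaries are not present on every Docker version), loads them, and writes a persistent copy. Two things are assumptions not stated in the post: the docker.service and docker.socket unit files are taken to live under /lib/systemd/system, and a persistent rules file is written to /etc/audit/rules.d/docker.rules when that directory exists (newer auditd builds assemble audit.rules from it via augenrules), falling back to appending to /etc/audit/audit.rules as the post does.

```shell
#!/bin/sh
# Added example, not from the original post: build the auditd watch rules for
# the Docker paths listed above, load them, and persist them in one go.
# Assumptions (not stated on the page): the docker.service and docker.socket
# unit files live under /lib/systemd/system, and auditd assembles
# /etc/audit/audit.rules from /etc/audit/rules.d/*.rules (augenrules); when
# that directory is absent we append to audit.rules as the post does.

# The paths from the post, with the two unit names resolved to files.
DOCKER_AUDIT_PATHS="/etc/docker
/etc/default/docker
/etc/docker/daemon.json
/var/lib/docker
/lib/systemd/system/docker.service
/lib/systemd/system/docker.socket
/usr/bin/dockerd
/usr/bin/docker-runc
/usr/bin/docker-containerd"

# docker_audit_rules KEY [ROOT]
# Print one "-w PATH -k KEY" line per listed path that exists under ROOT
# (ROOT defaults to "", i.e. the real filesystem; a staging directory can be
# passed to preview the rules). Missing paths are reported on stderr and
# skipped, because auditctl rejects a watch on a path that does not exist.
docker_audit_rules() {
    key=$1
    root=${2:-}
    printf '%s\n' "$DOCKER_AUDIT_PATHS" | while IFS= read -r p; do
        [ -n "$p" ] || continue
        if [ -e "$root$p" ]; then
            printf '%s %s -k %s\n' -w "$p" "$key"
        else
            printf 'skip (not present): %s\n' "$p" >&2
        fi
    done
}

# loaded_rule_count KEY: how many rules carrying this key the running kernel
# holds, read back with "auditctl -l" exactly as the post does by hand.
loaded_rule_count() {
    auditctl -l 2>/dev/null | grep -c -- "-k $1" || true
}

# install_docker_audit_rules KEY: write the rules to a persistent file, then
# load them into the running kernel so no auditd restart is needed. Run as root.
install_docker_audit_rules() {
    key=${1:-docker}
    rules=$(docker_audit_rules "$key") || return 1
    [ -n "$rules" ] || { echo "no Docker paths present; nothing to do" >&2; return 1; }

    if [ -d /etc/audit/rules.d ]; then
        printf '%s\n' "$rules" > /etc/audit/rules.d/docker.rules
    else
        printf '%s\n' "$rules" >> /etc/audit/audit.rules
    fi

    printf '%s\n' "$rules" | while IFS= read -r line; do
        # Each line is a short list of auditctl flags; word splitting is intended.
        # shellcheck disable=SC2086
        auditctl $line >/dev/null || printf 'failed to load: %s\n' "$line" >&2
    done
    printf 'rules with key %s now loaded: %s\n' "$key" "$(loaded_rule_count "$key")"
}

# Usage (file name is an assumption):
#   sh docker-audit-rules.sh show             # preview the rules, nothing is changed
#   sudo sh docker-audit-rules.sh install     # persist and load them
case "${1:-}" in
    show)    docker_audit_rules "${2:-docker}" ;;
    install) install_docker_audit_rules "${2:-docker}" ;;
esac
```

After install, sudo aureport -k groups the recorded events by the docker key exactly as in the manual walkthrough above, and the loaded count printed at the end is the same number you would get from sudo auditctl -l by eye.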
There is a strange issue with check 1.5. I have no idea why, but simply adding in a letter d into the configuration file of bench-security sorts this out. See below:
nano tests/1_host_configuration.sh
Rerun the Host configuration audit check and see the difference from the original audit.
sudo ./docker-bench-security.sh -c host_configuration
Free Resources for Docker Security
- Docker security documentation.
- Benchmark documentation.
- Play with Docker tutorials.
- Can’t play with Docker on your host machine? Play with Docker in the browser.