Docker Bench for Security for Docker Daemon


Introduction

Result of Docker Bench for Security

Let’s start

🚨 2.1 — Ensure network traffic is restricted between containers on the default bridge

root@vagrant:/home/vagrant# cat /etc/docker/daemon.json
{
"icc": false
}
root@vagrant:/home/vagrant# systemctl daemon-reload
root@vagrant:/home/vagrant# systemctl restart docker

🚨 2.5 — Ensure aufs storage driver is not used

root@vagrant:/home/vagrant# sudo docker info | grep Storage
WARNING: No swap limit support
Storage Driver: aufs
root@vagrant:/home/vagrant# cat /etc/docker/daemon.json
{
"icc": false,
"storage-driver": "overlay2"
}
root@vagrant:/home/vagrant# systemctl restart docker

Keep in mind that the daemon stores data per storage driver, so after switching from aufs to overlay2 the images and containers created under aufs are no longer visible until they are pulled or rebuilt.

🚨 2.7 — Ensure the default ulimit is configured appropriately

root@vagrant:/home/vagrant# cat /etc/docker/daemon.json
{
"icc": false,
"storage-driver": "overlay2",
"default-ulimits": {
"nofile": {"Name": "nofile", "Hard": 64000, "Soft": 64000}
}
}
root@vagrant:/home/vagrant# systemctl restart docker

The key is default-ulimits and it takes a map of limit objects, each with Name, Hard and Soft; a bare boolean is not a valid value and dockerd refuses to start on it. The nofile values above are an illustrative choice, so pick limits that fit the workloads on the host.

🚨 2.8 — Enable user namespace support

root@vagrant:/home/vagrant# cat /etc/docker/daemon.json
{
"icc": false,
"storage-driver": "overlay2",
"default-ulimits": {
"nofile": {"Name": "nofile", "Hard": 64000, "Soft": 64000}
},
"userns-remap": "default"
}
root@vagrant:/home/vagrant# systemctl restart docker

With userns-remap enabled the daemon uses a fresh, remapped data directory under /var/lib/docker, so existing images and containers are not visible until they are pulled or recreated.

🚨 2.12 — Ensure centralized and remote logging is configured

root@vagrant:/home/vagrant# cat /etc/docker/daemon.json
{
"icc": false,
"storage-driver": "overlay2",
"default-ulimits": {
"nofile": {"Name": "nofile", "Hard": 64000, "Soft": 64000}
},
"userns-remap": "default",
"log-driver": "syslog",
"log-opts": {
"syslog-address": "tcp://127.0.0.1:514"
}
}
root@vagrant:/home/vagrant# systemctl restart docker

Note that 127.0.0.1 is the loopback address, so this forwards container logs to a syslog daemon on the same host; to meet the intent of the check (logs surviving the compromise or loss of the host), point syslog-address at the central log collector.

🚨 2.13 — Ensure live restore is Enabled

root@vagrant:/home/vagrant# cat /etc/docker/daemon.json
{
"icc": false,
"storage-driver": "overlay2",
"default-ulimits": {
"nofile": {"Name": "nofile", "Hard": 64000, "Soft": 64000}
},
"userns-remap": "default",
"log-driver": "syslog",
"log-opts": {
"syslog-address": "tcp://127.0.0.1:514"
},
"live-restore": true
}
root@vagrant:/home/vagrant# systemctl restart docker

🚨 2.14 — Ensure Userland Proxy is Disabled

root@vagrant:/home/vagrant# cat /etc/docker/daemon.json
{
"icc": false,
"storage-driver": "overlay2",
"default-ulimits": {
"nofile": {"Name": "nofile", "Hard": 64000, "Soft": 64000}
},
"userns-remap": "default",
"log-driver": "syslog",
"log-opts": {
"syslog-address": "tcp://127.0.0.1:514"
},
"live-restore": true,
"userland-proxy": false
}
root@vagrant:/home/vagrant# systemctl restart docker

🚨 2.17 — Ensure containers are restricted from acquiring new privileges

root@vagrant:/home/vagrant# cat /etc/docker/daemon.json
{
"icc": false,
"storage-driver": "overlay2",
"default-ulimits": {
"nofile": {"Name": "nofile", "Hard": 64000, "Soft": 64000}
},
"userns-remap": "default",
"log-driver": "syslog",
"log-opts": {
"syslog-address": "tcp://127.0.0.1:514"
},
"live-restore": true,
"userland-proxy": false,
"no-new-privileges": true
}
root@vagrant:/home/vagrant# systemctl restart docker
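Every step above is the same loop: edit daemon.json, restart, re-run the bench. The script below is an added example, not code from the original post and not part of Docker Bench for Security: it parses a daemon.json, rejects malformed JSON before anything is restarted (a missing comma or a bare boolean where a map belongs otherwise only shows up as dockerd failing to come back), and reports each daemon setting covered on this page with a PASS, WARN or FAIL. The two embedded configurations are constructed samples, and the nofile limit values in them are an illustrative choice.

```python
import json
from urllib.parse import urlparse

# Constructed sample: the final daemon.json from the walkthrough, with the
# default-ulimits map in place (the nofile values are illustrative).
SAMPLE_DAEMON_JSON = """{
  "icc": false,
  "storage-driver": "overlay2",
  "default-ulimits": {
    "nofile": {"Name": "nofile", "Hard": 64000, "Soft": 64000}
  },
  "userns-remap": "default",
  "log-driver": "syslog",
  "log-opts": {"syslog-address": "tcp://127.0.0.1:514"},
  "live-restore": true,
  "userland-proxy": false,
  "no-new-privileges": true
}"""

# Constructed sample with a missing comma after userns-remap: dockerd will not
# start on this, so catch it before the restart.
BROKEN_DAEMON_JSON = """{
  "icc": false,
  "userns-remap": "default"
  "log-driver": "syslog"
}"""

LOOPBACK_HOSTS = {None, "", "localhost", "127.0.0.1", "::1"}


def load_daemon_config(text):
    """Parse daemon.json text, reporting the exact position of a syntax error."""
    try:
        return json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(
            f"daemon.json is not valid JSON: {exc.msg} at line {exc.lineno}, column {exc.colno}"
        ) from exc


def audit_daemon_config(cfg):
    """Return (check_id, status, detail) tuples for the daemon checks on this page.
    status is PASS, WARN (needs a manual look) or FAIL."""
    findings = []

    def add(check_id, status, detail):
        findings.append((check_id, status, detail))

    # 2.1: icc defaults to true when absent, so it must be explicitly false.
    add("2.1", "PASS" if cfg.get("icc") is False else "FAIL",
        "icc=false blocks traffic between containers on the default bridge")

    # 2.5: aufs is the failing driver; an unpinned driver needs 'docker info' to confirm.
    driver = cfg.get("storage-driver")
    if driver == "aufs":
        add("2.5", "FAIL", "storage-driver is aufs")
    elif driver is None:
        add("2.5", "WARN", "storage-driver not pinned; confirm with 'docker info'")
    else:
        add("2.5", "PASS", f"storage-driver is {driver}")

    # 2.7: the key is default-ulimits and it maps limit names to {Name, Hard, Soft}.
    # dockerd rejects unknown keys, so the singular misspelling is a hard failure.
    if "default-ulimit" in cfg:
        add("2.7", "FAIL", "'default-ulimit' is not a dockerd option; the key is 'default-ulimits'")
    else:
        limits = cfg.get("default-ulimits")
        well_formed = isinstance(limits, dict) and limits and all(
            isinstance(v, dict) and {"Name", "Hard", "Soft"} <= set(v) for v in limits.values())
        add("2.7", "PASS" if well_formed else "FAIL",
            "default-ulimits must map limit names to {Name, Hard, Soft} objects")

    # 2.8: any non-empty userns-remap value turns on user namespace remapping.
    add("2.8", "PASS" if cfg.get("userns-remap") else "FAIL", "userns-remap should be set")

    # 2.12: a non-default log driver alone is not remote logging; check where it points.
    log_driver = cfg.get("log-driver", "json-file")
    address = cfg.get("log-opts", {}).get("syslog-address", "")
    if log_driver == "json-file":
        add("2.12", "FAIL", "log-driver is json-file (local files only)")
    elif log_driver == "syslog" and urlparse(address).hostname in LOOPBACK_HOSTS:
        add("2.12", "WARN", f"syslog-address {address!r} is loopback or unset; logs stay on this host")
    else:
        add("2.12", "PASS", f"log-driver {log_driver} configured")

    add("2.13", "PASS" if cfg.get("live-restore") is True else "FAIL",
        "live-restore keeps containers running across daemon restarts")
    add("2.14", "PASS" if cfg.get("userland-proxy") is False else "FAIL",
        "userland-proxy should be false so published ports use iptables rather than docker-proxy")
    add("2.17", "PASS" if cfg.get("no-new-privileges") is True else "FAIL",
        "no-new-privileges stops containers gaining privileges through setuid/setgid binaries")
    return findings


def failing_checks(findings):
    """Check ids whose status is not PASS, for an exit-code decision."""
    return [check_id for check_id, status, _ in findings if status != "PASS"]


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/docker/daemon.json"
    with open(path) as fh:
        results = audit_daemon_config(load_daemon_config(fh.read()))
    for check_id, status, detail in results:
        print(f"[{status}] {check_id}: {detail}")
    sys.exit(1 if failing_checks(results) else 0)
```

Run it as `python3 audit_daemon.py /etc/docker/daemon.json` before each `systemctl restart docker`; a non-zero exit means something still needs attention. On the page's final configuration it reports 2.12 as WARN because the syslog target is loopback, which is exactly the kind of "configured but not really remote" gap Docker Bench's key-presence check does not catch.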

Conclusion


DevOps Consultant. I’m strongly focused on automation, security, and reliability.