Docker Bench for Security for Docker Host

The official Docker documentation has a description of Docker security.

Environment

  • Ubuntu 18.04 (Vagrant)
  • Docker 20.10.3-ce

Let’s start with Docker Bench for Security

The GitHub repository explains how to run it from a Docker image.
However, because of how Docker works, some tests do not run correctly that way (specifically the ones covering the audit system), so instead of using the Docker image, run the script directly on the host.

root@vagrant:/home/vagrant# git clone https://github.com/docker/docker-bench-security.git
Cloning into 'docker-bench-security'...
remote: Enumerating objects: 2101, done.
remote: Total 2101 (delta 0), reused 0 (delta 0), pack-reused 2101
Receiving objects: 100% (2101/2101), 2.95 MiB | 5.05 MiB/s, done.
Resolving deltas: 100% (1471/1471), done.
root@vagrant:/home/vagrant# cd docker-bench-security/
root@vagrant:/home/vagrant/docker-bench-security# sh docker-bench-security.sh

Result of Docker Bench for Security

root@vagrant:/home/vagrant# systemctl stop docker
Warning: Stopping docker.service, but it can still be activated by:
docker.socket
root@vagrant:/home/vagrant# fdisk /dev/sdb
Welcome to fdisk (util-linux 2.27.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Command ( help with m ) : g
Command ( help with m ) : n
Partition number ( 1-128, default 1 ) : 1
First sector (2048-209715166, default 2048):
Last sector, +sectors or +size{K,M,G,T,P} (2048-209715166, default 209715166):
Created a new partition 1 of type 'Linux filesystem' and of size 100 GiB.
Command ( help with m ) : w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.
root@vagrant:/home/vagrant# mkfs -t ext4 /dev/sdb1
mke2fs 1.42.13 (17-May-2015)
Creating filesystem with 26214139 4k blocks and 6553600 inodes
Filesystem UUID: 1f2c0bb1-967f-4d12-b304-e7c06f6de806
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424, 20480000, 23887872
Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
root@vagrant:/home/vagrant# cat /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/vagrant--vg-root / ext4 errors=remount-ro 0 1
# /boot was on /dev/sda1 during installation
UUID=eddb4c8a-78b7-494f-b8e8-a9f361451c99 /boot ext2 defaults 0 2
/dev/mapper/vagrant--vg-swap_1 none swap sw 0 0
/dev/sdb1 /var/lib/docker ext4 defaults 0 0
root@vagrant:/home/vagrant# mount -a
root@vagrant:/home/vagrant# systemctl start docker
root@vagrant:/home/vagrant# apt-get update
root@vagrant:/home/vagrant# apt-get install -y auditd
root@vagrant:/home/vagrant# echo "-w /usr/bin/docker -p wa" | sudo tee -a /etc/audit/audit.rules
root@vagrant:/home/vagrant# echo "-w /var/lib/docker -p wa" | sudo tee -a /etc/audit/audit.rules
root@vagrant:/home/vagrant# echo "-w /etc/docker -p wa" | sudo tee -a /etc/audit/audit.rules
root@vagrant:/home/vagrant# echo "-w /lib/systemd/system/docker.service -p wa" | sudo tee -a /etc/audit/audit.rules
root@vagrant:/home/vagrant# echo "-w /lib/systemd/system/docker.socket -p wa" | sudo tee -a /etc/audit/audit.rules
root@vagrant:/home/vagrant# echo "-w /etc/default/docker -p wa" | sudo tee -a /etc/audit/audit.rules
root@vagrant:/home/vagrant# echo "-w /etc/sysconfig/docker -p wa" | sudo tee -a /etc/audit/audit.rules
root@vagrant:/home/vagrant# echo "-w /etc/docker/daemon.json -p wa" | sudo tee -a /etc/audit/audit.rules
root@vagrant:/home/vagrant# echo "-w /usr/bin/docker-containerd -p wa" | sudo tee -a /etc/audit/audit.rules
root@vagrant:/home/vagrant# echo "-w /usr/bin/docker-runc -p wa" | sudo tee -a /etc/audit/audit.rules
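Appending the rules with `echo ... | tee -a` works once, but every re-run duplicates them, and the list above mixes in paths that do not exist on an Ubuntu host (the RHEL-style /etc/sysconfig/docker, the pre-18.09 docker-containerd and docker-runc binaries). The following is an added example, not part of the original post or of docker-bench-security: a small POSIX sh function that writes the same `-w <path> -p wa` watches idempotently and reports absent paths the way Docker Bench reports them as not found; the optional ROOT parameter is a hypothetical test hook and the rules file name is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post or from docker-bench-security):
# write the audit watches from the CIS Docker Benchmark 1.1.x checks without
# duplicating them on re-runs, which the plain "echo ... | tee -a" approach does.
#
# Usage: ensure_docker_audit_rules RULES_FILE [ROOT]
#   RULES_FILE  audit rules file to update, e.g. /etc/audit/rules.d/docker.rules
#   ROOT        optional prefix used only when testing path existence
#               (hypothetical parameter so the function can be exercised
#               against a scratch directory tree instead of the real host)
# Prints one status line per path: "added:", "present:" or "info: not found:".

DOCKER_AUDIT_PATHS="/usr/bin/docker /var/lib/docker /etc/docker \
/lib/systemd/system/docker.service /lib/systemd/system/docker.socket \
/etc/default/docker /etc/sysconfig/docker /etc/docker/daemon.json \
/usr/bin/docker-containerd /usr/bin/docker-runc"

ensure_docker_audit_rules() {
    rules_file=$1
    root=${2:-}
    touch "$rules_file" || return 1
    for p in $DOCKER_AUDIT_PATHS; do
        # Paths that do not exist on this host are reported, not watched,
        # mirroring how docker-bench-security reports them as "File not found".
        if [ ! -e "$root$p" ]; then
            echo "info: not found: $p"
            continue
        fi
        rule="-w $p -p wa"
        # -F -x: match the whole line literally, so a second run adds nothing.
        if grep -Fxq -- "$rule" "$rules_file"; then
            echo "present: $p"
        else
            echo "$rule" >> "$rules_file"
            echo "added: $p"
        fi
    done
}

# Example invocation on the real host (as root), then load the rules:
#   ensure_docker_audit_rules /etc/audit/rules.d/docker.rules && augenrules --load
```

On Ubuntu 18.04 auditd regenerates /etc/audit/audit.rules from the files under /etc/audit/rules.d/ via augenrules, so rules appended straight to audit.rules, as in the transcript, can be overwritten at the next rule load; a dedicated file under rules.d survives that. Afterwards `auditctl -l` should list every watch, which is also what the Docker Bench 1.1.x checks look for.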