Docker Bench for Security for Docker Host

Maciej
4 min read · Apr 9, 2021

The official Docker documentation has a description of Docker security.

Docker Bench for Security is a tool that checks these recommendations automatically, so let’s take advantage of it and try to build a more secure container execution environment.

Environment

  • Ubuntu 18.04 (Vagrant)
  • Docker 20.10.3-ce

Let’s start with Docker Bench for Security

The GitHub repository explains how to run the benchmark from a Docker image.
However, because of how Docker isolates the container, some tests (in particular the ones concerning the audit system) do not work correctly that way, so instead of using the Docker image we execute the script directly on the host.

root@vagrant:/home/vagrant# git clone https://github.com/docker/docker-bench-security.git
Cloning into 'docker-bench-security'...
remote: Enumerating objects: 2101, done.
remote: Total 2101 (delta 0), reused 0 (delta 0), pack-reused 2101
Receiving objects: 100% (2101/2101), 2.95 MiB | 5.05 MiB/s, done.
Resolving deltas: 100% (1471/1471), done.
root@vagrant:/home/vagrant# cd docker-bench-security/
root@vagrant:/home/vagrant/docker-bench-security# sh docker-bench-security.sh

Result of Docker Bench for Security

Once we have the result, we can start fixing 🙂

🚨 1.2.1 — Ensure a separate partition for containers has been created:

This warning asks for a separate partition for container data. Concretely, it means preparing a dedicated disk partition for the data directory used by Docker, which is /var/lib/docker by default.

Fix:

root@vagrant:/home/vagrant# systemctl stop docker
Warning: Stopping docker.service, but it can still be activated by:
docker.socket
root@vagrant:/home/vagrant# fdisk /dev/sdb
Welcome to fdisk (util-linux 2.27.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Command ( help with m ) : g
Command ( help with m ) : n
Partition number ( 1-128, default 1 ) : 1
First sector (2048-209715166, default 2048):
Last sector, +sectors or +size{K,M,G,T,P} (2048-209715166, default 209715166):
Created a new partition 1 of type 'Linux filesystem' and of size 100 GiB.
Command ( help with m ) : w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.
root@vagrant:/home/vagrant# mkfs -t ext4 /dev/sdb1
mke2fs 1.42.13 (17-May-2015)
Creating filesystem with 26214139 4k blocks and 6553600 inodes
Filesystem UUID: 1f2c0bb1-967f-4d12-b304-e7c06f6de806
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424, 20480000, 23887872
Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

Then add the new partition to /etc/fstab; the last line below is the one we added:

root@vagrant:/home/vagrant# cat /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/vagrant--vg-root / ext4 errors=remount-ro 0 1
# /boot was on /dev/sda1 during installation
UUID=eddb4c8a-78b7-494f-b8e8-a9f361451c99 /boot ext2 defaults 0 2
/dev/mapper/vagrant--vg-swap_1 none swap sw 0 0
/dev/sdb1 /var/lib/docker ext4 defaults 0 0

Now we can mount the new partition and start Docker again:

root@vagrant:/home/vagrant# mount -a
root@vagrant:/home/vagrant# systemctl start docker
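As an added check (not part of the original post), the following shell functions verify the condition that check 1.2.1 looks for: that /var/lib/docker appears as its own mount point. They read a mounts table in /proc/mounts format, so they can be run against the live host or, as in the demonstration, against a constructed table. The function names, the sample device names and the mounts-file argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify that Docker's data directory is on its own mount,
# the condition Docker Bench check 1.2.1 tests for.

# is_separate_mount MOUNTPOINT [MOUNTS_FILE]
# Prints "<device> <fstype>" and returns 0 when MOUNTPOINT appears as an exact
# mount point in MOUNTS_FILE (default /proc/mounts); returns 1 otherwise.
# The exact match avoids counting sub-mounts such as overlay2 layers.
is_separate_mount() {
  mp="$1"
  mounts="${2:-/proc/mounts}"
  awk -v mp="$mp" '
    $2 == mp { found = 1; print $1, $3 }
    END { if (found) exit 0; exit 1 }
  ' "$mounts"
}

# docker_dir_status [MOUNTS_FILE]
# Prints PASS when /var/lib/docker is a separate mount, WARN otherwise,
# mirroring the benchmark's verdict.
docker_dir_status() {
  if is_separate_mount /var/lib/docker "$1" >/dev/null; then
    echo PASS
  else
    echo WARN
  fi
}

# sample_mounts: writes a constructed /proc/mounts-style table (sample data,
# not taken from a real host) to a temporary file and prints its path.
sample_mounts() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
/dev/mapper/vagrant--vg-root / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda1 /boot ext2 rw,relatime 0 0
/dev/sdb1 /var/lib/docker ext4 rw,relatime 0 0
EOF
  echo "$f"
}

# Demonstration: run with --demo to check the constructed table and the real host.
if [ "${1:-}" = "--demo" ]; then
  f=$(sample_mounts)
  is_separate_mount /var/lib/docker "$f"   # /dev/sdb1 ext4
  docker_dir_status "$f"                   # PASS
  docker_dir_status                        # verdict for this host
  rm -f "$f"
fi
```

Two caveats worth checking before relying on the new mount: if /var/lib/docker already held images or volumes, mounting the new partition over it hides that data rather than moving it, so copy the directory contents onto the new filesystem while Docker is stopped; and the fstab comment's advice applies here too, since referencing the partition by UUID= rather than /dev/sdb1 keeps the mount stable if disk ordering changes.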

🚨 1.2.3–1.2.12 — Checking audit functions

These checks boil down to recording, in the audit log, executions of the Docker binaries and changes to Docker’s configuration files, so that activity on the Docker daemon is audited. We use auditd as the audit mechanism here, so we add the corresponding rules.

Installation

root@vagrant:/home/vagrant# apt-get update
root@vagrant:/home/vagrant# apt-get install -y auditd

The auditd rules live in /etc/audit/audit.rules; we can either write them into that file directly or add them with the auditctl command.

  • 1.2.3 — Ensure auditing is configured for the Docker daemon
root@vagrant:/home/vagrant# echo "-w /usr/bin/docker -p wa" | sudo tee -a /etc/audit/audit.rules
  • 1.2.4 — Ensure auditing is configured for Docker files and directories /var/lib/docker
root@vagrant:/home/vagrant# echo "-w /var/lib/docker -p wa" | sudo tee -a /etc/audit/audit.rules
  • 1.2.5 — Ensure auditing is configured for Docker files and directories /etc/docker
root@vagrant:/home/vagrant# echo "-w /etc/docker -p wa" | sudo tee -a /etc/audit/audit.rules
  • 1.2.6 — Ensure auditing is configured for Docker files and directories docker.service
root@vagrant:/home/vagrant# echo "-w /lib/systemd/system/docker.service -p wa" | sudo tee -a /etc/audit/audit.rules
  • 1.2.7 — Ensure auditing is configured for Docker files and directories docker.socket
root@vagrant:/home/vagrant# echo "-w /lib/systemd/system/docker.socket -p wa" | sudo tee -a /etc/audit/audit.rules
  • 1.2.8 — Ensure auditing is configured for Docker files and directories /etc/default/docker
root@vagrant:/home/vagrant# echo "-w /etc/default/docker -p wa" | sudo tee -a /etc/audit/audit.rules
  • 1.2.9 — Ensure auditing is configured for Docker files and directories /etc/sysconfig/docker
root@vagrant:/home/vagrant# echo "-w /etc/sysconfig/docker -p wa" | sudo tee -a /etc/audit/audit.rules
  • 1.2.10 — Ensure auditing is configured for Docker files and directories /etc/docker/daemon.json
root@vagrant:/home/vagrant# echo "-w /etc/docker/daemon.json -p wa" | sudo tee -a /etc/audit/audit.rules
  • 1.2.11 — Ensure auditing is configured for Docker files and directories /usr/bin/containerd
root@vagrant:/home/vagrant# echo "-w /usr/bin/containerd -p wa" | sudo tee -a /etc/audit/audit.rules
  • 1.2.12 — Ensure auditing is configured for Docker files and directories /usr/sbin/runc
root@vagrant:/home/vagrant# echo "-w /usr/sbin/runc -p wa" | sudo tee -a /etc/audit/audit.rules

All audit rules:
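Appending with tee -a, as above, adds a duplicate rule every time the commands are re-run. The following script is an added example (not from the original post or from the Docker Bench project) that installs the same ten watch rules idempotently and counts what is present, so it can be run repeatedly, for instance from configuration management. The function names and the default rules file /etc/audit/rules.d/docker.rules are assumptions; the paths are the ones from checks 1.2.3 to 1.2.12, and the runc path in particular should be confirmed with command -v runc, since packages install it in different places.

```shell
#!/bin/sh
# Added example: idempotent installation of the Docker audit watch rules.

# docker_audit_paths: the files and directories watched by checks 1.2.3-1.2.12.
docker_audit_paths() {
  cat <<'EOF'
/usr/bin/docker
/var/lib/docker
/etc/docker
/lib/systemd/system/docker.service
/lib/systemd/system/docker.socket
/etc/default/docker
/etc/sysconfig/docker
/etc/docker/daemon.json
/usr/bin/containerd
/usr/sbin/runc
EOF
}

# add_docker_audit_rules [RULES_FILE]
# Appends "-w PATH -p wa" for each watched path unless that exact line is already
# present, and prints the number of rules added. Writing to the default location
# requires root (assumed path: /etc/audit/rules.d/docker.rules).
add_docker_audit_rules() {
  file="${1:-/etc/audit/rules.d/docker.rules}"
  touch "$file" || return 1
  added=0
  for p in $(docker_audit_paths); do
    rule="-w $p -p wa"
    if ! grep -qxF -- "$rule" "$file"; then
      printf '%s\n' "$rule" >>"$file"
      added=$((added + 1))
    fi
  done
  echo "$added"
}

# count_docker_audit_rules [RULES_FILE]
# Prints how many write/attribute watch rules the file contains.
count_docker_audit_rules() {
  grep -c -- '^-w .* -p wa$' "${1:-/etc/audit/rules.d/docker.rules}"
}

# Demonstration on a temporary file: the second run adds nothing.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  add_docker_audit_rules "$tmp"     # 10
  add_docker_audit_rules "$tmp"     # 0
  count_docker_audit_rules "$tmp"   # 10
  rm -f "$tmp"
fi
```

On distributions where auditd uses augenrules, /etc/audit/audit.rules is regenerated from the files in /etc/audit/rules.d/ at service start, so rules appended straight to audit.rules can be lost; placing them in rules.d and running augenrules --load (or auditctl -R on the rules file) avoids that. Confirm the result with auditctl -l, and re-run the benchmark to see checks 1.2.3 to 1.2.12 pass.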


Maciej

DevOps Consultant. I’m strongly focused on automation, security, and reliability.