Scan for Host Vulnerabilities with Docker Bench

If you’re a cloud native developer, chances are pretty good you work with containers and container images. The problem with this is that you might base your work on an image that contains vulnerabilities. So, out of the gate, security is an issue. And if you are working with vulnerable images, security issues will plague your apps and services. That’s not the only issue you face. You deploy your containers from a host platform. Are you certain that the host platform is secure?
There are a lot of moving parts within the realm of cloud native development, so it’s always best to start with a solid foundation. That’s why there are tools like Docker Bench, which can run an audit of your hosting platform to find any possible issues you might not even know about. According to Docker documentation, “the Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.”
Docker Bench will audit the following areas of your host platform for weaknesses:
- General configuration
- Linux host-specific configuration
- The Docker daemon configuration
- All Docker daemon configuration files
- Container images and build files
- Container runtime
- Docker security operations
- Docker swarm configuration
- Docker Enterprise configuration
- Docker trusted registry configuration
The tests are all automated and based on the CIS Docker Benchmark v1.3.1.

This tool should be run on every single host used to deploy Docker containers (be it a single host or a Docker Swarm). You want to ensure every possible vulnerability is addressed. Now, Docker Bench will not fix your problems. All it does is list them out, so you can then take action to resolve all discovered issues.
You can use Docker Bench on your dev machines, your on-premises servers, or even your cloud-hosted servers. I’ll be demonstrating on an instance of Ubuntu Server 20.04.
Let’s install and run Docker Bench to audit your Docker hosts.
Installing Docker
On the off-chance you don’t have Docker installed, let’s get it up and running first. Log into your Ubuntu Server and issue the command:
sudo apt-get install docker.io -y
When the installation completes, add your user to the docker group with the command:
sudo usermod -aG docker $USER
Log out and log back in for the changes to take effect.
Installing Docker Bench
Next, we’ll install Docker Bench. You won’t find this tool in the standard repositories. In fact, you need to clone the latest version from the official GitHub repository, so first install Git with the command:
sudo apt-get install git -y
Once Git has been installed, you can then clone the Docker Bench repository with the command:
git clone https://github.com/docker/docker-bench-security.git
With the repository cloned, change into the newly-created directory with the command:
cd docker-bench-security
Configuring the Docker daemon
We need to modify the Docker daemon configuration file so it can be accessed by Docker Bench. Open the configuration file with the command:
sudo nano /etc/docker/daemon.json
At the bottom of that file, add the following lines. Note that daemon.json must hold a single JSON object: if the file does not exist yet, nano creates it and these lines are the whole file; if it already contains settings, add these keys inside the existing object rather than appending a second one.
{
  "icc": false,
  "userns-remap": "default",
  "live-restore": true,
  "userland-proxy": false,
  "no-new-privileges": true
}
Save and close the file.
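Because a daemon.json that is not one valid JSON object stops dockerd from starting, it is worth checking the file before restarting Docker. The following script is an added example (not from the article or from the Docker Bench project) that validates a daemon.json, reports which of the five hardening keys above are missing or set to a weaker value, and can merge them into an existing configuration without losing unrelated keys. The sample configuration inside it is constructed for the demonstration.

```python
"""Validate and harden a Docker daemon.json.

Added example, not part of the article or of docker-bench-security.
EXPECTED mirrors the five settings the article adds to /etc/docker/daemon.json.
"""
import json

# The five settings from the article and the value each should have.
EXPECTED = {
    "icc": False,               # no inter-container traffic on the default bridge
    "userns-remap": "default",  # map container root to an unprivileged host UID range
    "live-restore": True,       # containers keep running while dockerd restarts
    "userland-proxy": False,    # publish ports with iptables rules instead of docker-proxy
    "no-new-privileges": True,  # block setuid/setgid privilege gain inside containers
}


def check_daemon_config(text):
    """Return (findings, error).

    findings maps each expected key to 'ok', 'missing' or 'weak: <value>'.
    error is a message when the text is not a single JSON object, which is
    what happens when a second object is appended to an existing daemon.json.
    """
    try:
        config = json.loads(text)
    except json.JSONDecodeError as exc:
        return {}, f"daemon.json is not valid JSON: {exc}"
    if not isinstance(config, dict):
        return {}, "daemon.json must contain a single JSON object"
    findings = {}
    for key, wanted in EXPECTED.items():
        if key not in config:
            findings[key] = "missing"
        elif config[key] != wanted:
            findings[key] = f"weak: {json.dumps(config[key])}"
        else:
            findings[key] = "ok"
    return findings, None


def merge_hardening(text):
    """Return daemon.json text with EXPECTED merged in, keeping unrelated keys.

    Empty input (the file does not exist yet) yields a fresh object.
    """
    config = json.loads(text) if text.strip() else {}
    if not isinstance(config, dict):
        raise ValueError("daemon.json must contain a single JSON object")
    config.update(EXPECTED)
    return json.dumps(config, indent=2) + "\n"


# Constructed sample: an existing file with a log driver and one weak setting.
SAMPLE = '{"log-driver": "json-file", "icc": true, "live-restore": true}'

if __name__ == "__main__":
    findings, error = check_daemon_config(SAMPLE)
    print(error or findings)
    print(merge_hardening(SAMPLE))
```

Run it against the real file with `sudo python3 harden_check.py` after replacing SAMPLE with the contents of /etc/docker/daemon.json. One caveat when applying the merged result: enabling userns-remap makes dockerd store images and containers under a new per-remap subdirectory of /var/lib/docker, so images and containers pulled or created before the change no longer show up until you pull or recreate them.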
Installing Auditd
Next, we need to install Auditd, which is the Linux userspace component of the Linux Auditing System and is responsible for writing audit records to disk. Install this software with the command:
sudo apt-get install auditd -y
Now, we can configure Auditd to work with Docker. Open the Auditd configuration file with:
sudo nano /etc/audit/audit.rules
At the bottom of that file, paste the following:
-w /usr/bin/docker -p wa
-w /var/lib/docker -p wa
-w /etc/docker -p wa
-w /lib/systemd/system/docker.service -p wa
-w /lib/systemd/system/docker.socket -p wa
-w /etc/default/docker -p wa
-w /etc/docker/daemon.json -p wa
-w /usr/bin/docker-containerd -p wa
-w /usr/bin/docker-runc -p wa
Save and close the file.
Restart Auditd with:
sudo systemctl restart auditd
And then restart Docker with:
sudo systemctl restart docker
Running Your First Audit
Now the fun begins. From the docker-bench-security directory, issue the command:
sudo ./docker-bench-security.sh
You’ll see quite a bit of information reported. Among that information, you’ll see lines tagged [PASS], [INFO], [NOTE] and [WARN]. Pay close attention to anything marked [WARN], because chances are good that’s a security issue.
At the end of the output, you’ll also see how many checks were run and your score.
If you’d rather save the output to a file (for later reading), you can issue the command:
sudo ./docker-bench-security.sh -l scan_results
After the scan completes, you can view the file with:
less scan_results
You’ll be warned the file may be binary, because the log keeps the colour escape sequences from the terminal output, but it’s still viewable.
You might find warnings such as:
[WARN] 4.5 - Ensure Content trust for Docker is Enabled (Automated)
To fix this, enable content trust with the command:
sudo echo "DOCKER_CONTENT_TRUST=1" | sudo tee -a /etc/environment
Restart Docker with:
sudo systemctl restart docker
If you run another scan, the Content Trust warning should no longer be present.
Continue combing through the results and fixing every line that starts with [WARN] to harden your Docker host.
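When you save scans to a file and re-run them after each fix, a small parser makes the [WARN] lines easy to track across runs. The script below is an added example (not from the article or from the docker-bench-security project): it strips the colour codes that make less call the log binary, counts results per tag, lists the warned check IDs, and compares two runs to show which warnings were fixed and which appeared. The log lines embedded in it are constructed to look like Docker Bench output; the score it computes (passes minus warnings) is my assumption about how the tool scores, not taken from the project.

```python
"""Summarise and compare Docker Bench log files.

Added example, not part of the article or of docker-bench-security.
"""
import re

# Colour codes the script writes into the log (this is why less calls it binary).
ANSI_ESCAPE = re.compile(r"\x1b\[[0-9;]*m")
# Result lines look like "[WARN] 4.5 - Ensure Content trust for Docker is Enabled (Automated)".
RESULT_LINE = re.compile(r"^\[(PASS|WARN|INFO|NOTE)\]\s+(\d+(?:\.\d+)*)\s+-\s+(.*)$")


def strip_ansi(text):
    """Remove terminal colour escape sequences."""
    return ANSI_ESCAPE.sub("", text)


def parse_bench_log(text):
    """Return counts per tag, the warned (id, title) pairs, and a score.

    Section headers such as "[INFO] 1 - Host Configuration" are counted as INFO;
    indented "*" sub-results carry no check number and are skipped.
    Score = passes minus warnings (assumption about the tool's own scoring).
    """
    counts = {"PASS": 0, "WARN": 0, "INFO": 0, "NOTE": 0}
    warnings = []
    for raw in text.splitlines():
        match = RESULT_LINE.match(strip_ansi(raw).strip())
        if not match:
            continue
        tag, check_id, title = match.groups()
        counts[tag] += 1
        if tag == "WARN":
            warnings.append((check_id, title))
    return {
        "counts": counts,
        "warnings": warnings,
        "score": counts["PASS"] - counts["WARN"],
    }


def compare_runs(before_text, after_text):
    """Return (fixed_ids, new_ids): warnings that disappeared and that appeared."""
    before = {cid for cid, _ in parse_bench_log(before_text)["warnings"]}
    after = {cid for cid, _ in parse_bench_log(after_text)["warnings"]}
    return sorted(before - after), sorted(after - before)


# Constructed sample log; the escape sequences imitate the tool's colouring.
SAMPLE_LOG = "\n".join([
    "[INFO] 1 - Host Configuration",
    "\x1b[1;31m[WARN]\x1b[0m 1.1.1 - Ensure a separate partition for containers has been created (Automated)",
    "\x1b[1;32m[PASS]\x1b[0m 1.1.2 - Ensure only trusted users are allowed to control Docker daemon (Automated)",
    "\x1b[1;31m[WARN]\x1b[0m 4.5 - Ensure Content trust for Docker is Enabled (Automated)",
    "[NOTE] 4.10 - Ensure secrets are not stored in Dockerfiles (Manual)",
    "\x1b[1;31m[WARN]\x1b[0m      * Running as root: sample_container",
    "[INFO] Checks: 5",
    "[INFO] Score: -1",
])

# Constructed second run after enabling content trust: check 4.5 now passes.
SAMPLE_LOG_AFTER = SAMPLE_LOG.replace(
    "\x1b[1;31m[WARN]\x1b[0m 4.5", "\x1b[1;32m[PASS]\x1b[0m 4.5")

if __name__ == "__main__":
    summary = parse_bench_log(SAMPLE_LOG)
    print(summary["counts"], "score", summary["score"])
    for check_id, title in summary["warnings"]:
        print(f"[WARN] {check_id} {title}")
    print("fixed, new:", compare_runs(SAMPLE_LOG, SAMPLE_LOG_AFTER))
```

To use it on real output, read the two files written with `-l` (for example scan_results and scan_results_2) and pass their contents to compare_runs; a non-empty "new" list after a change is the signal that a fix had a side effect worth investigating.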
And that’s all there is to it. Tools like Docker Bench should be considered must-haves for anyone who works with Docker.