forked from docker/docker-bench-security
-
Notifications
You must be signed in to change notification settings - Fork 0
/
2_docker_daemon_configuration.sh
429 lines (390 loc) · 15.4 KB
/
2_docker_daemon_configuration.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
#!/bin/bash
check_2() {
logit ""
local id="2"
local desc="Docker daemon configuration"
checkHeader="$id - $desc"
info "$checkHeader"
startsectionjson "$id" "$desc"
}
check_2_1() {
local id="2.1"
local desc="Run the Docker daemon as a non-root user, if possible (Manual)"
local remediation="Follow the current Dockerdocumentation on how to install the Docker daemon as a non-root user."
local remediationImpact="There are multiple prerequisites depending on which distribution that is in use, and also known limitations regarding networking and resource limitation. Running in rootless mode also changes the location of any configuration files in use, including all containers using the daemon."
local check="$id - $desc"
starttestjson "$id" "$desc"
note -c "$check"
logcheckresult "INFO"
}
check_2_2() {
local id="2.2"
local desc="Ensure network traffic is restricted between containers on the default bridge (Scored)"
local remediation="Edit the Docker daemon configuration file to ensure that inter-container communication is disabled: icc: false."
local remediationImpact="Inter-container communication is disabled on the default network bridge. If any communication between containers on the same host is desired, it needs to be explicitly defined using container linking or custom networks."
local check="$id - $desc"
starttestjson "$id" "$desc"
if get_docker_effective_command_line_args '--icc' | grep false >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
if get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_2_3() {
local id="2.3"
local desc="Ensure the logging level is set to 'info' (Scored)"
local remediation="Ensure that the Docker daemon configuration file has the following configuration included log-level: info. Alternatively, run the Docker daemon as following: dockerd --log-level=info"
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
if get_docker_configuration_file_args 'log-level' >/dev/null 2>&1; then
if get_docker_configuration_file_args 'log-level' | grep info >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
if [ -z "$(get_docker_configuration_file_args 'log-level')" ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if get_docker_effective_command_line_args '-l'; then
if get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
pass -s "$check"
logcheckresult "PASS"
}
check_2_4() {
local id="2.4"
local desc="Ensure Docker is allowed to make changes to iptables (Scored)"
local remediation="Do not run the Docker daemon with --iptables=false option."
local remediationImpact="The Docker daemon service requires iptables rules to be enabled before it starts."
local check="$id - $desc"
starttestjson "$id" "$desc"
if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then
warn -s "$check"
logcheckresult "WARN"
return
fi
if get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then
warn -s "$check"
logcheckresult "WARN"
return
fi
pass -s "$check"
logcheckresult "PASS"
}
check_2_5() {
local id="2.5"
local desc="Ensure insecure registries are not used (Scored)"
local remediation="You should ensure that no insecure registries are in use."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then
warn -s "$check"
logcheckresult "WARN"
return
fi
if ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; then
if get_docker_configuration_file_args 'insecure-registries' | grep '\[]' >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
pass -s "$check"
logcheckresult "PASS"
}
check_2_6() {
local id="2.6"
local desc="Ensure aufs storage driver is not used (Scored)"
local remediation="Do not start Docker daemon as using dockerd --storage-driver aufs option."
local remediationImpact="aufs is the only storage driver that allows containers to share executable and shared library memory. Its use should be reviewed in line with your organization's security policy."
local check="$id - $desc"
starttestjson "$id" "$desc"
if docker info 2>/dev/null | grep -e "^\sStorage Driver:\s*aufs\s*$" >/dev/null 2>&1; then
warn -s "$check"
logcheckresult "WARN"
return
fi
pass -s "$check"
logcheckresult "PASS"
}
check_2_7() {
local id="2.7"
local desc="Ensure TLS authentication for Docker daemon is configured (Scored)"
local remediation="Follow the steps mentioned in the Docker documentation or other references. By default, TLS authentication is not configured."
local remediationImpact="You would need to manage and guard certificates and keys for the Docker daemon and Docker clients."
local check="$id - $desc"
starttestjson "$id" "$desc"
if $(grep -qE "host.*tcp://" "$CONFIG_FILE") || \
[ $(get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://') > /dev/null 2>&1 ]; then
if [ $(get_docker_configuration_file_args '"tlsverify":' | grep 'true') ] || \
[ $(get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify') >/dev/null 2>&1 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
if [ $(get_docker_configuration_file_args '"tls":' | grep 'true') ] || \
[ $(get_docker_cumulative_command_line_args '--tls' | grep 'tls$') >/dev/null 2>&1 ]; then
warn -s "$check"
warn " * Docker daemon currently listening on TCP with TLS, but no verification"
logcheckresult "WARN" "Docker daemon currently listening on TCP with TLS, but no verification"
return
fi
warn -s "$check"
warn " * Docker daemon currently listening on TCP without TLS"
logcheckresult "WARN" "Docker daemon currently listening on TCP without TLS"
return
fi
info -c "$check"
info " * Docker daemon not listening on TCP"
logcheckresult "INFO" "Docker daemon not listening on TCP"
}
check_2_8() {
local id="2.8"
local desc="Ensure the default ulimit is configured appropriately (Manual)"
local remediation="Run Docker in daemon mode and pass --default-ulimit as option with respective ulimits as appropriate in your environment and in line with your security policy. Example: dockerd --default-ulimit nproc=1024:2048 --default-ulimit nofile=100:200"
local remediationImpact="If ulimits are set incorrectly this could cause issues with system resources, possibly causing a denial of service condition."
local check="$id - $desc"
starttestjson "$id" "$desc"
if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then
pass -c "$check"
logcheckresult "PASS"
return
fi
if get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then
pass -c "$check"
logcheckresult "PASS"
return
fi
info -c "$check"
info " * Default ulimit doesn't appear to be set"
logcheckresult "INFO" "Default ulimit doesn't appear to be set"
}
check_2_9() {
local id="2.9"
local desc="Enable user namespace support (Scored)"
local remediation="Please consult the Docker documentation for various ways in which this can be configured depending upon your requirements. The high-level steps are: Ensure that the files /etc/subuid and /etc/subgid exist. Start the docker daemon with --userns-remap flag."
local remediationImpact="User namespace remapping is incompatible with a number of Docker features and also currently breaks some of its functionalities."
local check="$id - $desc"
starttestjson "$id" "$desc"
if get_docker_configuration_file_args 'userns-remap' | grep -v '""'; then
pass -s "$check"
logcheckresult "PASS"
return
fi
if get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_2_10() {
local id="2.10"
local desc="Ensure the default cgroup usage has been confirmed (Scored)"
local remediation="The default setting is in line with good security practice and can be left in situ."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
if get_docker_configuration_file_args 'cgroup-parent' | grep -v ''; then
warn -s "$check"
info " * Confirm cgroup usage"
logcheckresult "WARN" "Confirm cgroup usage"
return
fi
if get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then
warn -s "$check"
info " * Confirm cgroup usage"
logcheckresult "WARN" "Confirm cgroup usage"
return
fi
pass -s "$check"
logcheckresult "PASS"
}
check_2_11() {
local id="2.11"
local desc="Ensure base device size is not changed until needed (Scored)"
local remediation="Do not set --storage-opt dm.basesize until needed."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
if get_docker_configuration_file_args 'storage-opts' | grep "dm.basesize" >/dev/null 2>&1; then
warn -s "$check"
logcheckresult "WARN"
return
fi
if get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then
warn -s "$check"
logcheckresult "WARN"
return
fi
pass -s "$check"
logcheckresult "PASS"
}
check_2_12() {
local id="2.12"
local desc="Ensure that authorization for Docker client commands is enabled (Scored)"
local remediation="Install/Create an authorization plugin. Configure the authorization policy as desired. Start the docker daemon using command dockerd --authorization-plugin=<PLUGIN_ID>"
local remediationImpact="Each Docker command needs to pass through the authorization plugin mechanism. This may have a performance impact"
local check="$id - $desc"
starttestjson "$id" "$desc"
if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]'; then
pass -s "$check"
logcheckresult "PASS"
return
fi
if get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_2_13() {
local id="2.13"
local desc="Ensure centralized and remote logging is configured (Scored)"
local remediation="Set up the desired log driver following its documentation. Start the docker daemon using that logging driver. Example: dockerd --log-driver=syslog --log-opt syslog-address=tcp://192.xxx.xxx.xxx"
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
if docker info --format '{{ .LoggingDriver }}' | grep 'json-file' >/dev/null 2>&1; then
warn -s "$check"
logcheckresult "WARN"
return
fi
pass -s "$check"
logcheckresult "PASS"
}
check_2_14() {
local id="2.14"
local desc="Ensure containers are restricted from acquiring new privileges (Scored)"
local remediation="You should run the Docker daemon using command: dockerd --no-new-privileges"
local remediationImpact="no_new_priv prevents LSMs such as SELinux from escalating the privileges of individual containers."
local check="$id - $desc"
starttestjson "$id" "$desc"
if get_docker_effective_command_line_args '--no-new-privileges' | grep "no-new-privileges" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
if get_docker_configuration_file_args 'no-new-privileges' | grep true >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_2_15() {
local id="2.15"
local desc="Ensure live restore is enabled (Scored)"
local remediation="Run Docker in daemon mode and pass --live-restore option."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
if docker info 2>/dev/null | grep -e "Live Restore Enabled:\s*true\s*" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
pass -s "$check (Incompatible with swarm mode)"
logcheckresult "PASS"
return
fi
if get_docker_effective_command_line_args '--live-restore' | grep "live-restore" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_2_16() {
local id="2.16"
local desc="Ensure Userland Proxy is Disabled (Scored)"
local remediation="You should run the Docker daemon using command: dockerd --userland-proxy=false"
local remediationImpact="Some systems with older Linux kernels may not be able to support hairpin NAT and therefore require the userland proxy service. Also, some networking setups can be impacted by the removal of the userland proxy."
local check="$id - $desc"
starttestjson "$id" "$desc"
if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
if get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_2_17() {
local id="2.17"
local desc="Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Manual)"
local remediation="By default, Docker's default seccomp profile is applied. If this is adequate for your environment, no action is necessary."
local remediationImpact="A misconfigured seccomp profile could possibly interrupt your container environment. You should therefore exercise extreme care if you choose to override the default settings."
local check="$id - $desc"
starttestjson "$id" "$desc"
if docker info --format '{{ .SecurityOptions }}' | grep 'name=seccomp,profile=default' 2>/dev/null 1>&2; then
pass -c "$check"
logcheckresult "PASS"
return
fi
info -c "$check"
logcheckresult "INFO"
}
check_2_18() {
docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \
| awk '{print $NF; exit}' | tr -d '[:alpha:]-,.' | cut -c 1-4)
local id="2.18"
local desc="Ensure that experimental features are not implemented in production (Scored)"
local remediation="You should not pass --experimental as a runtime parameter to the Docker daemon on production systems."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
if [ "$docker_version" -le 1903 ]; then
if docker version -f '{{.Server.Experimental}}' | grep false 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
local desc="$desc (Deprecated)"
local check="$id - $desc"
info -c "$desc"
logcheckresult "INFO"
}
check_2_end() {
endsectionjson
}