Use Docker Bench for Security, a script that implements the CIS (Center for Internet Security) Docker Benchmark, to verify that the Linux host running your containers is configured correctly. It checks dozens of common best practices for deploying Docker containers in production. The script is publicly available at https://raw.githubusercontent.com/docker/docker-bench-security/master/docker-bench-security.sh (run it as root on the host; it inspects the live daemon through the Docker socket, so its findings reflect the running configuration, not just the files on disk).
[WARN] 1.1 – Ensure a separate partition for containers has been created
/var holds all Docker volumes, images, etc.:
Disk /dev/mapper/ubuntu–vg–data-var_big: 39 GiB, 41875931136 bytes, 81788928 sectors
Check with:
docker info -f '{{ .DockerRootDir }}'
/var/lib/docker/
grep "$(docker info -f '{{ .DockerRootDir }}')" /proc/mounts
NOTE: /var/lib/docker/ is inside /var, which is a whole dedicated disk. The bench only looks for the Docker root dir itself in /proc/mounts, so the grep above prints nothing and the check stays [WARN] even though the intent of the control (keeping Docker's storage off the root filesystem so a runaway image or log cannot fill it) is met. To make the check pass, mount the data volume (or a bind mount of it) directly at /var/lib/docker.
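To see the difference between "lives on a dedicated disk" and "is its own mount point", here is an added shell example (not part of docker-bench-security or of this host's setup) that resolves which mount a directory actually lives on. It reads a constructed /proc/mounts sample so it runs offline; pass no second argument to query the real host.

```shell
#!/bin/sh
# Added example, not from docker-bench-security: resolve the mount that holds
# a directory and test whether the directory is itself a mount point, which is
# what check 1.1 requires of the Docker root dir.
# SAMPLE_MOUNTS is a constructed /proc/mounts, not captured from a real host;
# the functions default to the real /proc/mounts when no file is given.
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/ubuntu--vg--data-var_big /var ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
EOF

# mount_holding DIR [MOUNTS_FILE]
# Prints the longest mount target that is a path prefix of DIR, i.e. the
# filesystem DIR really lives on.
mount_holding() {
    dir=${1%/}
    if [ -z "$dir" ]; then dir=/; fi
    mounts=${2:-/proc/mounts}
    best=/
    while read -r _dev target _rest; do
        case "$dir/" in
            "$target"/*)
                if [ "${#target}" -gt "${#best}" ]; then best=$target; fi ;;
        esac
    done < "$mounts"
    printf '%s\n' "$best"
}

# is_own_mount DIR [MOUNTS_FILE]
# Succeeds only if DIR is itself a mount point (what the bench greps for).
is_own_mount() {
    dir=${1%/}
    if [ -z "$dir" ]; then dir=/; fi
    [ "$(mount_holding "$dir" "${2:-/proc/mounts}")" = "$dir" ]
}

# classify DIR [MOUNTS_FILE]: one-line verdict in the spirit of check 1.1.
classify() {
    if is_own_mount "$1" "$2"; then
        printf '%s is its own mount point: check 1.1 passes\n' "$1"
    elif [ "$(mount_holding "$1" "$2")" != / ]; then
        printf '%s lives on %s, off the root fs, but is not a mount point: bench still warns\n' \
            "$1" "$(mount_holding "$1" "$2")"
    else
        printf '%s is on the root filesystem: separate partition needed\n' "$1"
    fi
}

classify /var/lib/docker "$SAMPLE_MOUNTS"
```

On the real host run `classify "$(docker info -f '{{ .DockerRootDir }}')"`; the middle verdict is exactly this host's situation.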
[WARN] 1.5 – Ensure auditing is configured for the Docker daemon
[WARN] 1.8 – Ensure auditing is configured for Docker files and directories – docker.service
[WARN] 1.9 – Ensure auditing is configured for Docker files and directories – docker.socket
[WARN] 1.10 – Ensure auditing is configured for Docker files and directories – /etc/default/docker
Fix: create /etc/audit/rules.d/audit-container.rules with watch rules for the Docker binaries, data directory, units and configuration (the -k key lets you pull these events out later with ausearch -k docker):
-w /usr/bin/docker -p wa -k docker
-w /var/lib/docker -p wa -k docker
-w /etc/docker -p wa -k docker
-w /lib/systemd/system/docker.service -p wa -k docker
-w /lib/systemd/system/docker.socket -p wa -k docker
-w /etc/default/docker -p wa -k docker
-w /etc/docker/daemon.json -p wa -k docker
-w /usr/bin/docker-containerd -p wa -k docker
-w /usr/bin/docker-runc -p wa -k docker
The last two binary names belong to older Docker packages; on current installs the equivalents are /usr/bin/containerd and /usr/bin/runc, so check with command -v containerd runc and watch whatever paths it prints. Load the rules with augenrules --load (or auditctl -R on the file) and confirm they are active with auditctl -l.
NOTE: we should further monitor /var/log/audit/audit.log for suspicious activity. With the key above, ausearch -k docker -i shows only the Docker-related events in readable form, and aureport -k gives counts per key.
[WARN] 2.11 – Ensure that authorization for Docker client commands is enabled
IGNORING
The daemon only listens on the default local Unix socket, which is protected by requiring membership in the docker group, so this can be safely ignored (keep that group small: anyone in it can start a privileged container and is therefore root-equivalent on the host). Most importantly, the Docker API will not listen on the network, which is the case an authorization plugin is really meant for.
[WARN] 2.12 – Ensure centralized and remote logging is configured
SHOULD BE FIXED – configuration written, but the script still alerts. The bench reads the live daemon (docker info -f '{{ .LoggingDriver }}'), so restart dockerd after editing daemon.json and rerun the script.
Created /etc/docker/daemon.json from https://github.com/nearform/devops/blob/master/packer/securing-docker/files/daemon.json
Edit the local rsyslog so that it forwards to the central logging system (including authentication events).
Caveat: with a remote log driver such as syslog, docker logs and docker-compose logs stop working on Docker Engine releases before 20.10 (later releases keep a local copy, "dual logging", unless cache-disabled is set in log-opts), so I have it disabled for now.
[WARN] 2.15 – Ensure Userland Proxy is Disabled
The "userland-proxy": false line in /etc/docker/daemon.json fixes this warning. It disables the docker-proxy userland process that by default forwards published host ports to containers, and relies on the iptables DNAT rules alone. If hairpin NAT is available, the userland proxy is not needed and should be disabled to reduce the attack surface of the host (one fewer root-owned process per published port that parses network input).
Add "userland-proxy": false to daemon.json and restart the daemon. The one thing to test afterwards is a container reaching its own published port through the host's address; that is the hairpin-NAT case the proxy used to cover, and it is what breaks if hairpin NAT is not available.
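An added daemon.json that addresses 2.12 and 2.15 together. This is an example I am adding here, not the nearform file linked above; the syslog address and the tag template are placeholders for your own rsyslog setup.

```json
{
  "log-driver": "syslog",
  "log-opts": {
    "syslog-address": "udp://127.0.0.1:514",
    "tag": "docker/{{.Name}}"
  },
  "userland-proxy": false
}
```

After sudo systemctl restart docker, docker info -f '{{ .LoggingDriver }}' should print syslog, and once a container with a published port is running there should be no docker-proxy process in ps output. The tag template puts the container name in each syslog line, which is what you will need at the central end to tell services apart.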
[WARN] 4.5 – Ensure Content trust for Docker is Enabled
"We take care of this by setting the environment variable DOCKER_CONTENT_TRUST
for all users in ./scripts/docker-setup.sh. Note that if you build an image locally there are known issues with Docker Content Trust disallowing your action with an authorization failure (i.e. 401). You can use the --disable-content-trust
flag to bypass the setting we created in our docker setup script"
$ docker run --disable-content-trust example:1.0.0
[Docker Content Trust has no concept of trusting something built locally #25852](https://github.com/moby/moby/issues/25852)
TO BE REVIEWED: export DOCKER_CONTENT_TRUST=1 host-wide (e.g. a snippet in /etc/profile.d or /etc/environment) and make sure the images we pull are actually signed. With trust enabled, pulling an unsigned tag fails with a "no trust data" error, and if that happens routinely people will reach for --disable-content-trust, which defeats the control.
#
INSIDE EACH CONTAINER SECURITY/RESTRICTIONS:
[WARN] * Running as root
Containers should run their service as a dedicated unprivileged user (a USER instruction in the Dockerfile, or --user at run time), never as root. Without user namespaces, UID 0 inside the container is UID 0 on the host, so any breakout lands as root; the bench reports a container whose process runs as UID 0.
[WARN] 4.6 – Ensure HEALTHCHECK instructions have been added to the container image
Example (curl must actually be present in the image, otherwise the check always fails and the container is marked unhealthy):
HEALTHCHECK --interval=20s --timeout=3s \
CMD curl -f http://localhost:8000/ || exit 1
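An added Dockerfile (mine, not from the page) that clears both of the above in one image: a system user for the service and an image-level HEALTHCHECK. The image name example-app, its binary and port 8000 are placeholders.

```dockerfile
# Added example, not from the page: unprivileged service user plus HEALTHCHECK.
# "example-app" and port 8000 are placeholders.
FROM debian:bookworm-slim

# curl is needed by the HEALTHCHECK below; nothing else is added to the image.
# adduser --system creates a non-login account with no password.
RUN apt-get update && apt-get install -y --no-install-recommends curl \
 && rm -rf /var/lib/apt/lists/* \
 && adduser --system --group --no-create-home app

COPY --chown=app:app example-app /usr/local/bin/example-app

# Everything after this line, including CMD, runs as the unprivileged user.
USER app
EXPOSE 8000

HEALTHCHECK --interval=20s --timeout=3s --start-period=10s --retries=3 \
  CMD curl -fsS http://localhost:8000/ || exit 1

CMD ["/usr/local/bin/example-app"]
```

Verify with docker inspect -f '{{ .Config.User }}' example-app (should print app) and, for a running container, docker inspect -f '{{ .State.Health.Status }}' <container> (healthy once the service answers). --start-period stops early failed probes from counting while the service is still booting.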
[WARN] 5.2 – Ensure SELinux security options are set, if applicable
IGNORED, we are using Ubuntu, which ships AppArmor rather than SELinux. Docker applies its docker-default AppArmor profile to every container automatically; that is what the bench looks at in the separate check 5.1.
[WARN] 5.7 – Ensure privileged ports are not mapped within containers (do not publish host ports below 1024; put a reverse proxy or the host firewall in front instead)
[WARN] 5.10 – Ensure memory usage for container is limited (--memory / mem_limit; the bench reads HostConfig.Memory and warns when it is 0)
[WARN] 5.11 – Ensure CPU priority is set appropriately on the container (--cpu-shares / cpu_shares; the bench reads HostConfig.CpuShares and warns when it is left at 0 or the default 1024)
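An added docker-compose file (mine, not from the page) with the settings that clear 5.7, 5.10 and 5.11 on a plain docker-compose deployment, plus the cheap hardening that usually goes with them. Service name, image, user and ports are placeholders.

```yaml
# Added example, not from the page: per-container limits for checks 5.7, 5.10, 5.11.
# Compose file format 2.x is used because mem_limit/cpu_shares live at the
# service level there; docker stack deploy (swarm) ignores these keys and wants
# deploy.resources instead.
version: "2.4"
services:
  web:
    image: example-app:1.0.0
    user: "app"                  # no root inside the container
    read_only: true              # root fs read-only; writable paths mounted explicitly
    tmpfs:
      - /tmp
    ports:
      - "8080:8000"              # 5.7: host port above 1024
    mem_limit: 512m              # 5.10: hard cap, shows up as HostConfig.Memory
    cpu_shares: 512              # 5.11: relative weight, default is 1024 (HostConfig.CpuShares)
    pids_limit: 200              # stops fork bombs inside the container
    security_opt:
      - no-new-privileges:true   # setuid binaries cannot regain privileges
    healthcheck:
      test: ["CMD", "curl", "-fsS", "http://localhost:8000/"]
      interval: 20s
      timeout: 3s
      retries: 3
```

After docker-compose up, docker inspect -f '{{ .HostConfig.Memory }} {{ .HostConfig.CpuShares }}' <container> should print 536870912 512, which is what the bench checks; rerun the script to confirm 5.10 and 5.11 turn to PASS for that container.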
#
APPENDIX:
More configuration considerations:
- a Docker swarm inside each VM
- a Portainer instance for easy visual management
- new /tmp and /var/tmp directories, each on its own exclusive mount point
- a new 2 GB swap, configured as described in the Docker documentation
- restricted users (admins) will access the hosts via Kerberos (AD)
- for general automation, the service account will authenticate with a key pair only