Docker Security CIS Benchmark

The following tutorial is an extension of the Center for Internet Security (CIS) benchmark, CIS DOCKER 1.6 BENCHMARK V1.0.0, published by Pravin Goyal <pgoyal@vmware.com>, Staff Engineer, VMware. In this tutorial we cover the important guidelines for running Docker containers in a secured environment.

Host Configuration

This section covers security recommendations that you should follow to prepare the host machine on which you plan to execute containerized workloads. Securing the Docker host and following your infrastructure security best practices builds a solid and secure foundation for executing containerized workloads.

Keep Docker version up to date

By staying up to date with Docker updates, you mitigate known vulnerabilities in the Docker software. An educated attacker may exploit known vulnerabilities when attempting to gain access or elevate privileges. Not installing regular Docker updates may leave you running vulnerable Docker software, which might lead to elevation of privileges, unauthorized access or other security breaches.

$ docker version
Client:
 Version:      1.9.1
 API version:  1.21
 Go version:   go1.4.2
 Git commit:   a34a1d5
 Built:        Fri Nov 20 13:20:08 UTC 2015
 OS/Arch:      linux/amd64

Server:
 Version:      1.9.1
 API version:  1.21
 Go version:   go1.4.2
 Git commit:   a34a1d5
 Built:        Fri Nov 20 13:20:08 UTC 2015
 OS/Arch:      linux/amd64
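The check a host-hardening script would run for this recommendation, as an added example that is not part of the original tutorial: it parses the Server "Version:" line out of `docker version` output (a constructed copy of the session above is embedded so it runs offline), compares it numerically against a required minimum, and returns a non-zero status when the daemon is too old. The minimum version passed in is a placeholder that you set to the currently supported release; nothing here queries a live daemon unless you pipe `docker version` into it yourself.

```sh
#!/bin/sh
# Constructed copy of the `docker version` output shown above (Docker 1.9.1).
SAMPLE_VERSION_OUTPUT='Client:
 Version:      1.9.1
 API version:  1.21
 OS/Arch:      linux/amd64

Server:
 Version:      1.9.1
 API version:  1.21
 OS/Arch:      linux/amd64'

# Print the Server "Version:" value from `docker version` text on stdin.
# The daemon version is the one that matters for host exposure.
server_version() {
    awk '/^Server:/ { in_server = 1 }
         in_server && $1 == "Version:" { print $2; exit }'
}

# Return 0 when dotted version $1 is greater than or equal to $2, comparing
# each numeric component in turn (so 1.10.0 >= 1.9.1, unlike a string compare).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Compare the installed daemon version (stdin) against a required minimum $1.
# Returns 0 when compliant, 1 when too old, 2 when the output could not be parsed.
check_docker_version() {
    current=$(server_version)
    if [ -z "$current" ]; then
        echo "could not parse a Server version" >&2
        return 2
    fi
    if version_ge "$current" "$1"; then
        echo "OK: Docker daemon $current meets minimum $1"
        return 0
    fi
    echo "WARN: Docker daemon $current is older than required minimum $1" >&2
    return 1
}

# Offline demo with the constructed output; on a real host run:
#   docker version | check_docker_version <minimum>
# The minimum (1.9.0 here) is a placeholder for the current supported release.
printf '%s\n' "$SAMPLE_VERSION_OUTPUT" | check_docker_version 1.9.0
```

Comparing component by component matters because a plain string comparison would rank 1.10.0 below 1.9.1; the awk comparison also tolerates a suffix such as 1.9.1-ce by reading only the leading digits of each component.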

Only allow trusted users to control Docker daemon

The Docker daemon currently requires ‘root’ privileges. Adding a user to the ‘docker’ group gives that user the equivalent of full ‘root’ access to the host. Hence, only verified users should be added to the docker group.

$ useradd test

$ passwd test
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

$ su test

test@ubuntu:/home/vkohli$ ls -l /etc/passwd
-rw-r--r-- 1 root root 2238 Nov 27 01:33 /etc/passwd

test@ubuntu:/home/vkohli$ docker ps
Cannot connect to the Docker daemon. Is the docker daemon running on this host?

$ usermod -aG docker test

$ su test

$ docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
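Because membership of the docker group is root-equivalent, the membership itself is worth auditing. The following is an added example, not from the original tutorial: it reads /etc/group-style text (a constructed excerpt is embedded, with a made-up "jenkins" account alongside the "test" user added above), lists the docker group members, and reports any member missing from a space-separated allow list you maintain. The allow list and the group file contents are assumptions for the demo; on a real host you feed it `getent group docker`.

```sh
#!/bin/sh
# Constructed /etc/group excerpt (not from the page): "test" was just added to
# the docker group, and a "jenkins" service account is there too.
SAMPLE_GROUP_FILE='root:x:0:
sudo:x:27:vkohli
docker:x:999:vkohli,test,jenkins'

# Print the members of group $1, one per line, from /etc/group-style text on stdin.
group_members() {
    awk -F: -v g="$1" '$1 == g {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }'
}

# Print members of group $1 that are not in the space-separated allow list $2.
unexpected_members() {
    group_members "$1" | while IFS= read -r user; do
        case " $2 " in
            *" $user "*) ;;                 # on the allow list
            *) printf '%s\n' "$user" ;;      # not trusted: report it
        esac
    done
}

# Return 0 when every docker-group member is on the allow list, 1 otherwise.
# Group text comes from stdin so the check runs on a file or on getent output.
check_docker_group() {
    bad=$(unexpected_members docker "$1")
    if [ -n "$bad" ]; then
        printf 'WARN: docker group members not on the trusted list: %s\n' \
            "$(printf '%s' "$bad" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Offline demo on the constructed data; on a real host:
#   getent group docker | check_docker_group "vkohli"
printf '%s\n' "$SAMPLE_GROUP_FILE" | check_docker_group "vkohli" || echo "review needed"
```

Run periodically (or from configuration management), this turns the "only verified users" rule into a drift check: any account that appears in the docker group without first being added to the trusted list shows up as a warning.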

Audit Docker Daemon

Apart from auditing your regular Linux file system and system calls, audit the Docker daemon as well. The Docker daemon runs with ‘root’ privileges, so it is necessary to audit its activities and usage:

$ apt-get install auditd
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libauparse0
Suggested packages:
  audispd-plugins
The following NEW packages will be installed:
  auditd libauparse0
0 upgraded, 2 newly installed, 0 to remove and 50 not upgraded.
Need to get 227 kB of archives.
After this operation, 732 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://us.archive.ubuntu.com/ubuntu/ wily/main libauparse0 amd64 1:2.4.2-1ubuntu1 [35.1 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu/ wily/main auditd amd64 1:2.4.2-1ubuntu1 [192 kB]
Fetched 227 kB in 6s (35.2 kB/s)
Selecting previously unselected package libauparse0:amd64.
(Reading database ... 176489 files and directories currently installed.)
Preparing to unpack .../libauparse0_1%3a2.4.2-1ubuntu1_amd64.deb ...
Unpacking libauparse0:amd64 (1:2.4.2-1ubuntu1) ...
Selecting previously unselected package auditd.
Preparing to unpack .../auditd_1%3a2.4.2-1ubuntu1_amd64.deb ...
Unpacking auditd (1:2.4.2-1ubuntu1) ...
Processing triggers for man-db (2.7.4-1) ...
Processing triggers for ureadahead (0.100.0-19) ...
Processing triggers for systemd (225-1ubuntu9) ...
Setting up libauparse0:amd64 (1:2.4.2-1ubuntu1) ...
Setting up auditd (1:2.4.2-1ubuntu1) ...
update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
Processing triggers for libc-bin (2.21-0ubuntu4) ...
Processing triggers for ureadahead (0.100.0-19) ...
Processing triggers for systemd (225-1ubuntu9) ...

Remove the existing audit log file, if one is present:

$ cd /etc/audit/

$ ls
audit.log

$ nano audit.log

$ rm -rf audit.log

Add the audit rule for the docker service and audit the docker service:

$ nano audit.rules
-w /usr/bin/docker -k docker

$ service auditd restart

$ ausearch -k docker
<no matches>

$ docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

$ ausearch -k docker
----
time->Fri Nov 27 02:29:50 2015
type=PROCTITLE msg=audit(1448620190.716:79): proctitle=646F636B6572007073
type=PATH msg=audit(1448620190.716:79): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=398512 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1448620190.716:79): item=0 name="/usr/bin/docker" inode=941134 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1448620190.716:79):  cwd="/etc/audit"
type=EXECVE msg=audit(1448620190.716:79): argc=2 a0="docker" a1="ps"
type=SYSCALL msg=audit(1448620190.716:79): arch=c000003e syscall=59 success=yes exit=0 a0=ca1208 a1=c958c8 a2=c83008 a3=58c items=2 ppid=5203 pid=10863 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=4294967295 comm="docker" exe="/usr/bin/docker" key="docker"
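Two things a defender wants after enabling this rule are a check that the rule set actually contains the required watches, and a readable view of what `ausearch -k docker` returns. The block below is an added example, not from the original tutorial. The watch list goes beyond the page: the tutorial adds only /usr/bin/docker, while the CIS benchmark also lists further Docker-related paths; the three extra paths here are my selection from that list. The audit records are a constructed copy of the output shown above, so the block runs offline; on a live host you pipe `ausearch -k docker` into it instead.

```sh
#!/bin/sh
# Watches the CIS Docker benchmark asks auditd to keep. The page adds only the
# first one; the others are further paths the benchmark lists (selection is mine).
REQUIRED_WATCHES='/usr/bin/docker /var/lib/docker /etc/docker /etc/default/docker'

# Read audit rules on stdin and print every required watch path that has no
# "-w <path>" rule, so a missing rule is noticed before the audit trail is relied on.
missing_audit_rules() {
    rules=$(cat)
    for path in $REQUIRED_WATCHES; do
        printf '%s\n' "$rules" |
            grep -Eq "^[[:space:]]*-w[[:space:]]+$path([[:space:]]|\$)" ||
            printf '%s\n' "$path"
    done
}

# Constructed copy of the `ausearch -k docker` records shown above.
SAMPLE_AUSEARCH='----
time->Fri Nov 27 02:29:50 2015
type=PROCTITLE msg=audit(1448620190.716:79): proctitle=646F636B6572007073
type=CWD msg=audit(1448620190.716:79):  cwd="/etc/audit"
type=EXECVE msg=audit(1448620190.716:79): argc=2 a0="docker" a1="ps"
type=SYSCALL msg=audit(1448620190.716:79): arch=c000003e syscall=59 success=yes exit=0 ppid=5203 pid=10863 auid=4294967295 uid=0 gid=0 euid=0 tty=pts2 comm="docker" exe="/usr/bin/docker" key="docker"'

# Turn raw `ausearch -k docker` records into one line per docker invocation:
# time, login uid (auid), effective uid, executable and argv.
summarize_docker_events() {
    awk '
        function flush() {
            if (cmd != "")
                printf "%s auid=%s uid=%s exe=%s cmd=[%s]\n", t, auid, uid, exe, cmd
            t = cmd = auid = uid = exe = ""
        }
        /^----/   { flush(); next }
        /^time->/ { t = substr($0, 7); next }
        /^type=EXECVE/ {
            # argv entries look like a0="docker"; an argument containing spaces
            # is hex-encoded without quotes by auditd and is left as-is here.
            cmd = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^a[0-9]+=/) {
                    v = $i; sub(/^a[0-9]+=/, "", v); gsub(/"/, "", v)
                    cmd = cmd (cmd == "" ? "" : " ") v
                }
            next
        }
        /^type=SYSCALL/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^auid=/) auid = substr($i, 6)
                if ($i ~ /^uid=/)  uid  = substr($i, 5)
                if ($i ~ /^exe=/)  { exe = substr($i, 5); gsub(/"/, "", exe) }
            }
            # 4294967295 is (unsigned)-1: no login UID was set, so the event
            # cannot be attributed to the user who originally logged in.
            if (auid == "4294967295") auid = "unset"
            next
        }
        END { flush() }
    '
}

# Offline demo on the constructed data; on a real host:
#   ausearch -k docker | summarize_docker_events
#   missing_audit_rules < /etc/audit/audit.rules
printf '%s\n' "$SAMPLE_AUSEARCH" | summarize_docker_events
printf '%s\n' '-w /usr/bin/docker -k docker' | missing_audit_rules
```

The summary of the record above reads `auid=unset`: the audit login UID was never set for that shell, so the trail shows that root ran `docker ps` but not which person became root. When the summary shows that for real events, the fix is on the login side (pam_loginuid on the services that open sessions), not in the docker rule.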