docker-bench-security: Audit Well-Known Docker Vulnerabilities

Just start a container, run the check, and dispose the container afterwards.

# Pull docker image
docker pull docker/docker-bench-security

# Enforce the check
docker run -it --net host --pid host \
 --cap-add audit_control \
 -v /var/lib:/var/lib \
 -v /var/run/docker.sock:/var/run/docker.sock \
 -v /usr/lib/systemd:/usr/lib/systemd \
 -v /etc:/etc --label docker_bench_security \
 docker/docker-bench-security

No doubt we may get many warnings/errors for the first time. No worry, we will conquer the major ones together.

Getting familiar with docker-bench-security is good. More importantly, we learn how to avoid common pitfalls for Docker security.

Let’s go through the common major issues with below format:

1. Error Msg. Console output of docker-bench-security.
2. What For. What does it mean and what’s the impact.

• Error Msg:

[WARN] 1.1  - Create a separate partition for containers

For docker daemon, create a separate partition for the data folder. It is usually /var/lib/docker.

Personally I think it’s also a good practice to do the same for docker containers.

1. Be safe with our key data. Store key data in a separate partition. This will dramatically simplify our backup/restore process. When something goes terribly wrong, we can skip the trouble shooting. Simply start a new container, and mount the volume. 2. For devicemapper storage driver, containers will only have 10GB disk. Without volume mount, we run into low capacity easily.

• Error Msg:

[WARN] 1.5  - Keep Docker up to date
[WARN]       * Using 1.12.2, when 1.12.3 is current as of 2016-10-26

Docker is in rapid development. New version is usually better. The upgrade might fix issues and improve the performance. Warnings: 1. Run rehearsal before upgrading our critical envs. Always install latest versions could be troublesome. 2. Be prepared for potential upgrade failures.

# Upgrade Docker Daemon

# Check version before upgrade
docker version
service docker stop

curl -sSL https://get.docker.com/ | sudo sh

# Check version after upgrade
docker version
docker ps

• Error Msg:

[WARN] 1.4  - Remove all non-essential services from the host - Network
[WARN]      * Host listening on: 9 ports

Ideally each container should only run one service. If our container listen on multiple ports, usually it would be a violation of this principle.

• Error Msg:

[WARN] 2.1  - Restrict network traffic between containers

By default, unrestricted network traffic is enabled between all containers on the same host. If our containers doesn’t need to talk with each other, we should disable it. Add –icc=false to $DOCKER_OPTS, when we start docker daemon.

root@denny:/var/log# dockerd --help | grep -C 5 icc
 --fixed-cidr-v6             IPv6 subnet for fixed IPs
 -G, --group=docker          Group for the unix socket
 -g, --graph=/var/lib/docker Root of the Docker runtime
 -H, --host=[]               Daemon socket(s) to connect to
 -h, --help                  Print usage
 --icc=true                  Enable inter-container communication
 --insecure-registry=[]      Enable insecure registry communication
 --ip=0.0.0.0                Default IP when binding container ports
 --ip-forward=true           Enable net.ipv4.ip_forward
 --ip-masq=true              Enable IP masquerading
 --iptables=true             Enable addition of iptables rules

Another useful post about this[1].

• Error Msg:

[WARN] 2.2  - Set the logging level

Specify log level, when we start docker daemon. Usually, we can add “-l log” to $DOCKER_OPTS. For Ubuntu/Debian, check /etc/default/docker.

• Error Msg:

[WARN] 5.4  - Do not use privileged containers
[WARN]      * Container running in Privileged mode: my-ss
[WARN]      * Container running in Privileged mode: docker-jenkins

Don’t use “–privileged” to start containers, unless we 100% need that.

• Error Msg:

[WARN] 5.6  - Do not run ssh within containers
[WARN]      * Container running sshd: docker-jenkins

Avoid running sshd, thus we can reduce the attack surface. Read more: her.[2]

• Error Msg:

[WARN] 5.10 - Limit memory usage for container
[WARN]      * Container running without memory restrictions: my-ss
[WARN]      * Container running without memory restrictions: docker-jenkins

Limit the maximum memory your container can use. Thanks to cgroup, a very good self-protection mechanism.

To enable this, we can start containers with -m option. Let’s do a small experiment. With stress we can simulate a process using any given memory.[3]

# Start a container, only allow to use 600MB RAM at most
docker run -t -d --privileged -h mytest --name my-test \
  -m 600M ubuntu:14.04 /bin/bash

docker exec -it my-test bash

# Install stress tool
apt-get -y update
apt-get -y install stress

# Simulate using 500MB memory: should be fine
stress --vm-bytes 500m --vm-keep -m 1

# Simulate using 1000MB memory: should crash
stress --vm-bytes 1000m --vm-keep -m 1

# Sample output:
# stress: info: [83] dispatching hogs: 0 cpu, 0 io, 1 vm, 0 hdd
# stress: FAIL: [83] (416) <-- worker 84 got signal 9
# stress: WARN: [83] (418) now reaping child worker processes
# stress: FAIL: [83] (452) failed run completed in 2s

• Error Msg:

[WARN] 5.11 - Set container CPU priority appropriately
[WARN]      * Container running without CPU restrictions: my-ss
[WARN]      * Container running without CPU restrictions: docker-jenkins

Similar like above.

• Error Msg:

[WARN] 5.13 - Bind incoming container traffic to a specific host interface
[WARN]      * Port being bound to wildcard IP: 0.0.0.0 in my-ss
[WARN]      * Port being bound to wildcard IP: 0.0.0.0 in docker-jenkins
[WARN]      * Port being bound to wildcard IP: 0.0.0.0 in docker-jenkins
[WARN]      * Port being bound to wildcard IP: 0.0.0.0 in docker-jenkins
[WARN]      * Port being bound to wildcard IP: 0.0.0.0 in docker-jenkins

This would be the most dangerous issue, if you’re running docker in public cloud.

Let’s say, we start a container like below. And we export the db port 3306.

docker run -t -d -p 3306:3306 denny/app:v1 /bin/bash

This makes the docker wrapper transparent for end users. Whenever I visit $docker_hostip:3306, it points me to my db service directly. This is super nice, especially for development cycle.
However if we expose tcp ports like that, docker will configure our iptables to wildly open. That would be a serious problem, if running in public cloud. Anything can visit our db port directly. Sounds exciting, isn’t it?

The most absurd thing is Docker doesn’t support us to customize the behavior. Surely we can manually hack iptables rules, but it would be very tricky. Say when containers restart, container ip will change. Thus iptables rules need to updated manually. Again!

See more discussion in reddit.[4]

• Error Msg:

[INFO] 6.4 - Avoid image sprawl
[INFO]      * There are currently: 52 images
[WARN]      * Only 9 out of 52 are in use

Remove unnecessary or unused docker images. This will help us to save disk capacity.

In the future posts, I will introduce more docker security tools. Open source or commercial. Hopeful they will help us to improve our Docker security even more.

Your input, please.

[1] http://containertutorials.com/docker-security/daemon_security.html#restrict-network-traffic-between-containers
[2] https://jpetazzo.github.io/2014/06/23/docker-ssh-considered-evil/
[3] http://people.seas.harvard.edu/~apw/stress/
[4] https://goo.gl/QmO4iZ

Posts: Tag #docker

• 5 Tips Of GUI Tests With Python + Selenium
• Get Alerts, When Containers Run Into Issues
• [Container] Run Process Debug Tools, But Install Nothing
• ChatOps Bot: Query Node Info Without Manual Login
• Run Code Static Check Via A Temporary Container
• Get Notification: Monitor Your Docker Image Sizing
• 8 Lessons Learned Using docker-compose
• Verify Docker Images Build By Docker-In-Docker
• [Product Review] NeuVector, Build Run-Time Container Security
• docker-bench-security: Audit Well-Known Docker Vulnerabilities
• Docker Tip: Run Daemon Service In Foreground
• Docker Low Disk Space. Clean Up Disk Leak!
• Audit Docker Image Security
• Easy and Reliable Sandbox Setup Matters
• 5 Tips For Building Docker Image

Blog URL: https://www.dennyzhang.com/docker_bench_security