Add remediation stuff on daemon configuration
This commit is contained in:
parent
7e89fdd364
commit
c05c58674a
1 changed files with 32 additions and 0 deletions
|
@ -32,6 +32,8 @@ check_2_1() {
|
|||
check_2_2() {
|
||||
local id="2.2"
|
||||
local desc="Ensure the logging level is set to 'info' (Scored)"
|
||||
local remediation="Ensure that the Docker daemon configuration file has the following configuration included log-level: info. Alternatively, run the Docker daemon as following: dockerd --log-level=info"
|
||||
local remediationImpact="None."
|
||||
local check="$id - $desc"
|
||||
starttestjson "$id" "$desc"
|
||||
|
||||
|
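Review bot: The new `remediation` and `remediationImpact` locals are assigned but nothing visible in this hunk reads them — `starttestjson "$id" "$desc"` on the following line is unchanged — so unless the reporting helpers consume them further down (check_2_2's body continues outside the hunk), ShellCheck will report them as unused (SC2034). The same pattern repeats in every other hunk of this file, check_2_3 through check_2_17. For this check specifically, the remediation tells the reader to put `log-level: info` in the Docker daemon configuration file, but that file is JSON, so the literal an operator would copy is `"log-level": "info"`; consider `local remediation="Ensure that the Docker daemon configuration file has the following configuration included: \"log-level\": \"info\". Alternatively, run the Docker daemon as following: dockerd --log-level=info"`.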
@ -63,6 +65,8 @@ check_2_2() {
|
|||
check_2_3() {
|
||||
local id="2.3"
|
||||
local desc="Ensure Docker is allowed to make changes to iptables (Scored)"
|
||||
local remediation="Do not run the Docker daemon with --iptables=false option."
|
||||
local remediationImpact="The Docker daemon service requires iptables rules to be enabled before it starts."
|
||||
local check="$id - $desc"
|
||||
starttestjson "$id" "$desc"
|
||||
|
||||
|
@ -81,6 +85,8 @@ check_2_3() {
|
|||
check_2_4() {
|
||||
local id="2.4"
|
||||
local desc="Ensure insecure registries are not used (Scored)"
|
||||
local remediation="You should ensure that no insecure registries are in use."
|
||||
local remediationImpact="None."
|
||||
local check="$id - $desc"
|
||||
starttestjson "$id" "$desc"
|
||||
|
||||
|
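Review bot: The remediation text `You should ensure that no insecure registries are in use.` restates the check rather than telling the operator what to change; the actionable fix is to remove any `--insecure-registry` flag from the dockerd command line and any `insecure-registries` entry from the daemon configuration file. I'd word it `local remediation="You should ensure that no insecure registries are in use. Remove any --insecure-registry flags passed to dockerd and any insecure-registries entries in the daemon configuration file."`. check_2_4's body continues outside the hunk.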
@ -104,6 +110,8 @@ check_2_4() {
|
|||
check_2_5() {
|
||||
local id="2.5"
|
||||
local desc="Ensure aufs storage driver is not used (Scored)"
|
||||
local remediation="Do not start Docker daemon as using dockerd --storage-driver aufs option."
|
||||
local remediationImpact="aufs is the only storage driver that allows containers to share executable and shared library memory. Its use should be reviewed in line with your organization's security policy."
|
||||
local check="$id - $desc"
|
||||
starttestjson "$id" "$desc"
|
||||
|
||||
|
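Review bot: The remediation sentence `Do not start Docker daemon as using dockerd --storage-driver aufs option.` reads awkwardly ("as using"), and since this string is printed to operators in the report it should be clean prose; I'd tighten it to `local remediation="Do not start the Docker daemon with the dockerd --storage-driver aufs option."`. check_2_5's body continues outside the hunk.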
@ -119,6 +127,8 @@ check_2_5() {
|
|||
check_2_6() {
|
||||
local id="2.6"
|
||||
local desc="Ensure TLS authentication for Docker daemon is configured (Scored)"
|
||||
local remediation="Follow the steps mentioned in the Docker documentation or other references. By default, TLS authentication is not configured."
|
||||
local remediationImpact="You would need to manage and guard certificates and keys for the Docker daemon and Docker clients."
|
||||
local check="$id - $desc"
|
||||
starttestjson "$id" "$desc"
|
||||
|
||||
|
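Review bot: The remediation for 2.6 only says to `Follow the steps mentioned in the Docker documentation or other references`, which gives an operator nothing to act on from the report itself; since the check concerns TLS authentication of the daemon, naming the daemon flags involved (`--tlsverify` together with `--tlscacert`, `--tlscert` and `--tlskey`) would make the remediation self-contained. Something like `local remediation="Configure the daemon to require and verify TLS client certificates, for example: dockerd --tlsverify --tlscacert=<CA_CERT> --tlscert=<SERVER_CERT> --tlskey=<SERVER_KEY>. By default, TLS authentication is not configured."` (placeholders to be filled by the operator). check_2_6's body continues outside the hunk.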
@ -148,6 +158,8 @@ check_2_6() {
|
|||
check_2_7() {
|
||||
local id="2.7"
|
||||
local desc="Ensure the default ulimit is configured appropriately (Not Scored)"
|
||||
local remediation="Run Docker in daemon mode and pass --default-ulimit as option with respective ulimits as appropriate in your environment and in line with your security policy. Example: dockerd --default-ulimit nproc=1024:2048 --default-ulimit nofile=100:200"
|
||||
local remediationImpact="If ulimits are set incorrectly this could cause issues with system resources, possibly causing a denial of service condition."
|
||||
local check="$id - $desc"
|
||||
starttestjson "$id" "$desc"
|
||||
|
||||
|
@ -167,6 +179,8 @@ check_2_7() {
|
|||
check_2_8() {
|
||||
local id="2.8"
|
||||
local desc="Enable user namespace support (Scored)"
|
||||
local remediation="Please consult the Docker documentation for various ways in which this can be configured depending upon your requirements. The high-level steps are: Ensure that the files /etc/subuid and /etc/subgid exist. Start the docker daemon with --userns-remap flag."
|
||||
local remediationImpact="User namespace remapping is incompatible with a number of Docker features and also currently breaks some of its functionalities."
|
||||
local check="$id - $desc"
|
||||
starttestjson "$id" "$desc"
|
||||
|
||||
|
@ -185,6 +199,8 @@ check_2_8() {
|
|||
check_2_9() {
|
||||
local id="2.9"
|
||||
local desc="Ensure the default cgroup usage has been confirmed (Scored)"
|
||||
local remediation="The default setting is in line with good security practice and can be left in situ."
|
||||
local remediationImpact="None."
|
||||
local check="$id - $desc"
|
||||
starttestjson "$id" "$desc"
|
||||
|
||||
|
@ -205,6 +221,8 @@ check_2_9() {
|
|||
check_2_10() {
|
||||
local id="2.10"
|
||||
local desc="Ensure base device size is not changed until needed (Scored)"
|
||||
local remediation="Do not set --storage-opt dm.basesize until needed."
|
||||
local remediationImpact="None."
|
||||
local check="$id - $desc"
|
||||
starttestjson "$id" "$desc"
|
||||
|
||||
|
@ -223,6 +241,8 @@ check_2_10() {
|
|||
check_2_11() {
|
||||
local id="2.11"
|
||||
local desc="Ensure that authorization for Docker client commands is enabled (Scored)"
|
||||
local remediation="Install/Create an authorization plugin. Configure the authorization policy as desired. Start the docker daemon using command dockerd --authorization-plugin=<PLUGIN_ID>"
|
||||
local remediationImpact="Each Docker command needs to pass through the authorization plugin mechanism. This may have a performance impact"
|
||||
local check="$id - $desc"
|
||||
starttestjson "$id" "$desc"
|
||||
|
||||
|
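Review bot: The `remediationImpact` string for 2.11 is the only one added in this commit without a terminating period (`This may have a performance impact`); every other check ends its impact text with one, so for consistent report output use `local remediationImpact="Each Docker command needs to pass through the authorization plugin mechanism. This may have a performance impact."`. check_2_11's body continues outside the hunk.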
@ -241,6 +261,8 @@ check_2_11() {
|
|||
check_2_12() {
|
||||
local id="2.12"
|
||||
local desc="Ensure centralized and remote logging is configured (Scored)"
|
||||
local remediation="Set up the desired log driver following its documentation. Start the docker daemon using that logging driver. Example: dockerd --log-driver=syslog --log-opt syslog-address=tcp://192.xxx.xxx.xxx"
|
||||
local remediationImpact="None."
|
||||
local check="$id - $desc"
|
||||
starttestjson "$id" "$desc"
|
||||
|
||||
|
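Review bot: The example in the 2.12 remediation, `dockerd --log-driver=syslog --log-opt syslog-address=tcp://192.xxx.xxx.xxx`, ships container logs to a remote collector in cleartext, and this is exactly the line operators will copy from the report. The syslog driver supports a TLS transport, so the example should read `syslog-address=tcp+tls://<LOG_HOST>:<PORT>` with `--log-opt syslog-tls-ca-cert=<CA_CERT>` pointing at the collector's CA, or at minimum the text should state that the plain tcp scheme is neither authenticated nor encrypted. check_2_12's body continues outside the hunk.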
@ -256,6 +278,8 @@ check_2_12() {
|
|||
check_2_13() {
|
||||
local id="2.13"
|
||||
local desc="Ensure live restore is enabled (Scored)"
|
||||
local remediation="Run Docker in daemon mode and pass --live-restore option."
|
||||
local remediationImpact="None."
|
||||
local check="$id - $desc"
|
||||
starttestjson "$id" "$desc"
|
||||
|
||||
|
@ -279,6 +303,8 @@ check_2_13() {
|
|||
check_2_14() {
|
||||
local id="2.14"
|
||||
local desc="Ensure Userland Proxy is Disabled (Scored)"
|
||||
local remediation="You should run the Docker daemon using command: dockerd --userland-proxy=false"
|
||||
local remediationImpact="Some systems with older Linux kernels may not be able to support hairpin NAT and therefore require the userland proxy service. Also, some networking setups can be impacted by the removal of the userland proxy."
|
||||
local check="$id - $desc"
|
||||
starttestjson "$id" "$desc"
|
||||
|
||||
|
@ -297,6 +323,8 @@ check_2_14() {
|
|||
check_2_15() {
|
||||
local id="2.15"
|
||||
local desc="Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Not Scored)"
|
||||
local remediation="By default, Docker's default seccomp profile is applied. If this is adequate for your environment, no action is necessary."
|
||||
local remediationImpact="A misconfigured seccomp profile could possibly interrupt your container environment. You should therefore exercise extreme care if you choose to override the default settings."
|
||||
local check="$id - $desc"
|
||||
starttestjson "$id" "$desc"
|
||||
|
||||
|
@ -315,6 +343,8 @@ check_2_16() {
|
|||
|
||||
local id="2.16"
|
||||
local desc="Ensure that experimental features are not implemented in production (Scored)"
|
||||
local remediation="You should not pass --experimental as a runtime parameter to the Docker daemon on production systems."
|
||||
local remediationImpact="None."
|
||||
local check="$id - $desc"
|
||||
starttestjson "$id" "$desc"
|
||||
|
||||
|
@ -337,6 +367,8 @@ check_2_16() {
|
|||
check_2_17() {
|
||||
local id="2.17"
|
||||
local desc="Ensure containers are restricted from acquiring new privileges (Scored)"
|
||||
local remediation="You should run the Docker daemon using command: dockerd --no-new-privileges"
|
||||
local remediationImpact="no_new_priv prevents LSMs such as SELinux from escalating the privileges of individual containers."
|
||||
local check="$id - $desc"
|
||||
starttestjson "$id" "$desc"
|
||||
|
||||
|
|