One of the key points of cloud-native security is addressing container security risks as soon as possible. Doing it later in the development life cycle slows down the pace of cloud adoption and raises security and compliance risks. Using Docker to containerize your applications and services can give you some security benefits out of the box. However, a default Docker installation still has room for some security-related configuration improvements.
Docker Bench for Security is a script that checks for dozens of common best practices around deploying Docker containers in production. All tests are automated and based on the CIS Docker Benchmark v1.3.1.
Using the Docker Bench for Security script helps you find and resolve weaknesses in your Docker host’s security. Addressing any warnings that it emits will help harden your host and improve your security posture.
While a good score is always the target, you should also note that Docker Bench is for production workloads. Not all checks are relevant to a developer’s local Docker installation. Run the script, read the warnings, and assess which ones apply to your environment.
Docker Bench for Security scans the Docker host for common configuration issues: loose settings in configuration files, overly permissive file ownership and permissions, and questionable daemon and container defaults. It is a configuration audit, not a vulnerability scanner: it does not consult a Common Vulnerabilities and Exposures (CVE) database and will not tell you whether the packages and libraries inside your images are out of date, so that job belongs to a separate image vulnerability scanner. For an example of the check output, see image one in the download accompanying these FAQs.
From the docker-bench-security directory, run the script as root, since most checks read daemon configuration and files that only root can access. The -i option restricts the container and image checks to names matching the given pattern, here hello-world:
sudo sh ./docker-bench-security.sh -i hello-world
Please see image two in the download accompanying these FAQs for the output. At the end of each scan the script prints the number of checks it ran and a score: each PASS adds a point and each WARN subtracts one. Admins can track a host configuration's Docker Bench for Security scores to mark improvements over time. The higher the scan score, the better, and the WARN lines tell you exactly which checks still need attention.
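Tracking the score by hand gets tedious, and the number alone does not say which checks were fixed and which regressed. The script below is an added example, not part of the Docker Bench for Security project: it saves each run under a dated name, counts the scored check lines, extracts the reported score, and diffs the set of WARN check ids between two saved runs. It assumes it is run as root from the docker-bench-security checkout, that LOG_DIR is writable, and that the benchmark's plain-text output format is as shown in the constructed samples at the bottom (those samples are illustrative, not real output).

```shell
#!/bin/sh
# Added example; it is not part of the Docker Bench for Security project.
# Keeps a dated copy of each run's output and summarises/compares saved runs
# so the score and the set of open WARN checks can be followed over time.
# Assumptions: run as root from the docker-bench-security checkout; LOG_DIR
# is writable; the output in sample_run_before/after is constructed for
# illustration and is not real benchmark output.

LOG_DIR="${LOG_DIR:-/var/log/docker-bench}"

# Run the benchmark with colours disabled (-b) so the log is plain text,
# passing any extra arguments (e.g. "-i hello-world") through. Prints the
# path of the saved log.
run_bench() {
    mkdir -p "$LOG_DIR"
    log="$LOG_DIR/bench-$(date +%Y%m%dT%H%M%S).log"
    sh ./docker-bench-security.sh -b "$@" > "$log"
    echo "$log"
}

# Count scored check lines per result and print the reported score. A check
# line looks like "[WARN] 1.1.3 - Ensure auditing ...". Continuation lines
# such as "[WARN]      * Running as root: web" carry no check id and are
# not counted; INFO is skipped because the tool also uses it for section
# headers and for the final "Checks:" and "Score:" lines.
summarize_bench() {
    for level in PASS WARN NOTE; do
        printf '%s=%s\n' "$level" "$(grep -Ec "^\[$level] [0-9]+(\.[0-9]+)+ - " "$1")"
    done
    printf 'SCORE=%s\n' "$(sed -n 's/^\[INFO] Score: *\(-*[0-9]*\).*/\1/p' "$1")"
}

# Print the ids of the checks that produced a WARN, sorted, one per line.
failing_checks() {
    grep -E '^\[WARN] [0-9]+(\.[0-9]+)+ - ' "$1" | awk '{ print $2 }' | sort
}

# Compare two saved runs: WARNs present before but not after were fixed,
# WARNs present only after are regressions to look at.
compare_runs() {
    old=$(mktemp) && new=$(mktemp)
    failing_checks "$1" > "$old"
    failing_checks "$2" > "$new"
    printf 'fixed: %s\n' "$(comm -23 "$old" "$new" | tr '\n' ' ')"
    printf 'new:   %s\n' "$(comm -13 "$old" "$new" | tr '\n' ' ')"
    rm -f "$old" "$new"
}

# Constructed sample output of two runs (not real benchmark output).
sample_run_before() {
    cat <<'EOF'
[INFO] 1 - Host Configuration
[INFO] 1.1 - General Configuration
[WARN] 1.1.1 - Ensure a separate partition for containers has been created (Automated)
[PASS] 1.1.2 - Ensure only trusted users are allowed to control Docker daemon (Automated)
[WARN] 1.1.3 - Ensure auditing is configured for the Docker daemon (Automated)
[WARN] 1.1.4 - Ensure auditing is configured for Docker files and directories - /run/containerd (Automated)
[INFO] 4 - Container Images and Build File
[WARN] 4.1 - Ensure that a user for the container has been created (Automated)
[WARN]      * Running as root: hello-world
[NOTE] 4.5 - Ensure Content trust for Docker is Enabled (Automated)
[INFO] Checks: 6
[INFO] Score: -3
EOF
}

sample_run_after() {
    cat <<'EOF'
[INFO] 1 - Host Configuration
[INFO] 1.1 - General Configuration
[WARN] 1.1.1 - Ensure a separate partition for containers has been created (Automated)
[PASS] 1.1.2 - Ensure only trusted users are allowed to control Docker daemon (Automated)
[PASS] 1.1.3 - Ensure auditing is configured for the Docker daemon (Automated)
[PASS] 1.1.4 - Ensure auditing is configured for Docker files and directories - /run/containerd (Automated)
[INFO] 4 - Container Images and Build File
[PASS] 4.1 - Ensure that a user for the container has been created (Automated)
[NOTE] 4.5 - Ensure Content trust for Docker is Enabled (Automated)
[INFO] Checks: 6
[INFO] Score: 3
EOF
}

# Run the summary and comparison over the constructed samples.
demo() {
    before=$(mktemp) && after=$(mktemp)
    sample_run_before > "$before"
    sample_run_after > "$after"
    echo "== before"; summarize_bench "$before"
    echo "== after";  summarize_bench "$after"
    compare_runs "$before" "$after"
    rm -f "$before" "$after"
}

# "sh bench-track.sh --demo" exercises the constructed samples; otherwise
# source the file and call run_bench, summarize_bench and compare_runs.
if [ "${1:-}" = "--demo" ]; then demo; fi
```

A real workflow is `log=$(run_bench -i hello-world)` after each hardening change, then `compare_runs previous.log "$log"`; the "fixed" list should grow and the "new" list should stay empty. Continuation lines are excluded on purpose: a single check such as 4.1 can emit one WARN line per container, and counting those would make the WARN total disagree with the score.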
Docker advises the use of system-level auditing on key Docker directories. Auditing logs any operations that affect monitored files and directories and lets you track potentially destructive changes. Ensure you have Auditd installed.
Edit /etc/audit/audit.rules and add the lines shown in image three in the download for these FAQs to the bottom of the file. On distributions where audit.rules is generated by augenrules, put the lines in a file under /etc/audit/rules.d/ (for example /etc/audit/rules.d/docker.rules) instead, because augenrules rebuilds audit.rules from that directory and will overwrite direct edits.
Each line is a watch rule; the -p wa instruction means that Auditd will log writes and attribute changes (permissions and ownership) that affect the watched files and directories. If your Docker Bench output suggests that you use auditing for additional directories, add them to the list. Docker's directories might change between releases, so re-run the benchmark after upgrades. You'll need to restart Auditd to apply your changes:
sudo systemctl restart auditd
On systems where auditd refuses a manual restart through systemctl, use sudo service auditd restart, or load the rules without a restart: sudo augenrules --load when the rules live in rules.d, or sudo auditctl -R /etc/audit/audit.rules if you edited that file directly. Confirm the watches are active with sudo auditctl -l.
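Because the set of Docker paths varies between distributions and releases, a generated rules file is easier to keep current than a hand-maintained one. The script below is an added example, not from Docker's documentation or the auditd project: it builds the -p wa watch rules for the paths the CIS Docker Benchmark's section 1.1 checks ask about, keeps only the ones that exist on the host, writes them as a rules.d fragment, loads them with augenrules and then reports any path that still has no watch. It assumes auditd is installed and managed through augenrules, that the install step runs as root, and that systemd is available for resolving unit file locations; the DOCKER_AUDIT_PATHS list is my reading of the benchmark and should be adjusted to whatever Docker Bench names on your host.

```shell
#!/bin/sh
# Added example; it is not from Docker's documentation or the auditd project.
# Generates auditd watch rules for the Docker paths the CIS Docker Benchmark
# asks to be audited, installs them as a rules.d fragment and reports paths
# that are still unwatched. Assumptions: auditd is installed and rules are
# managed through augenrules (/etc/audit/rules.d); the install step runs as
# root; the DOCKER_AUDIT_PATHS list follows the benchmark's section 1.1
# checks and should be adjusted if Docker Bench names other paths.

DOCKER_AUDIT_PATHS="/usr/bin/dockerd /usr/bin/containerd /usr/bin/containerd-shim \
/usr/bin/containerd-shim-runc-v1 /usr/bin/containerd-shim-runc-v2 /usr/bin/runc \
/run/containerd /run/containerd/containerd.sock /var/lib/docker /etc/docker \
/etc/docker/daemon.json /etc/containerd/config.toml \
/etc/default/docker /etc/sysconfig/docker"

# Unit file locations differ by distribution (/lib vs /usr/lib), so ask
# systemd where the units really are instead of hard-coding the paths.
unit_paths() {
    for u in docker.service docker.socket containerd.service; do
        systemctl show -p FragmentPath "$u" 2>/dev/null |
            sed -n 's/^FragmentPath=\(..*\)$/\1/p'
    done
    return 0
}

# One watch rule per path: -w watches the path, -p wa records writes and
# attribute (permission/owner) changes, -k tags the events so that
# "ausearch -k docker" finds them.
docker_audit_rules() {
    for p in "$@"; do
        printf '%s %s -p wa -k docker\n' -w "$p"
    done
}

# Keep only the paths that exist on this host. A watch on a path that is
# not there is noise, and it hides the question of where Docker really lives.
existing_paths() {
    for p in "$@"; do
        [ -e "$p" ] && echo "$p"
    done
    return 0
}

# Read "auditctl -l" output on stdin and print every path in the argument
# list that has no watch rule. Useful after a Docker upgrade or when Docker
# Bench asks for an extra directory. The trailing space in the pattern stops
# a watch on /etc/docker from counting as a watch on /etc/docker/daemon.json.
missing_watches() {
    loaded=$(cat)
    for p in "$@"; do
        printf '%s\n' "$loaded" | grep -q -- "-w $p " || echo "$p"
    done
    return 0
}

# Install: write the fragment, merge and load it (augenrules replaces the
# kernel rule set from rules.d without restarting auditd), then list any
# path that is still unwatched. Word splitting on the path lists is intended;
# none of the paths contain spaces.
install_docker_audit_rules() {
    rules=/etc/audit/rules.d/docker.rules
    docker_audit_rules $(existing_paths $DOCKER_AUDIT_PATHS $(unit_paths)) > "$rules"
    augenrules --load
    auditctl -l | missing_watches $(existing_paths $DOCKER_AUDIT_PATHS $(unit_paths))
}

# Usage (as root): source this file and run install_docker_audit_rules; to
# preview the rules first, run: docker_audit_rules $(existing_paths $DOCKER_AUDIT_PATHS)
```

After installing, re-run Docker Bench: the 1.1.x auditing checks should flip from WARN to PASS for every path that exists on the host, and `missing_watches` will name any path the benchmark wants that your rules do not yet cover.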
Remember that Docker Bench isn’t an exhaustive test. There are other aspects to maintaining Docker security that shouldn’t be overlooked.
Madhu Kumar Yeluri