Docker Bench for Security & Clair (CoreOS): test the security of your Docker environment and your containers

bench 14 May 2017

I'm not a Docker pro, being used to VMs/CTs and keeping a stock of them for various purposes. I do however have a CoreOS machine running a few Docker containers, and I test a lot of them at home on my NAS boxes or my Linux desktop.

And I had never asked myself about the security of that environment until a message on the subject on Mondedie.fr. It wasn't about a Docker "flaw" as such, but it made me aware of a few things, since until then I had settled for checking the ports each container opened and changing the user:pwd.

So I dug into the subject a bit and found that there is a tool, from the Docker team, that benchmarks the security of your environment.

Docker Bench for Security is above all a check of best practices, largely common-sense ones: its checks follow the CIS Docker Benchmark (the report header names the edition it is based on).

 

Installing and running it on the machine that runs Docker could not be simpler:

docker run -it --net host --pid host --cap-add audit_control \
    -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
    -v /var/lib:/var/lib \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v /usr/lib/systemd:/usr/lib/systemd \
    -v /etc:/etc --label docker_bench_security \
    docker/docker-bench-security

Just remember to adapt it if you don't have systemd (which is getting rare, or is a deliberate choice for some). Also keep in mind what that command hands over: the host's network and PID namespaces, the Docker socket and the host's /etc, which together amount to root on the host. So run it only with the official image (the digest printed on the first pull can be used to pin it) and remove the container afterwards.

 

Then it's just a matter of reading the results and reacting to, or rethinking, your infrastructure accordingly. Here is an example (the first quarter of the report):

aerya@Aerya:~$ docker run -it --net host --pid host --cap-add audit_control \
>     -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
>     -v /var/lib:/var/lib \
>     -v /var/run/docker.sock:/var/run/docker.sock \
>     -v /usr/lib/systemd:/usr/lib/systemd \
>     -v /etc:/etc --label docker_bench_security \
>     docker/docker-bench-security
Unable to find image 'docker/docker-bench-security:latest' locally
latest: Pulling from docker/docker-bench-security
627beaf3eaaf: Pull complete 
d883ad2cf07c: Pull complete 
a6e7e9a565a6: Pull complete 
70c6f64e45bb: Pull complete 
Digest: sha256:a6e803ba5b7702fb4b25b2fa1e34d38265fc314fcb33a808e4bdce8d9070385a
Status: Downloaded newer image for docker/docker-bench-security:latest
# ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.2
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker 1.13 Benchmark.
# ------------------------------------------------------------------------------

Initializing Sun May 14 09:31:50 CEST 2017


[INFO] 1 - Host Configuration
[WARN] 1.1  - Create a separate partition for containers
[NOTE] 1.2  - Harden the container host
[INFO] 1.3  - Keep Docker up to date
[INFO]      * Using 1.13.1, when 17.05.0 is current as of 2017-05-01
[INFO]      * Your operating system vendor may provide support and security maintenance for Docker
[INFO] 1.4  - Only allow trusted users to control Docker daemon
[WARN] 1.5  - Audit docker daemon - /usr/bin/docker
[INFO] 1.6  - Audit Docker files and directories - /var/lib/docker
[INFO]      * Directory not found
[INFO] 1.7  - Audit Docker files and directories - /etc/docker
[INFO]      * Directory not found
[INFO] 1.8  - Audit Docker files and directories - docker.service
[INFO]      * File not found
[INFO] 1.9  - Audit Docker files and directories - docker.socket
[INFO]      * File not found
[INFO] 1.10 - Audit Docker files and directories - /etc/default/docker
[INFO]      * File not found
[INFO] 1.11 - Audit Docker files and directories - /etc/docker/daemon.json
[INFO]      * File not found
[INFO] 1.12 - Audit Docker files and directories - /usr/bin/docker-containerd
[INFO]      * File not found
[INFO] 1.13 - Audit Docker files and directories - /usr/bin/docker-runc
[INFO]      * File not found


[INFO] 2 - Docker Daemon Configuration
[WARN] 2.1  - Restrict network traffic between containers
[PASS] 2.2  - Set the logging level
[PASS] 2.3  - Allow Docker to make changes to iptables
[PASS] 2.4  - Do not use insecure registries
[WARN] 2.5  - Do not use the aufs storage driver
[INFO] 2.6  - Configure TLS authentication for Docker daemon
[INFO]      * Docker daemon not listening on TCP
[INFO] 2.7  - Set default ulimit as appropriate
[INFO]      * Default ulimit doesn't appear to be set
[WARN] 2.8  - Enable user namespace support
[PASS] 2.9  - Confirm default cgroup usage
[PASS] 2.10 - Do not change base device size until needed
[WARN] 2.11 - Use authorization plugin
flag provided but not defined: --format
See 'docker info --help'.
[PASS] 2.12 - Configure centralized and remote logging
[WARN] 2.13 - Disable operations on legacy registry (v1)
[WARN] 2.14 - Enable live restore
[PASS] 2.15 - Do not enable swarm mode, if not needed
[PASS] 2.16 - Control the number of manager nodes in a swarm (Swarm mode not enabled)
[PASS] 2.17 - Bind swarm services to a specific host interface (Swarm mode not enabled)
[WARN] 2.18 - Disable Userland Proxy
[PASS] 2.19 - Encrypt data exchanged between containers on different nodes on the overlay network
flag provided but not defined: --format
See 'docker info --help'.
[INFO] 2.20 - Apply a daemon-wide custom seccomp profile, if needed
[PASS] 2.21 - Avoid experimental features in production
[PASS] 2.22 - Use Docker's secret management commands for managing secrets in a Swarm cluster (Swarm mode not enabled)
[PASS] 2.23 - Run swarm manager in auto-lock mode (Swarm mode not enabled)
[NOTE] 2.24 - Rotate swarm manager auto-lock key periodically

The point is not to turn every WARN/INFO into a PASS, but simply to be alerted to possible configuration errors, or even possible security "mistakes", intentional or not, in the containers you run. Two checks above (2.11 and 2.19) print "flag provided but not defined: --format": the script calls docker info --format, which the Docker 1.13.1 client on this machine does not support, so their PASS/WARN verdict is not reliable on that version and they are worth re-running on a newer Docker before acting on them. Whatever the case, it's only a Docker container: 3-4 minutes to install/run and 30 seconds to remove.
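As an added example (this is neither part of docker-bench-security nor code from this post), here is a small POSIX shell script that turns a report like the one above into a list of flagged checks and a daemon.json fragment for those checks that are daemon settings. The report excerpt embedded in it is constructed from the lines shown above; the mapping from check IDs to daemon.json keys is my own and covers only the daemon-level WARNs visible in that report (the disable-legacy-registry key existed in the Docker releases of that time and has since been removed).

```shell
#!/bin/sh
# Added example, not part of docker-bench-security: summarise a bench report
# and derive daemon.json settings for the daemon-level checks it flagged.

# Constructed excerpt of the report shown above (same check IDs and wording).
SAMPLE_REPORT='[INFO] 1 - Host Configuration
[WARN] 1.1  - Create a separate partition for containers
[WARN] 1.5  - Audit docker daemon - /usr/bin/docker
[WARN] 2.1  - Restrict network traffic between containers
[PASS] 2.2  - Set the logging level
[WARN] 2.5  - Do not use the aufs storage driver
[WARN] 2.8  - Enable user namespace support
[WARN] 2.11 - Use authorization plugin
flag provided but not defined: --format
[WARN] 2.13 - Disable operations on legacy registry (v1)
[WARN] 2.14 - Enable live restore
[WARN] 2.18 - Disable Userland Proxy
[PASS] 2.21 - Avoid experimental features in production'

# count_status REPORT STATUS -> number of report lines tagged [STATUS]
count_status() {
    printf '%s\n' "$1" | grep -c "^\[$2\]" || true
}

# warn_ids REPORT -> space-separated IDs of the checks tagged [WARN]
warn_ids() {
    printf '%s\n' "$1" \
        | sed -n 's/^\[WARN\] \([0-9]*\.[0-9]*\) .*/\1/p' \
        | tr '\n' ' ' | sed 's/ $//'
}

# daemon_fix ID -> the daemon.json key/value that clears this check, or
# "manual" when the fix is not a daemon.json setting (partition, auditd
# rules, storage driver, authorization plugin). Mapping is my own.
daemon_fix() {
    case "$1" in
        2.1)  echo '"icc": false' ;;
        2.8)  echo '"userns-remap": "default"' ;;
        2.13) echo '"disable-legacy-registry": true' ;;
        2.14) echo '"live-restore": true' ;;
        2.18) echo '"userland-proxy": false' ;;
        *)    echo 'manual' ;;
    esac
}

# daemon_json REPORT -> a daemon.json body holding only the fixes for the
# WARNs present in REPORT; the last entry loses its comma so the JSON is valid
daemon_json() {
    fixes=''
    for id in $(warn_ids "$1"); do
        fix=$(daemon_fix "$id")
        [ "$fix" = manual ] && continue
        fixes="${fixes}  ${fix},
"
    done
    printf '{\n%s\n}\n' "$(printf '%s' "$fixes" | sed '$s/,$//')"
}

# Usage on the constructed report
echo "WARN: $(count_status "$SAMPLE_REPORT" WARN)  PASS: $(count_status "$SAMPLE_REPORT" PASS)"
echo "Flagged checks: $(warn_ids "$SAMPLE_REPORT")"
for id in $(warn_ids "$SAMPLE_REPORT"); do
    printf '%-5s %s\n' "$id" "$(daemon_fix "$id")"
done
daemon_json "$SAMPLE_REPORT"
```

Two of those settings are not free: "icc": false cuts traffic between containers on the default bridge, so containers that talk to each other must share a user-defined network; and enabling userns-remap makes the daemon store images and containers under a new, UID-specific directory in /var/lib/docker, so what is already there stops being visible until it is re-pulled or migrated.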

 

For those who want to go further and inspect their containers in more depth, I recommend Clair from CoreOS.

Clair is an open source project for the static analysis of vulnerabilities in application containers (currently including appc and docker).

  1. In regular intervals, Clair ingests vulnerability metadata from a configured set of sources and stores it in the database.
  2. Clients use the Clair API to index their container images; this parses a list of installed source packages and stores them in the database.
  3. Clients use the Clair API to query the database; correlating data is done in real time, rather than a cached result that needs re-scanning.
  4. When updates to vulnerability metadata occur, a webhook containing the affected images can be configured to page or block deployments.

Our goal is to enable a more transparent view of the security of container-based infrastructure. Thus, the project was named Clair after the French term which translates to clear, bright, transparent.
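Steps 2 and 3 of that list, as an added example that is neither Clair's own code nor from the original post: a POSIX shell helper that posts a layer to Clair's v1 HTTP API, fetches the layer's features with their vulnerabilities, and summarises the answer so a CI job can block on it (the blocking that step 4 refers to). The Clair URL, registry URL, repository name, layer digests and the sample response (package names and the CVE-EXAMPLE-n identifiers) are constructed placeholders; the request and response field names follow Clair's v1 API.

```shell
#!/bin/sh
# Added example, not Clair's own code. Endpoints and digests are assumed
# placeholders; field names follow Clair's v1 API (POST/GET /v1/layers).
CLAIR_URL=${CLAIR_URL:-http://localhost:6060}
REGISTRY_URL=${REGISTRY_URL:-http://localhost:5000}

# layer_request REPO DIGEST PARENT -> JSON body for POST /v1/layers.
# Clair fetches the layer blob itself from Path. ParentName links the layer
# to the one below it, so packages installed in lower layers are inherited;
# pass an empty PARENT for the base layer.
layer_request() {
    printf '{"Layer":{"Name":"%s","Path":"%s/v2/%s/blobs/%s","ParentName":"%s","Format":"Docker"}}\n' \
        "$2" "$REGISTRY_URL" "$1" "$2" "$3"
}

# index_layer REPO DIGEST PARENT -> step 2: have Clair index the layer
index_layer() {
    curl -sS -X POST -H 'Content-Type: application/json' \
        --data "$(layer_request "$1" "$2" "$3")" "$CLAIR_URL/v1/layers"
}

# fetch_layer DIGEST -> step 3: the layer's features and their vulnerabilities
fetch_layer() {
    curl -sS "$CLAIR_URL/v1/layers/$1?features&vulnerabilities"
}

# Constructed GET response (placeholder packages, CVE-EXAMPLE-n identifiers)
SAMPLE_RESPONSE='{"Layer":{"Name":"sha256:aaaa","NamespaceName":"debian:8","Features":[{"Name":"libexample","Version":"1.0-1","Vulnerabilities":[{"Name":"CVE-EXAMPLE-1","Severity":"High","FixedBy":"1.0-2"}]},{"Name":"tool","Version":"2.3-4","Vulnerabilities":[{"Name":"CVE-EXAMPLE-2","Severity":"Low"},{"Name":"CVE-EXAMPLE-3","Severity":"High"}]},{"Name":"clean","Version":"0.1"}]}}'

# severity_counts JSON -> one "Severity count" line per severity seen
severity_counts() {
    printf '%s' "$1" | grep -o '"Severity":"[A-Za-z0-9]*"' | cut -d'"' -f4 \
        | sort | uniq -c | awk '{print $2, $1}'
}

# worst_severity JSON -> the highest Clair severity present, or None
worst_severity() {
    for s in Defcon1 Critical High Medium Low Negligible Unknown; do
        if printf '%s' "$1" | grep -q "\"Severity\":\"$s\""; then
            echo "$s"
            return 0
        fi
    done
    echo None
}

# gate JSON -> succeed only if nothing High or worse was found; a CI job
# can use the exit status to block the deployment
gate() {
    case $(worst_severity "$1") in
        Defcon1|Critical|High) return 1 ;;
        *) return 0 ;;
    esac
}

# Offline demo on the constructed response. Against a running Clair:
#   index_layer myapp sha256:aaaa "" ; index_layer myapp sha256:bbbb sha256:aaaa
#   fetch_layer sha256:bbbb
severity_counts "$SAMPLE_RESPONSE"
echo "worst: $(worst_severity "$SAMPLE_RESPONSE")"
gate "$SAMPLE_RESPONSE" || echo "blocked: High or worse vulnerability present"
```

The summary deliberately grep-parses the response rather than depending on jq, so it runs on a bare CI image; with jq available, the same data is reachable under .Layer.Features[].Vulnerabilities[].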

 

 
