excluding group not working #453

Closed
Constantin07 opened this issue Nov 17, 2020 · 6 comments

Comments

@Constantin07
Contributor

Trying to exclude the docker_swarm_configuration group:

docker run --rm --net host --pid host --userns host --cap-add audit_control \
    -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
    -v /etc:/etc:ro \
    -v /usr/bin/containerd:/usr/bin/containerd:ro \
    -v /usr/bin/runc:/usr/bin/runc:ro \
    -v /usr/lib/systemd:/usr/lib/systemd:ro \
    -v /var/lib:/var/lib:ro \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    --label docker_bench_security \
    docker/docker-bench-security -e docker_swarm_configuration,check_1_1

check_1_1 is excluded from the output, but the group is not:

[INFO] 7 - Docker Swarm Configuration
[PASS] 7.1  - Ensure swarm mode is not Enabled, if not needed
[PASS] 7.2  - Ensure the minimum number of manager nodes have been created in a swarm (Swarm mode not enabled)
[PASS] 7.3  - Ensure swarm services are binded to a specific host interface (Swarm mode not enabled)
[PASS] 7.4  - Ensure data exchanged between containers are encrypted on different nodes on the overlay network
[PASS] 7.5  - Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster (Swarm mode not enabled)
[PASS] 7.6  - Ensure swarm manager is run in auto-lock mode (Swarm mode not enabled)
[PASS] 7.7  - Ensure swarm manager auto-lock key is rotated periodically (Swarm mode not enabled)
[PASS] 7.8  - Ensure node certificates are rotated as appropriate (Swarm mode not enabled)
[PASS] 7.9  - Ensure CA certificates are rotated as appropriate (Swarm mode not enabled)
[PASS] 7.10  - Ensure management plane traffic has been separated from data plane traffic (Swarm mode not enabled)
@konstruktoid
Collaborator

Hi again @Constantin07, are you using an image you built yourself or the official one?

$ sudo bash docker-bench-security.sh -e docker_swarm_configuration,check_6_1,check_5_29
[...]
[PASS] 5.26  - Ensure that container health is checked at runtime (Scored)
[INFO] 5.27  - Ensure that Docker commands always make use of the latest version of their image (Not Scored)
[WARN] 5.28  - Ensure that the PIDs cgroup limit is used (Scored)
[WARN]      * PIDs limit not set: blissful_newton
[WARN]      * PIDs limit not set: eager_lewin
[WARN]      * PIDs limit not set: sharp_wozniak
[PASS] 5.30  - Ensure that the host's user namespaces are not shared (Scored)
[PASS] 5.31  - Ensure that the Docker socket is not mounted inside any containers (Scored)


[INFO] 6 - Docker Security Operations
[INFO] 6.2  - Ensure that container sprawl is avoided (Not Scored)
[INFO]      * There are currently a total of 4 containers, with 3 of them currently running


[INFO] 8 - Docker Enterprise Configuration
[INFO]   * Community Engine license, skipping section 8

[INFO] Checks: 95
[INFO] Score: 12

@konstruktoid
Collaborator

$ docker run --rm --net host --pid host --userns host --cap-add audit_control \
>     -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
>     -v /etc:/etc:ro \
>     -v /lib/systemd/system:/lib/systemd/system:ro \
>     -v /usr/bin/containerd:/usr/bin/containerd:ro \
>     -v /usr/bin/runc:/usr/bin/runc:ro \
>     -v /usr/lib/systemd:/usr/lib/systemd:ro \
>     -v /var/lib:/var/lib:ro \
>     -v /var/run/docker.sock:/var/run/docker.sock:ro \
>     --label docker_bench_security \
>     docker/docker-bench-security -e docker_swarm_configuration,check_6_1,check_5_29
[...]
[PASS] 5.26  - Ensure that container health is checked at runtime (Scored)
[INFO] 5.27  - Ensure that Docker commands always make use of the latest version of their image (Not Scored)
[WARN] 5.28  - Ensure that the PIDs cgroup limit is used (Scored)
[WARN]      * PIDs limit not set: blissful_newton
[WARN]      * PIDs limit not set: eager_lewin
[WARN]      * PIDs limit not set: sharp_wozniak
[PASS] 5.30  - Ensure that the host's user namespaces are not shared (Scored)
[PASS] 5.31  - Ensure that the Docker socket is not mounted inside any containers (Scored)


[INFO] 6 - Docker Security Operations
[INFO] 6.2  - Ensure that container sprawl is avoided (Not Scored)
[INFO]      * There are currently a total of 5 containers, with 4 of them currently running


[INFO] 8 - Docker Enterprise Configuration
[INFO]   * Community Engine license, skipping section 8

[INFO] Checks: 95
[INFO] Score: 10

@Constantin07
Contributor Author

Thanks @konstruktoid for getting back. I was using the official one, docker/docker-bench-security.
I was running it on the latest CentOS Linux in a bash shell. Will test it once again and get back later.

@konstruktoid
Collaborator

konstruktoid commented Nov 18, 2020

The official docker/docker-bench-security image is, sorry to say, very much out-of-date. See #405

@Constantin07
Contributor Author

Thanks @konstruktoid, you are right, the image shows version v1.3.4, which is old. Will build one myself then.

@Constantin07
Contributor Author

I confirm it works fine now. Thanks @konstruktoid
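The thread shows that a stale image can silently ignore a `-e` group exclusion while still honouring individual `check_N_N` entries. The following shell function is an added example, not part of docker-bench-security, that post-checks a run's output against the exclusion list that was passed; it assumes the output format shown above (`[INFO] 7 - Docker Swarm Configuration` section headers and `[PASS] 7.1  - ...` check lines) and uses a constructed sample of that output.

```shell
# Constructed sample output, modelled on the issue: the image ignored the
# docker_swarm_configuration group exclusion but did honour check_1_1.
SAMPLE_OUTPUT='[INFO] 1 - Host Configuration
[PASS] 1.2  - Ensure only trusted users are allowed to control Docker daemon
[INFO] 7 - Docker Swarm Configuration
[PASS] 7.1  - Ensure swarm mode is not Enabled, if not needed
[PASS] 7.10  - Ensure management plane traffic has been separated from data plane traffic
[INFO] 8 - Docker Enterprise Configuration
[INFO] Checks: 95'

# group_title docker_swarm_configuration -> "Docker Swarm Configuration"
# (the exclusion name is the section title, lower-cased with underscores)
group_title() {
  printf '%s\n' "$1" | tr '_' ' ' |
    awk '{ for (i = 1; i <= NF; i++) $i = toupper(substr($i, 1, 1)) substr($i, 2) } 1'
}

# leaked_checks OUTPUT EXCLUDES: print every check line that should have been
# excluded; returns 1 if anything leaked, 0 if the -e list was fully honoured.
leaked_checks() {
  output=$1
  leaked=0
  for item in $(printf '%s\n' "$2" | tr ',' ' '); do
    case $item in
      check_*)
        # check_1_1 -> "1\.1": match exactly that check id (two spaces follow it)
        id=$(printf '%s\n' "$item" | sed 's/^check_//; s/_/\\./')
        pattern="^\[[A-Z]*\] $id  "
        ;;
      *)
        # a group: look up its section number from the header line, then match N.x
        title=$(group_title "$item")
        num=$(printf '%s\n' "$output" | sed -n "s/^\[INFO\] \([0-9]*\) - $title\$/\1/p")
        [ -n "$num" ] || continue   # section header absent: nothing to leak
        pattern="^\[[A-Z]*\] $num\.[0-9]*  "
        ;;
    esac
    hits=$(printf '%s\n' "$output" | grep -E "$pattern") &&
      { printf '%s\n' "$hits"; leaked=1; }
  done
  return $leaked
}
```

Pipe a real run into it, e.g. `leaked_checks "$(sudo bash docker-bench-security.sh -e "$EXCL")" "$EXCL"`, to fail a CI job when the exclusions were not applied.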
