基线检查工具_1分钟docker部署安全扫描工具

  docker官方提供安全扫描工具用于检查有关在生产中部署Docker容器的安全问题。 这种类似于安全扫描类似于安全基线检查，对相应的项进行逐条核查，可以有效地规避一些安全风险。

他的github地址：https://github.com/docker/docker-bench-security

使用方法如下：

docker run --rm --net host --pid host --userns host --cap-add audit_control     -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST     -v /etc:/etc:ro     -v /usr/bin/containerd:/usr/bin/containerd:ro     -v /usr/bin/runc:/usr/bin/runc:ro     -v /usr/lib/systemd:/usr/lib/systemd:ro     -v /var/lib:/var/lib:ro     -v /var/run/docker.sock:/var/run/docker.sock:ro     --label docker_bench_security     docker/docker-bench-security

如图所示：

执行完成之后可以看到下面的结果

[root@kali.org ~]# docker run --rm --net host --pid host --userns host --cap-add audit_control     -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST     -v /etc:/etc:ro     -v /usr/bin/containerd:/usr/bin/containerd:ro     -v /usr/bin/runc:/usr/bin/runc:ro     -v /usr/lib/systemd:/usr/lib/systemd:ro     -v /var/lib:/var/lib:ro     -v /var/run/docker.sock:/var/run/docker.sock:ro     --label docker_bench_security     docker/docker-bench-security# ------------------------------------------------------------------------------# Docker Bench for Security v1.3.4## Docker, Inc. (c) 2015-## Checks for dozens of common best-practices around deploying Docker containers in production.# Inspired by the CIS Docker Community Edition Benchmark v1.1.0.# ------------------------------------------------------------------------------Initializing Sat Nov 21 13:20:07 UTC 2020[INFO] 1 - Host Configuration[WARN] 1.1  - Ensure a separate partition for containers has been created[NOTE] 1.2  - Ensure the container host has been Hardened[INFO] 1.3  - Ensure Docker is up to date[INFO]      * Using 1.13.1, verify is it up to date as deemed necessary[INFO]      * Your operating system vendor may provide support and security maintenance for Docker[INFO] 1.4  - Ensure only trusted users are allowed to control Docker daemon[WARN] 1.5  - Ensure auditing is configured for the Docker daemon[WARN] 1.6  - Ensure auditing is configured for Docker files and directories - /var/lib/docker[WARN] 1.7  - Ensure auditing is configured for Docker files and directories - /etc/docker[WARN] 1.8  - Ensure auditing is configured for Docker files and directories - docker.service[INFO] 1.9  - Ensure auditing is configured for Docker files and directories - docker.socket[INFO]      * File not found[INFO] 1.10  - Ensure auditing is configured for Docker files and directories - /etc/default/docker[INFO]      * File not found[WARN] 1.11  - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json[INFO] 1.12  - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd[INFO]      * File not found[INFO] 1.13  - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc[INFO]      * File not found[INFO] 2 - Docker daemon configuration[WARN] 2.1  - Ensure network traffic is restricted between containers on the default bridge[PASS] 2.2  - Ensure the logging level is set to 'info'[PASS] 2.3  - Ensure Docker is allowed to make changes to iptables[PASS] 2.4  - Ensure insecure registries are not used[PASS] 2.5  - Ensure aufs storage driver is not used[INFO] 2.6  - Ensure TLS authentication for Docker daemon is configured[INFO]      * Docker daemon not listening on TCP[INFO] 2.7  - Ensure the default ulimit is configured appropriately[INFO]      * Default ulimit doesn't appear to be set[WARN] 2.8  - Enable user namespace support[PASS] 2.9  - Ensure the default cgroup usage has been confirmed[PASS] 2.10  - Ensure base device size is not changed until needed[WARN] 2.11  - Ensure that authorization for Docker client commands is enabled[PASS] 2.12  - Ensure centralized and remote logging is configured[WARN] 2.13  - Ensure operations on legacy registry (v1) are Disabled[WARN] 2.14  - Ensure live restore is Enabled[WARN] 2.15  - Ensure Userland Proxy is Disabled[INFO] 2.16  - Ensure daemon-wide custom seccomp profile is applied, if needed[PASS] 2.17  - Ensure experimental features are avoided in production[WARN] 2.18  - Ensure containers are restricted from acquiring new privileges[INFO] 3 - Docker daemon configuration files[PASS] 3.1  - Ensure that docker.service file ownership is set to root:root[PASS] 3.2  - Ensure that docker.service file permissions are set to 644 or more restrictive[INFO] 3.3  - Ensure that docker.socket file ownership is set to root:root[INFO]      * File not found[INFO] 3.4  - Ensure that docker.socket file permissions are set to 644 or more restrictive[INFO]      * File not found[PASS] 3.5  - Ensure that /etc/docker directory ownership is set to root:root[PASS] 3.6  - Ensure that /etc/docker directory permissions are set to 755 or more restrictive[PASS] 3.7  - Ensure that registry certificate file ownership is set to root:root[PASS] 3.8  - Ensure that registry certificate file permissions are set to 444 or more restrictive[INFO] 3.9  - Ensure that TLS CA certificate file ownership is set to root:root[INFO]      * No TLS CA certificate found[INFO] 3.10  - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive[INFO]      * No TLS CA certificate found[INFO] 3.11  - Ensure that Docker server certificate file ownership is set to root:root[INFO]      * No TLS Server certificate found[INFO] 3.12  - Ensure that Docker server certificate file permissions are set to 444 or more restrictive[INFO]      * No TLS Server certificate found[INFO] 3.13  - Ensure that Docker server certificate key file ownership is set to root:root[INFO]      * No TLS Key found[INFO] 3.14  - Ensure that Docker server certificate key file permissions are set to 400[INFO]      * No TLS Key found[WARN] 3.15  - Ensure that Docker socket file ownership is set to root:docker[WARN]      * Wrong ownership for /var/run/docker.sock[PASS] 3.16  - Ensure that Docker socket file permissions are set to 660 or more restrictive[PASS] 3.17  - Ensure that daemon.json file ownership is set to root:root[PASS] 3.18  - Ensure that daemon.json file permissions are set to 644 or more restrictive[INFO] 3.19  - Ensure that /etc/default/docker file ownership is set to root:root[INFO]      * File not found[INFO] 3.20  - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive[INFO]      * File not found[INFO] 4 - Container Images and Build File[INFO] 4.1  - Ensure a user for the container has been created[INFO]      * No containers running[NOTE] 4.2  - Ensure that containers use trusted base images[NOTE] 4.3  - Ensure unnecessary packages are not installed in the container[NOTE] 4.4  - Ensure images are scanned and rebuilt to include security patches[WARN] 4.5  - Ensure Content trust for Docker is Enabled[WARN] 4.6  - Ensure HEALTHCHECK instructions have been added to the container image[WARN]      * No Healthcheck found: [docker.io/elfgzp/gortal:latest][PASS] 4.7  - Ensure update instructions are not use alone in the Dockerfile[NOTE] 4.8  - Ensure setuid and setgid permissions are removed in the images[INFO] 4.9  - Ensure COPY is used instead of ADD in Dockerfile[INFO]      * ADD in image history: [docker.io/elfgzp/gortal:latest][INFO]      * ADD in image history: [docker.io/docker/docker-bench-security:latest][INFO]      * ADD in image history: [registry.cn-hangzhou.aliyuncs.com/arpet/docker-dd-agent:release][NOTE] 4.10  - Ensure secrets are not stored in Dockerfiles[NOTE] 4.11  - Ensure verified packages are only Installed[INFO] 5 - Container Runtime[INFO]      * No containers running, skipping Section 5[INFO] 6 - Docker Security Operations[INFO] 6.1  - Avoid image sprawl[INFO]      * There are currently: 3 images[INFO] 6.2  - Avoid container sprawl[INFO]      * There are currently a total of 1 containers, with 1 of them currently running[INFO] 7 - Docker Swarm Configuration[PASS] 7.1  - Ensure swarm mode is not Enabled, if not needed[PASS] 7.2  - Ensure the minimum number of manager nodes have been created in a swarm (Swarm mode not enabled)[PASS] 7.3  - Ensure swarm services are binded to a specific host interface (Swarm mode not enabled)[PASS] 7.4  - Ensure data exchanged between containers are encrypted on different nodes on the overlay network[PASS] 7.5  - Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster (Swarm mode not enabled)[PASS] 7.6  - Ensure swarm manager is run in auto-lock mode (Swarm mode not enabled)[PASS] 7.7  - Ensure swarm manager auto-lock key is rotated periodically (Swarm mode not enabled)[PASS] 7.8  - Ensure node certificates are rotated as appropriate (Swarm mode not enabled)[PASS] 7.9  - Ensure CA certificates are rotated as appropriate (Swarm mode not enabled)[PASS] 7.10  - Ensure management plane traffic has been separated from data plane traffic (Swarm mode not enabled)

从上图结果可以看到其中标红【WARN】是需要改进的，标绿【PASS】表示通过检测，【INFO】项的话，看需要是否进行调整，如调整完成，可在重新检测规避风险。

关注我让你成为云端最靓的builder