API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Jun 8th, 2022
165
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 17.54 KB | None | 0 0
raw download clone embed print report
  1. root@NUC1:/home/aerya# docker run -it --net host --pid host --cap-add audit_control     -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST     -v /var/lib:/var/lib     -v /var/run/docker.sock:/var/run/docker.sock     -v /usr/lib/systemd:/usr/lib/systemd     -v /etc:/etc --label docker_bench_security     docker/docker-bench-security
  2. Unable to find image 'docker/docker-bench-security:latest' locally
  3. latest: Pulling from docker/docker-bench-security
  4. cd784148e348: Pull complete
  5. 48fe0d48816d: Pull complete
  6. 164e5e0f48c5: Pull complete
  7. 378ed37ea5ff: Pull complete
  8. Digest: sha256:ddbdf4f86af4405da4a8a7b7cc62bb63bfeb75e85bf22d2ece70c204d7cfabb8
  9. Status: Downloaded newer image for docker/docker-bench-security:latest
  10. # ------------------------------------------------------------------------------
  11. # Docker Bench for Security v1.3.4
  12. #
  13. # Docker, Inc. (c) 2015-
  14. #
  15. # Checks for dozens of common best-practices around deploying Docker containers in production.
  16. # Inspired by the CIS Docker Community Edition Benchmark v1.1.0.
  17. # ------------------------------------------------------------------------------
  18.  
  19. Initializing Wed Jun  8 14:18:58 UTC 2022
  20.  
  21.  
  22. [INFO] 1 - Host Configuration
  23. [WARN] 1.1  - Ensure a separate partition for containers has been created
  24. [NOTE] 1.2  - Ensure the container host has been Hardened
  25. [INFO] 1.3  - Ensure Docker is up to date
  26. [INFO]      * Using 20.10.14, verify is it up to date as deemed necessary
  27. [INFO]      * Your operating system vendor may provide support and security maintenance for Docker
  28. [INFO] 1.4  - Ensure only trusted users are allowed to control Docker daemon
  29. [INFO]      * docker:x:997
  30. [WARN] 1.5  - Ensure auditing is configured for the Docker daemon
  31. [WARN] 1.6  - Ensure auditing is configured for Docker files and directories - /var/lib/docker
  32. [WARN] 1.7  - Ensure auditing is configured for Docker files and directories - /etc/docker
  33. [WARN] 1.8  - Ensure auditing is configured for Docker files and directories - docker.service
  34. [WARN] 1.9  - Ensure auditing is configured for Docker files and directories - docker.socket
  35. [WARN] 1.10  - Ensure auditing is configured for Docker files and directories - /etc/default/docker
  36. [INFO] 1.11  - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
  37. [INFO]      * File not found
  38. [INFO] 1.12  - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd
  39. [INFO]      * File not found
  40. [INFO] 1.13  - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc
  41. [INFO]      * File not found
  42.  
  43.  
  44. [INFO] 2 - Docker daemon configuration
  45. [WARN] 2.1  - Ensure network traffic is restricted between containers on the default bridge
  46. [PASS] 2.2  - Ensure the logging level is set to 'info'
  47. [PASS] 2.3  - Ensure Docker is allowed to make changes to iptables
  48. [PASS] 2.4  - Ensure insecure registries are not used
  49. [PASS] 2.5  - Ensure aufs storage driver is not used
  50. [INFO] 2.6  - Ensure TLS authentication for Docker daemon is configured
  51. [INFO]      * Docker daemon not listening on TCP
  52. [INFO] 2.7  - Ensure the default ulimit is configured appropriately
  53. [INFO]      * Default ulimit doesn't appear to be set
  54. [WARN] 2.8  - Enable user namespace support
  55. [PASS] 2.9  - Ensure the default cgroup usage has been confirmed
  56. [PASS] 2.10  - Ensure base device size is not changed until needed
  57. [WARN] 2.11  - Ensure that authorization for Docker client commands is enabled
  58. [WARN] 2.12  - Ensure centralized and remote logging is configured
  59. [INFO] 2.13  - Ensure operations on legacy registry (v1) are Disabled (Deprecated)
  60. [WARN] 2.14  - Ensure live restore is Enabled
  61. [WARN] 2.15  - Ensure Userland Proxy is Disabled
  62. [PASS] 2.16  - Ensure daemon-wide custom seccomp profile is applied, if needed
  63. [PASS] 2.17  - Ensure experimental features are avoided in production
  64. [WARN] 2.18  - Ensure containers are restricted from acquiring new privileges
  65.  
  66.  
  67. [INFO] 3 - Docker daemon configuration files
  68. [PASS] 3.1  - Ensure that docker.service file ownership is set to root:root
  69. [PASS] 3.2  - Ensure that docker.service file permissions are set to 644 or more restrictive
  70. [PASS] 3.3  - Ensure that docker.socket file ownership is set to root:root
  71. [PASS] 3.4  - Ensure that docker.socket file permissions are set to 644 or more restrictive
  72. [PASS] 3.5  - Ensure that /etc/docker directory ownership is set to root:root
  73. [PASS] 3.6  - Ensure that /etc/docker directory permissions are set to 755 or more restrictive
  74. [INFO] 3.7  - Ensure that registry certificate file ownership is set to root:root
  75. [INFO]      * Directory not found
  76. [INFO] 3.8  - Ensure that registry certificate file permissions are set to 444 or more restrictive
  77. [INFO]      * Directory not found
  78. [INFO] 3.9  - Ensure that TLS CA certificate file ownership is set to root:root
  79. [INFO]      * No TLS CA certificate found
  80. [INFO] 3.10  - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive
  81. [INFO]      * No TLS CA certificate found
  82. [INFO] 3.11  - Ensure that Docker server certificate file ownership is set to root:root
  83. [INFO]      * No TLS Server certificate found
  84. [INFO] 3.12  - Ensure that Docker server certificate file permissions are set to 444 or more restrictive
  85. [INFO]      * No TLS Server certificate found
  86. [INFO] 3.13  - Ensure that Docker server certificate key file ownership is set to root:root
  87. [INFO]      * No TLS Key found
  88. [INFO] 3.14  - Ensure that Docker server certificate key file permissions are set to 400
  89. [INFO]      * No TLS Key found
  90. [PASS] 3.15  - Ensure that Docker socket file ownership is set to root:docker
  91. [PASS] 3.16  - Ensure that Docker socket file permissions are set to 660 or more restrictive
  92. [INFO] 3.17  - Ensure that daemon.json file ownership is set to root:root
  93. [INFO]      * File not found
  94. [INFO] 3.18  - Ensure that daemon.json file permissions are set to 644 or more restrictive
  95. [INFO]      * File not found
  96. [PASS] 3.19  - Ensure that /etc/default/docker file ownership is set to root:root
  97. [PASS] 3.20  - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive
  98.  
  99.  
  100. [INFO] 4 - Container Images and Build File
  101. [WARN] 4.1  - Ensure a user for the container has been created
  102. [WARN]      * Running as root: syncthing
  103. [WARN]      * Running as root: sabnzbd
  104. [WARN]      * Running as root: radarr
  105. [WARN]      * Running as root: airvpn
  106. [WARN]      * Running as root: duplicati
  107. [WARN]      * Running as root: sonarr
  108. [WARN]      * Running as root: watchtower
  109. [WARN]      * Running as root: vnstat
  110. [NOTE] 4.2  - Ensure that containers use trusted base images
  111. [NOTE] 4.3  - Ensure unnecessary packages are not installed in the container
  112. [NOTE] 4.4  - Ensure images are scanned and rebuilt to include security patches
  113. [WARN] 4.5  - Ensure Content trust for Docker is Enabled
  114. [WARN] 4.6  - Ensure HEALTHCHECK instructions have been added to the container image
  115. [WARN]      * No Healthcheck found: [linuxserver/sabnzbd:latest]
  116. [WARN]      * No Healthcheck found: [lscr.io/linuxserver/syncthing:latest]
  117. [WARN]      * No Healthcheck found: [linuxserver/radarr:nightly]
  118. [WARN]      * No Healthcheck found: [ghcr.io/linuxserver/duplicati:latest]
  119. [WARN]      * No Healthcheck found: [aquasec/trivy:latest]
  120. [WARN]      * No Healthcheck found: [linuxserver/sonarr:latest]
  121. [WARN]      * No Healthcheck found: [kodcloud/kodbox:latest]
  122. [WARN]      * No Healthcheck found: [node:latest]
  123. [WARN]      * No Healthcheck found: [vergoh/vnstat:latest]
  124. [WARN]      * No Healthcheck found: [containrrr/watchtower:latest]
  125. [WARN]      * No Healthcheck found: [hubblo/scaphandre:latest]
  126. [WARN]      * No Healthcheck found: [radpenguin/megacmd-get:latest]
  127. [INFO] 4.7  - Ensure update instructions are not use alone in the Dockerfile
  128. [INFO]      * Update instruction found: [kodcloud/kodbox:latest]
  129. [INFO]      * Update instruction found: [node:latest]
  130. [INFO]      * Update instruction found: [hubblo/scaphandre:latest]
  131. [INFO]      * Update instruction found: [radpenguin/megacmd-get:latest]
  132. [NOTE] 4.8  - Ensure setuid and setgid permissions are removed in the images
  133. [INFO] 4.9  - Ensure COPY is used instead of ADD in Dockerfile
  134. [INFO]      * ADD in image history: [linuxserver/sabnzbd:latest]
  135. [INFO]      * ADD in image history: [lscr.io/linuxserver/syncthing:latest]
  136. [INFO]      * ADD in image history: [qmcgaw/gluetun:latest]
  137. [INFO]      * ADD in image history: [linuxserver/radarr:nightly]
  138. [INFO]      * ADD in image history: [ghcr.io/linuxserver/duplicati:latest]
  139. [INFO]      * ADD in image history: [aquasec/trivy:latest]
  140. [INFO]      * ADD in image history: [linuxserver/sonarr:latest]
  141. [INFO]      * ADD in image history: [kodcloud/kodbox:latest]
  142. [INFO]      * ADD in image history: [node:latest]
  143. [INFO]      * ADD in image history: [ghcr.io/wfg/openvpn-client:latest]
  144. [INFO]      * ADD in image history: [vergoh/vnstat:latest]
  145. [INFO]      * ADD in image history: [hubblo/scaphandre:latest]
  146. [INFO]      * ADD in image history: [radpenguin/megacmd-get:latest]
  147. [INFO]      * ADD in image history: [docker/docker-bench-security:latest]
  148. [NOTE] 4.10  - Ensure secrets are not stored in Dockerfiles
  149. [NOTE] 4.11  - Ensure verified packages are only Installed
  150.  
  151.  
  152. [INFO] 5 - Container Runtime
  153. [PASS] 5.1  - Ensure AppArmor Profile is Enabled
  154. [WARN] 5.2  - Ensure SELinux security options are set, if applicable
  155. [WARN]      * No SecurityOptions Found: syncthing
  156. [WARN]      * No SecurityOptions Found: sabnzbd
  157. [WARN]      * No SecurityOptions Found: radarr
  158. [WARN]      * No SecurityOptions Found: airvpn
  159. [WARN]      * No SecurityOptions Found: duplicati
  160. [WARN]      * No SecurityOptions Found: sonarr
  161. [WARN]      * No SecurityOptions Found: watchtower
  162. [WARN]      * No SecurityOptions Found: vnstat
  163. [WARN] 5.3  - Ensure Linux Kernel Capabilities are restricted within containers
  164. [WARN]      * Capabilities added: CapAdd=[NET_ADMIN] to airvpn
  165. [PASS] 5.4  - Ensure privileged containers are not used
  166. [PASS] 5.5  - Ensure sensitive host system directories are not mounted on containers
  167. [PASS] 5.6  - Ensure ssh is not run within containers
  168. [WARN] 5.7  - Ensure privileged ports are not mapped within containers
  169. [WARN]      * Privileged Port in use: 2 in duplicati
  170. [NOTE] 5.8  - Ensure only needed ports are open on the container
  171. [WARN] 5.9  - Ensure the host's network namespace is not shared
  172. [WARN]      * Container running with networking mode 'host': vnstat
  173. [WARN] 5.10  - Ensure memory usage for container is limited
  174. [WARN]      * Container running without memory restrictions: syncthing
  175. [WARN]      * Container running without memory restrictions: sabnzbd
  176. [WARN]      * Container running without memory restrictions: radarr
  177. [WARN]      * Container running without memory restrictions: airvpn
  178. [WARN]      * Container running without memory restrictions: duplicati
  179. [WARN]      * Container running without memory restrictions: sonarr
  180. [WARN]      * Container running without memory restrictions: watchtower
  181. [WARN]      * Container running without memory restrictions: vnstat
  182. [WARN] 5.11  - Ensure CPU priority is set appropriately on the container
  183. [WARN]      * Container running without CPU restrictions: syncthing
  184. [WARN]      * Container running without CPU restrictions: sabnzbd
  185. [WARN]      * Container running without CPU restrictions: radarr
  186. [WARN]      * Container running without CPU restrictions: airvpn
  187. [WARN]      * Container running without CPU restrictions: duplicati
  188. [WARN]      * Container running without CPU restrictions: sonarr
  189. [WARN]      * Container running without CPU restrictions: watchtower
  190. [WARN]      * Container running without CPU restrictions: vnstat
  191. [WARN] 5.12  - Ensure the container's root filesystem is mounted as read only
  192. [WARN]      * Container running with root FS mounted R/W: syncthing
  193. [WARN]      * Container running with root FS mounted R/W: sabnzbd
  194. [WARN]      * Container running with root FS mounted R/W: radarr
  195. [WARN]      * Container running with root FS mounted R/W: airvpn
  196. [WARN]      * Container running with root FS mounted R/W: duplicati
  197. [WARN]      * Container running with root FS mounted R/W: sonarr
  198. [WARN]      * Container running with root FS mounted R/W: watchtower
  199. [WARN]      * Container running with root FS mounted R/W: vnstat
  200. [WARN] 5.13  - Ensure incoming container traffic is binded to a specific host interface
  201. [WARN]      * Port being bound to wildcard IP: 0.0.0.0 in syncthing
  202. [WARN]      * Port being bound to wildcard IP: 0.0.0.0 in syncthing
  203. [WARN]      * Port being bound to wildcard IP: 0.0.0.0 in syncthing
  204. [WARN]      * Port being bound to wildcard IP: 0.0.0.0 in syncthing
  205. [WARN]      * Port being bound to wildcard IP: 0.0.0.0 in sabnzbd
  206. [WARN]      * Port being bound to wildcard IP: 0.0.0.0 in airvpn
  207. [WARN]      * Port being bound to wildcard IP: 0.0.0.0 in duplicati
  208. [WARN]      * Port being bound to wildcard IP: 0.0.0.0 in sonarr
  209. [WARN] 5.14  - Ensure 'on-failure' container restart policy is set to '5'
  210. [WARN]      * MaximumRetryCount is not set to 5: syncthing
  211. [WARN]      * MaximumRetryCount is not set to 5: sabnzbd
  212. [WARN]      * MaximumRetryCount is not set to 5: radarr
  213. [WARN]      * MaximumRetryCount is not set to 5: airvpn
  214. [WARN]      * MaximumRetryCount is not set to 5: duplicati
  215. [WARN]      * MaximumRetryCount is not set to 5: sonarr
  216. [WARN]      * MaximumRetryCount is not set to 5: watchtower
  217. [WARN]      * MaximumRetryCount is not set to 5: vnstat
  218. [PASS] 5.15  - Ensure the host's process namespace is not shared
  219. [PASS] 5.16  - Ensure the host's IPC namespace is not shared
  220. [PASS] 5.17  - Ensure host devices are not directly exposed to containers
  221. [INFO] 5.18  - Ensure the default ulimit is overwritten at runtime, only if needed
  222. [INFO]      * Container no default ulimit override: syncthing
  223. [INFO]      * Container no default ulimit override: sabnzbd
  224. [INFO]      * Container no default ulimit override: radarr
  225. [INFO]      * Container no default ulimit override: airvpn
  226. [INFO]      * Container no default ulimit override: duplicati
  227. [INFO]      * Container no default ulimit override: sonarr
  228. [INFO]      * Container no default ulimit override: watchtower
  229. [INFO]      * Container no default ulimit override: vnstat
  230. [PASS] 5.19  - Ensure mount propagation mode is not set to shared
  231. [PASS] 5.20  - Ensure the host's UTS namespace is not shared
  232. [PASS] 5.21  - Ensure the default seccomp profile is not Disabled
  233. [NOTE] 5.22  - Ensure docker exec commands are not used with privileged option
  234. [NOTE] 5.23  - Ensure docker exec commands are not used with user option
  235. [PASS] 5.24  - Ensure cgroup usage is confirmed
  236. [WARN] 5.25  - Ensure the container is restricted from acquiring additional privileges
  237. [WARN]      * Privileges not restricted: syncthing
  238. [WARN]      * Privileges not restricted: sabnzbd
  239. [WARN]      * Privileges not restricted: radarr
  240. [WARN]      * Privileges not restricted: airvpn
  241. [WARN]      * Privileges not restricted: duplicati
  242. [WARN]      * Privileges not restricted: sonarr
  243. [WARN]      * Privileges not restricted: watchtower
  244. [WARN]      * Privileges not restricted: vnstat
  245. [WARN] 5.26  - Ensure container health is checked at runtime
  246. [WARN]      * Health check not set: syncthing
  247. [WARN]      * Health check not set: sabnzbd
  248. [WARN]      * Health check not set: radarr
  249. [WARN]      * Health check not set: duplicati
  250. [WARN]      * Health check not set: sonarr
  251. [WARN]      * Health check not set: watchtower
  252. [WARN]      * Health check not set: vnstat
  253. [INFO] 5.27  - Ensure docker commands always get the latest version of the image
  254. [WARN] 5.28  - Ensure PIDs cgroup limit is used
  255. [WARN]      * PIDs limit not set: syncthing
  256. [WARN]      * PIDs limit not set: sabnzbd
  257. [WARN]      * PIDs limit not set: radarr
  258. [WARN]      * PIDs limit not set: airvpn
  259. [WARN]      * PIDs limit not set: duplicati
  260. [WARN]      * PIDs limit not set: sonarr
  261. [WARN]      * PIDs limit not set: watchtower
  262. [WARN]      * PIDs limit not set: vnstat
  263. [INFO] 5.29  - Ensure Docker's default bridge docker0 is not used
  264. [INFO]      * Container in docker0 network: syncthing
  265. [INFO]      * Container in docker0 network: watchtower
  266. [INFO]      * Container in docker0 network: sonarr
  267. [INFO]      * Container in docker0 network: sabnzbd
  268. [INFO]      * Container in docker0 network: airvpn
  269. [INFO]      * Container in docker0 network: duplicati
  270. [PASS] 5.30  - Ensure the host's user namespaces is not shared
  271. [WARN] 5.31  - Ensure the Docker socket is not mounted inside any containers
  272. [WARN]      * Docker socket shared: watchtower
  273.  
  274.  
  275. [INFO] 6 - Docker Security Operations
  276. [INFO] 6.1  - Avoid image sprawl
  277. [INFO]      * There are currently: 15 images
  278. [INFO] 6.2  - Avoid container sprawl
  279. [INFO]      * There are currently a total of 22 containers, with 9 of them currently running
  280.  
  281.  
  282. [INFO] 7 - Docker Swarm Configuration
  283. [PASS] 7.1  - Ensure swarm mode is not Enabled, if not needed
  284. [PASS] 7.2  - Ensure the minimum number of manager nodes have been created in a swarm (Swarm mode not enabled)
  285. [PASS] 7.3  - Ensure swarm services are binded to a specific host interface (Swarm mode not enabled)
  286. [PASS] 7.4  - Ensure data exchanged between containers are encrypted on different nodes on the overlay network
  287. [PASS] 7.5  - Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster (Swarm mode not enabled)
  288. [PASS] 7.6  - Ensure swarm manager is run in auto-lock mode (Swarm mode not enabled)
  289. [PASS] 7.7  - Ensure swarm manager auto-lock key is rotated periodically (Swarm mode not enabled)
  290. [PASS] 7.8  - Ensure node certificates are rotated as appropriate (Swarm mode not enabled)
  291. [PASS] 7.9  - Ensure CA certificates are rotated as appropriate (Swarm mode not enabled)
  292. [PASS] 7.10  - Ensure management plane traffic has been separated from data plane traffic (Swarm mode not enabled)
  293.  
  294. [INFO] Checks: 105
  295. [INFO] Score: 10
  296.  
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!