root@NUC1:/home/aerya# docker run -it --net host --pid host --cap-add audit_control -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST -v /var/lib:/var/lib -v /var/run/docker.sock:/var/run/docker.sock -v /usr/lib/systemd:/usr/lib/systemd -v /etc:/etc --label docker_bench_security docker/docker-bench-security
Unable to find image 'docker/docker-bench-security:latest' locally
latest: Pulling from docker/docker-bench-security
cd784148e348: Pull complete
48fe0d48816d: Pull complete
164e5e0f48c5: Pull complete
378ed37ea5ff: Pull complete
Digest: sha256:ddbdf4f86af4405da4a8a7b7cc62bb63bfeb75e85bf22d2ece70c204d7cfabb8
Status: Downloaded newer image for docker/docker-bench-security:latest
# ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.4
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Community Edition Benchmark v1.1.0.
# ------------------------------------------------------------------------------
Initializing Wed Jun 8 14:18:58 UTC 2022
[INFO] 1 - Host Configuration
[WARN] 1.1 - Ensure a separate partition for containers has been created
[NOTE] 1.2 - Ensure the container host has been Hardened
[INFO] 1.3 - Ensure Docker is up to date
[INFO] * Using 20.10.14, verify is it up to date as deemed necessary
[INFO] * Your operating system vendor may provide support and security maintenance for Docker
[INFO] 1.4 - Ensure only trusted users are allowed to control Docker daemon
[INFO] * docker:x:997
[WARN] 1.5 - Ensure auditing is configured for the Docker daemon
[WARN] 1.6 - Ensure auditing is configured for Docker files and directories - /var/lib/docker
[WARN] 1.7 - Ensure auditing is configured for Docker files and directories - /etc/docker
[WARN] 1.8 - Ensure auditing is configured for Docker files and directories - docker.service
[WARN] 1.9 - Ensure auditing is configured for Docker files and directories - docker.socket
[WARN] 1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker
[INFO] 1.11 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
[INFO] * File not found
[INFO] 1.12 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd
[INFO] * File not found
[INFO] 1.13 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc
[INFO] * File not found
[INFO] 2 - Docker daemon configuration
[WARN] 2.1 - Ensure network traffic is restricted between containers on the default bridge
[PASS] 2.2 - Ensure the logging level is set to 'info'
[PASS] 2.3 - Ensure Docker is allowed to make changes to iptables
[PASS] 2.4 - Ensure insecure registries are not used
[PASS] 2.5 - Ensure aufs storage driver is not used
[INFO] 2.6 - Ensure TLS authentication for Docker daemon is configured
[INFO] * Docker daemon not listening on TCP
[INFO] 2.7 - Ensure the default ulimit is configured appropriately
[INFO] * Default ulimit doesn't appear to be set
[WARN] 2.8 - Enable user namespace support
[PASS] 2.9 - Ensure the default cgroup usage has been confirmed
[PASS] 2.10 - Ensure base device size is not changed until needed
[WARN] 2.11 - Ensure that authorization for Docker client commands is enabled
[WARN] 2.12 - Ensure centralized and remote logging is configured
[INFO] 2.13 - Ensure operations on legacy registry (v1) are Disabled (Deprecated)
[WARN] 2.14 - Ensure live restore is Enabled
[WARN] 2.15 - Ensure Userland Proxy is Disabled
[PASS] 2.16 - Ensure daemon-wide custom seccomp profile is applied, if needed
[PASS] 2.17 - Ensure experimental features are avoided in production
[WARN] 2.18 - Ensure containers are restricted from acquiring new privileges
[INFO] 3 - Docker daemon configuration files
[PASS] 3.1 - Ensure that docker.service file ownership is set to root:root
[PASS] 3.2 - Ensure that docker.service file permissions are set to 644 or more restrictive
[PASS] 3.3 - Ensure that docker.socket file ownership is set to root:root
[PASS] 3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive
[PASS] 3.5 - Ensure that /etc/docker directory ownership is set to root:root
[PASS] 3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictive
[INFO] 3.7 - Ensure that registry certificate file ownership is set to root:root
[INFO] * Directory not found
[INFO] 3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictive
[INFO] * Directory not found
[INFO] 3.9 - Ensure that TLS CA certificate file ownership is set to root:root
[INFO] * No TLS CA certificate found
[INFO] 3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive
[INFO] * No TLS CA certificate found
[INFO] 3.11 - Ensure that Docker server certificate file ownership is set to root:root
[INFO] * No TLS Server certificate found
[INFO] 3.12 - Ensure that Docker server certificate file permissions are set to 444 or more restrictive
[INFO] * No TLS Server certificate found
[INFO] 3.13 - Ensure that Docker server certificate key file ownership is set to root:root
[INFO] * No TLS Key found
[INFO] 3.14 - Ensure that Docker server certificate key file permissions are set to 400
[INFO] * No TLS Key found
[PASS] 3.15 - Ensure that Docker socket file ownership is set to root:docker
[PASS] 3.16 - Ensure that Docker socket file permissions are set to 660 or more restrictive
[INFO] 3.17 - Ensure that daemon.json file ownership is set to root:root
[INFO] * File not found
[INFO] 3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive
[INFO] * File not found
[PASS] 3.19 - Ensure that /etc/default/docker file ownership is set to root:root
[PASS] 3.20 - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive
[INFO] 4 - Container Images and Build File
[WARN] 4.1 - Ensure a user for the container has been created
[WARN] * Running as root: syncthing
[WARN] * Running as root: sabnzbd
[WARN] * Running as root: radarr
[WARN] * Running as root: airvpn
[WARN] * Running as root: duplicati
[WARN] * Running as root: sonarr
[WARN] * Running as root: watchtower
[WARN] * Running as root: vnstat
[NOTE] 4.2 - Ensure that containers use trusted base images
[NOTE] 4.3 - Ensure unnecessary packages are not installed in the container
[NOTE] 4.4 - Ensure images are scanned and rebuilt to include security patches
[WARN] 4.5 - Ensure Content trust for Docker is Enabled
[WARN] 4.6 - Ensure HEALTHCHECK instructions have been added to the container image
[WARN] * No Healthcheck found: [linuxserver/sabnzbd:latest]
[WARN] * No Healthcheck found: [lscr.io/linuxserver/syncthing:latest]
[WARN] * No Healthcheck found: [linuxserver/radarr:nightly]
[WARN] * No Healthcheck found: [ghcr.io/linuxserver/duplicati:latest]
[WARN] * No Healthcheck found: [aquasec/trivy:latest]
[WARN] * No Healthcheck found: [linuxserver/sonarr:latest]
[WARN] * No Healthcheck found: [kodcloud/kodbox:latest]
[WARN] * No Healthcheck found: [node:latest]
[WARN] * No Healthcheck found: [vergoh/vnstat:latest]
[WARN] * No Healthcheck found: [containrrr/watchtower:latest]
[WARN] * No Healthcheck found: [hubblo/scaphandre:latest]
[WARN] * No Healthcheck found: [radpenguin/megacmd-get:latest]
[INFO] 4.7 - Ensure update instructions are not use alone in the Dockerfile
[INFO] * Update instruction found: [kodcloud/kodbox:latest]
[INFO] * Update instruction found: [node:latest]
[INFO] * Update instruction found: [hubblo/scaphandre:latest]
[INFO] * Update instruction found: [radpenguin/megacmd-get:latest]
[NOTE] 4.8 - Ensure setuid and setgid permissions are removed in the images
[INFO] 4.9 - Ensure COPY is used instead of ADD in Dockerfile
[INFO] * ADD in image history: [linuxserver/sabnzbd:latest]
[INFO] * ADD in image history: [lscr.io/linuxserver/syncthing:latest]
[INFO] * ADD in image history: [qmcgaw/gluetun:latest]
[INFO] * ADD in image history: [linuxserver/radarr:nightly]
[INFO] * ADD in image history: [ghcr.io/linuxserver/duplicati:latest]
[INFO] * ADD in image history: [aquasec/trivy:latest]
[INFO] * ADD in image history: [linuxserver/sonarr:latest]
[INFO] * ADD in image history: [kodcloud/kodbox:latest]
[INFO] * ADD in image history: [node:latest]
[INFO] * ADD in image history: [ghcr.io/wfg/openvpn-client:latest]
[INFO] * ADD in image history: [vergoh/vnstat:latest]
[INFO] * ADD in image history: [hubblo/scaphandre:latest]
[INFO] * ADD in image history: [radpenguin/megacmd-get:latest]
[INFO] * ADD in image history: [docker/docker-bench-security:latest]
[NOTE] 4.10 - Ensure secrets are not stored in Dockerfiles
[NOTE] 4.11 - Ensure verified packages are only Installed
[INFO] 5 - Container Runtime
[PASS] 5.1 - Ensure AppArmor Profile is Enabled
[WARN] 5.2 - Ensure SELinux security options are set, if applicable
[WARN] * No SecurityOptions Found: syncthing
[WARN] * No SecurityOptions Found: sabnzbd
[WARN] * No SecurityOptions Found: radarr
[WARN] * No SecurityOptions Found: airvpn
[WARN] * No SecurityOptions Found: duplicati
[WARN] * No SecurityOptions Found: sonarr
[WARN] * No SecurityOptions Found: watchtower
[WARN] * No SecurityOptions Found: vnstat
[WARN] 5.3 - Ensure Linux Kernel Capabilities are restricted within containers
[WARN] * Capabilities added: CapAdd=[NET_ADMIN] to airvpn
[PASS] 5.4 - Ensure privileged containers are not used
[PASS] 5.5 - Ensure sensitive host system directories are not mounted on containers
[PASS] 5.6 - Ensure ssh is not run within containers
[WARN] 5.7 - Ensure privileged ports are not mapped within containers
[WARN] * Privileged Port in use: 2 in duplicati
[NOTE] 5.8 - Ensure only needed ports are open on the container
[WARN] 5.9 - Ensure the host's network namespace is not shared
[WARN] * Container running with networking mode 'host': vnstat
[WARN] 5.10 - Ensure memory usage for container is limited
[WARN] * Container running without memory restrictions: syncthing
[WARN] * Container running without memory restrictions: sabnzbd
[WARN] * Container running without memory restrictions: radarr
[WARN] * Container running without memory restrictions: airvpn
[WARN] * Container running without memory restrictions: duplicati
[WARN] * Container running without memory restrictions: sonarr
[WARN] * Container running without memory restrictions: watchtower
[WARN] * Container running without memory restrictions: vnstat
[WARN] 5.11 - Ensure CPU priority is set appropriately on the container
[WARN] * Container running without CPU restrictions: syncthing
[WARN] * Container running without CPU restrictions: sabnzbd
[WARN] * Container running without CPU restrictions: radarr
[WARN] * Container running without CPU restrictions: airvpn
[WARN] * Container running without CPU restrictions: duplicati
[WARN] * Container running without CPU restrictions: sonarr
[WARN] * Container running without CPU restrictions: watchtower
[WARN] * Container running without CPU restrictions: vnstat
[WARN] 5.12 - Ensure the container's root filesystem is mounted as read only
[WARN] * Container running with root FS mounted R/W: syncthing
[WARN] * Container running with root FS mounted R/W: sabnzbd
[WARN] * Container running with root FS mounted R/W: radarr
[WARN] * Container running with root FS mounted R/W: airvpn
[WARN] * Container running with root FS mounted R/W: duplicati
[WARN] * Container running with root FS mounted R/W: sonarr
[WARN] * Container running with root FS mounted R/W: watchtower
[WARN] * Container running with root FS mounted R/W: vnstat
[WARN] 5.13 - Ensure incoming container traffic is binded to a specific host interface
[WARN] * Port being bound to wildcard IP: 0.0.0.0 in syncthing
[WARN] * Port being bound to wildcard IP: 0.0.0.0 in syncthing
[WARN] * Port being bound to wildcard IP: 0.0.0.0 in syncthing
[WARN] * Port being bound to wildcard IP: 0.0.0.0 in syncthing
[WARN] * Port being bound to wildcard IP: 0.0.0.0 in sabnzbd
[WARN] * Port being bound to wildcard IP: 0.0.0.0 in airvpn
[WARN] * Port being bound to wildcard IP: 0.0.0.0 in duplicati
[WARN] * Port being bound to wildcard IP: 0.0.0.0 in sonarr
[WARN] 5.14 - Ensure 'on-failure' container restart policy is set to '5'
[WARN] * MaximumRetryCount is not set to 5: syncthing
[WARN] * MaximumRetryCount is not set to 5: sabnzbd
[WARN] * MaximumRetryCount is not set to 5: radarr
[WARN] * MaximumRetryCount is not set to 5: airvpn
[WARN] * MaximumRetryCount is not set to 5: duplicati
[WARN] * MaximumRetryCount is not set to 5: sonarr
[WARN] * MaximumRetryCount is not set to 5: watchtower
[WARN] * MaximumRetryCount is not set to 5: vnstat
[PASS] 5.15 - Ensure the host's process namespace is not shared
[PASS] 5.16 - Ensure the host's IPC namespace is not shared
[PASS] 5.17 - Ensure host devices are not directly exposed to containers
[INFO] 5.18 - Ensure the default ulimit is overwritten at runtime, only if needed
[INFO] * Container no default ulimit override: syncthing
[INFO] * Container no default ulimit override: sabnzbd
[INFO] * Container no default ulimit override: radarr
[INFO] * Container no default ulimit override: airvpn
[INFO] * Container no default ulimit override: duplicati
[INFO] * Container no default ulimit override: sonarr
[INFO] * Container no default ulimit override: watchtower
[INFO] * Container no default ulimit override: vnstat
[PASS] 5.19 - Ensure mount propagation mode is not set to shared
[PASS] 5.20 - Ensure the host's UTS namespace is not shared
[PASS] 5.21 - Ensure the default seccomp profile is not Disabled
[NOTE] 5.22 - Ensure docker exec commands are not used with privileged option
[NOTE] 5.23 - Ensure docker exec commands are not used with user option
[PASS] 5.24 - Ensure cgroup usage is confirmed
[WARN] 5.25 - Ensure the container is restricted from acquiring additional privileges
[WARN] * Privileges not restricted: syncthing
[WARN] * Privileges not restricted: sabnzbd
[WARN] * Privileges not restricted: radarr
[WARN] * Privileges not restricted: airvpn
[WARN] * Privileges not restricted: duplicati
[WARN] * Privileges not restricted: sonarr
[WARN] * Privileges not restricted: watchtower
[WARN] * Privileges not restricted: vnstat
[WARN] 5.26 - Ensure container health is checked at runtime
[WARN] * Health check not set: syncthing
[WARN] * Health check not set: sabnzbd
[WARN] * Health check not set: radarr
[WARN] * Health check not set: duplicati
[WARN] * Health check not set: sonarr
[WARN] * Health check not set: watchtower
[WARN] * Health check not set: vnstat
[INFO] 5.27 - Ensure docker commands always get the latest version of the image
[WARN] 5.28 - Ensure PIDs cgroup limit is used
[WARN] * PIDs limit not set: syncthing
[WARN] * PIDs limit not set: sabnzbd
[WARN] * PIDs limit not set: radarr
[WARN] * PIDs limit not set: airvpn
[WARN] * PIDs limit not set: duplicati
[WARN] * PIDs limit not set: sonarr
[WARN] * PIDs limit not set: watchtower
[WARN] * PIDs limit not set: vnstat
[INFO] 5.29 - Ensure Docker's default bridge docker0 is not used
[INFO] * Container in docker0 network: syncthing
[INFO] * Container in docker0 network: watchtower
[INFO] * Container in docker0 network: sonarr
[INFO] * Container in docker0 network: sabnzbd
[INFO] * Container in docker0 network: airvpn
[INFO] * Container in docker0 network: duplicati
[PASS] 5.30 - Ensure the host's user namespaces is not shared
[WARN] 5.31 - Ensure the Docker socket is not mounted inside any containers
[WARN] * Docker socket shared: watchtower
[INFO] 6 - Docker Security Operations
[INFO] 6.1 - Avoid image sprawl
[INFO] * There are currently: 15 images
[INFO] 6.2 - Avoid container sprawl
[INFO] * There are currently a total of 22 containers, with 9 of them currently running
[INFO] 7 - Docker Swarm Configuration
[PASS] 7.1 - Ensure swarm mode is not Enabled, if not needed
[PASS] 7.2 - Ensure the minimum number of manager nodes have been created in a swarm (Swarm mode not enabled)
[PASS] 7.3 - Ensure swarm services are binded to a specific host interface (Swarm mode not enabled)
[PASS] 7.4 - Ensure data exchanged between containers are encrypted on different nodes on the overlay network
[PASS] 7.5 - Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster (Swarm mode not enabled)
[PASS] 7.6 - Ensure swarm manager is run in auto-lock mode (Swarm mode not enabled)
[PASS] 7.7 - Ensure swarm manager auto-lock key is rotated periodically (Swarm mode not enabled)
[PASS] 7.8 - Ensure node certificates are rotated as appropriate (Swarm mode not enabled)
[PASS] 7.9 - Ensure CA certificates are rotated as appropriate (Swarm mode not enabled)
[PASS] 7.10 - Ensure management plane traffic has been separated from data plane traffic (Swarm mode not enabled)
[INFO] Checks: 105
[INFO] Score: 10