Untitled

a guest
Jun 8th, 2022
root@NUC1:/home/aerya# docker run -it --net host --pid host --cap-add audit_control     -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST     -v /var/lib:/var/lib     -v /var/run/docker.sock:/var/run/docker.sock     -v /usr/lib/systemd:/usr/lib/systemd     -v /etc:/etc --label docker_bench_security     docker/docker-bench-security
Unable to find image 'docker/docker-bench-security:latest' locally
latest: Pulling from docker/docker-bench-security
cd784148e348: Pull complete
48fe0d48816d: Pull complete
164e5e0f48c5: Pull complete
378ed37ea5ff: Pull complete
Digest: sha256:ddbdf4f86af4405da4a8a7b7cc62bb63bfeb75e85bf22d2ece70c204d7cfabb8
Status: Downloaded newer image for docker/docker-bench-security:latest
# ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.4
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Community Edition Benchmark v1.1.0.
# ------------------------------------------------------------------------------

Initializing Wed Jun  8 14:18:58 UTC 2022


[INFO] 1 - Host Configuration
[WARN] 1.1  - Ensure a separate partition for containers has been created
[NOTE] 1.2  - Ensure the container host has been Hardened
[INFO] 1.3  - Ensure Docker is up to date
[INFO]      * Using 20.10.14, verify is it up to date as deemed necessary
[INFO]      * Your operating system vendor may provide support and security maintenance for Docker
[INFO] 1.4  - Ensure only trusted users are allowed to control Docker daemon
[INFO]      * docker:x:997
[WARN] 1.5  - Ensure auditing is configured for the Docker daemon
[WARN] 1.6  - Ensure auditing is configured for Docker files and directories - /var/lib/docker
[WARN] 1.7  - Ensure auditing is configured for Docker files and directories - /etc/docker
[WARN] 1.8  - Ensure auditing is configured for Docker files and directories - docker.service
[WARN] 1.9  - Ensure auditing is configured for Docker files and directories - docker.socket
[WARN] 1.10  - Ensure auditing is configured for Docker files and directories - /etc/default/docker
[INFO] 1.11  - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
[INFO]      * File not found
[INFO] 1.12  - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd
[INFO]      * File not found
[INFO] 1.13  - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc
[INFO]      * File not found


[INFO] 2 - Docker daemon configuration
[WARN] 2.1  - Ensure network traffic is restricted between containers on the default bridge
[PASS] 2.2  - Ensure the logging level is set to 'info'
[PASS] 2.3  - Ensure Docker is allowed to make changes to iptables
[PASS] 2.4  - Ensure insecure registries are not used
[PASS] 2.5  - Ensure aufs storage driver is not used
[INFO] 2.6  - Ensure TLS authentication for Docker daemon is configured
[INFO]      * Docker daemon not listening on TCP
[INFO] 2.7  - Ensure the default ulimit is configured appropriately
[INFO]      * Default ulimit doesn't appear to be set
[WARN] 2.8  - Enable user namespace support
[PASS] 2.9  - Ensure the default cgroup usage has been confirmed
[PASS] 2.10  - Ensure base device size is not changed until needed
[WARN] 2.11  - Ensure that authorization for Docker client commands is enabled
[WARN] 2.12  - Ensure centralized and remote logging is configured
[INFO] 2.13  - Ensure operations on legacy registry (v1) are Disabled (Deprecated)
[WARN] 2.14  - Ensure live restore is Enabled
[WARN] 2.15  - Ensure Userland Proxy is Disabled
[PASS] 2.16  - Ensure daemon-wide custom seccomp profile is applied, if needed
[PASS] 2.17  - Ensure experimental features are avoided in production
[WARN] 2.18  - Ensure containers are restricted from acquiring new privileges


[INFO] 3 - Docker daemon configuration files
[PASS] 3.1  - Ensure that docker.service file ownership is set to root:root
[PASS] 3.2  - Ensure that docker.service file permissions are set to 644 or more restrictive
[PASS] 3.3  - Ensure that docker.socket file ownership is set to root:root
[PASS] 3.4  - Ensure that docker.socket file permissions are set to 644 or more restrictive
[PASS] 3.5  - Ensure that /etc/docker directory ownership is set to root:root
[PASS] 3.6  - Ensure that /etc/docker directory permissions are set to 755 or more restrictive
[INFO] 3.7  - Ensure that registry certificate file ownership is set to root:root
[INFO]      * Directory not found
[INFO] 3.8  - Ensure that registry certificate file permissions are set to 444 or more restrictive
[INFO]      * Directory not found
[INFO] 3.9  - Ensure that TLS CA certificate file ownership is set to root:root
[INFO]      * No TLS CA certificate found
[INFO] 3.10  - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive
[INFO]      * No TLS CA certificate found
[INFO] 3.11  - Ensure that Docker server certificate file ownership is set to root:root
[INFO]      * No TLS Server certificate found
[INFO] 3.12  - Ensure that Docker server certificate file permissions are set to 444 or more restrictive
[INFO]      * No TLS Server certificate found
[INFO] 3.13  - Ensure that Docker server certificate key file ownership is set to root:root
[INFO]      * No TLS Key found
[INFO] 3.14  - Ensure that Docker server certificate key file permissions are set to 400
[INFO]      * No TLS Key found
[PASS] 3.15  - Ensure that Docker socket file ownership is set to root:docker
[PASS] 3.16  - Ensure that Docker socket file permissions are set to 660 or more restrictive
[INFO] 3.17  - Ensure that daemon.json file ownership is set to root:root
[INFO]      * File not found
[INFO] 3.18  - Ensure that daemon.json file permissions are set to 644 or more restrictive
[INFO]      * File not found
[PASS] 3.19  - Ensure that /etc/default/docker file ownership is set to root:root
[PASS] 3.20  - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive


[INFO] 4 - Container Images and Build File
[WARN] 4.1  - Ensure a user for the container has been created
[WARN]      * Running as root: syncthing
[WARN]      * Running as root: sabnzbd
[WARN]      * Running as root: radarr
[WARN]      * Running as root: airvpn
[WARN]      * Running as root: duplicati
[WARN]      * Running as root: sonarr
[WARN]      * Running as root: watchtower
[WARN]      * Running as root: vnstat
[NOTE] 4.2  - Ensure that containers use trusted base images
[NOTE] 4.3  - Ensure unnecessary packages are not installed in the container
[NOTE] 4.4  - Ensure images are scanned and rebuilt to include security patches
[WARN] 4.5  - Ensure Content trust for Docker is Enabled
[WARN] 4.6  - Ensure HEALTHCHECK instructions have been added to the container image
[WARN]      * No Healthcheck found: [linuxserver/sabnzbd:latest]
[WARN]      * No Healthcheck found: [lscr.io/linuxserver/syncthing:latest]
[WARN]      * No Healthcheck found: [linuxserver/radarr:nightly]
[WARN]      * No Healthcheck found: [ghcr.io/linuxserver/duplicati:latest]
[WARN]      * No Healthcheck found: [aquasec/trivy:latest]
[WARN]      * No Healthcheck found: [linuxserver/sonarr:latest]
[WARN]      * No Healthcheck found: [kodcloud/kodbox:latest]
[WARN]      * No Healthcheck found: [node:latest]
[WARN]      * No Healthcheck found: [vergoh/vnstat:latest]
[WARN]      * No Healthcheck found: [containrrr/watchtower:latest]
[WARN]      * No Healthcheck found: [hubblo/scaphandre:latest]
[WARN]      * No Healthcheck found: [radpenguin/megacmd-get:latest]
[INFO] 4.7  - Ensure update instructions are not use alone in the Dockerfile
[INFO]      * Update instruction found: [kodcloud/kodbox:latest]
[INFO]      * Update instruction found: [node:latest]
[INFO]      * Update instruction found: [hubblo/scaphandre:latest]
[INFO]      * Update instruction found: [radpenguin/megacmd-get:latest]
[NOTE] 4.8  - Ensure setuid and setgid permissions are removed in the images
[INFO] 4.9  - Ensure COPY is used instead of ADD in Dockerfile
[INFO]      * ADD in image history: [linuxserver/sabnzbd:latest]
[INFO]      * ADD in image history: [lscr.io/linuxserver/syncthing:latest]
[INFO]      * ADD in image history: [qmcgaw/gluetun:latest]
[INFO]      * ADD in image history: [linuxserver/radarr:nightly]
[INFO]      * ADD in image history: [ghcr.io/linuxserver/duplicati:latest]
[INFO]      * ADD in image history: [aquasec/trivy:latest]
[INFO]      * ADD in image history: [linuxserver/sonarr:latest]
[INFO]      * ADD in image history: [kodcloud/kodbox:latest]
[INFO]      * ADD in image history: [node:latest]
[INFO]      * ADD in image history: [ghcr.io/wfg/openvpn-client:latest]
[INFO]      * ADD in image history: [vergoh/vnstat:latest]
[INFO]      * ADD in image history: [hubblo/scaphandre:latest]
[INFO]      * ADD in image history: [radpenguin/megacmd-get:latest]
[INFO]      * ADD in image history: [docker/docker-bench-security:latest]
[NOTE] 4.10  - Ensure secrets are not stored in Dockerfiles
[NOTE] 4.11  - Ensure verified packages are only Installed


[INFO] 5 - Container Runtime
[PASS] 5.1  - Ensure AppArmor Profile is Enabled
[WARN] 5.2  - Ensure SELinux security options are set, if applicable
[WARN]      * No SecurityOptions Found: syncthing
[WARN]      * No SecurityOptions Found: sabnzbd
[WARN]      * No SecurityOptions Found: radarr
[WARN]      * No SecurityOptions Found: airvpn
[WARN]      * No SecurityOptions Found: duplicati
[WARN]      * No SecurityOptions Found: sonarr
[WARN]      * No SecurityOptions Found: watchtower
[WARN]      * No SecurityOptions Found: vnstat
[WARN] 5.3  - Ensure Linux Kernel Capabilities are restricted within containers
[WARN]      * Capabilities added: CapAdd=[NET_ADMIN] to airvpn
[PASS] 5.4  - Ensure privileged containers are not used
[PASS] 5.5  - Ensure sensitive host system directories are not mounted on containers
[PASS] 5.6  - Ensure ssh is not run within containers
[WARN] 5.7  - Ensure privileged ports are not mapped within containers
[WARN]      * Privileged Port in use: 2 in duplicati
[NOTE] 5.8  - Ensure only needed ports are open on the container
[WARN] 5.9  - Ensure the host's network namespace is not shared
[WARN]      * Container running with networking mode 'host': vnstat
[WARN] 5.10  - Ensure memory usage for container is limited
[WARN]      * Container running without memory restrictions: syncthing
[WARN]      * Container running without memory restrictions: sabnzbd
[WARN]      * Container running without memory restrictions: radarr
[WARN]      * Container running without memory restrictions: airvpn
[WARN]      * Container running without memory restrictions: duplicati
[WARN]      * Container running without memory restrictions: sonarr
[WARN]      * Container running without memory restrictions: watchtower
[WARN]      * Container running without memory restrictions: vnstat
[WARN] 5.11  - Ensure CPU priority is set appropriately on the container
[WARN]      * Container running without CPU restrictions: syncthing
[WARN]      * Container running without CPU restrictions: sabnzbd
[WARN]      * Container running without CPU restrictions: radarr
[WARN]      * Container running without CPU restrictions: airvpn
[WARN]      * Container running without CPU restrictions: duplicati
[WARN]      * Container running without CPU restrictions: sonarr
[WARN]      * Container running without CPU restrictions: watchtower
[WARN]      * Container running without CPU restrictions: vnstat
[WARN] 5.12  - Ensure the container's root filesystem is mounted as read only
[WARN]      * Container running with root FS mounted R/W: syncthing
[WARN]      * Container running with root FS mounted R/W: sabnzbd
[WARN]      * Container running with root FS mounted R/W: radarr
[WARN]      * Container running with root FS mounted R/W: airvpn
[WARN]      * Container running with root FS mounted R/W: duplicati
[WARN]      * Container running with root FS mounted R/W: sonarr
[WARN]      * Container running with root FS mounted R/W: watchtower
[WARN]      * Container running with root FS mounted R/W: vnstat
[WARN] 5.13  - Ensure incoming container traffic is binded to a specific host interface
[WARN]      * Port being bound to wildcard IP: 0.0.0.0 in syncthing
[WARN]      * Port being bound to wildcard IP: 0.0.0.0 in syncthing
[WARN]      * Port being bound to wildcard IP: 0.0.0.0 in syncthing
[WARN]      * Port being bound to wildcard IP: 0.0.0.0 in syncthing
[WARN]      * Port being bound to wildcard IP: 0.0.0.0 in sabnzbd
[WARN]      * Port being bound to wildcard IP: 0.0.0.0 in airvpn
[WARN]      * Port being bound to wildcard IP: 0.0.0.0 in duplicati
[WARN]      * Port being bound to wildcard IP: 0.0.0.0 in sonarr
[WARN] 5.14  - Ensure 'on-failure' container restart policy is set to '5'
[WARN]      * MaximumRetryCount is not set to 5: syncthing
[WARN]      * MaximumRetryCount is not set to 5: sabnzbd
[WARN]      * MaximumRetryCount is not set to 5: radarr
[WARN]      * MaximumRetryCount is not set to 5: airvpn
[WARN]      * MaximumRetryCount is not set to 5: duplicati
[WARN]      * MaximumRetryCount is not set to 5: sonarr
[WARN]      * MaximumRetryCount is not set to 5: watchtower
[WARN]      * MaximumRetryCount is not set to 5: vnstat
[PASS] 5.15  - Ensure the host's process namespace is not shared
[PASS] 5.16  - Ensure the host's IPC namespace is not shared
[PASS] 5.17  - Ensure host devices are not directly exposed to containers
[INFO] 5.18  - Ensure the default ulimit is overwritten at runtime, only if needed
[INFO]      * Container no default ulimit override: syncthing
[INFO]      * Container no default ulimit override: sabnzbd
[INFO]      * Container no default ulimit override: radarr
[INFO]      * Container no default ulimit override: airvpn
[INFO]      * Container no default ulimit override: duplicati
[INFO]      * Container no default ulimit override: sonarr
[INFO]      * Container no default ulimit override: watchtower
[INFO]      * Container no default ulimit override: vnstat
[PASS] 5.19  - Ensure mount propagation mode is not set to shared
[PASS] 5.20  - Ensure the host's UTS namespace is not shared
[PASS] 5.21  - Ensure the default seccomp profile is not Disabled
[NOTE] 5.22  - Ensure docker exec commands are not used with privileged option
[NOTE] 5.23  - Ensure docker exec commands are not used with user option
[PASS] 5.24  - Ensure cgroup usage is confirmed
[WARN] 5.25  - Ensure the container is restricted from acquiring additional privileges
[WARN]      * Privileges not restricted: syncthing
[WARN]      * Privileges not restricted: sabnzbd
[WARN]      * Privileges not restricted: radarr
[WARN]      * Privileges not restricted: airvpn
[WARN]      * Privileges not restricted: duplicati
[WARN]      * Privileges not restricted: sonarr
[WARN]      * Privileges not restricted: watchtower
[WARN]      * Privileges not restricted: vnstat
[WARN] 5.26  - Ensure container health is checked at runtime
[WARN]      * Health check not set: syncthing
[WARN]      * Health check not set: sabnzbd
[WARN]      * Health check not set: radarr
[WARN]      * Health check not set: duplicati
[WARN]      * Health check not set: sonarr
[WARN]      * Health check not set: watchtower
[WARN]      * Health check not set: vnstat
[INFO] 5.27  - Ensure docker commands always get the latest version of the image
[WARN] 5.28  - Ensure PIDs cgroup limit is used
[WARN]      * PIDs limit not set: syncthing
[WARN]      * PIDs limit not set: sabnzbd
[WARN]      * PIDs limit not set: radarr
[WARN]      * PIDs limit not set: airvpn
[WARN]      * PIDs limit not set: duplicati
[WARN]      * PIDs limit not set: sonarr
[WARN]      * PIDs limit not set: watchtower
[WARN]      * PIDs limit not set: vnstat
[INFO] 5.29  - Ensure Docker's default bridge docker0 is not used
[INFO]      * Container in docker0 network: syncthing
[INFO]      * Container in docker0 network: watchtower
[INFO]      * Container in docker0 network: sonarr
[INFO]      * Container in docker0 network: sabnzbd
[INFO]      * Container in docker0 network: airvpn
[INFO]      * Container in docker0 network: duplicati
[PASS] 5.30  - Ensure the host's user namespaces is not shared
[WARN] 5.31  - Ensure the Docker socket is not mounted inside any containers
[WARN]      * Docker socket shared: watchtower


[INFO] 6 - Docker Security Operations
[INFO] 6.1  - Avoid image sprawl
[INFO]      * There are currently: 15 images
[INFO] 6.2  - Avoid container sprawl
[INFO]      * There are currently a total of 22 containers, with 9 of them currently running


[INFO] 7 - Docker Swarm Configuration
[PASS] 7.1  - Ensure swarm mode is not Enabled, if not needed
[PASS] 7.2  - Ensure the minimum number of manager nodes have been created in a swarm (Swarm mode not enabled)
[PASS] 7.3  - Ensure swarm services are binded to a specific host interface (Swarm mode not enabled)
[PASS] 7.4  - Ensure data exchanged between containers are encrypted on different nodes on the overlay network
[PASS] 7.5  - Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster (Swarm mode not enabled)
[PASS] 7.6  - Ensure swarm manager is run in auto-lock mode (Swarm mode not enabled)
[PASS] 7.7  - Ensure swarm manager auto-lock key is rotated periodically (Swarm mode not enabled)
[PASS] 7.8  - Ensure node certificates are rotated as appropriate (Swarm mode not enabled)
[PASS] 7.9  - Ensure CA certificates are rotated as appropriate (Swarm mode not enabled)
[PASS] 7.10  - Ensure management plane traffic has been separated from data plane traffic (Swarm mode not enabled)

[INFO] Checks: 105
[INFO] Score: 10