Monitor-oriented Docker Bench for Security
This post is also available in : Spanish
Docker Bench for security with Pandora FMS
Although the main purpose of Pandora FMS is to monitor: its flexibility allows us to extend it as far as we need it. That’s why we now bring you Security with Docker Bench and suggest some ideas to use with our open source version.
At Pandora FMS, over the years, we have followed Docker closely. A plug-in has even been created to monitor the health of Docker Swarm, so we’re talking about creating and monitoring a large number of application containers or containers.
The container process is the process of distributing and implementing applications in a portable way in a predictable way, but we should not neglect the possible vulnerabilities. Implementing safety with Docker Bench for security is just one of its approaches. Docker is widely used in open source and free software projects, and Docker Bench for security is also one of them; its code is based on GitHub and is licensed under Apache 2.0 . Docker Bench is made by Docker’s own team, based on business recommendations, and in GitHub receive improvements and error capture from the enthusiastic free software community.
In our case we will show in a virtual test machine with Ubuntu 18 with Docker installed from scratch, that is, a dedicated and exclusive server to house containers and with the latest updates available. The user used is jimmy and we have configured it to run sudo without a password.
Installing Security with Docker Bench for security
To install Docker Bench we will do it in our user folder with the following code:
git clone https://github.com/docker/docker-bench-security.git
With the first line we go to our user folder, with the second we download the source code, with the third we enter the directory and with the fourth we finally run it. The exit is extensive, but you will see something similar to this, initially:
First time execution of bash “docker-bench-security.sh”
Analysing the first results
Look at the red coloured texts of the last figure: these are the ones we are interested in monitoring with Pandora FMS. Now, not everything is bad in a first attempt; in the following figure in all the section 7 it has been approved and at the end it shows us a summary of the verified aspects and our score, the higher, the better:
General Security Score with Docker Bench
This is where we will begin to use the Standard Input that accompanies the Command Interpreter: a program (in this case Docker Bench for security) will deliver the result to another program with which we will filter it (we will use grep to filter lines) and finally we will filter the second field delimited by the separator “:” (cut command) to obtain only a numeric value:
sudo ./docker-bench-security.sh | grep Score: | cut -d ':' -f 2
With the obtained value, which we consider as Generic numeric for our software agent installed in the virtual server Docker test, we add it to the code that we propose:
module_exec sudo ./docker-bench-security.sh | grep Score: | cut -d ':' -f 2
module_description Docker Bench Score
There would only remain the details on how to implement the software agents, for example with Ansible, Puppet or your favorite software for these tasks.
Improving the score
For every warning, our score will be damaged; let’s go back to our command terminal and let our fingers fly on the keyboard to see where the problems are:
./docker-bench-security.sh | grep [WARN]
We will get only the warnings (note the use of ” \\\” with grep to be able to enter the square brackets straight):
Getting only the warnings from Docker Bench
Strengthening our containers
We obtained 74 verifications, but we cannot analyse them all here, so we will focus on specific cases:
Section 1.1: “Make sure you have the containers on a separate disk partition” so we created a virtual hard drive which we added to our virtual machine and moved everything in the /var/lib/docker directory and added symbolic links so as not to change the other values we have set. We want ease and speed, however Security with Docker Bench does not improve because it is not able to detect where these symbolic links lead. Issue for Docker Bench. We can help solve this by putting it in the GitHub repository; but since we are absolutely sure that this aspect is fixed, we can also exclude this check with the following command:
sudo ./docker-bench-security.sh -e check_1_1
If we had some other tests to exclude we would add a comma without spaces and the test code and so on.
Score; I made that abstraction by reviewing the Docker Bench source code. It turns out that in some tests if it is passed sum score and if the subtraction is failed, but in some others only provide zero and are the ones that return the label ” [INFO]” (example: 1.4 always returns zero). For each approved sum and for each warning subtract. There are even functions like 1.6 that can always provide one of the three values: -1, 0 or 1. But the 1.3 check (if Docker is running the latest stable version) if passed, it does not add points…
Unique execution of verification 1.3
Given this panorama, apparently confusing, it turns out that they do not qualify the “score” as a real score and here is the good thing about free software:
We will be able to modify the Security with Docker Bench to our liking and convenience; all this panorama of considerations is something common in the field of monitoring.
To further improve the score we solved the tests from 1.5 to 1.11 when installing auditd :
sudo apt-get install auditd
From 12 points we go to 27 only with the above and properly configuring the rules:
sudo nano /etc/audit/rules.d/audit.rules
with the following configurations:
-w /lib/systemd/system/docker.service -p wa
-w /lib/systemd/system/docker.socket -p wa
-w /usr/bin/docker-containerd -p wa
-w /usr/bin/docker-runc -p wa-w /usr/bin/docker -p wa
-w /var/lib/docker -p wa
-w /etc/docker -p wa
-w /etc/default/docker -p wa
-w /etc/docker/daemon.json -p wa
We got a score of 42!
Finally, note that the route /var/lib/docker is mentioned, which should be modified if we don’t use symbolic links, as we explained in the section “Strengthening our containers”. We leave it to you as a challenge to review and delve into Docker Bench. If you wish, place your results and/or suggestions and/or comments below!
Do you want to know much better what Pandora FMS can offer you? Go here.
Nowadays, many companies and organizations around the world already have Pandora FMS. Do you want to know some of our clients and read some of our success stories? Check out here.
If you have more than 100 devices to monitor you can contact us through the following form.
Also, remember that if your monitoring needs are more limited you have at your disposal the OpenSource version of Pandora FMS. Find more information here.