Docker Bench Security
Docker Bench Security is a Docker image that audits a host (for example a VM) running Docker containers against common best practices. Run the image on a host and it reports the security issues it finds, which makes it a useful tool for auditing your production VMs.
To run the bench security container:
docker run -it --net host --pid host --cap-add audit_control \
  -v /var/lib:/var/lib \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /usr/lib/systemd:/usr/lib/systemd \
  -v /etc:/etc --label docker_bench_security \
  docker/docker-bench-security
The output it generates looks something like this:
# ------------------------------------------------------------------------------
# Docker Bench for Security v1.0.0
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker 1.11 Benchmark:
# https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=docker16.110
# ------------------------------------------------------------------------------

Initializing Sun Jun 26 22:30:48 UTC 2016

[INFO] 1 - Host Configuration
[WARN] 1.1 - Create a separate partition for containers
[PASS] 1.2 - Use an updated Linux Kernel
[PASS] 1.4 - Remove all non-essential services from the host - Network
[PASS] 1.5 - Keep Docker up to date
[INFO]      * Using 1.12.02 which is current as of 2016-06-02
.....
You can get more details on each issue from the benchmark PDF.
The most important security issues that should be addressed are:
Update Docker to the latest version (and update the image packages).
Enable user namespace support (better) or create a user for the container: it is good practice to run the container as a non-root user where possible. User namespace remapping is now available, but if a user is already defined in the container image, the container runs as that user by default and no user namespace remapping is required. To enable user namespaces, set DOCKER_OPTS="--userns-remap=default" and restart the Docker daemon. The PDF has full instructions on how to do it.
Restrict the container from acquiring additional privileges: run containers with the --security-opt=no-new-privileges flag, for example:
docker run --rm -it --security-opt=no-new-privileges busybox sh
(The busybox image ships sh rather than bash.)
Other warnings can be addressed if you like:
Limit memory usage for container
Set container CPU priority appropriately
Mount container's root filesystem as read only
Bind incoming container traffic to a specific host interface
Set the 'on-failure' container restart policy to 5
Verify the AppArmor profile, if applicable, etc.
Note:
If you enable user namespaces, you cannot use quite a few features such as --net host. If you need to run a container with such privileges even when user namespaces are enabled, pass --userns=host to docker run to bypass user namespace remapping for that container.
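As an added example (not part of the original post or of the docker-bench-security project), the script below does two things that follow from the list above: it pulls the failing check ids out of Docker Bench output in the format shown earlier, and it composes (without executing) a docker run line that applies the no-new-privileges, non-root user, read-only root filesystem, memory and CPU limits, on-failure:5 restart policy and single-interface port binding the warnings ask for. The sample output is constructed; the 5.x check id, the uid 1000, the 256m/512 limits and the nginx image are assumptions.

```shell
#!/bin/sh
# Constructed sample of Docker Bench output in the format shown above.
# 1.1/1.2/1.4 appear in the run above; the 5.x line is a placeholder id.
BENCH_OUTPUT='[INFO] 1 - Host Configuration
[WARN] 1.1 - Create a separate partition for containers
[PASS] 1.2 - Use an updated Linux Kernel
[PASS] 1.4 - Remove all non-essential services from the host - Network
[INFO]      * Using 1.12.02 which is current as of 2016-06-02
[WARN] 5.x - Restrict container from acquiring additional privileges'

# Print the check id of every [WARN] line in the bench output passed as $1.
bench_warnings() {
    printf '%s\n' "$1" | awk '$1 == "[WARN]" { print $2 }'
}

# Number of [WARN] lines in the bench output passed as $1.
bench_warn_count() {
    bench_warnings "$1" | wc -l | tr -d ' '
}

# Compose (do not run) a hardened docker run line for image $1, publishing
# container port $3 on host port $2 bound to the loopback interface only.
# Assumed values: uid/gid 1000, 256m memory, cpu-shares 512.
hardened_run_cmd() {
    image=$1; host_port=$2; ctr_port=$3
    printf 'docker run -d %s %s %s %s %s %s -p 127.0.0.1:%s:%s %s\n' \
        '--security-opt=no-new-privileges' \
        '--user 1000:1000' \
        '--read-only' \
        '--memory=256m' \
        '--cpu-shares=512' \
        '--restart=on-failure:5' \
        "$host_port" "$ctr_port" "$image"
}

# When run directly: list the failing checks, then show the hardened command.
echo "warnings: $(bench_warn_count "$BENCH_OUTPUT")"
bench_warnings "$BENCH_OUTPUT"
hardened_run_cmd nginx 8080 80
```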