Running a security assessment of Docker containers with Docker Bench for Security
Source: docker/docker-bench-security · GitHub
Motivation
Try out a security assessment tool for Docker environments.
Docker security
Docker is now in everyday use, and the importance of its security grows by the day. Docker, Inc. also invests in security: the Docker Security Blog publishes Docker's security policy, CVE information and other security-related material.
In addition, in the white paper "Introduction to Container Security" the company argues that Docker containers can strengthen security without adding infrastructure resources, and makes the following three points in particular.
- Containers add a protective layer that isolates applications from each other and from the host, reducing the host's attack vectors (attack paths) without consuming resources of the underlying infrastructure.
- Containers and virtual machines can be deployed in the same environment, and together they provide a layer that securely isolates services.
- The essence of containers is to make patching and updating of the OS, application and infrastructure layers fast and easy, which helps maintain the security and compliance of the whole system.
The claim is that adding one more layer with containers, together with proper management of services and resources, raises the level of security.
On the subject of container security, Docker, VMware, Rakuten, Cognitive Scale and the Internet Securities Exchange recently joined the Center for Internet Security in a benchmark study of Docker Engine called the CIS Docker 1.6 Benchmark. The study states that the CIS security benchmark program gives organizations clearly defined, consensus-based best practices for security assessment and hardening, and that this community-driven benchmark provides recommended configurations for Linux and Docker.
Docker Bench for Security is a tool that automatically checks the configuration of Docker containers against the recommended settings of this benchmark.
Preparing the environment
Prepare an environment for Docker Bench for Security. Here, Ubuntu 14.04 is booted on Vagrant and Docker is installed on it. An Nginx container is also prepared as the test container.
Installing Docker
First, to run the test on Ubuntu 14.04, set up the required environment following Docker: Installation on Ubuntu.
Use the ubuntu14_04 box saved in the local vagrant box list.
```
$ vagrant init ubuntu14_04
```
Edit the Vagrantfile.
```
# Uncomment the following line:
# config.vm.network :private_network, ip: "192.168.33.10"
```
Start the VM, check the environment information, bring the system up to date and install Docker.
```
$ vagrant up
$ vagrant ssh
vagrant@vagrant-ubuntu-trusty-64:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.1 LTS
Release:        14.04
Codename:       trusty
vagrant@vagrant-ubuntu-trusty-64:~$ uname -a
Linux vagrant-ubuntu-trusty-64 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

$ sudo apt-get update
$ sudo apt-get upgrade
vagrant@vagrant-ubuntu-trusty-64:~$ wget -qO- https://get.docker.com/ | sh
```
Run a test.
```
vagrant@vagrant-ubuntu-trusty-64:~$ sudo docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from hello-world
a8219747be10: Pull complete
91c95931e552: Already exists
hello-world:latest: The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security.
Digest: sha256:aa03e5d0d5553b4c3473e89c8619cf79df368babd18681cf5daeb82aab55838d
Status: Downloaded newer image for hello-world:latest
Hello from Docker.
This message shows that your installation appears to be working correctly.
```
Creating the Nginx container
Create the Nginx container used for the Docker Bench for Security test.
```
sudo docker run --name mynginx1 -P -d nginx
```
Confirm that the Nginx container is running.
```
vagrant@vagrant-ubuntu-trusty-64:~$ sudo docker ps
CONTAINER ID        IMAGE               COMMAND                CREATED             STATUS              PORTS                                           NAMES
e4fe8ff26f13        nginx               "nginx -g 'daemon of   6 seconds ago       Up 6 seconds        0.0.0.0:32769->80/tcp, 0.0.0.0:32768->443/tcp   mynginx1
vagrant@vagrant-ubuntu-trusty-64:~$ curl http://localhost:32769
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
```
Trying out Docker Bench for Security
As described at docker/docker-bench-security · GitHub, Docker Bench for Security is itself published as a container image, so running the following command is enough to assess the containers managed by the host on which the Docker Bench for Security container is started (the host mounts, host network and PID namespaces, and the audit_control capability are what give the checker its view of the host and daemon).
```
vagrant@vagrant-ubuntu-trusty-64:~$ sudo docker run -it --net host --pid host --cap-add audit_control \
    -v /var/lib:/var/lib \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v /usr/lib/systemd:/usr/lib/systemd \
    -v /etc:/etc --label docker-bench-security \
    diogomonica/docker-bench-security
```
The assessment result for the Nginx container created above.
```
# ------------------------------------------------------------------------------
# CIS Docker 1.6 Benchmark v1.0.0 checker
#
# Docker, Inc. (c) 2015
#
# Provides automated tests for the CIS Docker 1.6 Benchmark:
# https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf
# ------------------------------------------------------------------------------

Initializing Mon Jun 29 23:04:01 UTC 2015

[INFO] 1 - Host Configuration
[WARN] 1.1 - Create a separate partition for containers
[PASS] 1.2 - Use an updated Linux Kernel
[WARN] 1.5 - Remove all non-essential services from the host - Network
[WARN] * Host listening on: 8 ports
[PASS] 1.6 - Keep Docker up to date
[INFO] 1.7 - Only allow trusted users to control Docker daemon
[INFO] * docker:x:999:
[WARN] 1.8 - Failed to inspect: auditctl command not found.
[WARN] 1.9 - Failed to inspect: auditctl command not found.
[WARN] 1.10 - Failed to inspect: auditctl command not found.
[WARN] 1.11 - Failed to inspect: auditctl command not found.
[WARN] 1.12 - Failed to inspect: auditctl command not found.
[WARN] 1.13 - Failed to inspect: auditctl command not found.
[WARN] 1.14 - Failed to inspect: auditctl command not found.
[WARN] 1.15 - Failed to inspect: auditctl command not found.
[WARN] 1.16 - Failed to inspect: auditctl command not found.
[WARN] 1.17 - Failed to inspect: auditctl command not found.
[WARN] 1.18 - Failed to inspect: auditctl command not found.

[INFO] 2 - Docker Daemon Configuration
[PASS] 2.1 - Do not use lxc execution driver
[WARN] 2.2 - Restrict network traffic between containers
[PASS] 2.3 - Set the logging level
[PASS] 2.4 - Allow Docker to make changes to iptables
[PASS] 2.5 - Do not use insecure registries
[INFO] 2.6 - Setup a local registry mirror
[INFO] * No local registry currently configured
[WARN] 2.7 - Do not use the aufs storage driver
[PASS] 2.8 - Do not bind Docker to another IP/Port or a Unix socket
[INFO] 2.9 - Configure TLS authentication for Docker daemon
[INFO] * Docker daemon not listening on TCP
[INFO] 2.10 - Set default ulimit as appropriate
[INFO] * Default ulimit doesn't appear to be set

[INFO] 3 - Docker Daemon Configuration Files
[INFO] 3.1 - Verify that docker.service file ownership is set to root:root
[INFO] * File not found
[INFO] 3.2 - Verify that docker.service file permissions are set to 644
[INFO] * File not found
[INFO] 3.3 - Verify that docker-registry.service file ownership is set to root:root
[INFO] * File not found
[INFO] 3.4 - Verify that docker-registry.service file permissions are set to 644
[INFO] * File not found
[INFO] 3.5 - Verify that docker.socket file ownership is set to root:root
[INFO] * File not found
[INFO] 3.6 - Verify that docker.socket file permissions are set to 644
[INFO] * File not found
[INFO] 3.7 - Verify that Docker environment file ownership is set to root:root
[INFO] * File not found
[INFO] 3.8 - Verify that Docker environment file permissions are set to 644
[INFO] * File not found
[INFO] 3.9 - Verify that docker-network environment file ownership is set to root:root
[INFO] * File not found
[INFO] 3.10 - Verify that docker-network environment file permissions are set to 644
[INFO] * File not found
[INFO] 3.11 - Verify that docker-registry environment file ownership is set to root:root
[INFO] * File not found
[INFO] 3.12 - Verify that docker-registry environment file permissions are set to 644
[INFO] * File not found
[INFO] 3.13 - Verify that docker-storage environment file ownership is set to root:root
[INFO] * File not found
[INFO] 3.14 - Verify that docker-storage environment file permissions are set to 644
[INFO] * File not found
[PASS] 3.15 - Verify that /etc/docker directory ownership is set to root:root
[PASS] 3.16 - Verify that /etc/docker directory permissions are set to 755
[INFO] 3.17 - Verify that registry certificate file ownership is set to root:root
[INFO] * Directory not found
[INFO] 3.18 - Verify that registry certificate file permissions are set to 444
[INFO] * Directory not found
[INFO] 3.19 - Verify that TLS CA certificate file ownership is set to root:root
[INFO] * No TLS CA certificate found
[INFO] 3.20 - Verify that TLS CA certificate file permissions are set to 444
[INFO] * No TLS CA certificate found
[INFO] 3.21 - Verify that Docker server certificate file ownership is set to root:root
[INFO] * No TLS Server certificate found
[INFO] 3.22 - Verify that Docker server certificate file permissions are set to 444
[INFO] * No TLS Server certificate found
[INFO] 3.23 - Verify that Docker server key file ownership is set to root:root
[INFO] * No TLS Key found
[INFO] 3.24 - Verify that Docker server key file permissions are set to 400
[INFO] * No TLS Key found
[INFO] 3.25 - Verify that Docker socket file ownership is set to root:docker
[INFO] * File not found
[INFO] 3.26 - Verify that Docker socket file permissions are set to 660
[INFO] * File not found

[INFO] 4 - Container Images and Build Files
[WARN] 4.1 - Create a user for the container
[WARN] * Running as root: e4fe8ff26f13

[INFO] 5 - Container Runtime
[WARN] 5.1 - Verify AppArmor Profile, if applicable
[WARN] * No AppArmorProfile Found: e4fe8ff26f13
[WARN] 5.2 - Verify SELinux security options, if applicable
[WARN] * No SecurityOptions Found: e4fe8ff26f13
[PASS] 5.3 - Verify that containers are running only a single main process
[PASS] 5.4 - Restrict Linux Kernel Capabilities within containers
[PASS] 5.5 - Do not use privileged containers
[PASS] 5.6 - Do not mount sensitive host system directories on containers
[PASS] 5.7 - Do not run ssh within containers
sh: 443 80: bad number
[PASS] 5.8 - Do not map privileged ports within containers
[PASS] 5.10 - Do not use host network mode on container
[WARN] 5.11 - Limit memory usage for container
[WARN] * Container running without memory restrictions: e4fe8ff26f13
[WARN] 5.12 - Set container CPU priority appropriately
[WARN] * Container running without CPU restrictions: e4fe8ff26f13
[WARN] 5.13 - Mount container's root filesystem as read only
[WARN] * Container running with root FS mounted R/W: e4fe8ff26f13
[PASS] 5.14 - Bind incoming container traffic to a specific host interface
[PASS] 5.15 - Do not set the 'on-failure' container restart policy to always
[PASS] 5.16 - Do not share the host's process namespace
[PASS] 5.17 - Do not share the host's IPC namespace
[PASS] 5.18 - Do not directly expose host devices to containers
[INFO] 5.19 - Override default ulimit at runtime only if needed
[INFO] * Container no default ulimit override: e4fe8ff26f13

[INFO] 6 - Docker Security Operations
[INFO] 6.6 - Avoid image sprawl
[INFO] * There are currently: 3 images
[INFO] 6.7 - Avoid container sprawl
[INFO] * There are currently a total of 2 containers, with 2 of them currently running
```
As the output shows, the tool raises a number of security findings: the test container runs as root, has no AppArmor profile, no memory or CPU limits and a writable root filesystem, and the host-side 1.8 to 1.18 checks could not be evaluated because auditctl is not installed.
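A report like the one above is easiest to act on once it is split into confirmed findings, checks the tool could not evaluate (the "Failed to inspect" lines, which mean a missing auditctl on the host rather than a confirmed misconfiguration), and the containers they name. The following POSIX shell functions do that triage and double as a CI gate. They are an added example, not part of the original post or of docker-bench-security; the report excerpt they run on is a constructed subset of the output shown above, and the `bench_sample`, `count_checks`, `confirmed_warns`, `unverified_warns`, `confirmed_warn_ids`, `affected_containers` and `bench_gate` names are my own.

```shell
#!/bin/sh
# Added example (not from the original post or from docker-bench-security):
# triage a docker-bench-security report. On a real host, feed the report in:
#   sudo docker run ... diogomonica/docker-bench-security | bench_gate

# Constructed sample: a subset of the report lines shown in the post.
bench_sample() {
    cat <<'EOF'
[INFO] 1 - Host Configuration
[WARN] 1.1 - Create a separate partition for containers
[PASS] 1.2 - Use an updated Linux Kernel
[WARN] 1.5 - Remove all non-essential services from the host - Network
[WARN] * Host listening on: 8 ports
[WARN] 1.8 - Failed to inspect: auditctl command not found.
[WARN] 1.9 - Failed to inspect: auditctl command not found.
[INFO] 2 - Docker Daemon Configuration
[WARN] 2.2 - Restrict network traffic between containers
[PASS] 2.5 - Do not use insecure registries
[INFO] 4 - Container Images and Build Files
[WARN] 4.1 - Create a user for the container
[WARN] * Running as root: e4fe8ff26f13
[INFO] 5 - Container Runtime
[WARN] 5.11 - Limit memory usage for container
[WARN] * Container running without memory restrictions: e4fe8ff26f13
[WARN] 5.13 - Mount container's root filesystem as read only
[WARN] * Container running with root FS mounted R/W: e4fe8ff26f13
[PASS] 5.16 - Do not share the host's process namespace
EOF
}

# Number of check lines (those carrying an "N.N" id) with the given status.
# Section headers ("[INFO] 1 - ...") and "*" detail lines are not counted.
count_checks() {
    grep -c "^\[$1\] [0-9][0-9]*\.[0-9]" || true
}

# WARN checks the tool could not evaluate: a tooling gap on the host,
# to be fixed by installing the missing tool, not a confirmed finding.
unverified_warns() {
    grep '^\[WARN\] [0-9][0-9]*\.[0-9].*Failed to inspect' || true
}

# WARN checks that were actually evaluated and failed.
confirmed_warns() {
    grep '^\[WARN\] [0-9][0-9]*\.[0-9]' | grep -v 'Failed to inspect' || true
}

# Just the CIS ids of the confirmed findings, one per line.
confirmed_warn_ids() {
    confirmed_warns | awk '{print $2}'
}

# Container ids (12 hex digits) named in WARN detail lines, deduplicated.
affected_containers() {
    sed -n 's/^\[WARN\] \* .*: \([0-9a-f]\{12\}\)$/\1/p' | sort -u
}

# CI gate: succeed only when no confirmed WARN finding is present.
bench_gate() {
    n=$(confirmed_warns | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Demo on the constructed sample.
printf 'WARN checks: %s (confirmed %s, unverified %s); PASS checks: %s\n' \
    "$(bench_sample | count_checks WARN)" \
    "$(bench_sample | confirmed_warns | wc -l | tr -d ' ')" \
    "$(bench_sample | unverified_warns | wc -l | tr -d ' ')" \
    "$(bench_sample | count_checks PASS)"
printf 'Confirmed ids: %s\n' "$(bench_sample | confirmed_warn_ids | tr '\n' ' ')"
printf 'Containers with findings: %s\n' "$(bench_sample | affected_containers | tr '\n' ' ')"
bench_sample | bench_gate || echo "gate: confirmed findings present"
```

Keeping "Failed to inspect" apart from real failures matters when the gate runs in CI: the auditctl lines above disappear by installing auditd on the host, whereas the confirmed items need a configuration change, and mixing the two hides which is which.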
Impressions
Docker Bench for Security turned out to be a tool that makes security assessment of Docker containers very easy. Anyone uneasy about container security can build a robust container environment by following the tool's findings and closing the security holes one by one. On the other hand, the assessment is based on the security best practices described in the white paper Introduction to Container Security and in Understanding Docker Security and Best Practices | Docker Blog, and it is a means of supporting that concept. One should therefore understand the original concept, and also judge whether it matches the security one actually has in mind.
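"Closing the holes one by one" for the test container above mostly comes down to run-time flags. The script below, an added example and not code from the post or from docker-bench-security, places the original `docker run` for mynginx1 next to a re-run that answers the WARN items reported for it (5.1, 5.11, 5.12, 5.13), adds a pre-flight check that reports which of those items a given argument string still leaves open, and shows the host-side settings for 2.2 and for the 1.8/1.9 audit checks that came back as "Failed to inspect". Everything beyond the post's own command is my assumption: the official nginx image (whose master process starts as root and needs the NET_BIND_SERVICE, CHOWN, SETUID and SETGID capabilities plus a writable /var/cache/nginx and /var/run), `--tmpfs` being available (Docker 1.10 or later), AppArmor being enabled on the host, the daemon reading `DOCKER_OPTS` from /etc/default/docker as the upstart-based Ubuntu 14.04 install does, and 256m / 512 shares as placeholder sizes; the function names `weak_run_args`, `hardened_run_args`, `open_findings`, `daemon_opts_for_2_2` and `audit_rules` are mine.

```shell
#!/bin/sh
# Added example, not from the original post or from docker-bench-security.
# Assumptions (to verify on the target): official nginx image, --tmpfs
# available (Docker >= 1.10), AppArmor enabled on the host, daemon options in
# /etc/default/docker (upstart Ubuntu 14.04), placeholder memory/CPU sizes.

# The run from the post: every setting left at its default.
weak_run_args() {
    printf '%s\n' "--name mynginx1 -P -d nginx"
}

# Hardened run, one flag group per CIS check it addresses.
hardened_run_args() {
    a="--name mynginx1 -d"
    # 5.1  pin the AppArmor profile explicitly rather than relying on the default
    a="$a --security-opt apparmor=docker-default"
    # 5.11 / 5.12  memory and CPU limits (placeholder sizes, tune per workload)
    a="$a --memory 256m --cpu-shares 512"
    # 5.13 read-only root FS; nginx's scratch paths become tmpfs, not host paths
    a="$a --read-only --tmpfs /var/cache/nginx --tmpfs /var/run"
    # 5.4  drop everything, then add back only what the nginx master needs
    a="$a --cap-drop ALL --cap-add NET_BIND_SERVICE --cap-add CHOWN --cap-add SETUID --cap-add SETGID"
    # 5.14 publish on one host interface instead of the 0.0.0.0 that -P gave
    a="$a -p 127.0.0.1:8080:80"
    # 4.1 has no run-time fix for this image: the image itself must start the
    # process as a non-root user (USER in its Dockerfile), so it stays open.
    printf '%s\n' "$a nginx"
}

# Pre-flight check of a docker run argument string against the run-time
# findings above; prints one line per item still open (no output = covered).
open_findings() {
    case "$1" in *--security-opt*apparmor*) ;; *) echo "5.1 no AppArmor profile";; esac
    case "$1" in *--memory*|*-m\ *) ;; *) echo "5.11 no memory limit";; esac
    case "$1" in *--cpu-shares*|*--cpus*|*--cpu-period*) ;; *) echo "5.12 no CPU limit";; esac
    case "$1" in *--read-only*) ;; *) echo "5.13 root filesystem writable";; esac
    case "$1" in *--user*|*-u\ *) ;; *) echo "4.1 runs as the image's default user";; esac
}

# 2.2  daemon level: block traffic between containers on the default bridge.
# Line for /etc/default/docker; a systemd-managed daemon takes the same
# setting as "icc": false in /etc/docker/daemon.json.
daemon_opts_for_2_2() {
    printf '%s\n' 'DOCKER_OPTS="--icc=false"'
}

# 1.8 / 1.9  auditd watch rules for the daemon binary and its data directory.
# auditctl was absent on the host above, which is why those checks could not
# run; install auditd first, then add these to /etc/audit/audit.rules.
audit_rules() {
    printf '%s\n' \
        '-w /usr/bin/docker -k docker' \
        '-w /var/lib/docker -k docker'
}

# Demo: both commands and what each still leaves open.
echo "weak:     docker run $(weak_run_args)"
echo "hardened: docker run $(hardened_run_args)"
echo "open after weak run:";     open_findings "$(weak_run_args)"
echo "open after hardened run:"; open_findings "$(hardened_run_args)"
# To apply on the host (after: sudo docker rm -f mynginx1), not executed here:
#   eval "sudo docker run $(hardened_run_args)"
```

After replacing the container and re-running the bench, 5.1, 5.11, 5.12 and 5.13 should move to PASS for the new container id while 4.1 stays a WARN until the image runs nginx unprivileged; that residual finding is the reason the pre-flight check keeps 4.1 in its list, so a run-time-only hardening is not mistaken for a complete one.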
References
Docker Bench for Security
Docker security resources
- Docker Security Blog
- White paper: Introduction to Container Security
- Understanding Docker Security and Best Practices | Docker Blog
- Center for Internet Security :: Security Benchmarks Division