CISOfy / lynis

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
https://cisofy.com/lynis/
GNU General Public License v3.0

Lynis stops working if you set up tls in /etc/docker/daemon.json #1539

Closed osorito closed 2 months ago

osorito commented 2 months ago

Describe the bug

Lynis hangs if I run the test with TLS enabled in /etc/docker/daemon.json.

To install Lynis

sudo mkdir -p /usr/local/lynis
cd /usr/local
sudo wget https://downloads.cisofy.com/lynis/lynis-3.1.1.tar.gz
sudo tar xfvz lynis-3.1.1.tar.gz
sudo chown node:node lynis

Docker daemon configuration /etc/docker/daemon.json

node@Blaze:~$ sudo cat /etc/docker/daemon.json

{
  "log-driver": "syslog",
  "icc": false ,
  "log-level": "info",
  "iptables": true,
  "insecure-registries": [],
  "live-restore": true,
  "userland-proxy": false ,
  "userns-remap": "default",
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server_cert.pem",
  "tlskey": "/etc/docker/certs/server_key.pem",
  "hosts": ["tcp://0.0.0.0:2376"]
}

Add this to ~/.bashrc

export DOCKER_HOST=tcp://127.0.0.1:2376 DOCKER_TLS_VERIFY=1

Result of docker version

node@Blaze:~$ docker version
Client: Docker Engine - Community
 Version:           27.2.0
 API version:       1.47
 Go version:        go1.21.13
 Git commit:        3ab4256
 Built:             Tue Aug 27 14:15:15 2024
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          27.2.0
  API version:      1.47 (minimum version 1.24)
  Go version:       go1.21.13
  Git commit:       3ab5c7d
  Built:            Tue Aug 27 14:15:15 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.7.21
  GitCommit:        472731909fa34bd7bc9c087e4c27943f9835f111
 runc:
  Version:          1.1.13
  GitCommit:        v1.1.13-0-g58aa920
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Status of docker

node@Blaze:~$ sudo systemctl status docker
● docker.service - Docker Application Container Engine
     Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; preset: enabled)
    Drop-In: /etc/systemd/system/docker.service.d
             └─override.conf
     Active: active (running) since Fri 2024-08-30 18:42:25 UTC; 7s ago
TriggeredBy: ● docker.socket
       Docs: https://docs.docker.com
   Main PID: 43588 (dockerd)
      Tasks: 9
     Memory: 20.8M (peak: 21.5M)
        CPU: 320ms
     CGroup: /system.slice/docker.service
             └─43588 /usr/bin/dockerd --no-new-privileges --containerd=/run/containerd/containerd.sock
node@Blaze:~$ sudo cat /etc/systemd/system/docker.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --no-new-privileges --containerd=/run/containerd/containerd.sock
node@Blaze:~$ docker ps -a
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES

The logs stop here

sudo cat /var/log/lynis-report.dat
certificates=150
kernel_entropy=256
rng_found=0
docker_daemon_running=1
node@Blaze:~$ 

If I remove the TLS lines from the configuration, this is the result on the container side.

node@Blaze:~$ sudo cat /etc/docker/daemon.json

{
  "log-driver": "syslog",
  "icc": false ,
  "log-level": "info",
  "iptables": true,
  "insecure-registries": [],
  "live-restore": true,
  "userland-proxy": false ,
  "userns-remap": "default"
}

Comment out the export in ~/.bashrc: #export DOCKER_HOST=tcp://127.0.0.1:2376 DOCKER_TLS_VERIFY=1

run

source ~/.bashrc
sudo systemctl daemon-reload
sudo systemctl restart docker

The report works.

[+] Containers
------------------------------------
    - Docker
      - Docker daemon                                         [ RUNNING ]
        - Docker info output (warnings)                       [ NONE ]
      - Containers
        - Total containers                                    [ 0 ]
    - File permissions                                        [ OK ]

After the change, if I return /etc/docker/daemon.json to how it was, uncomment the line in ~/.bashrc, source it in bash, reload the daemon and restart the service, this is the output:

[+] Containers
------------------------------------
    - Docker
      - Docker daemon                                         [ RUNNING ]
        - Docker status                                       [ ERROR ]
        - Docker info output (warnings)                       [ NONE ]  

Version

node@Blaze:~$ cat /etc/os-release
PRETTY_NAME="Ubuntu 24.04.1 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.1 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo

Expected behavior

The test should run with or without TLS enabled in /etc/docker/daemon.json.

The code that gets stuck is here:

    # Test        : CONT-8104
    # Description : Checking Docker info for any warnings
    # Notes       : Hardening points are awarded, as usually warnings are the result of missing controls to restrict boundaries like memory
    if HasData "${DOCKERBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no CONT-8104 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking Docker info for any warnings"
    if [ ${SKIPTEST} -eq 0 ]; then
        COUNT=0
        LogText "Test: Check for any warnings"
        FIND=$(${DOCKERBINARY} version 2>&1)
        if [ $? -gt 0 ]; then
            Display --indent 8 --text "- Docker status" --result "${STATUS_ERROR}" --color RED
            LogText "Result: disabling further Docker tests as docker version gave exit code other than zero (0)"
            RUN_DOCKER_TESTS=0
        fi

What the test is doing is the same as what I do in the console: docker version 2>&1

node@Blaze:~$ docker version 2>&1
Client: Docker Engine - Community
 Version:           27.2.0
 API version:       1.47
 Go version:        go1.21.13
 Git commit:        3ab4256
 Built:             Tue Aug 27 14:15:15 2024
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          27.2.0
  API version:      1.47 (minimum version 1.24)
  Go version:       go1.21.13
  Git commit:       3ab5c7d
  Built:            Tue Aug 27 14:15:15 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.7.21
  GitCommit:        472731909fa34bd7bc9c087e4c27943f9835f111
 runc:
  Version:          1.1.13
  GitCommit:        v1.1.13-0-g58aa920
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Output


================================================================================

  Lynis security scan details:

  Hardening index : 87 [#################   ]
  Tests performed : 260
  Plugins enabled : 0

  Components:
  - Firewall               [V]
  - Malware scanner        [V]

  Scan mode:
  Normal [ ]  Forensics [ ]  Integration [ ]  Pentest [V] (running privileged)

  Lynis modules:
  - Compliance status      [?]
  - Security audit         [V]
  - Vulnerability scan     [V]

  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat

================================================================================

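The CONT-8104 excerpt quoted above runs "docker version 2>&1" and disables every further Docker test when the exit code is non-zero, and it has no time bound. The following POSIX shell preflight is an added example for this thread, not code from Lynis or from the reporter: docker_probe repeats the same probe with a timeout and a short error line, and daemon_hosts_hint reads a daemon.json and reports whether the default unix socket is still served once "hosts" is set. The reading it encodes is an assumption, but it is consistent with the working configuration posted later in this issue, where unix:///var/run/docker.sock was added to "hosts": a dockerd whose "hosts" names only tcp:// endpoints does not listen on the unix socket, and a client whose environment has no DOCKER_HOST (a root shell started by sudo, whose env_reset drops the value exported in ~/.bashrc) tries exactly that socket. The paths in the usage comment are the ones from this issue; the 15-second default is a chosen value.

```shell
#!/bin/sh
# Added example, not Lynis's own code. Two helpers to run before a Lynis scan
# on a host whose daemon.json sets "hosts":
#   docker_probe      - the CONT-8104 check ("docker version 2>&1", non-zero
#                       exit disables the Docker tests) with a time bound
#   daemon_hosts_hint - reports whether the default unix socket is still served

# daemon_hosts_hint FILE
# Prints one of the following and returns 0 or 1:
#   default-unix-socket  no "hosts" key, so dockerd serves unix:///var/run/docker.sock
#   unix-listed          "hosts" names a unix:// endpoint
#   tcp-only             "hosts" names only tcp:// endpoints (returns 1): a client
#                        whose environment lacks DOCKER_HOST, such as a root shell
#                        started by sudo with env_reset, cannot reach the daemon
daemon_hosts_hint() {
    file=$1
    if ! grep -q '"hosts"' "$file"; then
        echo "default-unix-socket"
        return 0
    fi
    # Join lines first so a "hosts" array split over several lines still matches.
    hosts=$(tr -d '\n' < "$file" | sed -n 's/.*"hosts"[[:space:]]*:[[:space:]]*\[\([^]]*\)\].*/\1/p')
    case $hosts in
        *unix://*) echo "unix-listed"; return 0 ;;
        *)         echo "tcp-only";    return 1 ;;
    esac
}

# docker_probe BINARY [SECONDS]
# Mirrors CONT-8104: run "BINARY version", capture stdout and stderr, and look
# at the exit code, but give up after SECONDS (default 15, a chosen value)
# instead of hanging. Prints "running", "error" or "timeout"; returns 0, 1 or 2.
docker_probe() {
    bin=$1
    secs=${2:-15}
    rc=0
    if command -v timeout >/dev/null 2>&1; then
        output=$(timeout "$secs" "$bin" version 2>&1) || rc=$?
    else
        # No coreutils timeout available: fall back to the unbounded probe.
        output=$("$bin" version 2>&1) || rc=$?
    fi
    if [ "$rc" -eq 124 ]; then
        echo "timeout"
        return 2
    fi
    if [ "$rc" -ne 0 ]; then
        # The first line of the client's message is enough for a log entry.
        printf 'error: %s\n' "$(printf '%s\n' "$output" | head -n 1)" >&2
        echo "error"
        return 1
    fi
    echo "running"
    return 0
}

# Usage on a real host (paths are the ones from this issue):
#   daemon_hosts_hint /etc/docker/daemon.json
#   docker_probe /usr/bin/docker 15
```

Run both as root, the way Lynis is run here, so the probe sees the same environment the scan does; a "tcp-only" hint together with an "error" or "timeout" result points at the socket and DOCKER_HOST mismatch rather than at the daemon itself.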

osorito commented 2 months ago

To make it work I made the following changes.

 sudo cat /etc/docker/daemon.json

{
  "log-driver": "syslog",
  "log-level": "info",
  "iptables": true,
  "insecure-registries": [],
  "live-restore": true,
  "userland-proxy": false,
  "tls": true,
  "tlscacert": "/etc/docker/certs.d/ca.pem",
  "tlscert": "/etc/docker/certs.d/server_cert.pem",
  "tlskey": "/etc/docker/certs.d/server_key.pem",
  "hosts": ["tcp://0.0.0.0:2376","unix:///var/run/docker.sock"]
}

sudo cat /etc/systemd/system/docker.service.d/override.conf
[Service]
ExecStart= 
ExecStart=/usr/bin/dockerd --tlsverify --no-new-privileges --icc=false --userns-remap=default --default-ulimit nproc=1024:2048 --default-ulimit nofile=100:200 --containerd=/run/containerd/containerd.sock

[+] Containers
------------------------------------
    - Docker
      - Docker daemon                                         [ RUNNING ]
        - Docker info output (warnings)                       [ NONE ]
      - Containers
        - Total containers                                    [ 0 ]
    - File permissions                                        [ OK ]

mboelen commented 2 months ago

Thanks for sharing and especially the detailed troubleshooting. Good to see it is working with the changes that you made.