docker / docker-bench-security

The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.
Apache License 2.0

Test 1.8 is WARN on docker.service, but auditing is enabled. #465

Closed paulhargreaves closed 3 years ago

paulhargreaves commented 3 years ago

# Docker Bench for Security v1.3.4

[PASS] 1.5  - Ensure auditing is configured for the Docker daemon
[PASS] 1.6  - Ensure auditing is configured for Docker files and directories - /var/lib/docker
[PASS] 1.7  - Ensure auditing is configured for Docker files and directories - /etc/docker
[WARN] 1.8  - Ensure auditing is configured for Docker files and directories - docker.service
[WARN] 1.9  - Ensure auditing is configured for Docker files and directories - docker.socket

The files are in the right place, auditing is enabled.

# ls -la /lib/systemd/system/docker.service
-rw-r--r-- 1 root root 1185 Mar  3 16:51 /lib/systemd/system/docker.service

# sudo auditctl -l
-w /usr/bin/docker -p wa
-w /var/lib/docker -p wa
-w /etc/docker -p wa
-w /lib/systemd/system/docker.service -p wa
-w /lib/systemd/system/docker.socket -p wa
-w /etc/default/docker -p wa
-w /etc/docker/daemon.json -p wa
-w /usr/bin/docker-containerd -p wa
-w /usr/bin/docker-runc -p wa

I can't see why this test is failing. I'm passing through /lib/systemd/system (this is Arch Linux, so following the Ubuntu recipe)

# sudo docker run --rm --net host --pid host --userns host --cap-add audit_control \
    -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
    -v /etc:/etc:ro \
    -v /lib/systemd/system:/lib/systemd/system:ro \
    -v /usr/bin/containerd:/usr/bin/containerd:ro \
    -v /usr/bin/runc:/usr/bin/runc:ro \
    -v /usr/lib/systemd:/usr/lib/systemd:ro \
    -v /var/lib:/var/lib:ro \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    --label docker_bench_security \
    docker/docker-bench-security

# uname -a
Linux ripper 5.11.2-arch1-1 #1 SMP PREEMPT Fri, 26 Feb 2021 18:26:41 +0000 x86_64 GNU/Linux

Running directly on the host without docker I get a pass:

# source helper_lib.sh 
# source 1_host_configuration.sh 
# source output_lib.sh 
# check_1_2_6
tee: '': No such file or directory
[PASS] 1.2.6  - Ensure auditing is configured for Docker files and directories - docker.service (Scored)

So I'm obviously doing something wrong, but what?
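To diagnose a WARN like the one above you want to separate the two things the check depends on: which unit file path it resolved, and whether a matching watch rule is visible from wherever the check runs. The script below is an added example, not code from docker-bench-security; it re-creates the shape of the 1.8 check with those two halves as separate functions. The unit-file lookup order (/etc/systemd/system, then /lib/systemd/system, then /usr/lib/systemd/system) and the strict rule matcher are assumptions made for this example, not the bench's own helper (see get_service_file in helper_lib.sh for that), and the rule set is a constructed copy of the auditctl -l output from the issue.

```shell
#!/bin/sh
# Added example, not code from docker-bench-security: a stand-alone re-creation
# of the shape of check 1.8 ("auditing configured for docker.service") so the
# two inputs it depends on can be inspected separately: where the unit file is
# found, and which audit watch rules are visible from the place the check runs.

# Constructed sample of `auditctl -l` output, copied from the issue above.
SAMPLE_RULES='-w /usr/bin/docker -p wa
-w /var/lib/docker -p wa
-w /etc/docker -p wa
-w /lib/systemd/system/docker.service -p wa
-w /lib/systemd/system/docker.socket -p wa'

# resolve_unit_path UNIT [ROOT]: print the first existing unit file under ROOT
# (default: the real filesystem) in the order /etc/systemd/system,
# /lib/systemd/system, /usr/lib/systemd/system. That order is an assumption
# made for this example; the bench's own helper (get_service_file) may differ.
# ROOT exists so the lookup can be pointed at a bind-mounted or staged tree.
resolve_unit_path() {
  unit=$1
  root=${2:-}
  for dir in /etc/systemd/system /lib/systemd/system /usr/lib/systemd/system; do
    if [ -f "$root$dir/$unit" ]; then
      printf '%s\n' "$dir/$unit"
      return 0
    fi
  done
  return 1
}

# audit_rule_present RULES PATH: succeed only when RULES holds a watch rule
# (-w) for exactly PATH whose permission set includes both w and a. An
# unanchored `grep "$path"` would also accept a rule for
# /lib/systemd/system/docker.service.d or one that watches reads only, so the
# match is deliberately strict.
audit_rule_present() {
  rules=$1
  path=$2
  [ -n "$path" ] || return 1
  printf '%s\n' "$rules" | awk -v p="$path" '
    $1 == "-w" && $2 == p && $3 == "-p" && $4 ~ /w/ && $4 ~ /a/ { found = 1 }
    END { exit found ? 0 : 1 }'
}

# check_unit_audited RULES UNIT [ROOT]: the decision the bench has to make.
# Returns 0 = PASS, 1 = WARN (no matching rule), 2 = WARN (unit file not
# found, so the path being searched for is empty or wrong). Keeping the two
# WARN causes apart is what makes a failure like the one in the issue debuggable.
check_unit_audited() {
  rules=$1
  unit=$2
  root=${3:-}
  if ! file=$(resolve_unit_path "$unit" "$root"); then
    echo "WARN $unit: unit file not found under ${root:-/}"
    return 2
  fi
  if audit_rule_present "$rules" "$file"; then
    echo "PASS $unit: watch rule for $file"
    return 0
  fi
  echo "WARN $unit: no '-w $file -p wa' rule visible"
  return 1
}

# Stand-alone run: with --live, use the rules auditctl reports from wherever
# this script is executed (host or container); otherwise use the sample.
if [ "${1:-}" = "--live" ] && command -v auditctl >/dev/null 2>&1; then
  check_unit_audited "$(auditctl -l 2>/dev/null)" docker.service || echo "exit status $?"
else
  check_unit_audited "$SAMPLE_RULES" docker.service || echo "exit status $?"
fi
```

Run it with --live both on the host and inside the bench container (with the same --cap-add and bind mounts): a WARN can mean the rule is absent, that the check resolved a different unit-file path than the one you wrote the rule for, or that no rules were readable at all from that context, and seeing which half of the check fails in which environment tells the three apart.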

konstruktoid commented 3 years ago

Hi @paulhargreaves, it seems you're using the Docker container, can you reproduce this error with the script as well?

paulhargreaves commented 3 years ago

I haven't run the full script, but when I just source in that one test (per above) it passes, so it's definitely something about it running in the container, I just don't know where to start to diagnose where the problem lies.

konstruktoid commented 3 years ago

No need, I can help you with that. It's the classic https://github.com/docker/docker-bench-security/issues/405 from 2019.

paulhargreaves commented 3 years ago

Ah, sigh, ok thanks. I'll close and stop running it as a container.