docker / docker-bench-security

The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.
Apache License 2.0

Ensure a separate partition for containers has been created (Automated) #555

Closed osorito closed 3 months ago

osorito commented 3 months ago

Describe the bug

The docker-bench-security gives the following error: "Ensure a separate partition for containers has been created (Automated)"

Steps followed

git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
sudo sh docker-bench-security.sh

Tested it: sudo ./docker-bench-security.sh

Verified /var is on a separate partition

omar@Blaze:~$ sudo df -h
Filesystem      Size  Used Avail Use% Mounted on
tmpfs           197M  1.3M  196M   1% /run
/dev/sda1       3.9G  2.7G  1.2G  70% /
tmpfs           984M  3.1M  981M   1% /dev/shm
tmpfs           5.0M     0  5.0M   0% /run/lock
/dev/sda16      881M   62M  758M   8% /boot
/dev/sda15      105M  6.1M   99M   6% /boot/efi
/dev/sdb2       6.1G  1.1G  4.8G  18% /var
/dev/sdb3       6.1G   88K  5.8G   1% /tmp
/dev/sdb1        13G  5.6M   12G   1% /home
tmpfs           197M   12K  197M   1% /run/user/1000
omar@Blaze:~$ sudo lsblk
NAME    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
sda       8:0    0    5G  0 disk 
├─sda1    8:1    0    4G  0 part /
├─sda14   8:14   0    4M  0 part 
├─sda15   8:15   0  106M  0 part /boot/efi
└─sda16 259:0    0  913M  0 part /boot
sdb       8:16   0   25G  0 disk 
├─sdb1    8:17   0 12.5G  0 part /home
├─sdb2    8:18   0  6.3G  0 part /var
└─sdb3    8:19   0  6.2G  0 part /tmp
sr0      11:0    1    4M  0 rom  

Version

Distribution [Ubuntu 24.04]

omar@Blaze:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 24.04.1 LTS
Release:    24.04
Codename:   noble

Expected behavior

Those warnings should not happen.

Output

omar@Blaze:~/docker-bench-security$ sudo ./docker-bench-security.sh
# --------------------------------------------------------------------------------------------
# Docker Bench for Security v1.6.0
#
# Docker, Inc. (c) 2015-2024
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Based on the CIS Docker Benchmark 1.6.0.
# --------------------------------------------------------------------------------------------

Initializing 2024-08-28T21:26:43+00:00

Section A - Check results

[INFO] 1 - Host Configuration
[INFO] 1.1 - Linux Hosts Specific Configuration
[WARN] 1.1.1 - Ensure a separate partition for containers has been created (Automated)

thaJeztah commented 3 months ago

I suspect the check expects "/var/lib/docker" to be in a partition separate from other "/var/" paths (as those will be used by other tools)

osorito commented 3 months ago

Since Ansible is on the table, I modified the server creation script.

omar@Blaze:~/docker-bench-security$ sudo lsblk
NAME    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
sda       8:0    0    5G  0 disk 
├─sda1    8:1    0    4G  0 part /
├─sda14   8:14   0    4M  0 part 
├─sda15   8:15   0  106M  0 part /boot/efi
└─sda16 259:0    0  913M  0 part /boot
sdb       8:16   0   25G  0 disk 
├─sdb1    8:17   0 12.5G  0 part /home
├─sdb2    8:18   0    5G  0 part /var
├─sdb3    8:19   0  6.3G  0 part /tmp
└─sdb4    8:20   0  1.2G  0 part /var/lib/docker
sr0      11:0    1    4M  0 rom 

#cloud-config
disk_setup:
  /dev/sdb:
    table_type: "gpt"
    layout:
      - 50
      - 20
      - 25
      - 5
    overwrite: true
.....
  - label: var_docker_disk
    filesystem: "ext4"
    device: "/dev/sdb"
    partition: "sdb4"
.....
  - cmd: mkfs -t %(filesystem)s -L %(label)s %(device)s
    label: var_lib_dockr
    filesystem: "ext4"
    device: "/dev/sdb4"

mounts:
  - ["/dev/sdb1", "/home"]
  - ["/dev/sdb4", "/var/lib/docker"]

Code should check to see if /var is on a separate partition.
How big should said /var/lib/docker partition be? In my case I made it 5% of disk size.

konstruktoid commented 3 months ago

The code expects docker info -f '{{ .DockerRootDir }}' to be a separate partition. Regarding size, it's always site specific. 5% might be enough in your case, if you increase the number of containers you might need to increase the size.