Docker-bench-security check 2.2 icc issue #480

Open
fbinliu opened this issue Aug 4, 2021 · 15 comments

Comments

@fbinliu

fbinliu commented Aug 4, 2021

Docker Desktop (windows) version: Docker 20.10.7, build f0df350
Docker Bench Security: Docker Bench for Security v1.3.4
Execution environment: WSL2 Ubuntu 20.0.4
Issue:
From the scan, I've got the following warning:
[WARN] 2.1 - Ensure network traffic is restricted between containers on the default bridge

I have then added the following into my daemon.json file:
"icc": false
And then restarted my Docker Desktop (Windows) and then verified it is in effect (following CIS steps):
docker network ls --quiet | xargs docker network inspect --format '{{ .Name }}: {{ .Options }}'
got this result: "com.docker.network.bridge.enable_icc:false"

But when I re-run the Docker Bench Security container, I still get the same warning for 2.1, which is not expected considering I've set "icc" to false.

Also, according to CIS Docker Benchmark v1.3.1, this network traffic control should be control 2.2 instead of the current 2.1, so please correct.

Appreciate your check and feedback on this.

@konstruktoid
Collaborator

Thanks @fbinliu for reporting this.
Will check ASAP.

@konstruktoid
Collaborator

Hi again, the icc test is 2.2 (https://github.com/docker/docker-bench-security/blob/master/tests/2_docker_daemon_configuration.sh#L24-L44).
Are you using the Docker container or running the script?

@konstruktoid
Collaborator

Ah, I just noticed that you're using 1.3.4 which is an obsolete version.

See #405 and please try using the shell script instead.

@fbinliu
Author

fbinliu commented Aug 5, 2021

Hi, I have downloaded the latest version (v1.3.6) and used the shell script (sh docker-bench-security.sh), and also verified that icc is set to false via "docker network ls --quiet | xargs docker network inspect --format '{{ .Name }}: {{ .Options }}'", but I still get [WARN] at check_2_2, shown as "Ensure network traffic is restricted between containers on the default bridge (Scored)". I would appreciate your further check on this very much.

@konstruktoid
Collaborator

I can't reproduce this.
Could you repeat the same steps and paste the output?

$ cat /etc/docker/daemon.json
{
        "icc": false
}
$ docker network ls --quiet | xargs docker network inspect --format '{{ .Name }}: {{ .Options }}'
bridge: map[com.docker.network.bridge.default_bridge:true com.docker.network.bridge.enable_icc:false com.docker.network.bridge.enable_ip_masquerade:true com.docker.network.bridge.host_binding_ipv4:0.0.0.0 com.docker.network.bridge.name:docker0 com.docker.network.driver.mtu:1500]
host: map[]
none: map[]
$ sudo bash docker-bench-security.sh -c check_2_1,check_2_2,check_2_3
# --------------------------------------------------------------------------------------------
# Docker Bench for Security v1.3.6
#
# Docker, Inc. (c) 2015-2021
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Based on the CIS Docker Benchmark 1.3.1.
# --------------------------------------------------------------------------------------------

Initializing 2021-08-05T22:57:30+00:00


Section A - Check results
[NOTE] 2.1 - Run the Docker daemon as a non-root user, if possible (Manual)
[PASS] 2.2 - Ensure network traffic is restricted between containers on the default bridge (Scored)
[PASS] 2.3 - Ensure the logging level is set to 'info' (Scored)


Section C - Score

[INFO] Checks: 3
[INFO] Score: 2

$ sudo rm /etc/docker/daemon.json
$ sudo systemctl restart docker.service
$ cat /etc/docker/daemon.json
cat: /etc/docker/daemon.json: No such file or directory
$ docker network ls --quiet | xargs docker network inspect --format '{{ .Name }}: {{ .Options }}'
bridge: map[com.docker.network.bridge.default_bridge:true com.docker.network.bridge.enable_icc:true com.docker.network.bridge.enable_ip_masquerade:true com.docker.network.bridge.host_binding_ipv4:0.0.0.0 com.docker.network.bridge.name:docker0 com.docker.network.driver.mtu:1500]
host: map[]
none: map[]
$ sudo bash docker-bench-security.sh -c check_2_1,check_2_2,check_2_3
# --------------------------------------------------------------------------------------------
# Docker Bench for Security v1.3.6
#
# Docker, Inc. (c) 2015-2021
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Based on the CIS Docker Benchmark 1.3.1.
# --------------------------------------------------------------------------------------------

Initializing 2021-08-05T22:59:25+00:00


Section A - Check results
[NOTE] 2.1 - Run the Docker daemon as a non-root user, if possible (Manual)
[WARN] 2.2 - Ensure network traffic is restricted between containers on the default bridge (Scored)
[PASS] 2.3 - Ensure the logging level is set to 'info' (Scored)


Section C - Score

[INFO] Checks: 3
[INFO] Score: 0

@fbinliu
Author

fbinliu commented Aug 6, 2021

Hi, sure, here is the output from conducting the same steps. I am now wondering if this error comes from my running Docker Bench Security on my WSL2 Ubuntu distro?

$ cat daemon.json | grep icc 
"icc": false,
$ sudo sh docker-bench-security.sh -c check_2_2
[sudo] password for fliu:
# --------------------------------------------------------------------------------------------
# Docker Bench for Security v1.3.6
#
# Docker, Inc. (c) 2015-2021
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Based on the CIS Docker Benchmark 1.3.1.
# --------------------------------------------------------------------------------------------

Initializing 2021-08-06T10:39:38+02:00


Section A - Check results
[WARN] 2.2 - Ensure network traffic is restricted between containers on the default bridge (Scored)


Section C - Score

[INFO] Checks: 1
[INFO] Score: -1
$ docker network ls --quiet |xargs docker network inspect --format '{{ .Name }}: {{ .Options }}'
bridge: map[com.docker.network.bridge.default_bridge:true com.docker.network.bridge.enable_icc:false com.docker.network.bridge.enable_ip_masquerade:true com.docker.network.bridge.host_binding_ipv4:0.0.0.0 com.docker.network.bridge.name:docker0 com.docker.network.driver.mtu:1500]
clair-analyze-local-images_default: map[]
host: map[]
none: map[]
play-with-kubernetesgithubio_default: map[]

@konstruktoid
Collaborator

$ cat daemon.json | grep icc
"icc": false,

It shouldn't really matter if it's on WSL since the daemon.json is a basic JSON file.

Can you run the actual code and share the output?

grep "icc" "/etc/docker/daemon.json" | sed 's/.*://g' | tr -d '" ',

@fbinliu
Author

fbinliu commented Aug 6, 2021

Hi, I don't have daemon.json in /etc/docker because my machine is a Windows machine and I've installed Docker Desktop. In my case the daemon.json is located in the .docker folder in my home directory. Here is the result of running the actual code:

.docker$ grep "icc" "daemon.json" | sed 's/.*://g' | tr -d '" ',
false

@konstruktoid
Collaborator

That might be the issue, since https://github.com/docker/docker-bench-security/blob/master/functions/helper_lib.sh#L100 only checks the config file if defined using --config-file or the default /etc/docker/daemon.json.
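
The lookup behaviour described above, as an added example that is not part of the issue or of the docker-bench-security code: a small POSIX sh script that locates daemon.json the way a check would need to (an explicit --config-file argument first, then the default /etc/docker/daemon.json, then an assumed WSL2 Docker Desktop path under /mnt/c/Users/*/.docker), applies the same grep/sed/tr pipeline the maintainer quoted, and reports PASS or WARN for check 2.2. The function names, the root-prefix parameter used for testing, and the sample daemon.json contents are all constructed for this example.

```shell
#!/bin/sh
# Added example (not the project's code). Shows why a daemon.json that lives
# outside /etc/docker is invisible to a check that only looks at the default path,
# and how a fallback search for the Docker Desktop copy mounted into WSL2 fixes it.

# Locate daemon.json. $1: explicit config path (may be empty), as --config-file would
# supply; $2: optional root prefix so the search can run against a constructed tree.
# The /mnt/c/Users/*/.docker candidate is an assumption based on the path reported
# in this issue, not a path the project itself searches.
find_daemon_config() {
    _explicit="$1"
    _root="${2:-}"
    if [ -n "$_explicit" ] && [ -f "$_explicit" ]; then
        printf '%s\n' "$_explicit"; return 0
    fi
    if [ -f "$_root/etc/docker/daemon.json" ]; then
        printf '%s\n' "$_root/etc/docker/daemon.json"; return 0
    fi
    for _candidate in "$_root"/mnt/c/Users/*/.docker/daemon.json; do
        if [ -f "$_candidate" ]; then
            printf '%s\n' "$_candidate"; return 0
        fi
    done
    return 1
}

# The extraction pipeline quoted in the thread, applied to a given file:
# keep the "icc" line, drop everything up to the colon, strip quotes, spaces and commas.
# Prints "false", "true", or nothing if the key is absent.
icc_value() {
    grep "icc" "$1" | sed 's/.*://g' | tr -d '" ',
}

# Evaluate check 2.2 against whichever config file is found.
# Prints PASS/WARN with the file used and returns 0 only on PASS, so a missing
# file and an absent or true "icc" key both surface as WARN rather than as a pass.
check_2_2() {
    _file=$(find_daemon_config "$1" "$2") || {
        echo "WARN (no daemon.json found; icc defaults to true)"; return 1
    }
    if [ "$(icc_value "$_file")" = "false" ]; then
        echo "PASS ($_file)"; return 0
    fi
    echo "WARN ($_file)"; return 1
}

# Stand-alone demo on a constructed tree: only the Docker Desktop copy exists,
# so a default-path-only lookup would warn while the fallback search passes.
demo() {
    _tmp=$(mktemp -d)
    mkdir -p "$_tmp/mnt/c/Users/alice/.docker"
    printf '{\n    "icc": false,\n    "log-level": "info"\n}\n' \
        > "$_tmp/mnt/c/Users/alice/.docker/daemon.json"
    # Constructed input, so a default-only check has nothing to read:
    [ -f "$_tmp/etc/docker/daemon.json" ] || echo "default path: no daemon.json"
    check_2_2 "" "$_tmp"
    rm -rf "$_tmp"
}

demo
```

Two things worth noting when reading the output against the thread: with no file at the default path the pipeline prints nothing, and an empty string is not "false", so the check warns even though `docker network inspect` shows enable_icc:false, which is exactly the symptom reported; and because the grep/sed/tr pipeline is line-based, it only works when the key sits on its own line in the usual `"icc": false,` form.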

@fbinliu
Author

fbinliu commented Aug 6, 2021

OK, I see. So is there so far any way to run docker-bench-security for a Docker server running on a Windows machine?

@konstruktoid
Collaborator

If the only issue is that the config file is in the "wrong" place, I can add the path(s) for those as well.

@fbinliu
Author

fbinliu commented Aug 6, 2021

Oh, that would be awesome indeed if it could be done, so that docker-bench-security can also be executed for the Docker runtime in WSL2 on a Windows machine. My path for the config file (daemon.json) is as follows; not sure for other people:

$ pwd
/mnt/c/Users/<user-login-name>/.docker
$ ls -a | grep daemon
daemon.json

@konstruktoid
Collaborator

I'll try to find some universal logic regarding WSL paths.

If you find any other issues, please report them as well (separately).

@fbinliu
Author

fbinliu commented Aug 6, 2021

Ya, sure, appreciate your effort on this very much. Together we go further! No other issue so far. Feel free to close this issue if necessary for your administration and looking forward to the update on this (with a new version eventually :).

@konstruktoid
Collaborator

Related: #446
