Docker Bench Cheat Blatt¶
_
Im Überblick
Docker Bench for Security ist ein wichtiges Open-Source-Skript, das automatisch nach Dutzenden von gemeinsamen Best Practices rund um die Bereitstellung von Docker-Containern in Produktionsumgebungen überprüft. Dieses von Docker Inc. entwickelte und gepflegte Tool implementiert die im CIS Docker Benchmark skizzierten Sicherheitsempfehlungen und bietet einen umfassenden Sicherheitsbewertungsrahmen für Docker-Installationen. Das Tool führt automatisierte Sicherheitsaudits durch die Prüfung von Docker-Daemon-Konfiguration, Host-Konfiguration, Docker-Daemon-Konfigurationsdateien, Container-Images, Container-Laufzeit und Docker-Sicherheitsoperationen durch, so dass es ein unverzichtbares Werkzeug für DevSecOps-Teams und Sicherheitsexperten, die mit Container-Umgebungen arbeiten.
Die Kernfunktionalität von Docker Bench konzentriert sich auf seine Fähigkeit, über 100 automatisierte Sicherheitskontrollen durchzuführen, die kritische Bereiche einschließlich Host-Konfigurationshärten, Docker Daemon Sicherheitseinstellungen, Container-Bildsicherheitspraktiken, Container-Laufzeit-Sicherheitskonfigurationen und Docker-Datei-Sicherheitsbest Practices abdecken. Jede Prüfung wird auf spezifische CIS Docker Benchmark Empfehlungen abgebildet und bietet klare Hinweise zu Sicherheitsverbesserungen und Compliance-Anforderungen. Das Tool erstellt detaillierte Berichte, die Ergebnisse nach Schweregraden kategorisieren, so dass es für Sicherheitsteams leicht ist, die Sanierungsbemühungen zu priorisieren und Sicherheitsverbesserungen im Laufe der Zeit zu verfolgen.
Die Stärke von Docker Bench liegt in der umfassenden Erfassung von Docker-Sicherheitsdomänen und seiner Fähigkeit, nahtlos in CI/CD-Pipelines für eine kontinuierliche Sicherheitsüberwachung zu integrieren. Das Tool unterstützt mehrere Ausgabeformate, darunter menschlesbare Textberichte, JSON für die programmatische Verarbeitung und Integration mit Sicherheits-Orchestrationsplattformen. Dank seines leichten Designs und minimalen Abhängigkeiten eignet es sich für den Einsatz in verschiedenen Umgebungen, von Entwicklungsarbeitsplätzen bis hin zur Produktion von Kubernetes-Clustern, die es Unternehmen ermöglichen, einheitliche Sicherheitsstandards in ihren gesamten Prozessen des Container-Lebenszyklusmanagements zu erhalten.
• Installation
Direkter Download und Ausführung¶
Installation und Betrieb Docker Bench direkt:
# Download and run Docker Bench
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
sudo ./docker-bench-security.sh
# Alternative: Download specific version
wget https://github.com/docker/docker-bench-security/archive/v1.5.0.tar.gz
tar -xzf v1.5.0.tar.gz
cd docker-bench-security-1.5.0
sudo ./docker-bench-security.sh
# Make executable and run
chmod +x docker-bench-security.sh
sudo ./docker-bench-security.sh
# Run with specific options
sudo ./docker-bench-security.sh -l /var/log/docker-bench.log
Docker Container Ausführung¶
Ich bin nicht da. Bank als Container:
# Run Docker Bench container
docker run --rm --net host --pid host --userns host --cap-add audit_control \
-e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
-v /etc:/etc:ro \
-v /usr/bin/containerd:/usr/bin/containerd:ro \
-v /usr/bin/runc:/usr/bin/runc:ro \
-v /usr/lib/systemd:/usr/lib/systemd:ro \
-v /var/lib:/var/lib:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
--label docker_bench_security \
docker/docker-bench-security
# Run with custom configuration
docker run --rm --net host --pid host --userns host --cap-add audit_control \
-v /path/to/custom/config:/usr/local/bin/docker-bench-security/config \
-v /etc:/etc:ro \
-v /var/lib:/var/lib:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
docker/docker-bench-security
# Run with output to file
docker run --rm --net host --pid host --userns host --cap-add audit_control \
-v /etc:/etc:ro \
-v /var/lib:/var/lib:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
-v $(pwd):/tmp \
docker/docker-bench-security -l /tmp/docker-bench-report.log
Kubernetes Bereitstellung¶
Docker einsetzen Bank in Kubernetes:
# docker-bench-job.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: docker-bench-security
namespace: security
spec:
template:
spec:
hostPID: true
hostNetwork: true
serviceAccountName: docker-bench-security
containers:
- name: docker-bench-security
image: docker/docker-bench-security
command: ["./docker-bench-security.sh"]
args: ["-l", "/tmp/docker-bench-report.log", "-j"]
securityContext:
privileged: true
volumeMounts:
- name: docker-sock
mountPath: /var/run/docker.sock
readOnly: true
- name: etc
mountPath: /etc
readOnly: true
- name: var-lib
mountPath: /var/lib
readOnly: true
- name: usr-bin-containerd
mountPath: /usr/bin/containerd
readOnly: true
- name: usr-bin-runc
mountPath: /usr/bin/runc
readOnly: true
- name: output
mountPath: /tmp
volumes:
- name: docker-sock
hostPath:
path: /var/run/docker.sock
- name: etc
hostPath:
path: /etc
- name: var-lib
hostPath:
path: /var/lib
- name: usr-bin-containerd
hostPath:
path: /usr/bin/containerd
- name: usr-bin-runc
hostPath:
path: /usr/bin/runc
- name: output
hostPath:
path: /tmp/docker-bench-output
restartPolicy: Never
backoffLimit: 1
---
# ServiceAccount and RBAC
apiVersion: v1
kind: ServiceAccount
metadata:
name: docker-bench-security
namespace: security
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: docker-bench-security
rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: docker-bench-security
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: docker-bench-security
subjects:
- kind: ServiceAccount
name: docker-bench-security
namespace: security
Custom Installation¶
# Create custom Docker Bench installation
mkdir -p /opt/docker-bench-security
cd /opt/docker-bench-security
# Download latest version
curl -L https://github.com/docker/docker-bench-security/archive/master.tar.gz|tar -xz --strip-components=1
# Create wrapper script
cat > /usr/local/bin/docker-bench ``<< 'EOF'
#!/bin/bash
cd /opt/docker-bench-security
sudo ./docker-bench-security.sh "$@"
EOF
chmod +x /usr/local/bin/docker-bench
# Test installation
docker-bench --help
oder Basisnutzung
Standard Security Audit¶
Durchführung grundlegender Docker Sicherheitsaudits:
# Run complete security audit
sudo ./docker-bench-security.sh
# Run with verbose output
sudo ./docker-bench-security.sh -v
# Run with specific log file
sudo ./docker-bench-security.sh -l /var/log/docker-bench-$(date +%Y%m%d).log
# Run with JSON output
sudo ./docker-bench-security.sh -j
# Run with both log and JSON output
sudo ./docker-bench-security.sh -l docker-bench.log -j
# Run specific test sections
sudo ./docker-bench-security.sh -c host_configuration
sudo ./docker-bench-security.sh -c docker_daemon_configuration
sudo ./docker-bench-security.sh -c container_images
Selektive Prüfung¶
Durchführung spezifischer Sicherheitskontrollen:
# Run only host configuration checks
sudo ./docker-bench-security.sh -c host_configuration
# Run only Docker daemon checks
sudo ./docker-bench-security.sh -c docker_daemon_configuration
# Run only container runtime checks
sudo ./docker-bench-security.sh -c container_runtime
# Run only Docker security operations checks
sudo ./docker-bench-security.sh -c docker_security_operations
# Run only container image checks
sudo ./docker-bench-security.sh -c container_images
# Run only network configuration checks
sudo ./docker-bench-security.sh -c docker_daemon_configuration_files
# Skip specific checks
sudo ./docker-bench-security.sh -e check_2_1,check_2_2
# Include only specific checks
sudo ./docker-bench-security.sh -i check_4_1,check_4_2,check_4_3
Ausgabeformatierung¶
Anpassung der Ausgabeformate:
# Generate JSON report
sudo ./docker-bench-security.sh -j >`` docker-bench-report.json
# Generate log file with timestamp
sudo ./docker-bench-security.sh -l "docker-bench-$(date +%Y%m%d-%H%M%S).log"
# Generate both console and file output
sudo ./docker-bench-security.sh -l docker-bench.log|tee console-output.txt
# Generate quiet output (only failures)
sudo ./docker-bench-security.sh -q
# Generate summary only
sudo ./docker-bench-security.sh -s
# Custom output directory
mkdir -p /var/log/docker-bench
sudo ./docker-bench-security.sh -l /var/log/docker-bench/audit-$(date +%Y%m%d).log
Erweiterte Eigenschaften
Individuelle Konfiguration¶
Erstellen von benutzerdefinierten Docker Bench-Konfigurationen:
# Create custom configuration directory
mkdir -p ~/.docker-bench-security
# Create custom test exclusions
cat > ~/.docker-bench-security/excluded_checks << 'EOF'
# Exclude specific checks that don't apply to our environment
check_2_1 # Restrict network traffic between containers
check_2_8 # Enable user namespace support
check_4_6 # Add HEALTHCHECK instruction to container image
EOF
# Create custom included checks
cat > ~/.docker-bench-security/included_checks << 'EOF'
# Include only critical security checks
check_1_1_1 # Ensure a separate partition for containers has been created
check_1_1_2 # Ensure only trusted users are allowed to control Docker daemon
check_2_1 # Restrict network traffic between containers
check_2_2 # Set the logging level
check_2_3 # Allow Docker to make changes to iptables
EOF
# Run with custom configuration
sudo ./docker-bench-security.sh -e $(cat ~/.docker-bench-security/excluded_checks|grep -v '^#'|tr '\n' ',')
Integration mit CI/CD¶
Integration von Docker Bench in CI/CD-Pipelines:
# .gitlab-ci.yml
docker_security_scan:
stage: security
image: docker:latest
services:
- docker:dind
variables:
DOCKER_DRIVER: overlay2
DOCKER_TLS_CERTDIR: "/certs"
before_script:
- docker info
script:
-|
docker run --rm --net host --pid host --userns host --cap-add audit_control \
-e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
-v /etc:/etc:ro \
-v /usr/bin/containerd:/usr/bin/containerd:ro \
-v /usr/bin/runc:/usr/bin/runc:ro \
-v /usr/lib/systemd:/usr/lib/systemd:ro \
-v /var/lib:/var/lib:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
--label docker_bench_security \
docker/docker-bench-security -j > docker-bench-report.json
-|
# Parse results and fail if critical issues found
CRITICAL_ISSUES=$(jq '.tests[]|select(.result == "FAIL" and .severity == "CRITICAL")|length' docker-bench-report.json)
if [ "$CRITICAL_ISSUES" -gt 0 ]; then
echo "Critical security issues found: $CRITICAL_ISSUES"
exit 1
fi
artifacts:
reports:
junit: docker-bench-report.json
paths:
- docker-bench-report.json
expire_in: 1 week
only:
- master
- develop
```_
```yaml
# GitHub Actions workflow
name: Docker Security Scan
on:
push:
branches: [main, develop]
pull_request:
branches: [main]
jobs:
docker-bench-security:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Run Docker Bench Security
run:|
docker run --rm --net host --pid host --userns host --cap-add audit_control \
-v /etc:/etc:ro \
-v /var/lib:/var/lib:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
-v $\\\\{\\\\{ github.workspace \\\\}\\\\}:/tmp \
docker/docker-bench-security -j -l /tmp/docker-bench-report.json
- name: Parse Security Results
run:|
# Check for critical failures
CRITICAL_FAILS=$(jq '[.tests[]|select(.result == "FAIL" and .severity == "CRITICAL")]|length' docker-bench-report.json)
HIGH_FAILS=$(jq '[.tests[]|select(.result == "FAIL" and .severity == "HIGH")]|length' docker-bench-report.json)
echo "Critical failures: $CRITICAL_FAILS"
echo "High severity failures: $HIGH_FAILS"
# Fail build if critical issues found
if [ "$CRITICAL_FAILS" -gt 0 ]; then
echo "::error::Critical security issues found"
exit 1
fi
# Warning for high severity issues
if [ "$HIGH_FAILS" -gt 0 ]; then
echo "::warning::High severity security issues found"
fi
- name: Upload Security Report
uses: actions/upload-artifact@v3
with:
name: docker-bench-security-report
path: docker-bench-report.json
retention-days: 30
```_
### Automatisierte Entfernung
Erstellen von automatisierten Abhilfeskripten:
```bash
#!/bin/bash
# docker-bench-remediation.sh - Automated remediation for common Docker security issues
# Function to remediate specific Docker Bench findings
remediate_docker_security() \\\\{
local check_id="$1"
local description="$2"
echo "Remediating: $check_id - $description"
case "$check_id" in
"check_2_2")
# Set Docker daemon logging level
echo "Setting Docker daemon logging level to info"
sudo mkdir -p /etc/docker
echo '\\\\{"log-level": "info"\\\\}'|sudo tee /etc/docker/daemon.json
sudo systemctl restart docker
;;
"check_2_5")
# Disable legacy registry
echo "Disabling legacy registry (v1)"
sudo mkdir -p /etc/docker
jq '. + \\\\{"disable-legacy-registry": true\\\\}' /etc/docker/daemon.json|sudo tee /etc/docker/daemon.json.tmp
sudo mv /etc/docker/daemon.json.tmp /etc/docker/daemon.json
sudo systemctl restart docker
;;
"check_2_8")
# Enable user namespace support
echo "Enabling user namespace support"
sudo mkdir -p /etc/docker
jq '. + \\\\{"userns-remap": "default"\\\\}' /etc/docker/daemon.json|sudo tee /etc/docker/daemon.json.tmp
sudo mv /etc/docker/daemon.json.tmp /etc/docker/daemon.json
sudo systemctl restart docker
;;
"check_2_11")
# Enable Docker Content Trust
echo "Enabling Docker Content Trust"
echo 'export DOCKER_CONTENT_TRUST=1'|sudo tee -a /etc/environment
export DOCKER_CONTENT_TRUST=1
;;
"check_2_13")
# Configure centralized and remote logging
echo "Configuring centralized logging"
sudo mkdir -p /etc/docker
jq '. + \\\\{"log-driver": "syslog", "log-opts": \\\\{"syslog-address": "tcp://localhost:514"\\\\}\\\\}' /etc/docker/daemon.json|sudo tee /etc/docker/daemon.json.tmp
sudo mv /etc/docker/daemon.json.tmp /etc/docker/daemon.json
sudo systemctl restart docker
;;
"check_2_14")
# Disable operations on legacy registry
echo "Disabling operations on legacy registry"
sudo mkdir -p /etc/docker
jq '. + \\\\{"disable-legacy-registry": true\\\\}' /etc/docker/daemon.json|sudo tee /etc/docker/daemon.json.tmp
sudo mv /etc/docker/daemon.json.tmp /etc/docker/daemon.json
sudo systemctl restart docker
;;
*)
echo "No automated remediation available for $check_id"
;;
esac
\\\\}
# Run Docker Bench and parse results
echo "Running Docker Bench Security scan..."
sudo ./docker-bench-security.sh -j > docker-bench-results.json
# Parse failed checks and attempt remediation
echo "Parsing results and attempting remediation..."
jq -r '.tests[]|select(.result == "FAIL")|"\(.id)|\(.desc)"' docker-bench-results.json|while IFS='|' read -r check_id description; do
remediate_docker_security "$check_id" "$description"
done
# Re-run Docker Bench to verify improvements
echo "Re-running Docker Bench to verify improvements..."
sudo ./docker-bench-security.sh -j > docker-bench-results-after.json
# Compare results
echo "Comparing before and after results..."
BEFORE_FAILS=$(jq '[.tests[]|select(.result == "FAIL")]|length' docker-bench-results.json)
AFTER_FAILS=$(jq '[.tests[]|select(.result == "FAIL")]|length' docker-bench-results-after.json)
echo "Failed checks before remediation: $BEFORE_FAILS"
echo "Failed checks after remediation: $AFTER_FAILS"
echo "Improvements: $((BEFORE_FAILS - AFTER_FAILS))"
Automatisierungsskripte
Comprehensive Security Monitoring¶
#!/usr/bin/env python3
# Comprehensive Docker security monitoring with Docker Bench
import subprocess
import json
import os
import smtplib
from datetime import datetime, timedelta
from email.mime.text import MIMEText
from email.mime.multipart import MIMEMultipart
import logging
class DockerBenchMonitoring:
def __init__(self, config_file="docker-bench-config.json"):
self.config_file = config_file
self.load_config()
self.setup_logging()
def load_config(self):
"""Load monitoring configuration"""
try:
with open(self.config_file, 'r') as f:
self.config = json.load(f)
except FileNotFoundError:
# Default configuration
self.config = \\\\{
"monitoring": \\\\{
"interval_hours": 24,
"severity_threshold": "HIGH",
"max_failures": 5
\\\\},
"notifications": \\\\{
"email": \\\\{
"enabled": False,
"smtp_server": "localhost",
"smtp_port": 587,
"username": "",
"password": "",
"from": "docker-bench@example.com",
"to": "security@example.com"
\\\\},
"webhook": \\\\{
"enabled": False,
"url": "",
"headers": \\\\{\\\\}
\\\\}
\\\\},
"remediation": \\\\{
"auto_remediate": False,
"allowed_checks": []
\\\\}
\\\\}
def setup_logging(self):
"""Setup logging configuration"""
logging.basicConfig(
level=logging.INFO,
format='%(asctime)s - %(levelname)s - %(message)s',
handlers=[
logging.FileHandler('docker-bench-monitoring.log'),
logging.StreamHandler()
]
)
self.logger = logging.getLogger(__name__)
def run_docker_bench(self, output_file=None):
"""Run Docker Bench Security scan"""
if not output_file:
output_file = f"docker-bench-\\\\{datetime.now().strftime('%Y%m%d-%H%M%S')\\\\}.json"
self.logger.info("Running Docker Bench Security scan...")
try:
# Run Docker Bench as container
cmd = [
"docker", "run", "--rm", "--net", "host", "--pid", "host",
"--userns", "host", "--cap-add", "audit_control",
"-v", "/etc:/etc:ro",
"-v", "/usr/bin/containerd:/usr/bin/containerd:ro",
"-v", "/usr/bin/runc:/usr/bin/runc:ro",
"-v", "/usr/lib/systemd:/usr/lib/systemd:ro",
"-v", "/var/lib:/var/lib:ro",
"-v", "/var/run/docker.sock:/var/run/docker.sock:ro",
"--label", "docker_bench_security",
"docker/docker-bench-security", "-j"
]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
if result.returncode == 0:
# Parse JSON output
scan_results = json.loads(result.stdout)
# Save results to file
with open(output_file, 'w') as f:
json.dump(scan_results, f, indent=2)
self.logger.info(f"Docker Bench scan completed. Results saved to \\\\{output_file\\\\}")
return scan_results, output_file
else:
self.logger.error(f"Docker Bench scan failed: \\\\{result.stderr\\\\}")
return None, None
except subprocess.TimeoutExpired:
self.logger.error("Docker Bench scan timed out")
return None, None
except json.JSONDecodeError as e:
self.logger.error(f"Failed to parse Docker Bench output: \\\\{e\\\\}")
return None, None
except Exception as e:
self.logger.error(f"Error running Docker Bench: \\\\{e\\\\}")
return None, None
def analyze_results(self, scan_results):
"""Analyze Docker Bench results"""
if not scan_results:
return None
analysis = \\\\{
"timestamp": datetime.now().isoformat(),
"total_checks": len(scan_results.get("tests", [])),
"passed": 0,
"failed": 0,
"warnings": 0,
"info": 0,
"critical_failures": [],
"high_failures": [],
"medium_failures": [],
"summary": \\\\{\\\\}
\\\\}
# Analyze each test result
for test in scan_results.get("tests", []):
result = test.get("result", "").upper()
severity = test.get("severity", "INFO").upper()
if result == "PASS":
analysis["passed"] += 1
elif result == "FAIL":
analysis["failed"] += 1
# Categorize by severity
if severity == "CRITICAL":
analysis["critical_failures"].append(test)
elif severity == "HIGH":
analysis["high_failures"].append(test)
elif severity == "MEDIUM":
analysis["medium_failures"].append(test)
elif result == "WARN":
analysis["warnings"] += 1
else:
analysis["info"] += 1
# Generate summary by section
sections = \\\\{\\\\}
for test in scan_results.get("tests", []):
section = test.get("section", "Unknown")
if section not in sections:
sections[section] = \\\\{"total": 0, "passed": 0, "failed": 0\\\\}
sections[section]["total"] += 1
if test.get("result", "").upper() == "PASS":
sections[section]["passed"] += 1
elif test.get("result", "").upper() == "FAIL":
sections[section]["failed"] += 1
analysis["summary"] = sections
self.logger.info(f"Analysis complete: \\\\{analysis['passed']\\\\} passed, \\\\{analysis['failed']\\\\} failed")
return analysis
def check_thresholds(self, analysis):
"""Check if results exceed configured thresholds"""
if not analysis:
return False
threshold_config = self.config.get("monitoring", \\\\{\\\\})
severity_threshold = threshold_config.get("severity_threshold", "HIGH")
max_failures = threshold_config.get("max_failures", 5)
# Count failures by severity
critical_count = len(analysis.get("critical_failures", []))
high_count = len(analysis.get("high_failures", []))
medium_count = len(analysis.get("medium_failures", []))
# Check thresholds
if severity_threshold == "CRITICAL" and critical_count > max_failures:
return True
elif severity_threshold == "HIGH" and (critical_count + high_count) > max_failures:
return True
elif severity_threshold == "MEDIUM" and (critical_count + high_count + medium_count) > max_failures:
return True
return False
def send_notification(self, analysis, threshold_exceeded=False):
"""Send notification about scan results"""
notification_config = self.config.get("notifications", \\\\{\\\\})
# Prepare notification content
subject = "Docker Bench Security Report"
if threshold_exceeded:
subject += " - ALERT: Thresholds Exceeded"
body = self.generate_notification_body(analysis, threshold_exceeded)
# Send email notification
if notification_config.get("email", \\\\{\\\\}).get("enabled", False):
self.send_email_notification(subject, body)
# Send webhook notification
if notification_config.get("webhook", \\\\{\\\\}).get("enabled", False):
self.send_webhook_notification(analysis, threshold_exceeded)
def generate_notification_body(self, analysis, threshold_exceeded):
"""Generate notification message body"""
body = f"""
Docker Bench Security Scan Report
Generated: \\\\{analysis['timestamp']\\\\}
SUMMARY:
========
Total Checks: \\\\{analysis['total_checks']\\\\}
Passed: \\\\{analysis['passed']\\\\}
Failed: \\\\{analysis['failed']\\\\}
Warnings: \\\\{analysis['warnings']\\\\}
FAILURES BY SEVERITY:
====================
Critical: \\\\{len(analysis['critical_failures'])\\\\}
High: \\\\{len(analysis['high_failures'])\\\\}
Medium: \\\\{len(analysis['medium_failures'])\\\\}
"""
if threshold_exceeded:
body += "\n⚠️ ALERT: Security thresholds have been exceeded!\n\n"
# Add critical failures details
if analysis['critical_failures']:
body += "CRITICAL FAILURES:\n"
body += "==================\n"
for failure in analysis['critical_failures'][:5]: # Limit to first 5
body += f"- \\\\{failure.get('id', 'Unknown')\\\\}: \\\\{failure.get('desc', 'No description')\\\\}\n"
if len(analysis['critical_failures']) > 5:
body += f"... and \\\\{len(analysis['critical_failures']) - 5\\\\} more\n"
body += "\n"
# Add section summary
body += "SUMMARY BY SECTION:\n"
body += "==================\n"
for section, stats in analysis['summary'].items():
pass_rate = (stats['passed'] / stats['total']) * 100 if stats['total'] > 0 else 0
body += f"\\\\{section\\\\}: \\\\{stats['passed']\\\\}/\\\\{stats['total']\\\\} passed (\\\\{pass_rate:.1f\\\\}%)\n"
return body
def send_email_notification(self, subject, body):
"""Send email notification"""
email_config = self.config.get("notifications", \\\\{\\\\}).get("email", \\\\{\\\\})
try:
msg = MIMEMultipart()
msg['From'] = email_config["from"]
msg['To'] = email_config["to"]
msg['Subject'] = subject
msg.attach(MIMEText(body, 'plain'))
server = smtplib.SMTP(email_config["smtp_server"], email_config["smtp_port"])
server.starttls()
if email_config.get("username") and email_config.get("password"):
server.login(email_config["username"], email_config["password"])
text = msg.as_string()
server.sendmail(email_config["from"], email_config["to"], text)
server.quit()
self.logger.info("Email notification sent successfully")
except Exception as e:
self.logger.error(f"Failed to send email notification: \\\\{e\\\\}")
def send_webhook_notification(self, analysis, threshold_exceeded):
"""Send webhook notification"""
webhook_config = self.config.get("notifications", \\\\{\\\\}).get("webhook", \\\\{\\\\})
try:
import requests
payload = \\\\{
"timestamp": analysis["timestamp"],
"alert": threshold_exceeded,
"summary": \\\\{
"total_checks": analysis["total_checks"],
"passed": analysis["passed"],
"failed": analysis["failed"],
"critical_failures": len(analysis["critical_failures"]),
"high_failures": len(analysis["high_failures"])
\\\\},
"details": analysis
\\\\}
headers = webhook_config.get("headers", \\\\{\\\\})
headers["Content-Type"] = "application/json"
response = requests.post(
webhook_config["url"],
json=payload,
headers=headers,
timeout=30
)
if response.status_code == 200:
self.logger.info("Webhook notification sent successfully")
else:
self.logger.error(f"Webhook notification failed: \\\\{response.status_code\\\\}")
except Exception as e:
self.logger.error(f"Failed to send webhook notification: \\\\{e\\\\}")
def run_monitoring_cycle(self):
"""Run complete monitoring cycle"""
self.logger.info("Starting Docker Bench monitoring cycle")
# Run Docker Bench scan
scan_results, output_file = self.run_docker_bench()
if not scan_results:
self.logger.error("Failed to run Docker Bench scan")
return False
# Analyze results
analysis = self.analyze_results(scan_results)
if not analysis:
self.logger.error("Failed to analyze scan results")
return False
# Check thresholds
threshold_exceeded = self.check_thresholds(analysis)
if threshold_exceeded:
self.logger.warning("Security thresholds exceeded!")
# Send notifications
self.send_notification(analysis, threshold_exceeded)
# Save analysis results
analysis_file = f"docker-bench-analysis-\\\\{datetime.now().strftime('%Y%m%d-%H%M%S')\\\\}.json"
with open(analysis_file, 'w') as f:
json.dump(analysis, f, indent=2)
self.logger.info(f"Monitoring cycle completed. Analysis saved to \\\\{analysis_file\\\\}")
return True
# Usage
if __name__ == "__main__":
monitor = DockerBenchMonitoring()
monitor.run_monitoring_cycle()
Compliance Reporting Script¶
#!/usr/bin/env python3
# Docker Bench compliance reporting
import json
import subprocess
from datetime import datetime
import pandas as pd
class DockerBenchCompliance:
def __init__(self):
self.cis_mapping = self.load_cis_mapping()
def load_cis_mapping(self):
"""Load CIS Docker Benchmark mapping"""
return \\\\{
"1": "Host Configuration",
"2": "Docker daemon configuration",
"3": "Docker daemon configuration files",
"4": "Container Images and Build File",
"5": "Container Runtime",
"6": "Docker Security Operations"
\\\\}
def run_compliance_scan(self, output_format="json"):
"""Run Docker Bench compliance scan"""
cmd = [
"docker", "run", "--rm", "--net", "host", "--pid", "host",
"--userns", "host", "--cap-add", "audit_control",
"-v", "/etc:/etc:ro",
"-v", "/var/lib:/var/lib:ro",
"-v", "/var/run/docker.sock:/var/run/docker.sock:ro",
"docker/docker-bench-security"
]
if output_format == "json":
cmd.append("-j")
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
if result.returncode == 0:
if output_format == "json":
return json.loads(result.stdout)
else:
return result.stdout
else:
print(f"Docker Bench scan failed: \\\\{result.stderr\\\\}")
return None
except Exception as e:
print(f"Error running Docker Bench: \\\\{e\\\\}")
return None
def generate_compliance_report(self, scan_results):
"""Generate compliance report"""
if not scan_results:
return None
report = \\\\{
"report_metadata": \\\\{
"generated_at": datetime.now().isoformat(),
"benchmark": "CIS Docker Benchmark v1.2.0",
"tool": "Docker Bench for Security"
\\\\},
"executive_summary": \\\\{\\\\},
"detailed_results": \\\\{\\\\},
"recommendations": []
\\\\}
# Calculate overall compliance score
total_tests = len(scan_results.get("tests", []))
passed_tests = len([t for t in scan_results.get("tests", []) if t.get("result") == "PASS"])
compliance_score = (passed_tests / total_tests) * 100 if total_tests > 0 else 0
report["executive_summary"] = \\\\{
"overall_compliance_score": round(compliance_score, 2),
"total_controls": total_tests,
"passed_controls": passed_tests,
"failed_controls": total_tests - passed_tests,
"compliance_level": self.get_compliance_level(compliance_score)
\\\\}
# Group results by CIS section
sections = \\\\{\\\\}
for test in scan_results.get("tests", []):
section_id = test.get("id", "").split("_")[1] if "_" in test.get("id", "") else "unknown"
section_name = self.cis_mapping.get(section_id, f"Section \\\\{section_id\\\\}")
if section_name not in sections:
sections[section_name] = \\\\{
"total": 0,
"passed": 0,
"failed": 0,
"tests": []
\\\\}
sections[section_name]["total"] += 1
sections[section_name]["tests"].append(test)
if test.get("result") == "PASS":
sections[section_name]["passed"] += 1
else:
sections[section_name]["failed"] += 1
# Calculate section compliance scores
for section_name, section_data in sections.items():
section_score = (section_data["passed"] / section_data["total"]) * 100
section_data["compliance_score"] = round(section_score, 2)
report["detailed_results"] = sections
# Generate recommendations
failed_tests = [t for t in scan_results.get("tests", []) if t.get("result") == "FAIL"]
for test in failed_tests[:10]: # Top 10 recommendations
recommendation = \\\\{
"control_id": test.get("id", ""),
"title": test.get("desc", ""),
"severity": test.get("severity", "MEDIUM"),
"remediation": self.get_remediation_guidance(test.get("id", ""))
\\\\}
report["recommendations"].append(recommendation)
return report
def get_compliance_level(self, score):
"""Determine compliance level based on score"""
if score >= 95:
return "Excellent"
elif score >= 85:
return "Good"
elif score >= 70:
return "Fair"
elif score >= 50:
return "Poor"
else:
return "Critical"
def get_remediation_guidance(self, check_id):
"""Get remediation guidance for specific check"""
remediation_guide = \\\\{
"check_2_2": "Configure Docker daemon logging level by adding '\"log-level\": \"info\"' to /etc/docker/daemon.json",
"check_2_5": "Disable legacy registry by adding '\"disable-legacy-registry\": true' to /etc/docker/daemon.json",
"check_2_8": "Enable user namespace support by adding '\"userns-remap\": \"default\"' to /etc/docker/daemon.json",
"check_2_11": "Enable Docker Content Trust by setting DOCKER_CONTENT_TRUST=1 environment variable",
"check_2_13": "Configure centralized logging by setting appropriate log driver in /etc/docker/daemon.json",
"check_4_1": "Create a user for the container in Dockerfile using USER instruction",
"check_4_6": "Add HEALTHCHECK instruction to container image Dockerfile",
"check_5_1": "Do not disable AppArmor Profile by avoiding --security-opt apparmor=unconfined",
"check_5_2": "Do not disable SELinux security options by avoiding --security-opt label=disable"
\\\\}
return remediation_guide.get(check_id, "Refer to CIS Docker Benchmark documentation for detailed remediation steps")
def export_to_csv(self, report, filename="docker-compliance-report.csv"):
"""Export compliance report to CSV"""
# Prepare data for CSV export
csv_data = []
for section_name, section_data in report["detailed_results"].items():
for test in section_data["tests"]:
csv_data.append(\\\\{
"Section": section_name,
"Control_ID": test.get("id", ""),
"Description": test.get("desc", ""),
"Result": test.get("result", ""),
"Severity": test.get("severity", ""),
"Section_Compliance_Score": section_data["compliance_score"]
\\\\})
# Create DataFrame and export
df = pd.DataFrame(csv_data)
df.to_csv(filename, index=False)
print(f"Compliance report exported to \\\\{filename\\\\}")
def generate_html_report(self, report, filename="docker-compliance-report.html"):
"""Generate HTML compliance report"""
html_template = """
<!DOCTYPE html>
<html>
<head>
<title>Docker Compliance Report</title>
<style>
body \\\\{ font-family: Arial, sans-serif; margin: 20px; \\\\}
.header \\\\{ background-color: #f0f0f0; padding: 20px; \\\\}
.summary \\\\{ background-color: #e6f3ff; padding: 15px; margin: 20px 0; \\\\}
.section \\\\{ margin: 20px 0; padding: 15px; border: 1px solid #ddd; \\\\}
.excellent \\\\{ color: #4caf50; \\\\}
.good \\\\{ color: #8bc34a; \\\\}
.fair \\\\{ color: #ff9800; \\\\}
.poor \\\\{ color: #f44336; \\\\}
.critical \\\\{ color: #d32f2f; \\\\}
table \\\\{ width: 100%; border-collapse: collapse; margin: 10px 0; \\\\}
th, td \\\\{ border: 1px solid #ddd; padding: 8px; text-align: left; \\\\}
th \\\\{ background-color: #f2f2f2; \\\\}
.pass \\\\{ background-color: #c8e6c9; \\\\}
.fail \\\\{ background-color: #ffcdd2; \\\\}
</style>
</head>
<body>
<div class="header">
<h1>Docker Security Compliance Report</h1>
<p>Generated: \\\\{report_date\\\\}</p>
<p>Benchmark: \\\\{benchmark\\\\}</p>
</div>
<div class="summary">
<h2>Executive Summary</h2>
<p><strong>Overall Compliance Score:</strong> <span class="\\\\{compliance_class\\\\}">\\\\{compliance_score\\\\}%</span></p>
<p><strong>Compliance Level:</strong> \\\\{compliance_level\\\\}</p>
<p><strong>Total Controls:</strong> \\\\{total_controls\\\\}</p>
<p><strong>Passed:</strong> \\\\{passed_controls\\\\}</p>
<p><strong>Failed:</strong> \\\\{failed_controls\\\\}</p>
</div>
\\\\{sections_html\\\\}
<div class="section">
<h2>Top Recommendations</h2>
\\\\{recommendations_html\\\\}
</div>
</body>
</html>
"""
# Generate sections HTML
sections_html = ""
for section_name, section_data in report["detailed_results"].items():
score_class = self.get_score_class(section_data["compliance_score"])
tests_html = ""
for test in section_data["tests"]:
result_class = "pass" if test.get("result") == "PASS" else "fail"
tests_html += f"""
<tr class="\\\\{result_class\\\\}">
<td>\\\\{test.get("id", "")\\\\}</td>
<td>\\\\{test.get("desc", "")\\\\}</td>
<td>\\\\{test.get("result", "")\\\\}</td>
<td>\\\\{test.get("severity", "")\\\\}</td>
</tr>
"""
sections_html += f"""
<div class="section">
<h3>\\\\{section_name\\\\}</h3>
<p><strong>Section Score:</strong> <span class="\\\\{score_class\\\\}">\\\\{section_data["compliance_score"]\\\\}%</span></p>
<table>
<tr>
<th>Control ID</th>
<th>Description</th>
<th>Result</th>
<th>Severity</th>
</tr>
\\\\{tests_html\\\\}
</table>
</div>
"""
# Generate recommendations HTML
recommendations_html = "<ul>"
for rec in report["recommendations"]:
recommendations_html += f"""
<li>
<strong>\\\\{rec["control_id"]\\\\}</strong>: \\\\{rec["title"]\\\\}
<br><small><strong>Remediation:</strong> \\\\{rec["remediation"]\\\\}</small>
</li>
"""
recommendations_html += "</ul>"
# Fill template
compliance_class = self.get_score_class(report["executive_summary"]["overall_compliance_score"])
html_content = html_template.format(
report_date=report["report_metadata"]["generated_at"],
benchmark=report["report_metadata"]["benchmark"],
compliance_score=report["executive_summary"]["overall_compliance_score"],
compliance_class=compliance_class,
compliance_level=report["executive_summary"]["compliance_level"],
total_controls=report["executive_summary"]["total_controls"],
passed_controls=report["executive_summary"]["passed_controls"],
failed_controls=report["executive_summary"]["failed_controls"],
sections_html=sections_html,
recommendations_html=recommendations_html
)
with open(filename, 'w') as f:
f.write(html_content)
print(f"HTML compliance report generated: \\\\{filename\\\\}")
def get_score_class(self, score):
"""Get CSS class for compliance score"""
if score >= 95:
return "excellent"
elif score >= 85:
return "good"
elif score >= 70:
return "fair"
elif score >= 50:
return "poor"
else:
return "critical"
# Usage
if __name__ == "__main__":
compliance = DockerBenchCompliance()
# Run compliance scan
scan_results = compliance.run_compliance_scan()
if scan_results:
# Generate compliance report
report = compliance.generate_compliance_report(scan_results)
# Export to different formats
compliance.export_to_csv(report)
compliance.generate_html_report(report)
# Save JSON report
with open("docker-compliance-report.json", 'w') as f:
json.dump(report, f, indent=2)
print(f"Compliance Score: \\\\{report['executive_summary']['overall_compliance_score']\\\\}%")
print(f"Compliance Level: \\\\{report['executive_summary']['compliance_level']\\\\}")
Integrationsbeispiele
Kubernets Integration¶
# docker-bench-daemonset.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: docker-bench-security
namespace: security
labels:
app: docker-bench-security
spec:
selector:
matchLabels:
app: docker-bench-security
template:
metadata:
labels:
app: docker-bench-security
spec:
hostPID: true
hostNetwork: true
serviceAccountName: docker-bench-security
containers:
- name: docker-bench-security
image: docker/docker-bench-security
command: ["./docker-bench-security.sh"]
args: ["-j", "-l", "/tmp/docker-bench-report.log"]
securityContext:
privileged: true
volumeMounts:
- name: docker-sock
mountPath: /var/run/docker.sock
readOnly: true
- name: etc
mountPath: /etc
readOnly: true
- name: var-lib
mountPath: /var/lib
readOnly: true
- name: usr-bin-containerd
mountPath: /usr/bin/containerd
readOnly: true
- name: usr-bin-runc
mountPath: /usr/bin/runc
readOnly: true
- name: output
mountPath: /tmp
resources:
limits:
memory: "256Mi"
cpu: "200m"
requests:
memory: "128Mi"
cpu: "100m"
volumes:
- name: docker-sock
hostPath:
path: /var/run/docker.sock
- name: etc
hostPath:
path: /etc
- name: var-lib
hostPath:
path: /var/lib
- name: usr-bin-containerd
hostPath:
path: /usr/bin/containerd
- name: usr-bin-runc
hostPath:
path: /usr/bin/runc
- name: output
hostPath:
path: /var/log/docker-bench
restartPolicy: Always
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
Prometheus Integration¶
# docker-bench-exporter.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: docker-bench-exporter
namespace: monitoring
spec:
replicas: 1
selector:
matchLabels:
app: docker-bench-exporter
template:
metadata:
labels:
app: docker-bench-exporter
spec:
containers:
- name: docker-bench-exporter
image: custom/docker-bench-exporter:latest
ports:
- containerPort: 8080
env:
- name: SCAN_INTERVAL
value: "3600" # 1 hour
volumeMounts:
- name: docker-sock
mountPath: /var/run/docker.sock
readOnly: true
volumes:
- name: docker-sock
hostPath:
path: /var/run/docker.sock
---
apiVersion: v1
kind: Service
metadata:
name: docker-bench-exporter
namespace: monitoring
labels:
app: docker-bench-exporter
spec:
ports:
- port: 8080
targetPort: 8080
name: metrics
selector:
app: docker-bench-exporter
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: docker-bench-exporter
namespace: monitoring
spec:
selector:
matchLabels:
app: docker-bench-exporter
endpoints:
- port: metrics
interval: 60s
path: /metrics
Fehlerbehebung
Häufige Fragen¶
Permissionsprobleme:
# Ensure Docker daemon is running
sudo systemctl status docker
sudo systemctl start docker
# Check Docker socket permissions
ls -la /var/run/docker.sock
sudo chmod 666 /var/run/docker.sock
# Run with proper privileges
sudo ./docker-bench-security.sh
# Check user groups
groups $USER
sudo usermod -aG docker $USER
```_
**Container Ausführungsfragen:**
```bash
# Check Docker version compatibility
docker version
# Pull latest Docker Bench image
docker pull docker/docker-bench-security:latest
# Run with debug output
docker run --rm --net host --pid host --userns host --cap-add audit_control \
-v /etc:/etc:ro \
-v /var/lib:/var/lib:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
docker/docker-bench-security -v
# Check container logs
docker logs $(docker ps -a|grep docker-bench-security|awk '\\\\{print $1\\\\}')
```_
**Ausgangs- und Parsingfragen:**
```bash
# Verify JSON output format
./docker-bench-security.sh -j|jq '.'
# Check log file permissions
touch docker-bench.log
chmod 644 docker-bench.log
# Validate output directory
mkdir -p /var/log/docker-bench
sudo chown $USER:$USER /var/log/docker-bench
# Test specific checks
./docker-bench-security.sh -c host_configuration -v
```_
### Leistungsoptimierung
Optimieren von Docker Nennleistung:
```bash
# Run specific sections only
./docker-bench-security.sh -c container_runtime
# Skip time-consuming checks
./docker-bench-security.sh -e check_1_1_1,check_1_1_2
# Use faster execution mode
./docker-bench-security.sh -q
# Limit resource usage
docker run --rm --memory=256m --cpus=0.5 \
--net host --pid host --userns host --cap-add audit_control \
-v /etc:/etc:ro \
-v /var/lib:/var/lib:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
docker/docker-bench-security
Sicherheitsbedenken
Sichere Nutzungspraktiken¶
Umweltschutz: - Laufen Sie Docker Bank in isolierten Umgebungen, wenn möglich - Netzzugriff bei Sicherheitsscans begrenzen - Verwenden Sie nur lesbare Halterungen für Systemverzeichnisse - Implementieren Sie die richtigen Zugriffskontrollen für Scan-Ergebnisse - Regelmäßige Updates von Docker Bench und Docker Daemon
Datenschutz: - Verschlüsseln Sie sensible Scanergebnisse und Berichte - Implementierung eines sicheren Speichers für Compliance-Daten - Verwenden Sie sichere Kanäle für die Übermittlung von Berichten - Regelmäßige Reinigung von temporären Dateien und Protokollen - Umsetzung von Datenschutzrichtlinien
Operationelle Sicherheit¶
Monitoring and Alerting: - Docker Bench Ausführung und Ergebnisse überwachen - Ja. Alarmierung für kritische Sicherheitsergebnisse einrichten - Track Compliance Score Trends im Laufe der Zeit - gegebenenfalls automatisierte Abhilfemaßnahmen durchführen - Regelmäßige Überprüfung der Sicherheitskonfigurationen
** Integrationssicherheit:** - Sichere Integration von CI/CD-Pipeline - Schützen Sie API-Tasten und Anmeldeinformationen - Implementierung der richtigen RBAC für Kubernetes-Einsätze - Monitor für nicht autorisierte Docker Bench-Nutzung - Regelmäßige Sicherheitsbewertung der Überwachungsinfrastruktur
Referenzen
ANHANG Dockerbank für Sicherheit GitHub 2. CIS Docker Benchmark 3. Docker Security Best Practices 4. NIST Container Security Guide 5. Beamte Sicherheitsdokumentation