Docker Bench Cheat Blatt
Überblick
Docker Bench for Security ist ein wichtiges Open-Source-Skript, das automatisch nach Dutzenden von gemeinsamen Best Practices rund um die Bereitstellung von Docker-Containern in Produktionsumgebungen überprüft. Dieses von Docker Inc. entwickelte und gepflegte Tool implementiert die im CIS Docker Benchmark skizzierten Sicherheitsempfehlungen und bietet einen umfassenden Sicherheitsbewertungsrahmen für Docker-Installationen. Das Tool führt automatisierte Sicherheitsaudits durch die Prüfung von Docker-Daemon-Konfiguration, Host-Konfiguration, Docker-Daemon-Konfigurationsdateien, Container-Images, Container-Laufzeit und Docker-Sicherheitsoperationen durch, so dass es ein unverzichtbares Werkzeug für DevSecOps-Teams und Sicherheitsexperten, die mit Container-Umgebungen arbeiten.
Die Kernfunktionalität von Docker Bench konzentriert sich auf seine Fähigkeit, über 100 automatisierte Sicherheitskontrollen durchzuführen, die kritische Bereiche einschließlich Host-Konfigurationshärten, Docker Daemon Sicherheitseinstellungen, Container-Bildsicherheitspraktiken, Container-Laufzeit-Sicherheitskonfigurationen und Docker-Datei-Sicherheitsbest Practices abdecken. Jede Prüfung wird auf spezifische CIS Docker Benchmark Empfehlungen abgebildet und bietet klare Hinweise zu Sicherheitsverbesserungen und Compliance-Anforderungen. Das Tool erstellt detaillierte Berichte, die Ergebnisse nach Schweregraden kategorisieren, so dass es für Sicherheitsteams leicht ist, die Sanierungsbemühungen zu priorisieren und Sicherheitsverbesserungen im Laufe der Zeit zu verfolgen.
Die Stärke von Docker Bench liegt in der umfassenden Erfassung von Docker-Sicherheitsdomänen und seiner Fähigkeit, nahtlos in CI/CD-Pipelines für eine kontinuierliche Sicherheitsüberwachung zu integrieren. Das Tool unterstützt mehrere Ausgabeformate, darunter menschlesbare Textberichte, JSON für die programmatische Verarbeitung und Integration mit Sicherheits-Orchestrationsplattformen. Dank seines leichten Designs und minimalen Abhängigkeiten eignet es sich für den Einsatz in verschiedenen Umgebungen, von Entwicklungsarbeitsplätzen bis hin zur Produktion von Kubernetes-Clustern, die es Unternehmen ermöglichen, einheitliche Sicherheitsstandards in ihren gesamten Prozessen des Container-Lebenszyklusmanagements zu erhalten.
Installation
Direkter Download und Ausführung
Installation und Betrieb Docker Bench direkt:
```bash
Download and run Docker Bench
git clone https://github.com/docker/docker-bench-security.git cd docker-bench-security sudo ./docker-bench-security.sh
Alternative: Download specific version
wget https://github.com/docker/docker-bench-security/archive/v1.5.0.tar.gz tar -xzf v1.5.0.tar.gz cd docker-bench-security-1.5.0 sudo ./docker-bench-security.sh
Make executable and run
chmod +x docker-bench-security.sh sudo ./docker-bench-security.sh
Run with specific options
sudo ./docker-bench-security.sh -l /var/log/docker-bench.log ```_
Docker Container Ausführung
Ich bin nicht da. Bank als Container:
```bash
Run Docker Bench container
docker run --rm --net host --pid host --userns host --cap-add audit_control \ -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \ -v /etc:/etc:ro \ -v /usr/bin/containerd:/usr/bin/containerd:ro \ -v /usr/bin/runc:/usr/bin/runc:ro \ -v /usr/lib/systemd:/usr/lib/systemd:ro \ -v /var/lib:/var/lib:ro \ -v /var/run/docker.sock:/var/run/docker.sock:ro \ --label docker_bench_security \ docker/docker-bench-security
Run with custom configuration
docker run --rm --net host --pid host --userns host --cap-add audit_control \ -v /path/to/custom/config:/usr/local/bin/docker-bench-security/config \ -v /etc:/etc:ro \ -v /var/lib:/var/lib:ro \ -v /var/run/docker.sock:/var/run/docker.sock:ro \ docker/docker-bench-security
Run with output to file
docker run --rm --net host --pid host --userns host --cap-add audit_control \ -v /etc:/etc:ro \ -v /var/lib:/var/lib:ro \ -v /var/run/docker.sock:/var/run/docker.sock:ro \ -v $(pwd):/tmp \ docker/docker-bench-security -l /tmp/docker-bench-report.log ```_
Kubernetes Bereitstellung
Docker einsetzen Bank in Kubernetes:
```yaml
docker-bench-job.yaml
apiVersion: batch/v1 kind: Job metadata: name: docker-bench-security namespace: security spec: template: spec: hostPID: true hostNetwork: true serviceAccountName: docker-bench-security containers: - name: docker-bench-security image: docker/docker-bench-security command: ["./docker-bench-security.sh"] args: ["-l", "/tmp/docker-bench-report.log", "-j"] securityContext: privileged: true volumeMounts: - name: docker-sock mountPath: /var/run/docker.sock readOnly: true - name: etc mountPath: /etc readOnly: true - name: var-lib mountPath: /var/lib readOnly: true - name: usr-bin-containerd mountPath: /usr/bin/containerd readOnly: true - name: usr-bin-runc mountPath: /usr/bin/runc readOnly: true - name: output mountPath: /tmp volumes: - name: docker-sock hostPath: path: /var/run/docker.sock - name: etc hostPath: path: /etc - name: var-lib hostPath: path: /var/lib - name: usr-bin-containerd hostPath: path: /usr/bin/containerd - name: usr-bin-runc hostPath: path: /usr/bin/runc - name: output hostPath: path: /tmp/docker-bench-output restartPolicy: Never backoffLimit: 1
ServiceAccount and RBAC
apiVersion: v1 kind: ServiceAccount metadata: name: docker-bench-security namespace: security
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: docker-bench-security rules: - apiGroups: [""] resources: ["nodes"] verbs: ["get", "list"] - apiGroups: [""] resources: ["pods"] verbs: ["get", "list"]
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: docker-bench-security roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: docker-bench-security subjects: - kind: ServiceAccount name: docker-bench-security namespace: security ```_
Benutzerdefinierte Installation
```bash
Create custom Docker Bench installation
mkdir -p /opt/docker-bench-security cd /opt/docker-bench-security
Download latest version
curl -L https://github.com/docker/docker-bench-security/archive/master.tar.gz|tar -xz --strip-components=1
Create wrapper script
cat > /usr/local/bin/docker-bench ``<< 'EOF'
!/bin/bash
cd /opt/docker-bench-security sudo ./docker-bench-security.sh "$@" EOF
chmod +x /usr/local/bin/docker-bench
Test installation
docker-bench --help ```_
Basisnutzung
Standard Sicherheitsaudit
Durchführung grundlegender Docker Sicherheitsaudits:
```bash
Run complete security audit
sudo ./docker-bench-security.sh
Run with verbose output
sudo ./docker-bench-security.sh -v
Run with specific log file
sudo ./docker-bench-security.sh -l /var/log/docker-bench-$(date +%Y%m%d).log
Run with JSON output
sudo ./docker-bench-security.sh -j
Run with both log and JSON output
sudo ./docker-bench-security.sh -l docker-bench.log -j
Run specific test sections
sudo ./docker-bench-security.sh -c host_configuration sudo ./docker-bench-security.sh -c docker_daemon_configuration sudo ./docker-bench-security.sh -c container_images ```_
Selektive Prüfung
Durchführung spezifischer Sicherheitskontrollen:
```bash
Run only host configuration checks
sudo ./docker-bench-security.sh -c host_configuration
Run only Docker daemon checks
sudo ./docker-bench-security.sh -c docker_daemon_configuration
Run only container runtime checks
sudo ./docker-bench-security.sh -c container_runtime
Run only Docker security operations checks
sudo ./docker-bench-security.sh -c docker_security_operations
Run only container image checks
sudo ./docker-bench-security.sh -c container_images
Run only network configuration checks
sudo ./docker-bench-security.sh -c docker_daemon_configuration_files
Skip specific checks
sudo ./docker-bench-security.sh -e check_2_1,check_2_2
Include only specific checks
sudo ./docker-bench-security.sh -i check_4_1,check_4_2,check_4_3 ```_
Ausgabeformatierung
Anpassung der Ausgabeformate:
```bash
Generate JSON report
sudo ./docker-bench-security.sh -j >`` docker-bench-report.json
Generate log file with timestamp
sudo ./docker-bench-security.sh -l "docker-bench-$(date +%Y%m%d-%H%M%S).log"
Generate both console and file output
sudo ./docker-bench-security.sh -l docker-bench.log|tee console-output.txt
Generate quiet output (only failures)
sudo ./docker-bench-security.sh -q
Generate summary only
sudo ./docker-bench-security.sh -s
Custom output directory
mkdir -p /var/log/docker-bench sudo ./docker-bench-security.sh -l /var/log/docker-bench/audit-$(date +%Y%m%d).log ```_
Erweiterte Funktionen
Individuelle Konfiguration
Erstellen von benutzerdefinierten Docker Bench-Konfigurationen:
```bash
Create custom configuration directory
mkdir -p ~/.docker-bench-security
Create custom test exclusions
cat > ~/.docker-bench-security/excluded_checks << 'EOF'
Exclude specific checks that don't apply to our environment
check_2_1 # Restrict network traffic between containers check_2_8 # Enable user namespace support check_4_6 # Add HEALTHCHECK instruction to container image EOF
Create custom included checks
cat > ~/.docker-bench-security/included_checks << 'EOF'
Include only critical security checks
check_1_1_1 # Ensure a separate partition for containers has been created check_1_1_2 # Ensure only trusted users are allowed to control Docker daemon check_2_1 # Restrict network traffic between containers check_2_2 # Set the logging level check_2_3 # Allow Docker to make changes to iptables EOF
Run with custom configuration
| sudo ./docker-bench-security.sh -e $(cat ~/.docker-bench-security/excluded_checks | grep -v '^#' | tr '\n' ',') | ```_
Integration von CI/CD
Integration von Docker Bench in CI/CD-Pipelines:
```yaml
.gitlab-ci.yml
docker_security_scan:
stage: security
image: docker:latest
services:
- docker: dind
variables:
DOCKER_DRIVER: overlay2
DOCKER_TLS_CERTDIR: "/certs"
before_script:
- docker info
script:
-|
docker run --rm --net host --pid host --userns host --cap-add audit_control \
-e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
-v /etc: /etc:ro \
-v /usr/bin/containerd: /usr/bin/containerd:ro \
-v /usr/bin/runc: /usr/bin/runc:ro \
-v /usr/lib/systemd: /usr/lib/systemd:ro \
-v /var/lib: /var/lib:ro \
-v /var/run/docker.sock: /var/run/docker.sock:ro \
--label docker_bench_security \
docker/docker-bench-security -j > docker-bench-report.json
-|
# Parse results and fail if critical issues found
| CRITICAL_ISSUES=$(jq '.tests[] | select(.result == "FAIL" and .severity == "CRITICAL") | length' docker-bench-report.json) |
if [ "$CRITICAL_ISSUES" -gt 0 ]; then
echo "Critical security issues found: $CRITICAL_ISSUES"
exit 1
fi
artifacts:
reports:
junit: docker-bench-report.json
paths:
- docker-bench-report.json
expire_in: 1 week
only:
- master
- develop
_yaml
GitHub Actions workflow
name: Docker Security Scan on: push: branches: [main, develop] pull_request: branches: [main]
jobs: docker-bench-security: runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v3
- name: Run Docker Bench Security
run: |
docker run --rm --net host --pid host --userns host --cap-add audit_control \
-v /etc: /etc:ro \
-v /var/lib: /var/lib:ro \
-v /var/run/docker.sock: /var/run/docker.sock:ro \
-v $\\\\{\\\\{ github.workspace \\\\}\\\\}: /tmp \
docker/docker-bench-security -j -l /tmp/docker-bench-report.json
- name: Parse Security Results
run: |
# Check for critical failures
| CRITICAL_FAILS=$(jq '[.tests[] | select(.result == "FAIL" and .severity == "CRITICAL")] | length' docker-bench-report.json) | | HIGH_FAILS=$(jq '[.tests[] | select(.result == "FAIL" and .severity == "HIGH")] | length' docker-bench-report.json) |
echo "Critical failures: $CRITICAL_FAILS"
echo "High severity failures: $HIGH_FAILS"
# Fail build if critical issues found
if [ "$CRITICAL_FAILS" -gt 0 ]; then
echo ": :error::Critical security issues found"
exit 1
fi
# Warning for high severity issues
if [ "$HIGH_FAILS" -gt 0 ]; then
echo ": :warning::High severity security issues found"
fi
- name: Upload Security Report
uses: actions/upload-artifact@v3
with:
name: docker-bench-security-report
path: docker-bench-report.json
retention-days: 30
```_
Automatisierte Entfernung
Erstellen von automatisierten Abhilfeskripten:
```bash
!/bin/bash
docker-bench-remediation.sh - Automated remediation for common Docker security issues
Function to remediate specific Docker Bench findings
remediate_docker_security() \\{ local check_id="$1" local description="$2"
echo "Remediating: $check_id - $description"
case "$check_id" in
"check_2_2")
# Set Docker daemon logging level
echo "Setting Docker daemon logging level to info"
sudo mkdir -p /etc/docker
echo '\\\\{"log-level": "info"\\\\}'|sudo tee /etc/docker/daemon.json
sudo systemctl restart docker
;;
"check_2_5")
# Disable legacy registry
echo "Disabling legacy registry (v1)"
sudo mkdir -p /etc/docker
jq '. + \\\\{"disable-legacy-registry": true\\\\}' /etc/docker/daemon.json|sudo tee /etc/docker/daemon.json.tmp
sudo mv /etc/docker/daemon.json.tmp /etc/docker/daemon.json
sudo systemctl restart docker
;;
"check_2_8")
# Enable user namespace support
echo "Enabling user namespace support"
sudo mkdir -p /etc/docker
jq '. + \\\\{"userns-remap": "default"\\\\}' /etc/docker/daemon.json|sudo tee /etc/docker/daemon.json.tmp
sudo mv /etc/docker/daemon.json.tmp /etc/docker/daemon.json
sudo systemctl restart docker
;;
"check_2_11")
# Enable Docker Content Trust
echo "Enabling Docker Content Trust"
echo 'export DOCKER_CONTENT_TRUST=1'|sudo tee -a /etc/environment
export DOCKER_CONTENT_TRUST=1
;;
"check_2_13")
# Configure centralized and remote logging
echo "Configuring centralized logging"
sudo mkdir -p /etc/docker
jq '. + \\\\{"log-driver": "syslog", "log-opts": \\\\{"syslog-address": "tcp://localhost:514"\\\\}\\\\}' /etc/docker/daemon.json|sudo tee /etc/docker/daemon.json.tmp
sudo mv /etc/docker/daemon.json.tmp /etc/docker/daemon.json
sudo systemctl restart docker
;;
"check_2_14")
# Disable operations on legacy registry
echo "Disabling operations on legacy registry"
sudo mkdir -p /etc/docker
jq '. + \\\\{"disable-legacy-registry": true\\\\}' /etc/docker/daemon.json|sudo tee /etc/docker/daemon.json.tmp
sudo mv /etc/docker/daemon.json.tmp /etc/docker/daemon.json
sudo systemctl restart docker
;;
*)
echo "No automated remediation available for $check_id"
;;
esac
\\}
Run Docker Bench and parse results
echo "Running Docker Bench Security scan..." sudo ./docker-bench-security.sh -j > docker-bench-results.json
Parse failed checks and attempt remediation
echo "Parsing results and attempting remediation..." | jq -r '.tests[] | select(.result == "FAIL") | "(.id) | (.desc)"' docker-bench-results.json | while IFS=' | ' read -r check_id description; do | remediate_docker_security "$check_id" "$description" done
Re-run Docker Bench to verify improvements
echo "Re-running Docker Bench to verify improvements..." sudo ./docker-bench-security.sh -j > docker-bench-results-after.json
Compare results
echo "Comparing before and after results..." | BEFORE_FAILS=$(jq '[.tests[] | select(.result == "FAIL")] | length' docker-bench-results.json) | | AFTER_FAILS=$(jq '[.tests[] | select(.result == "FAIL")] | length' docker-bench-results-after.json) |
echo "Failed checks before remediation: $BEFORE_FAILS" echo "Failed checks after remediation: $AFTER_FAILS" echo "Improvements: $((BEFORE_FAILS - AFTER_FAILS))" ```_
Automatisierungsskripte
Umfassende Sicherheitsüberwachung
```python
!/usr/bin/env python3
Comprehensive Docker security monitoring with Docker Bench
import subprocess import json import os import smtplib from datetime import datetime, timedelta from email.mime.text import MIMEText from email.mime.multipart import MIMEMultipart import logging
class DockerBenchMonitoring: def init(self, config_file="docker-bench-config.json"): self.config_file = config_file self.load_config() self.setup_logging()
def load_config(self):
"""Load monitoring configuration"""
try:
with open(self.config_file, 'r') as f:
self.config = json.load(f)
except FileNotFoundError:
# Default configuration
self.config = \\\\{
"monitoring": \\\\{
"interval_hours": 24,
"severity_threshold": "HIGH",
"max_failures": 5
\\\\},
"notifications": \\\\{
"email": \\\\{
"enabled": False,
"smtp_server": "localhost",
"smtp_port": 587,
"username": "",
"password": "",
"from": "docker-bench@example.com",
"to": "security@example.com"
\\\\},
"webhook": \\\\{
"enabled": False,
"url": "",
"headers": \\\\{\\\\}
\\\\}
\\\\},
"remediation": \\\\{
"auto_remediate": False,
"allowed_checks": []
\\\\}
\\\\}
def setup_logging(self):
"""Setup logging configuration"""
logging.basicConfig(
level=logging.INFO,
format='%(asctime)s - %(levelname)s - %(message)s',
handlers=[
logging.FileHandler('docker-bench-monitoring.log'),
logging.StreamHandler()
]
)
self.logger = logging.getLogger(__name__)
def run_docker_bench(self, output_file=None):
"""Run Docker Bench Security scan"""
if not output_file:
output_file = f"docker-bench-\\\\{datetime.now().strftime('%Y%m%d-%H%M%S')\\\\}.json"
self.logger.info("Running Docker Bench Security scan...")
try:
# Run Docker Bench as container
cmd = [
"docker", "run", "--rm", "--net", "host", "--pid", "host",
"--userns", "host", "--cap-add", "audit_control",
"-v", "/etc:/etc:ro",
"-v", "/usr/bin/containerd:/usr/bin/containerd:ro",
"-v", "/usr/bin/runc:/usr/bin/runc:ro",
"-v", "/usr/lib/systemd:/usr/lib/systemd:ro",
"-v", "/var/lib:/var/lib:ro",
"-v", "/var/run/docker.sock:/var/run/docker.sock:ro",
"--label", "docker_bench_security",
"docker/docker-bench-security", "-j"
]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
if result.returncode == 0:
# Parse JSON output
scan_results = json.loads(result.stdout)
# Save results to file
with open(output_file, 'w') as f:
json.dump(scan_results, f, indent=2)
self.logger.info(f"Docker Bench scan completed. Results saved to \\\\{output_file\\\\}")
return scan_results, output_file
else:
self.logger.error(f"Docker Bench scan failed: \\\\{result.stderr\\\\}")
return None, None
except subprocess.TimeoutExpired:
self.logger.error("Docker Bench scan timed out")
return None, None
except json.JSONDecodeError as e:
self.logger.error(f"Failed to parse Docker Bench output: \\\\{e\\\\}")
return None, None
except Exception as e:
self.logger.error(f"Error running Docker Bench: \\\\{e\\\\}")
return None, None
def analyze_results(self, scan_results):
"""Analyze Docker Bench results"""
if not scan_results:
return None
analysis = \\\\{
"timestamp": datetime.now().isoformat(),
"total_checks": len(scan_results.get("tests", [])),
"passed": 0,
"failed": 0,
"warnings": 0,
"info": 0,
"critical_failures": [],
"high_failures": [],
"medium_failures": [],
"summary": \\\\{\\\\}
\\\\}
# Analyze each test result
for test in scan_results.get("tests", []):
result = test.get("result", "").upper()
severity = test.get("severity", "INFO").upper()
if result == "PASS":
analysis["passed"] += 1
elif result == "FAIL":
analysis["failed"] += 1
# Categorize by severity
if severity == "CRITICAL":
analysis["critical_failures"].append(test)
elif severity == "HIGH":
analysis["high_failures"].append(test)
elif severity == "MEDIUM":
analysis["medium_failures"].append(test)
elif result == "WARN":
analysis["warnings"] += 1
else:
analysis["info"] += 1
# Generate summary by section
sections = \\\\{\\\\}
for test in scan_results.get("tests", []):
section = test.get("section", "Unknown")
if section not in sections:
sections[section] = \\\\{"total": 0, "passed": 0, "failed": 0\\\\}
sections[section]["total"] += 1
if test.get("result", "").upper() == "PASS":
sections[section]["passed"] += 1
elif test.get("result", "").upper() == "FAIL":
sections[section]["failed"] += 1
analysis["summary"] = sections
self.logger.info(f"Analysis complete: \\\\{analysis['passed']\\\\} passed, \\\\{analysis['failed']\\\\} failed")
return analysis
def check_thresholds(self, analysis):
"""Check if results exceed configured thresholds"""
if not analysis:
return False
threshold_config = self.config.get("monitoring", \\\\{\\\\})
severity_threshold = threshold_config.get("severity_threshold", "HIGH")
max_failures = threshold_config.get("max_failures", 5)
# Count failures by severity
critical_count = len(analysis.get("critical_failures", []))
high_count = len(analysis.get("high_failures", []))
medium_count = len(analysis.get("medium_failures", []))
# Check thresholds
if severity_threshold == "CRITICAL" and critical_count > max_failures:
return True
elif severity_threshold == "HIGH" and (critical_count + high_count) > max_failures:
return True
elif severity_threshold == "MEDIUM" and (critical_count + high_count + medium_count) > max_failures:
return True
return False
def send_notification(self, analysis, threshold_exceeded=False):
"""Send notification about scan results"""
notification_config = self.config.get("notifications", \\\\{\\\\})
# Prepare notification content
subject = "Docker Bench Security Report"
if threshold_exceeded:
subject += " - ALERT: Thresholds Exceeded"
body = self.generate_notification_body(analysis, threshold_exceeded)
# Send email notification
if notification_config.get("email", \\\\{\\\\}).get("enabled", False):
self.send_email_notification(subject, body)
# Send webhook notification
if notification_config.get("webhook", \\\\{\\\\}).get("enabled", False):
self.send_webhook_notification(analysis, threshold_exceeded)
def generate_notification_body(self, analysis, threshold_exceeded):
"""Generate notification message body"""
body = f"""
Docker Bench Security Scan Report Generated: \\{analysis['timestamp']\\}
SUMMARY:
Total Checks: \\{analysis['total_checks']\\} Passed: \\{analysis['passed']\\} Failed: \\{analysis['failed']\\} Warnings: \\{analysis['warnings']\\}
FAILURES BY SEVERITY:
Critical: \\{len(analysis['critical_failures'])\\} High: \\{len(analysis['high_failures'])\\} Medium: \\{len(analysis['medium_failures'])\\}
"""
if threshold_exceeded:
body += "\n⚠️ ALERT: Security thresholds have been exceeded!\n\n"
# Add critical failures details
if analysis['critical_failures']:
body += "CRITICAL FAILURES:\n"
body += "==================\n"
for failure in analysis['critical_failures'][:5]: # Limit to first 5
body += f"- \\\\{failure.get('id', 'Unknown')\\\\}: \\\\{failure.get('desc', 'No description')\\\\}\n"
if len(analysis['critical_failures']) > 5:
body += f"... and \\\\{len(analysis['critical_failures']) - 5\\\\} more\n"
body += "\n"
# Add section summary
body += "SUMMARY BY SECTION:\n"
body += "==================\n"
for section, stats in analysis['summary'].items():
pass_rate = (stats['passed'] / stats['total']) * 100 if stats['total'] > 0 else 0
body += f"\\\\{section\\\\}: \\\\{stats['passed']\\\\}/\\\\{stats['total']\\\\} passed (\\\\{pass_rate:.1f\\\\}%)\n"
return body
def send_email_notification(self, subject, body):
"""Send email notification"""
email_config = self.config.get("notifications", \\\\{\\\\}).get("email", \\\\{\\\\})
try:
msg = MIMEMultipart()
msg['From'] = email_config["from"]
msg['To'] = email_config["to"]
msg['Subject'] = subject
msg.attach(MIMEText(body, 'plain'))
server = smtplib.SMTP(email_config["smtp_server"], email_config["smtp_port"])
server.starttls()
if email_config.get("username") and email_config.get("password"):
server.login(email_config["username"], email_config["password"])
text = msg.as_string()
server.sendmail(email_config["from"], email_config["to"], text)
server.quit()
self.logger.info("Email notification sent successfully")
except Exception as e:
self.logger.error(f"Failed to send email notification: \\\\{e\\\\}")
def send_webhook_notification(self, analysis, threshold_exceeded):
"""Send webhook notification"""
webhook_config = self.config.get("notifications", \\\\{\\\\}).get("webhook", \\\\{\\\\})
try:
import requests
payload = \\\\{
"timestamp": analysis["timestamp"],
"alert": threshold_exceeded,
"summary": \\\\{
"total_checks": analysis["total_checks"],
"passed": analysis["passed"],
"failed": analysis["failed"],
"critical_failures": len(analysis["critical_failures"]),
"high_failures": len(analysis["high_failures"])
\\\\},
"details": analysis
\\\\}
headers = webhook_config.get("headers", \\\\{\\\\})
headers["Content-Type"] = "application/json"
response = requests.post(
webhook_config["url"],
json=payload,
headers=headers,
timeout=30
)
if response.status_code == 200:
self.logger.info("Webhook notification sent successfully")
else:
self.logger.error(f"Webhook notification failed: \\\\{response.status_code\\\\}")
except Exception as e:
self.logger.error(f"Failed to send webhook notification: \\\\{e\\\\}")
def run_monitoring_cycle(self):
"""Run complete monitoring cycle"""
self.logger.info("Starting Docker Bench monitoring cycle")
# Run Docker Bench scan
scan_results, output_file = self.run_docker_bench()
if not scan_results:
self.logger.error("Failed to run Docker Bench scan")
return False
# Analyze results
analysis = self.analyze_results(scan_results)
if not analysis:
self.logger.error("Failed to analyze scan results")
return False
# Check thresholds
threshold_exceeded = self.check_thresholds(analysis)
if threshold_exceeded:
self.logger.warning("Security thresholds exceeded!")
# Send notifications
self.send_notification(analysis, threshold_exceeded)
# Save analysis results
analysis_file = f"docker-bench-analysis-\\\\{datetime.now().strftime('%Y%m%d-%H%M%S')\\\\}.json"
with open(analysis_file, 'w') as f:
json.dump(analysis, f, indent=2)
self.logger.info(f"Monitoring cycle completed. Analysis saved to \\\\{analysis_file\\\\}")
return True
Usage
if name == "main": monitor = DockerBenchMonitoring() monitor.run_monitoring_cycle() ```_
Compliance Reporting Script
```python
!/usr/bin/env python3
Docker Bench compliance reporting
import json import subprocess from datetime import datetime import pandas as pd
class DockerBenchCompliance: def init(self): self.cis_mapping = self.load_cis_mapping()
def load_cis_mapping(self):
"""Load CIS Docker Benchmark mapping"""
return \\\\{
"1": "Host Configuration",
"2": "Docker daemon configuration",
"3": "Docker daemon configuration files",
"4": "Container Images and Build File",
"5": "Container Runtime",
"6": "Docker Security Operations"
\\\\}
def run_compliance_scan(self, output_format="json"):
"""Run Docker Bench compliance scan"""
cmd = [
"docker", "run", "--rm", "--net", "host", "--pid", "host",
"--userns", "host", "--cap-add", "audit_control",
"-v", "/etc:/etc:ro",
"-v", "/var/lib:/var/lib:ro",
"-v", "/var/run/docker.sock:/var/run/docker.sock:ro",
"docker/docker-bench-security"
]
if output_format == "json":
cmd.append("-j")
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
if result.returncode == 0:
if output_format == "json":
return json.loads(result.stdout)
else:
return result.stdout
else:
print(f"Docker Bench scan failed: \\\\{result.stderr\\\\}")
return None
except Exception as e:
print(f"Error running Docker Bench: \\\\{e\\\\}")
return None
def generate_compliance_report(self, scan_results):
"""Generate compliance report"""
if not scan_results:
return None
report = \\\\{
"report_metadata": \\\\{
"generated_at": datetime.now().isoformat(),
"benchmark": "CIS Docker Benchmark v1.2.0",
"tool": "Docker Bench for Security"
\\\\},
"executive_summary": \\\\{\\\\},
"detailed_results": \\\\{\\\\},
"recommendations": []
\\\\}
# Calculate overall compliance score
total_tests = len(scan_results.get("tests", []))
passed_tests = len([t for t in scan_results.get("tests", []) if t.get("result") == "PASS"])
compliance_score = (passed_tests / total_tests) * 100 if total_tests > 0 else 0
report["executive_summary"] = \\\\{
"overall_compliance_score": round(compliance_score, 2),
"total_controls": total_tests,
"passed_controls": passed_tests,
"failed_controls": total_tests - passed_tests,
"compliance_level": self.get_compliance_level(compliance_score)
\\\\}
# Group results by CIS section
sections = \\\\{\\\\}
for test in scan_results.get("tests", []):
section_id = test.get("id", "").split("_")[1] if "_" in test.get("id", "") else "unknown"
section_name = self.cis_mapping.get(section_id, f"Section \\\\{section_id\\\\}")
if section_name not in sections:
sections[section_name] = \\\\{
"total": 0,
"passed": 0,
"failed": 0,
"tests": []
\\\\}
sections[section_name]["total"] += 1
sections[section_name]["tests"].append(test)
if test.get("result") == "PASS":
sections[section_name]["passed"] += 1
else:
sections[section_name]["failed"] += 1
# Calculate section compliance scores
for section_name, section_data in sections.items():
section_score = (section_data["passed"] / section_data["total"]) * 100
section_data["compliance_score"] = round(section_score, 2)
report["detailed_results"] = sections
# Generate recommendations
failed_tests = [t for t in scan_results.get("tests", []) if t.get("result") == "FAIL"]
for test in failed_tests[:10]: # Top 10 recommendations
recommendation = \\\\{
"control_id": test.get("id", ""),
"title": test.get("desc", ""),
"severity": test.get("severity", "MEDIUM"),
"remediation": self.get_remediation_guidance(test.get("id", ""))
\\\\}
report["recommendations"].append(recommendation)
return report
def get_compliance_level(self, score):
"""Determine compliance level based on score"""
if score >= 95:
return "Excellent"
elif score >= 85:
return "Good"
elif score >= 70:
return "Fair"
elif score >= 50:
return "Poor"
else:
return "Critical"
def get_remediation_guidance(self, check_id):
"""Get remediation guidance for specific check"""
remediation_guide = \\\\{
"check_2_2": "Configure Docker daemon logging level by adding '\"log-level\": \"info\"' to /etc/docker/daemon.json",
"check_2_5": "Disable legacy registry by adding '\"disable-legacy-registry\": true' to /etc/docker/daemon.json",
"check_2_8": "Enable user namespace support by adding '\"userns-remap\": \"default\"' to /etc/docker/daemon.json",
"check_2_11": "Enable Docker Content Trust by setting DOCKER_CONTENT_TRUST=1 environment variable",
"check_2_13": "Configure centralized logging by setting appropriate log driver in /etc/docker/daemon.json",
"check_4_1": "Create a user for the container in Dockerfile using USER instruction",
"check_4_6": "Add HEALTHCHECK instruction to container image Dockerfile",
"check_5_1": "Do not disable AppArmor Profile by avoiding --security-opt apparmor=unconfined",
"check_5_2": "Do not disable SELinux security options by avoiding --security-opt label=disable"
\\\\}
return remediation_guide.get(check_id, "Refer to CIS Docker Benchmark documentation for detailed remediation steps")
def export_to_csv(self, report, filename="docker-compliance-report.csv"):
"""Export compliance report to CSV"""
# Prepare data for CSV export
csv_data = []
for section_name, section_data in report["detailed_results"].items():
for test in section_data["tests"]:
csv_data.append(\\\\{
"Section": section_name,
"Control_ID": test.get("id", ""),
"Description": test.get("desc", ""),
"Result": test.get("result", ""),
"Severity": test.get("severity", ""),
"Section_Compliance_Score": section_data["compliance_score"]
\\\\})
# Create DataFrame and export
df = pd.DataFrame(csv_data)
df.to_csv(filename, index=False)
print(f"Compliance report exported to \\\\{filename\\\\}")
def generate_html_report(self, report, filename="docker-compliance-report.html"):
"""Generate HTML compliance report"""
html_template = """
Docker Security Compliance Report
Generated: \\\\{report_date\\\\}
Benchmark: \\\\{benchmark\\\\}
Executive Summary
Overall Compliance Score: \\\\{compliance_score\\\\}%
Compliance Level: \\\\{compliance_level\\\\}
Total Controls: \\\\{total_controls\\\\}
Passed: \\\\{passed_controls\\\\}
Failed: \\\\{failed_controls\\\\}
Top Recommendations
\\\\{recommendations_html\\\\} """
# Generate sections HTML
sections_html = ""
for section_name, section_data in report["detailed_results"].items():
score_class = self.get_score_class(section_data["compliance_score"])
tests_html = ""
for test in section_data["tests"]:
result_class = "pass" if test.get("result") == "PASS" else "fail"
tests_html += f"""
<tr class="\\\\{result_class\\\\}">
<td>\\\\{test.get("id", "")\\\\}</td>
<td>\\\\{test.get("desc", "")\\\\}</td>
<td>\\\\{test.get("result", "")\\\\}</td>
<td>\\\\{test.get("severity", "")\\\\}</td>
</tr>
"""
sections_html += f"""
<div class="section">
<h3>\\\\{section_name\\\\}</h3>
<p><strong>Section Score:</strong> <span class="\\\\{score_class\\\\}">\\\\{section_data["compliance_score"]\\\\}%</span></p>
<table>
<tr>
<th>Control ID</th>
<th>Description</th>
<th>Result</th>
<th>Severity</th>
</tr>
\\\\{tests_html\\\\}
</table>
</div>
"""
# Generate recommendations HTML
recommendations_html = "<ul>"
for rec in report["recommendations"]:
recommendations_html += f"""
<li>
<strong>\\\\{rec["control_id"]\\\\}</strong>: \\\\{rec["title"]\\\\}
<br><small><strong>Remediation:</strong> \\\\{rec["remediation"]\\\\}</small>
</li>
"""
recommendations_html += "</ul>"
# Fill template
compliance_class = self.get_score_class(report["executive_summary"]["overall_compliance_score"])
html_content = html_template.format(
report_date=report["report_metadata"]["generated_at"],
benchmark=report["report_metadata"]["benchmark"],
compliance_score=report["executive_summary"]["overall_compliance_score"],
compliance_class=compliance_class,
compliance_level=report["executive_summary"]["compliance_level"],
total_controls=report["executive_summary"]["total_controls"],
passed_controls=report["executive_summary"]["passed_controls"],
failed_controls=report["executive_summary"]["failed_controls"],
sections_html=sections_html,
recommendations_html=recommendations_html
)
with open(filename, 'w') as f:
f.write(html_content)
print(f"HTML compliance report generated: \\\\{filename\\\\}")
def get_score_class(self, score):
"""Get CSS class for compliance score"""
if score >= 95:
return "excellent"
elif score >= 85:
return "good"
elif score >= 70:
return "fair"
elif score >= 50:
return "poor"
else:
return "critical"
Usage
if name == "main": compliance = DockerBenchCompliance()
# Run compliance scan
scan_results = compliance.run_compliance_scan()
if scan_results:
# Generate compliance report
report = compliance.generate_compliance_report(scan_results)
# Export to different formats
compliance.export_to_csv(report)
compliance.generate_html_report(report)
# Save JSON report
with open("docker-compliance-report.json", 'w') as f:
json.dump(report, f, indent=2)
print(f"Compliance Score: \\\\{report['executive_summary']['overall_compliance_score']\\\\}%")
print(f"Compliance Level: \\\\{report['executive_summary']['compliance_level']\\\\}")
```_
Integrationsbeispiele
Integration von Kubernets
```yaml
docker-bench-daemonset.yaml
apiVersion: apps/v1 kind: DaemonSet metadata: name: docker-bench-security namespace: security labels: app: docker-bench-security spec: selector: matchLabels: app: docker-bench-security template: metadata: labels: app: docker-bench-security spec: hostPID: true hostNetwork: true serviceAccountName: docker-bench-security containers: - name: docker-bench-security image: docker/docker-bench-security command: ["./docker-bench-security.sh"] args: ["-j", "-l", "/tmp/docker-bench-report.log"] securityContext: privileged: true volumeMounts: - name: docker-sock mountPath: /var/run/docker.sock readOnly: true - name: etc mountPath: /etc readOnly: true - name: var-lib mountPath: /var/lib readOnly: true - name: usr-bin-containerd mountPath: /usr/bin/containerd readOnly: true - name: usr-bin-runc mountPath: /usr/bin/runc readOnly: true - name: output mountPath: /tmp resources: limits: memory: "256Mi" cpu: "200m" requests: memory: "128Mi" cpu: "100m" volumes: - name: docker-sock hostPath: path: /var/run/docker.sock - name: etc hostPath: path: /etc - name: var-lib hostPath: path: /var/lib - name: usr-bin-containerd hostPath: path: /usr/bin/containerd - name: usr-bin-runc hostPath: path: /usr/bin/runc - name: output hostPath: path: /var/log/docker-bench restartPolicy: Always tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule ```_
Prometheus Integration
```yaml
docker-bench-exporter.yaml
apiVersion: apps/v1 kind: Deployment metadata: name: docker-bench-exporter namespace: monitoring spec: replicas: 1 selector: matchLabels: app: docker-bench-exporter template: metadata: labels: app: docker-bench-exporter spec: containers: - name: docker-bench-exporter image: custom/docker-bench-exporter:latest ports: - containerPort: 8080 env: - name: SCAN_INTERVAL value: "3600" # 1 hour volumeMounts: - name: docker-sock mountPath: /var/run/docker.sock readOnly: true volumes: - name: docker-sock hostPath: path: /var/run/docker.sock
apiVersion: v1 kind: Service metadata: name: docker-bench-exporter namespace: monitoring labels: app: docker-bench-exporter spec: ports: - port: 8080 targetPort: 8080 name: metrics selector: app: docker-bench-exporter
apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: docker-bench-exporter namespace: monitoring spec: selector: matchLabels: app: docker-bench-exporter endpoints: - port: metrics interval: 60s path: /metrics ```_
Fehlerbehebung
Gemeinsame Themen
Permissionsprobleme: ```bash
Ensure Docker daemon is running
sudo systemctl status docker sudo systemctl start docker
Check Docker socket permissions
ls -la /var/run/docker.sock sudo chmod 666 /var/run/docker.sock
Run with proper privileges
sudo ./docker-bench-security.sh
Check user groups
groups $USER sudo usermod -aG docker $USER ```_
Container Ausführungsfragen: ```bash
Check Docker version compatibility
docker version
Pull latest Docker Bench image
docker pull docker/docker-bench-security:latest
Run with debug output
docker run --rm --net host --pid host --userns host --cap-add audit_control \ -v /etc:/etc:ro \ -v /var/lib:/var/lib:ro \ -v /var/run/docker.sock:/var/run/docker.sock:ro \ docker/docker-bench-security -v
Check container logs
| docker logs $(docker ps -a | grep docker-bench-security | awk '\\{print $1\\}') | ```_
Ausgangs- und Parsingfragen: ```bash
Verify JSON output format
./docker-bench-security.sh -j|jq '.'
Check log file permissions
touch docker-bench.log chmod 644 docker-bench.log
Validate output directory
mkdir -p /var/log/docker-bench sudo chown $USER:$USER /var/log/docker-bench
Test specific checks
./docker-bench-security.sh -c host_configuration -v ```_
Leistungsoptimierung
Optimieren von Docker Nennleistung:
```bash
Run specific sections only
./docker-bench-security.sh -c container_runtime
Skip time-consuming checks
./docker-bench-security.sh -e check_1_1_1,check_1_1_2
Use faster execution mode
./docker-bench-security.sh -q
Limit resource usage
docker run --rm --memory=256m --cpus=0.5 \ --net host --pid host --userns host --cap-add audit_control \ -v /etc:/etc:ro \ -v /var/lib:/var/lib:ro \ -v /var/run/docker.sock:/var/run/docker.sock:ro \ docker/docker-bench-security ```_
Sicherheitsüberlegungen
Sichere Nutzungspraktiken
Umweltschutz: - Ich bin nicht da. Bank in isolierten Umgebungen, wenn möglich - Netzzugriff bei Sicherheitsscans begrenzen - Verwenden Sie schreibgeschützte Halterungen für Systemverzeichnisse - Implementierung richtiger Zugriffskontrollen für Scan-Ergebnisse - Regelmäßige Updates von Docker Bench und Docker Daemon
Datenschutz: - Verschlüsseln Sie sensible Scanergebnisse und Berichte - Implementieren Sie sichere Speicherung von Compliance-Daten - Verwenden Sie sichere Kanäle für die Übertragung von Berichten - Regelmäßige Reinigung von temporären Dateien und Protokollen - Umsetzung von Datenschutzbestimmungen
Operationelle Sicherheit
Monitoring and Alerting: - Über uns Bench Ausführung und Ergebnisse - Alarmierung für kritische Sicherheitsergebnisse einrichten - Track Compliance Score Trends im Laufe der Zeit - Ergänzende automatisierte Abhilfe gegebenenfalls - Regelmäßige Überprüfung der Sicherheitskonfigurationen
** Integrationssicherheit:** - Secure CI/CD Pipeline Integration - Schützen Sie API-Tasten und Anmeldeinformationen - Implementierung richtiger RBAC für Kubernetes-Einsätze - Monitor für nicht autorisierte Gebrauch von Docker Bench - Regelmäßige Sicherheitsbewertung der Überwachungsinfrastruktur
Referenzen
- Dockerbank für Sicherheit GitHub
- [CIS Docker Benchmark](https://_LINK_5___
- (LINK_5)
- [NIST Container Security Guide](https://LINK_5
- Beamte Sicherheitsdokumentation