
Containers are like BYOD (Bring Your Own Device): they are infiltrating our ranks, and the gut reaction of InfoSec professionals is to hesitate before allowing them into their environments. But instead of dismissing containers out of hand, I thought it wiser to study them, not only to be prepared for the inevitable but also to understand their usefulness and, most importantly, the security aspects of incorporating them into our organization. That initial exploration was covered in Part 1 of this series on container security, “Quick Dive into Containers, Kubernetes and Security”.
That quick dive showed that containers are an extremely useful tool and that securing them isn’t too dissimilar from what most of us are doing already. But I had never implemented them myself and have no one here in my organization to lean on. So I went to the tried and true method of following existing, published best practices like the ones from the Center for Internet Security (CIS). Part 2 of this series reminds us that we’re not alone: in most cases, some really smart people have already done the heavy lifting and were kind enough to share. Although free and at our fingertips, the right information can be a little tricky to find. This tutorial attempts to accomplish two goals. The first is to save you time and frustration by avoiding the pitfalls I faced in getting the information; the second is to take a detailed look at the benchmarks themselves.
Quick Links ToC: Center for Internet Security | Seek and Ye Shall Find | Benchmarks Not the End All, Be All | Summary
Center for Internet Security
Image 1 Overview of CIS
The Center for Internet Security (CIS) is a non-profit entity that provides a vast number of resources for Cybersecurity Best Practice, Tools, Threat Intelligence and more. We’re going to focus on the “Best Practices” section that includes controls and benchmarks to safeguard private and public organizations against cyber threats. For those not familiar with these terms, CIS Controls are described as the following:
IT security leaders use CIS Controls to quickly establish the protections providing the highest payoff in their organizations. They guide you through a series of 20 foundational and advanced cybersecurity actions, where the most common attacks can be eliminated.
And CIS Benchmarks are described as:
Proven guidelines will enable you to safeguard operating systems, software and networks that are most vulnerable to cyber attacks. They are continuously verified by a volunteer IT community to combat evolving cybersecurity challenges.
The benchmarks are what we’re after. On a side note, CIS also provides a few virtual OS images hardened with their benchmark recommendations. Here are a few examples of benchmarks:
CIS Apache HTTP Server 2.4 Benchmark (https://workbench.cisecurity.org/benchmarks/575)
CIS Microsoft Windows 8.1 Workstation Benchmark
CIS Microsoft SQL Server 2008 R2 Database Engine Benchmark [imported] (https://workbench.cisecurity.org/benchmarks/275)
With all of this brilliant content, there’s got to be loads of documents on containers, right?
Finding Benchmarks!
Gaining access to the treasure trove of content requires registration on CIS, but all of the information is free as downloadable PDFs. The front-end site itself is beautiful and engaging, but as you’ll quickly find out, the back-end interface for the repository of benchmarks is a little clunky. You most likely won’t find what you need on your first attempt, and I can see how many might just give up. But hang in there with me: I did eventually find my way through, and I’ll show you the way.
When logging in, the main page is presented:

Image 2
The only link with the word “benchmarks” is “Published Benchmarks List” (in red below).

Image 3
So I clicked it and was taken to a view of all benchmarks organized by publication date. Unfortunately there is no word search on this page; the only way to find something is to click through each page of results.

Image 4
The only way to navigate through the vast library is here:

Image 5
After a little digging, I found a better way to search. On the left is a table of contents under your name as shown below. Select the “Benchmarks” link.

Image 6
You will be greeted with a page that allows a word search. w00t!

Image 7
Type in “Docker” and you will find various benchmarks:

Image 8
Logically, you would expect that clicking the link lets you download the benchmark; however, this is not the case. Instead it loads a page with basic information, the version number and the contributors. Again, we are saved by the table of contents on the left:

Image 9
Click the “Files” section to be taken to a page where the downloads for the benchmark are available. Here you will find the different formats of the benchmark you are looking for. In this case we have found a Word document, a PDF and an Excel document for Docker 1.13:

Image 10
Phew! As you can see, they are there, but finding them is not quite intuitive. Now that we found them, let’s take a look.
CIS Benchmark for Docker
https://www.cisecurity.org/benchmark/docker/
https://workbench.cisecurity.org/benchmarks/363
CIS Docker 1.13.0 Benchmark [imported] v1.0.0
Each individual benchmark can be overwhelming at first glance. For more detailed benchmarks such as Windows, the list of controls can appear to go on forever. The document “CIS_Docker_1.13.0_Benchmark_v1.0.0.xls” is separated into four Excel tabs:
License
Level 1 Docker
Level 1 Linux Host OS
Level 2 Docker
Although the tabs are convenient, the Word document version of the CIS Docker 1.13 Benchmark explains what each of the above levels means, so let’s take a look.

Image 11
The Overview section is definitely worth reading. It gives you an idea of what to expect from the document, and the intended audience section is especially helpful.
In this case it provides prescriptive guidance for establishing a secure configuration posture for Docker container version 1.13.0.
I have installed Docker on my Windows computer, and the version is 18.03 as shown below. The benchmarks are a little out of date but are still very much relevant.

Image 12
Seek and Ye Shall Find
I don’t know the exact reason why the benchmark targets such an old version, although it probably has to do with the amount of time it takes to create such in-depth benchmarks and the amount of change between versions needed to justify a new one. In an attempt to find out, I tweeted @CISecurity, who promptly responded that there were not enough significant changes to warrant another version. The tweet is shown below:

Image 13

Image 14
@DevSecOpsGeer also replied to the tweet with a Docker Community Edition benchmark for 17.06, found here: https://docs.docker.com/compliance/cis/docker_ce/

Image 15
Now that we have an updated Community Edition benchmark, let’s dive into the finer details and get some specific recommendations for Docker security.
The Profile Definitions AKA Sections
CIS breaks up the recommendations into configuration ‘profiles’, each a group of recommendations built around a certain intention.
Level 1 Docker
As stated in the benchmark itself, this group of configurations is intended to:
Be practical and prudent;
Provide a clear security benefit; and
Not inhibit the utility of the technology beyond acceptable means.
In normal terms, this means configurations that make sense, are easy to implement without affecting the container operationally, and won’t affect its use, speed or reliability.
Level 1 Linux Host OS
Also being Level 1, the Linux Host configurations have exactly the same bulleted intentions as Level 1 Docker above, but focused on operating system configurations.
Level 2 Docker
Recommendations for this configuration have one or more of the following characteristics:
Are intended for environments or use cases where security is paramount
Act as a defense-in-depth measure
May negatively inhibit the utility or performance of the technology
These configurations are important for critical systems, whether that be from an uptime perspective or because of the data they hold. Because these configurations are ‘serious’ and further tighten security, they may sacrifice usability or performance for the sake of security.
Key Format Difference Between the Excel and Word
In the Excel spreadsheet, the different profiles are separated by tabs, whereas in the Word document the recommendations are simply listed in order.

Image 16
Another item of note is that in the Word document, Level 2 configurations are mixed in among the Level 1s.

Image 17

Image 18
If you want to configure all Level 1 recommendations first, I would suggest using the Excel version, as everything is grouped together there. Keep this in mind for all of the benchmarks, as they all have the same format.
Analysis of Each Section
The document breaks the recommendations into sections:
Host Configuration
Docker daemon Configuration
Docker daemon configuration files
Container Images and Build File
Container Runtime
Docker Security Operations
Analysis of Host Configuration
Some people may ask why a Docker benchmark has host configuration guidance. The recommendations here are nothing groundbreaking; as most know, security is best done in depth, so having a hardened host machine on which to run Docker containers is a smart way to go.
Most of this is hardening the host as you would expect. However, there are also recommendations on the way Docker is installed and configured on the host, such as limiting the ability of the docker user to alter the host system.
As with any benchmark, there is an audit section covering all Docker daemon activities (basically advanced logs of what is going on in the containers). It also covers logging of Docker-related files and directories. These recommendations are great to use. In keeping with defense in depth, it’s not just about removing vulnerabilities; it’s about reducing what a malicious user inside a container could access, as well as reviewing the logs for anything malicious.

Image 19
Docker Daemon Configuration Section
The Docker daemon of course has its own section. The daemon is the foundation of Docker; in short, it is the building block for everything else.
Again, defense in depth is important here, so there are recommendations on restricting network traffic between containers, adding logging, and even requiring TLS for accessing the Docker daemon over the network.
These recommendations are quite detailed, with the exact commands to enable or disable certain items. As a result, even an inexperienced user can go through these lists and secure their Docker daemon.
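To make the host-configuration recommendations (auditing of Docker files and directories) and the daemon-configuration recommendations (inter-container traffic, logging, TLS) above concrete, here is a small offline checker written for this article as an added example. It is not the CIS benchmark’s own audit procedure (the benchmark’s audits are shell commands run on the host) and not code from the original post. It assumes the auditd `-w <path> -p <perms> -k <key>` rule format and the real daemon.json keys `icc`, `log-level` and `tlsverify`; the list of audited paths and both sample input files are constructed for the example and should be adjusted to your own host.

```python
"""Check a Docker host's auditd rules and daemon.json against a few
CIS Docker Benchmark style recommendations (added example, not CIS code)."""
import json
import shlex

# Files and directories the benchmark's host-configuration section asks to be
# watched by auditd. This list is an assumption for the example; the benchmark
# for your Docker version lists the exact paths.
AUDITED_PATHS = [
    "/usr/bin/docker",
    "/var/lib/docker",
    "/etc/docker",
    "/etc/docker/daemon.json",
]

# daemon.json settings from the daemon-configuration section and the value
# the benchmark expects for each:
#   icc=false      restricts traffic between containers on the default bridge
#   log-level=info keeps daemon logging useful without flooding
#   tlsverify=true requires client certificates when the daemon is reachable over TCP
DAEMON_EXPECTATIONS = {
    "icc": False,
    "log-level": "info",
    "tlsverify": True,
}


def parse_audit_rules(text):
    """Return the set of paths watched by an auditd rules file.

    Understands both the `-w <path>` watch form and the
    `-a always,exit -F path=<path>` syscall form.
    """
    watched = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        for i, tok in enumerate(tokens):
            if tok == "-w" and i + 1 < len(tokens):
                watched.add(tokens[i + 1])
            elif tok == "-F" and i + 1 < len(tokens) and tokens[i + 1].startswith("path="):
                watched.add(tokens[i + 1][len("path="):])
    return watched


def audit_host_rules(rules_text, paths=AUDITED_PATHS):
    """Map each benchmark path to True/False depending on whether a watch exists."""
    watched = parse_audit_rules(rules_text)
    return {p: (p in watched) for p in paths}


def audit_daemon_config(config_text, expectations=DAEMON_EXPECTATIONS):
    """Map each daemon.json key to (passed, actual_value).

    A key that is absent counts as failing: Docker's defaults for these keys
    (icc on, no TLS verification) are the permissive ones.
    """
    cfg = json.loads(config_text)
    return {key: (cfg.get(key) == expected, cfg.get(key))
            for key, expected in expectations.items()}


def failing_items(rules_text, config_text):
    """List the recommendations that fail, tagged by section, for a summary line."""
    fails = [f"audit:{p}" for p, ok in audit_host_rules(rules_text).items() if not ok]
    fails += [f"daemon:{k}" for k, (ok, _) in audit_daemon_config(config_text).items() if not ok]
    return fails


# Constructed sample rules file: watches the binary, data dir and daemon.json
# but forgets the /etc/docker directory itself.
SAMPLE_AUDIT_RULES = """\
# docker (constructed sample)
-w /usr/bin/docker -p wa -k docker
-w /var/lib/docker -p wa -k docker
-w /etc/docker/daemon.json -p wa -k docker
"""

# Constructed sample daemon.json: inter-container traffic is restricted, but the
# log level is too verbose and the TCP listener has a CA configured without tlsverify.
SAMPLE_DAEMON_JSON = """\
{
  "icc": false,
  "log-level": "debug",
  "hosts": ["fd://", "tcp://0.0.0.0:2376"],
  "tlscacert": "/etc/docker/ca.pem"
}
"""

if __name__ == "__main__":
    for item in failing_items(SAMPLE_AUDIT_RULES, SAMPLE_DAEMON_JSON):
        print("FAIL", item)
```

On a real host you would read `/etc/audit/rules.d/*.rules` and `/etc/docker/daemon.json` instead of the embedded samples; the point of the split into `audit_host_rules` and `audit_daemon_config` is that the two benchmark sections check different artifacts, and a missing key is treated as a failure rather than silently passing.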

Image 20
Docker Daemon Configuration Files
Containers are small and generally for very specifi