19.6 Using Third-Party Inspection Tools

The preceding sections introduced a large number of measures for hardening Docker. Checking each of them by hand is tedious, but fortunately there are open-source tools that automate these checks; the best known are Docker Bench and clair. Each is introduced below.

19.6.1 Docker Bench

Docker Bench is an open-source project whose code is hosted at https://github.com/docker/docker-bench-security

The project runs a series of environment checks against the Center for Internet Security (CIS) benchmark for Docker 1.11+, revealing potential configuration and security problems in the current Docker deployment.

The CIS Docker benchmark lays down constraints and requirements in six major areas: host configuration, the Docker engine, configuration file permissions, image management, the container runtime environment, and security items. When running Docker in production, it is recommended to adopt this benchmark as the security standard for deployments.

Docker Bench also ships as a Docker image; the following command quickly runs a security check against the local environment.


  $ docker run -it --net host --pid host --cap-add audit_control \
  -v /var/lib:/var/lib \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /usr/lib/systemd:/usr/lib/systemd \
  -v /etc:/etc --label docker_bench_security \
  docker/docker-bench-security
  # -----------------------------------------------------------------------------
  # Docker Bench for Security v1.1.0
  #
  # Docker, Inc. (c) 2015-
  #
  # Checks for dozens of common best-practices around deploying Docker containers in production.
  # Inspired by the CIS Docker 1.11 Benchmark:
  # https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=docker16.110
  # -----------------------------------------------------------------------------
  Initializing Sun Sep 7 03:34:36 UTC 2016
  [INFO] 1 - Host Configuration
  [WARN] 1.1 - Create a separate partition for containers
  [PASS] 1.2 - Use an updated Linux Kernel
  [PASS] 1.4 - Remove all non-essential services from the host - Network
  [WARN] 1.5 - Keep Docker up to date
  [WARN] * Using 1.10.3, when 1.12.0 is current as of 2016-07-28
  [INFO] * Your operating system vendor may provide support and security maintenance for docker
  [INFO] 1.6 - Only allow trusted users to control Docker daemon
  [INFO] * docker:x:999:ubuntu
  [WARN] 1.7 - Failed to inspect: auditctl command not found.
  [WARN] 1.8 - Failed to inspect: auditctl command not found.
  [WARN] 1.9 - Failed to inspect: auditctl command not found.
  [INFO] 1.10 - Audit Docker files and directories - docker.service
  [INFO] * File not found
  [INFO] 1.11 - Audit Docker files and directories - docker.socket
  [INFO] * File not found
  [WARN] 1.12 - Failed to inspect: auditctl command not found.
  ...

Each line of the output carries a level that indicates the severity of the finding. In general, findings at WARN level or above should be avoided as far as possible.
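As an added example, not part of the Docker Bench project or of this book, the following POSIX shell script parses a report in the format shown above and turns the level prefixes into a pass/fail decision, which is how the check is typically wired into a build pipeline. The two report texts embedded in it are constructed for illustration and are not real scan results; the run_bench function only wraps the docker run command from the text (without -t, so the output can be captured).

```shell
#!/bin/sh
# Summarize a Docker Bench for Security report by level and enforce a
# "no WARN findings" policy. Added example; not code from docker-bench-security.

# Constructed sample report (same line format as the output above, not a real scan).
SAMPLE_REPORT='[INFO] 1 - Host Configuration
[WARN] 1.1 - Create a separate partition for containers
[PASS] 1.2 - Use an updated Linux Kernel
[PASS] 1.4 - Remove all non-essential services from the host - Network
[WARN] 1.5 - Keep Docker up to date
[WARN] * Using 1.10.3, when 1.12.0 is current as of 2016-07-28
[INFO] 1.6 - Only allow trusted users to control Docker daemon
[INFO] * docker:x:999:ubuntu
[WARN] 1.7 - Failed to inspect: auditctl command not found.'

# Constructed report of a host with no warnings, to show the policy passing.
CLEAN_REPORT='[INFO] 1 - Host Configuration
[PASS] 1.1 - Create a separate partition for containers
[PASS] 1.2 - Use an updated Linux Kernel'

# count_level REPORT LEVEL
# Number of numbered checks ("[LEVEL] 1.5 - ...") at the given level.
# Lines of the form "[LEVEL] * ..." are details of the preceding check,
# not separate findings, so they are deliberately not counted.
count_level() {
    printf '%s\n' "$1" | awk -v lvl="[$2]" \
        '$1 == lvl && $2 ~ /^[0-9]+(\.[0-9]+)?$/ { n++ } END { print n + 0 }'
}

# list_warnings REPORT
# Print the ids (e.g. 1.1, 1.5) of all checks that produced a WARN, one per line.
list_warnings() {
    printf '%s\n' "$1" | awk '$1 == "[WARN]" && $2 ~ /^[0-9]+(\.[0-9]+)?$/ { print $2 }'
}

# check_policy REPORT
# Succeed (exit 0) only when the report contains no WARN-level checks.
check_policy() {
    [ "$(count_level "$1" WARN)" -eq 0 ]
}

# run_bench
# Run the image from the text and print its report (needs Docker on this host).
run_bench() {
    docker run --rm --net host --pid host --cap-add audit_control \
        -v /var/lib:/var/lib \
        -v /var/run/docker.sock:/var/run/docker.sock \
        -v /usr/lib/systemd:/usr/lib/systemd \
        -v /etc:/etc --label docker_bench_security \
        docker/docker-bench-security
}

# Usage: ./bench_gate.sh --live   (real scan)   or   ./bench_gate.sh   (sample report)
if [ "${1:-}" = "--live" ]; then
    report=$(run_bench)
else
    report=$SAMPLE_REPORT
fi
echo "WARN: $(count_level "$report" WARN)  PASS: $(count_level "$report" PASS)  INFO: $(count_level "$report" INFO)"
if check_policy "$report"; then
    echo "policy: OK"
else
    echo "policy: FAILED, warning checks: $(list_warnings "$report" | tr '\n' ' ')"
fi
```

The summary counts only the numbered check lines, so a warning with several indented detail lines still counts once; the detail lines remain available in the raw report for remediation. If a real run emits terminal colour codes, strip them before parsing.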

19.6.2 clair

clair, released by the CoreOS team, scans the file layers of a container image to find potential vulnerabilities. The project is hosted at https://github.com/coreos/clair

Readers can try it out quickly with the following commands:


  $ curl -L https://raw.githubusercontent.com/coreos/clair/v1.2.2/docker-compose.yml -o $HOME/docker-compose.yml
  $ mkdir $HOME/clair_config
  $ curl -L https://raw.githubusercontent.com/coreos/clair/v1.2.2/config.example.yaml -o $HOME/clair_config/config.yaml
  $ $EDITOR $HOME/clair_config/config.yaml # Edit database source to be postgresql://postgres:password@postgres:5432?sslmode=disable
  $ docker-compose -f $HOME/docker-compose.yml up -d