nanopenguin/bachelor-thesis
Archived
1
0
Fork 0
Code Actions

Added more data

Browse Source
This commit is contained in:
Benedikt Galbavy 2025-05-18 17:34:11 +02:00
parent 1589881898
commit cd112d132f
28 changed files with 5698 additions and 190 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

147
attack_notes.md
View File

@ -1,5 +1,21 @@
# base # base
```sh
$ nmap -sS 192.168.56.10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-17 12:10 EDT
Nmap scan report for gitea.vm.local (192.168.56.10)
Host is up (0.00011s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
2222/tcp open EtherNetIP-1
MAC Address: 08:00:27:D6:26:3F (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
```
assumed ssh access: assumed ssh access:
```sh ```sh
msfconsole msfconsole
@ -20,7 +36,7 @@ msf6 auxiliary(scanner/ssh/ssh_login) > sessions -u 1
access shell access shell
```sh ```sh
msf6 > sessions -i 1 msf6 > sessions -i 1
apt install dnsutils apt install dnsutils nmap
``` ```
assuming services are known, docker service names can be guessed assuming services are known, docker service names can be guessed
@ -88,117 +104,60 @@ docker default subnets are 0.0.0.0/16, assuming 172.18.0.0/16
``` ```
nmap -sS 172.18.0.0/16 nmap -sS 172.18.0.0/16
Starting Nmap 7.80 ( https://nmap.org ) at 2025-05-12 18:33 UTC Starting Nmap 7.80 ( https://nmap.org ) at 2025-05-17 16:31 UTC
Nmap scan report for sandbox (172.18.0.1) Nmap scan report for sandbox (172.18.0.1)
Host is up (0.000011s latency). Host is up (0.0000050s latency).
Not shown: 996 closed ports Not shown: 996 closed ports
PORT STATE SERVICE PORT STATE SERVICE
22/tcp open ssh 22/tcp open ssh
80/tcp open http 80/tcp open http
443/tcp open https 443/tcp open https
2222/tcp open EtherNetIP-1 2222/tcp open EtherNetIP-1
MAC Address: 6A:DF:AC:BC:46:C7 (Unknown) MAC Address: FA:B1:5A:9D:C7:A5 (Unknown)
Nmap scan report for vaultwarden.vagrant_internal (172.18.0.2) Nmap scan report for vaultwarden.vagrant_nginx (172.18.0.2)
Host is up (0.000012s latency). Host is up (0.0000050s latency).
Not shown: 999 closed ports Not shown: 999 closed ports
PORT STATE SERVICE PORT STATE SERVICE
80/tcp open http 80/tcp open http
MAC Address: 52:F1:5A:53:4C:D0 (Unknown) MAC Address: BE:9D:68:8A:B6:B6 (Unknown)
Nmap scan report for vaultwarden-db.vagrant_internal (172.18.0.3) Nmap scan report for nginx.vagrant_nginx (172.18.0.3)
Host is up (0.000010s latency). Host is up (0.0000050s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
5432/tcp open postgresql
MAC Address: BA:40:F3:B6:75:F4 (Unknown)
Nmap scan report for gitea.vagrant_internal (172.18.0.4)
Host is up (0.000010s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
3000/tcp open ppp
MAC Address: C2:B1:A8:B0:84:4B (Unknown)
Nmap scan report for gitea-db.vagrant_internal (172.18.0.5)
Host is up (0.0000070s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
5432/tcp open postgresql
MAC Address: C6:59:C3:0C:1D:1D (Unknown)
Nmap scan report for nginx.vagrant_internal (172.18.0.6)
Host is up (0.0000080s latency).
Not shown: 998 closed ports Not shown: 998 closed ports
PORT STATE SERVICE PORT STATE SERVICE
80/tcp open http 80/tcp open http
443/tcp open https 443/tcp open https
MAC Address: 9A:7F:8F:2C:1A:0C (Unknown) MAC Address: D6:71:74:1E:27:A2 (Unknown)
Nmap scan report for gitea.vagrant_nginx (172.18.0.5)
Host is up (0.0000050s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
3000/tcp open ppp
MAC Address: 9A:E8:19:FC:FF:25 (Unknown)
``` ```
This scan reveals an open port 5432, which is commonly used for PostgreSQL, and an open port 22 on the gateway. # docker bench security
meterpreter: according to [docs](https://github.com/docker/docker-bench-security)
```sh
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
docker build --no-cache -t docker-bench-security .
``` ```
sessions -i 2 Ubuntu run config
```sh
meterpreter > sysinfo docker run --rm --net host --pid host --userns host --cap-add audit_control \
Computer : 172.18.0.7 -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
OS : Ubuntu 22.04 (Linux 5.15.0-136-generic) -v /etc:/etc:ro \
Architecture : x64 -v /lib/systemd/system:/lib/systemd/system:ro \
BuildTuple : i486-linux-musl -v /usr/bin/containerd:/usr/bin/containerd:ro \
Meterpreter : x86/linux -v /usr/bin/runc:/usr/bin/runc:ro \
-v /usr/lib/systemd:/usr/lib/systemd:ro \
meterpreter > portfwd add -l 5432 -p 5432 -r 172.18.0.3 -v /var/lib:/var/lib:ro \
[*] Forward TCP relay created: (local) :5432 -> (remote) 172.18.0.3:543 -v /var/run/docker.sock:/var/run/docker.sock:ro \
--label docker_bench_security \
docker-bench-security
``` ```
```
msf6 > use auxiliary/scanner/postgres/postgres_version
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 auxiliary(scanner/postgres/postgres_version) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf6 auxiliary(scanner/postgres/postgres_version) > run
[*] 127.0.0.1:5432 Postgres - Version Unknown (Pre-Auth)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/postgres/postgres_version) > use auxiliary/scanner/postgres/postgres_login
[*] New in Metasploit 6.4 - The CreateSession option within this module can open an interactive session
msf6 auxiliary(scanner/postgres/postgres_login) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 auxiliary(scanner/postgres/postgres_login) > run
[!] No active DB -- Credential data will not be saved!
[-] 127.0.0.1:5432 - LOGIN FAILED: :@template1 (Incorrect: FATAL VFATAL C28000 Mno PostgreSQL user name specified in startup packet Fbackend_startup.c L800 RProcessStartupPacket)
[-] 127.0.0.1:5432 - LOGIN FAILED: :tiger@template1 (Incorrect: FATAL VFATAL C28000 Mno PostgreSQL user name specified in startup packet Fbackend_startup.c L800 RProcessStartupPacket)
[-] 127.0.0.1:5432 - LOGIN FAILED: :postgres@template1 (Incorrect: FATAL VFATAL C28000 Mno PostgreSQL user name specified in startup packet Fbackend_startup.c L800 RProcessStartupPacket)
[-] 127.0.0.1:5432 - LOGIN FAILED: :password@template1 (Incorrect: FATAL VFATAL C28000 Mno PostgreSQL user name specified in startup packet Fbackend_startup.c L800 RProcessStartupPacket)
[-] 127.0.0.1:5432 - LOGIN FAILED: :admin@template1 (Incorrect: FATAL VFATAL C28000 Mno PostgreSQL user name specified in startup packet Fbackend_startup.c L800 RProcessStartupPacket)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "postgres" Fauth.c L321 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:tiger@template1 (Incorrect: EOFError)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:postgres@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "postgres" Fauth.c L321 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:password@template1 (Incorrect: EOFError)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:admin@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "postgres" Fauth.c L321 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: scott:@template1 (Incorrect: EOFError)
[-] 127.0.0.1:5432 - LOGIN FAILED: scott:tiger@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "scott" Fauth.c L321 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: scott:postgres@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "scott" Fauth.c L321 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: scott:password@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "scott" Fauth.c L321 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: scott:admin@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "scott" Fauth.c L321 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: admin:@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "admin" Fauth.c L321 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: admin:tiger@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "admin" Fauth.c L321 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: admin:postgres@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "admin" Fauth.c L321 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: admin:password@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "admin" Fauth.c L321 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: admin:admin@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "admin" Fauth.c L321 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:postgres@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "postgres" Fauth.c L321 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:password@template1 (Incorrect: EOFError)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:admin@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "postgres" Fauth.c L321 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: admin:admin@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "admin" Fauth.c L321 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: admin:password@template1 (Incorrect: EOFError)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Bruteforce completed, 0 credentials were successful.
[*] You can open a Postgres session with these credentials and CreateSession set to true
[*] Auxiliary module execution completed
```
conclusion: it secure, thank you very much, instlal your updates guys

0
attack_notes_base.md Normal file
View File

111
attack_notes_hybrid.md Normal file
View File

@ -0,0 +1,111 @@
no diffs until ssh
nmap -sS 172.18.0.0/16
```sh
Starting Nmap 7.80 ( https://nmap.org ) at 2025-05-18 13:11 UTC
Nmap scan report for postgres (172.18.0.1)
Host is up (0.000012s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
2222/tcp open EtherNetIP-1
5432/tcp open postgresql
MAC Address: 26:54:2A:8A:53:02 (Unknown)
Nmap scan report for nginx.vagrant_internal (172.18.0.2)
Host is up (0.000012s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
MAC Address: CE:E7:60:35:0E:C1 (Unknown)
Nmap scan report for gitea.vagrant_internal (172.18.0.4)
Host is up (0.000012s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
3000/tcp open ppp
MAC Address: 7E:05:23:CA:55:6D (Unknown)
Nmap scan report for vaultwarden.vagrant_internal (172.18.0.5)
Host is up (0.000012s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
80/tcp open http
MAC Address: 12:EB:C9:6D:07:4B (Unknown)
```
additional port 5432
This scan reveals an open port 5432, which is commonly used for PostgreSQL, and an open port 22 on the gateway.
meterpreter:
```
msf6 > sessions -u 1
msf6 > sessions -i 2
meterpreter > portfwd add -l 5432 -p 5432 -r 172.18.0.1
[*] Forward TCP relay created: (local) :5432 -> (remote) 172.18.0.1:5432
```
```sh
msf6 auxiliary(server/capture/postgresql) > use auxiliary/scanner/postgres/postgres_version
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 auxiliary(scanner/postgres/postgres_version) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf6 auxiliary(scanner/postgres/postgres_version) > run
[*] 127.0.0.1:5432 Postgres - Version Unknown (Pre-Auth)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
```sh
msf6 auxiliary(scanner/postgres/postgres_login) > use auxiliary/scanner/postgres/postgres_login
[*] New in Metasploit 6.4 - The CreateSession option within this module can open an interactive session
msf6 auxiliary(scanner/postgres/postgres_login) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf6 auxiliary(scanner/postgres/postgres_login) > set BLANK_PASSWORDS true
BLANK_PASSWORDS => true
msf6 auxiliary(scanner/postgres/postgres_login) > run
[!] No active DB -- Credential data will not be saved!
[-] 127.0.0.1:5432 - LOGIN FAILED: :@template1 (Incorrect: FATAL VFATAL C28000 Mno PostgreSQL user name specified in startup packet Fpostmaster.c L2273 RProcessStartupPacket)
[-] 127.0.0.1:5432 - LOGIN FAILED: :@template1 (Incorrect: FATAL VFATAL C28000 Mno PostgreSQL user name specified in startup packet Fpostmaster.c L2273 RProcessStartupPacket)
[-] 127.0.0.1:5432 - LOGIN FAILED: :tiger@template1 (Incorrect: FATAL VFATAL C28000 Mno PostgreSQL user name specified in startup packet Fpostmaster.c L2273 RProcessStartupPacket)
[-] 127.0.0.1:5432 - LOGIN FAILED: :postgres@template1 (Incorrect: FATAL VFATAL C28000 Mno PostgreSQL user name specified in startup packet Fpostmaster.c L2273 RProcessStartupPacket)
[-] 127.0.0.1:5432 - LOGIN FAILED: :password@template1 (Incorrect: FATAL VFATAL C28000 Mno PostgreSQL user name specified in startup packet Fpostmaster.c L2273 RProcessStartupPacket)
[-] 127.0.0.1:5432 - LOGIN FAILED: :admin@template1 (Incorrect: FATAL VFATAL C28000 Mno PostgreSQL user name specified in startup packet Fpostmaster.c L2273 RProcessStartupPacket)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "postgres" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "postgres" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:tiger@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "postgres" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:postgres@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "postgres" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:password@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "postgres" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:admin@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "postgres" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: scott:@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "scott" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: scott:@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "scott" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: scott:tiger@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "scott" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: scott:postgres@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "scott" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: scott:password@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "scott" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: scott:admin@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "scott" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: admin:@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "admin" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: admin:@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "admin" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: admin:tiger@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "admin" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: admin:postgres@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "admin" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: admin:password@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "admin" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: admin:admin@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "admin" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:postgres@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "postgres" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:password@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "postgres" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:admin@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "postgres" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: admin:admin@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "admin" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: admin:password@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "admin" Fauth.c L335 Rauth_failed)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Bruteforce completed, 0 credentials were successful.
[*] You can open a Postgres session with these credentials and CreateSession set to true
[*] Auxiliary module execution completed
```
```sh
```
```sh
```

5
logrotate-notes.md
View File

@ -1,5 +0,0 @@
````sh
sudo logrotate -f /etc/logrotate.d/docker-containers
ls -lh /var/lib/docker/containers/*/*.log*
```

236
measurements/docker-bench/base.log Normal file
View File

@ -0,0 +1,236 @@
Initializing 2025-05-18T11:42:35+00:00
Section A - Check results
[INFO] 1 - Host Configuration
[INFO] 1.1 - Linux Hosts Specific Configuration
[WARN] 1.1.1 - Ensure a separate partition for containers has been created (Automated)
[INFO] 1.1.2 - Ensure only trusted users are allowed to control Docker daemon (Automated)
[INFO] * Users: vagrant,git
[WARN] 1.1.3 - Ensure auditing is configured for the Docker daemon (Automated)
[WARN] 1.1.4 - Ensure auditing is configured for Docker files and directories -/run/containerd (Automated)
[WARN] 1.1.5 - Ensure auditing is configured for Docker files and directories - /var/lib/docker (Automated)
[WARN] 1.1.6 - Ensure auditing is configured for Docker files and directories - /etc/docker (Automated)
[WARN] 1.1.7 - Ensure auditing is configured for Docker files and directories - docker.service (Automated)
[WARN] 1.1.8 - Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)
[WARN] 1.1.9 - Ensure auditing is configured for Docker files and directories - docker.socket (Automated)
[WARN] 1.1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker (Automated)
[INFO] 1.1.11 - Ensure auditing is configured for Dockerfiles and directories - /etc/docker/daemon.json (Automated)
[INFO] * File not found
[WARN] 1.1.12 - 1.1.12 Ensure auditing is configured for Dockerfiles and directories - /etc/containerd/config.toml (Automated)
[INFO] 1.1.13 - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Automated)
[INFO] * File not found
[WARN] 1.1.14 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Automated)
[WARN] 1.1.15 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim (Automated)
[WARN] 1.1.16 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v1 (Automated)
[WARN] 1.1.17 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v2 (Automated)
[WARN] 1.1.18 - Ensure auditing is configured for Docker files and directories - /usr/bin/runc (Automated)
[INFO] 1.2 - General Configuration
[NOTE] 1.2.1 - Ensure the container host has been Hardened (Manual)
[PASS] 1.2.2 - Ensure that the version of Docker is up to date (Manual)
[INFO] * Using 28.1.1 which is current
[INFO] * Check with your operating system vendor for support and security maintenance for Docker
[INFO] 2 - Docker daemon configuration
[NOTE] 2.1 - Run the Docker daemon as a non-root user, if possible (Manual)
[WARN] 2.2 - Ensure network traffic is restricted between containers on the default bridge (Scored)
[PASS] 2.3 - Ensure the logging level is set to 'info' (Scored)
[PASS] 2.4 - Ensure Docker is allowed to make changes to iptables (Scored)
[PASS] 2.5 - Ensure insecure registries are not used (Scored)
[PASS] 2.6 - Ensure aufs storage driver is not used (Scored)
[INFO] 2.7 - Ensure TLS authentication for Docker daemon is configured (Scored)
[INFO] * Docker daemon not listening on TCP
[INFO] 2.8 - Ensure the default ulimit is configured appropriately (Manual)
[INFO] * Default ulimit doesn't appear to be set
[WARN] 2.9 - Enable user namespace support (Scored)
[PASS] 2.10 - Ensure the default cgroup usage has been confirmed (Scored)
[PASS] 2.11 - Ensure base device size is not changed until needed (Scored)
[WARN] 2.12 - Ensure that authorization for Docker client commands is enabled (Scored)
[WARN] 2.13 - Ensure centralized and remote logging is configured (Scored)
[WARN] 2.14 - Ensure containers are restricted from acquiring new privileges (Scored)
[WARN] 2.15 - Ensure live restore is enabled (Scored)
[WARN] 2.16 - Ensure Userland Proxy is Disabled (Scored)
[INFO] 2.17 - Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Manual)
[INFO] Ensure that experimental features are not implemented in production (Scored) (Deprecated)
[INFO] 3 - Docker daemon configuration files
[PASS] 3.1 - Ensure that the docker.service file ownership is set to root:root (Automated)
[PASS] 3.2 - Ensure that docker.service file permissions are appropriately set (Automated)
[PASS] 3.3 - Ensure that docker.socket file ownership is set to root:root (Automated)
[PASS] 3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive (Automated)
[PASS] 3.5 - Ensure that the /etc/docker directory ownership is set to root:root (Automated)
[PASS] 3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictively (Automated)
[INFO] 3.7 - Ensure that registry certificate file ownership is set to root:root (Automated)
[INFO] * Directory not found
[INFO] 3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictively (Automated)
[INFO] * Directory not found
[INFO] 3.9 - Ensure that TLS CA certificate file ownership is set to root:root (Automated)
[INFO] * No TLS CA certificate found
[INFO] 3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictively (Automated)
[INFO] * No TLS CA certificate found
[INFO] 3.11 - Ensure that Docker server certificate file ownership is set to root:root (Automated)
[INFO] * No TLS Server certificate found
[INFO] 3.12 - Ensure that the Docker server certificate file permissions are set to 444 or more restrictively (Automated)
[INFO] * No TLS Server certificate found
[INFO] 3.13 - Ensure that the Docker server certificate key file ownership is set to root:root (Automated)
[INFO] * No TLS Key found
[INFO] 3.14 - Ensure that the Docker server certificate key file permissions are set to 400 (Automated)
[INFO] * No TLS Key found
[PASS] 3.15 - Ensure that the Docker socket file ownership is set to root:docker (Automated)
[PASS] 3.16 - Ensure that the Docker socket file permissions are set to 660 or more restrictively (Automated)
[INFO] 3.17 - Ensure that the daemon.json file ownership is set to root:root (Automated)
[INFO] * File not found
[INFO] 3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive (Automated)
[INFO] * File not found
[PASS] 3.19 - Ensure that the /etc/default/docker file ownership is set to root:root (Automated)
[PASS] 3.20 - Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively (Automated)
[INFO] 3.21 - Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (Automated)
[INFO] * File not found
[INFO] 3.22 - Ensure that the /etc/sysconfig/docker file ownership is set to root:root (Automated)
[INFO] * File not found
[PASS] 3.23 - Ensure that the Containerd socket file ownership is set to root:root (Automated)
[PASS] 3.24 - Ensure that the Containerd socket file permissions are set to 660 or more restrictively (Automated)
[INFO] 4 - Container Images and Build File
[WARN] 4.1 - Ensure that a user for the container has been created (Automated)
[WARN] * Running as root: vaultwarden-db
[WARN] * Running as root: nginx
[WARN] * Running as root: vaultwarden
[WARN] * Running as root: vagrant-vulnerable-1
[WARN] * Running as root: gitea-db
[WARN] * Running as root: gitea
[NOTE] 4.2 - Ensure that containers use only trusted base images (Manual)
[NOTE] 4.3 - Ensure that unnecessary packages are not installed in the container (Manual)
[NOTE] 4.4 - Ensure images are scanned and rebuilt to include security patches (Manual)
[WARN] 4.5 - Ensure Content trust for Docker is Enabled (Automated)
[WARN] 4.6 - Ensure that HEALTHCHECK instructions have been added to container images (Automated)
[WARN] * No Healthcheck found: [vagrant-vulnerable:latest]
[WARN] * No Healthcheck found: [docker.gitea.com/gitea:latest]
[WARN] * No Healthcheck found: [postgres:latest]
[WARN] * No Healthcheck found: [nginx:latest]
[INFO] 4.7 - Ensure update instructions are not used alone in the Dockerfile (Manual)
[INFO] * Update instruction found: [vagrant-vulnerable:latest]
[INFO] * Update instruction found: [postgres:latest]
[NOTE] 4.8 - Ensure setuid and setgid permissions are removed (Manual)
[INFO] 4.9 - Ensure that COPY is used instead of ADD in Dockerfiles (Manual)
[INFO] * ADD in image history: [vagrant-vulnerable:latest]
[INFO] * ADD in image history: [vaultwarden/server:latest]
[NOTE] 4.10 - Ensure secrets are not stored in Dockerfiles (Manual)
[NOTE] 4.11 - Ensure only verified packages are installed (Manual)
[NOTE] 4.12 - Ensure all signed artifacts are validated (Manual)
[INFO] 5 - Container Runtime
[PASS] 5.1 - Ensure swarm mode is not Enabled, if not needed (Automated)
[PASS] 5.2 - Ensure that, if applicable, an AppArmor Profile is enabled (Automated)
[WARN] 5.3 - Ensure that, if applicable, SELinux security options are set (Automated)
[WARN] * No SecurityOptions Found: vaultwarden-db
[WARN] * No SecurityOptions Found: nginx
[WARN] * No SecurityOptions Found: vaultwarden
[WARN] * No SecurityOptions Found: vagrant-vulnerable-1
[WARN] * No SecurityOptions Found: gitea-db
[WARN] * No SecurityOptions Found: gitea
[PASS] 5.4 - Ensure that Linux kernel capabilities are restricted within containers (Automated)
[PASS] 5.5 - Ensure that privileged containers are not used (Automated)
[PASS] 5.6 - Ensure sensitive host system directories are not mounted on containers (Automated)
[WARN] 5.7 - Ensure sshd is not run within containers (Automated)
[WARN] * Container running sshd: vagrant-vulnerable-1
[WARN] * Container running sshd: gitea
[WARN] 5.8 - Ensure privileged ports are not mapped within containers (Automated)
[WARN] * Privileged Port in use: 80 in nginx
[WARN] * Privileged Port in use: 443 in nginx
[WARN] 5.9 - Ensure that only needed ports are open on the container (Manual)
[WARN] * Port in use: 80 in nginx
[WARN] * Port in use: 443 in nginx
[WARN] * Port in use: 2222 in vagrant-vulnerable-1
[PASS] 5.10 - Ensure that the host's network namespace is not shared (Automated)
[WARN] 5.11 - Ensure that the memory usage for containers is limited (Automated)
[WARN] * Container running without memory restrictions: vaultwarden-db
[WARN] * Container running without memory restrictions: nginx
[WARN] * Container running without memory restrictions: vaultwarden
[WARN] * Container running without memory restrictions: vagrant-vulnerable-1
[WARN] * Container running without memory restrictions: gitea-db
[WARN] * Container running without memory restrictions: gitea
[WARN] 5.12 - Ensure that CPU priority is set appropriately on containers (Automated)
[WARN] * Container running without CPU restrictions: vaultwarden-db
[WARN] * Container running without CPU restrictions: nginx
[WARN] * Container running without CPU restrictions: vaultwarden
[WARN] * Container running without CPU restrictions: vagrant-vulnerable-1
[WARN] * Container running without CPU restrictions: gitea-db
[WARN] * Container running without CPU restrictions: gitea
[WARN] 5.13 - Ensure that the container's root filesystem is mounted as read only (Automated)
[WARN] * Container running with root FS mounted R/W: vaultwarden-db
[WARN] * Container running with root FS mounted R/W: nginx
[WARN] * Container running with root FS mounted R/W: vaultwarden
[WARN] * Container running with root FS mounted R/W: vagrant-vulnerable-1
[WARN] * Container running with root FS mounted R/W: gitea-db
[WARN] * Container running with root FS mounted R/W: gitea
[WARN] 5.14 - Ensure that incoming container traffic is bound to a specific host interface (Automated)
[WARN] * Port being bound to wildcard IP: 0.0.0.0 in nginx
[WARN] * Port being bound to wildcard IP: 0.0.0.0 in nginx
[WARN] * Port being bound to wildcard IP: 0.0.0.0 in vagrant-vulnerable-1
[PASS] 5.15 - Ensure that the 'on-failure' container restart policy is set to '5' (Automated)
[PASS] 5.16 - Ensure that the host's process namespace is not shared (Automated)
[PASS] 5.17 - Ensure that the host's IPC namespace is not shared (Automated)
[PASS] 5.18 - Ensure that host devices are not directly exposed to containers (Manual)
[INFO] 5.19 - Ensure that the default ulimit is overwritten at runtime if needed (Manual)
[INFO] * Container no default ulimit override: vaultwarden-db
[INFO] * Container no default ulimit override: nginx
[INFO] * Container no default ulimit override: vaultwarden
[INFO] * Container no default ulimit override: vagrant-vulnerable-1
[INFO] * Container no default ulimit override: gitea-db
[INFO] * Container no default ulimit override: gitea
[PASS] 5.20 - Ensure mount propagation mode is not set to shared (Automated)
[PASS] 5.21 - Ensure that the host's UTS namespace is not shared (Automated)
[PASS] 5.22 - Ensure the default seccomp profile is not Disabled (Automated)
[NOTE] 5.23 - Ensure that docker exec commands are not used with the privileged option (Automated)
[NOTE] 5.24 - Ensure that docker exec commands are not used with the user=root option (Manual)
[PASS] 5.25 - Ensure that cgroup usage is confirmed (Automated)
[WARN] 5.26 - Ensure that the container is restricted from acquiring additional privileges (Automated)
[WARN] * Privileges not restricted: vaultwarden-db
[WARN] * Privileges not restricted: nginx
[WARN] * Privileges not restricted: vaultwarden
[WARN] * Privileges not restricted: vagrant-vulnerable-1
[WARN] * Privileges not restricted: gitea-db
[WARN] * Privileges not restricted: gitea
[WARN] 5.27 - Ensure that container health is checked at runtime (Automated)
[WARN] * Health check not set: vaultwarden-db
[WARN] * Health check not set: nginx
[WARN] * Health check not set: vagrant-vulnerable-1
[WARN] * Health check not set: gitea-db
[WARN] * Health check not set: gitea
[INFO] 5.28 - Ensure that Docker commands always make use of the latest version of their image (Manual)
[WARN] 5.29 - Ensure that the PIDs cgroup limit is used (Automated)
[WARN] * PIDs limit not set: vaultwarden-db
[WARN] * PIDs limit not set: nginx
[WARN] * PIDs limit not set: vaultwarden
[WARN] * PIDs limit not set: vagrant-vulnerable-1
[WARN] * PIDs limit not set: gitea-db
[WARN] * PIDs limit not set: gitea
[PASS] 5.30 - Ensure that Docker's default bridge 'docker0' is not used (Manual)
[PASS] 5.31 - Ensure that the host's user namespaces are not shared (Automated)
[PASS] 5.32 - Ensure that the Docker socket is not mounted inside any containers (Automated)
[INFO] 6 - Docker Security Operations
[INFO] 6.1 - Ensure that image sprawl is avoided (Manual)
[INFO] * There are currently: 6 images
[INFO] 6.2 - Ensure that container sprawl is avoided (Manual)
[INFO] * There are currently a total of 6 containers, with 6 of them currently running
[INFO] 7 - Docker Swarm Configuration
[PASS] 7.1 - Ensure that the minimum number of manager nodes have been created in a swarm (Automated) (Swarm mode not enabled)
[PASS] 7.2 - Ensure that swarm services are bound to a specific host interface (Automated) (Swarm mode not enabled)
[PASS] 7.3 - Ensure that all Docker swarm overlay networks are encrypted (Automated)
[PASS] 7.4 - Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Manual) (Swarm mode not enabled)
[PASS] 7.5 - Ensure that swarm manager is run in auto-lock mode (Automated) (Swarm mode not enabled)
[PASS] 7.6 - Ensure that the swarm manager auto-lock key is rotated periodically (Manual) (Swarm mode not enabled)
[PASS] 7.7 - Ensure that node certificates are rotated as appropriate (Manual) (Swarm mode not enabled)
[PASS] 7.8 - Ensure that CA certificates are rotated as appropriate (Manual) (Swarm mode not enabled)
[PASS] 7.9 - Ensure that management plane traffic is separated from data plane traffic (Manual) (Swarm mode not enabled)
Section C - Score
[INFO] Checks: 117
[INFO] Score: 1

723
measurements/docker-bench/base.log.json Normal file
View File

@ -0,0 +1,723 @@
{
"dockerbenchsecurity": "1.6.0",
"start": 1747568555,
"tests": [
{
"id": "1",
"desc": "Host Configuration",
"results": [
{
"id": "1.1.1",
"desc": "Ensure a separate partition for containers has been created (Automated)",
"result": "WARN"
},
{
"id": "1.1.2",
"desc": "Ensure only trusted users are allowed to control Docker daemon (Automated)",
"result": "INFO",
"details": "doubtfulusers: vagrant,git",
"items": [
"vagrant,git"
]
},
{
"id": "1.1.3",
"desc": "Ensure auditing is configured for the Docker daemon (Automated)",
"result": "WARN"
},
{
"id": "1.1.4",
"desc": "Ensure auditing is configured for Docker files and directories -/run/containerd (Automated)",
"result": "WARN"
},
{
"id": "1.1.5",
"desc": "Ensure auditing is configured for Docker files and directories - /var/lib/docker (Automated)",
"result": "WARN"
},
{
"id": "1.1.6",
"desc": "Ensure auditing is configured for Docker files and directories - /etc/docker (Automated)",
"result": "WARN"
},
{
"id": "1.1.7",
"desc": "Ensure auditing is configured for Docker files and directories - docker.service (Automated)",
"result": "WARN"
},
{
"id": "1.1.8",
"desc": "Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)",
"result": "WARN"
},
{
"id": "1.1.9",
"desc": "Ensure auditing is configured for Docker files and directories - docker.socket (Automated)",
"result": "WARN"
},
{
"id": "1.1.10",
"desc": "Ensure auditing is configured for Docker files and directories - /etc/default/docker (Automated)",
"result": "WARN"
},
{
"id": "1.1.11",
"desc": "Ensure auditing is configured for Dockerfiles and directories - /etc/docker/daemon.json (Automated)",
"result": "INFO",
"details": "File not found"
},
{
"id": "1.1.12",
"desc": "1.1.12 Ensure auditing is configured for Dockerfiles and directories - /etc/containerd/config.toml (Automated)",
"result": "WARN"
},
{
"id": "1.1.13",
"desc": "Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Automated)",
"result": "INFO",
"details": "File not found"
},
{
"id": "1.1.14",
"desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Automated)",
"result": "WARN"
},
{
"id": "1.1.15",
"desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim (Automated)",
"result": "WARN"
},
{
"id": "1.1.16",
"desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v1 (Automated)",
"result": "WARN"
},
{
"id": "1.1.17",
"desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v2 (Automated)",
"result": "WARN"
},
{
"id": "1.1.18",
"desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/runc (Automated)",
"result": "WARN"
},
{
"id": "1.2.1",
"desc": "Ensure the container host has been Hardened (Manual)",
"result": "INFO"
},
{
"id": "1.2.2",
"desc": "Ensure that the version of Docker is up to date (Manual)",
"result": "PASS",
"details": "Using 28.1.1"
}
]
},
{
"id": "2",
"desc": "Docker daemon configuration",
"results": [
{
"id": "2.1",
"desc": "Run the Docker daemon as a non-root user, if possible (Manual)",
"result": "INFO"
},
{
"id": "2.2",
"desc": "Ensure network traffic is restricted between containers on the default bridge (Scored)",
"result": "WARN"
},
{
"id": "2.3",
"desc": "Ensure the logging level is set to 'info' (Scored)",
"result": "PASS"
},
{
"id": "2.4",
"desc": "Ensure Docker is allowed to make changes to iptables (Scored)",
"result": "PASS"
},
{
"id": "2.5",
"desc": "Ensure insecure registries are not used (Scored)",
"result": "PASS"
},
{
"id": "2.6",
"desc": "Ensure aufs storage driver is not used (Scored)",
"result": "PASS"
},
{
"id": "2.7",
"desc": "Ensure TLS authentication for Docker daemon is configured (Scored)",
"result": "INFO",
"details": "Docker daemon not listening on TCP"
},
{
"id": "2.8",
"desc": "Ensure the default ulimit is configured appropriately (Manual)",
"result": "INFO",
"details": "Default ulimit doesn't appear to be set"
},
{
"id": "2.9",
"desc": "Enable user namespace support (Scored)",
"result": "WARN"
},
{
"id": "2.10",
"desc": "Ensure the default cgroup usage has been confirmed (Scored)",
"result": "PASS"
},
{
"id": "2.11",
"desc": "Ensure base device size is not changed until needed (Scored)",
"result": "PASS"
},
{
"id": "2.12",
"desc": "Ensure that authorization for Docker client commands is enabled (Scored)",
"result": "WARN"
},
{
"id": "2.13",
"desc": "Ensure centralized and remote logging is configured (Scored)",
"result": "WARN"
},
{
"id": "2.14",
"desc": "Ensure containers are restricted from acquiring new privileges (Scored)",
"result": "WARN"
},
{
"id": "2.15",
"desc": "Ensure live restore is enabled (Scored)",
"result": "WARN"
},
{
"id": "2.16",
"desc": "Ensure Userland Proxy is Disabled (Scored)",
"result": "WARN"
},
{
"id": "2.17",
"desc": "Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Manual)",
"result": "INFO"
},
{
"id": "2.18",
"desc": "Ensure that experimental features are not implemented in production (Scored)",
"result": "INFO"
}
]
},
{
"id": "3",
"desc": "Docker daemon configuration files",
"results": [
{
"id": "3.1",
"desc": "Ensure that the docker.service file ownership is set to root:root (Automated)",
"result": "PASS"
},
{
"id": "3.2",
"desc": "Ensure that docker.service file permissions are appropriately set (Automated)",
"result": "PASS"
},
{
"id": "3.3",
"desc": "Ensure that docker.socket file ownership is set to root:root (Automated)",
"result": "PASS"
},
{
"id": "3.4",
"desc": "Ensure that docker.socket file permissions are set to 644 or more restrictive (Automated)",
"result": "PASS"
},
{
"id": "3.5",
"desc": "Ensure that the /etc/docker directory ownership is set to root:root (Automated)",
"result": "PASS"
},
{
"id": "3.6",
"desc": "Ensure that /etc/docker directory permissions are set to 755 or more restrictively (Automated)",
"result": "PASS"
},
{
"id": "3.7",
"desc": "Ensure that registry certificate file ownership is set to root:root (Automated)",
"result": "INFO",
"details": "Directory not found"
},
{
"id": "3.8",
"desc": "Ensure that registry certificate file permissions are set to 444 or more restrictively (Automated)",
"result": "INFO",
"details": "Directory not found"
},
{
"id": "3.9",
"desc": "Ensure that TLS CA certificate file ownership is set to root:root (Automated)",
"result": "INFO",
"details": "No TLS CA certificate found"
},
{
"id": "3.10",
"desc": "Ensure that TLS CA certificate file permissions are set to 444 or more restrictively (Automated)",
"result": "INFO",
"details": "No TLS CA certificate found"
},
{
"id": "3.11",
"desc": "Ensure that Docker server certificate file ownership is set to root:root (Automated)",
"result": "INFO",
"details": "No TLS Server certificate found"
},
{
"id": "3.12",
"desc": "Ensure that the Docker server certificate file permissions are set to 444 or more restrictively (Automated)",
"result": "INFO",
"details": "No TLS Server certificate found"
},
{
"id": "3.13",
"desc": "Ensure that the Docker server certificate key file ownership is set to root:root (Automated)",
"result": "INFO",
"details": "No TLS Key found"
},
{
"id": "3.14",
"desc": "Ensure that the Docker server certificate key file permissions are set to 400 (Automated)",
"result": "INFO",
"details": "No TLS Key found"
},
{
"id": "3.15",
"desc": "Ensure that the Docker socket file ownership is set to root:docker (Automated)",
"result": "PASS"
},
{
"id": "3.16",
"desc": "Ensure that the Docker socket file permissions are set to 660 or more restrictively (Automated)",
"result": "PASS"
},
{
"id": "3.17",
"desc": "Ensure that the daemon.json file ownership is set to root:root (Automated)",
"result": "INFO",
"details": "File not found"
},
{
"id": "3.18",
"desc": "Ensure that daemon.json file permissions are set to 644 or more restrictive (Automated)",
"result": "INFO",
"details": "File not found"
},
{
"id": "3.19",
"desc": "Ensure that the /etc/default/docker file ownership is set to root:root (Automated)",
"result": "PASS"
},
{
"id": "3.20",
"desc": "Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively (Automated)",
"result": "PASS"
},
{
"id": "3.21",
"desc": "Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (Automated)",
"result": "INFO",
"details": "File not found"
},
{
"id": "3.22",
"desc": "Ensure that the /etc/sysconfig/docker file ownership is set to root:root (Automated)",
"result": "INFO",
"details": "File not found"
},
{
"id": "3.23",
"desc": "Ensure that the Containerd socket file ownership is set to root:root (Automated)",
"result": "PASS"
},
{
"id": "3.24",
"desc": "Ensure that the Containerd socket file permissions are set to 660 or more restrictively (Automated)",
"result": "PASS"
}
]
},
{
"id": "4",
"desc": "Container Images and Build File",
"results": [
{
"id": "4.1",
"desc": "Ensure that a user for the container has been created (Automated)",
"result": "WARN",
"details": "running as root: vaultwarden-db nginx vaultwarden vagrant-vulnerable-1 gitea-db gitea",
"items": [
"vaultwarden-db","nginx","vaultwarden","vagrant-vulnerable-1","gitea-db","gitea"
]
},
{
"id": "4.2",
"desc": "Ensure that containers use only trusted base images (Manual)",
"result": "NOTE"
},
{
"id": "4.3",
"desc": "Ensure that unnecessary packages are not installed in the container (Manual)",
"result": "NOTE"
},
{
"id": "4.4",
"desc": "Ensure images are scanned and rebuilt to include security patches (Manual)",
"result": "NOTE"
},
{
"id": "4.5",
"desc": "Ensure Content trust for Docker is Enabled (Automated)",
"result": "WARN"
},
{
"id": "4.6",
"desc": "Ensure that HEALTHCHECK instructions have been added to container images (Automated)",
"result": "WARN",
"details": "Images w/o HEALTHCHECK: [vagrant-vulnerable:latest] [docker.gitea.com/gitea:latest] [postgres:latest] [nginx:latest]",
"items": [
"[vagrant-vulnerable:latest]","[docker.gitea.com/gitea:latest]","[postgres:latest]","[nginx:latest]"
]
},
{
"id": "4.7",
"desc": "Ensure update instructions are not used alone in the Dockerfile (Manual)",
"result": "INFO",
"details": "Update instructions found: [vagrant-vulnerable:latest] [postgres:latest]",
"items": [
"[vagrant-vulnerable:latest]","[postgres:latest]"
]
},
{
"id": "4.8",
"desc": "Ensure setuid and setgid permissions are removed (Manual)",
"result": "NOTE"
},
{
"id": "4.9",
"desc": "Ensure that COPY is used instead of ADD in Dockerfiles (Manual)",
"result": "INFO",
"details": "Images using ADD: [vagrant-vulnerable:latest] [vaultwarden/server:latest]",
"items": [
"[vagrant-vulnerable:latest]","[vaultwarden/server:latest]"
]
},
{
"id": "4.10",
"desc": "Ensure secrets are not stored in Dockerfiles (Manual)",
"result": "NOTE"
},
{
"id": "4.11",
"desc": "Ensure only verified packages are installed (Manual)",
"result": "NOTE"
},
{
"id": "4.12",
"desc": "Ensure all signed artifacts are validated (Manual)",
"result": "NOTE"
}
]
},
{
"id": "5",
"desc": "Container Runtime",
"results": [
{
"id": "5.1",
"desc": "Ensure swarm mode is not Enabled, if not needed (Automated)",
"result": "PASS"
},
{
"id": "5.2",
"desc": "Ensure that, if applicable, an AppArmor Profile is enabled (Automated)",
"result": "PASS"
},
{
"id": "5.3",
"desc": "Ensure that, if applicable, SELinux security options are set (Automated)",
"result": "WARN",
"details": "Containers with no SecurityOptions: vaultwarden-db nginx vaultwarden vagrant-vulnerable-1 gitea-db gitea",
"items": [
"vaultwarden-db","nginx","vaultwarden","vagrant-vulnerable-1","gitea-db","gitea"
]
},
{
"id": "5.4",
"desc": "Ensure that Linux kernel capabilities are restricted within containers (Automated)",
"result": "PASS"
},
{
"id": "5.5",
"desc": "Ensure that privileged containers are not used (Automated)",
"result": "PASS"
},
{
"id": "5.6",
"desc": "Ensure sensitive host system directories are not mounted on containers (Automated)",
"result": "PASS"
},
{
"id": "5.7",
"desc": "Ensure sshd is not run within containers (Automated)",
"result": "WARN",
"details": "Containers with sshd/docker exec failures: vagrant-vulnerable-1 gitea",
"items": [
"vagrant-vulnerable-1","gitea"
]
},
{
"id": "5.8",
"desc": "Ensure privileged ports are not mapped within containers (Automated)",
"result": "WARN",
"details": "Containers using privileged ports: nginx:80 nginx:443",
"items": [
"nginx:80","nginx:443"
]
},
{
"id": "5.9",
"desc": "Ensure that only needed ports are open on the container (Manual)",
"result": "WARN",
"details": "Containers with open ports: nginx:80 nginx:443 vagrant-vulnerable-1:2222",
"items": [
"nginx:80","nginx:443","vagrant-vulnerable-1:2222"
]
},
{
"id": "5.10",
"desc": "Ensure that the host's network namespace is not shared (Automated)",
"result": "PASS"
},
{
"id": "5.11",
"desc": "Ensure that the memory usage for containers is limited (Automated)",
"result": "WARN",
"details": "Container running without memory restrictions: vaultwarden-db nginx vaultwarden vagrant-vulnerable-1 gitea-db gitea",
"items": [
"vaultwarden-db","nginx","vaultwarden","vagrant-vulnerable-1","gitea-db","gitea"
]
},
{
"id": "5.12",
"desc": "Ensure that CPU priority is set appropriately on containers (Automated)",
"result": "WARN",
"details": "Containers running without CPU restrictions: vaultwarden-db nginx vaultwarden vagrant-vulnerable-1 gitea-db gitea",
"items": [
"vaultwarden-db","nginx","vaultwarden","vagrant-vulnerable-1","gitea-db","gitea"
]
},
{
"id": "5.13",
"desc": "Ensure that the container's root filesystem is mounted as read only (Automated)",
"result": "WARN",
"details": "Containers running with root FS mounted R/W: vaultwarden-db nginx vaultwarden vagrant-vulnerable-1 gitea-db gitea",
"items": [
"vaultwarden-db","nginx","vaultwarden","vagrant-vulnerable-1","gitea-db","gitea"
]
},
{
"id": "5.14",
"desc": "Ensure that incoming container traffic is bound to a specific host interface (Automated)",
"result": "WARN",
"details": "Containers with port bound to wildcard IP: nginx:0.0.0.0 nginx:0.0.0.0 vagrant-vulnerable-1:0.0.0.0",
"items": [
"nginx:0.0.0.0","nginx:0.0.0.0","vagrant-vulnerable-1:0.0.0.0"
]
},
{
"id": "5.15",
"desc": "Ensure that the 'on-failure' container restart policy is set to '5' (Automated)",
"result": "PASS"
},
{
"id": "5.16",
"desc": "Ensure that the host's process namespace is not shared (Automated)",
"result": "PASS"
},
{
"id": "5.17",
"desc": "Ensure that the host's IPC namespace is not shared (Automated)",
"result": "PASS"
},
{
"id": "5.18",
"desc": "Ensure that host devices are not directly exposed to containers (Manual)",
"result": "PASS"
},
{
"id": "5.19",
"desc": "Ensure that the default ulimit is overwritten at runtime if needed (Manual)",
"result": "INFO",
"details": "Containers with no default ulimit override: vaultwarden-db nginx vaultwarden vagrant-vulnerable-1 gitea-db gitea",
"items": [
"vaultwarden-db","nginx","vaultwarden","vagrant-vulnerable-1","gitea-db","gitea"
]
},
{
"id": "5.20",
"desc": "Ensure mount propagation mode is not set to shared (Automated)",
"result": "PASS"
},
{
"id": "5.21",
"desc": "Ensure that the host's UTS namespace is not shared (Automated)",
"result": "PASS"
},
{
"id": "5.22",
"desc": "Ensure the default seccomp profile is not Disabled (Automated)",
"result": "PASS"
},
{
"id": "5.23",
"desc": "Ensure that docker exec commands are not used with the privileged option (Automated)",
"result": "NOTE"
},
{
"id": "5.24",
"desc": "Ensure that docker exec commands are not used with the user=root option (Manual)",
"result": "NOTE"
},
{
"id": "5.25",
"desc": "Ensure that cgroup usage is confirmed (Automated)",
"result": "PASS"
},
{
"id": "5.26",
"desc": "Ensure that the container is restricted from acquiring additional privileges (Automated)",
"result": "WARN",
"details": "Containers without restricted privileges: vaultwarden-db nginx vaultwarden vagrant-vulnerable-1 gitea-db gitea",
"items": [
"vaultwarden-db","nginx","vaultwarden","vagrant-vulnerable-1","gitea-db","gitea"
]
},
{
"id": "5.27",
"desc": "Ensure that container health is checked at runtime (Automated)",
"result": "WARN",
"details": "Containers without health check: vaultwarden-db nginx vagrant-vulnerable-1 gitea-db gitea",
"items": [
"vaultwarden-db","nginx","vagrant-vulnerable-1","gitea-db","gitea"
]
},
{
"id": "5.28",
"desc": "Ensure that Docker commands always make use of the latest version of their image (Manual)",
"result": "INFO"
},
{
"id": "5.29",
"desc": "Ensure that the PIDs cgroup limit is used (Automated)",
"result": "WARN",
"details": "Containers without PIDs cgroup limit: vaultwarden-db nginx vaultwarden vagrant-vulnerable-1 gitea-db gitea",
"items": [
"vaultwarden-db","nginx","vaultwarden","vagrant-vulnerable-1","gitea-db","gitea"
]
},
{
"id": "5.30",
"desc": "Ensure that Docker's default bridge 'docker0' is not used (Manual)",
"result": "PASS"
},
{
"id": "5.31",
"desc": "Ensure that the host's user namespaces are not shared (Automated)",
"result": "PASS"
},
{
"id": "5.32",
"desc": "Ensure that the Docker socket is not mounted inside any containers (Automated)",
"result": "PASS"
}
]
},
{
"id": "6",
"desc": "Docker Security Operations",
"results": [
{
"id": "6.1",
"desc": "Ensure that image sprawl is avoided (Manual)",
"result": "INFO",
"details": "6 active/6 in use"
},
{
"id": "6.2",
"desc": "Ensure that container sprawl is avoided (Manual)",
"result": "INFO",
"details": "6 total/6 running"
}
]
},
{
"id": "7",
"desc": "Docker Swarm Configuration",
"results": [
{
"id": "7.1",
"desc": "Ensure that the minimum number of manager nodes have been created in a swarm (Automated)",
"result": "PASS"
},
{
"id": "7.2",
"desc": "Ensure that swarm services are bound to a specific host interface (Automated)",
"result": "PASS"
},
{
"id": "7.3",
"desc": "Ensure that all Docker swarm overlay networks are encrypted (Automated)",
"result": "PASS"
},
{
"id": "7.4",
"desc": "Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Manual)",
"result": "PASS"
},
{
"id": "7.5",
"desc": "Ensure that swarm manager is run in auto-lock mode (Automated)",
"result": "PASS"
},
{
"id": "7.6",
"desc": "Ensure that the swarm manager auto-lock key is rotated periodically (Manual)",
"result": "PASS"
},
{
"id": "7.7",
"desc": "Ensure that node certificates are rotated as appropriate (Manual)",
"result": "PASS"
},
{
"id": "7.8",
"desc": "Ensure that CA certificates are rotated as appropriate (Manual)",
"result": "PASS"
},
{
"id": "7.9",
"desc": "Ensure that management plane traffic is separated from data plane traffic (Manual)",
"result": "PASS"
}
]
}
],
"checks": 117,
"score": 1,
"end": 1747568565
}

236
measurements/docker-bench/base_cleaned.log Normal file
View File

@ -0,0 +1,236 @@
Initializing 2025-05-18T11:42:35+00:00
Section A - Check results[0m
[INFO][0m 1 - Host Configuration
[INFO][0m 1.1 - Linux Hosts Specific Configuration
[WARN][0m 1.1.1 - Ensure a separate partition for containers has been created (Automated)
[INFO][0m 1.1.2 - Ensure only trusted users are allowed to control Docker daemon (Automated)
[INFO][0m * Users: vagrant,git
[WARN][0m 1.1.3 - Ensure auditing is configured for the Docker daemon (Automated)
[WARN][0m 1.1.4 - Ensure auditing is configured for Docker files and directories -/run/containerd (Automated)
[WARN][0m 1.1.5 - Ensure auditing is configured for Docker files and directories - /var/lib/docker (Automated)
[WARN][0m 1.1.6 - Ensure auditing is configured for Docker files and directories - /etc/docker (Automated)
[WARN][0m 1.1.7 - Ensure auditing is configured for Docker files and directories - docker.service (Automated)
[WARN][0m 1.1.8 - Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)
[WARN][0m 1.1.9 - Ensure auditing is configured for Docker files and directories - docker.socket (Automated)
[WARN][0m 1.1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker (Automated)
[INFO][0m 1.1.11 - Ensure auditing is configured for Dockerfiles and directories - /etc/docker/daemon.json (Automated)
[INFO][0m * File not found
[WARN][0m 1.1.12 - 1.1.12 Ensure auditing is configured for Dockerfiles and directories - /etc/containerd/config.toml (Automated)
[INFO][0m 1.1.13 - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Automated)
[INFO][0m * File not found
[WARN][0m 1.1.14 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Automated)
[WARN][0m 1.1.15 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim (Automated)
[WARN][0m 1.1.16 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v1 (Automated)
[WARN][0m 1.1.17 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v2 (Automated)
[WARN][0m 1.1.18 - Ensure auditing is configured for Docker files and directories - /usr/bin/runc (Automated)
[INFO][0m 1.2 - General Configuration
[NOTE][0m 1.2.1 - Ensure the container host has been Hardened (Manual)
[PASS][0m 1.2.2 - Ensure that the version of Docker is up to date (Manual)
[INFO][0m * Using 28.1.1 which is current
[INFO][0m * Check with your operating system vendor for support and security maintenance for Docker
[INFO][0m 2 - Docker daemon configuration
[NOTE][0m 2.1 - Run the Docker daemon as a non-root user, if possible (Manual)
[WARN][0m 2.2 - Ensure network traffic is restricted between containers on the default bridge (Scored)
[PASS][0m 2.3 - Ensure the logging level is set to 'info' (Scored)
[PASS][0m 2.4 - Ensure Docker is allowed to make changes to iptables (Scored)
[PASS][0m 2.5 - Ensure insecure registries are not used (Scored)
[PASS][0m 2.6 - Ensure aufs storage driver is not used (Scored)
[INFO][0m 2.7 - Ensure TLS authentication for Docker daemon is configured (Scored)
[INFO][0m * Docker daemon not listening on TCP
[INFO][0m 2.8 - Ensure the default ulimit is configured appropriately (Manual)
[INFO][0m * Default ulimit doesn't appear to be set
[WARN][0m 2.9 - Enable user namespace support (Scored)
[PASS][0m 2.10 - Ensure the default cgroup usage has been confirmed (Scored)
[PASS][0m 2.11 - Ensure base device size is not changed until needed (Scored)
[WARN][0m 2.12 - Ensure that authorization for Docker client commands is enabled (Scored)
[WARN][0m 2.13 - Ensure centralized and remote logging is configured (Scored)
[WARN][0m 2.14 - Ensure containers are restricted from acquiring new privileges (Scored)
[WARN][0m 2.15 - Ensure live restore is enabled (Scored)
[WARN][0m 2.16 - Ensure Userland Proxy is Disabled (Scored)
[INFO][0m 2.17 - Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Manual)
[INFO][0m Ensure that experimental features are not implemented in production (Scored) (Deprecated)
[INFO][0m 3 - Docker daemon configuration files
[PASS][0m 3.1 - Ensure that the docker.service file ownership is set to root:root (Automated)
[PASS][0m 3.2 - Ensure that docker.service file permissions are appropriately set (Automated)
[PASS][0m 3.3 - Ensure that docker.socket file ownership is set to root:root (Automated)
[PASS][0m 3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive (Automated)
[PASS][0m 3.5 - Ensure that the /etc/docker directory ownership is set to root:root (Automated)
[PASS][0m 3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictively (Automated)
[INFO][0m 3.7 - Ensure that registry certificate file ownership is set to root:root (Automated)
[INFO][0m * Directory not found
[INFO][0m 3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictively (Automated)
[INFO][0m * Directory not found
[INFO][0m 3.9 - Ensure that TLS CA certificate file ownership is set to root:root (Automated)
[INFO][0m * No TLS CA certificate found
[INFO][0m 3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictively (Automated)
[INFO][0m * No TLS CA certificate found
[INFO][0m 3.11 - Ensure that Docker server certificate file ownership is set to root:root (Automated)
[INFO][0m * No TLS Server certificate found
[INFO][0m 3.12 - Ensure that the Docker server certificate file permissions are set to 444 or more restrictively (Automated)
[INFO][0m * No TLS Server certificate found
[INFO][0m 3.13 - Ensure that the Docker server certificate key file ownership is set to root:root (Automated)
[INFO][0m * No TLS Key found
[INFO][0m 3.14 - Ensure that the Docker server certificate key file permissions are set to 400 (Automated)
[INFO][0m * No TLS Key found
[PASS][0m 3.15 - Ensure that the Docker socket file ownership is set to root:docker (Automated)
[PASS][0m 3.16 - Ensure that the Docker socket file permissions are set to 660 or more restrictively (Automated)
[INFO][0m 3.17 - Ensure that the daemon.json file ownership is set to root:root (Automated)
[INFO][0m * File not found
[INFO][0m 3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive (Automated)
[INFO][0m * File not found
[PASS][0m 3.19 - Ensure that the /etc/default/docker file ownership is set to root:root (Automated)
[PASS][0m 3.20 - Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively (Automated)
[INFO][0m 3.21 - Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (Automated)
[INFO][0m * File not found
[INFO][0m 3.22 - Ensure that the /etc/sysconfig/docker file ownership is set to root:root (Automated)
[INFO][0m * File not found
[PASS][0m 3.23 - Ensure that the Containerd socket file ownership is set to root:root (Automated)
[PASS][0m 3.24 - Ensure that the Containerd socket file permissions are set to 660 or more restrictively (Automated)
[INFO][0m 4 - Container Images and Build File
[WARN][0m 4.1 - Ensure that a user for the container has been created (Automated)
[WARN][0m * Running as root: vaultwarden-db
[WARN][0m * Running as root: nginx
[WARN][0m * Running as root: vaultwarden
[WARN][0m * Running as root: vagrant-vulnerable-1
[WARN][0m * Running as root: gitea-db
[WARN][0m * Running as root: gitea
[NOTE][0m 4.2 - Ensure that containers use only trusted base images (Manual)
[NOTE][0m 4.3 - Ensure that unnecessary packages are not installed in the container (Manual)
[NOTE][0m 4.4 - Ensure images are scanned and rebuilt to include security patches (Manual)
[WARN][0m 4.5 - Ensure Content trust for Docker is Enabled (Automated)
[WARN][0m 4.6 - Ensure that HEALTHCHECK instructions have been added to container images (Automated)
[WARN][0m * No Healthcheck found: [vagrant-vulnerable:latest]
[WARN][0m * No Healthcheck found: [docker.gitea.com/gitea:latest]
[WARN][0m * No Healthcheck found: [postgres:latest]
[WARN][0m * No Healthcheck found: [nginx:latest]
[INFO][0m 4.7 - Ensure update instructions are not used alone in the Dockerfile (Manual)
[INFO][0m * Update instruction found: [vagrant-vulnerable:latest]
[INFO][0m * Update instruction found: [postgres:latest]
[NOTE][0m 4.8 - Ensure setuid and setgid permissions are removed (Manual)
[INFO][0m 4.9 - Ensure that COPY is used instead of ADD in Dockerfiles (Manual)
[INFO][0m * ADD in image history: [vagrant-vulnerable:latest]
[INFO][0m * ADD in image history: [vaultwarden/server:latest]
[NOTE][0m 4.10 - Ensure secrets are not stored in Dockerfiles (Manual)
[NOTE][0m 4.11 - Ensure only verified packages are installed (Manual)
[NOTE][0m 4.12 - Ensure all signed artifacts are validated (Manual)
[INFO][0m 5 - Container Runtime
[PASS][0m 5.1 - Ensure swarm mode is not Enabled, if not needed (Automated)
[PASS][0m 5.2 - Ensure that, if applicable, an AppArmor Profile is enabled (Automated)
[WARN][0m 5.3 - Ensure that, if applicable, SELinux security options are set (Automated)
[WARN][0m * No SecurityOptions Found: vaultwarden-db
[WARN][0m * No SecurityOptions Found: nginx
[WARN][0m * No SecurityOptions Found: vaultwarden
[WARN][0m * No SecurityOptions Found: vagrant-vulnerable-1
[WARN][0m * No SecurityOptions Found: gitea-db
[WARN][0m * No SecurityOptions Found: gitea
[PASS][0m 5.4 - Ensure that Linux kernel capabilities are restricted within containers (Automated)
[PASS][0m 5.5 - Ensure that privileged containers are not used (Automated)
[PASS][0m 5.6 - Ensure sensitive host system directories are not mounted on containers (Automated)
[WARN][0m 5.7 - Ensure sshd is not run within containers (Automated)
[WARN][0m * Container running sshd: vagrant-vulnerable-1
[WARN][0m * Container running sshd: gitea
[WARN][0m 5.8 - Ensure privileged ports are not mapped within containers (Automated)
[WARN][0m * Privileged Port in use: 80 in nginx
[WARN][0m * Privileged Port in use: 443 in nginx
[WARN][0m 5.9 - Ensure that only needed ports are open on the container (Manual)
[WARN][0m * Port in use: 80 in nginx
[WARN][0m * Port in use: 443 in nginx
[WARN][0m * Port in use: 2222 in vagrant-vulnerable-1
[PASS][0m 5.10 - Ensure that the host's network namespace is not shared (Automated)
[WARN][0m 5.11 - Ensure that the memory usage for containers is limited (Automated)
[WARN][0m * Container running without memory restrictions: vaultwarden-db
[WARN][0m * Container running without memory restrictions: nginx
[WARN][0m * Container running without memory restrictions: vaultwarden
[WARN][0m * Container running without memory restrictions: vagrant-vulnerable-1
[WARN][0m * Container running without memory restrictions: gitea-db
[WARN][0m * Container running without memory restrictions: gitea
[WARN][0m 5.12 - Ensure that CPU priority is set appropriately on containers (Automated)
[WARN][0m * Container running without CPU restrictions: vaultwarden-db
[WARN][0m * Container running without CPU restrictions: nginx
[WARN][0m * Container running without CPU restrictions: vaultwarden
[WARN][0m * Container running without CPU restrictions: vagrant-vulnerable-1
[WARN][0m * Container running without CPU restrictions: gitea-db
[WARN][0m * Container running without CPU restrictions: gitea
[WARN][0m 5.13 - Ensure that the container's root filesystem is mounted as read only (Automated)
[WARN][0m * Container running with root FS mounted R/W: vaultwarden-db
[WARN][0m * Container running with root FS mounted R/W: nginx
[WARN][0m * Container running with root FS mounted R/W: vaultwarden
[WARN][0m * Container running with root FS mounted R/W: vagrant-vulnerable-1
[WARN][0m * Container running with root FS mounted R/W: gitea-db
[WARN][0m * Container running with root FS mounted R/W: gitea
[WARN][0m 5.14 - Ensure that incoming container traffic is bound to a specific host interface (Automated)
[WARN][0m * Port being bound to wildcard IP: 0.0.0.0 in nginx
[WARN][0m * Port being bound to wildcard IP: 0.0.0.0 in nginx
[WARN][0m * Port being bound to wildcard IP: 0.0.0.0 in vagrant-vulnerable-1
[PASS][0m 5.15 - Ensure that the 'on-failure' container restart policy is set to '5' (Automated)
[PASS][0m 5.16 - Ensure that the host's process namespace is not shared (Automated)
[PASS][0m 5.17 - Ensure that the host's IPC namespace is not shared (Automated)
[PASS][0m 5.18 - Ensure that host devices are not directly exposed to containers (Manual)
[INFO][0m 5.19 - Ensure that the default ulimit is overwritten at runtime if needed (Manual)
[INFO][0m * Container no default ulimit override: vaultwarden-db
[INFO][0m * Container no default ulimit override: nginx
[INFO][0m * Container no default ulimit override: vaultwarden
[INFO][0m * Container no default ulimit override: vagrant-vulnerable-1
[INFO][0m * Container no default ulimit override: gitea-db
[INFO][0m * Container no default ulimit override: gitea
[PASS][0m 5.20 - Ensure mount propagation mode is not set to shared (Automated)
[PASS][0m 5.21 - Ensure that the host's UTS namespace is not shared (Automated)
[PASS][0m 5.22 - Ensure the default seccomp profile is not Disabled (Automated)
[NOTE][0m 5.23 - Ensure that docker exec commands are not used with the privileged option (Automated)
[NOTE][0m 5.24 - Ensure that docker exec commands are not used with the user=root option (Manual)
[PASS][0m 5.25 - Ensure that cgroup usage is confirmed (Automated)
[WARN][0m 5.26 - Ensure that the container is restricted from acquiring additional privileges (Automated)
[WARN][0m * Privileges not restricted: vaultwarden-db
[WARN][0m * Privileges not restricted: nginx
[WARN][0m * Privileges not restricted: vaultwarden
[WARN][0m * Privileges not restricted: vagrant-vulnerable-1
[WARN][0m * Privileges not restricted: gitea-db
[WARN][0m * Privileges not restricted: gitea
[WARN][0m 5.27 - Ensure that container health is checked at runtime (Automated)
[WARN][0m * Health check not set: vaultwarden-db
[WARN][0m * Health check not set: nginx
[WARN][0m * Health check not set: vagrant-vulnerable-1
[WARN][0m * Health check not set: gitea-db
[WARN][0m * Health check not set: gitea
[INFO][0m 5.28 - Ensure that Docker commands always make use of the latest version of their image (Manual)
[WARN][0m 5.29 - Ensure that the PIDs cgroup limit is used (Automated)
[WARN][0m * PIDs limit not set: vaultwarden-db
[WARN][0m * PIDs limit not set: nginx
[WARN][0m * PIDs limit not set: vaultwarden
[WARN][0m * PIDs limit not set: vagrant-vulnerable-1
[WARN][0m * PIDs limit not set: gitea-db
[WARN][0m * PIDs limit not set: gitea
[PASS][0m 5.30 - Ensure that Docker's default bridge 'docker0' is not used (Manual)
[PASS][0m 5.31 - Ensure that the host's user namespaces are not shared (Automated)
[PASS][0m 5.32 - Ensure that the Docker socket is not mounted inside any containers (Automated)
[INFO][0m 6 - Docker Security Operations
[INFO][0m 6.1 - Ensure that image sprawl is avoided (Manual)
[INFO][0m * There are currently: 6 images
[INFO][0m 6.2 - Ensure that container sprawl is avoided (Manual)
[INFO][0m * There are currently a total of 6 containers, with 6 of them currently running
[INFO][0m 7 - Docker Swarm Configuration
[PASS][0m 7.1 - Ensure that the minimum number of manager nodes have been created in a swarm (Automated) (Swarm mode not enabled)
[PASS][0m 7.2 - Ensure that swarm services are bound to a specific host interface (Automated) (Swarm mode not enabled)
[PASS][0m 7.3 - Ensure that all Docker swarm overlay networks are encrypted (Automated)
[PASS][0m 7.4 - Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Manual) (Swarm mode not enabled)
[PASS][0m 7.5 - Ensure that swarm manager is run in auto-lock mode (Automated) (Swarm mode not enabled)
[PASS][0m 7.6 - Ensure that the swarm manager auto-lock key is rotated periodically (Manual) (Swarm mode not enabled)
[PASS][0m 7.7 - Ensure that node certificates are rotated as appropriate (Manual) (Swarm mode not enabled)
[PASS][0m 7.8 - Ensure that CA certificates are rotated as appropriate (Manual) (Swarm mode not enabled)
[PASS][0m 7.9 - Ensure that management plane traffic is separated from data plane traffic (Manual) (Swarm mode not enabled)
Section C - Score[0m
[INFO][0m Checks: 117
[INFO][0m Score: 1

733
measurements/docker-bench/base_cleaned.log.json Normal file
View File

@ -0,0 +1,733 @@
{
"dockerbenchsecurity": "1.6.0",
"start": 1747568555,
"tests": [
{
"id": "1",
"desc": "Host Configuration",
"results": [
{
"id": "1.1.1",
"desc": "Ensure a separate partition for containers has been created (Automated)",
"result": "WARN"
},
{
"id": "1.1.2",
"desc": "Ensure only trusted users are allowed to control Docker daemon (Automated)",
"result": "INFO",
"details": "doubtfulusers: vagrant,git",
"items": [
"vagrant,git"
]
},
{
"id": "1.1.3",
"desc": "Ensure auditing is configured for the Docker daemon (Automated)",
"result": "WARN"
},
{
"id": "1.1.4",
"desc": "Ensure auditing is configured for Docker files and directories -/run/containerd (Automated)",
"result": "WARN"
},
{
"id": "1.1.5",
"desc": "Ensure auditing is configured for Docker files and directories - /var/lib/docker (Automated)",
"result": "WARN"
},
{
"id": "1.1.6",
"desc": "Ensure auditing is configured for Docker files and directories - /etc/docker (Automated)",
"result": "WARN"
},
{
"id": "1.1.7",
"desc": "Ensure auditing is configured for Docker files and directories - docker.service (Automated)",
"result": "WARN"
},
{
"id": "1.1.8",
"desc": "Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)",
"result": "WARN"
},
{
"id": "1.1.9",
"desc": "Ensure auditing is configured for Docker files and directories - docker.socket (Automated)",
"result": "WARN"
},
{
"id": "1.1.10",
"desc": "Ensure auditing is configured for Docker files and directories - /etc/default/docker (Automated)",
"result": "WARN"
},
{
"id": "1.1.11",
"desc": "Ensure auditing is configured for Dockerfiles and directories - /etc/docker/daemon.json (Automated)",
"result": "INFO",
"details": "File not found"
},
{
"id": "1.1.12",
"desc": "1.1.12 Ensure auditing is configured for Dockerfiles and directories - /etc/containerd/config.toml (Automated)",
"result": "WARN"
},
{
"id": "1.1.13",
"desc": "Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Automated)",
"result": "INFO",
"details": "File not found"
},
{
"id": "1.1.14",
"desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Automated)",
"result": "WARN"
},
{
"id": "1.1.15",
"desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim (Automated)",
"result": "WARN"
},
{
"id": "1.1.16",
"desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v1 (Automated)",
"result": "WARN"
},
{
"id": "1.1.17",
"desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v2 (Automated)",
"result": "WARN"
},
{
"id": "1.1.18",
"desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/runc (Automated)",
"result": "WARN"
},
{
"id": "1.2.1",
"desc": "Ensure the container host has been Hardened (Manual)",
"result": "INFO"
},
{
"id": "1.2.2",
"desc": "Ensure that the version of Docker is up to date (Manual)",
"result": "PASS",
"details": "Using 28.1.1"
}
]
},
{
"id": "2",
"desc": "Docker daemon configuration",
"results": [
{
"id": "2.1",
"desc": "Run the Docker daemon as a non-root user, if possible (Manual)",
"result": "INFO"
},
{
"id": "2.2",
"desc": "Ensure network traffic is restricted between containers on the default bridge (Scored)",
"result": "WARN"
},
{
"id": "2.3",
"desc": "Ensure the logging level is set to 'info' (Scored)",
"result": "PASS"
},
{
"id": "2.4",
"desc": "Ensure Docker is allowed to make changes to iptables (Scored)",
"result": "PASS"
},
{
"id": "2.5",
"desc": "Ensure insecure registries are not used (Scored)",
"result": "PASS"
},
{
"id": "2.6",
"desc": "Ensure aufs storage driver is not used (Scored)",
"result": "PASS"
},
{
"id": "2.7",
"desc": "Ensure TLS authentication for Docker daemon is configured (Scored)",
"result": "INFO",
"details": "Docker daemon not listening on TCP"
},
{
"id": "2.8",
"desc": "Ensure the default ulimit is configured appropriately (Manual)",
"result": "INFO",
"details": "Default ulimit doesn't appear to be set"
},
{
"id": "2.9",
"desc": "Enable user namespace support (Scored)",
"result": "WARN"
},
{
"id": "2.10",
"desc": "Ensure the default cgroup usage has been confirmed (Scored)",
"result": "PASS"
},
{
"id": "2.11",
"desc": "Ensure base device size is not changed until needed (Scored)",
"result": "PASS"
},
{
"id": "2.12",
"desc": "Ensure that authorization for Docker client commands is enabled (Scored)",
"result": "WARN"
},
{
"id": "2.13",
"desc": "Ensure centralized and remote logging is configured (Scored)",
"result": "WARN"
},
{
"id": "2.14",
"desc": "Ensure containers are restricted from acquiring new privileges (Scored)",
"result": "WARN"
},
{
"id": "2.15",
"desc": "Ensure live restore is enabled (Scored)",
"result": "WARN"
},
{
"id": "2.16",
"desc": "Ensure Userland Proxy is Disabled (Scored)",
"result": "WARN"
},
{
"id": "2.17",
"desc": "Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Manual)",
"result": "INFO"
},
{
"id": "2.18",
"desc": "Ensure that experimental features are not implemented in production (Scored)",
"result": "INFO"
}
]
},
{
"id": "3",
"desc": "Docker daemon configuration files",
"results": [
{
"id": "3.1",
"desc": "Ensure that the docker.service file ownership is set to root:root (Automated)",
"result": "PASS"
},
{
"id": "3.2",
"desc": "Ensure that docker.service file permissions are appropriately set (Automated)",
"result": "PASS"
},
{
"id": "3.3",
"desc": "Ensure that docker.socket file ownership is set to root:root (Automated)",
"result": "PASS"
},
{
"id": "3.4",
"desc": "Ensure that docker.socket file permissions are set to 644 or more restrictive (Automated)",
"result": "PASS"
},
{
"id": "3.5",
"desc": "Ensure that the /etc/docker directory ownership is set to root:root (Automated)",
"result": "PASS"
},
{
"id": "3.6",
"desc": "Ensure that /etc/docker directory permissions are set to 755 or more restrictively (Automated)",
"result": "PASS"
},
{
"id": "3.7",
"desc": "Ensure that registry certificate file ownership is set to root:root (Automated)",
"result": "INFO",
"details": "Directory not found"
},
{
"id": "3.8",
"desc": "Ensure that registry certificate file permissions are set to 444 or more restrictively (Automated)",
"result": "INFO",
"details": "Directory not found"
},
{
"id": "3.9",
"desc": "Ensure that TLS CA certificate file ownership is set to root:root (Automated)",
"result": "INFO",
"details": "No TLS CA certificate found"
},
{
"id": "3.10",
"desc": "Ensure that TLS CA certificate file permissions are set to 444 or more restrictively (Automated)",
"result": "INFO",
"details": "No TLS CA certificate found"
},
{
"id": "3.11",
"desc": "Ensure that Docker server certificate file ownership is set to root:root (Automated)",
"result": "INFO",
"details": "No TLS Server certificate found"
},
{
"id": "3.12",
"desc": "Ensure that the Docker server certificate file permissions are set to 444 or more restrictively (Automated)",
"result": "INFO",
"details": "No TLS Server certificate found"
},
{
"id": "3.13",
"desc": "Ensure that the Docker server certificate key file ownership is set to root:root (Automated)",
"result": "INFO",
"details": "No TLS Key found"
},
{
"id": "3.14",
"desc": "Ensure that the Docker server certificate key file permissions are set to 400 (Automated)",
"result": "INFO",
"details": "No TLS Key found"
},
{
"id": "3.15",
"desc": "Ensure that the Docker socket file ownership is set to root:docker (Automated)",
"result": "PASS"
},
{
"id": "3.16",
"desc": "Ensure that the Docker socket file permissions are set to 660 or more restrictively (Automated)",
"result": "PASS"
},
{
"id": "3.17",
"desc": "Ensure that the daemon.json file ownership is set to root:root (Automated)",
"result": "INFO",
"details": "File not found"
},
{
"id": "3.18",
"desc": "Ensure that daemon.json file permissions are set to 644 or more restrictive (Automated)",
"result": "INFO",
"details": "File not found"
},
{
"id": "3.19",
"desc": "Ensure that the /etc/default/docker file ownership is set to root:root (Automated)",
"result": "PASS"
},
{
"id": "3.20",
"desc": "Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively (Automated)",
"result": "PASS"
},
{
"id": "3.21",
"desc": "Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (Automated)",
"result": "INFO",
"details": "File not found"
},
{
"id": "3.22",
"desc": "Ensure that the /etc/sysconfig/docker file ownership is set to root:root (Automated)",
"result": "INFO",
"details": "File not found"
},
{
"id": "3.23",
"desc": "Ensure that the Containerd socket file ownership is set to root:root (Automated)",
"result": "PASS"
},
{
"id": "3.24",
"desc": "Ensure that the Containerd socket file permissions are set to 660 or more restrictively (Automated)",
"result": "PASS"
}
]
},
{
"id": "4",
"desc": "Container Images and Build File",
"results": [
{
"id": "4.1",
"desc": "Ensure that a user for the container has been created (Automated)",
"result": "WARN",
"details": "running as root: vaultwarden-db nginx vaultwarden vagrant-vulnerable-1 gitea-db gitea",
"items": [
"vaultwarden-db",
"nginx",
"vaultwarden",
"vagrant-vulnerable-1",
"gitea-db",
"gitea"
]
},
{
"id": "4.5",
"desc": "Ensure Content trust for Docker is Enabled (Automated)",
"result": "WARN"
},
{
"id": "4.6",
"desc": "Ensure that HEALTHCHECK instructions have been added to container images (Automated)",
"result": "WARN",
"details": "Images w/o HEALTHCHECK: [vagrant-vulnerable:latest] [docker.gitea.com/gitea:latest] [postgres:latest] [nginx:latest]",
"items": [
"[vagrant-vulnerable:latest]",
"[docker.gitea.com/gitea:latest]",
"[postgres:latest]",
"[nginx:latest]"
]
},
{
"id": "4.7",
"desc": "Ensure update instructions are not used alone in the Dockerfile (Manual)",
"result": "INFO",
"details": "Update instructions found: [vagrant-vulnerable:latest] [postgres:latest]",
"items": [
"[vagrant-vulnerable:latest]",
"[postgres:latest]"
]
},
{
"id": "4.9",
"desc": "Ensure that COPY is used instead of ADD in Dockerfiles (Manual)",
"result": "INFO",
"details": "Images using ADD: [vagrant-vulnerable:latest] [vaultwarden/server:latest]",
"items": [
"[vagrant-vulnerable:latest]",
"[vaultwarden/server:latest]"
]
}
]
},
{
"id": "5",
"desc": "Container Runtime",
"results": [
{
"id": "5.1",
"desc": "Ensure swarm mode is not Enabled, if not needed (Automated)",
"result": "PASS"
},
{
"id": "5.2",
"desc": "Ensure that, if applicable, an AppArmor Profile is enabled (Automated)",
"result": "PASS"
},
{
"id": "5.3",
"desc": "Ensure that, if applicable, SELinux security options are set (Automated)",
"result": "WARN",
"details": "Containers with no SecurityOptions: vaultwarden-db nginx vaultwarden vagrant-vulnerable-1 gitea-db gitea",
"items": [
"vaultwarden-db",
"nginx",
"vaultwarden",
"vagrant-vulnerable-1",
"gitea-db",
"gitea"
]
},
{
"id": "5.4",
"desc": "Ensure that Linux kernel capabilities are restricted within containers (Automated)",
"result": "PASS"
},
{
"id": "5.5",
"desc": "Ensure that privileged containers are not used (Automated)",
"result": "PASS"
},
{
"id": "5.6",
"desc": "Ensure sensitive host system directories are not mounted on containers (Automated)",
"result": "PASS"
},
{
"id": "5.7",
"desc": "Ensure sshd is not run within containers (Automated)",
"result": "WARN",
"details": "Containers with sshd/docker exec failures: vagrant-vulnerable-1 gitea",
"items": [
"vagrant-vulnerable-1",
"gitea"
]
},
{
"id": "5.8",
"desc": "Ensure privileged ports are not mapped within containers (Automated)",
"result": "WARN",
"details": "Containers using privileged ports: nginx:80 nginx:443",
"items": [
"nginx:80",
"nginx:443"
]
},
{
"id": "5.9",
"desc": "Ensure that only needed ports are open on the container (Manual)",
"result": "WARN",
"details": "Containers with open ports: nginx:80 nginx:443 vagrant-vulnerable-1:2222",
"items": [
"nginx:80",
"nginx:443",
"vagrant-vulnerable-1:2222"
]
},
{
"id": "5.10",
"desc": "Ensure that the host's network namespace is not shared (Automated)",
"result": "PASS"
},
{
"id": "5.11",
"desc": "Ensure that the memory usage for containers is limited (Automated)",
"result": "WARN",
"details": "Container running without memory restrictions: vaultwarden-db nginx vaultwarden vagrant-vulnerable-1 gitea-db gitea",
"items": [
"vaultwarden-db",
"nginx",
"vaultwarden",
"vagrant-vulnerable-1",
"gitea-db",
"gitea"
]
},
{
"id": "5.12",
"desc": "Ensure that CPU priority is set appropriately on containers (Automated)",
"result": "WARN",
"details": "Containers running without CPU restrictions: vaultwarden-db nginx vaultwarden vagrant-vulnerable-1 gitea-db gitea",
"items": [
"vaultwarden-db",
"nginx",
"vaultwarden",
"vagrant-vulnerable-1",
"gitea-db",
"gitea"
]
},
{
"id": "5.13",
"desc": "Ensure that the container's root filesystem is mounted as read only (Automated)",
"result": "WARN",
"details": "Containers running with root FS mounted R/W: vaultwarden-db nginx vaultwarden vagrant-vulnerable-1 gitea-db gitea",
"items": [
"vaultwarden-db",
"nginx",
"vaultwarden",
"vagrant-vulnerable-1",
"gitea-db",
"gitea"
]
},
{
"id": "5.14",
"desc": "Ensure that incoming container traffic is bound to a specific host interface (Automated)",
"result": "WARN",
"details": "Containers with port bound to wildcard IP: nginx:0.0.0.0 nginx:0.0.0.0 vagrant-vulnerable-1:0.0.0.0",
"items": [
"nginx:0.0.0.0",
"nginx:0.0.0.0",
"vagrant-vulnerable-1:0.0.0.0"
]
},
{
"id": "5.15",
"desc": "Ensure that the 'on-failure' container restart policy is set to '5' (Automated)",
"result": "PASS"
},
{
"id": "5.16",
"desc": "Ensure that the host's process namespace is not shared (Automated)",
"result": "PASS"
},
{
"id": "5.17",
"desc": "Ensure that the host's IPC namespace is not shared (Automated)",
"result": "PASS"
},
{
"id": "5.18",
"desc": "Ensure that host devices are not directly exposed to containers (Manual)",
"result": "PASS"
},
{
"id": "5.19",
"desc": "Ensure that the default ulimit is overwritten at runtime if needed (Manual)",
"result": "INFO",
"details": "Containers with no default ulimit override: vaultwarden-db nginx vaultwarden vagrant-vulnerable-1 gitea-db gitea",
"items": [
"vaultwarden-db",
"nginx",
"vaultwarden",
"vagrant-vulnerable-1",
"gitea-db",
"gitea"
]
},
{
"id": "5.20",
"desc": "Ensure mount propagation mode is not set to shared (Automated)",
"result": "PASS"
},
{
"id": "5.21",
"desc": "Ensure that the host's UTS namespace is not shared (Automated)",
"result": "PASS"
},
{
"id": "5.22",
"desc": "Ensure the default seccomp profile is not Disabled (Automated)",
"result": "PASS"
},
{
"id": "5.25",
"desc": "Ensure that cgroup usage is confirmed (Automated)",
"result": "PASS"
},
{
"id": "5.26",
"desc": "Ensure that the container is restricted from acquiring additional privileges (Automated)",
"result": "WARN",
"details": "Containers without restricted privileges: vaultwarden-db nginx vaultwarden vagrant-vulnerable-1 gitea-db gitea",
"items": [
"vaultwarden-db",
"nginx",
"vaultwarden",
"vagrant-vulnerable-1",
"gitea-db",
"gitea"
]
},
{
"id": "5.27",
"desc": "Ensure that container health is checked at runtime (Automated)",
"result": "WARN",
"details": "Containers without health check: vaultwarden-db nginx vagrant-vulnerable-1 gitea-db gitea",
"items": [
"vaultwarden-db",
"nginx",
"vagrant-vulnerable-1",
"gitea-db",
"gitea"
]
},
{
"id": "5.28",
"desc": "Ensure that Docker commands always make use of the latest version of their image (Manual)",
"result": "INFO"
},
{
"id": "5.29",
"desc": "Ensure that the PIDs cgroup limit is used (Automated)",
"result": "WARN",
"details": "Containers without PIDs cgroup limit: vaultwarden-db nginx vaultwarden vagrant-vulnerable-1 gitea-db gitea",
"items": [
"vaultwarden-db",
"nginx",
"vaultwarden",
"vagrant-vulnerable-1",
"gitea-db",
"gitea"
]
},
{
"id": "5.30",
"desc": "Ensure that Docker's default bridge 'docker0' is not used (Manual)",
"result": "PASS"
},
{
"id": "5.31",
"desc": "Ensure that the host's user namespaces are not shared (Automated)",
"result": "PASS"
},
{
"id": "5.32",
"desc": "Ensure that the Docker socket is not mounted inside any containers (Automated)",
"result": "PASS"
}
]
},
{
"id": "6",
"desc": "Docker Security Operations",
"results": [
{
"id": "6.1",
"desc": "Ensure that image sprawl is avoided (Manual)",
"result": "INFO",
"details": "6 active/6 in use"
},
{
"id": "6.2",
"desc": "Ensure that container sprawl is avoided (Manual)",
"result": "INFO",
"details": "6 total/6 running"
}
]
},
{
"id": "7",
"desc": "Docker Swarm Configuration",
"results": [
{
"id": "7.1",
"desc": "Ensure that the minimum number of manager nodes have been created in a swarm (Automated)",
"result": "PASS"
},
{
"id": "7.2",
"desc": "Ensure that swarm services are bound to a specific host interface (Automated)",
"result": "PASS"
},
{
"id": "7.3",
"desc": "Ensure that all Docker swarm overlay networks are encrypted (Automated)",
"result": "PASS"
},
{
"id": "7.4",
"desc": "Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Manual)",
"result": "PASS"
},
{
"id": "7.5",
"desc": "Ensure that swarm manager is run in auto-lock mode (Automated)",
"result": "PASS"
},
{
"id": "7.6",
"desc": "Ensure that the swarm manager auto-lock key is rotated periodically (Manual)",
"result": "PASS"
},
{
"id": "7.7",
"desc": "Ensure that node certificates are rotated as appropriate (Manual)",
"result": "PASS"
},
{
"id": "7.8",
"desc": "Ensure that CA certificates are rotated as appropriate (Manual)",
"result": "PASS"
},
{
"id": "7.9",
"desc": "Ensure that management plane traffic is separated from data plane traffic (Manual)",
"result": "PASS"
}
]
}
],
"checks": 117,
"score": 1,
"end": 1747568565
}

216
measurements/docker-bench/hybrid.log Normal file
View File

@ -0,0 +1,216 @@
Initializing 2025-05-18T12:00:06+00:00
Section A - Check results
[INFO] 1 - Host Configuration
[INFO] 1.1 - Linux Hosts Specific Configuration
[WARN] 1.1.1 - Ensure a separate partition for containers has been created (Automated)
[INFO] 1.1.2 - Ensure only trusted users are allowed to control Docker daemon (Automated)
[INFO] * Users: vagrant,git
[WARN] 1.1.3 - Ensure auditing is configured for the Docker daemon (Automated)
[WARN] 1.1.4 - Ensure auditing is configured for Docker files and directories -/run/containerd (Automated)
[WARN] 1.1.5 - Ensure auditing is configured for Docker files and directories - /var/lib/docker (Automated)
[WARN] 1.1.6 - Ensure auditing is configured for Docker files and directories - /etc/docker (Automated)
[WARN] 1.1.7 - Ensure auditing is configured for Docker files and directories - docker.service (Automated)
[WARN] 1.1.8 - Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)
[WARN] 1.1.9 - Ensure auditing is configured for Docker files and directories - docker.socket (Automated)
[WARN] 1.1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker (Automated)
[INFO] 1.1.11 - Ensure auditing is configured for Dockerfiles and directories - /etc/docker/daemon.json (Automated)
[INFO] * File not found
[WARN] 1.1.12 - 1.1.12 Ensure auditing is configured for Dockerfiles and directories - /etc/containerd/config.toml (Automated)
[INFO] 1.1.13 - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Automated)
[INFO] * File not found
[WARN] 1.1.14 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Automated)
[WARN] 1.1.15 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim (Automated)
[WARN] 1.1.16 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v1 (Automated)
[WARN] 1.1.17 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v2 (Automated)
[WARN] 1.1.18 - Ensure auditing is configured for Docker files and directories - /usr/bin/runc (Automated)
[INFO] 1.2 - General Configuration
[NOTE] 1.2.1 - Ensure the container host has been Hardened (Manual)
[PASS] 1.2.2 - Ensure that the version of Docker is up to date (Manual)
[INFO] * Using 28.1.1 which is current
[INFO] * Check with your operating system vendor for support and security maintenance for Docker
[INFO] 2 - Docker daemon configuration
[NOTE] 2.1 - Run the Docker daemon as a non-root user, if possible (Manual)
[WARN] 2.2 - Ensure network traffic is restricted between containers on the default bridge (Scored)
[PASS] 2.3 - Ensure the logging level is set to 'info' (Scored)
[PASS] 2.4 - Ensure Docker is allowed to make changes to iptables (Scored)
[PASS] 2.5 - Ensure insecure registries are not used (Scored)
[PASS] 2.6 - Ensure aufs storage driver is not used (Scored)
[INFO] 2.7 - Ensure TLS authentication for Docker daemon is configured (Scored)
[INFO] * Docker daemon not listening on TCP
[INFO] 2.8 - Ensure the default ulimit is configured appropriately (Manual)
[INFO] * Default ulimit doesn't appear to be set
[WARN] 2.9 - Enable user namespace support (Scored)
[PASS] 2.10 - Ensure the default cgroup usage has been confirmed (Scored)
[PASS] 2.11 - Ensure base device size is not changed until needed (Scored)
[WARN] 2.12 - Ensure that authorization for Docker client commands is enabled (Scored)
[WARN] 2.13 - Ensure centralized and remote logging is configured (Scored)
[WARN] 2.14 - Ensure containers are restricted from acquiring new privileges (Scored)
[WARN] 2.15 - Ensure live restore is enabled (Scored)
[WARN] 2.16 - Ensure Userland Proxy is Disabled (Scored)
[INFO] 2.17 - Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Manual)
[INFO] Ensure that experimental features are not implemented in production (Scored) (Deprecated)
[INFO] 3 - Docker daemon configuration files
[PASS] 3.1 - Ensure that the docker.service file ownership is set to root:root (Automated)
[PASS] 3.2 - Ensure that docker.service file permissions are appropriately set (Automated)
[PASS] 3.3 - Ensure that docker.socket file ownership is set to root:root (Automated)
[PASS] 3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive (Automated)
[PASS] 3.5 - Ensure that the /etc/docker directory ownership is set to root:root (Automated)
[PASS] 3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictively (Automated)
[INFO] 3.7 - Ensure that registry certificate file ownership is set to root:root (Automated)
[INFO] * Directory not found
[INFO] 3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictively (Automated)
[INFO] * Directory not found
[INFO] 3.9 - Ensure that TLS CA certificate file ownership is set to root:root (Automated)
[INFO] * No TLS CA certificate found
[INFO] 3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictively (Automated)
[INFO] * No TLS CA certificate found
[INFO] 3.11 - Ensure that Docker server certificate file ownership is set to root:root (Automated)
[INFO] * No TLS Server certificate found
[INFO] 3.12 - Ensure that the Docker server certificate file permissions are set to 444 or more restrictively (Automated)
[INFO] * No TLS Server certificate found
[INFO] 3.13 - Ensure that the Docker server certificate key file ownership is set to root:root (Automated)
[INFO] * No TLS Key found
[INFO] 3.14 - Ensure that the Docker server certificate key file permissions are set to 400 (Automated)
[INFO] * No TLS Key found
[PASS] 3.15 - Ensure that the Docker socket file ownership is set to root:docker (Automated)
[PASS] 3.16 - Ensure that the Docker socket file permissions are set to 660 or more restrictively (Automated)
[INFO] 3.17 - Ensure that the daemon.json file ownership is set to root:root (Automated)
[INFO] * File not found
[INFO] 3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive (Automated)
[INFO] * File not found
[PASS] 3.19 - Ensure that the /etc/default/docker file ownership is set to root:root (Automated)
[PASS] 3.20 - Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively (Automated)
[INFO] 3.21 - Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (Automated)
[INFO] * File not found
[INFO] 3.22 - Ensure that the /etc/sysconfig/docker file ownership is set to root:root (Automated)
[INFO] * File not found
[PASS] 3.23 - Ensure that the Containerd socket file ownership is set to root:root (Automated)
[PASS] 3.24 - Ensure that the Containerd socket file permissions are set to 660 or more restrictively (Automated)
[INFO] 4 - Container Images and Build File
[WARN] 4.1 - Ensure that a user for the container has been created (Automated)
[WARN] * Running as root: gitea
[WARN] * Running as root: vaultwarden
[WARN] * Running as root: nginx
[WARN] * Running as root: vagrant-vulnerable-1
[NOTE] 4.2 - Ensure that containers use only trusted base images (Manual)
[NOTE] 4.3 - Ensure that unnecessary packages are not installed in the container (Manual)
[NOTE] 4.4 - Ensure images are scanned and rebuilt to include security patches (Manual)
[WARN] 4.5 - Ensure Content trust for Docker is Enabled (Automated)
[WARN] 4.6 - Ensure that HEALTHCHECK instructions have been added to container images (Automated)
[WARN] * No Healthcheck found: [vagrant-vulnerable:latest]
[WARN] * No Healthcheck found: [docker.gitea.com/gitea:latest]
[WARN] * No Healthcheck found: [nginx:latest]
[INFO] 4.7 - Ensure update instructions are not used alone in the Dockerfile (Manual)
[INFO] * Update instruction found: [vagrant-vulnerable:latest]
[NOTE] 4.8 - Ensure setuid and setgid permissions are removed (Manual)
[INFO] 4.9 - Ensure that COPY is used instead of ADD in Dockerfiles (Manual)
[INFO] * ADD in image history: [vagrant-vulnerable:latest]
[INFO] * ADD in image history: [vaultwarden/server:latest]
[NOTE] 4.10 - Ensure secrets are not stored in Dockerfiles (Manual)
[NOTE] 4.11 - Ensure only verified packages are installed (Manual)
[NOTE] 4.12 - Ensure all signed artifacts are validated (Manual)
[INFO] 5 - Container Runtime
[PASS] 5.1 - Ensure swarm mode is not Enabled, if not needed (Automated)
[PASS] 5.2 - Ensure that, if applicable, an AppArmor Profile is enabled (Automated)
[WARN] 5.3 - Ensure that, if applicable, SELinux security options are set (Automated)
[WARN] * No SecurityOptions Found: gitea
[WARN] * No SecurityOptions Found: vaultwarden
[WARN] * No SecurityOptions Found: nginx
[WARN] * No SecurityOptions Found: vagrant-vulnerable-1
[PASS] 5.4 - Ensure that Linux kernel capabilities are restricted within containers (Automated)
[PASS] 5.5 - Ensure that privileged containers are not used (Automated)
[PASS] 5.6 - Ensure sensitive host system directories are not mounted on containers (Automated)
[WARN] 5.7 - Ensure sshd is not run within containers (Automated)
[WARN] * Container running sshd: gitea
[WARN] * Container running sshd: vagrant-vulnerable-1
[WARN] 5.8 - Ensure privileged ports are not mapped within containers (Automated)
[WARN] * Privileged Port in use: 80 in nginx
[WARN] * Privileged Port in use: 443 in nginx
[WARN] 5.9 - Ensure that only needed ports are open on the container (Manual)
[WARN] * Port in use: 80 in nginx
[WARN] * Port in use: 443 in nginx
[WARN] * Port in use: 2222 in vagrant-vulnerable-1
[PASS] 5.10 - Ensure that the host's network namespace is not shared (Automated)
[WARN] 5.11 - Ensure that the memory usage for containers is limited (Automated)
[WARN] * Container running without memory restrictions: gitea
[WARN] * Container running without memory restrictions: vaultwarden
[WARN] * Container running without memory restrictions: nginx
[WARN] * Container running without memory restrictions: vagrant-vulnerable-1
[WARN] 5.12 - Ensure that CPU priority is set appropriately on containers (Automated)
[WARN] * Container running without CPU restrictions: gitea
[WARN] * Container running without CPU restrictions: vaultwarden
[WARN] * Container running without CPU restrictions: nginx
[WARN] * Container running without CPU restrictions: vagrant-vulnerable-1
[WARN] 5.13 - Ensure that the container's root filesystem is mounted as read only (Automated)
[WARN] * Container running with root FS mounted R/W: gitea
[WARN] * Container running with root FS mounted R/W: vaultwarden
[WARN] * Container running with root FS mounted R/W: nginx
[WARN] * Container running with root FS mounted R/W: vagrant-vulnerable-1
[WARN] 5.14 - Ensure that incoming container traffic is bound to a specific host interface (Automated)
[WARN] * Port being bound to wildcard IP: 0.0.0.0 in nginx
[WARN] * Port being bound to wildcard IP: 0.0.0.0 in nginx
[WARN] * Port being bound to wildcard IP: 0.0.0.0 in vagrant-vulnerable-1
[PASS] 5.15 - Ensure that the 'on-failure' container restart policy is set to '5' (Automated)
[PASS] 5.16 - Ensure that the host's process namespace is not shared (Automated)
[PASS] 5.17 - Ensure that the host's IPC namespace is not shared (Automated)
[PASS] 5.18 - Ensure that host devices are not directly exposed to containers (Manual)
[INFO] 5.19 - Ensure that the default ulimit is overwritten at runtime if needed (Manual)
[INFO] * Container no default ulimit override: gitea
[INFO] * Container no default ulimit override: vaultwarden
[INFO] * Container no default ulimit override: nginx
[INFO] * Container no default ulimit override: vagrant-vulnerable-1
[PASS] 5.20 - Ensure mount propagation mode is not set to shared (Automated)
[PASS] 5.21 - Ensure that the host's UTS namespace is not shared (Automated)
[PASS] 5.22 - Ensure the default seccomp profile is not Disabled (Automated)
[NOTE] 5.23 - Ensure that docker exec commands are not used with the privileged option (Automated)
[NOTE] 5.24 - Ensure that docker exec commands are not used with the user=root option (Manual)
[PASS] 5.25 - Ensure that cgroup usage is confirmed (Automated)
[WARN] 5.26 - Ensure that the container is restricted from acquiring additional privileges (Automated)
[WARN] * Privileges not restricted: gitea
[WARN] * Privileges not restricted: vaultwarden
[WARN] * Privileges not restricted: nginx
[WARN] * Privileges not restricted: vagrant-vulnerable-1
[WARN] 5.27 - Ensure that container health is checked at runtime (Automated)
[WARN] * Health check not set: gitea
[WARN] * Health check not set: nginx
[WARN] * Health check not set: vagrant-vulnerable-1
[INFO] 5.28 - Ensure that Docker commands always make use of the latest version of their image (Manual)
[WARN] 5.29 - Ensure that the PIDs cgroup limit is used (Automated)
[WARN] * PIDs limit not set: gitea
[WARN] * PIDs limit not set: vaultwarden
[WARN] * PIDs limit not set: nginx
[WARN] * PIDs limit not set: vagrant-vulnerable-1
[PASS] 5.30 - Ensure that Docker's default bridge 'docker0' is not used (Manual)
[PASS] 5.31 - Ensure that the host's user namespaces are not shared (Automated)
[PASS] 5.32 - Ensure that the Docker socket is not mounted inside any containers (Automated)
[INFO] 6 - Docker Security Operations
[INFO] 6.1 - Ensure that image sprawl is avoided (Manual)
[INFO] * There are currently: 4 images
[INFO] 6.2 - Ensure that container sprawl is avoided (Manual)
[INFO] * There are currently a total of 4 containers, with 4 of them currently running
[INFO] 7 - Docker Swarm Configuration
[PASS] 7.1 - Ensure that the minimum number of manager nodes have been created in a swarm (Automated) (Swarm mode not enabled)
[PASS] 7.2 - Ensure that swarm services are bound to a specific host interface (Automated) (Swarm mode not enabled)
[PASS] 7.3 - Ensure that all Docker swarm overlay networks are encrypted (Automated)
[PASS] 7.4 - Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Manual) (Swarm mode not enabled)
[PASS] 7.5 - Ensure that swarm manager is run in auto-lock mode (Automated) (Swarm mode not enabled)
[PASS] 7.6 - Ensure that the swarm manager auto-lock key is rotated periodically (Manual) (Swarm mode not enabled)
[PASS] 7.7 - Ensure that node certificates are rotated as appropriate (Manual) (Swarm mode not enabled)
[PASS] 7.8 - Ensure that CA certificates are rotated as appropriate (Manual) (Swarm mode not enabled)
[PASS] 7.9 - Ensure that management plane traffic is separated from data plane traffic (Manual) (Swarm mode not enabled)
Section C - Score
[INFO] Checks: 117
[INFO] Score: 1

723
measurements/docker-bench/hybrid.log.json Normal file
View File

@ -0,0 +1,723 @@
{
"dockerbenchsecurity": "1.6.0",
"start": 1747569606,
"tests": [
{
"id": "1",
"desc": "Host Configuration",
"results": [
{
"id": "1.1.1",
"desc": "Ensure a separate partition for containers has been created (Automated)",
"result": "WARN"
},
{
"id": "1.1.2",
"desc": "Ensure only trusted users are allowed to control Docker daemon (Automated)",
"result": "INFO",
"details": "doubtfulusers: vagrant,git",
"items": [
"vagrant,git"
]
},
{
"id": "1.1.3",
"desc": "Ensure auditing is configured for the Docker daemon (Automated)",
"result": "WARN"
},
{
"id": "1.1.4",
"desc": "Ensure auditing is configured for Docker files and directories -/run/containerd (Automated)",
"result": "WARN"
},
{
"id": "1.1.5",
"desc": "Ensure auditing is configured for Docker files and directories - /var/lib/docker (Automated)",
"result": "WARN"
},
{
"id": "1.1.6",
"desc": "Ensure auditing is configured for Docker files and directories - /etc/docker (Automated)",
"result": "WARN"
},
{
"id": "1.1.7",
"desc": "Ensure auditing is configured for Docker files and directories - docker.service (Automated)",
"result": "WARN"
},
{
"id": "1.1.8",
"desc": "Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)",
"result": "WARN"
},
{
"id": "1.1.9",
"desc": "Ensure auditing is configured for Docker files and directories - docker.socket (Automated)",
"result": "WARN"
},
{
"id": "1.1.10",
"desc": "Ensure auditing is configured for Docker files and directories - /etc/default/docker (Automated)",
"result": "WARN"
},
{
"id": "1.1.11",
"desc": "Ensure auditing is configured for Dockerfiles and directories - /etc/docker/daemon.json (Automated)",
"result": "INFO",
"details": "File not found"
},
{
"id": "1.1.12",
"desc": "1.1.12 Ensure auditing is configured for Dockerfiles and directories - /etc/containerd/config.toml (Automated)",
"result": "WARN"
},
{
"id": "1.1.13",
"desc": "Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Automated)",
"result": "INFO",
"details": "File not found"
},
{
"id": "1.1.14",
"desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Automated)",
"result": "WARN"
},
{
"id": "1.1.15",
"desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim (Automated)",
"result": "WARN"
},
{
"id": "1.1.16",
"desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v1 (Automated)",
"result": "WARN"
},
{
"id": "1.1.17",
"desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v2 (Automated)",
"result": "WARN"
},
{
"id": "1.1.18",
"desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/runc (Automated)",
"result": "WARN"
},
{
"id": "1.2.1",
"desc": "Ensure the container host has been Hardened (Manual)",
"result": "INFO"
},
{
"id": "1.2.2",
"desc": "Ensure that the version of Docker is up to date (Manual)",
"result": "PASS",
"details": "Using 28.1.1"
}
]
},
{
"id": "2",
"desc": "Docker daemon configuration",
"results": [
{
"id": "2.1",
"desc": "Run the Docker daemon as a non-root user, if possible (Manual)",
"result": "INFO"
},
{
"id": "2.2",
"desc": "Ensure network traffic is restricted between containers on the default bridge (Scored)",
"result": "WARN"
},
{
"id": "2.3",
"desc": "Ensure the logging level is set to 'info' (Scored)",
"result": "PASS"
},
{
"id": "2.4",
"desc": "Ensure Docker is allowed to make changes to iptables (Scored)",
"result": "PASS"
},
{
"id": "2.5",
"desc": "Ensure insecure registries are not used (Scored)",
"result": "PASS"
},
{
"id": "2.6",
"desc": "Ensure aufs storage driver is not used (Scored)",
"result": "PASS"
},
{
"id": "2.7",
"desc": "Ensure TLS authentication for Docker daemon is configured (Scored)",
"result": "INFO",
"details": "Docker daemon not listening on TCP"
},
{
"id": "2.8",
"desc": "Ensure the default ulimit is configured appropriately (Manual)",
"result": "INFO",
"details": "Default ulimit doesn't appear to be set"
},
{
"id": "2.9",
"desc": "Enable user namespace support (Scored)",
"result": "WARN"
},
{
"id": "2.10",
"desc": "Ensure the default cgroup usage has been confirmed (Scored)",
"result": "PASS"
},
{
"id": "2.11",
"desc": "Ensure base device size is not changed until needed (Scored)",
"result": "PASS"
},
{
"id": "2.12",
"desc": "Ensure that authorization for Docker client commands is enabled (Scored)",
"result": "WARN"
},
{
"id": "2.13",
"desc": "Ensure centralized and remote logging is configured (Scored)",
"result": "WARN"
},
{
"id": "2.14",
"desc": "Ensure containers are restricted from acquiring new privileges (Scored)",
"result": "WARN"
},
{
"id": "2.15",
"desc": "Ensure live restore is enabled (Scored)",
"result": "WARN"
},
{
"id": "2.16",
"desc": "Ensure Userland Proxy is Disabled (Scored)",
"result": "WARN"
},
{
"id": "2.17",
"desc": "Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Manual)",
"result": "INFO"
},
{
"id": "2.18",
"desc": "Ensure that experimental features are not implemented in production (Scored)",
"result": "INFO"
}
]
},
{
"id": "3",
"desc": "Docker daemon configuration files",
"results": [
{
"id": "3.1",
"desc": "Ensure that the docker.service file ownership is set to root:root (Automated)",
"result": "PASS"
},
{
"id": "3.2",
"desc": "Ensure that docker.service file permissions are appropriately set (Automated)",
"result": "PASS"
},
{
"id": "3.3",
"desc": "Ensure that docker.socket file ownership is set to root:root (Automated)",
"result": "PASS"
},
{
"id": "3.4",
"desc": "Ensure that docker.socket file permissions are set to 644 or more restrictive (Automated)",
"result": "PASS"
},
{
"id": "3.5",
"desc": "Ensure that the /etc/docker directory ownership is set to root:root (Automated)",
"result": "PASS"
},
{
"id": "3.6",
"desc": "Ensure that /etc/docker directory permissions are set to 755 or more restrictively (Automated)",
"result": "PASS"
},
{
"id": "3.7",
"desc": "Ensure that registry certificate file ownership is set to root:root (Automated)",
"result": "INFO",
"details": "Directory not found"
},
{
"id": "3.8",
"desc": "Ensure that registry certificate file permissions are set to 444 or more restrictively (Automated)",
"result": "INFO",
"details": "Directory not found"
},
{
"id": "3.9",
"desc": "Ensure that TLS CA certificate file ownership is set to root:root (Automated)",
"result": "INFO",
"details": "No TLS CA certificate found"
},
{
"id": "3.10",
"desc": "Ensure that TLS CA certificate file permissions are set to 444 or more restrictively (Automated)",
"result": "INFO",
"details": "No TLS CA certificate found"
},
{
"id": "3.11",
"desc": "Ensure that Docker server certificate file ownership is set to root:root (Automated)",
"result": "INFO",
"details": "No TLS Server certificate found"
},
{
"id": "3.12",
"desc": "Ensure that the Docker server certificate file permissions are set to 444 or more restrictively (Automated)",
"result": "INFO",
"details": "No TLS Server certificate found"
},
{
"id": "3.13",
"desc": "Ensure that the Docker server certificate key file ownership is set to root:root (Automated)",
"result": "INFO",
"details": "No TLS Key found"
},
{
"id": "3.14",
"desc": "Ensure that the Docker server certificate key file permissions are set to 400 (Automated)",
"result": "INFO",
"details": "No TLS Key found"
},
{
"id": "3.15",
"desc": "Ensure that the Docker socket file ownership is set to root:docker (Automated)",
"result": "PASS"
},
{
"id": "3.16",
"desc": "Ensure that the Docker socket file permissions are set to 660 or more restrictively (Automated)",
"result": "PASS"
},
{
"id": "3.17",
"desc": "Ensure that the daemon.json file ownership is set to root:root (Automated)",
"result": "INFO",
"details": "File not found"
},
{
"id": "3.18",
"desc": "Ensure that daemon.json file permissions are set to 644 or more restrictive (Automated)",
"result": "INFO",
"details": "File not found"
},
{
"id": "3.19",
"desc": "Ensure that the /etc/default/docker file ownership is set to root:root (Automated)",
"result": "PASS"
},
{
"id": "3.20",
"desc": "Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively (Automated)",
"result": "PASS"
},
{
"id": "3.21",
"desc": "Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (Automated)",
"result": "INFO",
"details": "File not found"
},
{
"id": "3.22",
"desc": "Ensure that the /etc/sysconfig/docker file ownership is set to root:root (Automated)",
"result": "INFO",
"details": "File not found"
},
{
"id": "3.23",
"desc": "Ensure that the Containerd socket file ownership is set to root:root (Automated)",
"result": "PASS"
},
{
"id": "3.24",
"desc": "Ensure that the Containerd socket file permissions are set to 660 or more restrictively (Automated)",
"result": "PASS"
}
]
},
{
"id": "4",
"desc": "Container Images and Build File",
"results": [
{
"id": "4.1",
"desc": "Ensure that a user for the container has been created (Automated)",
"result": "WARN",
"details": "running as root: gitea vaultwarden nginx vagrant-vulnerable-1",
"items": [
"gitea","vaultwarden","nginx","vagrant-vulnerable-1"
]
},
{
"id": "4.2",
"desc": "Ensure that containers use only trusted base images (Manual)",
"result": "NOTE"
},
{
"id": "4.3",
"desc": "Ensure that unnecessary packages are not installed in the container (Manual)",
"result": "NOTE"
},
{
"id": "4.4",
"desc": "Ensure images are scanned and rebuilt to include security patches (Manual)",
"result": "NOTE"
},
{
"id": "4.5",
"desc": "Ensure Content trust for Docker is Enabled (Automated)",
"result": "WARN"
},
{
"id": "4.6",
"desc": "Ensure that HEALTHCHECK instructions have been added to container images (Automated)",
"result": "WARN",
"details": "Images w/o HEALTHCHECK: [vagrant-vulnerable:latest] [docker.gitea.com/gitea:latest] [nginx:latest]",
"items": [
"[vagrant-vulnerable:latest]","[docker.gitea.com/gitea:latest]","[nginx:latest]"
]
},
{
"id": "4.7",
"desc": "Ensure update instructions are not used alone in the Dockerfile (Manual)",
"result": "INFO",
"details": "Update instructions found: [vagrant-vulnerable:latest]",
"items": [
"[vagrant-vulnerable:latest]"
]
},
{
"id": "4.8",
"desc": "Ensure setuid and setgid permissions are removed (Manual)",
"result": "NOTE"
},
{
"id": "4.9",
"desc": "Ensure that COPY is used instead of ADD in Dockerfiles (Manual)",
"result": "INFO",
"details": "Images using ADD: [vagrant-vulnerable:latest] [vaultwarden/server:latest]",
"items": [
"[vagrant-vulnerable:latest]","[vaultwarden/server:latest]"
]
},
{
"id": "4.10",
"desc": "Ensure secrets are not stored in Dockerfiles (Manual)",
"result": "NOTE"
},
{
"id": "4.11",
"desc": "Ensure only verified packages are installed (Manual)",
"result": "NOTE"
},
{
"id": "4.12",
"desc": "Ensure all signed artifacts are validated (Manual)",
"result": "NOTE"
}
]
},
{
"id": "5",
"desc": "Container Runtime",
"results": [
{
"id": "5.1",
"desc": "Ensure swarm mode is not Enabled, if not needed (Automated)",
"result": "PASS"
},
{
"id": "5.2",
"desc": "Ensure that, if applicable, an AppArmor Profile is enabled (Automated)",
"result": "PASS"
},
{
"id": "5.3",
"desc": "Ensure that, if applicable, SELinux security options are set (Automated)",
"result": "WARN",
"details": "Containers with no SecurityOptions: gitea vaultwarden nginx vagrant-vulnerable-1",
"items": [
"gitea","vaultwarden","nginx","vagrant-vulnerable-1"
]
},
{
"id": "5.4",
"desc": "Ensure that Linux kernel capabilities are restricted within containers (Automated)",
"result": "PASS"
},
{
"id": "5.5",
"desc": "Ensure that privileged containers are not used (Automated)",
"result": "PASS"
},
{
"id": "5.6",
"desc": "Ensure sensitive host system directories are not mounted on containers (Automated)",
"result": "PASS"
},
{
"id": "5.7",
"desc": "Ensure sshd is not run within containers (Automated)",
"result": "WARN",
"details": "Containers with sshd/docker exec failures: gitea vagrant-vulnerable-1",
"items": [
"gitea","vagrant-vulnerable-1"
]
},
{
"id": "5.8",
"desc": "Ensure privileged ports are not mapped within containers (Automated)",
"result": "WARN",
"details": "Containers using privileged ports: nginx:80 nginx:443",
"items": [
"nginx:80","nginx:443"
]
},
{
"id": "5.9",
"desc": "Ensure that only needed ports are open on the container (Manual)",
"result": "WARN",
"details": "Containers with open ports: nginx:80 nginx:443 vagrant-vulnerable-1:2222",
"items": [
"nginx:80","nginx:443","vagrant-vulnerable-1:2222"
]
},
{
"id": "5.10",
"desc": "Ensure that the host's network namespace is not shared (Automated)",
"result": "PASS"
},
{
"id": "5.11",
"desc": "Ensure that the memory usage for containers is limited (Automated)",
"result": "WARN",
"details": "Container running without memory restrictions: gitea vaultwarden nginx vagrant-vulnerable-1",
"items": [
"gitea","vaultwarden","nginx","vagrant-vulnerable-1"
]
},
{
"id": "5.12",
"desc": "Ensure that CPU priority is set appropriately on containers (Automated)",
"result": "WARN",
"details": "Containers running without CPU restrictions: gitea vaultwarden nginx vagrant-vulnerable-1",
"items": [
"gitea","vaultwarden","nginx","vagrant-vulnerable-1"
]
},
{
"id": "5.13",
"desc": "Ensure that the container's root filesystem is mounted as read only (Automated)",
"result": "WARN",
"details": "Containers running with root FS mounted R/W: gitea vaultwarden nginx vagrant-vulnerable-1",
"items": [
"gitea","vaultwarden","nginx","vagrant-vulnerable-1"
]
},
{
"id": "5.14",
"desc": "Ensure that incoming container traffic is bound to a specific host interface (Automated)",
"result": "WARN",
"details": "Containers with port bound to wildcard IP: nginx:0.0.0.0 nginx:0.0.0.0 vagrant-vulnerable-1:0.0.0.0",
"items": [
"nginx:0.0.0.0","nginx:0.0.0.0","vagrant-vulnerable-1:0.0.0.0"
]
},
{
"id": "5.15",
"desc": "Ensure that the 'on-failure' container restart policy is set to '5' (Automated)",
"result": "PASS"
},
{
"id": "5.16",
"desc": "Ensure that the host's process namespace is not shared (Automated)",
"result": "PASS"
},
{
"id": "5.17",
"desc": "Ensure that the host's IPC namespace is not shared (Automated)",
"result": "PASS"
},
{
"id": "5.18",
"desc": "Ensure that host devices are not directly exposed to containers (Manual)",
"result": "PASS"
},
{
"id": "5.19",
"desc": "Ensure that the default ulimit is overwritten at runtime if needed (Manual)",
"result": "INFO",
"details": "Containers with no default ulimit override: gitea vaultwarden nginx vagrant-vulnerable-1",
"items": [
"gitea","vaultwarden","nginx","vagrant-vulnerable-1"
]
},
{
"id": "5.20",
"desc": "Ensure mount propagation mode is not set to shared (Automated)",
"result": "PASS"
},
{
"id": "5.21",
"desc": "Ensure that the host's UTS namespace is not shared (Automated)",
"result": "PASS"
},
{
"id": "5.22",
"desc": "Ensure the default seccomp profile is not Disabled (Automated)",
"result": "PASS"
},
{
"id": "5.23",
"desc": "Ensure that docker exec commands are not used with the privileged option (Automated)",
"result": "NOTE"
},
{
"id": "5.24",
"desc": "Ensure that docker exec commands are not used with the user=root option (Manual)",
"result": "NOTE"
},
{
"id": "5.25",
"desc": "Ensure that cgroup usage is confirmed (Automated)",
"result": "PASS"
},
{
"id": "5.26",
"desc": "Ensure that the container is restricted from acquiring additional privileges (Automated)",
"result": "WARN",
"details": "Containers without restricted privileges: gitea vaultwarden nginx vagrant-vulnerable-1",
"items": [
"gitea","vaultwarden","nginx","vagrant-vulnerable-1"
]
},
{
"id": "5.27",
"desc": "Ensure that container health is checked at runtime (Automated)",
"result": "WARN",
"details": "Containers without health check: gitea nginx vagrant-vulnerable-1",
"items": [
"gitea","nginx","vagrant-vulnerable-1"
]
},
{
"id": "5.28",
"desc": "Ensure that Docker commands always make use of the latest version of their image (Manual)",
"result": "INFO"
},
{
"id": "5.29",
"desc": "Ensure that the PIDs cgroup limit is used (Automated)",
"result": "WARN",
"details": "Containers without PIDs cgroup limit: gitea vaultwarden nginx vagrant-vulnerable-1",
"items": [
"gitea","vaultwarden","nginx","vagrant-vulnerable-1"
]
},
{
"id": "5.30",
"desc": "Ensure that Docker's default bridge 'docker0' is not used (Manual)",
"result": "PASS"
},
{
"id": "5.31",
"desc": "Ensure that the host's user namespaces are not shared (Automated)",
"result": "PASS"
},
{
"id": "5.32",
"desc": "Ensure that the Docker socket is not mounted inside any containers (Automated)",
"result": "PASS"
}
]
},
{
"id": "6",
"desc": "Docker Security Operations",
"results": [
{
"id": "6.1",
"desc": "Ensure that image sprawl is avoided (Manual)",
"result": "INFO",
"details": "4 active/4 in use"
},
{
"id": "6.2",
"desc": "Ensure that container sprawl is avoided (Manual)",
"result": "INFO",
"details": "4 total/4 running"
}
]
},
{
"id": "7",
"desc": "Docker Swarm Configuration",
"results": [
{
"id": "7.1",
"desc": "Ensure that the minimum number of manager nodes have been created in a swarm (Automated)",
"result": "PASS"
},
{
"id": "7.2",
"desc": "Ensure that swarm services are bound to a specific host interface (Automated)",
"result": "PASS"
},
{
"id": "7.3",
"desc": "Ensure that all Docker swarm overlay networks are encrypted (Automated)",
"result": "PASS"
},
{
"id": "7.4",
"desc": "Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Manual)",
"result": "PASS"
},
{
"id": "7.5",
"desc": "Ensure that swarm manager is run in auto-lock mode (Automated)",
"result": "PASS"
},
{
"id": "7.6",
"desc": "Ensure that the swarm manager auto-lock key is rotated periodically (Manual)",
"result": "PASS"
},
{
"id": "7.7",
"desc": "Ensure that node certificates are rotated as appropriate (Manual)",
"result": "PASS"
},
{
"id": "7.8",
"desc": "Ensure that CA certificates are rotated as appropriate (Manual)",
"result": "PASS"
},
{
"id": "7.9",
"desc": "Ensure that management plane traffic is separated from data plane traffic (Manual)",
"result": "PASS"
}
]
}
],
"checks": 117,
"score": 1,
"end": 1747569613
}

216
measurements/docker-bench/hybrid_cleaned.log Normal file
View File

@ -0,0 +1,216 @@
Initializing 2025-05-18T12:00:06+00:00
Section A - Check results[0m
[INFO][0m 1 - Host Configuration
[INFO][0m 1.1 - Linux Hosts Specific Configuration
[WARN][0m 1.1.1 - Ensure a separate partition for containers has been created (Automated)
[INFO][0m 1.1.2 - Ensure only trusted users are allowed to control Docker daemon (Automated)
[INFO][0m * Users: vagrant,git
[WARN][0m 1.1.3 - Ensure auditing is configured for the Docker daemon (Automated)
[WARN][0m 1.1.4 - Ensure auditing is configured for Docker files and directories -/run/containerd (Automated)
[WARN][0m 1.1.5 - Ensure auditing is configured for Docker files and directories - /var/lib/docker (Automated)
[WARN][0m 1.1.6 - Ensure auditing is configured for Docker files and directories - /etc/docker (Automated)
[WARN][0m 1.1.7 - Ensure auditing is configured for Docker files and directories - docker.service (Automated)
[WARN][0m 1.1.8 - Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)
[WARN][0m 1.1.9 - Ensure auditing is configured for Docker files and directories - docker.socket (Automated)
[WARN][0m 1.1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker (Automated)
[INFO][0m 1.1.11 - Ensure auditing is configured for Dockerfiles and directories - /etc/docker/daemon.json (Automated)
[INFO][0m * File not found
[WARN][0m 1.1.12 - 1.1.12 Ensure auditing is configured for Dockerfiles and directories - /etc/containerd/config.toml (Automated)
[INFO][0m 1.1.13 - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Automated)
[INFO][0m * File not found
[WARN][0m 1.1.14 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Automated)
[WARN][0m 1.1.15 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim (Automated)
[WARN][0m 1.1.16 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v1 (Automated)
[WARN][0m 1.1.17 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v2 (Automated)
[WARN][0m 1.1.18 - Ensure auditing is configured for Docker files and directories - /usr/bin/runc (Automated)
[INFO][0m 1.2 - General Configuration
[NOTE][0m 1.2.1 - Ensure the container host has been Hardened (Manual)
[PASS][0m 1.2.2 - Ensure that the version of Docker is up to date (Manual)
[INFO][0m * Using 28.1.1 which is current
[INFO][0m * Check with your operating system vendor for support and security maintenance for Docker
[INFO][0m 2 - Docker daemon configuration
[NOTE][0m 2.1 - Run the Docker daemon as a non-root user, if possible (Manual)
[WARN][0m 2.2 - Ensure network traffic is restricted between containers on the default bridge (Scored)
[PASS][0m 2.3 - Ensure the logging level is set to 'info' (Scored)
[PASS][0m 2.4 - Ensure Docker is allowed to make changes to iptables (Scored)
[PASS][0m 2.5 - Ensure insecure registries are not used (Scored)
[PASS][0m 2.6 - Ensure aufs storage driver is not used (Scored)
[INFO][0m 2.7 - Ensure TLS authentication for Docker daemon is configured (Scored)
[INFO][0m * Docker daemon not listening on TCP
[INFO][0m 2.8 - Ensure the default ulimit is configured appropriately (Manual)
[INFO][0m * Default ulimit doesn't appear to be set
[WARN][0m 2.9 - Enable user namespace support (Scored)
[PASS][0m 2.10 - Ensure the default cgroup usage has been confirmed (Scored)
[PASS][0m 2.11 - Ensure base device size is not changed until needed (Scored)
[WARN][0m 2.12 - Ensure that authorization for Docker client commands is enabled (Scored)
[WARN][0m 2.13 - Ensure centralized and remote logging is configured (Scored)
[WARN][0m 2.14 - Ensure containers are restricted from acquiring new privileges (Scored)
[WARN][0m 2.15 - Ensure live restore is enabled (Scored)
[WARN][0m 2.16 - Ensure Userland Proxy is Disabled (Scored)
[INFO][0m 2.17 - Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Manual)
[INFO][0m Ensure that experimental features are not implemented in production (Scored) (Deprecated)
[INFO][0m 3 - Docker daemon configuration files
[PASS][0m 3.1 - Ensure that the docker.service file ownership is set to root:root (Automated)
[PASS][0m 3.2 - Ensure that docker.service file permissions are appropriately set (Automated)
[PASS][0m 3.3 - Ensure that docker.socket file ownership is set to root:root (Automated)
[PASS][0m 3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive (Automated)
[PASS][0m 3.5 - Ensure that the /etc/docker directory ownership is set to root:root (Automated)
[PASS][0m 3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictively (Automated)
[INFO][0m 3.7 - Ensure that registry certificate file ownership is set to root:root (Automated)
[INFO][0m * Directory not found
[INFO][0m 3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictively (Automated)
[INFO][0m * Directory not found
[INFO][0m 3.9 - Ensure that TLS CA certificate file ownership is set to root:root (Automated)
[INFO][0m * No TLS CA certificate found
[INFO][0m 3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictively (Automated)
[INFO][0m * No TLS CA certificate found
[INFO][0m 3.11 - Ensure that Docker server certificate file ownership is set to root:root (Automated)
[INFO][0m * No TLS Server certificate found
[INFO][0m 3.12 - Ensure that the Docker server certificate file permissions are set to 444 or more restrictively (Automated)
[INFO][0m * No TLS Server certificate found
[INFO][0m 3.13 - Ensure that the Docker server certificate key file ownership is set to root:root (Automated)
[INFO][0m * No TLS Key found
[INFO][0m 3.14 - Ensure that the Docker server certificate key file permissions are set to 400 (Automated)
[INFO][0m * No TLS Key found
[PASS][0m 3.15 - Ensure that the Docker socket file ownership is set to root:docker (Automated)
[PASS][0m 3.16 - Ensure that the Docker socket file permissions are set to 660 or more restrictively (Automated)
[INFO][0m 3.17 - Ensure that the daemon.json file ownership is set to root:root (Automated)
[INFO][0m * File not found
[INFO][0m 3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive (Automated)
[INFO][0m * File not found
[PASS][0m 3.19 - Ensure that the /etc/default/docker file ownership is set to root:root (Automated)
[PASS][0m 3.20 - Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively (Automated)
[INFO][0m 3.21 - Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (Automated)
[INFO][0m * File not found
[INFO][0m 3.22 - Ensure that the /etc/sysconfig/docker file ownership is set to root:root (Automated)
[INFO][0m * File not found
[PASS][0m 3.23 - Ensure that the Containerd socket file ownership is set to root:root (Automated)
[PASS][0m 3.24 - Ensure that the Containerd socket file permissions are set to 660 or more restrictively (Automated)
[INFO][0m 4 - Container Images and Build File
[WARN][0m 4.1 - Ensure that a user for the container has been created (Automated)
[WARN][0m * Running as root: gitea
[WARN][0m * Running as root: vaultwarden
[WARN][0m * Running as root: nginx
[WARN][0m * Running as root: vagrant-vulnerable-1
[NOTE][0m 4.2 - Ensure that containers use only trusted base images (Manual)
[NOTE][0m 4.3 - Ensure that unnecessary packages are not installed in the container (Manual)
[NOTE][0m 4.4 - Ensure images are scanned and rebuilt to include security patches (Manual)
[WARN][0m 4.5 - Ensure Content trust for Docker is Enabled (Automated)
[WARN][0m 4.6 - Ensure that HEALTHCHECK instructions have been added to container images (Automated)
[WARN][0m * No Healthcheck found: [vagrant-vulnerable:latest]
[WARN][0m * No Healthcheck found: [docker.gitea.com/gitea:latest]
[WARN][0m * No Healthcheck found: [nginx:latest]
[INFO][0m 4.7 - Ensure update instructions are not used alone in the Dockerfile (Manual)
[INFO][0m * Update instruction found: [vagrant-vulnerable:latest]
[NOTE][0m 4.8 - Ensure setuid and setgid permissions are removed (Manual)
[INFO][0m 4.9 - Ensure that COPY is used instead of ADD in Dockerfiles (Manual)
[INFO][0m * ADD in image history: [vagrant-vulnerable:latest]
[INFO][0m * ADD in image history: [vaultwarden/server:latest]
[NOTE][0m 4.10 - Ensure secrets are not stored in Dockerfiles (Manual)
[NOTE][0m 4.11 - Ensure only verified packages are installed (Manual)
[NOTE][0m 4.12 - Ensure all signed artifacts are validated (Manual)
[INFO][0m 5 - Container Runtime
[PASS][0m 5.1 - Ensure swarm mode is not Enabled, if not needed (Automated)
[PASS][0m 5.2 - Ensure that, if applicable, an AppArmor Profile is enabled (Automated)
[WARN][0m 5.3 - Ensure that, if applicable, SELinux security options are set (Automated)
[WARN][0m * No SecurityOptions Found: gitea
[WARN][0m * No SecurityOptions Found: vaultwarden
[WARN][0m * No SecurityOptions Found: nginx
[WARN][0m * No SecurityOptions Found: vagrant-vulnerable-1
[PASS][0m 5.4 - Ensure that Linux kernel capabilities are restricted within containers (Automated)
[PASS][0m 5.5 - Ensure that privileged containers are not used (Automated)
[PASS][0m 5.6 - Ensure sensitive host system directories are not mounted on containers (Automated)
[WARN][0m 5.7 - Ensure sshd is not run within containers (Automated)
[WARN][0m * Container running sshd: gitea
[WARN][0m * Container running sshd: vagrant-vulnerable-1
[WARN][0m 5.8 - Ensure privileged ports are not mapped within containers (Automated)
[WARN][0m * Privileged Port in use: 80 in nginx
[WARN][0m * Privileged Port in use: 443 in nginx
[WARN][0m 5.9 - Ensure that only needed ports are open on the container (Manual)
[WARN][0m * Port in use: 80 in nginx
[WARN][0m * Port in use: 443 in nginx
[WARN][0m * Port in use: 2222 in vagrant-vulnerable-1
[PASS][0m 5.10 - Ensure that the host's network namespace is not shared (Automated)
[WARN][0m 5.11 - Ensure that the memory usage for containers is limited (Automated)
[WARN][0m * Container running without memory restrictions: gitea
[WARN][0m * Container running without memory restrictions: vaultwarden
[WARN][0m * Container running without memory restrictions: nginx
[WARN][0m * Container running without memory restrictions: vagrant-vulnerable-1
[WARN][0m 5.12 - Ensure that CPU priority is set appropriately on containers (Automated)
[WARN][0m * Container running without CPU restrictions: gitea
[WARN][0m * Container running without CPU restrictions: vaultwarden
[WARN][0m * Container running without CPU restrictions: nginx
[WARN][0m * Container running without CPU restrictions: vagrant-vulnerable-1
[WARN][0m 5.13 - Ensure that the container's root filesystem is mounted as read only (Automated)
[WARN][0m * Container running with root FS mounted R/W: gitea
[WARN][0m * Container running with root FS mounted R/W: vaultwarden
[WARN][0m * Container running with root FS mounted R/W: nginx
[WARN][0m * Container running with root FS mounted R/W: vagrant-vulnerable-1
[WARN][0m 5.14 - Ensure that incoming container traffic is bound to a specific host interface (Automated)
[WARN][0m * Port being bound to wildcard IP: 0.0.0.0 in nginx
[WARN][0m * Port being bound to wildcard IP: 0.0.0.0 in nginx
[WARN][0m * Port being bound to wildcard IP: 0.0.0.0 in vagrant-vulnerable-1
[PASS][0m 5.15 - Ensure that the 'on-failure' container restart policy is set to '5' (Automated)
[PASS][0m 5.16 - Ensure that the host's process namespace is not shared (Automated)
[PASS][0m 5.17 - Ensure that the host's IPC namespace is not shared (Automated)
[PASS][0m 5.18 - Ensure that host devices are not directly exposed to containers (Manual)
[INFO][0m 5.19 - Ensure that the default ulimit is overwritten at runtime if needed (Manual)
[INFO][0m * Container no default ulimit override: gitea
[INFO][0m * Container no default ulimit override: vaultwarden
[INFO][0m * Container no default ulimit override: nginx
[INFO][0m * Container no default ulimit override: vagrant-vulnerable-1
[PASS][0m 5.20 - Ensure mount propagation mode is not set to shared (Automated)
[PASS][0m 5.21 - Ensure that the host's UTS namespace is not shared (Automated)
[PASS][0m 5.22 - Ensure the default seccomp profile is not Disabled (Automated)
[NOTE][0m 5.23 - Ensure that docker exec commands are not used with the privileged option (Automated)
[NOTE][0m 5.24 - Ensure that docker exec commands are not used with the user=root option (Manual)
[PASS][0m 5.25 - Ensure that cgroup usage is confirmed (Automated)
[WARN][0m 5.26 - Ensure that the container is restricted from acquiring additional privileges (Automated)
[WARN][0m * Privileges not restricted: gitea
[WARN][0m * Privileges not restricted: vaultwarden
[WARN][0m * Privileges not restricted: nginx
[WARN][0m * Privileges not restricted: vagrant-vulnerable-1
[WARN][0m 5.27 - Ensure that container health is checked at runtime (Automated)
[WARN][0m * Health check not set: gitea
[WARN][0m * Health check not set: nginx
[WARN][0m * Health check not set: vagrant-vulnerable-1
[INFO][0m 5.28 - Ensure that Docker commands always make use of the latest version of their image (Manual)
[WARN][0m 5.29 - Ensure that the PIDs cgroup limit is used (Automated)
[WARN][0m * PIDs limit not set: gitea
[WARN][0m * PIDs limit not set: vaultwarden
[WARN][0m * PIDs limit not set: nginx
[WARN][0m * PIDs limit not set: vagrant-vulnerable-1
[PASS][0m 5.30 - Ensure that Docker's default bridge 'docker0' is not used (Manual)
[PASS][0m 5.31 - Ensure that the host's user namespaces are not shared (Automated)
[PASS][0m 5.32 - Ensure that the Docker socket is not mounted inside any containers (Automated)
[INFO][0m 6 - Docker Security Operations
[INFO][0m 6.1 - Ensure that image sprawl is avoided (Manual)
[INFO][0m * There are currently: 4 images
[INFO][0m 6.2 - Ensure that container sprawl is avoided (Manual)
[INFO][0m * There are currently a total of 4 containers, with 4 of them currently running
[INFO][0m 7 - Docker Swarm Configuration
[PASS][0m 7.1 - Ensure that the minimum number of manager nodes have been created in a swarm (Automated) (Swarm mode not enabled)
[PASS][0m 7.2 - Ensure that swarm services are bound to a specific host interface (Automated) (Swarm mode not enabled)
[PASS][0m 7.3 - Ensure that all Docker swarm overlay networks are encrypted (Automated)
[PASS][0m 7.4 - Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Manual) (Swarm mode not enabled)
[PASS][0m 7.5 - Ensure that swarm manager is run in auto-lock mode (Automated) (Swarm mode not enabled)
[PASS][0m 7.6 - Ensure that the swarm manager auto-lock key is rotated periodically (Manual) (Swarm mode not enabled)
[PASS][0m 7.7 - Ensure that node certificates are rotated as appropriate (Manual) (Swarm mode not enabled)
[PASS][0m 7.8 - Ensure that CA certificates are rotated as appropriate (Manual) (Swarm mode not enabled)
[PASS][0m 7.9 - Ensure that management plane traffic is separated from data plane traffic (Manual) (Swarm mode not enabled)
Section C - Score[0m
[INFO][0m Checks: 117
[INFO][0m Score: 1

713
measurements/docker-bench/hybrid_cleaned.log.json Normal file
View File

@ -0,0 +1,713 @@
{
"dockerbenchsecurity": "1.6.0",
"start": 1747569606,
"tests": [
{
"id": "1",
"desc": "Host Configuration",
"results": [
{
"id": "1.1.1",
"desc": "Ensure a separate partition for containers has been created (Automated)",
"result": "WARN"
},
{
"id": "1.1.2",
"desc": "Ensure only trusted users are allowed to control Docker daemon (Automated)",
"result": "INFO",
"details": "doubtfulusers: vagrant,git",
"items": [
"vagrant,git"
]
},
{
"id": "1.1.3",
"desc": "Ensure auditing is configured for the Docker daemon (Automated)",
"result": "WARN"
},
{
"id": "1.1.4",
"desc": "Ensure auditing is configured for Docker files and directories -/run/containerd (Automated)",
"result": "WARN"
},
{
"id": "1.1.5",
"desc": "Ensure auditing is configured for Docker files and directories - /var/lib/docker (Automated)",
"result": "WARN"
},
{
"id": "1.1.6",
"desc": "Ensure auditing is configured for Docker files and directories - /etc/docker (Automated)",
"result": "WARN"
},
{
"id": "1.1.7",
"desc": "Ensure auditing is configured for Docker files and directories - docker.service (Automated)",
"result": "WARN"
},
{
"id": "1.1.8",
"desc": "Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)",
"result": "WARN"
},
{
"id": "1.1.9",
"desc": "Ensure auditing is configured for Docker files and directories - docker.socket (Automated)",
"result": "WARN"
},
{
"id": "1.1.10",
"desc": "Ensure auditing is configured for Docker files and directories - /etc/default/docker (Automated)",
"result": "WARN"
},
{
"id": "1.1.11",
"desc": "Ensure auditing is configured for Dockerfiles and directories - /etc/docker/daemon.json (Automated)",
"result": "INFO",
"details": "File not found"
},
{
"id": "1.1.12",
"desc": "1.1.12 Ensure auditing is configured for Dockerfiles and directories - /etc/containerd/config.toml (Automated)",
"result": "WARN"
},
{
"id": "1.1.13",
"desc": "Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Automated)",
"result": "INFO",
"details": "File not found"
},
{
"id": "1.1.14",
"desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Automated)",
"result": "WARN"
},
{
"id": "1.1.15",
"desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim (Automated)",
"result": "WARN"
},
{
"id": "1.1.16",
"desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v1 (Automated)",
"result": "WARN"
},
{
"id": "1.1.17",
"desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v2 (Automated)",
"result": "WARN"
},
{
"id": "1.1.18",
"desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/runc (Automated)",
"result": "WARN"
},
{
"id": "1.2.1",
"desc": "Ensure the container host has been Hardened (Manual)",
"result": "INFO"
},
{
"id": "1.2.2",
"desc": "Ensure that the version of Docker is up to date (Manual)",
"result": "PASS",
"details": "Using 28.1.1"
}
]
},
{
"id": "2",
"desc": "Docker daemon configuration",
"results": [
{
"id": "2.1",
"desc": "Run the Docker daemon as a non-root user, if possible (Manual)",
"result": "INFO"
},
{
"id": "2.2",
"desc": "Ensure network traffic is restricted between containers on the default bridge (Scored)",
"result": "WARN"
},
{
"id": "2.3",
"desc": "Ensure the logging level is set to 'info' (Scored)",
"result": "PASS"
},
{
"id": "2.4",
"desc": "Ensure Docker is allowed to make changes to iptables (Scored)",
"result": "PASS"
},
{
"id": "2.5",
"desc": "Ensure insecure registries are not used (Scored)",
"result": "PASS"
},
{
"id": "2.6",
"desc": "Ensure aufs storage driver is not used (Scored)",
"result": "PASS"
},
{
"id": "2.7",
"desc": "Ensure TLS authentication for Docker daemon is configured (Scored)",
"result": "INFO",
"details": "Docker daemon not listening on TCP"
},
{
"id": "2.8",
"desc": "Ensure the default ulimit is configured appropriately (Manual)",
"result": "INFO",
"details": "Default ulimit doesn't appear to be set"
},
{
"id": "2.9",
"desc": "Enable user namespace support (Scored)",
"result": "WARN"
},
{
"id": "2.10",
"desc": "Ensure the default cgroup usage has been confirmed (Scored)",
"result": "PASS"
},
{
"id": "2.11",
"desc": "Ensure base device size is not changed until needed (Scored)",
"result": "PASS"
},
{
"id": "2.12",
"desc": "Ensure that authorization for Docker client commands is enabled (Scored)",
"result": "WARN"
},
{
"id": "2.13",
"desc": "Ensure centralized and remote logging is configured (Scored)",
"result": "WARN"
},
{
"id": "2.14",
"desc": "Ensure containers are restricted from acquiring new privileges (Scored)",
"result": "WARN"
},
{
"id": "2.15",
"desc": "Ensure live restore is enabled (Scored)",
"result": "WARN"
},
{
"id": "2.16",
"desc": "Ensure Userland Proxy is Disabled (Scored)",
"result": "WARN"
},
{
"id": "2.17",
"desc": "Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Manual)",
"result": "INFO"
},
{
"id": "2.18",
"desc": "Ensure that experimental features are not implemented in production (Scored)",
"result": "INFO"
}
]
},
{
"id": "3",
"desc": "Docker daemon configuration files",
"results": [
{
"id": "3.1",
"desc": "Ensure that the docker.service file ownership is set to root:root (Automated)",
"result": "PASS"
},
{
"id": "3.2",
"desc": "Ensure that docker.service file permissions are appropriately set (Automated)",
"result": "PASS"
},
{
"id": "3.3",
"desc": "Ensure that docker.socket file ownership is set to root:root (Automated)",
"result": "PASS"
},
{
"id": "3.4",
"desc": "Ensure that docker.socket file permissions are set to 644 or more restrictive (Automated)",
"result": "PASS"
},
{
"id": "3.5",
"desc": "Ensure that the /etc/docker directory ownership is set to root:root (Automated)",
"result": "PASS"
},
{
"id": "3.6",
"desc": "Ensure that /etc/docker directory permissions are set to 755 or more restrictively (Automated)",
"result": "PASS"
},
{
"id": "3.7",
"desc": "Ensure that registry certificate file ownership is set to root:root (Automated)",
"result": "INFO",
"details": "Directory not found"
},
{
"id": "3.8",
"desc": "Ensure that registry certificate file permissions are set to 444 or more restrictively (Automated)",
"result": "INFO",
"details": "Directory not found"
},
{
"id": "3.9",
"desc": "Ensure that TLS CA certificate file ownership is set to root:root (Automated)",
"result": "INFO",
"details": "No TLS CA certificate found"
},
{
"id": "3.10",
"desc": "Ensure that TLS CA certificate file permissions are set to 444 or more restrictively (Automated)",
"result": "INFO",
"details": "No TLS CA certificate found"
},
{
"id": "3.11",
"desc": "Ensure that Docker server certificate file ownership is set to root:root (Automated)",
"result": "INFO",
"details": "No TLS Server certificate found"
},
{
"id": "3.12",
"desc": "Ensure that the Docker server certificate file permissions are set to 444 or more restrictively (Automated)",
"result": "INFO",
"details": "No TLS Server certificate found"
},
{
"id": "3.13",
"desc": "Ensure that the Docker server certificate key file ownership is set to root:root (Automated)",
"result": "INFO",
"details": "No TLS Key found"
},
{
"id": "3.14",
"desc": "Ensure that the Docker server certificate key file permissions are set to 400 (Automated)",
"result": "INFO",
"details": "No TLS Key found"
},
{
"id": "3.15",
"desc": "Ensure that the Docker socket file ownership is set to root:docker (Automated)",
"result": "PASS"
},
{
"id": "3.16",
"desc": "Ensure that the Docker socket file permissions are set to 660 or more restrictively (Automated)",
"result": "PASS"
},
{
"id": "3.17",
"desc": "Ensure that the daemon.json file ownership is set to root:root (Automated)",
"result": "INFO",
"details": "File not found"
},
{
"id": "3.18",
"desc": "Ensure that daemon.json file permissions are set to 644 or more restrictive (Automated)",
"result": "INFO",
"details": "File not found"
},
{
"id": "3.19",
"desc": "Ensure that the /etc/default/docker file ownership is set to root:root (Automated)",
"result": "PASS"
},
{
"id": "3.20",
"desc": "Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively (Automated)",
"result": "PASS"
},
{
"id": "3.21",
"desc": "Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (Automated)",
"result": "INFO",
"details": "File not found"
},
{
"id": "3.22",
"desc": "Ensure that the /etc/sysconfig/docker file ownership is set to root:root (Automated)",
"result": "INFO",
"details": "File not found"
},
{
"id": "3.23",
"desc": "Ensure that the Containerd socket file ownership is set to root:root (Automated)",
"result": "PASS"
},
{
"id": "3.24",
"desc": "Ensure that the Containerd socket file permissions are set to 660 or more restrictively (Automated)",
"result": "PASS"
}
]
},
{
"id": "4",
"desc": "Container Images and Build File",
"results": [
{
"id": "4.1",
"desc": "Ensure that a user for the container has been created (Automated)",
"result": "WARN",
"details": "running as root: gitea vaultwarden nginx vagrant-vulnerable-1",
"items": [
"gitea",
"vaultwarden",
"nginx",
"vagrant-vulnerable-1"
]
},
{
"id": "4.5",
"desc": "Ensure Content trust for Docker is Enabled (Automated)",
"result": "WARN"
},
{
"id": "4.6",
"desc": "Ensure that HEALTHCHECK instructions have been added to container images (Automated)",
"result": "WARN",
"details": "Images w/o HEALTHCHECK: [vagrant-vulnerable:latest] [docker.gitea.com/gitea:latest] [nginx:latest]",
"items": [
"[vagrant-vulnerable:latest]",
"[docker.gitea.com/gitea:latest]",
"[nginx:latest]"
]
},
{
"id": "4.7",
"desc": "Ensure update instructions are not used alone in the Dockerfile (Manual)",
"result": "INFO",
"details": "Update instructions found: [vagrant-vulnerable:latest]",
"items": [
"[vagrant-vulnerable:latest]"
]
},
{
"id": "4.9",
"desc": "Ensure that COPY is used instead of ADD in Dockerfiles (Manual)",
"result": "INFO",
"details": "Images using ADD: [vagrant-vulnerable:latest] [vaultwarden/server:latest]",
"items": [
"[vagrant-vulnerable:latest]",
"[vaultwarden/server:latest]"
]
}
]
},
{
"id": "5",
"desc": "Container Runtime",
"results": [
{
"id": "5.1",
"desc": "Ensure swarm mode is not Enabled, if not needed (Automated)",
"result": "PASS"
},
{
"id": "5.2",
"desc": "Ensure that, if applicable, an AppArmor Profile is enabled (Automated)",
"result": "PASS"
},
{
"id": "5.3",
"desc": "Ensure that, if applicable, SELinux security options are set (Automated)",
"result": "WARN",
"details": "Containers with no SecurityOptions: gitea vaultwarden nginx vagrant-vulnerable-1",
"items": [
"gitea",
"vaultwarden",
"nginx",
"vagrant-vulnerable-1"
]
},
{
"id": "5.4",
"desc": "Ensure that Linux kernel capabilities are restricted within containers (Automated)",
"result": "PASS"
},
{
"id": "5.5",
"desc": "Ensure that privileged containers are not used (Automated)",
"result": "PASS"
},
{
"id": "5.6",
"desc": "Ensure sensitive host system directories are not mounted on containers (Automated)",
"result": "PASS"
},
{
"id": "5.7",
"desc": "Ensure sshd is not run within containers (Automated)",
"result": "WARN",
"details": "Containers with sshd/docker exec failures: gitea vagrant-vulnerable-1",
"items": [
"gitea",
"vagrant-vulnerable-1"
]
},
{
"id": "5.8",
"desc": "Ensure privileged ports are not mapped within containers (Automated)",
"result": "WARN",
"details": "Containers using privileged ports: nginx:80 nginx:443",
"items": [
"nginx:80",
"nginx:443"
]
},
{
"id": "5.9",
"desc": "Ensure that only needed ports are open on the container (Manual)",
"result": "WARN",
"details": "Containers with open ports: nginx:80 nginx:443 vagrant-vulnerable-1:2222",
"items": [
"nginx:80",
"nginx:443",
"vagrant-vulnerable-1:2222"
]
},
{
"id": "5.10",
"desc": "Ensure that the host's network namespace is not shared (Automated)",
"result": "PASS"
},
{
"id": "5.11",
"desc": "Ensure that the memory usage for containers is limited (Automated)",
"result": "WARN",
"details": "Container running without memory restrictions: gitea vaultwarden nginx vagrant-vulnerable-1",
"items": [
"gitea",
"vaultwarden",
"nginx",
"vagrant-vulnerable-1"
]
},
{
"id": "5.12",
"desc": "Ensure that CPU priority is set appropriately on containers (Automated)",
"result": "WARN",
"details": "Containers running without CPU restrictions: gitea vaultwarden nginx vagrant-vulnerable-1",
"items": [
"gitea",
"vaultwarden",
"nginx",
"vagrant-vulnerable-1"
]
},
{
"id": "5.13",
"desc": "Ensure that the container's root filesystem is mounted as read only (Automated)",
"result": "WARN",
"details": "Containers running with root FS mounted R/W: gitea vaultwarden nginx vagrant-vulnerable-1",
"items": [
"gitea",
"vaultwarden",
"nginx",
"vagrant-vulnerable-1"
]
},
{
"id": "5.14",
"desc": "Ensure that incoming container traffic is bound to a specific host interface (Automated)",
"result": "WARN",
"details": "Containers with port bound to wildcard IP: nginx:0.0.0.0 nginx:0.0.0.0 vagrant-vulnerable-1:0.0.0.0",
"items": [
"nginx:0.0.0.0",
"nginx:0.0.0.0",
"vagrant-vulnerable-1:0.0.0.0"
]
},
{
"id": "5.15",
"desc": "Ensure that the 'on-failure' container restart policy is set to '5' (Automated)",
"result": "PASS"
},
{
"id": "5.16",
"desc": "Ensure that the host's process namespace is not shared (Automated)",
"result": "PASS"
},
{
"id": "5.17",
"desc": "Ensure that the host's IPC namespace is not shared (Automated)",
"result": "PASS"
},
{
"id": "5.18",
"desc": "Ensure that host devices are not directly exposed to containers (Manual)",
"result": "PASS"
},
{
"id": "5.19",
"desc": "Ensure that the default ulimit is overwritten at runtime if needed (Manual)",
"result": "INFO",
"details": "Containers with no default ulimit override: gitea vaultwarden nginx vagrant-vulnerable-1",
"items": [
"gitea",
"vaultwarden",
"nginx",
"vagrant-vulnerable-1"
]
},
{
"id": "5.20",
"desc": "Ensure mount propagation mode is not set to shared (Automated)",
"result": "PASS"
},
{
"id": "5.21",
"desc": "Ensure that the host's UTS namespace is not shared (Automated)",
"result": "PASS"
},
{
"id": "5.22",
"desc": "Ensure the default seccomp profile is not Disabled (Automated)",
"result": "PASS"
},
{
"id": "5.25",
"desc": "Ensure that cgroup usage is confirmed (Automated)",
"result": "PASS"
},
{
"id": "5.26",
"desc": "Ensure that the container is restricted from acquiring additional privileges (Automated)",
"result": "WARN",
"details": "Containers without restricted privileges: gitea vaultwarden nginx vagrant-vulnerable-1",
"items": [
"gitea",
"vaultwarden",
"nginx",
"vagrant-vulnerable-1"
]
},
{
"id": "5.27",
"desc": "Ensure that container health is checked at runtime (Automated)",
"result": "WARN",
"details": "Containers without health check: gitea nginx vagrant-vulnerable-1",
"items": [
"gitea",
"nginx",
"vagrant-vulnerable-1"
]
},
{
"id": "5.28",
"desc": "Ensure that Docker commands always make use of the latest version of their image (Manual)",
"result": "INFO"
},
{
"id": "5.29",
"desc": "Ensure that the PIDs cgroup limit is used (Automated)",
"result": "WARN",
"details": "Containers without PIDs cgroup limit: gitea vaultwarden nginx vagrant-vulnerable-1",
"items": [
"gitea",
"vaultwarden",
"nginx",
"vagrant-vulnerable-1"
]
},
{
"id": "5.30",
"desc": "Ensure that Docker's default bridge 'docker0' is not used (Manual)",
"result": "PASS"
},
{
"id": "5.31",
"desc": "Ensure that the host's user namespaces are not shared (Automated)",
"result": "PASS"
},
{
"id": "5.32",
"desc": "Ensure that the Docker socket is not mounted inside any containers (Automated)",
"result": "PASS"
}
]
},
{
"id": "6",
"desc": "Docker Security Operations",
"results": [
{
"id": "6.1",
"desc": "Ensure that image sprawl is avoided (Manual)",
"result": "INFO",
"details": "4 active/4 in use"
},
{
"id": "6.2",
"desc": "Ensure that container sprawl is avoided (Manual)",
"result": "INFO",
"details": "4 total/4 running"
}
]
},
{
"id": "7",
"desc": "Docker Swarm Configuration",
"results": [
{
"id": "7.1",
"desc": "Ensure that the minimum number of manager nodes have been created in a swarm (Automated)",
"result": "PASS"
},
{
"id": "7.2",
"desc": "Ensure that swarm services are bound to a specific host interface (Automated)",
"result": "PASS"
},
{
"id": "7.3",
"desc": "Ensure that all Docker swarm overlay networks are encrypted (Automated)",
"result": "PASS"
},
{
"id": "7.4",
"desc": "Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Manual)",
"result": "PASS"
},
{
"id": "7.5",
"desc": "Ensure that swarm manager is run in auto-lock mode (Automated)",
"result": "PASS"
},
{
"id": "7.6",
"desc": "Ensure that the swarm manager auto-lock key is rotated periodically (Manual)",
"result": "PASS"
},
{
"id": "7.7",
"desc": "Ensure that node certificates are rotated as appropriate (Manual)",
"result": "PASS"
},
{
"id": "7.8",
"desc": "Ensure that CA certificates are rotated as appropriate (Manual)",
"result": "PASS"
},
{
"id": "7.9",
"desc": "Ensure that management plane traffic is separated from data plane traffic (Manual)",
"result": "PASS"
}
]
}
],
"checks": 117,
"score": 1,
"end": 1747569613
}

28
measurements/docker-bench/remove_notes.py Normal file
View File

@ -0,0 +1,28 @@
import json
import sys
def remove_note_objects(obj):
if isinstance(obj, list):
return [remove_note_objects(item) for item in obj if not (isinstance(item, dict) and item.get("result") == "NOTE")]
elif isinstance(obj, dict):
return {k: remove_note_objects(v) for k, v in obj.items()}
return obj
def main():
if len(sys.argv) != 3:
print("Usage: python remove_notes.py <input_file.json> <output_file.json>")
sys.exit(1)
input_file = sys.argv[1]
output_file = sys.argv[2]
with open(input_file, 'r', encoding='utf-8') as f:
data = json.load(f)
cleaned_data = remove_note_objects(data)
with open(output_file, 'w', encoding='utf-8') as f:
json.dump(cleaned_data, f, indent=4)
if __name__ == "__main__":
main()

61
measurements/performance/base_1.csv Normal file
View File

@ -0,0 +1,61 @@
Sample,CPU_idle_percent,Mem_available_MB
1,99.49,1143
2,100.00,1143
3,100.00,1143
4,100.00,1143
5,100.00,1143
6,100.00,1143
7,100.00,1143
8,98.46,1143
9,99.49,1143
10,100.00,1143
11,99.49,1143
12,98.02,1143
13,100.00,1143
14,100.00,1143
15,99.49,1143
16,100.00,1143
17,100.00,1143
18,100.00,1143
19,99.49,1167
20,98.98,1165
21,100.00,1165
22,100.00,1165
23,98.99,1153
24,100.00,1153
25,100.00,1153
26,100.00,1153
27,100.00,1153
28,99.50,1153
29,100.00,1153
30,100.00,1153
31,100.00,1153
32,99.49,1153
33,100.00,1153
34,99.49,1153
35,100.00,1153
36,100.00,1153
37,100.00,1153
38,96.98,1153
39,98.48,1151
40,99.49,1151
41,100.00,1151
42,100.00,1151
43,100.00,1151
44,97.45,1151
45,100.00,1154
46,100.00,1160
47,100.00,1160
48,100.00,1160
49,100.00,1161
50,100.00,1161
51,100.00,1161
52,100.00,1161
53,100.00,1161
54,100.00,1161
55,100.00,1161
56,100.00,1161
57,100.00,1161
58,100.00,1161
59,99.49,1160
60,100.00,1160
1 Sample CPU_idle_percent Mem_available_MB
2 1 99.49 1143
3 2 100.00 1143
4 3 100.00 1143
5 4 100.00 1143
6 5 100.00 1143
7 6 100.00 1143
8 7 100.00 1143
9 8 98.46 1143
10 9 99.49 1143
11 10 100.00 1143
12 11 99.49 1143
13 12 98.02 1143
14 13 100.00 1143
15 14 100.00 1143
16 15 99.49 1143
17 16 100.00 1143
18 17 100.00 1143
19 18 100.00 1143
20 19 99.49 1167
21 20 98.98 1165
22 21 100.00 1165
23 22 100.00 1165
24 23 98.99 1153
25 24 100.00 1153
26 25 100.00 1153
27 26 100.00 1153
28 27 100.00 1153
29 28 99.50 1153
30 29 100.00 1153
31 30 100.00 1153
32 31 100.00 1153
33 32 99.49 1153
34 33 100.00 1153
35 34 99.49 1153
36 35 100.00 1153
37 36 100.00 1153
38 37 100.00 1153
39 38 96.98 1153
40 39 98.48 1151
41 40 99.49 1151
42 41 100.00 1151
43 42 100.00 1151
44 43 100.00 1151
45 44 97.45 1151
46 45 100.00 1154
47 46 100.00 1160
48 47 100.00 1160
49 48 100.00 1160
50 49 100.00 1161
51 50 100.00 1161
52 51 100.00 1161
53 52 100.00 1161
54 53 100.00 1161
55 54 100.00 1161
56 55 100.00 1161
57 56 100.00 1161
58 57 100.00 1161
59 58 100.00 1161
60 59 99.49 1160
61 60 100.00 1160

61
measurements/performance/base_2.csv Normal file
View File

@ -0,0 +1,61 @@
Sample,CPU_idle_percent,Mem_available_MB
1,100.00,1148
2,100.00,1149
3,100.00,1149
4,100.00,1149
5,100.00,1149
6,100.00,1149
7,100.00,1150
8,100.00,1150
9,99.49,1150
10,99.49,1150
11,100.00,1150
12,96.94,1150
13,98.99,1150
14,100.00,1150
15,100.00,1150
16,100.00,1150
17,100.00,1151
18,100.00,1152
19,100.00,1152
20,99.49,1152
21,100.00,1152
22,100.00,1153
23,100.00,1153
24,100.00,1153
25,100.00,1154
26,100.00,1153
27,100.00,1153
28,100.00,1153
29,100.00,1154
30,100.00,1154
31,99.49,1154
32,100.00,1155
33,99.49,1155
34,100.00,1155
35,99.50,1155
36,99.49,1155
37,97.99,1155
38,100.00,1155
39,100.00,1155
40,100.00,1155
41,98.97,1155
42,100.00,1156
43,100.00,1155
44,100.00,1155
45,99.49,1155
46,100.00,1156
47,99.49,1156
48,100.00,1157
49,99.49,1157
50,100.00,1157
51,100.00,1158
52,100.00,1157
53,98.99,1157
54,100.00,1157
55,100.00,1157
56,100.00,1157
57,99.49,1157
58,100.00,1157
59,100.00,1157
60,99.49,1157
1 Sample CPU_idle_percent Mem_available_MB
2 1 100.00 1148
3 2 100.00 1149
4 3 100.00 1149
5 4 100.00 1149
6 5 100.00 1149
7 6 100.00 1149
8 7 100.00 1150
9 8 100.00 1150
10 9 99.49 1150
11 10 99.49 1150
12 11 100.00 1150
13 12 96.94 1150
14 13 98.99 1150
15 14 100.00 1150
16 15 100.00 1150
17 16 100.00 1150
18 17 100.00 1151
19 18 100.00 1152
20 19 100.00 1152
21 20 99.49 1152
22 21 100.00 1152
23 22 100.00 1153
24 23 100.00 1153
25 24 100.00 1153
26 25 100.00 1154
27 26 100.00 1153
28 27 100.00 1153
29 28 100.00 1153
30 29 100.00 1154
31 30 100.00 1154
32 31 99.49 1154
33 32 100.00 1155
34 33 99.49 1155
35 34 100.00 1155
36 35 99.50 1155
37 36 99.49 1155
38 37 97.99 1155
39 38 100.00 1155
40 39 100.00 1155
41 40 100.00 1155
42 41 98.97 1155
43 42 100.00 1156
44 43 100.00 1155
45 44 100.00 1155
46 45 99.49 1155
47 46 100.00 1156
48 47 99.49 1156
49 48 100.00 1157
50 49 99.49 1157
51 50 100.00 1157
52 51 100.00 1158
53 52 100.00 1157
54 53 98.99 1157
55 54 100.00 1157
56 55 100.00 1157
57 56 100.00 1157
58 57 99.49 1157
59 58 100.00 1157
60 59 100.00 1157
61 60 99.49 1157

61
measurements/performance/base_3.csv Normal file
View File

@ -0,0 +1,61 @@
Sample,CPU_idle_percent,Mem_available_MB
1,99.50,1144
2,99.50,1144
3,99.50,1144
4,100.00,1145
5,100.00,1146
6,99.03,1146
7,99.50,1145
8,96.91,1146
9,99.50,1146
10,99.50,1146
11,99.53,1146
12,100.00,1146
13,100.00,1146
14,99.50,1145
15,99.50,1145
16,99.50,1145
17,99.50,1145
18,100.00,1146
19,99.00,1146
20,98.51,1146
21,100.00,1147
22,100.00,1146
23,99.50,1146
24,99.02,1147
25,99.51,1147
26,99.51,1147
27,100.00,1147
28,99.50,1147
29,99.50,1147
30,99.50,1147
31,99.50,1148
32,99.52,1148
33,99.53,1148
34,99.50,1148
35,100.00,1148
36,100.00,1147
37,98.56,1147
38,97.99,1150
39,98.49,1150
40,98.99,1150
41,98.51,1150
42,100.00,1150
43,99.50,1149
44,100.00,1149
45,99.01,1149
46,99.01,1149
47,100.00,1149
48,100.00,1149
49,99.50,1149
50,98.99,1149
51,99.50,1149
52,99.50,1149
53,99.50,1149
54,100.00,1149
55,98.51,1149
56,100.00,1149
57,99.52,1149
58,99.51,1149
59,99.50,1149
60,99.50,1149
1 Sample CPU_idle_percent Mem_available_MB
2 1 99.50 1144
3 2 99.50 1144
4 3 99.50 1144
5 4 100.00 1145
6 5 100.00 1146
7 6 99.03 1146
8 7 99.50 1145
9 8 96.91 1146
10 9 99.50 1146
11 10 99.50 1146
12 11 99.53 1146
13 12 100.00 1146
14 13 100.00 1146
15 14 99.50 1145
16 15 99.50 1145
17 16 99.50 1145
18 17 99.50 1145
19 18 100.00 1146
20 19 99.00 1146
21 20 98.51 1146
22 21 100.00 1147
23 22 100.00 1146
24 23 99.50 1146
25 24 99.02 1147
26 25 99.51 1147
27 26 99.51 1147
28 27 100.00 1147
29 28 99.50 1147
30 29 99.50 1147
31 30 99.50 1147
32 31 99.50 1148
33 32 99.52 1148
34 33 99.53 1148
35 34 99.50 1148
36 35 100.00 1148
37 36 100.00 1147
38 37 98.56 1147
39 38 97.99 1150
40 39 98.49 1150
41 40 98.99 1150
42 41 98.51 1150
43 42 100.00 1150
44 43 99.50 1149
45 44 100.00 1149
46 45 99.01 1149
47 46 99.01 1149
48 47 100.00 1149
49 48 100.00 1149
50 49 99.50 1149
51 50 98.99 1149
52 51 99.50 1149
53 52 99.50 1149
54 53 99.50 1149
55 54 100.00 1149
56 55 98.51 1149
57 56 100.00 1149
58 57 99.52 1149
59 58 99.51 1149
60 59 99.50 1149
61 60 99.50 1149

61
measurements/performance/base_4.csv Normal file
View File

@ -0,0 +1,61 @@
Sample,CPU_idle_percent,Mem_available_MB
1,98.48,1163
2,99.49,1163
3,100.00,1163
4,100.00,1163
5,100.00,1163
6,99.49,1163
7,100.00,1164
8,98.99,1164
9,100.00,1163
10,100.00,1163
11,100.00,1163
12,99.49,1164
13,100.00,1165
14,98.97,1165
15,100.00,1165
16,100.00,1165
17,99.49,1165
18,100.00,1165
19,98.98,1165
20,99.49,1166
21,100.00,1166
22,100.00,1166
23,100.00,1166
24,95.94,1166
25,97.47,1166
26,99.49,1166
27,98.48,1166
28,98.98,1166
29,100.00,1166
30,100.00,1166
31,96.45,1166
32,99.49,1166
33,100.00,1167
34,100.00,1168
35,100.00,1168
36,100.00,1169
37,100.00,1168
38,100.00,1168
39,100.00,1168
40,100.00,1168
41,100.00,1168
42,100.00,1168
43,100.00,1168
44,100.00,1168
45,97.98,1168
46,98.98,1167
47,99.49,1167
48,100.00,1167
49,100.00,1167
50,100.00,1167
51,100.00,1167
52,99.49,1167
53,99.49,1167
54,99.49,1165
55,99.50,1165
56,100.00,1165
57,100.00,1165
58,99.00,1165
59,100.00,1165
60,100.00,1165
1 Sample CPU_idle_percent Mem_available_MB
2 1 98.48 1163
3 2 99.49 1163
4 3 100.00 1163
5 4 100.00 1163
6 5 100.00 1163
7 6 99.49 1163
8 7 100.00 1164
9 8 98.99 1164
10 9 100.00 1163
11 10 100.00 1163
12 11 100.00 1163
13 12 99.49 1164
14 13 100.00 1165
15 14 98.97 1165
16 15 100.00 1165
17 16 100.00 1165
18 17 99.49 1165
19 18 100.00 1165
20 19 98.98 1165
21 20 99.49 1166
22 21 100.00 1166
23 22 100.00 1166
24 23 100.00 1166
25 24 95.94 1166
26 25 97.47 1166
27 26 99.49 1166
28 27 98.48 1166
29 28 98.98 1166
30 29 100.00 1166
31 30 100.00 1166
32 31 96.45 1166
33 32 99.49 1166
34 33 100.00 1167
35 34 100.00 1168
36 35 100.00 1168
37 36 100.00 1169
38 37 100.00 1168
39 38 100.00 1168
40 39 100.00 1168
41 40 100.00 1168
42 41 100.00 1168
43 42 100.00 1168
44 43 100.00 1168
45 44 100.00 1168
46 45 97.98 1168
47 46 98.98 1167
48 47 99.49 1167
49 48 100.00 1167
50 49 100.00 1167
51 50 100.00 1167
52 51 100.00 1167
53 52 99.49 1167
54 53 99.49 1167
55 54 99.49 1165
56 55 99.50 1165
57 56 100.00 1165
58 57 100.00 1165
59 58 99.00 1165
60 59 100.00 1165
61 60 100.00 1165

61
measurements/performance/base_5.csv Normal file
View File

@ -0,0 +1,61 @@
Sample,CPU_idle_percent,Mem_available_MB
1,99.50,1143
2,100.00,1144
3,99.00,1144
4,99.50,1144
5,100.00,1144
6,99.49,1144
7,99.51,1144
8,100.00,1144
9,98.03,1144
10,99.51,1144
11,99.49,1145
12,99.50,1145
13,98.51,1145
14,100.00,1145
15,99.06,1144
16,100.00,1144
17,100.00,1144
18,100.00,1144
19,100.00,1144
20,100.00,1143
21,99.51,1143
22,100.00,1143
23,99.52,1143
24,100.00,1143
25,100.00,1143
26,99.06,1143
27,99.51,1143
28,99.52,1143
29,99.02,1143
30,100.00,1144
31,99.02,1144
32,100.00,1144
33,99.51,1144
34,99.02,1145
35,100.00,1145
36,100.00,1145
37,100.00,1145
38,97.05,1144
39,98.50,1145
40,99.01,1145
41,98.51,1145
42,99.51,1145
43,99.50,1145
44,99.50,1145
45,100.00,1145
46,99.49,1146
47,99.50,1146
48,100.00,1146
49,99.00,1147
50,99.05,1147
51,100.00,1147
52,99.50,1147
53,98.51,1148
54,99.51,1148
55,99.50,1148
56,99.58,1148
57,98.69,1148
58,99.50,1148
59,98.49,1148
60,99.50,1148
1 Sample CPU_idle_percent Mem_available_MB
2 1 99.50 1143
3 2 100.00 1144
4 3 99.00 1144
5 4 99.50 1144
6 5 100.00 1144
7 6 99.49 1144
8 7 99.51 1144
9 8 100.00 1144
10 9 98.03 1144
11 10 99.51 1144
12 11 99.49 1145
13 12 99.50 1145
14 13 98.51 1145
15 14 100.00 1145
16 15 99.06 1144
17 16 100.00 1144
18 17 100.00 1144
19 18 100.00 1144
20 19 100.00 1144
21 20 100.00 1143
22 21 99.51 1143
23 22 100.00 1143
24 23 99.52 1143
25 24 100.00 1143
26 25 100.00 1143
27 26 99.06 1143
28 27 99.51 1143
29 28 99.52 1143
30 29 99.02 1143
31 30 100.00 1144
32 31 99.02 1144
33 32 100.00 1144
34 33 99.51 1144
35 34 99.02 1145
36 35 100.00 1145
37 36 100.00 1145
38 37 100.00 1145
39 38 97.05 1144
40 39 98.50 1145
41 40 99.01 1145
42 41 98.51 1145
43 42 99.51 1145
44 43 99.50 1145
45 44 99.50 1145
46 45 100.00 1145
47 46 99.49 1146
48 47 99.50 1146
49 48 100.00 1146
50 49 99.00 1147
51 50 99.05 1147
52 51 100.00 1147
53 52 99.50 1147
54 53 98.51 1148
55 54 99.51 1148
56 55 99.50 1148
57 56 99.58 1148
58 57 98.69 1148
59 58 99.50 1148
60 59 98.49 1148
61 60 99.50 1148

61
measurements/performance/hybrid_1.csv Normal file
View File

@ -0,0 +1,61 @@
Sample,CPU_idle_percent,Mem_available_MB
1,100.00,1180
2,100.00,1180
3,100.00,1180
4,100.00,1180
5,100.00,1180
6,99.54,1180
7,100.00,1180
8,100.00,1180
9,99.50,1180
10,100.00,1180
11,100.00,1180
12,99.07,1180
13,100.00,1181
14,100.00,1181
15,100.00,1182
16,100.00,1182
17,99.50,1183
18,100.00,1183
19,99.51,1183
20,100.00,1183
21,100.00,1183
22,99.00,1182
23,100.00,1182
24,100.00,1182
25,99.00,1182
26,97.52,1185
27,99.00,1185
28,100.00,1185
29,100.00,1185
30,99.50,1185
31,99.50,1185
32,96.67,1185
33,100.00,1185
34,100.00,1185
35,100.00,1185
36,100.00,1185
37,99.50,1185
38,99.50,1185
39,100.00,1185
40,100.00,1185
41,99.49,1184
42,99.50,1184
43,100.00,1184
44,100.00,1184
45,100.00,1184
46,100.00,1184
47,100.00,1184
48,99.50,1184
49,100.00,1184
50,100.00,1184
51,99.51,1184
52,100.00,1184
53,99.51,1184
54,100.00,1184
55,99.50,1184
56,99.02,1183
57,100.00,1183
58,100.00,1183
59,99.53,1183
60,100.00,1183
1 Sample CPU_idle_percent Mem_available_MB
2 1 100.00 1180
3 2 100.00 1180
4 3 100.00 1180
5 4 100.00 1180
6 5 100.00 1180
7 6 99.54 1180
8 7 100.00 1180
9 8 100.00 1180
10 9 99.50 1180
11 10 100.00 1180
12 11 100.00 1180
13 12 99.07 1180
14 13 100.00 1181
15 14 100.00 1181
16 15 100.00 1182
17 16 100.00 1182
18 17 99.50 1183
19 18 100.00 1183
20 19 99.51 1183
21 20 100.00 1183
22 21 100.00 1183
23 22 99.00 1182
24 23 100.00 1182
25 24 100.00 1182
26 25 99.00 1182
27 26 97.52 1185
28 27 99.00 1185
29 28 100.00 1185
30 29 100.00 1185
31 30 99.50 1185
32 31 99.50 1185
33 32 96.67 1185
34 33 100.00 1185
35 34 100.00 1185
36 35 100.00 1185
37 36 100.00 1185
38 37 99.50 1185
39 38 99.50 1185
40 39 100.00 1185
41 40 100.00 1185
42 41 99.49 1184
43 42 99.50 1184
44 43 100.00 1184
45 44 100.00 1184
46 45 100.00 1184
47 46 100.00 1184
48 47 100.00 1184
49 48 99.50 1184
50 49 100.00 1184
51 50 100.00 1184
52 51 99.51 1184
53 52 100.00 1184
54 53 99.51 1184
55 54 100.00 1184
56 55 99.50 1184
57 56 99.02 1183
58 57 100.00 1183
59 58 100.00 1183
60 59 99.53 1183
61 60 100.00 1183

61
measurements/performance/hybrid_2.csv Normal file
View File

@ -0,0 +1,61 @@
Sample,CPU_idle_percent,Mem_available_MB
1,99.50,1187
2,100.00,1187
3,99.50,1186
4,99.00,1186
5,100.00,1186
6,100.00,1186
7,100.00,1186
8,100.00,1186
9,100.00,1186
10,100.00,1186
11,100.00,1186
12,99.52,1186
13,100.00,1186
14,99.01,1186
15,99.52,1186
16,99.50,1186
17,100.00,1186
18,99.50,1186
19,100.00,1187
20,100.00,1187
21,100.00,1187
22,99.51,1187
23,99.50,1187
24,97.98,1187
25,99.51,1187
26,99.51,1187
27,100.00,1187
28,100.00,1187
29,100.00,1187
30,99.00,1185
31,99.00,1185
32,100.00,1185
33,99.01,1185
34,99.51,1185
35,99.50,1185
36,99.00,1186
37,100.00,1186
38,99.50,1186
39,98.49,1186
40,98.51,1186
41,99.01,1186
42,99.51,1186
43,100.00,1186
44,98.99,1186
45,99.01,1186
46,100.00,1186
47,98.51,1186
48,100.00,1186
49,99.51,1187
50,99.50,1187
51,100.00,1187
52,98.03,1187
53,100.00,1187
54,99.02,1187
55,100.00,1187
56,100.00,1187
57,100.00,1188
58,100.00,1187
59,99.03,1188
60,99.51,1189
1 Sample CPU_idle_percent Mem_available_MB
2 1 99.50 1187
3 2 100.00 1187
4 3 99.50 1186
5 4 99.00 1186
6 5 100.00 1186
7 6 100.00 1186
8 7 100.00 1186
9 8 100.00 1186
10 9 100.00 1186
11 10 100.00 1186
12 11 100.00 1186
13 12 99.52 1186
14 13 100.00 1186
15 14 99.01 1186
16 15 99.52 1186
17 16 99.50 1186
18 17 100.00 1186
19 18 99.50 1186
20 19 100.00 1187
21 20 100.00 1187
22 21 100.00 1187
23 22 99.51 1187
24 23 99.50 1187
25 24 97.98 1187
26 25 99.51 1187
27 26 99.51 1187
28 27 100.00 1187
29 28 100.00 1187
30 29 100.00 1187
31 30 99.00 1185
32 31 99.00 1185
33 32 100.00 1185
34 33 99.01 1185
35 34 99.51 1185
36 35 99.50 1185
37 36 99.00 1186
38 37 100.00 1186
39 38 99.50 1186
40 39 98.49 1186
41 40 98.51 1186
42 41 99.01 1186
43 42 99.51 1186
44 43 100.00 1186
45 44 98.99 1186
46 45 99.01 1186
47 46 100.00 1186
48 47 98.51 1186
49 48 100.00 1186
50 49 99.51 1187
51 50 99.50 1187
52 51 100.00 1187
53 52 98.03 1187
54 53 100.00 1187
55 54 99.02 1187
56 55 100.00 1187
57 56 100.00 1187
58 57 100.00 1188
59 58 100.00 1187
60 59 99.03 1188
61 60 99.51 1189

61
measurements/performance/hybrid_3.csv Normal file
View File

@ -0,0 +1,61 @@
Sample,CPU_idle_percent,Mem_available_MB
1,100.00,1184
2,100.00,1184
3,100.00,1184
4,97.47,1189
5,99.49,1189
6,100.00,1189
7,100.00,1189
8,100.00,1189
9,100.00,1189
10,100.00,1189
11,100.00,1188
12,100.00,1188
13,96.46,1188
14,100.00,1188
15,100.00,1188
16,100.00,1188
17,100.00,1188
18,100.00,1188
19,100.00,1188
20,99.50,1188
21,100.00,1188
22,100.00,1188
23,100.00,1188
24,100.00,1188
25,100.00,1188
26,100.00,1188
27,100.00,1188
28,100.00,1188
29,99.49,1188
30,100.00,1188
31,100.00,1188
32,100.00,1188
33,100.00,1188
34,99.50,1188
35,100.00,1188
36,98.51,1188
37,100.00,1188
38,100.00,1188
39,99.50,1188
40,100.00,1189
41,100.00,1190
42,100.00,1190
43,100.00,1190
44,100.00,1190
45,100.00,1190
46,100.00,1190
47,100.00,1191
48,100.00,1191
49,100.00,1192
50,99.50,1192
51,99.50,1192
52,100.00,1192
53,100.00,1193
54,100.00,1193
55,100.00,1193
56,99.50,1193
57,100.00,1193
58,100.00,1194
59,100.00,1194
60,100.00,1195
1 Sample CPU_idle_percent Mem_available_MB
2 1 100.00 1184
3 2 100.00 1184
4 3 100.00 1184
5 4 97.47 1189
6 5 99.49 1189
7 6 100.00 1189
8 7 100.00 1189
9 8 100.00 1189
10 9 100.00 1189
11 10 100.00 1189
12 11 100.00 1188
13 12 100.00 1188
14 13 96.46 1188
15 14 100.00 1188
16 15 100.00 1188
17 16 100.00 1188
18 17 100.00 1188
19 18 100.00 1188
20 19 100.00 1188
21 20 99.50 1188
22 21 100.00 1188
23 22 100.00 1188
24 23 100.00 1188
25 24 100.00 1188
26 25 100.00 1188
27 26 100.00 1188
28 27 100.00 1188
29 28 100.00 1188
30 29 99.49 1188
31 30 100.00 1188
32 31 100.00 1188
33 32 100.00 1188
34 33 100.00 1188
35 34 99.50 1188
36 35 100.00 1188
37 36 98.51 1188
38 37 100.00 1188
39 38 100.00 1188
40 39 99.50 1188
41 40 100.00 1189
42 41 100.00 1190
43 42 100.00 1190
44 43 100.00 1190
45 44 100.00 1190
46 45 100.00 1190
47 46 100.00 1190
48 47 100.00 1191
49 48 100.00 1191
50 49 100.00 1192
51 50 99.50 1192
52 51 99.50 1192
53 52 100.00 1192
54 53 100.00 1193
55 54 100.00 1193
56 55 100.00 1193
57 56 99.50 1193
58 57 100.00 1193
59 58 100.00 1194
60 59 100.00 1194
61 60 100.00 1195

61
measurements/performance/hybrid_4.csv Normal file
View File

@ -0,0 +1,61 @@
Sample,CPU_idle_percent,Mem_available_MB
1,100.00,1179
2,100.00,1179
3,100.00,1179
4,100.00,1179
5,100.00,1179
6,100.00,1179
7,100.00,1179
8,100.00,1179
9,100.00,1179
10,100.00,1179
11,97.96,1179
12,99.49,1178
13,100.00,1178
14,100.00,1178
15,100.00,1178
16,100.00,1178
17,99.49,1178
18,100.00,1178
19,100.00,1178
20,99.49,1178
21,100.00,1178
22,100.00,1178
23,99.50,1179
24,100.00,1179
25,100.00,1179
26,100.00,1179
27,98.49,1179
28,100.00,1180
29,100.00,1180
30,100.00,1180
31,100.00,1180
32,100.00,1181
33,100.00,1181
34,99.50,1181
35,100.00,1181
36,100.00,1182
37,99.50,1182
38,100.00,1182
39,99.49,1182
40,97.42,1183
41,96.94,1182
42,100.00,1183
43,99.49,1183
44,100.00,1184
45,100.00,1184
46,98.99,1184
47,100.00,1184
48,100.00,1184
49,100.00,1185
50,100.00,1185
51,100.00,1186
52,100.00,1186
53,100.00,1186
54,100.00,1186
55,100.00,1186
56,99.49,1187
57,99.49,1187
58,100.00,1187
59,99.49,1187
60,99.49,1187
1 Sample CPU_idle_percent Mem_available_MB
2 1 100.00 1179
3 2 100.00 1179
4 3 100.00 1179
5 4 100.00 1179
6 5 100.00 1179
7 6 100.00 1179
8 7 100.00 1179
9 8 100.00 1179
10 9 100.00 1179
11 10 100.00 1179
12 11 97.96 1179
13 12 99.49 1178
14 13 100.00 1178
15 14 100.00 1178
16 15 100.00 1178
17 16 100.00 1178
18 17 99.49 1178
19 18 100.00 1178
20 19 100.00 1178
21 20 99.49 1178
22 21 100.00 1178
23 22 100.00 1178
24 23 99.50 1179
25 24 100.00 1179
26 25 100.00 1179
27 26 100.00 1179
28 27 98.49 1179
29 28 100.00 1180
30 29 100.00 1180
31 30 100.00 1180
32 31 100.00 1180
33 32 100.00 1181
34 33 100.00 1181
35 34 99.50 1181
36 35 100.00 1181
37 36 100.00 1182
38 37 99.50 1182
39 38 100.00 1182
40 39 99.49 1182
41 40 97.42 1183
42 41 96.94 1182
43 42 100.00 1183
44 43 99.49 1183
45 44 100.00 1184
46 45 100.00 1184
47 46 98.99 1184
48 47 100.00 1184
49 48 100.00 1184
50 49 100.00 1185
51 50 100.00 1185
52 51 100.00 1186
53 52 100.00 1186
54 53 100.00 1186
55 54 100.00 1186
56 55 100.00 1186
57 56 99.49 1187
58 57 99.49 1187
59 58 100.00 1187
60 59 99.49 1187
61 60 99.49 1187

61
measurements/performance/hybrid_5.csv Normal file
View File

@ -0,0 +1,61 @@
Sample,CPU_idle_percent,Mem_available_MB
1,100.00,1186
2,99.53,1186
3,100.00,1186
4,98.70,1186
5,100.00,1186
6,100.00,1186
7,99.51,1186
8,99.10,1186
9,98.59,1185
10,100.00,1185
11,99.50,1185
12,100.00,1185
13,99.50,1185
14,100.00,1185
15,99.51,1185
16,100.00,1185
17,99.04,1185
18,100.00,1185
19,100.00,1185
20,99.02,1186
21,100.00,1186
22,99.59,1186
23,99.52,1186
24,99.51,1186
25,100.00,1186
26,99.51,1186
27,100.00,1185
28,100.00,1185
29,99.51,1185
30,99.50,1185
31,99.01,1185
32,99.55,1185
33,100.00,1185
34,99.50,1185
35,100.00,1185
36,100.00,1185
37,97.51,1185
38,96.50,1184
39,98.99,1184
40,100.00,1184
41,99.00,1183
42,98.53,1183
43,98.05,1183
44,98.54,1183
45,99.51,1183
46,98.52,1183
47,100.00,1183
48,100.00,1183
49,97.51,1183
50,99.53,1183
51,100.00,1183
52,99.50,1183
53,99.51,1183
54,99.50,1183
55,100.00,1183
56,98.59,1183
57,100.00,1183
58,99.02,1183
59,99.52,1183
60,100.00,1183
1 Sample CPU_idle_percent Mem_available_MB
2 1 100.00 1186
3 2 99.53 1186
4 3 100.00 1186
5 4 98.70 1186
6 5 100.00 1186
7 6 100.00 1186
8 7 99.51 1186
9 8 99.10 1186
10 9 98.59 1185
11 10 100.00 1185
12 11 99.50 1185
13 12 100.00 1185
14 13 99.50 1185
15 14 100.00 1185
16 15 99.51 1185
17 16 100.00 1185
18 17 99.04 1185
19 18 100.00 1185
20 19 100.00 1185
21 20 99.02 1186
22 21 100.00 1186
23 22 99.59 1186
24 23 99.52 1186
25 24 99.51 1186
26 25 100.00 1186
27 26 99.51 1186
28 27 100.00 1185
29 28 100.00 1185
30 29 99.51 1185
31 30 99.50 1185
32 31 99.01 1185
33 32 99.55 1185
34 33 100.00 1185
35 34 99.50 1185
36 35 100.00 1185
37 36 100.00 1185
38 37 97.51 1185
39 38 96.50 1184
40 39 98.99 1184
41 40 100.00 1184
42 41 99.00 1183
43 42 98.53 1183
44 43 98.05 1183
45 44 98.54 1183
46 45 99.51 1183
47 46 98.52 1183
48 47 100.00 1183
49 48 100.00 1183
50 49 97.51 1183
51 50 99.53 1183
52 51 100.00 1183
53 52 99.50 1183
54 53 99.51 1183
55 54 99.50 1183
56 55 100.00 1183
57 56 98.59 1183
58 57 100.00 1183
59 58 99.02 1183
60 59 99.52 1183
61 60 100.00 1183

842
tex/thesis.tex
View File

@ -37,7 +37,9 @@
\graphicspath{./img} \graphicspath{./img}
\newenvironment{code}{\captionsetup{type=listing}}{} \newenvironment{code}{\captionsetup{type=listing}}{}
\SetupFloatingEnvironment{listing}{name=Raw Text} \SetupFloatingEnvironment{listing}{}
\usepackage{chngcntr}
\counterwithin{listing}{section}
% Die nachfolgenden Pakete stellen sonst nicht benötigte Features zur Verfügung % Die nachfolgenden Pakete stellen sonst nicht benötigte Features zur Verfügung
\usepackage{blindtext} \usepackage{blindtext}
@ -140,9 +142,9 @@ It should be noted, that the applications themselves are not the focus of the an
\autoref{fig:webservice-hybrid} illustrates two services running on a shared host system, rather than deploying a separate instance for each service. Initially the logging system was considered as a candidate for demonstrating a hybrid setup. However, since docker already manages logging---including support for external logging systems, as discussed in \autoref{ssub:background_service_redundancy}---this approach would neither be novel nor yield any measureable difference to the baseline. Disabling Docker's built-in logging systems would introduce an arbitrary change not reflective of real-world scenarios. As a resuilt the focus now lies on replacing the two database containers with a shared service on the host. This change is expected to produce more meaningful differences in a practical scenario. \autoref{fig:webservice-hybrid} illustrates two services running on a shared host system, rather than deploying a separate instance for each service. Initially the logging system was considered as a candidate for demonstrating a hybrid setup. However, since docker already manages logging---including support for external logging systems, as discussed in \autoref{ssub:background_service_redundancy}---this approach would neither be novel nor yield any measureable difference to the baseline. Disabling Docker's built-in logging systems would introduce an arbitrary change not reflective of real-world scenarios. As a resuilt the focus now lies on replacing the two database containers with a shared service on the host. This change is expected to produce more meaningful differences in a practical scenario.
\subsection{Third party software doesn't always play nice} \subsection{The caveats of the setup}
Even in such a comparatively simple scenario, conflicts and issues between the services can and do arrise\todo{complete section}. Even in a comparatively simple scenario such as the one described in this chapter, conflicts and may arise between the services---and even Docker itself. By default, all Docker containers are connected to the \texttt{docker0} network interface, which uses the subnet \texttt{172.17.0.0/16}\todo{cite: docker documentation}. An exception to this rule is Docker Compose, which creates a separate network for each Compose file. To alleviate this issue, a network must be defined in the Docker Compose file, and the corresponding subnet must be allowed in the PostgreSQL configuration\todo{cite: docker compose docs}.
\chapter{Reproducibility} \chapter{Reproducibility}
@ -161,25 +163,22 @@ Tools have been selected based on reproducibility and compatibility, but not per
\section{Tooling for the VM-Host} \section{Tooling for the VM-Host}
To evaluate the effectiveness of base configuration and the implemented measures, a series of controlled attacks are performed from the client VM against the running services in the docker host. At first Ubuntu Desktop was considered as the OS, however as the client VM is not the focus of this thesis and thus does not need to be representative of the real world to the same degree as the docker VM, Kali Linuxw as determined to be a better option due to the suite of preinstalled tooling for the simulated attacks. \todo{possible vagrant explanation}
The process is split into three phases, mirroring real world scenarios:
Reconnaissance: Tools like nmap, netcat and curl are used to discover any open ports, services, and misconfigurations.
Exploitation: Metasploit and custom scripts are used to test the effectiveness of known exploits on a specific configuration. Due to the reproducibility of the environment, effectiveness can be measured and compared as a simple pass/fail rate.
Post-Exploitation: After gaining access, tools like linpeas and manual inspecting are used to determine access to shared resources.
The goal in these tests is not to discover novel exploits, but to simulate real world attack paths and analyse the additional risk introduced by the hybrid architecture.
\section{Preparing for Attack} \section{Preparing for Attack}
To evaluate the effectiveness of base configuration and the implemented measures, a series of controlled attacks are performed from the client VM against the running services in the docker host. At first Ubuntu Desktop was considered as the OS, however as the client VM is not the focus of this thesis and thus does not need to be representative of the real world to the same degree as the docker VM, Kali Linux was determined to be a better option due to the suite of preinstalled tooling for the simulated attacks.
To evaluate the effectiveness of base configuration and the implemented measures, a series of controlled attacks are performed from the client VM against the running services in the docker host. The process is split into three phases, mirroring real world scenarios: To evaluate the effectiveness of base configuration and the implemented measures, a series of controlled attacks are performed from the client VM against the running services in the docker host. The process is split into three phases, mirroring real world scenarios:
Reconnaissance: Tools like nmap, netcat and curl are used to discover any open ports, services, and misconfigurations. \begin{itemize}
Exploitation: Metasploit and custom scripts are used to test the effectiveness of known exploits on a specific configuration. Due to the reproducibility of the environment, effectiveness can be measured and compared as a simple pass/fail rate. \item Reconnaissance: Tools like nmap, netcat and curl are used to discover any open ports, services, and misconfigurations.
Post-Exploitation: After gaining access, tools like linpeas and manual inspecting are used to determine access to shared resources. \item Exploitation: Metasploit and custom scripts are used to test the effectiveness of known exploits on a specific configuration. Due to the reproducibility of the environment, effectiveness can be measured and compared as a simple pass/fail rate.
\item Post-Exploitation: After gaining access, tools like linpeas and manual inspecting are used to determine access to shared resources.
\end{itemize}
The goal in these tests is not to discover novel exploits, but to simulate real world attack paths and analyse the additional risk introduced by the hybrid architecture. It should also be noted, that some tested measures only protect against a specific step, or assumes certain prerequisites---some steps will thus be skipped where applicable. The goal in these tests is not to discover novel exploits, but to simulate real world attack paths and analyse the additional risk introduced by the hybrid architecture. It should also be noted, that some tested measures only protect against a specific step, or assumes certain prerequisites---some steps will thus be skipped where applicable.
\section{Entrypoints} \section{Entrypoints}\label{sec:entrypoints}
While for most attacks the entry point will be the same as for regular usage---in most cases via the exposed HTTP(S) port---such attacks are limited to surface weaknesses. It is however realistic to expect attackers to gain access in some form, through misconfigurations, issues introduced in the further up the software supply chain, or in extrem cases even through zero-day exploits; thus it is prudent to adopt ``assume breach'' mindset for setups as described in this thesis \cite{souppaya_2017_application} \cite{avrahami_2019_breaking}---for the purposes of testing the configurations, an assumed breach will be provided via a docker container\todo{How will access be simulated?}. While for most attacks the entry point will be the same as for regular usage---in most cases via the exposed HTTP(S) port---such attacks are limited to surface weaknesses. It is however realistic to expect attackers to gain access in some form, through misconfigurations, issues introduced in the further up the software supply chain, or in extrem cases even through zero-day exploits; thus it is prudent to adopt ``assume breach'' mindset for setups as described in this thesis \cite{souppaya_2017_application} \cite{avrahami_2019_breaking}---for the purposes of testing the configurations, an assumed breach will be provided via a docker container\todo{How will access be simulated?}.
@ -191,40 +190,34 @@ This chapter describes the tests against the architecture. Each test starts with
\subsection{Base Configuration} \subsection{Base Configuration}
The base configuration is a minimal configuration, using default values wherever possible. The base configuration is minimal, relying on default values wherever possible.
\subsubsection*{Reconnaissance} \subsubsection*{Reconnaissance}
\paragraph*{NMap Scan} \paragraph*{NMap Scan}
As shown in \autoref{log:base:nmap_sS}, while no unexpected ports are open, it does reveal the setup redirecting to Gitea by default, instead of Bitwarden. This is not unexpected, since no other default has been specified. As shown in \autoref{log:base:nmap_sS}, although no unexpected ports are open, the scan does reveal that the setup redirects to Gitea by default, instead of Bitwarden or a blank page. This is behavior is expected, as no alternative default has been configured.
\paragraph*{Known services analysis} \paragraph*{Known services analysis}
The HTTP headers of the nginx entrypoint (\autoref{log:base:curl_I}) show a redirect and reveal the nginx version; following the redirect of the Gitea service (\autoref{log:base:curl_IL_gitea}) does not bring any new information; the body of this request (\autoref{log:base:curl_L_gitea}) forms the landing page of Gitea, and does not directly expose any critical data, however it does list the install version number, which paired with known security vulnerabilities \cite{gitea} can introduce a breach. The HTTP headers of the nginx entrypoint (\autoref{log:base:curl_I}) show a redirect and reveal the Nginx version; following the redirect of the Gitea service (\autoref{log:base:curl_IL_gitea}) does not bring any new information. The body of this request (\autoref{log:base:curl_L_gitea}) forms the landing page of Gitea, and does not directly expose any critical data. However, it does reveal the installations version number, which paired with known security vulnerabilities \cite{gitea} could pose a security risk. It also reveals the address \texttt{http://localhost:3000/} in a \texttt{<meta>} tag, though it is unclear if this reflects an active configuration or a visual misconfiguration. However, base64 encoded manifest includes the same address, implying it is indeed used internally.
Vaultwarden presents a similar issue (\autoref{log:base:curl_L_bitwarden}) after allowing the page to execute JavaScript, however its headers (\autoref{log:base:curl_IL_bitwarden}) [\textellipsis]. Vaultwarden presents a similar issue (\autoref{log:base:curl_L_bitwarden}) with regard to its version after allowing the page to execute JavaScript, albeit with a more complex set of HTTP headers (\autoref{log:base:curl_IL_bitwarden}).
\subsubsection*{Exploitation} \subsubsection*{Exploitation}
Detailed explanation of all scripts As the goal of this exercise is not to find novel exploits, and preliminary scans do not reveal any known vulnerabilities, it needs to be assumed the configuration is moderately safe as is. For multilayered security it is essential to test more components than just the external interface\todo{cite paper about this approach}. To simulate internal access, the container described in \autoref{sec:entrypoints} is used, as demonstrated in \autoref{log:base:metasploit:ssh_login}. Similar scans, as described before, confirm the presence of an open port 3000, as shown in \autoref{log:base:vuln:nmap}, but do not reveal any additional services.
\subsubsection*{Post-Exploitation} \subsubsection*{Post-Exploitation}
Detailed explanation of found consequences In a typical Docker Compose setup, Docker networks already provide strong encapsulation\todo{cite the paper about Docker network security}. As such the database for either service could not be accessed. The only successful container access was establishing direct communication with other public-facing services, effectively bypassing any potential firewall. However, this can again be alleviate by using a separate bridge network between each service and the Nginx container.
\subsection{Hybrid configuration}
\subsection{Outdated versions of services} \subsection{Outdated versions of services}
[TODO: Gitea 1.17.2] [TODO: Gitea 1.17.2]
\subsection{Firewall on host system}
\subsection{Firewall in separate docker container}
\subsection{Firewall in NGinX container}
\subsection{Separate docker networks}
\chapter{Discussion - NAME PENDING}\label{cha:discussion} \chapter{Discussion - NAME PENDING}\label{cha:discussion}
Introduction/Summary Introduction/Summary
@ -291,7 +284,7 @@ The security of both services in the tested setup can be further improved by imp
\begin{code} \begin{code}
\captionof{listing}{Vagrantfile} \captionof{listing}{Vagrantfile}
\label{code:Vagrantfile} \label{code:Vagrantfile}
\begin{minted}[breaklines]{ruby} \begin{minted}[breaklines,fontsize=\footnotesize]{ruby}
Vagrant.configure("2") do |config| Vagrant.configure("2") do |config|
BOX_NAME = "ubuntu/jammy64" BOX_NAME = "ubuntu/jammy64"
@ -342,7 +335,7 @@ end
\begin{code} \begin{code}
\captionof{listing}{sandbox/docker-compose.yml} \captionof{listing}{sandbox/docker-compose.yml}
\label{code:sandbox:docker} \label{code:sandbox:docker}
\begin{minted}[breaklines]{yaml} \begin{minted}[breaklines,fontsize=\footnotesize]{yaml}
services: services:
vaultwarden: vaultwarden:
image: vaultwarden/server:latest image: vaultwarden/server:latest
@ -429,7 +422,7 @@ networks:
\begin{code} \begin{code}
\captionof{listing}{sandbox/playbook.yml} \captionof{listing}{sandbox/playbook.yml}
\label{code:sandbox:ansible} \label{code:sandbox:ansible}
\begin{minted}[breaklines]{yaml} \begin{minted}[breaklines,fontsize=\footnotesize]{yaml}
--- ---
- hosts: all - hosts: all
become: true become: true
@ -596,7 +589,7 @@ networks:
\begin{code} \begin{code}
\captionof{listing}{sandbox/nginx.conf} \captionof{listing}{sandbox/nginx.conf}
\label{code:sandbox:nginx} \label{code:sandbox:nginx}
\begin{minted}[breaklines]{text} \begin{minted}[breaklines,fontsize=\footnotesize]{text}
server { server {
listen 443 ssl; listen 443 ssl;
server_name gitea.vm.local; server_name gitea.vm.local;
@ -636,7 +629,7 @@ server {
\begin{code} \begin{code}
\captionof{listing}{client/playbook.yml} \captionof{listing}{client/playbook.yml}
\label{code:client:ansible} \label{code:client:ansible}
\begin{minted}[breaklines]{yaml} \begin{minted}[breaklines,fontsize=\footnotesize]{yaml}
--- ---
- hosts: all - hosts: all
become: true become: true
@ -679,36 +672,39 @@ server {
\chapter{Test Results}\label{appendix_results} \chapter{Test Results}\label{appendix_results}
\section{Command Outputs}\label{appendix_logs} \section{Command Outputs}\label{appendix_logs}
All commands shown in the following section are either bash commands, or metasploit commands\footnote{Metasploit commands are entered into the metasploit console after starting it using the command \texttt{msfconsole}}, if not indicated otherwise. As metasploit commands usually consist of multiple configuration options, the listing itself often contains further commands, which are indicated by the default greater-than symbol.
\begin{code} \begin{code}
\captionof{listing}{\texttt{echo "Hello, World!"}} \captionof{listing}{\texttt{echo "Hello, World!"}}
\label{log:empty} \label{log:empty}
\begin{minted}[breaklines]{text} \begin{minted}[breaklines,fontsize=\footnotesize]{text}
Hello, World! Hello, World!
\end{minted} \end{minted}
\end{code} \end{code}
\begin{code} \begin{code}
\captionof{listing}{\texttt{sudo nmap -sS -p1-65535 192.168.56.10}} \captionof{listing}{\texttt{nmap -sS 192.168.56.10} on the base system (client)}
\label{log:base:nmap_sS} \label{log:base:nmap_sS}
\begin{minted}[breaklines]{text} \begin{minted}[breaklines,fontsize=\footnotesize]{shell}
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-19 08:09 EDT Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-17 12:10 EDT
Nmap scan report for gitea.vm.local (192.168.56.10) Nmap scan report for gitea.vm.local (192.168.56.10)
Host is up (0.00015s latency). Host is up (0.00011s latency).
Not shown: 65532 closed tcp ports (reset) Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE PORT STATE SERVICE
22/tcp open ssh 22/tcp open ssh
80/tcp open http 80/tcp open http
443/tcp open https 443/tcp open https
MAC Address: 08:00:27:14:E1:B8 (PCS Systemtechnik/Oracle VirtualBox virtual NIC) 2222/tcp open EtherNetIP-1
MAC Address: 08:00:27:D6:26:3F (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 1.38 seconds Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
\end{minted} \end{minted}
\end{code} \end{code}
\begin{code} \begin{code}
\captionof{listing}{\texttt{curl -kI 192.168.56.10}} \captionof{listing}{\texttt{curl -kI 192.168.56.10} on the base system (client)}
\label{log:base:curl_I} \label{log:base:curl_I}
\begin{minted}[breaklines]{text} \begin{minted}[breaklines,fontsize=\footnotesize]{shell}
HTTP/1.1 301 Moved Permanently HTTP/1.1 301 Moved Permanently
Server: nginx/1.27.4 Server: nginx/1.27.4
Date: Sat, 19 Apr 2025 11:21:48 GMT Date: Sat, 19 Apr 2025 11:21:48 GMT
@ -720,9 +716,9 @@ Location: https://192.168.56.10/
\end{code} \end{code}
\begin{code} \begin{code}
\captionof{listing}{\texttt{curl -kIL bitwarden.vm.local}} \captionof{listing}{\texttt{curl -kIL bitwarden.vm.local} on the base system (client)}
\label{log:base:curl_IL_bitwarden} \label{log:base:curl_IL_bitwarden}
\begin{minted}[breaklines]{http} \begin{minted}[breaklines,fontsize=\footnotesize]{shell}
HTTP/1.1 301 Moved Permanently HTTP/1.1 301 Moved Permanently
Server: nginx/1.27.4 Server: nginx/1.27.4
Date: Sat, 19 Apr 2025 11:27:44 GMT Date: Sat, 19 Apr 2025 11:27:44 GMT
@ -749,17 +745,17 @@ cache-control: no-cache, no-store, max-age=0
\end{code} \end{code}
\begin{code} \begin{code}
\captionof{listing}{\texttt{curl -kL bitwarden.vm.local}} \captionof{listing}{\texttt{curl -kL bitwarden.vm.local} on the base system (client)}
\label{log:base:curl_L_bitwarden} \label{log:base:curl_L_bitwarden}
\begin{minted}[breaklines]{html} \begin{minted}[breaklines,fontsize=\footnotesize]{html}
<!doctype html><html class="theme_light"><head><meta charset="utf-8"/><meta name="viewport" content="width=1010"/><meta name="theme-color" content="#175DDC"/><title page-title>Vaultwarden Web</title><link rel="apple-touch-icon" sizes="180x180" href="images/apple-touch-icon.png"/><link rel="icon" type="image/png" sizes="32x32" href="images/favicon-32x32.png"/><link rel="icon" type="image/png" sizes="16x16" href="images/favicon-16x16.png"/><link rel="mask-icon" href="images/safari-pinned-tab.svg" color="#175DDC"/><link rel="manifest" href="cca56971e438d22818d6.json"/><link rel="stylesheet" href="css/vaultwarden.css"/><script defer="defer" src="theme_head.4cb181fc19f2a308ba73.js"></script><link href="styles.210448eea764e08cd3db.css" rel="stylesheet"></head><body class="layout_frontend"><app-root><div class="tw-p-8 tw-flex"><img class="new-logo-themed" alt="Vaultwarden"/><div class="spinner-container tw-justify-center"><i class="bwi bwi-spinner bwi-spin bwi-3x tw-text-muted" title="Loading" aria-hidden="true"></i></div></div></app-root><script defer="defer" src="app/polyfills.c5a5bb8e63f572e1aad3.js"></script><script defer="defer" src="app/vendor.a472624478da807c2f59.js"></script><script defer="defer" src="app/main.d867124a6761f6de6826.js"></script><script defer="defer" src="styles.31d6cfe0d16ae931b73c.js"></script></body></html> <!doctype html><html class="theme_light"><head><meta charset="utf-8"/><meta name="viewport" content="width=1010"/><meta name="theme-color" content="#175DDC"/><title page-title>Vaultwarden Web</title><link rel="apple-touch-icon" sizes="180x180" href="images/apple-touch-icon.png"/><link rel="icon" type="image/png" sizes="32x32" href="images/favicon-32x32.png"/><link rel="icon" type="image/png" sizes="16x16" href="images/favicon-16x16.png"/><link rel="mask-icon" href="images/safari-pinned-tab.svg" color="#175DDC"/><link rel="manifest" href="cca56971e438d22818d6.json"/><link rel="stylesheet" href="css/vaultwarden.css"/><script defer="defer" src="theme_head.4cb181fc19f2a308ba73.js"></script><link href="styles.210448eea764e08cd3db.css" rel="stylesheet"></head><body class="layout_frontend"><app-root><div class="tw-p-8 tw-flex"><img class="new-logo-themed" alt="Vaultwarden"/><div class="spinner-container tw-justify-center"><i class="bwi bwi-spinner bwi-spin bwi-3x tw-text-muted" title="Loading" aria-hidden="true"></i></div></div></app-root><script defer="defer" src="app/polyfills.c5a5bb8e63f572e1aad3.js"></script><script defer="defer" src="app/vendor.a472624478da807c2f59.js"></script><script defer="defer" src="app/main.d867124a6761f6de6826.js"></script><script defer="defer" src="styles.31d6cfe0d16ae931b73c.js"></script></body></html>
\end{minted} \end{minted}
\end{code} \end{code}
\begin{code} \begin{code}
\captionof{listing}{\texttt{curl -kIL gitea.vm.local}} \captionof{listing}{\texttt{curl -kIL gitea.vm.local} on the base system (client)}
\label{log:base:curl_IL_gitea} \label{log:base:curl_IL_gitea}
\begin{minted}[breaklines]{http} \begin{minted}[breaklines,fontsize=\footnotesize]{shell}
HTTP/1.1 301 Moved Permanently HTTP/1.1 301 Moved Permanently
Server: nginx/1.27.4 Server: nginx/1.27.4
Date: Sat, 19 Apr 2025 11:35:10 GMT Date: Sat, 19 Apr 2025 11:35:10 GMT
@ -776,19 +772,16 @@ Connection: keep-alive
\end{code} \end{code}
\begin{code} \begin{code}
\captionof{listing}{\texttt{curl -kL gitea.vm.local}; empty lines and some section omitted for brevity} \captionof{listing}{\texttt{curl -kL gitea.vm.local} on the base system (client); empty lines and repeating section omitted for brevity, shown with an elipsis instead}
\label{log:base:curl_L_gitea} \label{log:base:curl_L_gitea}
\begin{minted}[breaklines,obeytabs=true,tabsize=2,breakanywhere]{html} \begin{minted}[breaklines,obeytabs=true,tabsize=2,breakanywhere,fontsize=\footnotesize]{html}
<!DOCTYPE html> <!DOCTYPE html>
<html lang="en-US" data-theme="gitea-auto"> <html lang="en-US" data-theme="gitea-auto">
<head> <head>
<meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="viewport" content="width=device-width, initial-scale=1">
<title>Gitea: Git with a cup of tea</title> <title>Gitea: Git with a cup of tea</title>
<link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG9mIHRlYSIsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic3RhcnRfdXJsIjoiaHR0cDovL2xvY2FsaG9zdDozMDAwLyIsImljb25zIjpbeyJzcmMiOiJodHRwOi8vbG9jYWxob3N0OjMwMDAvYXNzZXRzL2ltZy9sb2dvLnBuZyIsInR5cGUiOiJpbWFnZS9wbmciLCJzaXplcyI6IjUxMng1MTIifSx7InNyYyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MzAwMC9hc3NldHMvaW1nL2xvZ28uc3ZnIiwidHlwZSI6ImltYWdlL3N2Zyt4bWwiLCJzaXplcyI6IjUxMng1MTIifV19"> <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG9mIHRlYSIsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic3RhcnRfdXJsIjoiaHR0cDovL2xvY2FsaG9zdDozMDAwLyIsImljb25zIjpbeyJzcmMiOiJodHRwOi8vbG9jYWxob3N0OjMwMDAvYXNzZXRzL2ltZy9sb2dvLnBuZyIsInR5cGUiOiJpbWFnZS9wbmciLCJzaXplcyI6IjUxMng1MTIifSx7InNyYyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MzAwMC9hc3NldHMvaW1nL2xvZ28uc3ZnIiwidHlwZSI6ImltYWdlL3N2Zyt4bWwiLCJzaXplcyI6IjUxMng1MTIifV19">
<meta name="author" content="Gitea - Git with a cup of tea"> ... meta tags ...
<meta name="description" content="Gitea (Git with a cup of tea) is a painless self-hosted Git service written in Go">
<meta name="keywords" content="go,git,self-hosted,gitea">
<meta name="referrer" content="no-referrer">
<link rel="icon" href="/assets/img/favicon.svg" type="image/svg+xml"> <link rel="icon" href="/assets/img/favicon.svg" type="image/svg+xml">
<link rel="alternate icon" href="/assets/img/favicon.png" type="image/png"> <link rel="alternate icon" href="/assets/img/favicon.png" type="image/png">
<script> <script>
@ -800,8 +793,8 @@ Connection: keep-alive
assetVersionEncoded: encodeURIComponent('1.23.7'), assetVersionEncoded: encodeURIComponent('1.23.7'),
assetUrlPrefix: '\/assets', assetUrlPrefix: '\/assets',
runModeIsProd: true , runModeIsProd: true ,
customEmojis: {"codeberg":":codeberg:","git":":git:","gitea":":gitea:","github":":github:","gitlab":":gitlab:","gogs":":gogs:"}, customEmojis: {...},
csrfToken: 'THIb1Sld2E0x3ATc2YnDIH_HXIc6MTc0NTA2MzY0NzU2NzQzMzUyNA', csrfToken: '...',
pageData: {}, pageData: {},
notificationSettings: {"EventSourceUpdateTime":10000,"MaxTimeout":60000,"MinTimeout":10000,"TimeoutStep":10000}, notificationSettings: {"EventSourceUpdateTime":10000,"MaxTimeout":60000,"MinTimeout":10000,"TimeoutStep":10000},
enableTimeTracking: true , enableTimeTracking: true ,
@ -930,21 +923,728 @@ Connection: keep-alive
\end{minted} \end{minted}
\end{code} \end{code}
%\begin{code} \begin{code}
%\captionof{listing}{\texttt{metasplout}\footnote{Metasploit commands are entered into the metasploit console after starting it using the command \texttt{msfconsole}}} \captionof{listing}{\texttt{msf6 > use auxiliary/scanner/ssh/ssh\_login} on the base system (client)}
%\label{log:base:metasploit:test} \label{log:base:metasploit:ssh_login}
%\begin{minted}[breaklines]{text} \begin{minted}[breaklines,fontsize=\footnotesize]{shell}
%Hello, World! msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.56.10
%\end{minted} msf6 auxiliary(scanner/ssh/ssh_login) > set rport 2222
%\end{code} msf6 auxiliary(scanner/ssh/ssh_login) > set username root
% msf6 auxiliary(scanner/ssh/ssh_login) > set password root
msf6 auxiliary(scanner/ssh/ssh_login) > exploit
[*] 192.168.56.10:2222 - Starting bruteforce
[+] 192.168.56.10:2222 - Success: 'root:root' 'uid=0(root) gid=0(root) groups=0(root) Linux 0e6d64e04e9d 5.15.0-136-generic #147-Ubuntu SMP Sat Mar 15 15:53:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux '
[*] SSH session 1 opened (192.168.56.28:34687 -> 192.168.56.10:2222) at 2025-05-12 13:47:23 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_login) > sessions -i 1
\end{minted}
\end{code}
\begin{code}
\captionof{listing}{\texttt{dig gitea} on the base system (vulnerable container via ssh)}
\label{log:base:vuln:dig_gitea}
\begin{minted}[breaklines,fontsize=\footnotesize]{shell}
; <<>> DiG 9.18.30-0ubuntu0.22.04.2-Ubuntu <<>> gitea
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35068
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;gitea. IN A
;; ANSWER SECTION:
gitea. 600 IN A 172.18.0.4
;; Query time: 0 msec
;; SERVER: 127.0.0.11#53(127.0.0.11) (UDP)
;; WHEN: Mon May 12 18:14:57 UTC 2025
;; MSG SIZE rcvd: 44
\end{minted}
\end{code}
\begin{code}
\captionof{listing}{\texttt{dig bitwarden} on the base system (vulnerable container via ssh)}
\label{log:base:vuln:dig_bitwarden}
\begin{minted}[breaklines,fontsize=\footnotesize]{shell}
; <<>> DiG 9.18.30-0ubuntu0.22.04.2-Ubuntu <<>> bitwarden
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12038
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;bitwarden. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.11#53(127.0.0.11) (UDP)
;; WHEN: Mon May 12 18:15:05 UTC 2025
;; MSG SIZE rcvd: 27
\end{minted}
\end{code}
\begin{code}
\captionof{listing}{\texttt{dig vaultwarden} on the base system (vulnerable container via ssh)}
\label{log:base:vuln:dig_vaultwarden}
\begin{minted}[breaklines,fontsize=\footnotesize]{shell}
; <<>> DiG 9.18.30-0ubuntu0.22.04.2-Ubuntu <<>> vaultwarden
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21853
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;vaultwarden. IN A
;; ANSWER SECTION:
vaultwarden. 600 IN A 172.18.0.2
;; Query time: 0 msec
;; SERVER: 127.0.0.11#53(127.0.0.11) (UDP)
;; WHEN: Mon May 12 18:27:21 UTC 2025
;; MSG SIZE rcvd: 56
\end{minted}
\end{code}
\begin{code}
\captionof{listing}{\texttt{nmap -sS 172.18.0.0/16} on the base system (vulnerable container via ssh)}
\label{log:base:vuln:nmap}
\begin{minted}[breaklines,fontsize=\footnotesize]{shell}
Starting Nmap 7.80 ( https://nmap.org ) at 2025-05-17 16:31 UTC
Nmap scan report for sandbox (172.18.0.1)
Host is up (0.0000050s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
2222/tcp open EtherNetIP-1
MAC Address: FA:B1:5A:9D:C7:A5 (Unknown)
Nmap scan report for vaultwarden.vagrant_nginx (172.18.0.2)
Host is up (0.0000050s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
80/tcp open http
MAC Address: BE:9D:68:8A:B6:B6 (Unknown)
Nmap scan report for nginx.vagrant_nginx (172.18.0.3)
Host is up (0.0000050s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
MAC Address: D6:71:74:1E:27:A2 (Unknown)
Nmap scan report for gitea.vagrant_nginx (172.18.0.5)
Host is up (0.0000050s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
3000/tcp open ppp
MAC Address: 9A:E8:19:FC:FF:25 (Unknown)
\end{minted}
\end{code}
\begin{code}
\captionof{listing}{\texttt{nmap -sS 172.18.0.0/16} on the hybrid system (vulnerable container via ssh)}
\label{log:hybrid:vuln:nmap}
\begin{minted}[breaklines,fontsize=\footnotesize]{shell}
Starting Nmap 7.80 ( https://nmap.org ) at 2025-05-18 13:11 UTC
Nmap scan report for postgres (172.18.0.1)
Host is up (0.000012s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
2222/tcp open EtherNetIP-1
5432/tcp open postgresql
MAC Address: 26:54:2A:8A:53:02 (Unknown)
Nmap scan report for nginx.vagrant_internal (172.18.0.2)
Host is up (0.000012s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
MAC Address: CE:E7:60:35:0E:C1 (Unknown)
Nmap scan report for gitea.vagrant_internal (172.18.0.4)
Host is up (0.000012s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
3000/tcp open ppp
MAC Address: 7E:05:23:CA:55:6D (Unknown)
Nmap scan report for vaultwarden.vagrant_internal (172.18.0.5)
Host is up (0.000012s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
80/tcp open http
MAC Address: 12:EB:C9:6D:07:4B (Unknown)
\end{minted}
\end{code}
\begin{code}
\captionof{listing}{Establishing a port forward from a metasploit session; shown on the hybrid system (client), functionaly independent of system}
\label{log:hybrid:meterpreter:fwd}
\begin{minted}[breaklines,fontsize=\footnotesize]{shell}
msf6 > sessions -u 1
msf6 > sessions -i 2
meterpreter > portfwd add -l 5432 -p 5432 -r 172.18.0.1
[*] Forward TCP relay created: (local) :5432 -> (remote) 172.18.0.1:5432
\end{minted}
\end{code}
\begin{code}
\captionof{listing}{metasploit auxiliary/scanner/postgres/postgres\_version modules; shown on the hybrid system (client)}
\label{log:hybrid:portfwd:postgres_version}
\begin{minted}[breaklines,fontsize=\footnotesize]{shell}
msf6 auxiliary(server/capture/postgresql) > use auxiliary/scanner/postgres/postgres_version
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 auxiliary(scanner/postgres/postgres_version) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf6 auxiliary(scanner/postgres/postgres_version) > run
[*] 127.0.0.1:5432 Postgres - Version Unknown (Pre-Auth)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
\end{minted}
\end{code}
\begin{code}
\captionof{listing}{metasploit auxiliary/scanner/postgres/postgres\_version modules; shown on the hybrid system (client)}
\label{log:hybrid:portfwd:postgres_bruteforce}
\begin{minted}[breaklines,fontsize=\footnotesize]{shell}
msf6 auxiliary(scanner/postgres/postgres_login) > use auxiliary/scanner/postgres/postgres_login
[*] New in Metasploit 6.4 - The CreateSession option within this module can open an interactive session
msf6 auxiliary(scanner/postgres/postgres_login) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf6 auxiliary(scanner/postgres/postgres_login) > set BLANK_PASSWORDS true
BLANK_PASSWORDS => true
msf6 auxiliary(scanner/postgres/postgres_login) > run
[!] No active DB -- Credential data will not be saved!
[-] 127.0.0.1:5432 - LOGIN FAILED: :@template1 (Incorrect: FATAL VFATAL C28000 Mno PostgreSQL user name specified in startup packet Fpostmaster.c L2273 RProcessStartupPacket)
[-] 127.0.0.1:5432 - LOGIN FAILED: :@template1 (Incorrect: FATAL VFATAL C28000 Mno PostgreSQL user name specified in startup packet Fpostmaster.c L2273 RProcessStartupPacket)
[-] 127.0.0.1:5432 - LOGIN FAILED: :tiger@template1 (Incorrect: FATAL VFATAL C28000 Mno PostgreSQL user name specified in startup packet Fpostmaster.c L2273 RProcessStartupPacket)
[-] 127.0.0.1:5432 - LOGIN FAILED: :postgres@template1 (Incorrect: FATAL VFATAL C28000 Mno PostgreSQL user name specified in startup packet Fpostmaster.c L2273 RProcessStartupPacket)
[-] 127.0.0.1:5432 - LOGIN FAILED: :password@template1 (Incorrect: FATAL VFATAL C28000 Mno PostgreSQL user name specified in startup packet Fpostmaster.c L2273 RProcessStartupPacket)
[-] 127.0.0.1:5432 - LOGIN FAILED: :admin@template1 (Incorrect: FATAL VFATAL C28000 Mno PostgreSQL user name specified in startup packet Fpostmaster.c L2273 RProcessStartupPacket)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "postgres" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "postgres" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:tiger@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "postgres" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:postgres@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "postgres" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:password@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "postgres" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:admin@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "postgres" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: scott:@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "scott" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: scott:@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "scott" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: scott:tiger@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "scott" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: scott:postgres@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "scott" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: scott:password@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "scott" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: scott:admin@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "scott" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: admin:@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "admin" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: admin:@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "admin" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: admin:tiger@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "admin" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: admin:postgres@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "admin" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: admin:password@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "admin" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: admin:admin@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "admin" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:postgres@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "postgres" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:password@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "postgres" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: postgres:admin@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "postgres" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: admin:admin@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "admin" Fauth.c L335 Rauth_failed)
[-] 127.0.0.1:5432 - LOGIN FAILED: admin:password@template1 (Incorrect: FATAL VFATAL C28P01 Mpassword authentication failed for user "admin" Fauth.c L335 Rauth_failed)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Bruteforce completed, 0 credentials were successful.
[*] You can open a Postgres session with these credentials and CreateSession set to true
[*] Auxiliary module execution completed
\end{minted}
\end{code}
\begin{code}
\captionof{listing}{\texttt{metasploit}}
\label{log:base:metasploit:test}
\begin{minted}[breaklines,fontsize=\footnotesize]{text}
Hello, World!
\end{minted}
\end{code}
%\begin{code} %\begin{code}
%\captionof{listing}{\texttt{metasplou123t}\footnote{Metasploit commands are entered into the metasploit console after starting it using the command \texttt{msfconsole}}} %\captionof{listing}{\texttt{metasplou123t}\footnote{Metasploit commands are entered into the metasploit console after starting it using the command \texttt{msfconsole}}}
%\label{log:base:metasploit:test2} %\label{log:base:metasploit:test2}
%\begin{minted}[breaklines]{text} %\begin{minted}[breaklines,fontsize=\footnotesize]{text}
%Hello, World! %Hello, World!
%\end{minted} %\end{minted}
%\end{code} %\end{code}
\section{Docker Bench Results}\label{appendix_docker_bench}
Docker Bench for Security is a tool based in the CIS Docker benchmark\footnote{\url{https://www.cisecurity.org/benchmark/docker}}. Docker Bench generates a \texttt{.log} file and a \texttt{.log.json} file; only the raw log files have been included, as they show the same data in a more compact format.
\begin{code}
\captionof{listing}{Base configuration}
\label{docker_bench:base}
\begin{minted}[breaklines,tabsize=2,breakanywhere,fontsize=\footnotesize]{text}
Initializing 2025-05-18T11:42:35+00:00
Section A - Check results[0m
[INFO][0m 1 - Host Configuration
[INFO][0m 1.1 - Linux Hosts Specific Configuration
[WARN][0m 1.1.1 - Ensure a separate partition for containers has been created (Automated)
[INFO][0m 1.1.2 - Ensure only trusted users are allowed to control Docker daemon (Automated)
[INFO][0m * Users: vagrant,git
[WARN][0m 1.1.3 - Ensure auditing is configured for the Docker daemon (Automated)
[WARN][0m 1.1.4 - Ensure auditing is configured for Docker files and directories -/run/containerd (Automated)
[WARN][0m 1.1.5 - Ensure auditing is configured for Docker files and directories - /var/lib/docker (Automated)
[WARN][0m 1.1.6 - Ensure auditing is configured for Docker files and directories - /etc/docker (Automated)
[WARN][0m 1.1.7 - Ensure auditing is configured for Docker files and directories - docker.service (Automated)
[WARN][0m 1.1.8 - Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)
[WARN][0m 1.1.9 - Ensure auditing is configured for Docker files and directories - docker.socket (Automated)
[WARN][0m 1.1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker (Automated)
[INFO][0m 1.1.11 - Ensure auditing is configured for Dockerfiles and directories - /etc/docker/daemon.json (Automated)
[INFO][0m * File not found
[WARN][0m 1.1.12 - 1.1.12 Ensure auditing is configured for Dockerfiles and directories - /etc/containerd/config.toml (Automated)
[INFO][0m 1.1.13 - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Automated)
[INFO][0m * File not found
[WARN][0m 1.1.14 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Automated)
[WARN][0m 1.1.15 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim (Automated)
[WARN][0m 1.1.16 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v1 (Automated)
[WARN][0m 1.1.17 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v2 (Automated)
[WARN][0m 1.1.18 - Ensure auditing is configured for Docker files and directories - /usr/bin/runc (Automated)
[INFO][0m 1.2 - General Configuration
[NOTE][0m 1.2.1 - Ensure the container host has been Hardened (Manual)
[PASS][0m 1.2.2 - Ensure that the version of Docker is up to date (Manual)
[INFO][0m * Using 28.1.1 which is current
[INFO][0m * Check with your operating system vendor for support and security maintenance for Docker
[INFO][0m 2 - Docker daemon configuration
[NOTE][0m 2.1 - Run the Docker daemon as a non-root user, if possible (Manual)
[WARN][0m 2.2 - Ensure network traffic is restricted between containers on the default bridge (Scored)
[PASS][0m 2.3 - Ensure the logging level is set to 'info' (Scored)
[PASS][0m 2.4 - Ensure Docker is allowed to make changes to iptables (Scored)
[PASS][0m 2.5 - Ensure insecure registries are not used (Scored)
[PASS][0m 2.6 - Ensure aufs storage driver is not used (Scored)
[INFO][0m 2.7 - Ensure TLS authentication for Docker daemon is configured (Scored)
[INFO][0m * Docker daemon not listening on TCP
[INFO][0m 2.8 - Ensure the default ulimit is configured appropriately (Manual)
[INFO][0m * Default ulimit doesn't appear to be set
[WARN][0m 2.9 - Enable user namespace support (Scored)
[PASS][0m 2.10 - Ensure the default cgroup usage has been confirmed (Scored)
[PASS][0m 2.11 - Ensure base device size is not changed until needed (Scored)
[WARN][0m 2.12 - Ensure that authorization for Docker client commands is enabled (Scored)
[WARN][0m 2.13 - Ensure centralized and remote logging is configured (Scored)
[WARN][0m 2.14 - Ensure containers are restricted from acquiring new privileges (Scored)
[WARN][0m 2.15 - Ensure live restore is enabled (Scored)
[WARN][0m 2.16 - Ensure Userland Proxy is Disabled (Scored)
[INFO][0m 2.17 - Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Manual)
[INFO][0m Ensure that experimental features are not implemented in production (Scored) (Deprecated)
[INFO][0m 3 - Docker daemon configuration files
[PASS][0m 3.1 - Ensure that the docker.service file ownership is set to root:root (Automated)
[PASS][0m 3.2 - Ensure that docker.service file permissions are appropriately set (Automated)
[PASS][0m 3.3 - Ensure that docker.socket file ownership is set to root:root (Automated)
[PASS][0m 3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive (Automated)
[PASS][0m 3.5 - Ensure that the /etc/docker directory ownership is set to root:root (Automated)
[PASS][0m 3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictively (Automated)
[INFO][0m 3.7 - Ensure that registry certificate file ownership is set to root:root (Automated)
[INFO][0m * Directory not found
[INFO][0m 3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictively (Automated)
[INFO][0m * Directory not found
[INFO][0m 3.9 - Ensure that TLS CA certificate file ownership is set to root:root (Automated)
[INFO][0m * No TLS CA certificate found
[INFO][0m 3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictively (Automated)
[INFO][0m * No TLS CA certificate found
[INFO][0m 3.11 - Ensure that Docker server certificate file ownership is set to root:root (Automated)
[INFO][0m * No TLS Server certificate found
[INFO][0m 3.12 - Ensure that the Docker server certificate file permissions are set to 444 or more restrictively (Automated)
[INFO][0m * No TLS Server certificate found
[INFO][0m 3.13 - Ensure that the Docker server certificate key file ownership is set to root:root (Automated)
[INFO][0m * No TLS Key found
[INFO][0m 3.14 - Ensure that the Docker server certificate key file permissions are set to 400 (Automated)
[INFO][0m * No TLS Key found
[PASS][0m 3.15 - Ensure that the Docker socket file ownership is set to root:docker (Automated)
[PASS][0m 3.16 - Ensure that the Docker socket file permissions are set to 660 or more restrictively (Automated)
[INFO][0m 3.17 - Ensure that the daemon.json file ownership is set to root:root (Automated)
[INFO][0m * File not found
[INFO][0m 3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive (Automated)
[INFO][0m * File not found
[PASS][0m 3.19 - Ensure that the /etc/default/docker file ownership is set to root:root (Automated)
[PASS][0m 3.20 - Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively (Automated)
[INFO][0m 3.21 - Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (Automated)
[INFO][0m * File not found
[INFO][0m 3.22 - Ensure that the /etc/sysconfig/docker file ownership is set to root:root (Automated)
[INFO][0m * File not found
[PASS][0m 3.23 - Ensure that the Containerd socket file ownership is set to root:root (Automated)
[PASS][0m 3.24 - Ensure that the Containerd socket file permissions are set to 660 or more restrictively (Automated)
[INFO][0m 4 - Container Images and Build File
[WARN][0m 4.1 - Ensure that a user for the container has been created (Automated)
[WARN][0m * Running as root: vaultwarden-db
[WARN][0m * Running as root: nginx
[WARN][0m * Running as root: vaultwarden
[WARN][0m * Running as root: vagrant-vulnerable-1
[WARN][0m * Running as root: gitea-db
[WARN][0m * Running as root: gitea
[NOTE][0m 4.2 - Ensure that containers use only trusted base images (Manual)
[NOTE][0m 4.3 - Ensure that unnecessary packages are not installed in the container (Manual)
[NOTE][0m 4.4 - Ensure images are scanned and rebuilt to include security patches (Manual)
[WARN][0m 4.5 - Ensure Content trust for Docker is Enabled (Automated)
[WARN][0m 4.6 - Ensure that HEALTHCHECK instructions have been added to container images (Automated)
[WARN][0m * No Healthcheck found: [vagrant-vulnerable:latest]
[WARN][0m * No Healthcheck found: [docker.gitea.com/gitea:latest]
[WARN][0m * No Healthcheck found: [postgres:latest]
[WARN][0m * No Healthcheck found: [nginx:latest]
[INFO][0m 4.7 - Ensure update instructions are not used alone in the Dockerfile (Manual)
[INFO][0m * Update instruction found: [vagrant-vulnerable:latest]
[INFO][0m * Update instruction found: [postgres:latest]
[NOTE][0m 4.8 - Ensure setuid and setgid permissions are removed (Manual)
[INFO][0m 4.9 - Ensure that COPY is used instead of ADD in Dockerfiles (Manual)
[INFO][0m * ADD in image history: [vagrant-vulnerable:latest]
[INFO][0m * ADD in image history: [vaultwarden/server:latest]
[NOTE][0m 4.10 - Ensure secrets are not stored in Dockerfiles (Manual)
[NOTE][0m 4.11 - Ensure only verified packages are installed (Manual)
[NOTE][0m 4.12 - Ensure all signed artifacts are validated (Manual)
[INFO][0m 5 - Container Runtime
[PASS][0m 5.1 - Ensure swarm mode is not Enabled, if not needed (Automated)
[PASS][0m 5.2 - Ensure that, if applicable, an AppArmor Profile is enabled (Automated)
[WARN][0m 5.3 - Ensure that, if applicable, SELinux security options are set (Automated)
[WARN][0m * No SecurityOptions Found: vaultwarden-db
[WARN][0m * No SecurityOptions Found: nginx
[WARN][0m * No SecurityOptions Found: vaultwarden
[WARN][0m * No SecurityOptions Found: vagrant-vulnerable-1
[WARN][0m * No SecurityOptions Found: gitea-db
[WARN][0m * No SecurityOptions Found: gitea
[PASS][0m 5.4 - Ensure that Linux kernel capabilities are restricted within containers (Automated)
[PASS][0m 5.5 - Ensure that privileged containers are not used (Automated)
[PASS][0m 5.6 - Ensure sensitive host system directories are not mounted on containers (Automated)
[WARN][0m 5.7 - Ensure sshd is not run within containers (Automated)
[WARN][0m * Container running sshd: vagrant-vulnerable-1
[WARN][0m * Container running sshd: gitea
[WARN][0m 5.8 - Ensure privileged ports are not mapped within containers (Automated)
[WARN][0m * Privileged Port in use: 80 in nginx
[WARN][0m * Privileged Port in use: 443 in nginx
[WARN][0m 5.9 - Ensure that only needed ports are open on the container (Manual)
[WARN][0m * Port in use: 80 in nginx
[WARN][0m * Port in use: 443 in nginx
[WARN][0m * Port in use: 2222 in vagrant-vulnerable-1
[PASS][0m 5.10 - Ensure that the host's network namespace is not shared (Automated)
[WARN][0m 5.11 - Ensure that the memory usage for containers is limited (Automated)
[WARN][0m * Container running without memory restrictions: vaultwarden-db
[WARN][0m * Container running without memory restrictions: nginx
[WARN][0m * Container running without memory restrictions: vaultwarden
[WARN][0m * Container running without memory restrictions: vagrant-vulnerable-1
[WARN][0m * Container running without memory restrictions: gitea-db
[WARN][0m * Container running without memory restrictions: gitea
[WARN][0m 5.12 - Ensure that CPU priority is set appropriately on containers (Automated)
[WARN][0m * Container running without CPU restrictions: vaultwarden-db
[WARN][0m * Container running without CPU restrictions: nginx
[WARN][0m * Container running without CPU restrictions: vaultwarden
[WARN][0m * Container running without CPU restrictions: vagrant-vulnerable-1
[WARN][0m * Container running without CPU restrictions: gitea-db
[WARN][0m * Container running without CPU restrictions: gitea
[WARN][0m 5.13 - Ensure that the container's root filesystem is mounted as read only (Automated)
[WARN][0m * Container running with root FS mounted R/W: vaultwarden-db
[WARN][0m * Container running with root FS mounted R/W: nginx
[WARN][0m * Container running with root FS mounted R/W: vaultwarden
[WARN][0m * Container running with root FS mounted R/W: vagrant-vulnerable-1
[WARN][0m * Container running with root FS mounted R/W: gitea-db
[WARN][0m * Container running with root FS mounted R/W: gitea
[WARN][0m 5.14 - Ensure that incoming container traffic is bound to a specific host interface (Automated)
[WARN][0m * Port being bound to wildcard IP: 0.0.0.0 in nginx
[WARN][0m * Port being bound to wildcard IP: 0.0.0.0 in nginx
[WARN][0m * Port being bound to wildcard IP: 0.0.0.0 in vagrant-vulnerable-1
[PASS][0m 5.15 - Ensure that the 'on-failure' container restart policy is set to '5' (Automated)
[PASS][0m 5.16 - Ensure that the host's process namespace is not shared (Automated)
[PASS][0m 5.17 - Ensure that the host's IPC namespace is not shared (Automated)
[PASS][0m 5.18 - Ensure that host devices are not directly exposed to containers (Manual)
[INFO][0m 5.19 - Ensure that the default ulimit is overwritten at runtime if needed (Manual)
[INFO][0m * Container no default ulimit override: vaultwarden-db
[INFO][0m * Container no default ulimit override: nginx
[INFO][0m * Container no default ulimit override: vaultwarden
[INFO][0m * Container no default ulimit override: vagrant-vulnerable-1
[INFO][0m * Container no default ulimit override: gitea-db
[INFO][0m * Container no default ulimit override: gitea
[PASS][0m 5.20 - Ensure mount propagation mode is not set to shared (Automated)
[PASS][0m 5.21 - Ensure that the host's UTS namespace is not shared (Automated)
[PASS][0m 5.22 - Ensure the default seccomp profile is not Disabled (Automated)
[NOTE][0m 5.23 - Ensure that docker exec commands are not used with the privileged option (Automated)
[NOTE][0m 5.24 - Ensure that docker exec commands are not used with the user=root option (Manual)
[PASS][0m 5.25 - Ensure that cgroup usage is confirmed (Automated)
[WARN][0m 5.26 - Ensure that the container is restricted from acquiring additional privileges (Automated)
[WARN][0m * Privileges not restricted: vaultwarden-db
[WARN][0m * Privileges not restricted: nginx
[WARN][0m * Privileges not restricted: vaultwarden
[WARN][0m * Privileges not restricted: vagrant-vulnerable-1
[WARN][0m * Privileges not restricted: gitea-db
[WARN][0m * Privileges not restricted: gitea
[WARN][0m 5.27 - Ensure that container health is checked at runtime (Automated)
[WARN][0m * Health check not set: vaultwarden-db
[WARN][0m * Health check not set: nginx
[WARN][0m * Health check not set: vagrant-vulnerable-1
[WARN][0m * Health check not set: gitea-db
[WARN][0m * Health check not set: gitea
[INFO][0m 5.28 - Ensure that Docker commands always make use of the latest version of their image (Manual)
[WARN][0m 5.29 - Ensure that the PIDs cgroup limit is used (Automated)
[WARN][0m * PIDs limit not set: vaultwarden-db
[WARN][0m * PIDs limit not set: nginx
[WARN][0m * PIDs limit not set: vaultwarden
[WARN][0m * PIDs limit not set: vagrant-vulnerable-1
[WARN][0m * PIDs limit not set: gitea-db
[WARN][0m * PIDs limit not set: gitea
[PASS][0m 5.30 - Ensure that Docker's default bridge 'docker0' is not used (Manual)
[PASS][0m 5.31 - Ensure that the host's user namespaces are not shared (Automated)
[PASS][0m 5.32 - Ensure that the Docker socket is not mounted inside any containers (Automated)
[INFO][0m 6 - Docker Security Operations
[INFO][0m 6.1 - Ensure that image sprawl is avoided (Manual)
[INFO][0m * There are currently: 6 images
[INFO][0m 6.2 - Ensure that container sprawl is avoided (Manual)
[INFO][0m * There are currently a total of 6 containers, with 6 of them currently running
[INFO][0m 7 - Docker Swarm Configuration
[PASS][0m 7.1 - Ensure that the minimum number of manager nodes have been created in a swarm (Automated) (Swarm mode not enabled)
[PASS][0m 7.2 - Ensure that swarm services are bound to a specific host interface (Automated) (Swarm mode not enabled)
[PASS][0m 7.3 - Ensure that all Docker swarm overlay networks are encrypted (Automated)
[PASS][0m 7.4 - Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Manual) (Swarm mode not enabled)
[PASS][0m 7.5 - Ensure that swarm manager is run in auto-lock mode (Automated) (Swarm mode not enabled)
[PASS][0m 7.6 - Ensure that the swarm manager auto-lock key is rotated periodically (Manual) (Swarm mode not enabled)
[PASS][0m 7.7 - Ensure that node certificates are rotated as appropriate (Manual) (Swarm mode not enabled)
[PASS][0m 7.8 - Ensure that CA certificates are rotated as appropriate (Manual) (Swarm mode not enabled)
[PASS][0m 7.9 - Ensure that management plane traffic is separated from data plane traffic (Manual) (Swarm mode not enabled)
Section C - Score[0m
[INFO][0m Checks: 117
[INFO][0m Score: 1
\end{minted}
\end{code}
\begin{code}
\captionof{listing}{Hybrid configuration}
\label{docker_bench:hybrid}
\begin{minted}[breaklines,tabsize=2,breakanywhere,fontsize=\footnotesize]{text}
Initializing 2025-05-18T12:00:06+00:00
Section A - Check results[0m
[INFO][0m 1 - Host Configuration
[INFO][0m 1.1 - Linux Hosts Specific Configuration
[WARN][0m 1.1.1 - Ensure a separate partition for containers has been created (Automated)
[INFO][0m 1.1.2 - Ensure only trusted users are allowed to control Docker daemon (Automated)
[INFO][0m * Users: vagrant,git
[WARN][0m 1.1.3 - Ensure auditing is configured for the Docker daemon (Automated)
[WARN][0m 1.1.4 - Ensure auditing is configured for Docker files and directories -/run/containerd (Automated)
[WARN][0m 1.1.5 - Ensure auditing is configured for Docker files and directories - /var/lib/docker (Automated)
[WARN][0m 1.1.6 - Ensure auditing is configured for Docker files and directories - /etc/docker (Automated)
[WARN][0m 1.1.7 - Ensure auditing is configured for Docker files and directories - docker.service (Automated)
[WARN][0m 1.1.8 - Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)
[WARN][0m 1.1.9 - Ensure auditing is configured for Docker files and directories - docker.socket (Automated)
[WARN][0m 1.1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker (Automated)
[INFO][0m 1.1.11 - Ensure auditing is configured for Dockerfiles and directories - /etc/docker/daemon.json (Automated)
[INFO][0m * File not found
[WARN][0m 1.1.12 - 1.1.12 Ensure auditing is configured for Dockerfiles and directories - /etc/containerd/config.toml (Automated)
[INFO][0m 1.1.13 - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Automated)
[INFO][0m * File not found
[WARN][0m 1.1.14 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Automated)
[WARN][0m 1.1.15 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim (Automated)
[WARN][0m 1.1.16 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v1 (Automated)
[WARN][0m 1.1.17 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v2 (Automated)
[WARN][0m 1.1.18 - Ensure auditing is configured for Docker files and directories - /usr/bin/runc (Automated)
[INFO][0m 1.2 - General Configuration
[NOTE][0m 1.2.1 - Ensure the container host has been Hardened (Manual)
[PASS][0m 1.2.2 - Ensure that the version of Docker is up to date (Manual)
[INFO][0m * Using 28.1.1 which is current
[INFO][0m * Check with your operating system vendor for support and security maintenance for Docker
[INFO][0m 2 - Docker daemon configuration
[NOTE][0m 2.1 - Run the Docker daemon as a non-root user, if possible (Manual)
[WARN][0m 2.2 - Ensure network traffic is restricted between containers on the default bridge (Scored)
[PASS][0m 2.3 - Ensure the logging level is set to 'info' (Scored)
[PASS][0m 2.4 - Ensure Docker is allowed to make changes to iptables (Scored)
[PASS][0m 2.5 - Ensure insecure registries are not used (Scored)
[PASS][0m 2.6 - Ensure aufs storage driver is not used (Scored)
[INFO][0m 2.7 - Ensure TLS authentication for Docker daemon is configured (Scored)
[INFO][0m * Docker daemon not listening on TCP
[INFO][0m 2.8 - Ensure the default ulimit is configured appropriately (Manual)
[INFO][0m * Default ulimit doesn't appear to be set
[WARN][0m 2.9 - Enable user namespace support (Scored)
[PASS][0m 2.10 - Ensure the default cgroup usage has been confirmed (Scored)
[PASS][0m 2.11 - Ensure base device size is not changed until needed (Scored)
[WARN][0m 2.12 - Ensure that authorization for Docker client commands is enabled (Scored)
[WARN][0m 2.13 - Ensure centralized and remote logging is configured (Scored)
[WARN][0m 2.14 - Ensure containers are restricted from acquiring new privileges (Scored)
[WARN][0m 2.15 - Ensure live restore is enabled (Scored)
[WARN][0m 2.16 - Ensure Userland Proxy is Disabled (Scored)
[INFO][0m 2.17 - Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Manual)
[INFO][0m Ensure that experimental features are not implemented in production (Scored) (Deprecated)
[INFO][0m 3 - Docker daemon configuration files
[PASS][0m 3.1 - Ensure that the docker.service file ownership is set to root:root (Automated)
[PASS][0m 3.2 - Ensure that docker.service file permissions are appropriately set (Automated)
[PASS][0m 3.3 - Ensure that docker.socket file ownership is set to root:root (Automated)
[PASS][0m 3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive (Automated)
[PASS][0m 3.5 - Ensure that the /etc/docker directory ownership is set to root:root (Automated)
[PASS][0m 3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictively (Automated)
[INFO][0m 3.7 - Ensure that registry certificate file ownership is set to root:root (Automated)
[INFO][0m * Directory not found
[INFO][0m 3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictively (Automated)
[INFO][0m * Directory not found
[INFO][0m 3.9 - Ensure that TLS CA certificate file ownership is set to root:root (Automated)
[INFO][0m * No TLS CA certificate found
[INFO][0m 3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictively (Automated)
[INFO][0m * No TLS CA certificate found
[INFO][0m 3.11 - Ensure that Docker server certificate file ownership is set to root:root (Automated)
[INFO][0m * No TLS Server certificate found
[INFO][0m 3.12 - Ensure that the Docker server certificate file permissions are set to 444 or more restrictively (Automated)
[INFO][0m * No TLS Server certificate found
[INFO][0m 3.13 - Ensure that the Docker server certificate key file ownership is set to root:root (Automated)
[INFO][0m * No TLS Key found
[INFO][0m 3.14 - Ensure that the Docker server certificate key file permissions are set to 400 (Automated)
[INFO][0m * No TLS Key found
[PASS][0m 3.15 - Ensure that the Docker socket file ownership is set to root:docker (Automated)
[PASS][0m 3.16 - Ensure that the Docker socket file permissions are set to 660 or more restrictively (Automated)
[INFO][0m 3.17 - Ensure that the daemon.json file ownership is set to root:root (Automated)
[INFO][0m * File not found
[INFO][0m 3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive (Automated)
[INFO][0m * File not found
[PASS][0m 3.19 - Ensure that the /etc/default/docker file ownership is set to root:root (Automated)
[PASS][0m 3.20 - Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively (Automated)
[INFO][0m 3.21 - Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (Automated)
[INFO][0m * File not found
[INFO][0m 3.22 - Ensure that the /etc/sysconfig/docker file ownership is set to root:root (Automated)
[INFO][0m * File not found
[PASS][0m 3.23 - Ensure that the Containerd socket file ownership is set to root:root (Automated)
[PASS][0m 3.24 - Ensure that the Containerd socket file permissions are set to 660 or more restrictively (Automated)
[INFO][0m 4 - Container Images and Build File
[WARN][0m 4.1 - Ensure that a user for the container has been created (Automated)
[WARN][0m * Running as root: gitea
[WARN][0m * Running as root: vaultwarden
[WARN][0m * Running as root: nginx
[WARN][0m * Running as root: vagrant-vulnerable-1
[NOTE][0m 4.2 - Ensure that containers use only trusted base images (Manual)
[NOTE][0m 4.3 - Ensure that unnecessary packages are not installed in the container (Manual)
[NOTE][0m 4.4 - Ensure images are scanned and rebuilt to include security patches (Manual)
[WARN][0m 4.5 - Ensure Content trust for Docker is Enabled (Automated)
[WARN][0m 4.6 - Ensure that HEALTHCHECK instructions have been added to container images (Automated)
[WARN][0m * No Healthcheck found: [vagrant-vulnerable:latest]
[WARN][0m * No Healthcheck found: [docker.gitea.com/gitea:latest]
[WARN][0m * No Healthcheck found: [nginx:latest]
[INFO][0m 4.7 - Ensure update instructions are not used alone in the Dockerfile (Manual)
[INFO][0m * Update instruction found: [vagrant-vulnerable:latest]
[NOTE][0m 4.8 - Ensure setuid and setgid permissions are removed (Manual)
[INFO][0m 4.9 - Ensure that COPY is used instead of ADD in Dockerfiles (Manual)
[INFO][0m * ADD in image history: [vagrant-vulnerable:latest]
[INFO][0m * ADD in image history: [vaultwarden/server:latest]
[NOTE][0m 4.10 - Ensure secrets are not stored in Dockerfiles (Manual)
[NOTE][0m 4.11 - Ensure only verified packages are installed (Manual)
[NOTE][0m 4.12 - Ensure all signed artifacts are validated (Manual)
[INFO][0m 5 - Container Runtime
[PASS][0m 5.1 - Ensure swarm mode is not Enabled, if not needed (Automated)
[PASS][0m 5.2 - Ensure that, if applicable, an AppArmor Profile is enabled (Automated)
[WARN][0m 5.3 - Ensure that, if applicable, SELinux security options are set (Automated)
[WARN][0m * No SecurityOptions Found: gitea
[WARN][0m * No SecurityOptions Found: vaultwarden
[WARN][0m * No SecurityOptions Found: nginx
[WARN][0m * No SecurityOptions Found: vagrant-vulnerable-1
[PASS][0m 5.4 - Ensure that Linux kernel capabilities are restricted within containers (Automated)
[PASS][0m 5.5 - Ensure that privileged containers are not used (Automated)
[PASS][0m 5.6 - Ensure sensitive host system directories are not mounted on containers (Automated)
[WARN][0m 5.7 - Ensure sshd is not run within containers (Automated)
[WARN][0m * Container running sshd: gitea
[WARN][0m * Container running sshd: vagrant-vulnerable-1
[WARN][0m 5.8 - Ensure privileged ports are not mapped within containers (Automated)
[WARN][0m * Privileged Port in use: 80 in nginx
[WARN][0m * Privileged Port in use: 443 in nginx
[WARN][0m 5.9 - Ensure that only needed ports are open on the container (Manual)
[WARN][0m * Port in use: 80 in nginx
[WARN][0m * Port in use: 443 in nginx
[WARN][0m * Port in use: 2222 in vagrant-vulnerable-1
[PASS][0m 5.10 - Ensure that the host's network namespace is not shared (Automated)
[WARN][0m 5.11 - Ensure that the memory usage for containers is limited (Automated)
[WARN][0m * Container running without memory restrictions: gitea
[WARN][0m * Container running without memory restrictions: vaultwarden
[WARN][0m * Container running without memory restrictions: nginx
[WARN][0m * Container running without memory restrictions: vagrant-vulnerable-1
[WARN][0m 5.12 - Ensure that CPU priority is set appropriately on containers (Automated)
[WARN][0m * Container running without CPU restrictions: gitea
[WARN][0m * Container running without CPU restrictions: vaultwarden
[WARN][0m * Container running without CPU restrictions: nginx
[WARN][0m * Container running without CPU restrictions: vagrant-vulnerable-1
[WARN][0m 5.13 - Ensure that the container's root filesystem is mounted as read only (Automated)
[WARN][0m * Container running with root FS mounted R/W: gitea
[WARN][0m * Container running with root FS mounted R/W: vaultwarden
[WARN][0m * Container running with root FS mounted R/W: nginx
[WARN][0m * Container running with root FS mounted R/W: vagrant-vulnerable-1
[WARN][0m 5.14 - Ensure that incoming container traffic is bound to a specific host interface (Automated)
[WARN][0m * Port being bound to wildcard IP: 0.0.0.0 in nginx
[WARN][0m * Port being bound to wildcard IP: 0.0.0.0 in nginx
[WARN][0m * Port being bound to wildcard IP: 0.0.0.0 in vagrant-vulnerable-1
[PASS][0m 5.15 - Ensure that the 'on-failure' container restart policy is set to '5' (Automated)
[PASS][0m 5.16 - Ensure that the host's process namespace is not shared (Automated)
[PASS][0m 5.17 - Ensure that the host's IPC namespace is not shared (Automated)
[PASS][0m 5.18 - Ensure that host devices are not directly exposed to containers (Manual)
[INFO][0m 5.19 - Ensure that the default ulimit is overwritten at runtime if needed (Manual)
[INFO][0m * Container no default ulimit override: gitea
[INFO][0m * Container no default ulimit override: vaultwarden
[INFO][0m * Container no default ulimit override: nginx
[INFO][0m * Container no default ulimit override: vagrant-vulnerable-1
[PASS][0m 5.20 - Ensure mount propagation mode is not set to shared (Automated)
[PASS][0m 5.21 - Ensure that the host's UTS namespace is not shared (Automated)
[PASS][0m 5.22 - Ensure the default seccomp profile is not Disabled (Automated)
[NOTE][0m 5.23 - Ensure that docker exec commands are not used with the privileged option (Automated)
[NOTE][0m 5.24 - Ensure that docker exec commands are not used with the user=root option (Manual)
[PASS][0m 5.25 - Ensure that cgroup usage is confirmed (Automated)
[WARN][0m 5.26 - Ensure that the container is restricted from acquiring additional privileges (Automated)
[WARN][0m * Privileges not restricted: gitea
[WARN][0m * Privileges not restricted: vaultwarden
[WARN][0m * Privileges not restricted: nginx
[WARN][0m * Privileges not restricted: vagrant-vulnerable-1
[WARN][0m 5.27 - Ensure that container health is checked at runtime (Automated)
[WARN][0m * Health check not set: gitea
[WARN][0m * Health check not set: nginx
[WARN][0m * Health check not set: vagrant-vulnerable-1
[INFO][0m 5.28 - Ensure that Docker commands always make use of the latest version of their image (Manual)
[WARN][0m 5.29 - Ensure that the PIDs cgroup limit is used (Automated)
[WARN][0m * PIDs limit not set: gitea
[WARN][0m * PIDs limit not set: vaultwarden
[WARN][0m * PIDs limit not set: nginx
[WARN][0m * PIDs limit not set: vagrant-vulnerable-1
[PASS][0m 5.30 - Ensure that Docker's default bridge 'docker0' is not used (Manual)
[PASS][0m 5.31 - Ensure that the host's user namespaces are not shared (Automated)
[PASS][0m 5.32 - Ensure that the Docker socket is not mounted inside any containers (Automated)
[INFO][0m 6 - Docker Security Operations
[INFO][0m 6.1 - Ensure that image sprawl is avoided (Manual)
[INFO][0m * There are currently: 4 images
[INFO][0m 6.2 - Ensure that container sprawl is avoided (Manual)
[INFO][0m * There are currently a total of 4 containers, with 4 of them currently running
[INFO][0m 7 - Docker Swarm Configuration
[PASS][0m 7.1 - Ensure that the minimum number of manager nodes have been created in a swarm (Automated) (Swarm mode not enabled)
[PASS][0m 7.2 - Ensure that swarm services are bound to a specific host interface (Automated) (Swarm mode not enabled)
[PASS][0m 7.3 - Ensure that all Docker swarm overlay networks are encrypted (Automated)
[PASS][0m 7.4 - Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Manual) (Swarm mode not enabled)
[PASS][0m 7.5 - Ensure that swarm manager is run in auto-lock mode (Automated) (Swarm mode not enabled)
[PASS][0m 7.6 - Ensure that the swarm manager auto-lock key is rotated periodically (Manual) (Swarm mode not enabled)
[PASS][0m 7.7 - Ensure that node certificates are rotated as appropriate (Manual) (Swarm mode not enabled)
[PASS][0m 7.8 - Ensure that CA certificates are rotated as appropriate (Manual) (Swarm mode not enabled)
[PASS][0m 7.9 - Ensure that management plane traffic is separated from data plane traffic (Manual) (Swarm mode not enabled)
Section C - Score[0m
[INFO][0m Checks: 117
[INFO][0m Score: 1
\end{minted}
\end{code}
\end{document} \end{document}

2
webserver/base/Vagrantfile vendored
View File

@ -27,6 +27,8 @@ Vagrant.configure("2") do |config|
sandbox.vm.provision "ansible_local" do |ansible| sandbox.vm.provision "ansible_local" do |ansible|
ansible.playbook = "/vagrant/sandbox/playbook.yml" ansible.playbook = "/vagrant/sandbox/playbook.yml"
end end
sandbox.vm.provision "file", source: "../idle_measurement.sh", destination: "$HOME/idle_measurement.sh"
end end
config.vm.define "client" do |client| config.vm.define "client" do |client|

2
webserver/base/sandbox/playbook.yml
View File

@ -15,6 +15,8 @@
- curl - curl
- software-properties-common - software-properties-common
- virtualenv - virtualenv
- bc
- sysstat
state: latest state: latest
update_cache: true update_cache: true

304
webserver/hybrid.patch
View File

@ -1,17 +1,22 @@
diff --color -ruN base/sandbox/docker-compose.yml hybrid/sandbox/docker-compose.yml diff --color -ruN base/sandbox/docker-compose.yml hybrid/sandbox/docker-compose.yml
--- base/sandbox/docker-compose.yml 2025-05-16 14:24:23.205442568 +0200 --- base/sandbox/docker-compose.yml 2025-05-16 19:46:23.713755709 +0200
+++ hybrid/sandbox/docker-compose.yml 2025-05-16 18:50:42.770649909 +0200 +++ hybrid/sandbox/docker-compose.yml 2025-05-16 20:37:19.376016608 +0200
@@ -7,25 +7,12 @@ @@ -4,28 +4,16 @@
- internal container_name: vaultwarden
restart: unless-stopped
networks:
- - nginx
- - vaultwarden
+ - internal
environment: environment:
DOMAIN: "https://bitwarden.vm.local" DOMAIN: "https://bitwarden.vm.local"
- DATABASE_URL: "postgres://vaultwarden:vaultwarden@vaultwarden-db/vaultwarden" - DATABASE_URL: "postgres://vaultwarden:vaultwarden@vaultwarden-db:5432/vaultwarden"
+ DATABASE_URL: "postgres://vaultwarden:vaultwarden@localhost/vaultwarden" + DATABASE_URL: "postgres://vaultwarden:vaultwarden@postgres:5432/vaultwarden"
volumes: volumes:
- ./vw-data/:/data/ - ./vw-data/:/data/
expose: expose:
- 80 - 80
-
- vaultwarden-db: - vaultwarden-db:
- image: docker.io/library/postgres:latest - image: docker.io/library/postgres:latest
- container_name: vaultwarden-db - container_name: vaultwarden-db
@ -23,24 +28,35 @@ diff --color -ruN base/sandbox/docker-compose.yml hybrid/sandbox/docker-compose.
- volumes: - volumes:
- - ./vw-postgres:/var/lib/postgresql/data - - ./vw-postgres:/var/lib/postgresql/data
- networks: - networks:
- - internal - - vaultwarden
- + extra_hosts:
+ - "postgres:172.18.0.1"
gitea: gitea:
image: docker.gitea.com/gitea:latest image: docker.gitea.com/gitea:latest
container_name: gitea @@ -34,15 +22,14 @@
@@ -33,7 +20,7 @@
- USER_UID=1000 - USER_UID=1000
- USER_GID=1000 - USER_GID=1000
- GITEA__database__DB_TYPE=postgres - GITEA__database__DB_TYPE=postgres
- - GITEA__database__HOST=gitea-db:5432 - - GITEA__database__HOST=gitea-db:5432
+ - GITEA__database__HOST=localhost:5432 + - GITEA__database__HOST=postgres:5432
- GITEA__database__NAME=gitea - GITEA__database__NAME=gitea
- GITEA__database__USER=gitea - GITEA__database__USER=gitea
- GITEA__database__PASSWD=gitea - GITEA__database__PASSWD=gitea
@@ -49,19 +36,6 @@ - GITEA__security__INSTALL_LOCK=true
restart: unless-stopped
networks:
- - nginx
- - gitea
+ - internal
volumes:
- ./gitea:/data
- /etc/timezone:/etc/timezone:ro
@@ -50,33 +37,24 @@
expose:
- 3000 - 3000
- 22 - 22
-
- gitea-db: - gitea-db:
- image: docker.io/library/postgres:latest - image: docker.io/library/postgres:latest
- container_name: gitea-db - container_name: gitea-db
@ -52,23 +68,61 @@ diff --color -ruN base/sandbox/docker-compose.yml hybrid/sandbox/docker-compose.
- volumes: - volumes:
- - ./postgres:/var/lib/postgresql/data - - ./postgres:/var/lib/postgresql/data
- networks: - networks:
- - internal - - gitea
- + extra_hosts:
+ - "postgres:172.18.0.1"
vulnerable: vulnerable:
build: /vagrant/sandbox/vuln build: /vagrant/sandbox/vuln
ports: ports:
- 2222:22
networks:
- - nginx
+ - default
+ extra_hosts:
+ - "postgres:172.18.0.1"
nginx:
image: nginx:latest
container_name: nginx
restart: unless-stopped
networks:
- - nginx
+ - internal
volumes:
- ./nginx.conf:/etc/nginx/conf.d/default.conf
- ./nginx/certs:/etc/nginx/certs
@@ -85,9 +63,9 @@
- 443:443
networks:
- nginx:
- driver: bridge
- gitea:
+ internal:
driver: bridge
- vaultwarden:
- driver: bridge
\ No newline at end of file
+ ipam:
+ config:
+ - subnet: 172.18.0.0/16
+ gateway: 172.18.0.1
\ No newline at end of file
diff --color -ruN base/sandbox/playbook.yml hybrid/sandbox/playbook.yml diff --color -ruN base/sandbox/playbook.yml hybrid/sandbox/playbook.yml
--- base/sandbox/playbook.yml 2025-05-16 14:24:38.114525247 +0200 --- base/sandbox/playbook.yml 2025-05-16 14:24:38.114525247 +0200
+++ hybrid/sandbox/playbook.yml 2025-05-16 18:54:14.467644981 +0200 +++ hybrid/sandbox/playbook.yml 2025-05-16 20:46:03.184604976 +0200
@@ -15,6 +15,7 @@ @@ -15,6 +15,9 @@
- curl - curl
- software-properties-common - software-properties-common
- virtualenv - virtualenv
+ - python3-psycopg2
+ - postgresql + - postgresql
+ - acl
state: latest state: latest
update_cache: true update_cache: true
@@ -148,6 +149,40 @@ @@ -148,6 +151,62 @@
name: ssh name: ssh
state: restarted state: restarted
@ -79,6 +133,7 @@ diff --color -ruN base/sandbox/playbook.yml hybrid/sandbox/playbook.yml
+ enabled: yes + enabled: yes
+ +
+ - name: Create PostgreSQL user for gitea + - name: Create PostgreSQL user for gitea
+ become: true
+ become_user: postgres + become_user: postgres
+ postgresql_user: + postgresql_user:
+ name: gitea + name: gitea
@ -86,6 +141,7 @@ diff --color -ruN base/sandbox/playbook.yml hybrid/sandbox/playbook.yml
+ state: present + state: present
+ +
+ - name: Create PostgreSQL database for gitea + - name: Create PostgreSQL database for gitea
+ become: true
+ become_user: postgres + become_user: postgres
+ postgresql_db: + postgresql_db:
+ name: gitea + name: gitea
@ -93,6 +149,7 @@ diff --color -ruN base/sandbox/playbook.yml hybrid/sandbox/playbook.yml
+ state: present + state: present
+ +
+ - name: Create PostgreSQL user for vaultwarden + - name: Create PostgreSQL user for vaultwarden
+ become: true
+ become_user: postgres + become_user: postgres
+ postgresql_user: + postgresql_user:
+ name: vaultwarden + name: vaultwarden
@ -100,12 +157,221 @@ diff --color -ruN base/sandbox/playbook.yml hybrid/sandbox/playbook.yml
+ state: present + state: present
+ +
+ - name: Create PostgreSQL database for vaultwarden + - name: Create PostgreSQL database for vaultwarden
+ become: true
+ become_user: postgres + become_user: postgres
+ postgresql_db: + postgresql_db:
+ name: vaultwarden + name: vaultwarden
+ owner: vaultwarden + owner: vaultwarden
+ state: present + state: present
+
+ - name: Set PostgreSQL to listen on localhost and Docker bridge IP
+ become: yes
+ lineinfile:
+ path: /etc/postgresql/14/main/postgresql.conf
+ regexp: '^#?listen_addresses\s*='
+ line: "listen_addresses = 'localhost,172.18.0.1'"
+ notify: Restart PostgreSQL
+
+ - name: Allow connections from Docker subnet in pg_hba.conf
+ become: yes
+ lineinfile:
+ path: /etc/postgresql/14/main/pg_hba.conf
+ line: 'host all all 172.18.0.0/16 md5'
+ create: yes
+ insertafter: EOF
+ state: present
+ notify: Restart PostgreSQL
+ +
- name: Ensure Docker service is running - name: Ensure Docker service is running
service: service:
name: docker name: docker
@@ -157,4 +216,12 @@
- name: Run docker compose up -d
command: docker compose up -d
args:
- chdir: /home/vagrant
\ No newline at end of file
+ chdir: /home/vagrant
+
+
+ handlers:
+ - name: Restart PostgreSQL
+ become: yes
+ service:
+ name: postgresql
+ state: restarted
\ No newline at end of file
diff --color -ruN base/shared/ca/rootCA.pem hybrid/shared/ca/rootCA.pem
--- base/shared/ca/rootCA.pem 2025-05-16 14:13:52.000000000 +0200
+++ hybrid/shared/ca/rootCA.pem 2025-05-16 20:48:56.000000000 +0200
@@ -1,26 +1,26 @@
-----BEGIN CERTIFICATE-----
-MIIEeTCCAuGgAwIBAgIQCbH+Liv4sQVPc8WF+RDDnTANBgkqhkiG9w0BAQsFADBV
-MR4wHAYDVQQKExVta2NlcnQgZGV2ZWxvcG1lbnQgQ0ExFTATBgNVBAsMDHJvb3RA
-c2FuZGJveDEcMBoGA1UEAwwTbWtjZXJ0IHJvb3RAc2FuZGJveDAeFw0yNTA1MTYx
-MjEzNTJaFw0zNTA1MTYxMjEzNTJaMFUxHjAcBgNVBAoTFW1rY2VydCBkZXZlbG9w
-bWVudCBDQTEVMBMGA1UECwwMcm9vdEBzYW5kYm94MRwwGgYDVQQDDBNta2NlcnQg
-cm9vdEBzYW5kYm94MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA6oue
-J4Wg4kPEewbZOg6fw+so6rcP8wfsBSiZYlJfe8RpTZe4UzUFKpairLrs0ghqgwSN
-GoTn3UlolEilXm3nhuwhQZ2FUluO42RyQJcxXlOKMd3yhSyf3WgsC/8WktgqsjHY
-n1msUZ3YdFKc6SSnZVLQRj1/Eoj8N/b/sBqpkTFp5A/TpMizzmzx8k8rOhQVxvLy
-ZbXJt2jXxM66+7tnSXFyZFp0SGTniJfGP6QhpBTtHyUEGU/IbmTOEOUHydKkBADH
-r+/e6P3bb8hGmW66ksLiytzBiJuY3N+Rps1a7t+0+ZBHQxW5o2ZwmvbsWuqYpbB4
-y/xM/IuK60kM8WTFJm83ggAk2Lf4DY75OqMhw0SBEU095fJnMMnmWLtqvDdDtZaR
-jZ9X1NuXRTk2WuwVVIiBwJ946qH5SUdsxfyOF2QeeX73snX8fKFmQ4Eoq0c+CnbB
-FXh/gWNmlSpTN7x3j/Jnr/15HcAZeB2fA09ZVmXKbzat+mELUb/CQgrIYgGpAgMB
-AAGjRTBDMA4GA1UdDwEB/wQEAwICBDASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1Ud
-DgQWBBSSDE7+6Nbyr0SAytNA8cqlQbckPzANBgkqhkiG9w0BAQsFAAOCAYEA2s0z
-ijDpyTdNviZZhxcHydGkSEJkOwJVsN5DVVksKrWKlcDR9f0NCYLxA1IGhaNYVg3Y
-ipeAqAgqjauM71z/UvC3BrIOJhXa5lXqi36Syw9BFlUF0KH48BnklJpJfmdcRQ+T
-mQf52TNFr39pBTrCjvlIGm6aMvGy+TWyuwo+GO1GyBRVT9fiD988uPNIFSNCFJWp
-87xNfl+qdZxDIdYr4qh12t4y7IKziklAC+P0oAnNXcVGomACW7p+VqeLineYOaNJ
-1NfEiZZ+SJ6U9KmEOuFIwPx8cSVzmbfA6V+kE6ZL4KQjRGwAJr3uQmgEvA9LTz+L
-U4aYk/Nsue2xXRN72XG42FARZ68DftqH6Csi+BNWX0BpB4ph5Ue8rdrYt+97nVX7
-iRN1+lXx3xjxv80gh20iCOAEyq6Z+gblgCf19x1K7hVSFI/iuTXq0TYLdLM36mhi
-pIa3uAsYU9lPn5Vig1GptLN7dg9cXmBkkZnShrNsAGi2G6qJYMQ+50So3Btk
+MIIEejCCAuKgAwIBAgIRAK9Fw1j5+aJLyagdMqeXZ4YwDQYJKoZIhvcNAQELBQAw
+VTEeMBwGA1UEChMVbWtjZXJ0IGRldmVsb3BtZW50IENBMRUwEwYDVQQLDAxyb290
+QHNhbmRib3gxHDAaBgNVBAMME21rY2VydCByb290QHNhbmRib3gwHhcNMjUwNTE2
+MTg0ODU2WhcNMzUwNTE2MTg0ODU2WjBVMR4wHAYDVQQKExVta2NlcnQgZGV2ZWxv
+cG1lbnQgQ0ExFTATBgNVBAsMDHJvb3RAc2FuZGJveDEcMBoGA1UEAwwTbWtjZXJ0
+IHJvb3RAc2FuZGJveDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJy3
+m1f1srCfFhP6gB0Ov6jXev/B9YJeAbFZxafprUVRIUVwepAlteYTq5fcYtpOUKhR
+SW8aYuHi6nVuOSJhXgrDvp+eVm0cgyiklO063a/XCU5hmFPvULqkKvSaGl3hF/2A
+Ya51fsO/P9IqruaBJEKsBovVPCa/GMpnF8EbGbL3lWLMWeQZLCpoFoT1gAmJOyWd
+TUX9MBuxVMJxwyugliUjPPWOrvuH3u5vaDKB2LBkHUmG2cGDRfKzf1Q5Z6vT4DNL
+EstSD3T2DDIVYtnHr42HKMC/kYK1SKaiH+8lvTtEjKMR1T4L4Bv6AkEKuLdiy20Q
++5SPiUqCq8+EpDOrbJM8RKR+K7Y3g52iZDyTNoz+j99oBB+Kovnj7sn9OH2ZyjBb
++9pKjzx5l/d6EbobVvZwhXIkd/zF3Nhifm9v0WTN+yuCaznLzoqufSFhFZ3yOvPN
+iW1FhisLIGaE33HQgfSG8P/RGMx//37eDRjZ5pvr78pS5N265SzkXneHD/i0fQID
+AQABo0UwQzAOBgNVHQ8BAf8EBAMCAgQwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNV
+HQ4EFgQUN7MwujcQvMi1b6VUfCip3TiLwBcwDQYJKoZIhvcNAQELBQADggGBAGHv
+XUwADq1UdY6mz3+4zk823Hd45BqDX0GHX4mamGkck0n+6f4dhEHsKsvp/ULzY2/E
+wW5jVCEs/qNGY2U8iqpV/B7ldne5/nugF0rXFfKcVNRi9qLr2KJYZxeKFnbUgDeJ
+VNrf7hCp8hrwSlwmF8DxdST+ZdtJk2optf5CJ+6pj+k67o7em/4pRgCQX9oy/n/4
+NHORnypwVOsEjh4j7qFSxJ44fDpSO3EzOmTdnIxeNVnb5IaY40qkCwCUlQXwjBYh
+Ws0ryqRsaENbBtlZh3ZrJxRDBQhzi145xXujkaDs83vAc5QVoGYXrlF/1uHFUBNc
+Suk++hOA1Y32dwOAkZZhzheZGOu8Jq0+dTsXDqM7aGeu/MfBVLBgZTUz7DumAzLT
+Mfr6h9069fi50G3cqzAkhmUDSUwwJsGyGCHzulJyt5rEk9mxogPT2L5bVHmt2L8K
+kLiPaz2BOiSLJCxlhChBKxSQB8gSHLUR6NS4A+3L8sBA7tU0xwmq5Y7AgdTY2Q==
-----END CERTIFICATE-----
diff --color -ruN base/.vagrant/machines/client/virtualbox/action_provision hybrid/.vagrant/machines/client/virtualbox/action_provision
--- base/.vagrant/machines/client/virtualbox/action_provision 1970-01-01 01:00:00.000000000 +0100
+++ hybrid/.vagrant/machines/client/virtualbox/action_provision 2025-05-16 19:37:10.086762165 +0200
@@ -0,0 +1 @@
+1.5:e88dc80c-9521-4f90-95d5-4fb243f94f47
\ No newline at end of file
diff --color -ruN base/.vagrant/machines/client/virtualbox/action_set_name hybrid/.vagrant/machines/client/virtualbox/action_set_name
--- base/.vagrant/machines/client/virtualbox/action_set_name 1970-01-01 01:00:00.000000000 +0100
+++ hybrid/.vagrant/machines/client/virtualbox/action_set_name 2025-05-16 19:35:00.996251945 +0200
@@ -0,0 +1 @@
+1747416900
\ No newline at end of file
diff --color -ruN base/.vagrant/machines/client/virtualbox/box_meta hybrid/.vagrant/machines/client/virtualbox/box_meta
--- base/.vagrant/machines/client/virtualbox/box_meta 1970-01-01 01:00:00.000000000 +0100
+++ hybrid/.vagrant/machines/client/virtualbox/box_meta 2025-05-16 19:37:05.102859035 +0200
@@ -0,0 +1 @@
+{"name":"kalilinux/rolling","version":"2025.1.0","provider":"virtualbox","directory":"boxes/kalilinux-VAGRANTSLASH-rolling/2025.1.0/amd64/virtualbox"}
\ No newline at end of file
diff --color -ruN base/.vagrant/machines/client/virtualbox/creator_uid hybrid/.vagrant/machines/client/virtualbox/creator_uid
--- base/.vagrant/machines/client/virtualbox/creator_uid 1970-01-01 01:00:00.000000000 +0100
+++ hybrid/.vagrant/machines/client/virtualbox/creator_uid 2025-05-16 19:35:00.360264104 +0200
@@ -0,0 +1 @@
+1000
\ No newline at end of file
diff --color -ruN base/.vagrant/machines/client/virtualbox/id hybrid/.vagrant/machines/client/virtualbox/id
--- base/.vagrant/machines/client/virtualbox/id 1970-01-01 01:00:00.000000000 +0100
+++ hybrid/.vagrant/machines/client/virtualbox/id 2025-05-16 19:35:00.360264104 +0200
@@ -0,0 +1 @@
+e88dc80c-9521-4f90-95d5-4fb243f94f47
\ No newline at end of file
diff --color -ruN base/.vagrant/machines/client/virtualbox/index_uuid hybrid/.vagrant/machines/client/virtualbox/index_uuid
--- base/.vagrant/machines/client/virtualbox/index_uuid 1970-01-01 01:00:00.000000000 +0100
+++ hybrid/.vagrant/machines/client/virtualbox/index_uuid 2025-05-16 19:35:00.365264008 +0200
@@ -0,0 +1 @@
+7c7ce4783d7f48b28436a1de850ba957
\ No newline at end of file
diff --color -ruN base/.vagrant/machines/client/virtualbox/private_key hybrid/.vagrant/machines/client/virtualbox/private_key
--- base/.vagrant/machines/client/virtualbox/private_key 1970-01-01 01:00:00.000000000 +0100
+++ hybrid/.vagrant/machines/client/virtualbox/private_key 2025-05-16 19:35:28.005734548 +0200
@@ -0,0 +1,8 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAA
+AAtzc2gtZWQyNTUxOQAAACCDja7QoNOjkzrCeE3ghwFsylAHTdTrCFWoRVso
+r87iMwAAAJCuEJUOrhCVDgAAAAtzc2gtZWQyNTUxOQAAACCDja7QoNOjkzrC
+eE3ghwFsylAHTdTrCFWoRVsor87iMwAAAEC0o0rgBdsIVpUoatFV67Dw4ZyG
+PT5Q/3Sfiy88ShdsYYONrtCg06OTOsJ4TeCHAWzKUAdN1OsIVahFWyivzuIz
+AAAAB3ZhZ3JhbnQBAgMEBQY=
+-----END OPENSSH PRIVATE KEY-----
diff --color -ruN base/.vagrant/machines/client/virtualbox/synced_folders hybrid/.vagrant/machines/client/virtualbox/synced_folders
--- base/.vagrant/machines/client/virtualbox/synced_folders 1970-01-01 01:00:00.000000000 +0100
+++ hybrid/.vagrant/machines/client/virtualbox/synced_folders 2025-05-16 19:37:09.104781255 +0200
@@ -0,0 +1 @@
+{"virtualbox":{"/vagrant":{"guestpath":"/vagrant","hostpath":"/home/nano/Documents/bachthesis/setup/webserver/hybrid","disabled":false,"__vagrantfile":true}}}
\ No newline at end of file
diff --color -ruN base/.vagrant/machines/client/virtualbox/vagrant_cwd hybrid/.vagrant/machines/client/virtualbox/vagrant_cwd
--- base/.vagrant/machines/client/virtualbox/vagrant_cwd 1970-01-01 01:00:00.000000000 +0100
+++ hybrid/.vagrant/machines/client/virtualbox/vagrant_cwd 2025-05-16 19:34:14.358140414 +0200
@@ -0,0 +1 @@
+/home/nano/Documents/bachthesis/setup/webserver/hybrid
\ No newline at end of file
diff --color -ruN base/.vagrant/machines/sandbox/virtualbox/action_provision hybrid/.vagrant/machines/sandbox/virtualbox/action_provision
--- base/.vagrant/machines/sandbox/virtualbox/action_provision 1970-01-01 01:00:00.000000000 +0100
+++ hybrid/.vagrant/machines/sandbox/virtualbox/action_provision 2025-05-16 20:47:43.933737193 +0200
@@ -0,0 +1 @@
+1.5:c759b140-fa01-4cb9-9e78-1bbbb473e28b
\ No newline at end of file
diff --color -ruN base/.vagrant/machines/sandbox/virtualbox/action_set_name hybrid/.vagrant/machines/sandbox/virtualbox/action_set_name
--- base/.vagrant/machines/sandbox/virtualbox/action_set_name 1970-01-01 01:00:00.000000000 +0100
+++ hybrid/.vagrant/machines/sandbox/virtualbox/action_set_name 2025-05-16 20:47:16.586245129 +0200
@@ -0,0 +1 @@
+1747421236
\ No newline at end of file
diff --color -ruN base/.vagrant/machines/sandbox/virtualbox/box_meta hybrid/.vagrant/machines/sandbox/virtualbox/box_meta
--- base/.vagrant/machines/sandbox/virtualbox/box_meta 1970-01-01 01:00:00.000000000 +0100
+++ hybrid/.vagrant/machines/sandbox/virtualbox/box_meta 2025-05-16 20:47:39.050827934 +0200
@@ -0,0 +1 @@
+{"name":"ubuntu/jammy64","version":"20241002.0.0","provider":"virtualbox","directory":"boxes/ubuntu-VAGRANTSLASH-jammy64/20241002.0.0/virtualbox"}
\ No newline at end of file
diff --color -ruN base/.vagrant/machines/sandbox/virtualbox/creator_uid hybrid/.vagrant/machines/sandbox/virtualbox/creator_uid
--- base/.vagrant/machines/sandbox/virtualbox/creator_uid 1970-01-01 01:00:00.000000000 +0100
+++ hybrid/.vagrant/machines/sandbox/virtualbox/creator_uid 2025-05-16 20:47:15.934257231 +0200
@@ -0,0 +1 @@
+1000
\ No newline at end of file
diff --color -ruN base/.vagrant/machines/sandbox/virtualbox/id hybrid/.vagrant/machines/sandbox/virtualbox/id
--- base/.vagrant/machines/sandbox/virtualbox/id 1970-01-01 01:00:00.000000000 +0100
+++ hybrid/.vagrant/machines/sandbox/virtualbox/id 2025-05-16 20:47:15.934257231 +0200
@@ -0,0 +1 @@
+c759b140-fa01-4cb9-9e78-1bbbb473e28b
\ No newline at end of file
diff --color -ruN base/.vagrant/machines/sandbox/virtualbox/index_uuid hybrid/.vagrant/machines/sandbox/virtualbox/index_uuid
--- base/.vagrant/machines/sandbox/virtualbox/index_uuid 1970-01-01 01:00:00.000000000 +0100
+++ hybrid/.vagrant/machines/sandbox/virtualbox/index_uuid 2025-05-16 20:47:15.941257101 +0200
@@ -0,0 +1 @@
+a2ce833661ec4d9ebcd90af9f8d9d658
\ No newline at end of file
diff --color -ruN base/.vagrant/machines/sandbox/virtualbox/private_key hybrid/.vagrant/machines/sandbox/virtualbox/private_key
--- base/.vagrant/machines/sandbox/virtualbox/private_key 1970-01-01 01:00:00.000000000 +0100
+++ hybrid/.vagrant/machines/sandbox/virtualbox/private_key 2025-05-16 20:47:36.529874774 +0200
@@ -0,0 +1,8 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAA
+AAtzc2gtZWQyNTUxOQAAACCoHi4Q+gsoRdbgU6yQJUpj6kOm8/oIzTJC9uaU
+O8VkWgAAAJCfxk0Yn8ZNGAAAAAtzc2gtZWQyNTUxOQAAACCoHi4Q+gsoRdbg
+U6yQJUpj6kOm8/oIzTJC9uaUO8VkWgAAAEAR2S8XEN4rdFqnz7eKsrzkvU01
+aWQNxaNVNcNGrOilrqgeLhD6CyhF1uBTrJAlSmPqQ6bz+gjNMkL25pQ7xWRa
+AAAAB3ZhZ3JhbnQBAgMEBQY=
+-----END OPENSSH PRIVATE KEY-----
diff --color -ruN base/.vagrant/machines/sandbox/virtualbox/synced_folders hybrid/.vagrant/machines/sandbox/virtualbox/synced_folders
--- base/.vagrant/machines/sandbox/virtualbox/synced_folders 1970-01-01 01:00:00.000000000 +0100
+++ hybrid/.vagrant/machines/sandbox/virtualbox/synced_folders 2025-05-16 20:47:43.000754532 +0200
@@ -0,0 +1 @@
+{"virtualbox":{"/vagrant":{"guestpath":"/vagrant","hostpath":"/home/nano/Documents/bachthesis/setup/webserver/hybrid","disabled":false,"__vagrantfile":true}}}
\ No newline at end of file
diff --color -ruN base/.vagrant/machines/sandbox/virtualbox/vagrant_cwd hybrid/.vagrant/machines/sandbox/virtualbox/vagrant_cwd
--- base/.vagrant/machines/sandbox/virtualbox/vagrant_cwd 1970-01-01 01:00:00.000000000 +0100
+++ hybrid/.vagrant/machines/sandbox/virtualbox/vagrant_cwd 2025-05-16 20:47:11.366181414 +0200
@@ -0,0 +1 @@
+/home/nano/Documents/bachthesis/setup/webserver/hybrid
\ No newline at end of file

39
webserver/idle_measurement.sh Executable file
View File

@ -0,0 +1,39 @@
#!/bin/bash
# idle_measurement.sh
# Usage: ./idle_measurement.sh output.csv
OUTPUT_FILE="$1"
if [[ -z "$OUTPUT_FILE" ]]; then
echo "Usage: $0 output_file.csv"
exit 1
fi
echo "Sample,CPU_idle_percent,Mem_available_MB" > "$OUTPUT_FILE"
echo "Starting idle measurement for 60 samples (1 per second)"
echo ""
CPU_TOTAL=0
MEM_TOTAL=0
SAMPLES=60
for i in $(seq 1 $SAMPLES); do
# mpstat waits 1 second and returns average for that interval
CPU_IDLE=$(mpstat 1 1 | awk '/Average/ && $NF ~ /[0-9.]+/ {print $NF}')
MEM_AVAILABLE=$(free -m | awk '/^Mem:/ {print $7}')
CPU_TOTAL=$(echo "$CPU_TOTAL + $CPU_IDLE" | bc)
MEM_TOTAL=$(echo "$MEM_TOTAL + $MEM_AVAILABLE" | bc)
echo "$i,$CPU_IDLE,$MEM_AVAILABLE" >> "$OUTPUT_FILE"
printf "Sample %2d: CPU idle = %5.1f%% | Available memory = %6d MB\n" "$i" "$CPU_IDLE" "$MEM_AVAILABLE"
done
CPU_AVG=$(echo "scale=2; $CPU_TOTAL / $SAMPLES" | bc)
MEM_AVG=$(echo "scale=2; $MEM_TOTAL / $SAMPLES" | bc)
echo ""
echo "Results saved to: $OUTPUT_FILE"
echo "Average CPU idle: $CPU_AVG%"
echo "Average Free Memory: $MEM_AVG MB"