{ "dockerbenchsecurity": "1.6.0", "start": 1747568555, "tests": [ { "id": "1", "desc": "Host Configuration", "results": [ { "id": "1.1.1", "desc": "Ensure a separate partition for containers has been created (Automated)", "result": "WARN" }, { "id": "1.1.2", "desc": "Ensure only trusted users are allowed to control Docker daemon (Automated)", "result": "INFO", "details": "doubtfulusers: vagrant,git", "items": [ "vagrant,git" ] }, { "id": "1.1.3", "desc": "Ensure auditing is configured for the Docker daemon (Automated)", "result": "WARN" }, { "id": "1.1.4", "desc": "Ensure auditing is configured for Docker files and directories - /run/containerd (Automated)", "result": "WARN" }, { "id": "1.1.5", "desc": "Ensure auditing is configured for Docker files and directories - /var/lib/docker (Automated)", "result": "WARN" }, { "id": "1.1.6", "desc": "Ensure auditing is configured for Docker files and directories - /etc/docker (Automated)", "result": "WARN" }, { "id": "1.1.7", "desc": "Ensure auditing is configured for Docker files and directories - docker.service (Automated)", "result": "WARN" }, { "id": "1.1.8", "desc": "Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)", "result": "WARN" }, { "id": "1.1.9", "desc": "Ensure auditing is configured for Docker files and directories - docker.socket (Automated)", "result": "WARN" }, { "id": "1.1.10", "desc": "Ensure auditing is configured for Docker files and directories - /etc/default/docker (Automated)", "result": "WARN" }, { "id": "1.1.11", "desc": "Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json (Automated)", "result": "INFO", "details": "File not found" }, { "id": "1.1.12", "desc": "Ensure auditing is configured for Docker files and directories - /etc/containerd/config.toml (Automated)", "result": "WARN" }, { "id": "1.1.13", "desc": "Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Automated)", 
"result": "INFO", "details": "File not found" }, { "id": "1.1.14", "desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Automated)", "result": "WARN" }, { "id": "1.1.15", "desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim (Automated)", "result": "WARN" }, { "id": "1.1.16", "desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v1 (Automated)", "result": "WARN" }, { "id": "1.1.17", "desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v2 (Automated)", "result": "WARN" }, { "id": "1.1.18", "desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/runc (Automated)", "result": "WARN" }, { "id": "1.2.1", "desc": "Ensure the container host has been Hardened (Manual)", "result": "INFO" }, { "id": "1.2.2", "desc": "Ensure that the version of Docker is up to date (Manual)", "result": "PASS", "details": "Using 28.1.1" } ] }, { "id": "2", "desc": "Docker daemon configuration", "results": [ { "id": "2.1", "desc": "Run the Docker daemon as a non-root user, if possible (Manual)", "result": "INFO" }, { "id": "2.2", "desc": "Ensure network traffic is restricted between containers on the default bridge (Scored)", "result": "WARN" }, { "id": "2.3", "desc": "Ensure the logging level is set to 'info' (Scored)", "result": "PASS" }, { "id": "2.4", "desc": "Ensure Docker is allowed to make changes to iptables (Scored)", "result": "PASS" }, { "id": "2.5", "desc": "Ensure insecure registries are not used (Scored)", "result": "PASS" }, { "id": "2.6", "desc": "Ensure aufs storage driver is not used (Scored)", "result": "PASS" }, { "id": "2.7", "desc": "Ensure TLS authentication for Docker daemon is configured (Scored)", "result": "INFO", "details": "Docker daemon not listening on TCP" }, { "id": "2.8", "desc": "Ensure the default ulimit is configured appropriately (Manual)", 
"result": "INFO", "details": "Default ulimit doesn't appear to be set" }, { "id": "2.9", "desc": "Enable user namespace support (Scored)", "result": "WARN" }, { "id": "2.10", "desc": "Ensure the default cgroup usage has been confirmed (Scored)", "result": "PASS" }, { "id": "2.11", "desc": "Ensure base device size is not changed until needed (Scored)", "result": "PASS" }, { "id": "2.12", "desc": "Ensure that authorization for Docker client commands is enabled (Scored)", "result": "WARN" }, { "id": "2.13", "desc": "Ensure centralized and remote logging is configured (Scored)", "result": "WARN" }, { "id": "2.14", "desc": "Ensure containers are restricted from acquiring new privileges (Scored)", "result": "WARN" }, { "id": "2.15", "desc": "Ensure live restore is enabled (Scored)", "result": "WARN" }, { "id": "2.16", "desc": "Ensure Userland Proxy is Disabled (Scored)", "result": "WARN" }, { "id": "2.17", "desc": "Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Manual)", "result": "INFO" }, { "id": "2.18", "desc": "Ensure that experimental features are not implemented in production (Scored)", "result": "INFO" } ] }, { "id": "3", "desc": "Docker daemon configuration files", "results": [ { "id": "3.1", "desc": "Ensure that the docker.service file ownership is set to root:root (Automated)", "result": "PASS" }, { "id": "3.2", "desc": "Ensure that docker.service file permissions are appropriately set (Automated)", "result": "PASS" }, { "id": "3.3", "desc": "Ensure that docker.socket file ownership is set to root:root (Automated)", "result": "PASS" }, { "id": "3.4", "desc": "Ensure that docker.socket file permissions are set to 644 or more restrictive (Automated)", "result": "PASS" }, { "id": "3.5", "desc": "Ensure that the /etc/docker directory ownership is set to root:root (Automated)", "result": "PASS" }, { "id": "3.6", "desc": "Ensure that /etc/docker directory permissions are set to 755 or more restrictively (Automated)", "result": "PASS" }, { 
"id": "3.7", "desc": "Ensure that registry certificate file ownership is set to root:root (Automated)", "result": "INFO", "details": "Directory not found" }, { "id": "3.8", "desc": "Ensure that registry certificate file permissions are set to 444 or more restrictively (Automated)", "result": "INFO", "details": "Directory not found" }, { "id": "3.9", "desc": "Ensure that TLS CA certificate file ownership is set to root:root (Automated)", "result": "INFO", "details": "No TLS CA certificate found" }, { "id": "3.10", "desc": "Ensure that TLS CA certificate file permissions are set to 444 or more restrictively (Automated)", "result": "INFO", "details": "No TLS CA certificate found" }, { "id": "3.11", "desc": "Ensure that Docker server certificate file ownership is set to root:root (Automated)", "result": "INFO", "details": "No TLS Server certificate found" }, { "id": "3.12", "desc": "Ensure that the Docker server certificate file permissions are set to 444 or more restrictively (Automated)", "result": "INFO", "details": "No TLS Server certificate found" }, { "id": "3.13", "desc": "Ensure that the Docker server certificate key file ownership is set to root:root (Automated)", "result": "INFO", "details": "No TLS Key found" }, { "id": "3.14", "desc": "Ensure that the Docker server certificate key file permissions are set to 400 (Automated)", "result": "INFO", "details": "No TLS Key found" }, { "id": "3.15", "desc": "Ensure that the Docker socket file ownership is set to root:docker (Automated)", "result": "PASS" }, { "id": "3.16", "desc": "Ensure that the Docker socket file permissions are set to 660 or more restrictively (Automated)", "result": "PASS" }, { "id": "3.17", "desc": "Ensure that the daemon.json file ownership is set to root:root (Automated)", "result": "INFO", "details": "File not found" }, { "id": "3.18", "desc": "Ensure that daemon.json file permissions are set to 644 or more restrictive (Automated)", "result": "INFO", "details": "File not found" }, { "id": 
"3.19", "desc": "Ensure that the /etc/default/docker file ownership is set to root:root (Automated)", "result": "PASS" }, { "id": "3.20", "desc": "Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively (Automated)", "result": "PASS" }, { "id": "3.21", "desc": "Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (Automated)", "result": "INFO", "details": "File not found" }, { "id": "3.22", "desc": "Ensure that the /etc/sysconfig/docker file ownership is set to root:root (Automated)", "result": "INFO", "details": "File not found" }, { "id": "3.23", "desc": "Ensure that the Containerd socket file ownership is set to root:root (Automated)", "result": "PASS" }, { "id": "3.24", "desc": "Ensure that the Containerd socket file permissions are set to 660 or more restrictively (Automated)", "result": "PASS" } ] }, { "id": "4", "desc": "Container Images and Build File", "results": [ { "id": "4.1", "desc": "Ensure that a user for the container has been created (Automated)", "result": "WARN", "details": "running as root: vaultwarden-db nginx vaultwarden vagrant-vulnerable-1 gitea-db gitea", "items": [ "vaultwarden-db","nginx","vaultwarden","vagrant-vulnerable-1","gitea-db","gitea" ] }, { "id": "4.2", "desc": "Ensure that containers use only trusted base images (Manual)", "result": "NOTE" }, { "id": "4.3", "desc": "Ensure that unnecessary packages are not installed in the container (Manual)", "result": "NOTE" }, { "id": "4.4", "desc": "Ensure images are scanned and rebuilt to include security patches (Manual)", "result": "NOTE" }, { "id": "4.5", "desc": "Ensure Content trust for Docker is Enabled (Automated)", "result": "WARN" }, { "id": "4.6", "desc": "Ensure that HEALTHCHECK instructions have been added to container images (Automated)", "result": "WARN", "details": "Images w/o HEALTHCHECK: [vagrant-vulnerable:latest] [docker.gitea.com/gitea:latest] [postgres:latest] [nginx:latest]", "items": [ 
"[vagrant-vulnerable:latest]","[docker.gitea.com/gitea:latest]","[postgres:latest]","[nginx:latest]" ] }, { "id": "4.7", "desc": "Ensure update instructions are not used alone in the Dockerfile (Manual)", "result": "INFO", "details": "Update instructions found: [vagrant-vulnerable:latest] [postgres:latest]", "items": [ "[vagrant-vulnerable:latest]","[postgres:latest]" ] }, { "id": "4.8", "desc": "Ensure setuid and setgid permissions are removed (Manual)", "result": "NOTE" }, { "id": "4.9", "desc": "Ensure that COPY is used instead of ADD in Dockerfiles (Manual)", "result": "INFO", "details": "Images using ADD: [vagrant-vulnerable:latest] [vaultwarden/server:latest]", "items": [ "[vagrant-vulnerable:latest]","[vaultwarden/server:latest]" ] }, { "id": "4.10", "desc": "Ensure secrets are not stored in Dockerfiles (Manual)", "result": "NOTE" }, { "id": "4.11", "desc": "Ensure only verified packages are installed (Manual)", "result": "NOTE" }, { "id": "4.12", "desc": "Ensure all signed artifacts are validated (Manual)", "result": "NOTE" } ] }, { "id": "5", "desc": "Container Runtime", "results": [ { "id": "5.1", "desc": "Ensure swarm mode is not Enabled, if not needed (Automated)", "result": "PASS" }, { "id": "5.2", "desc": "Ensure that, if applicable, an AppArmor Profile is enabled (Automated)", "result": "PASS" }, { "id": "5.3", "desc": "Ensure that, if applicable, SELinux security options are set (Automated)", "result": "WARN", "details": "Containers with no SecurityOptions: vaultwarden-db nginx vaultwarden vagrant-vulnerable-1 gitea-db gitea", "items": [ "vaultwarden-db","nginx","vaultwarden","vagrant-vulnerable-1","gitea-db","gitea" ] }, { "id": "5.4", "desc": "Ensure that Linux kernel capabilities are restricted within containers (Automated)", "result": "PASS" }, { "id": "5.5", "desc": "Ensure that privileged containers are not used (Automated)", "result": "PASS" }, { "id": "5.6", "desc": "Ensure sensitive host system directories are not mounted on containers 
(Automated)", "result": "PASS" }, { "id": "5.7", "desc": "Ensure sshd is not run within containers (Automated)", "result": "WARN", "details": "Containers with sshd/docker exec failures: vagrant-vulnerable-1 gitea", "items": [ "vagrant-vulnerable-1","gitea" ] }, { "id": "5.8", "desc": "Ensure privileged ports are not mapped within containers (Automated)", "result": "WARN", "details": "Containers using privileged ports: nginx:80 nginx:443", "items": [ "nginx:80","nginx:443" ] }, { "id": "5.9", "desc": "Ensure that only needed ports are open on the container (Manual)", "result": "WARN", "details": "Containers with open ports: nginx:80 nginx:443 vagrant-vulnerable-1:2222", "items": [ "nginx:80","nginx:443","vagrant-vulnerable-1:2222" ] }, { "id": "5.10", "desc": "Ensure that the host's network namespace is not shared (Automated)", "result": "PASS" }, { "id": "5.11", "desc": "Ensure that the memory usage for containers is limited (Automated)", "result": "WARN", "details": "Container running without memory restrictions: vaultwarden-db nginx vaultwarden vagrant-vulnerable-1 gitea-db gitea", "items": [ "vaultwarden-db","nginx","vaultwarden","vagrant-vulnerable-1","gitea-db","gitea" ] }, { "id": "5.12", "desc": "Ensure that CPU priority is set appropriately on containers (Automated)", "result": "WARN", "details": "Containers running without CPU restrictions: vaultwarden-db nginx vaultwarden vagrant-vulnerable-1 gitea-db gitea", "items": [ "vaultwarden-db","nginx","vaultwarden","vagrant-vulnerable-1","gitea-db","gitea" ] }, { "id": "5.13", "desc": "Ensure that the container's root filesystem is mounted as read only (Automated)", "result": "WARN", "details": "Containers running with root FS mounted R/W: vaultwarden-db nginx vaultwarden vagrant-vulnerable-1 gitea-db gitea", "items": [ "vaultwarden-db","nginx","vaultwarden","vagrant-vulnerable-1","gitea-db","gitea" ] }, { "id": "5.14", "desc": "Ensure that incoming container traffic is bound to a specific host interface 
(Automated)", "result": "WARN", "details": "Containers with port bound to wildcard IP: nginx:0.0.0.0 nginx:0.0.0.0 vagrant-vulnerable-1:0.0.0.0", "items": [ "nginx:0.0.0.0","nginx:0.0.0.0","vagrant-vulnerable-1:0.0.0.0" ] }, { "id": "5.15", "desc": "Ensure that the 'on-failure' container restart policy is set to '5' (Automated)", "result": "PASS" }, { "id": "5.16", "desc": "Ensure that the host's process namespace is not shared (Automated)", "result": "PASS" }, { "id": "5.17", "desc": "Ensure that the host's IPC namespace is not shared (Automated)", "result": "PASS" }, { "id": "5.18", "desc": "Ensure that host devices are not directly exposed to containers (Manual)", "result": "PASS" }, { "id": "5.19", "desc": "Ensure that the default ulimit is overwritten at runtime if needed (Manual)", "result": "INFO", "details": "Containers with no default ulimit override: vaultwarden-db nginx vaultwarden vagrant-vulnerable-1 gitea-db gitea", "items": [ "vaultwarden-db","nginx","vaultwarden","vagrant-vulnerable-1","gitea-db","gitea" ] }, { "id": "5.20", "desc": "Ensure mount propagation mode is not set to shared (Automated)", "result": "PASS" }, { "id": "5.21", "desc": "Ensure that the host's UTS namespace is not shared (Automated)", "result": "PASS" }, { "id": "5.22", "desc": "Ensure the default seccomp profile is not Disabled (Automated)", "result": "PASS" }, { "id": "5.23", "desc": "Ensure that docker exec commands are not used with the privileged option (Automated)", "result": "NOTE" }, { "id": "5.24", "desc": "Ensure that docker exec commands are not used with the user=root option (Manual)", "result": "NOTE" }, { "id": "5.25", "desc": "Ensure that cgroup usage is confirmed (Automated)", "result": "PASS" }, { "id": "5.26", "desc": "Ensure that the container is restricted from acquiring additional privileges (Automated)", "result": "WARN", "details": "Containers without restricted privileges: vaultwarden-db nginx vaultwarden vagrant-vulnerable-1 gitea-db gitea", "items": [ 
"vaultwarden-db","nginx","vaultwarden","vagrant-vulnerable-1","gitea-db","gitea" ] }, { "id": "5.27", "desc": "Ensure that container health is checked at runtime (Automated)", "result": "WARN", "details": "Containers without health check: vaultwarden-db nginx vagrant-vulnerable-1 gitea-db gitea", "items": [ "vaultwarden-db","nginx","vagrant-vulnerable-1","gitea-db","gitea" ] }, { "id": "5.28", "desc": "Ensure that Docker commands always make use of the latest version of their image (Manual)", "result": "INFO" }, { "id": "5.29", "desc": "Ensure that the PIDs cgroup limit is used (Automated)", "result": "WARN", "details": "Containers without PIDs cgroup limit: vaultwarden-db nginx vaultwarden vagrant-vulnerable-1 gitea-db gitea", "items": [ "vaultwarden-db","nginx","vaultwarden","vagrant-vulnerable-1","gitea-db","gitea" ] }, { "id": "5.30", "desc": "Ensure that Docker's default bridge 'docker0' is not used (Manual)", "result": "PASS" }, { "id": "5.31", "desc": "Ensure that the host's user namespaces are not shared (Automated)", "result": "PASS" }, { "id": "5.32", "desc": "Ensure that the Docker socket is not mounted inside any containers (Automated)", "result": "PASS" } ] }, { "id": "6", "desc": "Docker Security Operations", "results": [ { "id": "6.1", "desc": "Ensure that image sprawl is avoided (Manual)", "result": "INFO", "details": "6 active/6 in use" }, { "id": "6.2", "desc": "Ensure that container sprawl is avoided (Manual)", "result": "INFO", "details": "6 total/6 running" } ] }, { "id": "7", "desc": "Docker Swarm Configuration", "results": [ { "id": "7.1", "desc": "Ensure that the minimum number of manager nodes have been created in a swarm (Automated)", "result": "PASS" }, { "id": "7.2", "desc": "Ensure that swarm services are bound to a specific host interface (Automated)", "result": "PASS" }, { "id": "7.3", "desc": "Ensure that all Docker swarm overlay networks are encrypted (Automated)", "result": "PASS" }, { "id": "7.4", "desc": "Ensure that Docker's 
secret management commands are used for managing secrets in a swarm cluster (Manual)", "result": "PASS" }, { "id": "7.5", "desc": "Ensure that swarm manager is run in auto-lock mode (Automated)", "result": "PASS" }, { "id": "7.6", "desc": "Ensure that the swarm manager auto-lock key is rotated periodically (Manual)", "result": "PASS" }, { "id": "7.7", "desc": "Ensure that node certificates are rotated as appropriate (Manual)", "result": "PASS" }, { "id": "7.8", "desc": "Ensure that CA certificates are rotated as appropriate (Manual)", "result": "PASS" }, { "id": "7.9", "desc": "Ensure that management plane traffic is separated from data plane traffic (Manual)", "result": "PASS" } ] } ], "checks": 117, "score": 1, "end": 1747568565 }