Initializing 2025-05-18T12:00:06+00:00 Section A - Check results [INFO] 1 - Host Configuration [INFO] 1.1 - Linux Hosts Specific Configuration [WARN] 1.1.1 - Ensure a separate partition for containers has been created (Automated) [INFO] 1.1.2 - Ensure only trusted users are allowed to control Docker daemon (Automated) [INFO] * Users: vagrant,git [WARN] 1.1.3 - Ensure auditing is configured for the Docker daemon (Automated) [WARN] 1.1.4 - Ensure auditing is configured for Docker files and directories -/run/containerd (Automated) [WARN] 1.1.5 - Ensure auditing is configured for Docker files and directories - /var/lib/docker (Automated) [WARN] 1.1.6 - Ensure auditing is configured for Docker files and directories - /etc/docker (Automated) [WARN] 1.1.7 - Ensure auditing is configured for Docker files and directories - docker.service (Automated) [WARN] 1.1.8 - Ensure auditing is configured for Docker files and directories - containerd.sock (Automated) [WARN] 1.1.9 - Ensure auditing is configured for Docker files and directories - docker.socket (Automated) [WARN] 1.1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker (Automated) [INFO] 1.1.11 - Ensure auditing is configured for Dockerfiles and directories - /etc/docker/daemon.json (Automated) [INFO] * File not found [WARN] 1.1.12 - 1.1.12 Ensure auditing is configured for Dockerfiles and directories - /etc/containerd/config.toml (Automated) [INFO] 1.1.13 - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Automated) [INFO] * File not found [WARN] 1.1.14 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Automated) [WARN] 1.1.15 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim (Automated) [WARN] 1.1.16 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v1 (Automated) [WARN] 1.1.17 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v2 (Automated) [WARN] 1.1.18 - Ensure auditing is configured for Docker files and directories - /usr/bin/runc (Automated) [INFO] 1.2 - General Configuration [NOTE] 1.2.1 - Ensure the container host has been Hardened (Manual) [PASS] 1.2.2 - Ensure that the version of Docker is up to date (Manual) [INFO] * Using 28.1.1 which is current [INFO] * Check with your operating system vendor for support and security maintenance for Docker [INFO] 2 - Docker daemon configuration [NOTE] 2.1 - Run the Docker daemon as a non-root user, if possible (Manual) [WARN] 2.2 - Ensure network traffic is restricted between containers on the default bridge (Scored) [PASS] 2.3 - Ensure the logging level is set to 'info' (Scored) [PASS] 2.4 - Ensure Docker is allowed to make changes to iptables (Scored) [PASS] 2.5 - Ensure insecure registries are not used (Scored) [PASS] 2.6 - Ensure aufs storage driver is not used (Scored) [INFO] 2.7 - Ensure TLS authentication for Docker daemon is configured (Scored) [INFO] * Docker daemon not listening on TCP [INFO] 2.8 - Ensure the default ulimit is configured appropriately (Manual) [INFO] * Default ulimit doesn't appear to be set [WARN] 2.9 - Enable user namespace support (Scored) [PASS] 2.10 - Ensure the default cgroup usage has been confirmed (Scored) [PASS] 2.11 - Ensure base device size is not changed until needed (Scored) [WARN] 2.12 - Ensure that authorization for Docker client commands is enabled (Scored) [WARN] 2.13 - Ensure centralized and remote logging is configured (Scored) [WARN] 2.14 - Ensure containers are restricted from acquiring new privileges (Scored) [WARN] 2.15 - Ensure live restore is enabled (Scored) [WARN] 2.16 - Ensure Userland Proxy is Disabled (Scored) [INFO] 2.17 - Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Manual) [INFO] Ensure that experimental features are not implemented in production (Scored) (Deprecated) [INFO] 3 - Docker daemon configuration files [PASS] 3.1 - Ensure that the docker.service file ownership is set to root:root (Automated) [PASS] 3.2 - Ensure that docker.service file permissions are appropriately set (Automated) [PASS] 3.3 - Ensure that docker.socket file ownership is set to root:root (Automated) [PASS] 3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive (Automated) [PASS] 3.5 - Ensure that the /etc/docker directory ownership is set to root:root (Automated) [PASS] 3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictively (Automated) [INFO] 3.7 - Ensure that registry certificate file ownership is set to root:root (Automated) [INFO] * Directory not found [INFO] 3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictively (Automated) [INFO] * Directory not found [INFO] 3.9 - Ensure that TLS CA certificate file ownership is set to root:root (Automated) [INFO] * No TLS CA certificate found [INFO] 3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictively (Automated) [INFO] * No TLS CA certificate found [INFO] 3.11 - Ensure that Docker server certificate file ownership is set to root:root (Automated) [INFO] * No TLS Server certificate found [INFO] 3.12 - Ensure that the Docker server certificate file permissions are set to 444 or more restrictively (Automated) [INFO] * No TLS Server certificate found [INFO] 3.13 - Ensure that the Docker server certificate key file ownership is set to root:root (Automated) [INFO] * No TLS Key found [INFO] 3.14 - Ensure that the Docker server certificate key file permissions are set to 400 (Automated) [INFO] * No TLS Key found [PASS] 3.15 - Ensure that the Docker socket file ownership is set to root:docker (Automated) [PASS] 3.16 - Ensure that the Docker socket file permissions are set to 660 or more restrictively (Automated) [INFO] 3.17 - Ensure that the daemon.json file ownership is set to root:root (Automated) [INFO] * File not found [INFO] 3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive (Automated) [INFO] * File not found [PASS] 3.19 - Ensure that the /etc/default/docker file ownership is set to root:root (Automated) [PASS] 3.20 - Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively (Automated) [INFO] 3.21 - Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (Automated) [INFO] * File not found [INFO] 3.22 - Ensure that the /etc/sysconfig/docker file ownership is set to root:root (Automated) [INFO] * File not found [PASS] 3.23 - Ensure that the Containerd socket file ownership is set to root:root (Automated) [PASS] 3.24 - Ensure that the Containerd socket file permissions are set to 660 or more restrictively (Automated) [INFO] 4 - Container Images and Build File [WARN] 4.1 - Ensure that a user for the container has been created (Automated) [WARN] * Running as root: gitea [WARN] * Running as root: vaultwarden [WARN] * Running as root: nginx [WARN] * Running as root: vagrant-vulnerable-1 [NOTE] 4.2 - Ensure that containers use only trusted base images (Manual) [NOTE] 4.3 - Ensure that unnecessary packages are not installed in the container (Manual) [NOTE] 4.4 - Ensure images are scanned and rebuilt to include security patches (Manual) [WARN] 4.5 - Ensure Content trust for Docker is Enabled (Automated) [WARN] 4.6 - Ensure that HEALTHCHECK instructions have been added to container images (Automated) [WARN] * No Healthcheck found: [vagrant-vulnerable:latest] [WARN] * No Healthcheck found: [docker.gitea.com/gitea:latest] [WARN] * No Healthcheck found: [nginx:latest] [INFO] 4.7 - Ensure update instructions are not used alone in the Dockerfile (Manual) [INFO] * Update instruction found: [vagrant-vulnerable:latest] [NOTE] 4.8 - Ensure setuid and setgid permissions are removed (Manual) [INFO] 4.9 - Ensure that COPY is used instead of ADD in Dockerfiles (Manual) [INFO] * ADD in image history: [vagrant-vulnerable:latest] [INFO] * ADD in image history: [vaultwarden/server:latest] [NOTE] 4.10 - Ensure secrets are not stored in Dockerfiles (Manual) [NOTE] 4.11 - Ensure only verified packages are installed (Manual) [NOTE] 4.12 - Ensure all signed artifacts are validated (Manual) [INFO] 5 - Container Runtime [PASS] 5.1 - Ensure swarm mode is not Enabled, if not needed (Automated) [PASS] 5.2 - Ensure that, if applicable, an AppArmor Profile is enabled (Automated) [WARN] 5.3 - Ensure that, if applicable, SELinux security options are set (Automated) [WARN] * No SecurityOptions Found: gitea [WARN] * No SecurityOptions Found: vaultwarden [WARN] * No SecurityOptions Found: nginx [WARN] * No SecurityOptions Found: vagrant-vulnerable-1 [PASS] 5.4 - Ensure that Linux kernel capabilities are restricted within containers (Automated) [PASS] 5.5 - Ensure that privileged containers are not used (Automated) [PASS] 5.6 - Ensure sensitive host system directories are not mounted on containers (Automated) [WARN] 5.7 - Ensure sshd is not run within containers (Automated) [WARN] * Container running sshd: gitea [WARN] * Container running sshd: vagrant-vulnerable-1 [WARN] 5.8 - Ensure privileged ports are not mapped within containers (Automated) [WARN] * Privileged Port in use: 80 in nginx [WARN] * Privileged Port in use: 443 in nginx [WARN] 5.9 - Ensure that only needed ports are open on the container (Manual) [WARN] * Port in use: 80 in nginx [WARN] * Port in use: 443 in nginx [WARN] * Port in use: 2222 in vagrant-vulnerable-1 [PASS] 5.10 - Ensure that the host's network namespace is not shared (Automated) [WARN] 5.11 - Ensure that the memory usage for containers is limited (Automated) [WARN] * Container running without memory restrictions: gitea [WARN] * Container running without memory restrictions: vaultwarden [WARN] * Container running without memory restrictions: nginx [WARN] * Container running without memory restrictions: vagrant-vulnerable-1 [WARN] 5.12 - Ensure that CPU priority is set appropriately on containers (Automated) [WARN] * Container running without CPU restrictions: gitea [WARN] * Container running without CPU restrictions: vaultwarden [WARN] * Container running without CPU restrictions: nginx [WARN] * Container running without CPU restrictions: vagrant-vulnerable-1 [WARN] 5.13 - Ensure that the container's root filesystem is mounted as read only (Automated) [WARN] * Container running with root FS mounted R/W: gitea [WARN] * Container running with root FS mounted R/W: vaultwarden [WARN] * Container running with root FS mounted R/W: nginx [WARN] * Container running with root FS mounted R/W: vagrant-vulnerable-1 [WARN] 5.14 - Ensure that incoming container traffic is bound to a specific host interface (Automated) [WARN] * Port being bound to wildcard IP: 0.0.0.0 in nginx [WARN] * Port being bound to wildcard IP: 0.0.0.0 in nginx [WARN] * Port being bound to wildcard IP: 0.0.0.0 in vagrant-vulnerable-1 [PASS] 5.15 - Ensure that the 'on-failure' container restart policy is set to '5' (Automated) [PASS] 5.16 - Ensure that the host's process namespace is not shared (Automated) [PASS] 5.17 - Ensure that the host's IPC namespace is not shared (Automated) [PASS] 5.18 - Ensure that host devices are not directly exposed to containers (Manual) [INFO] 5.19 - Ensure that the default ulimit is overwritten at runtime if needed (Manual) [INFO] * Container no default ulimit override: gitea [INFO] * Container no default ulimit override: vaultwarden [INFO] * Container no default ulimit override: nginx [INFO] * Container no default ulimit override: vagrant-vulnerable-1 [PASS] 5.20 - Ensure mount propagation mode is not set to shared (Automated) [PASS] 5.21 - Ensure that the host's UTS namespace is not shared (Automated) [PASS] 5.22 - Ensure the default seccomp profile is not Disabled (Automated) [NOTE] 5.23 - Ensure that docker exec commands are not used with the privileged option (Automated) [NOTE] 5.24 - Ensure that docker exec commands are not used with the user=root option (Manual) [PASS] 5.25 - Ensure that cgroup usage is confirmed (Automated) [WARN] 5.26 - Ensure that the container is restricted from acquiring additional privileges (Automated) [WARN] * Privileges not restricted: gitea [WARN] * Privileges not restricted: vaultwarden [WARN] * Privileges not restricted: nginx [WARN] * Privileges not restricted: vagrant-vulnerable-1 [WARN] 5.27 - Ensure that container health is checked at runtime (Automated) [WARN] * Health check not set: gitea [WARN] * Health check not set: nginx [WARN] * Health check not set: vagrant-vulnerable-1 [INFO] 5.28 - Ensure that Docker commands always make use of the latest version of their image (Manual) [WARN] 5.29 - Ensure that the PIDs cgroup limit is used (Automated) [WARN] * PIDs limit not set: gitea [WARN] * PIDs limit not set: vaultwarden [WARN] * PIDs limit not set: nginx [WARN] * PIDs limit not set: vagrant-vulnerable-1 [PASS] 5.30 - Ensure that Docker's default bridge 'docker0' is not used (Manual) [PASS] 5.31 - Ensure that the host's user namespaces are not shared (Automated) [PASS] 5.32 - Ensure that the Docker socket is not mounted inside any containers (Automated) [INFO] 6 - Docker Security Operations [INFO] 6.1 - Ensure that image sprawl is avoided (Manual) [INFO] * There are currently: 4 images [INFO] 6.2 - Ensure that container sprawl is avoided (Manual) [INFO] * There are currently a total of 4 containers, with 4 of them currently running [INFO] 7 - Docker Swarm Configuration [PASS] 7.1 - Ensure that the minimum number of manager nodes have been created in a swarm (Automated) (Swarm mode not enabled) [PASS] 7.2 - Ensure that swarm services are bound to a specific host interface (Automated) (Swarm mode not enabled) [PASS] 7.3 - Ensure that all Docker swarm overlay networks are encrypted (Automated) [PASS] 7.4 - Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Manual) (Swarm mode not enabled) [PASS] 7.5 - Ensure that swarm manager is run in auto-lock mode (Automated) (Swarm mode not enabled) [PASS] 7.6 - Ensure that the swarm manager auto-lock key is rotated periodically (Manual) (Swarm mode not enabled) [PASS] 7.7 - Ensure that node certificates are rotated as appropriate (Manual) (Swarm mode not enabled) [PASS] 7.8 - Ensure that CA certificates are rotated as appropriate (Manual) (Swarm mode not enabled) [PASS] 7.9 - Ensure that management plane traffic is separated from data plane traffic (Manual) (Swarm mode not enabled) Section C - Score [INFO] Checks: 117 [INFO] Score: 1