bachelor-thesis/measurements/docker-bench/hybrid_cleaned.log.json

{
  "dockerbenchsecurity": "1.6.0",
  "start": 1747569606,
  "tests": [
    {
      "id": "1",
      "desc": "Host Configuration",
      "results": [
        {
          "id": "1.1.1",
          "desc": "Ensure a separate partition for containers has been created (Automated)",
          "result": "WARN"
        },
        {
          "id": "1.1.2",
          "desc": "Ensure only trusted users are allowed to control Docker daemon (Automated)",
          "result": "INFO",
          "details": "doubtfulusers: vagrant,git",
          "items": [
            "vagrant,git"
          ]
        },
        {
          "id": "1.1.3",
          "desc": "Ensure auditing is configured for the Docker daemon (Automated)",
          "result": "WARN"
        },
        {
          "id": "1.1.4",
          "desc": "Ensure auditing is configured for Docker files and directories -/run/containerd (Automated)",
          "result": "WARN"
        },
        {
          "id": "1.1.5",
          "desc": "Ensure auditing is configured for Docker files and directories - /var/lib/docker (Automated)",
          "result": "WARN"
        },
        {
          "id": "1.1.6",
          "desc": "Ensure auditing is configured for Docker files and directories - /etc/docker (Automated)",
          "result": "WARN"
        },
        {
          "id": "1.1.7",
          "desc": "Ensure auditing is configured for Docker files and directories - docker.service (Automated)",
          "result": "WARN"
        },
        {
          "id": "1.1.8",
          "desc": "Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)",
          "result": "WARN"
        },
        {
          "id": "1.1.9",
          "desc": "Ensure auditing is configured for Docker files and directories - docker.socket (Automated)",
          "result": "WARN"
        },
        {
          "id": "1.1.10",
          "desc": "Ensure auditing is configured for Docker files and directories - /etc/default/docker (Automated)",
          "result": "WARN"
        },
        {
          "id": "1.1.11",
          "desc": "Ensure auditing is configured for Dockerfiles and directories - /etc/docker/daemon.json (Automated)",
          "result": "INFO",
          "details": "File not found"
        },
        {
          "id": "1.1.12",
          "desc": "1.1.12 Ensure auditing is configured for Dockerfiles and directories - /etc/containerd/config.toml (Automated)",
          "result": "WARN"
        },
        {
          "id": "1.1.13",
          "desc": "Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Automated)",
          "result": "INFO",
          "details": "File not found"
        },
        {
          "id": "1.1.14",
          "desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Automated)",
          "result": "WARN"
        },
        {
          "id": "1.1.15",
          "desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim (Automated)",
          "result": "WARN"
        },
        {
          "id": "1.1.16",
          "desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v1 (Automated)",
          "result": "WARN"
        },
        {
          "id": "1.1.17",
          "desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v2 (Automated)",
          "result": "WARN"
        },
        {
          "id": "1.1.18",
          "desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/runc (Automated)",
          "result": "WARN"
        },
        {
          "id": "1.2.1",
          "desc": "Ensure the container host has been Hardened (Manual)",
          "result": "INFO"
        },
        {
          "id": "1.2.2",
          "desc": "Ensure that the version of Docker is up to date (Manual)",
          "result": "PASS",
          "details": "Using 28.1.1"
        }
      ]
    },
    {
      "id": "2",
      "desc": "Docker daemon configuration",
      "results": [
        {
          "id": "2.1",
          "desc": "Run the Docker daemon as a non-root user, if possible (Manual)",
          "result": "INFO"
        },
        {
          "id": "2.2",
          "desc": "Ensure network traffic is restricted between containers on the default bridge (Scored)",
          "result": "WARN"
        },
        {
          "id": "2.3",
          "desc": "Ensure the logging level is set to 'info' (Scored)",
          "result": "PASS"
        },
        {
          "id": "2.4",
          "desc": "Ensure Docker is allowed to make changes to iptables (Scored)",
          "result": "PASS"
        },
        {
          "id": "2.5",
          "desc": "Ensure insecure registries are not used (Scored)",
          "result": "PASS"
        },
        {
          "id": "2.6",
          "desc": "Ensure aufs storage driver is not used (Scored)",
          "result": "PASS"
        },
        {
          "id": "2.7",
          "desc": "Ensure TLS authentication for Docker daemon is configured (Scored)",
          "result": "INFO",
          "details": "Docker daemon not listening on TCP"
        },
        {
          "id": "2.8",
          "desc": "Ensure the default ulimit is configured appropriately (Manual)",
          "result": "INFO",
          "details": "Default ulimit doesn't appear to be set"
        },
        {
          "id": "2.9",
          "desc": "Enable user namespace support (Scored)",
          "result": "WARN"
        },
        {
          "id": "2.10",
          "desc": "Ensure the default cgroup usage has been confirmed (Scored)",
          "result": "PASS"
        },
        {
          "id": "2.11",
          "desc": "Ensure base device size is not changed until needed (Scored)",
          "result": "PASS"
        },
        {
          "id": "2.12",
          "desc": "Ensure that authorization for Docker client commands is enabled (Scored)",
          "result": "WARN"
        },
        {
          "id": "2.13",
          "desc": "Ensure centralized and remote logging is configured (Scored)",
          "result": "WARN"
        },
        {
          "id": "2.14",
          "desc": "Ensure containers are restricted from acquiring new privileges (Scored)",
          "result": "WARN"
        },
        {
          "id": "2.15",
          "desc": "Ensure live restore is enabled (Scored)",
          "result": "WARN"
        },
        {
          "id": "2.16",
          "desc": "Ensure Userland Proxy is Disabled (Scored)",
          "result": "WARN"
        },
        {
          "id": "2.17",
          "desc": "Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Manual)",
          "result": "INFO"
        },
        {
          "id": "2.18",
          "desc": "Ensure that experimental features are not implemented in production (Scored)",
          "result": "INFO"
        }
      ]
    },
    {
      "id": "3",
      "desc": "Docker daemon configuration files",
      "results": [
        {
          "id": "3.1",
          "desc": "Ensure that the docker.service file ownership is set to root:root (Automated)",
          "result": "PASS"
        },
        {
          "id": "3.2",
          "desc": "Ensure that docker.service file permissions are appropriately set (Automated)",
          "result": "PASS"
        },
        {
          "id": "3.3",
          "desc": "Ensure that docker.socket file ownership is set to root:root (Automated)",
          "result": "PASS"
        },
        {
          "id": "3.4",
          "desc": "Ensure that docker.socket file permissions are set to 644 or more restrictive (Automated)",
          "result": "PASS"
        },
        {
          "id": "3.5",
          "desc": "Ensure that the /etc/docker directory ownership is set to root:root (Automated)",
          "result": "PASS"
        },
        {
          "id": "3.6",
          "desc": "Ensure that /etc/docker directory permissions are set to 755 or more restrictively (Automated)",
          "result": "PASS"
        },
        {
          "id": "3.7",
          "desc": "Ensure that registry certificate file ownership is set to root:root (Automated)",
          "result": "INFO",
          "details": "Directory not found"
        },
        {
          "id": "3.8",
          "desc": "Ensure that registry certificate file permissions are set to 444 or more restrictively (Automated)",
          "result": "INFO",
          "details": "Directory not found"
        },
        {
          "id": "3.9",
          "desc": "Ensure that TLS CA certificate file ownership is set to root:root (Automated)",
          "result": "INFO",
          "details": "No TLS CA certificate found"
        },
        {
          "id": "3.10",
          "desc": "Ensure that TLS CA certificate file permissions are set to 444 or more restrictively (Automated)",
          "result": "INFO",
          "details": "No TLS CA certificate found"
        },
        {
          "id": "3.11",
          "desc": "Ensure that Docker server certificate file ownership is set to root:root (Automated)",
          "result": "INFO",
          "details": "No TLS Server certificate found"
        },
        {
          "id": "3.12",
          "desc": "Ensure that the Docker server certificate file permissions are set to 444 or more restrictively (Automated)",
          "result": "INFO",
          "details": "No TLS Server certificate found"
        },
        {
          "id": "3.13",
          "desc": "Ensure that the Docker server certificate key file ownership is set to root:root (Automated)",
          "result": "INFO",
          "details": "No TLS Key found"
        },
        {
          "id": "3.14",
          "desc": "Ensure that the Docker server certificate key file permissions are set to 400 (Automated)",
          "result": "INFO",
          "details": "No TLS Key found"
        },
        {
          "id": "3.15",
          "desc": "Ensure that the Docker socket file ownership is set to root:docker (Automated)",
          "result": "PASS"
        },
        {
          "id": "3.16",
          "desc": "Ensure that the Docker socket file permissions are set to 660 or more restrictively (Automated)",
          "result": "PASS"
        },
        {
          "id": "3.17",
          "desc": "Ensure that the daemon.json file ownership is set to root:root (Automated)",
          "result": "INFO",
          "details": "File not found"
        },
        {
          "id": "3.18",
          "desc": "Ensure that daemon.json file permissions are set to 644 or more restrictive (Automated)",
          "result": "INFO",
          "details": "File not found"
        },
        {
          "id": "3.19",
          "desc": "Ensure that the /etc/default/docker file ownership is set to root:root (Automated)",
          "result": "PASS"
        },
        {
          "id": "3.20",
          "desc": "Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively (Automated)",
          "result": "PASS"
        },
        {
          "id": "3.21",
          "desc": "Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (Automated)",
          "result": "INFO",
          "details": "File not found"
        },
        {
          "id": "3.22",
          "desc": "Ensure that the /etc/sysconfig/docker file ownership is set to root:root (Automated)",
          "result": "INFO",
          "details": "File not found"
        },
        {
          "id": "3.23",
          "desc": "Ensure that the Containerd socket file ownership is set to root:root (Automated)",
          "result": "PASS"
        },
        {
          "id": "3.24",
          "desc": "Ensure that the Containerd socket file permissions are set to 660 or more restrictively (Automated)",
          "result": "PASS"
        }
      ]
    },
    {
      "id": "4",
      "desc": "Container Images and Build File",
      "results": [
        {
          "id": "4.1",
          "desc": "Ensure that a user for the container has been created (Automated)",
          "result": "WARN",
          "details": "running as root:  gitea vaultwarden nginx vagrant-vulnerable-1",
          "items": [
            "gitea",
            "vaultwarden",
            "nginx",
            "vagrant-vulnerable-1"
          ]
        },
        {
          "id": "4.5",
          "desc": "Ensure Content trust for Docker is Enabled (Automated)",
          "result": "WARN"
        },
        {
          "id": "4.6",
          "desc": "Ensure that HEALTHCHECK instructions have been added to container images (Automated)",
          "result": "WARN",
          "details": "Images w/o HEALTHCHECK:  [vagrant-vulnerable:latest] [docker.gitea.com/gitea:latest] [nginx:latest]",
          "items": [
            "[vagrant-vulnerable:latest]",
            "[docker.gitea.com/gitea:latest]",
            "[nginx:latest]"
          ]
        },
        {
          "id": "4.7",
          "desc": "Ensure update instructions are not used alone in the Dockerfile (Manual)",
          "result": "INFO",
          "details": "Update instructions found:  [vagrant-vulnerable:latest]",
          "items": [
            "[vagrant-vulnerable:latest]"
          ]
        },
        {
          "id": "4.9",
          "desc": "Ensure that COPY is used instead of ADD in Dockerfiles (Manual)",
          "result": "INFO",
          "details": "Images using ADD:  [vagrant-vulnerable:latest] [vaultwarden/server:latest]",
          "items": [
            "[vagrant-vulnerable:latest]",
            "[vaultwarden/server:latest]"
          ]
        }
      ]
    },
    {
      "id": "5",
      "desc": "Container Runtime",
      "results": [
        {
          "id": "5.1",
          "desc": "Ensure swarm mode is not Enabled, if not needed (Automated)",
          "result": "PASS"
        },
        {
          "id": "5.2",
          "desc": "Ensure that, if applicable, an AppArmor Profile is enabled (Automated)",
          "result": "PASS"
        },
        {
          "id": "5.3",
          "desc": "Ensure that, if applicable, SELinux security options are set (Automated)",
          "result": "WARN",
          "details": "Containers with no SecurityOptions:  gitea vaultwarden nginx vagrant-vulnerable-1",
          "items": [
            "gitea",
            "vaultwarden",
            "nginx",
            "vagrant-vulnerable-1"
          ]
        },
        {
          "id": "5.4",
          "desc": "Ensure that Linux kernel capabilities are restricted within containers (Automated)",
          "result": "PASS"
        },
        {
          "id": "5.5",
          "desc": "Ensure that privileged containers are not used (Automated)",
          "result": "PASS"
        },
        {
          "id": "5.6",
          "desc": "Ensure sensitive host system directories are not mounted on containers (Automated)",
          "result": "PASS"
        },
        {
          "id": "5.7",
          "desc": "Ensure sshd is not run within containers (Automated)",
          "result": "WARN",
          "details": "Containers with sshd/docker exec failures:  gitea vagrant-vulnerable-1",
          "items": [
            "gitea",
            "vagrant-vulnerable-1"
          ]
        },
        {
          "id": "5.8",
          "desc": "Ensure privileged ports are not mapped within containers (Automated)",
          "result": "WARN",
          "details": "Containers using privileged ports:  nginx:80 nginx:443",
          "items": [
            "nginx:80",
            "nginx:443"
          ]
        },
        {
          "id": "5.9",
          "desc": "Ensure that only needed ports are open on the container (Manual)",
          "result": "WARN",
          "details": "Containers with open ports:  nginx:80 nginx:443 vagrant-vulnerable-1:2222",
          "items": [
            "nginx:80",
            "nginx:443",
            "vagrant-vulnerable-1:2222"
          ]
        },
        {
          "id": "5.10",
          "desc": "Ensure that the host's network namespace is not shared (Automated)",
          "result": "PASS"
        },
        {
          "id": "5.11",
          "desc": "Ensure that the memory usage for containers is limited (Automated)",
          "result": "WARN",
          "details": "Container running without memory restrictions:  gitea vaultwarden nginx vagrant-vulnerable-1",
          "items": [
            "gitea",
            "vaultwarden",
            "nginx",
            "vagrant-vulnerable-1"
          ]
        },
        {
          "id": "5.12",
          "desc": "Ensure that CPU priority is set appropriately on containers (Automated)",
          "result": "WARN",
          "details": "Containers running without CPU restrictions:  gitea vaultwarden nginx vagrant-vulnerable-1",
          "items": [
            "gitea",
            "vaultwarden",
            "nginx",
            "vagrant-vulnerable-1"
          ]
        },
        {
          "id": "5.13",
          "desc": "Ensure that the container's root filesystem is mounted as read only (Automated)",
          "result": "WARN",
          "details": "Containers running with root FS mounted R/W:  gitea vaultwarden nginx vagrant-vulnerable-1",
          "items": [
            "gitea",
            "vaultwarden",
            "nginx",
            "vagrant-vulnerable-1"
          ]
        },
        {
          "id": "5.14",
          "desc": "Ensure that incoming container traffic is bound to a specific host interface (Automated)",
          "result": "WARN",
          "details": "Containers with port bound to wildcard IP:  nginx:0.0.0.0 nginx:0.0.0.0 vagrant-vulnerable-1:0.0.0.0",
          "items": [
            "nginx:0.0.0.0",
            "nginx:0.0.0.0",
            "vagrant-vulnerable-1:0.0.0.0"
          ]
        },
        {
          "id": "5.15",
          "desc": "Ensure that the 'on-failure' container restart policy is set to '5' (Automated)",
          "result": "PASS"
        },
        {
          "id": "5.16",
          "desc": "Ensure that the host's process namespace is not shared (Automated)",
          "result": "PASS"
        },
        {
          "id": "5.17",
          "desc": "Ensure that the host's IPC namespace is not shared (Automated)",
          "result": "PASS"
        },
        {
          "id": "5.18",
          "desc": "Ensure that host devices are not directly exposed to containers (Manual)",
          "result": "PASS"
        },
        {
          "id": "5.19",
          "desc": "Ensure that the default ulimit is overwritten at runtime if needed (Manual)",
          "result": "INFO",
          "details": "Containers with no default ulimit override:  gitea vaultwarden nginx vagrant-vulnerable-1",
          "items": [
            "gitea",
            "vaultwarden",
            "nginx",
            "vagrant-vulnerable-1"
          ]
        },
        {
          "id": "5.20",
          "desc": "Ensure mount propagation mode is not set to shared (Automated)",
          "result": "PASS"
        },
        {
          "id": "5.21",
          "desc": "Ensure that the host's UTS namespace is not shared (Automated)",
          "result": "PASS"
        },
        {
          "id": "5.22",
          "desc": "Ensure the default seccomp profile is not Disabled (Automated)",
          "result": "PASS"
        },
        {
          "id": "5.25",
          "desc": "Ensure that cgroup usage is confirmed (Automated)",
          "result": "PASS"
        },
        {
          "id": "5.26",
          "desc": "Ensure that the container is restricted from acquiring additional privileges (Automated)",
          "result": "WARN",
          "details": "Containers without restricted privileges:  gitea vaultwarden nginx vagrant-vulnerable-1",
          "items": [
            "gitea",
            "vaultwarden",
            "nginx",
            "vagrant-vulnerable-1"
          ]
        },
        {
          "id": "5.27",
          "desc": "Ensure that container health is checked at runtime (Automated)",
          "result": "WARN",
          "details": "Containers without health check:  gitea nginx vagrant-vulnerable-1",
          "items": [
            "gitea",
            "nginx",
            "vagrant-vulnerable-1"
          ]
        },
        {
          "id": "5.28",
          "desc": "Ensure that Docker commands always make use of the latest version of their image (Manual)",
          "result": "INFO"
        },
        {
          "id": "5.29",
          "desc": "Ensure that the PIDs cgroup limit is used (Automated)",
          "result": "WARN",
          "details": "Containers without PIDs cgroup limit:  gitea vaultwarden nginx vagrant-vulnerable-1",
          "items": [
            "gitea",
            "vaultwarden",
            "nginx",
            "vagrant-vulnerable-1"
          ]
        },
        {
          "id": "5.30",
          "desc": "Ensure that Docker's default bridge 'docker0' is not used (Manual)",
          "result": "PASS"
        },
        {
          "id": "5.31",
          "desc": "Ensure that the host's user namespaces are not shared (Automated)",
          "result": "PASS"
        },
        {
          "id": "5.32",
          "desc": "Ensure that the Docker socket is not mounted inside any containers (Automated)",
          "result": "PASS"
        }
      ]
    },
    {
      "id": "6",
      "desc": "Docker Security Operations",
      "results": [
        {
          "id": "6.1",
          "desc": "Ensure that image sprawl is avoided (Manual)",
          "result": "INFO",
          "details": "4 active/4 in use"
        },
        {
          "id": "6.2",
          "desc": "Ensure that container sprawl is avoided (Manual)",
          "result": "INFO",
          "details": "4 total/4 running"
        }
      ]
    },
    {
      "id": "7",
      "desc": "Docker Swarm Configuration",
      "results": [
        {
          "id": "7.1",
          "desc": "Ensure that the minimum number of manager nodes have been created in a swarm (Automated)",
          "result": "PASS"
        },
        {
          "id": "7.2",
          "desc": "Ensure that swarm services are bound to a specific host interface (Automated)",
          "result": "PASS"
        },
        {
          "id": "7.3",
          "desc": "Ensure that all Docker swarm overlay networks are encrypted (Automated)",
          "result": "PASS"
        },
        {
          "id": "7.4",
          "desc": "Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Manual)",
          "result": "PASS"
        },
        {
          "id": "7.5",
          "desc": "Ensure that swarm manager is run in auto-lock mode (Automated)",
          "result": "PASS"
        },
        {
          "id": "7.6",
          "desc": "Ensure that the swarm manager auto-lock key is rotated periodically (Manual)",
          "result": "PASS"
        },
        {
          "id": "7.7",
          "desc": "Ensure that node certificates are rotated as appropriate (Manual)",
          "result": "PASS"
        },
        {
          "id": "7.8",
          "desc": "Ensure that CA certificates are rotated as appropriate (Manual)",
          "result": "PASS"
        },
        {
          "id": "7.9",
          "desc": "Ensure that management plane traffic is separated from data plane traffic (Manual)",
          "result": "PASS"
        }
      ]
    }
  ],
  "checks": 117,
  "score": 1,
  "end": 1747569613
}