{
"dockerbenchsecurity": "1.6.0",
"start": 1747568555,
"tests": [
{
"id": "1",
"desc": "Host Configuration",
"results": [
{
"id": "1.1.1",
"desc": "Ensure a separate partition for containers has been created (Automated)",
"result": "WARN"
},
{
"id": "1.1.2",
"desc": "Ensure only trusted users are allowed to control Docker daemon (Automated)",
"result": "INFO",
"details": "doubtfulusers: vagrant,git",
"items": [
"vagrant,git"
]
},
{
"id": "1.1.3",
"desc": "Ensure auditing is configured for the Docker daemon (Automated)",
"result": "WARN"
},
{
"id": "1.1.4",
"desc": "Ensure auditing is configured for Docker files and directories - /run/containerd (Automated)",
"result": "WARN"
},
{
"id": "1.1.5",
"desc": "Ensure auditing is configured for Docker files and directories - /var/lib/docker (Automated)",
"result": "WARN"
},
{
"id": "1.1.6",
"desc": "Ensure auditing is configured for Docker files and directories - /etc/docker (Automated)",
"result": "WARN"
},
{
"id": "1.1.7",
"desc": "Ensure auditing is configured for Docker files and directories - docker.service (Automated)",
"result": "WARN"
},
{
"id": "1.1.8",
"desc": "Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)",
"result": "WARN"
},
{
"id": "1.1.9",
"desc": "Ensure auditing is configured for Docker files and directories - docker.socket (Automated)",
"result": "WARN"
},
{
"id": "1.1.10",
"desc": "Ensure auditing is configured for Docker files and directories - /etc/default/docker (Automated)",
"result": "WARN"
},
{
"id": "1.1.11",
"desc": "Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json (Automated)",
"result": "INFO",
"details": "File not found"
},
{
"id": "1.1.12",
"desc": "Ensure auditing is configured for Docker files and directories - /etc/containerd/config.toml (Automated)",
"result": "WARN"
},
{
"id": "1.1.13",
"desc": "Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Automated)",
"result": "INFO",
"details": "File not found"
},
{
"id": "1.1.14",
"desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Automated)",
"result": "WARN"
},
{
"id": "1.1.15",
"desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim (Automated)",
"result": "WARN"
},
{
"id": "1.1.16",
"desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v1 (Automated)",
"result": "WARN"
},
{
"id": "1.1.17",
"desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v2 (Automated)",
"result": "WARN"
},
{
"id": "1.1.18",
"desc": "Ensure auditing is configured for Docker files and directories - /usr/bin/runc (Automated)",
"result": "WARN"
},
{
"id": "1.2.1",
"desc": "Ensure the container host has been Hardened (Manual)",
"result": "INFO"
},
{
"id": "1.2.2",
"desc": "Ensure that the version of Docker is up to date (Manual)",
"result": "PASS",
"details": "Using 28.1.1"
}
]
},
{
"id": "2",
"desc": "Docker daemon configuration",
"results": [
{
"id": "2.1",
"desc": "Run the Docker daemon as a non-root user, if possible (Manual)",
"result": "INFO"
},
{
"id": "2.2",
"desc": "Ensure network traffic is restricted between containers on the default bridge (Scored)",
"result": "WARN"
},
{
"id": "2.3",
"desc": "Ensure the logging level is set to 'info' (Scored)",
"result": "PASS"
},
{
"id": "2.4",
"desc": "Ensure Docker is allowed to make changes to iptables (Scored)",
"result": "PASS"
},
{
"id": "2.5",
"desc": "Ensure insecure registries are not used (Scored)",
"result": "PASS"
},
{
"id": "2.6",
"desc": "Ensure aufs storage driver is not used (Scored)",
"result": "PASS"
},
{
"id": "2.7",
"desc": "Ensure TLS authentication for Docker daemon is configured (Scored)",
"result": "INFO",
"details": "Docker daemon not listening on TCP"
},
{
"id": "2.8",
"desc": "Ensure the default ulimit is configured appropriately (Manual)",
"result": "INFO",
"details": "Default ulimit doesn't appear to be set"
},
{
"id": "2.9",
"desc": "Enable user namespace support (Scored)",
"result": "WARN"
},
{
"id": "2.10",
"desc": "Ensure the default cgroup usage has been confirmed (Scored)",
"result": "PASS"
},
{
"id": "2.11",
"desc": "Ensure base device size is not changed until needed (Scored)",
"result": "PASS"
},
{
"id": "2.12",
"desc": "Ensure that authorization for Docker client commands is enabled (Scored)",
"result": "WARN"
},
{
"id": "2.13",
"desc": "Ensure centralized and remote logging is configured (Scored)",
"result": "WARN"
},
{
"id": "2.14",
"desc": "Ensure containers are restricted from acquiring new privileges (Scored)",
"result": "WARN"
},
{
"id": "2.15",
"desc": "Ensure live restore is enabled (Scored)",
"result": "WARN"
},
{
"id": "2.16",
"desc": "Ensure Userland Proxy is Disabled (Scored)",
"result": "WARN"
},
{
"id": "2.17",
"desc": "Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Manual)",
"result": "INFO"
},
{
"id": "2.18",
"desc": "Ensure that experimental features are not implemented in production (Scored)",
"result": "INFO"
}
]
},
{
"id": "3",
"desc": "Docker daemon configuration files",
"results": [
{
"id": "3.1",
"desc": "Ensure that the docker.service file ownership is set to root:root (Automated)",
"result": "PASS"
},
{
"id": "3.2",
"desc": "Ensure that docker.service file permissions are appropriately set (Automated)",
"result": "PASS"
},
{
"id": "3.3",
"desc": "Ensure that docker.socket file ownership is set to root:root (Automated)",
"result": "PASS"
},
{
"id": "3.4",
"desc": "Ensure that docker.socket file permissions are set to 644 or more restrictive (Automated)",
"result": "PASS"
},
{
"id": "3.5",
"desc": "Ensure that the /etc/docker directory ownership is set to root:root (Automated)",
"result": "PASS"
},
{
"id": "3.6",
"desc": "Ensure that /etc/docker directory permissions are set to 755 or more restrictively (Automated)",
"result": "PASS"
},
{
"id": "3.7",
"desc": "Ensure that registry certificate file ownership is set to root:root (Automated)",
"result": "INFO",
"details": "Directory not found"
},
{
"id": "3.8",
"desc": "Ensure that registry certificate file permissions are set to 444 or more restrictively (Automated)",
"result": "INFO",
"details": "Directory not found"
},
{
"id": "3.9",
"desc": "Ensure that TLS CA certificate file ownership is set to root:root (Automated)",
"result": "INFO",
"details": "No TLS CA certificate found"
},
{
"id": "3.10",
"desc": "Ensure that TLS CA certificate file permissions are set to 444 or more restrictively (Automated)",
"result": "INFO",
"details": "No TLS CA certificate found"
},
{
"id": "3.11",
"desc": "Ensure that Docker server certificate file ownership is set to root:root (Automated)",
"result": "INFO",
"details": "No TLS Server certificate found"
},
{
"id": "3.12",
"desc": "Ensure that the Docker server certificate file permissions are set to 444 or more restrictively (Automated)",
"result": "INFO",
"details": "No TLS Server certificate found"
},
{
"id": "3.13",
"desc": "Ensure that the Docker server certificate key file ownership is set to root:root (Automated)",
"result": "INFO",
"details": "No TLS Key found"
},
{
"id": "3.14",
"desc": "Ensure that the Docker server certificate key file permissions are set to 400 (Automated)",
"result": "INFO",
"details": "No TLS Key found"
},
{
"id": "3.15",
"desc": "Ensure that the Docker socket file ownership is set to root:docker (Automated)",
"result": "PASS"
},
{
"id": "3.16",
"desc": "Ensure that the Docker socket file permissions are set to 660 or more restrictively (Automated)",
"result": "PASS"
},
{
"id": "3.17",
"desc": "Ensure that the daemon.json file ownership is set to root:root (Automated)",
"result": "INFO",
"details": "File not found"
},
{
"id": "3.18",
"desc": "Ensure that daemon.json file permissions are set to 644 or more restrictive (Automated)",
"result": "INFO",
"details": "File not found"
},
{
"id": "3.19",
"desc": "Ensure that the /etc/default/docker file ownership is set to root:root (Automated)",
"result": "PASS"
},
{
"id": "3.20",
"desc": "Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively (Automated)",
"result": "PASS"
},
{
"id": "3.21",
"desc": "Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (Automated)",
"result": "INFO",
"details": "File not found"
},
{
"id": "3.22",
"desc": "Ensure that the /etc/sysconfig/docker file ownership is set to root:root (Automated)",
"result": "INFO",
"details": "File not found"
},
{
"id": "3.23",
"desc": "Ensure that the Containerd socket file ownership is set to root:root (Automated)",
"result": "PASS"
},
{
"id": "3.24",
"desc": "Ensure that the Containerd socket file permissions are set to 660 or more restrictively (Automated)",
"result": "PASS"
}
]
},
{
"id": "4",
"desc": "Container Images and Build File",
"results": [
{
"id": "4.1",
"desc": "Ensure that a user for the container has been created (Automated)",
"result": "WARN",
"details": "running as root: vaultwarden-db nginx vaultwarden vagrant-vulnerable-1 gitea-db gitea",
"items": [
"vaultwarden-db",
"nginx",
"vaultwarden",
"vagrant-vulnerable-1",
"gitea-db",
"gitea"
]
},
{
"id": "4.5",
"desc": "Ensure Content trust for Docker is Enabled (Automated)",
"result": "WARN"
},
{
"id": "4.6",
"desc": "Ensure that HEALTHCHECK instructions have been added to container images (Automated)",
"result": "WARN",
"details": "Images w/o HEALTHCHECK: [vagrant-vulnerable:latest] [docker.gitea.com/gitea:latest] [postgres:latest] [nginx:latest]",
"items": [
"[vagrant-vulnerable:latest]",
"[docker.gitea.com/gitea:latest]",
"[postgres:latest]",
"[nginx:latest]"
]
},
{
"id": "4.7",
"desc": "Ensure update instructions are not used alone in the Dockerfile (Manual)",
"result": "INFO",
"details": "Update instructions found: [vagrant-vulnerable:latest] [postgres:latest]",
"items": [
"[vagrant-vulnerable:latest]",
"[postgres:latest]"
]
},
{
"id": "4.9",
"desc": "Ensure that COPY is used instead of ADD in Dockerfiles (Manual)",
"result": "INFO",
"details": "Images using ADD: [vagrant-vulnerable:latest] [vaultwarden/server:latest]",
"items": [
"[vagrant-vulnerable:latest]",
"[vaultwarden/server:latest]"
]
}
]
},
{
"id": "5",
"desc": "Container Runtime",
"results": [
{
"id": "5.1",
"desc": "Ensure swarm mode is not Enabled, if not needed (Automated)",
"result": "PASS"
},
{
"id": "5.2",
"desc": "Ensure that, if applicable, an AppArmor Profile is enabled (Automated)",
"result": "PASS"
},
{
"id": "5.3",
"desc": "Ensure that, if applicable, SELinux security options are set (Automated)",
"result": "WARN",
"details": "Containers with no SecurityOptions: vaultwarden-db nginx vaultwarden vagrant-vulnerable-1 gitea-db gitea",
"items": [
"vaultwarden-db",
"nginx",
"vaultwarden",
"vagrant-vulnerable-1",
"gitea-db",
"gitea"
]
},
{
"id": "5.4",
"desc": "Ensure that Linux kernel capabilities are restricted within containers (Automated)",
"result": "PASS"
},
{
"id": "5.5",
"desc": "Ensure that privileged containers are not used (Automated)",
"result": "PASS"
},
{
"id": "5.6",
"desc": "Ensure sensitive host system directories are not mounted on containers (Automated)",
"result": "PASS"
},
{
"id": "5.7",
"desc": "Ensure sshd is not run within containers (Automated)",
"result": "WARN",
"details": "Containers with sshd/docker exec failures: vagrant-vulnerable-1 gitea",
"items": [
"vagrant-vulnerable-1",
"gitea"
]
},
{
"id": "5.8",
"desc": "Ensure privileged ports are not mapped within containers (Automated)",
"result": "WARN",
"details": "Containers using privileged ports: nginx:80 nginx:443",
"items": [
"nginx:80",
"nginx:443"
]
},
{
"id": "5.9",
"desc": "Ensure that only needed ports are open on the container (Manual)",
"result": "WARN",
"details": "Containers with open ports: nginx:80 nginx:443 vagrant-vulnerable-1:2222",
"items": [
"nginx:80",
"nginx:443",
"vagrant-vulnerable-1:2222"
]
},
{
"id": "5.10",
"desc": "Ensure that the host's network namespace is not shared (Automated)",
"result": "PASS"
},
{
"id": "5.11",
"desc": "Ensure that the memory usage for containers is limited (Automated)",
"result": "WARN",
"details": "Container running without memory restrictions: vaultwarden-db nginx vaultwarden vagrant-vulnerable-1 gitea-db gitea",
"items": [
"vaultwarden-db",
"nginx",
"vaultwarden",
"vagrant-vulnerable-1",
"gitea-db",
"gitea"
]
},
{
"id": "5.12",
"desc": "Ensure that CPU priority is set appropriately on containers (Automated)",
"result": "WARN",
"details": "Containers running without CPU restrictions: vaultwarden-db nginx vaultwarden vagrant-vulnerable-1 gitea-db gitea",
"items": [
"vaultwarden-db",
"nginx",
"vaultwarden",
"vagrant-vulnerable-1",
"gitea-db",
"gitea"
]
},
{
"id": "5.13",
"desc": "Ensure that the container's root filesystem is mounted as read only (Automated)",
"result": "WARN",
"details": "Containers running with root FS mounted R/W: vaultwarden-db nginx vaultwarden vagrant-vulnerable-1 gitea-db gitea",
"items": [
"vaultwarden-db",
"nginx",
"vaultwarden",
"vagrant-vulnerable-1",
"gitea-db",
"gitea"
]
},
{
"id": "5.14",
"desc": "Ensure that incoming container traffic is bound to a specific host interface (Automated)",
"result": "WARN",
"details": "Containers with port bound to wildcard IP: nginx:0.0.0.0 nginx:0.0.0.0 vagrant-vulnerable-1:0.0.0.0",
"items": [
"nginx:0.0.0.0",
"nginx:0.0.0.0",
"vagrant-vulnerable-1:0.0.0.0"
]
},
{
"id": "5.15",
"desc": "Ensure that the 'on-failure' container restart policy is set to '5' (Automated)",
"result": "PASS"
},
{
"id": "5.16",
"desc": "Ensure that the host's process namespace is not shared (Automated)",
"result": "PASS"
},
{
"id": "5.17",
"desc": "Ensure that the host's IPC namespace is not shared (Automated)",
"result": "PASS"
},
{
"id": "5.18",
"desc": "Ensure that host devices are not directly exposed to containers (Manual)",
"result": "PASS"
},
{
"id": "5.19",
"desc": "Ensure that the default ulimit is overwritten at runtime if needed (Manual)",
"result": "INFO",
"details": "Containers with no default ulimit override: vaultwarden-db nginx vaultwarden vagrant-vulnerable-1 gitea-db gitea",
"items": [
"vaultwarden-db",
"nginx",
"vaultwarden",
"vagrant-vulnerable-1",
"gitea-db",
"gitea"
]
},
{
"id": "5.20",
"desc": "Ensure mount propagation mode is not set to shared (Automated)",
"result": "PASS"
},
{
"id": "5.21",
"desc": "Ensure that the host's UTS namespace is not shared (Automated)",
"result": "PASS"
},
{
"id": "5.22",
"desc": "Ensure the default seccomp profile is not Disabled (Automated)",
"result": "PASS"
},
{
"id": "5.25",
"desc": "Ensure that cgroup usage is confirmed (Automated)",
"result": "PASS"
},
{
"id": "5.26",
"desc": "Ensure that the container is restricted from acquiring additional privileges (Automated)",
"result": "WARN",
"details": "Containers without restricted privileges: vaultwarden-db nginx vaultwarden vagrant-vulnerable-1 gitea-db gitea",
"items": [
"vaultwarden-db",
"nginx",
"vaultwarden",
"vagrant-vulnerable-1",
"gitea-db",
"gitea"
]
},
{
"id": "5.27",
"desc": "Ensure that container health is checked at runtime (Automated)",
"result": "WARN",
"details": "Containers without health check: vaultwarden-db nginx vagrant-vulnerable-1 gitea-db gitea",
"items": [
"vaultwarden-db",
"nginx",
"vagrant-vulnerable-1",
"gitea-db",
"gitea"
]
},
{
"id": "5.28",
"desc": "Ensure that Docker commands always make use of the latest version of their image (Manual)",
"result": "INFO"
},
{
"id": "5.29",
"desc": "Ensure that the PIDs cgroup limit is used (Automated)",
"result": "WARN",
"details": "Containers without PIDs cgroup limit: vaultwarden-db nginx vaultwarden vagrant-vulnerable-1 gitea-db gitea",
"items": [
"vaultwarden-db",
"nginx",
"vaultwarden",
"vagrant-vulnerable-1",
"gitea-db",
"gitea"
]
},
{
"id": "5.30",
"desc": "Ensure that Docker's default bridge 'docker0' is not used (Manual)",
"result": "PASS"
},
{
"id": "5.31",
"desc": "Ensure that the host's user namespaces are not shared (Automated)",
"result": "PASS"
},
{
"id": "5.32",
"desc": "Ensure that the Docker socket is not mounted inside any containers (Automated)",
"result": "PASS"
}
]
},
{
"id": "6",
"desc": "Docker Security Operations",
"results": [
{
"id": "6.1",
"desc": "Ensure that image sprawl is avoided (Manual)",
"result": "INFO",
"details": "6 active/6 in use"
},
{
"id": "6.2",
"desc": "Ensure that container sprawl is avoided (Manual)",
"result": "INFO",
"details": "6 total/6 running"
}
]
},
{
"id": "7",
"desc": "Docker Swarm Configuration",
"results": [
{
"id": "7.1",
"desc": "Ensure that the minimum number of manager nodes have been created in a swarm (Automated)",
"result": "PASS"
},
{
"id": "7.2",
"desc": "Ensure that swarm services are bound to a specific host interface (Automated)",
"result": "PASS"
},
{
"id": "7.3",
"desc": "Ensure that all Docker swarm overlay networks are encrypted (Automated)",
"result": "PASS"
},
{
"id": "7.4",
"desc": "Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Manual)",
"result": "PASS"
},
{
"id": "7.5",
"desc": "Ensure that swarm manager is run in auto-lock mode (Automated)",
"result": "PASS"
},
{
"id": "7.6",
"desc": "Ensure that the swarm manager auto-lock key is rotated periodically (Manual)",
"result": "PASS"
},
{
"id": "7.7",
"desc": "Ensure that node certificates are rotated as appropriate (Manual)",
"result": "PASS"
},
{
"id": "7.8",
"desc": "Ensure that CA certificates are rotated as appropriate (Manual)",
"result": "PASS"
},
{
"id": "7.9",
"desc": "Ensure that management plane traffic is separated from data plane traffic (Manual)",
"result": "PASS"
}
]
}
],
"checks": 117,
"score": 1,
"end": 1747568565
}