Instalando Docker en Kali Linux y echando un vistazo a su seguridad por defecto (Docker Bench for Security)

Docker nació en 2013 y básicamente es una plataforma para crear, distribuir y administrar aplicaciones Linux en contenedores. Utiliza la capacidad del kernel de Linux de crear entornos aislados como si fuera un "chroot con esteroides" y lo hace principalmente mediante:

- cgroups (desde la versión 2.6.29) que limita, controla y aísla el uso de los recursos (CPU, memoria, disco E/S, red, etc.) de un conjunto de procesos.
- namespaces que "envuelve" los procesos de una instancia aislada en espacios de nombres para abstraerlos de los recursos globales.

Las últimas versiones han introducido drivers y una librería llamada libcontainer, que ayuda a que Docker sea totalmente multiplataforma, teniendo compatibilidad con Windows y Mac OS X e incluso distintos servicios en la nube:


https://docs.docker.com/installation/

¿Por qué Docker mola tanto?

Piensa ¿para qué levantar una máquina virtual para ejecutar una determinada aplicación si podemos hacerlo simplemente desde un contenedor en nuestro sistema operativo de una forma mucho más transparente, rápida y liviana?

Docker además simplifica el despliegue y distribución de aplicaciones. Imagina la posibilidad de tener todo el entorno para la aplicación y publicar los cambios que se realicen fácilmente, además de hacer todo el despliegue en producción de una manera bastante fácil y profesional.

Las ventajas son claras y por eso Docker es tan popular. El uso de contenedores se está extendiendo poco a poco y cada vez más entre la comunidad TI así que nosotros también vamos a empezar a usar Docker y algunos contenedores interesantes...


Instalando y calentando motores... 

Empezamos instalándolo en Kali x64. Un comando y listo:

curl -sSL https://get.docker.io/ubuntu/ | sudo sh

Ahora comprobamos que se ha instalado correctamente:

# docker version
Client version: 1.7.1
Client API version: 1.19
Go version (client): go1.4.2
Git commit (client): 786b29d
OS/Arch (client): linux/amd64
Server version: 1.7.1
Server API version: 1.19
Go version (server): go1.4.2
Git commit (server): 786b29d
OS/Arch (server): linux/amd64


Y lanzamos Docker Bench Security, un script que comprueba una docena de buenas prácticas para desplegar contenedores Docker en producción.  Las pruebas están automatizadas y están inspiradas en el Benchmark CIS Docker 1.6:

root@kali:~/docker-bench-security# docker run -it --net host --pid host --cap-add audit_control \
>     -v /var/lib:/var/lib \
>     -v /var/run/docker.sock:/var/run/docker.sock \
>     -v /usr/lib/systemd:/usr/lib/systemd \
>     -v /etc:/etc --label docker-bench-security \
>     docker-bench-security
# ------------------------------------------------------------------------------
# Docker Bench for Security v1.0.0
#
# Docker, Inc. (c) 2015
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker 1.6 Benchmark:
# https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf
# ------------------------------------------------------------------------------

Initializing Thu Jul 23 01:52:16 CEST 2015


[INFO] 1 - Host Configuration
[WARN] 1.1  - Create a separate partition for containers
[PASS] 1.2  - Use an updated Linux Kernel
[PASS] 1.5  - Remove all non-essential services from the host - Network
[PASS] 1.6  - Keep Docker up to date
[INFO] 1.7  - Only allow trusted users to control Docker daemon
[INFO]      * docker:x:999:
[WARN] 1.8  - Failed to inspect: auditctl command not found.
[WARN] 1.9  - Failed to inspect: auditctl command not found.
[WARN] 1.10 - Failed to inspect: auditctl command not found.
[INFO] 1.11 - Audit Docker files and directories - docker-registry.service
[INFO]      * File not found
[INFO] 1.12 - Audit Docker files and directories - docker.service
[INFO]      * File not found
[WARN] 1.13 - Failed to inspect: auditctl command not found.
[INFO] 1.14 - Audit Docker files and directories - /etc/sysconfig/docker
[INFO]      * File not found
[INFO] 1.15 - Audit Docker files and directories - /etc/sysconfig/docker-network
[INFO]      * File not found
[INFO] 1.16 - Audit Docker files and directories - /etc/sysconfig/docker-registry
[INFO]      * File not found
[INFO] 1.17 - Audit Docker files and directories - /etc/sysconfig/docker-storage
[INFO]      * File not found
[WARN] 1.18 - Failed to inspect: auditctl command not found.


[INFO] 2 - Docker Daemon Configuration
[PASS] 2.1  - Do not use lxc execution driver
[WARN] 2.2  - Restrict network traffic between containers
[PASS] 2.3  - Set the logging level
[PASS] 2.4  - Allow Docker to make changes to iptables
[PASS] 2.5  - Do not use insecure registries
[INFO] 2.6  - Setup a local registry mirror
[INFO]      * No local registry currently configured
[WARN] 2.7  - Do not use the aufs storage driver
[PASS] 2.8  - Do not bind Docker to another IP/Port or a Unix socket
[INFO] 2.9  - Configure TLS authentication for Docker daemon
[INFO]      * Docker daemon not listening on TCP
[INFO] 2.10 - Set default ulimit as appropriate
[INFO]      * Default ulimit doesn't appear to be set


[INFO] 3 - Docker Daemon Configuration Files
[INFO] 3.1  - Verify that docker.service file ownership is set to root:root
[INFO]      * File not found
[INFO] 3.2  - Verify that docker.service file permissions are set to 644
[INFO]      * File not found
[INFO] 3.3  - Verify that docker-registry.service file ownership is set to root:root
[INFO]      * File not found
[INFO] 3.4  - Verify that docker-registry.service file permissions are set to 644
[INFO]      * File not found
[INFO] 3.5  - Verify that docker.socket file ownership is set to root:root
[INFO]      * File not found
[INFO] 3.6  - Verify that docker.socket file permissions are set to 644
[INFO]      * File not found
[INFO] 3.7  - Verify that Docker environment file ownership is set to root:root
[INFO]      * File not found
[INFO] 3.8  - Verify that Docker environment file permissions are set to 644
[INFO]      * File not found
[INFO] 3.9  - Verify that docker-network environment file ownership is set to root:root
[INFO]      * File not found
[INFO] 3.10 - Verify that docker-network environment file permissions are set to 644
[INFO]      * File not found
[INFO] 3.11 - Verify that docker-registry environment file ownership is set to root:root
[INFO]      * File not found
[INFO] 3.12 - Verify that docker-registry environment file permissions are set to 644
[INFO]      * File not found
[INFO] 3.13 - Verify that docker-storage environment file ownership is set to root:root
[INFO]      * File not found
[INFO] 3.14 - Verify that docker-storage environment file permissions are set to 644
[INFO]      * File not found
[PASS] 3.15 - Verify that /etc/docker directory ownership is set to root:root
[PASS] 3.16 - Verify that /etc/docker directory permissions are set to 755
[INFO] 3.17 - Verify that registry certificate file ownership is set to root:root
[INFO]      * Directory not found
[INFO] 3.18 - Verify that registry certificate file permissions are set to 444
[INFO]      * Directory not found
[INFO] 3.19 - Verify that TLS CA certificate file ownership is set to root:root
[INFO]      * No TLS CA certificate found
[INFO] 3.20 - Verify that TLS CA certificate file permissions are set to 444
[INFO]      * No TLS CA certificate found
[INFO] 3.21 - Verify that Docker server certificate file ownership is set to root:root
[INFO]      * No TLS Server certificate found
[INFO] 3.22 - Verify that Docker server certificate file permissions are set to 444
[INFO]      * No TLS Server certificate found
[INFO] 3.23 - Verify that Docker server key file ownership is set to root:root
[INFO]      * No TLS Key found
[INFO] 3.24 - Verify that Docker server key file permissions are set to 400
[INFO]      * No TLS Key found
[INFO] 3.25 - Verify that Docker socket file ownership is set to root:docker
[INFO]      * File not found
[INFO] 3.26 - Verify that Docker socket file permissions are set to 660
[INFO]      * File not found


[INFO] 4 - Container Images and Build Files
[WARN] 4.1  - Create a user for the container
[WARN]      * Running as root: 26aa8d74b869


[INFO] 5  - Container Runtime
[WARN] 5.1  - Verify AppArmor Profile, if applicable
[WARN]      * No AppArmorProfile Found: 26aa8d74b869
[WARN] 5.2  - Verify SELinux security options, if applicable
[WARN]      * No SecurityOptions Found: 26aa8d74b869
[WARN] 5.3  - Verify that containers are running only a single main process
[WARN]      * Too many proccesses running: 26aa8d74b869
[PASS] 5.4  - Restrict Linux Kernel Capabilities within containers
[PASS] 5.5  - Do not use privileged containers
[PASS] 5.6  - Do not mount sensitive host system directories on containers
[PASS] 5.7  - Do not run ssh within containers
[PASS] 5.8  - Do not map privileged ports within containers
[PASS] 5.10 - Do not use host network mode on container
[WARN] 5.11 - Limit memory usage for container
[WARN]      * Container running without memory restrictions: 26aa8d74b869
[WARN] 5.12 - Set container CPU priority appropriately
[WARN]      * Container running without CPU restrictions: 26aa8d74b869
[WARN] 5.13 - Mount container's root filesystem as read only
[WARN]      * Container running with root FS mounted R/W: 26aa8d74b869
[WARN] 5.14 - Bind incoming container traffic to a specific host interface
[WARN]      * Port being bound to wildcard IP: 0.0.0.0 in 26aa8d74b869
[PASS] 5.15 - Do not set the 'on-failure' container restart policy to always
[PASS] 5.16 - Do not share the host's process namespace
[PASS] 5.17 - Do not share the host's IPC namespace
[PASS] 5.18 - Do not directly expose host devices to containers
[INFO] 5.19 - Override default ulimit at runtime only if needed
[INFO]      * Container no default ulimit override: 26aa8d74b869


[INFO] 6  - Docker Security Operations
[INFO] 6.5 - Use a centralized and remote log collection service
[INFO]      * Container has no volumes, ensure centralized logging is enabled : 26aa8d74b869
[INFO] 6.6 - Avoid image sprawl
[INFO]      * There are currently: 3 images
[INFO] 6.7 - Avoid container sprawl
[INFO]      * There are currently a total of 2 containers, with 2 of them currently running


Cómo véis algunas cosas que mejorar, esto no ha hecho más que empezar...

2 comentarios :

  1. Grandes!
    Hacía tiempo que quería echarle un vistazo a docker pero no había encontrado aún el momento.. Y una cosilla; el script docker-bench-security no se instala por defecto, o si?¿ Yo es que lo he sacado del enlace que habéis puesto ejecutando "docker pull diogomonica/docker-bench-security" ahí, a lo loco! Y después he tenido que buscarlo con un "locate" porque en menuda ruta lo ha metido.. :S
    En cualquier caso, genial, espero con ansia las próximas entradas ;)

    ResponderEliminar
    Respuestas
    1. gracias! a mi me pasaba igual con Docker, lo había visto por encima pero tenía ganas de empezar a usarlo y viendo el repositorio hay algunas aplicaciones que muy interesantes...
      El script docker-bench-security yo lo bajé primero desde Github :)

      Eliminar