After adding the following audit rules for the Docker artifacts:
$ sudo auditctl -l
-w /usr/bin/dockerd -p rwxa -k docker
-w /var/lib/docker -p rwxa -k docker
-w /etc/docker -p rwxa -k docker
-w /lib/systemd/system/docker.service -p rwxa -k docker
-w /lib/systemd/system/docker.socket -p rwxa -k docker
-w /etc/default/docker -p rwxa -k docker
-w /etc/docker/daemon.json -p rwxa -k docker
-w /usr/bin/docker-containerd -p rwxa -k docker
-w /usr/bin/docker-runc -p rwxa -k docker
$
the CIS benchmark utility (https://github.com/docker/docker-bench-security) fails:
$ sudo ./docker-bench-security.sh -c tests/1_host_configuration.sh
# ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.5
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Benchmark v1.2.0.
# ------------------------------------------------------------------------------
Initializing Wed Sep 11 15:21:04 CST 2019
[INFO] Checks: 0
[INFO] Score: 0
$
How do I get the following checks to pass?
[WARN] 1.2.1 - Ensure a separate partition for containers has been created
[INFO] 1.2.2 - Ensure only trusted users are allowed to control Docker daemon
[INFO] * docker:x:130:mohet01-ubuntu
[WARN] 1.2.3 - Ensure auditing is configured for the Docker daemon
[WARN] 1.2.4 - Ensure auditing is configured for Docker files and directories - /var/lib/docker
[WARN] 1.2.5 - Ensure auditing is configured for Docker files and directories - /etc/docker
[WARN] 1.2.6 - Ensure auditing is configured for Docker files and directories - docker.service
[WARN] 1.2.7 - Ensure auditing is configured for Docker files and directories - docker.socket
[WARN] 1.2.8 - Ensure auditing is configured for Docker files and directories - /etc/default/docker
[INFO] 1.2.9 - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker
[INFO] * File not found
[INFO] 1.2.10 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
[INFO] * File not found
[WARN] 1.2.11 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd
[WARN] 1.2.12 - Ensure auditing is configured for Docker files and directories - /usr/sbin/runc
Answer 1
I am on Ubuntu 18.04. I took all of the rules and added them to the file /etc/audit/rules.d/audit.rules, and it works properly. For CentOS 6 the file location is /etc/audit/audit.rules.
[INFO] 1.2 - Linux Hosts Specific Configuration
[WARN] 1.2.1 - Ensure a separate partition for containers has been created
[INFO] 1.2.2 - Ensure only trusted users are allowed to control Docker daemon
[INFO] * docker:x:999:delta
[PASS] 1.2.3 - Ensure auditing is configured for the Docker daemon
[PASS] 1.2.4 - Ensure auditing is configured for Docker files and directories - /var/lib/docker
[PASS] 1.2.5 - Ensure auditing is configured for Docker files and directories - /etc/docker
[PASS] 1.2.6 - Ensure auditing is configured for Docker files and directories - docker.service
[PASS] 1.2.7 - Ensure auditing is configured for Docker files and directories - docker.socket
[PASS] 1.2.8 - Ensure auditing is configured for Docker files and directories - /etc/default/docker
[INFO] 1.2.9 - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker
[INFO] * File not found
[INFO] 1.2.10 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
[INFO] * File not found
[WARN] 1.2.11 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd
[INFO] 1.2.12 - Ensure auditing is configured for Docker files and directories - /usr/sbin/runc
[INFO] * File not found
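As an added example (not code from the question, the answer, or docker-bench-security), the script below turns the paths that checks 1.2.3 through 1.2.12 look for into persistent watch rules in the /etc/audit/rules.d/ format the answer uses, and compares an `auditctl -l` listing against that same path list. Run against the listing in the question it reports /usr/bin/containerd and /usr/sbin/runc as uncovered: the question's rules watch /usr/bin/docker-containerd and /usr/bin/docker-runc, which are not the paths this benchmark version reports on. The rules file name docker.rules, the use of `augenrules --load` to reload rules, and the sample listing embedded in the usage comment are assumptions; the benchmark's own grep is not reproduced here.

```bash
#!/usr/bin/env bash
# Added illustration; not code from the question, the answer or docker-bench-security.
# Assumes a Linux host running auditd. The path list is taken from the benchmark
# output shown on this page (checks 1.2.3 - 1.2.12 of Docker Bench v1.3.5).

DOCKER_AUDIT_PATHS='/usr/bin/dockerd
/var/lib/docker
/etc/docker
/lib/systemd/system/docker.service
/lib/systemd/system/docker.socket
/etc/default/docker
/etc/sysconfig/docker
/etc/docker/daemon.json
/usr/bin/containerd
/usr/sbin/runc'

# Print the benchmark paths that exist on this host. The benchmark reports
# "File not found" for the others, so they need no rule.
present_docker_paths() {
    printf '%s\n' "$DOCKER_AUDIT_PATHS" | while IFS= read -r p; do
        [ -e "$p" ] && printf '%s\n' "$p"
    done
}

# Emit one auditd watch rule per path argument, in the syntax used both by
# /etc/audit/rules.d/*.rules files and by `auditctl -l` output.
docker_audit_rules() {
    for p in "$@"; do
        printf -- '-w %s -p rwxa -k docker\n' "$p"
    done
}

# Read `auditctl -l` output on stdin and print every benchmark path that has
# no watch rule for exactly that path. The trailing space in the pattern keeps
# a watch on /etc/docker/daemon.json from counting as a watch on /etc/docker,
# and a watch on /usr/bin/docker-containerd from counting for /usr/bin/containerd.
missing_docker_audit_rules() {
    loaded=$(cat)
    printf '%s\n' "$DOCKER_AUDIT_PATHS" | while IFS= read -r p; do
        printf '%s\n' "$loaded" | grep -qF -- "-w $p " || printf '%s\n' "$p"
    done
}

# Typical use on a real host (needs root; not executed here):
#   docker_audit_rules $(present_docker_paths) | sudo tee /etc/audit/rules.d/docker.rules
#   sudo augenrules --load          # assumed reload step; restarting auditd also works
#   sudo auditctl -l | missing_docker_audit_rules   # prints nothing when every path is covered
```

Rules loaded only with `auditctl -w ...` on the command line disappear at the next reboot, which is why the answer writes them under /etc/audit/rules.d/; the `missing_docker_audit_rules` check is a quick way to confirm the loaded set after a reload.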