Skip to content

Latest commit

 

History

History
198 lines (127 loc) · 6.22 KB

CHECKPOINT.md

File metadata and controls

198 lines (127 loc) · 6.22 KB

Checkpoint Details

Docker Image Checkpoints

These checkpoints refered to CIS Docker 1.13.0 Benchmark v1.0.0.

CIS-DI-0001

Create a user for the container

Create a non-root user for the container in the Dockerfile for the container image.

It is a good practice to run the container as a non-root user, if possible.

# Dockerfile
RUN useradd -d /home/dockle -m -s /bin/bash dockle
USER dockle

or

RUN addgroup -S dockle && adduser -S -G dockle dockle
USER dockle

CIS-DI-0002

Use trusted base images for containers

Dockle checks Content Trust.

CIS-DI-0003

Do not install unnecessary packages in the container

Not supported.

CIS-DI-0004

Scan and rebuild the images to include security patches

Not supported. Please check with Trivy.

CIS-DI-0005

Enable Content trust for Docker

Content trust is disabled by default. You should enable it.

$ export DOCKER_CONTENT_TRUST=1

CIS-DI-0006

Add HEALTHCHECK instruction to the container image

Add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.
Based on the reported health status, the docker engine could then exit non-working containers and instantiate new ones.

# Dockerfile
HEALTHCHECK --interval=5m --timeout=3s \
  CMD curl -f http://localhost/ || exit 1

CIS-DI-0007

Do not use update instructions alone in the Dockerfile

Do not use update instructions such as apt-get update alone or in a single line in the Dockerfile.
Adding the update instructions in a single line on the Dockerfile will cache the update layer.

RUN apt-get update && apt-get install -y package-a

CIS-DI-0008

Confirm safety of setuid and setgid files

Removing setuid and setgid permissions in the images would prevent privilege escalation attacks in the containers.
setuid and setgid permissions could be used for elevating privileges.

chmod u-s setuid-file
chmod u-g setgid-file

CIS-DI-0009

Use COPY instead of ADD in Dockerfile

Use COPY instruction instead of ADD instruction in the Dockerfile.
ADD instruction introduces risks such as adding malicious files from URLs without scanning and unpacking procedure vulnerabilities.

# Dockerfile
ADD test.json /app/test.json
↓
COPY test.json /app/test.json

CIS-DI-0010

Do not store secrets in Dockerfiles

Do not store any secrets in Dockerfiles.
the secrets within these Dockerfiles could be easily exposed and potentially be exploited.

Dockle checks ENVIRONMENT variables and credential files.

CIS-DI-0011

Install verified packages only

Not supported. It's better to use Trivy.

Dockle Checkpoints for Docker

These checkpoints referred to Docker Best Practice and so on.

DKL-DI-0001

Avoid sudo command

DKL-DI-0002

Avoid sensitive directory mounting

A volume mount makes weak points. This depends on mounting volumes.

Currently, Dockle checks following directories:

  • /dev, /proc, /sys

dockle only checks VOLUME statements, since we can't check docker run -v /lib:/lib ....

DKL-DI-0003

Avoid apt-get dist-upgrade

docker/docs#12571

https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#apt-get Avoid RUN apt-get upgrade and dist-upgrade, as many of the “essential” packages from the parent images cannot upgrade inside an unprivileged container.

DKL-DI-0004

Use apk add with --no-cache

DKL-DI-0005

Clear apt-get caches

Use apt-get clean && rm -rf /var/lib/apt/lists/* after apt-get install.

DKL-DI-0006

Avoid latest tag

Dockle Checkpoints for Linux

These checkpoints referred to Linux Best Practices and so on.

DKL-LI-0001

Avoid empty password

DKL-LI-0002

Be unique UID/GROUPs

  • http://www.linfo.org/uid.html

    Contrary to popular belief, it is not necessary that each entry in the UID field be unique. However, non-unique UIDs can cause security problems, and thus UIDs should be kept unique across the entire organization.

DKL-LI-0003

Only put necessary files

Check .cache, tmp and so on directories.