# Docker CIS benchmarks analysis
## Overview
This scenario is useful for performing container security audits and assessments. Here we will learn to run the popular CIS benchmark audit against Docker containers and use the results either for further exploitation or for fixing the misconfigurations and vulnerabilities it reports. This is especially relevant if you come from an audit and compliance background and are moving into the world of containers and cloud native ecosystems.
By the end of the scenario, we will understand and learn the following:
- How to perform a CIS benchmark audit for Docker containers
- Working with DaemonSets, Pods, and other resources in a Kubernetes cluster
- How to gain visibility of the entire container security posture and understand the risks
## The story
This scenario performs the Docker CIS benchmarks analysis on the Kubernetes nodes to identify possible security vulnerabilities.
- To get started, you can either access a node and follow the docker-bench-security instructions directly, or deploy docker-bench-security as a DaemonSet in the Kubernetes cluster with the following command
```bash
kubectl apply -f scenarios/docker-bench-security/deployment.yaml
```
- To exec into the pod, run the following command. Make sure to replace the pod name
```bash
kubectl exec -it docker-bench-security-xxxxx -- sh
```
## Goal
The goal of this scenario is to perform the Docker CIS benchmark audit and obtain the results from the audit.
## Hints & Spoilers
Not sure how to run the audit?
## Solution & Walkthrough
### Method 1
- We can deploy the Docker CIS benchmarks DaemonSet by running the following command
```bash
kubectl apply -f scenarios/docker-bench-security/deployment.yaml
```
- Then we can list the running pods from the DaemonSet by running the following command
```bash
kubectl get pods
```
- Now we can see pods running with the name `docker-bench-security-xxxxx`, and we can use one of them and exec into it to perform the audit
- Access the `docker-bench-security-xxxxx` pod by running the following command
```bash
kubectl exec -it docker-bench-security-xxxxx -- sh
```
- docker-bench-security is already installed inside the container, and you can navigate to its directory to perform the scan
```bash
cd docker-bench-security
```
- We can run the following command to start the Docker CIS benchmarks script for the audit
```bash
sh docker-bench-security.sh
```
- Now, based on the vulnerabilities you see in the Docker CIS benchmarks output, you can proceed with further exploitation
- Hooray, now we can see that it returns all the security issues/misconfigurations from the system
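As an added example that is not part of the scenario's own files, the following POSIX shell functions run the audit non-interactively in the first `docker-bench-security-*` pod and summarise the output by result status, so the `[WARN]` findings can be triaged instead of read off a scrolling terminal. Selecting the pod by its name prefix and the sample output below are assumptions; the sample is constructed in the docker-bench-security line format, not a real run.

```shell
#!/bin/sh
# Added example (not from the Kubernetes Goat scenario): audit via the DaemonSet
# pod and summarise docker-bench-security results by status.

# Pick the first pod of the DaemonSet by its name prefix (assumption: the pods
# are named docker-bench-security-xxxxx as in the scenario).
first_bench_pod() {
  kubectl get pods -o name | grep '^pod/docker-bench-security-' | head -n 1
}

# Run the benchmark inside that pod and return its full output on stdout.
run_audit() {
  pod="$(first_bench_pod)"
  [ -n "$pod" ] || { echo "no docker-bench-security pod found" >&2; return 1; }
  kubectl exec "$pod" -- sh -c 'cd docker-bench-security && sh docker-bench-security.sh'
}

# Remove ANSI colour codes in case the script colourised its output.
strip_color() {
  esc="$(printf '\033')"
  sed "s/${esc}\[[0-9;]*m//g"
}

# count_status STATUS: number of result lines with the given status (WARN, PASS,
# INFO, NOTE) on stdin; each check is prefixed with its status in brackets.
count_status() {
  strip_color | grep -c "^\[$1\]" || true   # grep -c exits 1 on zero matches; keep the 0
}

# failing_checks: keep only [WARN] lines, i.e. the findings to fix or investigate.
failing_checks() {
  strip_color | grep '^\[WARN\]' || true
}

# Constructed sample in the docker-bench-security output format (not a real run),
# so the summarising functions can be exercised without a cluster.
SAMPLE_OUTPUT='[INFO] 1 - Host Configuration
[WARN] 1.1 - Ensure a separate partition for containers has been created
[PASS] 1.2 - Ensure the container host has been Hardened
[INFO] 2 - Docker daemon configuration
[WARN] 2.1 - Ensure network traffic is restricted between containers on the default bridge
[PASS] 2.2 - Ensure the logging level is set to info
[NOTE] 2.3 - Ensure Docker is allowed to make changes to iptables'

# Against a live cluster: run_audit | failing_checks
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_OUTPUT" | failing_checks
printf 'WARN: %s  PASS: %s\n' \
  "$(printf '%s\n' "$SAMPLE_OUTPUT" | count_status WARN)" \
  "$(printf '%s\n' "$SAMPLE_OUTPUT" | count_status PASS)"
```

To keep a record per node, redirect `run_audit` to a file named after the pod and diff successive runs after fixing a finding.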