Differences

Below are the differences between two revisions of the page.

elearning:workbooks:docker3:en:dre06 [2023/12/17 05:26] – created admin
elearning:workbooks:docker3:en:dre06 [2024/12/17 13:46] (current version) admin
Ligne 1: Ligne 1:
 ~~PDF:LANDSCAPE~~ ~~PDF:LANDSCAPE~~
  
-Version : **2023.01**+Version : **2024.01**
  
 Last update : ~~LASTMOD~~ Last update : ~~LASTMOD~~
 +
  
 ======DOF607 - Docker Security Management====== ======DOF607 - Docker Security Management======
Ligne 15: Ligne 16:
     * LAB #3 - The docker-bench-security.sh script     * LAB #3 - The docker-bench-security.sh script
     * LAB #4 - Securing the Docker Host Configuration     * LAB #4 - Securing the Docker Host Configuration
-      * 4.1 - [WARN] 1.2.1 - Ensure a separate partition for containers has been created 
-      * 4.2 - [WARN] 1.2.3 - Ensure auditing is configured for the Docker daemon 
     * LAB #5 - Securing the Docker daemon configuration     * LAB #5 - Securing the Docker daemon configuration
-      * 5.1 - [WARN] 2.1 - Ensure network traffic is restricted between containers on the default bridge +      * 5.1 - The /etc/docker/daemon.json file
-      * 5.2 - [WARN] 2.8 - Enable user namespace support +
-      * 5.3 - [WARN] 2.11 - Ensure that authorization for Docker client commands is enabled +
-      * 5.4 - [WARN] 2.12 - Ensure centralized and remote logging is configured +
-      * 5.5 - [WARN] 2.14 - Ensure Userland Proxy is Disabled +
-      * 5.6 - [WARN] 2.17 - Ensure containers are restricted from acquiring new privileges +
-      * 5.7 - The /etc/docker/daemon.json file+
     * LAB #6 - Securing Images and Build Files     * LAB #6 - Securing Images and Build Files
-      * 6.1 - [WARN] 4.1 - Ensure a user for the container has been created 
-      * 6.2 - [WARN] 4.5 - Ensure Content trust for Docker is Enabled 
-      * 6.3 - [WARN] 4.6 - Ensure that HEALTHCHECK instructions have been added to container images 
     * LAB #7 - Securing the Container Runtime     * LAB #7 - Securing the Container Runtime
-      * 7.1 - [WARN] 5.1 - Ensure AppArmor Profile is Enabled 
-      * 7.2 - [WARN] 5.2 - Ensure SELinux security options are set, if applicable 
-      * 7.3 - [WARN] 5.10 - Ensure memory usage for container is limited 
-      * 7.4 - [WARN] 5.11 - Ensure CPU priority is set appropriately on the container 
-      * 7.5 - [WARN] 5.12 - Ensure the container's root filesystem is mounted as read only 
-      * 7.6 - [WARN] 5.14 - Ensure 'on-failure' container restart policy is set to '5' 
-      * 7.7 - [WARN] 5.25 - Ensure the container is restricted from acquiring additional privileges 
-      * 7.8 - [WARN] 5.26 - Ensure container health is checked at runtime 
-      * 7.9 - [WARN] 5.28 - Ensure PIDs cgroup limit is used 
     * LAB #8 - Securing Images with Docker Content Trust     * LAB #8 - Securing Images with Docker Content Trust
       * 8.1 - DOCKER_CONTENT_TRUST       * 8.1 - DOCKER_CONTENT_TRUST
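Review bot: the contents list loses every sub-item under LAB #4, LAB #6 and LAB #7 in this hunk, but the body of this same revision still carries sub-headings under LAB #4 (the two "====[WARN] 1.1.x ... (Automated)====" headings further down), so the list no longer mirrors the page structure. Either keep one entry per surviving sub-heading (without the old "4.1 -" numbering, which the headings themselves drop) or remove them consistently; LAB #5 is in the same situation, where only "5.1 - The /etc/docker/daemon.json file" remains while 8.1 under LAB #8 keeps its number.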
Ligne 78: Ligne 59:
 </file> </file>
  
-You can see in this file the presence of sensitive information in non-secure :+You can see in this file the presence of non-secure sensitive information:
  
   * POSTGRES_USER   * POSTGRES_USER
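Review bot: "the presence of non-secure sensitive information" still reads awkwardly, and it hides the actual risk. The list that follows (POSTGRES_USER and the other variables) shows credentials sitting in clear text in the stack file, so "the presence of sensitive information stored in clear text:" says what the reader needs to notice before the secrets are introduced.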
Ligne 98: Ligne 79:
 </code> </code>
  
-<WRAP center round important 60%>+<WRAP center round important 50%>
 **Important**: Note the use of the **-** character at the end of the line. This tells the **docker secret** command to read the contents of the pg_user secret from standard input. **Important**: Note the use of the **-** character at the end of the line. This tells the **docker secret** command to read the contents of the pg_user secret from standard input.
 </WRAP> </WRAP>
Ligne 105: Ligne 86:
  
 <code> <code>
-root@manager:~/postgres# docker secrets ls +root@manager:~/postgres# docker secret ls 
-ID NAME DRIVER CREATED UPDATED +ID                          NAME                DRIVER              CREATED              UPDATED 
-lpk8eq80qvfiqw7z1686fmj5t pg_user About a minute ago About a minute ago+lpk8eq80qvfiqw7z1686fmj5t   pg_user                                 About a minute ago   About a minute ago
 </code> </code>
  
-<WRAP center round important 60%> +<WRAP center round important 50%> 
-**Important**: Note that the **DRIVER** column is empty. This indicates that secret management is accomplished by Docker itself instead of being delegated to a third-party plugin.+**Important**: Note that the **DRIVER** column is empty. This indicates that the secret is managed by Docker itself instead of being delegated to a third-party plugin.
 </WRAP> </WRAP>
  
Ligne 119: Ligne 100:
 root@manager:~/postgres# echo "postgres" | docker secret create pg_password - root@manager:~/postgres# echo "postgres" | docker secret create pg_password -
 h9tsfbfwz6o0sd35roklwpopi h9tsfbfwz6o0sd35roklwpopi
 +
 root@manager:~/postgres# echo "database" | docker secret create pg_database - root@manager:~/postgres# echo "database" | docker secret create pg_database -
 5lx4zydpfocwgpdto0yy1jod9 5lx4zydpfocwgpdto0yy1jod9
 </code> </code>
  
-<WRAP center round important 60%>+<WRAP center round important 50%>
 **Important**: Note that a Docker secret is immutable. **Important**: Note that a Docker secret is immutable.
 </WRAP> </WRAP>
Ligne 131: Ligne 113:
 <code> <code>
 root@manager:~/postgres# docker secret ls root@manager:~/postgres# docker secret ls
-ID NAME DRIVER CREATED UPDATED +ID                          NAME                DRIVER              CREATED             UPDATED 
-5lx4zydpfocwgpdto0yy1jod9 pg_database 2 minutes ago 2 minutes ago +5lx4zydpfocwgpdto0yy1jod9   pg_database                             2 minutes ago       2 minutes ago 
-h9tsfbfwz6o0sd35roklwpopi pg_password 3 minutes ago 3 minutes ago +h9tsfbfwz6o0sd35roklwpopi   pg_password                             3 minutes ago       3 minutes ago 
-lpk8eq80qvfiqw7z1686fmj5t pg_user 5 minutes ago 5 minutes ago+lpk8eq80qvfiqw7z1686fmj5t   pg_user                                 5 minutes ago       5 minutes ago
 </code> </code>
  
Ligne 157: Ligne 139:
 </code> </code>
  
-<WRAP center round important 60%>+<WRAP center round important 50%>
 **Important**: You can see in the output of this command the value **CreatedAt** which corresponds to the date the secret was created as well as **UpdatedAt** which corresponds to the date the secret was modified. **Important**: You can see in the output of this command the value **CreatedAt** which corresponds to the date the secret was created as well as **UpdatedAt** which corresponds to the date the secret was modified.
 </WRAP> </WRAP>
Ligne 165: Ligne 147:
 <code> <code>
 root@manager:~/postgres# docker secret inspect --pretty pg_database root@manager:~/postgres# docker secret inspect --pretty pg_database
-ID: 5lx4zydpfocwgpdto0yy1jod9 +ID:              5lx4zydpfocwgpdto0yy1jod9 
-Name: pg_database+Name:              pg_database
 Driver:             Driver:            
-Created at: 2021-04-15 03:49:36.344367554 +0000 utc +Created at:        2021-04-15 03:49:36.344367554 +0000 utc 
-Updated at: 2021-04-15 03:49:36.344367554 +0000 utc+Updated at:        2021-04-15 03:49:36.344367554 +0000 utc
 </code> </code>
  
Ligne 230: Ligne 212:
 </file> </file>
  
-<WRAP center round important 60%> +<WRAP center round important 50%> 
-**Important** : The term **external** indicates that the secrets will not be stored in the built image but **only** in the created container.+**Important** : The term **external** indicates that the secrets will not be stored in the image but **only** in the container.
 </WRAP> </WRAP>
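Review bot: the rewritten sentence describes where the secret ends up rather than what the keyword means, and a reader can take "external" as a storage attribute. In a stack file, "external" declares that the secret already exists in the swarm, created beforehand with "docker secret create" exactly as this page does a few steps earlier, instead of being defined from a file by the stack itself. Suggest leading with that definition and keeping the remark about the image versus the container as the consequence.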
  
Ligne 245: Ligne 227:
 </code> </code>
  
-<WRAP center round important 60%>+<WRAP center round important 50%>
 **Important** : Note a presence of the **Ignoring unsupported options: restart** error. This is due to the fact that the **restart** directive is compatible with the **docker-compose** command but not with the **docker stack** command. The directive that should have been used in the file is **restart_policy:**. **Important** : Note a presence of the **Ignoring unsupported options: restart** error. This is due to the fact that the **restart** directive is compatible with the **docker-compose** command but not with the **docker stack** command. The directive that should have been used in the file is **restart_policy:**.
 </WRAP> </WRAP>
  
-Now connect to Apache Guacamole and open a web browser in the virtual machine. Then navigate to the Manager address on port **8080** and fill in the secret values:+Now connect to Apache Guacamole and open a web browser in the **Debian11_10.0.2.46_VNC** virtual machine. Then navigate to the Manager address on port **8080** and fill in the secret values:
  
 {{ :elearning:workbooks:docker2:2021-04-15.png?direct&600 |}} {{ :elearning:workbooks:docker2:2021-04-15.png?direct&600 |}}
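Review bot: "Note a presence of the ... error" should read "Note the presence of the ... message"; the deploy goes ahead despite it (the next step opens the application on port 8080), so calling it an error overstates what the reader will see. The added virtual machine name is a useful precision for the lab.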
Ligne 261: Ligne 243:
 <code> <code>
 root@manager:~/postgres# docker stack ls root@manager:~/postgres# docker stack ls
-NAME SERVICES ORCHESTRATOR +NAME                SERVICES            ORCHESTRATOR 
-postgres 2 Swarm+postgres                              Swarm 
 root@manager:~/postgres# docker stack rm postgres root@manager:~/postgres# docker stack rm postgres
 Removing service postgres_adminer Removing service postgres_adminer
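Review bot: the re-aligned "docker stack ls" output drops a value: the old line read "postgres 2 Swarm", the new one leaves the SERVICES column empty. Restore the "2" so the output is consistent with the two services the stack runs (the removal lines below list postgres_adminer as one of them).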
Ligne 276: Ligne 259:
 root@manager:~# cat /etc/group | grep docker root@manager:~# cat /etc/group | grep docker
 docker:x:999: docker:x:999:
 +
 root@manager:~# usermod -aG docker trainee root@manager:~# usermod -aG docker trainee
 +
 root@manager:~# exit root@manager:~# exit
-logout+déconnexion 
 trainee@manager:~$ docker ps trainee@manager:~$ docker ps
 Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.40/containers/json: dial unix /var/run/docker.sock: connect: permission denied Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.40/containers/json: dial unix /var/run/docker.sock: connect: permission denied
 +
 trainee@manager:~$ newgrp docker trainee@manager:~$ newgrp docker
 +
 trainee@manager:~$ docker ps -a trainee@manager:~$ docker ps -a
-CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES +CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                        PORTS                 NAMES 
-d02c6115724c alpine "/bin/sh" 6 days ago Exited (0) 6 days ago alpine1+d02c6115724c        alpine              "/bin/sh"                6 days ago          Exited (0) 6 days ago                               alpine1 
 trainee@manager:~$ docker rm alpine1 trainee@manager:~$ docker rm alpine1
 alpine1 alpine1
 +
 trainee@manager:~$ docker run -d --name alpine1 alpine sleep 99999 trainee@manager:~$ docker run -d --name alpine1 alpine sleep 99999
 a214e2df0499c97e8da25a6c9ea751ac75344c9bcd7d238f8cb8d5c777510ab9 a214e2df0499c97e8da25a6c9ea751ac75344c9bcd7d238f8cb8d5c777510ab9
 +
 trainee@manager:~$ docker ps -a trainee@manager:~$ docker ps -a
-CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES +CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES 
-a214e2df0499 alpine "/bin/sh" 6 seconds ago Up 5 seconds alpine1+a214e2df0499        alpine              "/bin/sh"           6 seconds ago       Up 5 seconds                            alpine1
 </code> </code>
  
-=====LAB #3 - The docker-bench-security.sh===== script+=====LAB #3 - The docker-bench-security.sh script=====
  
 The **Center for Internet Security (CIS)** is an independent non-profit organisation that publishes best practices in many areas of IT. The guide for Docker can be downloaded from https://www.cisecurity.org/benchmark/docker/. The **Center for Internet Security (CIS)** is an independent non-profit organisation that publishes best practices in many areas of IT. The guide for Docker can be downloaded from https://www.cisecurity.org/benchmark/docker/.
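Review bot: two points in this hunk. First, the COMMAND column of the final "docker ps -a" reads "/bin/sh" although the container was just started with "docker run -d --name alpine1 alpine sleep 99999"; for that container Docker reports "sleep 99999", so this listing looks copied from the earlier one and should be re-captured. Second, "usermod -aG docker trainee" deserves one sentence of context: membership of the docker group grants control of the daemon socket, and the bench output later in this revision flags exactly that ("1.1.2 - Ensure only trusted users are allowed to control Docker daemon ... Users: trainee"), so the reader should understand why the lab does it and why a production host would not. The heading fix (putting "script" inside the ===== markers) is correct.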
Ligne 315: Ligne 306:
 trainee@manager:~$ su - trainee@manager:~$ su -
 Password: fenestros Password: fenestros
 +
 root@manager:~# git clone https://github.com/docker/docker-bench-security.git root@manager:~# git clone https://github.com/docker/docker-bench-security.git
 Cloning in 'docker-bench-security'... Cloning in 'docker-bench-security'...
Ligne 329: Ligne 321:
 <code> <code>
 root@manager:~# cd docker-bench-security/ root@manager:~# cd docker-bench-security/
 +
 root@manager:~/docker-bench-security# ./docker-bench-security.sh root@manager:~/docker-bench-security# ./docker-bench-security.sh
-# ------------------------------------------------------------------------------ +-------------------------------------------------------------------------------------------- 
-# Docker Bench for Security v1.3.5+# Docker Bench for Security v1.6.0
 # #
-# Docker, Inc (c) 2015-+# Docker, Inc(c) 2015-2023
 # #
 # Checks for dozens of common best-practices around deploying Docker containers in production. # Checks for dozens of common best-practices around deploying Docker containers in production.
-Inspired by the CIS Docker Benchmark v1.2.0. +Based on the CIS Docker Benchmark 1.6.0. 
-# ------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------
  
-Initializing Friday 8 November 2019, 12:12:03 (UTC+0100)+Initializing 2023-12-17T14:22:08+01:00
  
 +
 +Section A - Check results
  
 [INFO] 1 - Host Configuration [INFO] 1 - Host Configuration
 +[INFO] 1.1 - Linux Hosts Specific Configuration
 +[WARN] 1.1.1 - Ensure a separate partition for containers has been created (Automated)
 +[INFO] 1.1.2 - Ensure only trusted users are allowed to control Docker daemon (Automated)
 +[INFO]       * Users: trainee
 +[WARN] 1.1.3 - Ensure auditing is configured for the Docker daemon (Automated)
 +[WARN] 1.1.4 - Ensure auditing is configured for Docker files and directories -/run/containerd (Automated)
 +[WARN] 1.1.5 - Ensure auditing is configured for Docker files and directories - /var/lib/docker (Automated)
 +[WARN] 1.1.6 - Ensure auditing is configured for Docker files and directories - /etc/docker (Automated)
 +[WARN] 1.1.7 - Ensure auditing is configured for Docker files and directories - docker.service (Automated)
 +[INFO] 1.1.8 - Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)
 +[INFO]        * File not found
 +[WARN] 1.1.9 - Ensure auditing is configured for Docker files and directories - docker.socket (Automated)
 +[WARN] 1.1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker (Automated)
 +[INFO] 1.1.11 - Ensure auditing is configured for Dockerfiles and directories - /etc/docker/daemon.json (Automated)
 +[INFO]        * File not found
 +[WARN] 1.1.12 - 1.1.12 Ensure auditing is configured for Dockerfiles and directories - /etc/containerd/config.toml (Automated)
 +[INFO] 1.1.13 - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Automated)
 +[INFO]        * File not found
 +[WARN] 1.1.14 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Automated)
 +[WARN] 1.1.15 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim (Automated)
 +[INFO] 1.1.16 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v1 (Automated)
 +[INFO]         * File not found
 +[INFO] 1.1.17 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v2 (Automated)
 +[INFO]         * File not found
 +[WARN] 1.1.18 - Ensure auditing is configured for Docker files and directories - /usr/bin/runc (Automated)
 +[INFO] 1.2 - General Configuration
 +[NOTE] 1.2.1 - Ensure the container host has been Hardened (Manual)
 +[PASS] 1.2.2 - Ensure that the version of Docker is up to date (Manual)
 +[INFO]        * Using 19.03.4, verify is it up to date as deemed necessary
  
-[INFO] 1.1 General Configuration +[INFO] Docker daemon configuration 
-[NOTE] 1.1.- Ensure the container host has been Hardened +[NOTE] 2.1 - Run the Docker daemon as a non-root user, if possible (Manual) 
-[INFO1.1.2 - Ensure Docker is up to date +[WARN] 2.- Ensure network traffic is restricted between containers on the default bridge (Scored) 
-[INFO] * Using 19.03.4, verify is it up to date as deemed necessary +[PASS2.3 - Ensure the logging level is set to 'info' (Scored) 
-[INFO] * Your operating system vendor may provide support and security maintenance for Docker+[PASS] 2.4 - Ensure Docker is allowed to make changes to iptables (Scored) 
 +[PASS] 2.5 - Ensure insecure registries are not used (Scored) 
 +[PASS] 2.6 - Ensure aufs storage driver is not used (Scored) 
 +[INFO] 2.7 - Ensure TLS authentication for Docker daemon is configured (Scored) 
 +[INFO]      Docker daemon not listening on TCP 
 +[INFO] 2.8 - Ensure the default ulimit is configured appropriately (Manual) 
 +[INFO]      Default ulimit doesn't appear to be set 
 +[WARN] 2.9 - Enable user namespace support (Scored) 
 +[PASS] 2.10 - Ensure the default cgroup usage has been confirmed (Scored) 
 +[PASS] 2.11 - Ensure base device size is not changed until needed (Scored) 
 +[WARN] 2.12 - Ensure that authorization for Docker client commands is enabled (Scored) 
 +[WARN] 2.13 - Ensure centralized and remote logging is configured (Scored) 
 +[WARN] 2.14 - Ensure containers are restricted from acquiring new privileges (Scored) 
 +[WARN] 2.15 - Ensure live restore is enabled (Scored) 
 +[WARN] 2.16 - Ensure Userland Proxy is Disabled (Scored) 
 +[PASS] 2.17 - Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Manual) 
 +[PASS] 2.18 - Ensure that experimental features are not implemented in production (Scored)
  
-[INFO] 1.2 - Linux Hosts Specific Configuration +[INFO] 3 - Docker daemon configuration files 
-[WARN] 1.2.1 - Ensure a separate partition for containers has been created +[PASS] 3.- Ensure that the docker.service file ownership is set to root:root (Automated) 
-...+[PASS] 3.2 - Ensure that docker.service file permissions are appropriately set (Automated) 
 +[PASS3.3 - Ensure that docker.socket file ownership is set to root:root (Automated) 
 +[PASS] 3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive (Automated) 
 +[PASS] 3.5 - Ensure that the /etc/docker directory ownership is set to root:root (Automated) 
 +[PASS] 3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictively (Automated) 
 +[INFO] 3.7 - Ensure that registry certificate file ownership is set to root:root (Automated) 
 +[INFO]      * Directory not found 
 +[INFO] 3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictively (Automated) 
 +[INFO]      * Directory not found 
 +[INFO] 3.9 - Ensure that TLS CA certificate file ownership is set to root:root (Automated) 
 +[INFO]      * No TLS CA certificate found 
 +[INFO] 3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictively (Automated) 
 +[INFO]       * No TLS CA certificate found 
 +[INFO] 3.11 - Ensure that Docker server certificate file ownership is set to root:root (Automated) 
 +[INFO]       * No TLS Server certificate found 
 +[INFO] 3.12 - Ensure that the Docker server certificate file permissions are set to 444 or more restrictively (Automated) 
 +[INFO]       * No TLS Server certificate found 
 +[INFO] 3.13 - Ensure that the Docker server certificate key file ownership is set to root:root (Automated) 
 +[INFO]       * No TLS Key found 
 +[INFO] 3.14 - Ensure that the Docker server certificate key file permissions are set to 400 (Automated) 
 +[INFO]       * No TLS Key found 
 +[PASS] 3.15 - Ensure that the Docker socket file ownership is set to root:docker (Automated) 
 +[PASS] 3.16 - Ensure that the Docker socket file permissions are set to 660 or more restrictively (Automated) 
 +[INFO] 3.17 - Ensure that the daemon.json file ownership is set to root:root (Automated) 
 +[INFO]       * File not found 
 +[INFO] 3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive (Automated) 
 +[INFO]       * File not found 
 +[PASS] 3.19 - Ensure that the /etc/default/docker file ownership is set to root:root (Automated) 
 +[PASS] 3.20 - Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively (Automated) 
 +[INFO] 3.21 - Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (Automated) 
 +[INFO]       * File not found 
 +[INFO] 3.22 - Ensure that the /etc/sysconfig/docker file ownership is set to root:root (Automated) 
 +[INFO]       * File not found 
 +[PASS] 3.23 - Ensure that the Containerd socket file ownership is set to root:root (Automated) 
 +[PASS] 3.24 - Ensure that the Containerd socket file permissions are set to 660 or more restrictively (Automated) 
 + 
 +[INFO] 4 - Container Images and Build File 
 +[INFO] 4.- Ensure that a user for the container has been created (Automated) 
 +[INFO]      * No containers running 
 +[NOTE] 4.2 - Ensure that containers use only trusted base images (Manual) 
 +[NOTE] 4.3 - Ensure that unnecessary packages are not installed in the container (Manual) 
 +[NOTE] 4.4 - Ensure images are scanned and rebuilt to include security patches (Manual) 
 +[WARN] 4.5 - Ensure Content trust for Docker is Enabled (Automated) 
 +[WARN] 4.6 - Ensure that HEALTHCHECK instructions have been added to container images (Automated) 
 +[WARN]      * No Healthcheck found: [nginx:latest] 
 +[WARN]      * No Healthcheck found: [alpine:latest] 
 +[WARN]      * No Healthcheck found: [ubuntu:latest] 
 +[WARN]      * No Healthcheck found: [centos:latest] 
 +[PASS] 4.7 - Ensure update instructions are not used alone in the Dockerfile (Manual) 
 +[NOTE] 4.8 - Ensure setuid and setgid permissions are removed (Manual) 
 +[PASS] 4.9 - Ensure that COPY is used instead of ADD in Dockerfiles (Manual) 
 +[NOTE] 4.10 - Ensure secrets are not stored in Dockerfiles (Manual) 
 +[NOTE] 4.11 - Ensure only verified packages are installed (Manual) 
 +[NOTE] 4.12 - Ensure all signed artifacts are validated (Manual) 
 + 
 +[INFO] 5 - Container Runtime 
 +[INFO]   * No containers running, skipping Section 5 
 + 
 +[INFO] 6 - Docker Security Operations 
 +[INFO] 6.1 - Ensure that image sprawl is avoided (Manual) 
 +[INFO]      * There are currently: 4 images 
 +[INFO]      * Only 0 out of 4 are in use 
 +[INFO] 6.2 - Ensure that container sprawl is avoided (Manual) 
 +[INFO]      * There are currently total of 0 containers, with 0 of them currently running 
 + 
 +[INFO] 7 - Docker Swarm Configuration 
 +[WARN] 7.1 - Ensure swarm mode is not Enabled, if not needed (Automated) 
 +[PASS] 7.2 - Ensure that the minimum number of manager nodes have been created in a swarm (Automated) (Swarm mode not enabled) 
 +[PASS] 7.3 - Ensure that swarm services are bound to a specific host interface (Automated) (Swarm mode not enabled) 
 +[PASS] 7.4 - Ensure that all Docker swarm overlay networks are encrypted (Automated) 
 +[PASS] 7.5 - Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Manual) (Swarm mode not enabled) 
 +[PASS] 7.6 - Ensure that swarm manager is run in auto-lock mode (Automated) (Swarm mode not enabled) 
 +[PASS] 7.7 - Ensure that the swarm manager auto-lock key is rotated periodically (Manual) (Swarm mode not enabled) 
 +[PASS] 7.8 - Ensure that node certificates are rotated as appropriate (Manual) (Swarm mode not enabled) 
 +[PASS] 7.9 - Ensure that CA certificates are rotated as appropriate (Manual) (Swarm mode not enabled) 
 +[PASS] 7.10 - Ensure that management plane traffic is separated from data plane traffic (Manual) (Swarm mode not enabled) 
 + 
 + 
 +Section C - Score 
 + 
 +[INFO] Checks: 86 
 +[INFO] Score: 1
 </code> </code>
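Review bot: the section 2 block of this output does not match the rest of the run. Its lines carry the "(Scored)" tag and its heading lacks the section number ("[INFO] Docker daemon configuration" instead of "[INFO] 2 - Docker daemon configuration"), while every other section uses the "(Automated)" / "(Manual)" tags that go with the "Docker Bench for Security v1.6.0" header, so this block appears pasted from an older run and should be re-captured from the same execution. Two smaller things: "# Docker, Inc(c) 2015-2023" needs a space before "(c)", and section 7 reports "Swarm mode not enabled" on a host the page uses as a swarm manager for "docker secret" and "docker stack" earlier; a sentence saying the bench was run before the swarm was initialised would stop the reader doubting the output.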
  
Ligne 358: Ligne 479:
  
   * **[PASS]**: Concerns points that do not need to be modified,   * **[PASS]**: Concerns points that do not need to be modified,
-  * WARN]**: Refers to items that **need** to be modified, +  * **[WARN]**: Refers to items that **need** to be modified, 
-  * INFO]**: Refers to points that need to be reviewed according to the needs of your configuration, +  * **[INFO]**: Refers to points that need to be reviewed according to the needs of your configuration, 
-  * NOTE]**: Informs you of **best practice**.+  * **[NOTE]**: Informs you of **best practice**.
  
 =====LAB #4 - Securing the Docker Host Configuration===== =====LAB #4 - Securing the Docker Host Configuration=====
Ligne 369: Ligne 490:
 ... ...
 [INFO] 1 - Host Configuration [INFO] 1 - Host Configuration
- +[INFO] 1.1 - Linux Hosts Specific Configuration 
-[INFO] 1.1 - General Configuration +[WARN] 1.1.1 - Ensure a separate partition for containers has been created (Automated) 
-[NOTE] 1.1.1 - Ensure the container host has been Hardened +[INFO] 1.1.2 - Ensure only trusted users are allowed to control Docker daemon (Automated) 
-[INFO] 1.1.2 - Ensure Docker is up to date +[INFO]       Users: trainee 
-[INFO] * Using 19.03.4, verify is it up to date as deemed necessary +[WARN] 1.1.3 - Ensure auditing is configured for the Docker daemon (Automated) 
-[INFO] * Your operating system vendor may provide support and security maintenance for Docker +[WARN] 1.1.4 - Ensure auditing is configured for Docker files and directories -/run/containerd (Automated) 
- +[WARN] 1.1.5 - Ensure auditing is configured for Docker files and directories - /var/lib/docker (Automated) 
-[INFO] 1.2 - Linux Hosts Specific Configuration +[WARN] 1.1.- Ensure auditing is configured for Docker files and directories - /etc/docker (Automated) 
-[WARN] 1.2.1 - Ensure a separate partition for containers has been created +[WARN] 1.1.- Ensure auditing is configured for Docker files and directories - docker.service (Automated) 
-[INFO] 1.2.2 - Ensure only trusted users are allowed to control Docker daemon +[INFO] 1.1.8 - Ensure auditing is configured for Docker files and directories - containerd.sock (Automated) 
-[INFO] * docker:x:999:trainee +[INFO]        * File not found 
-[WARN] 1.2.3 - Ensure auditing is configured for the Docker daemon +[WARN] 1.1.- Ensure auditing is configured for Docker files and directories - docker.socket (Automated) 
-[WARN] 1.2.4 - Ensure auditing is configured for Docker files and directories - /var/lib/docker +[WARN] 1.1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker (Automated) 
-[WARN] 1.2.- Ensure auditing is configured for Docker files and directories - /etc/docker +[INFO] 1.1.11 - Ensure auditing is configured for Dockerfiles and directories - /etc/docker/daemon.json (Automated) 
-[WARN] 1.2.- Ensure auditing is configured for Docker files and directories - docker.service +[INFO]        * File not found 
-[WARN] 1.2.- Ensure auditing is configured for Docker files and directories - docker.socket +[WARN] 1.1.12 - 1.1.12 Ensure auditing is configured for Dockerfiles and directories - /etc/containerd/config.toml (Automated) 
-[WARN] 1.2.- Ensure auditing is configured for Docker files and directories - /etc/default/docker +[INFO] 1.1.13 - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Automated) 
-[INFO] 1.2.- Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker +[INFO]        * File not found 
-[INFO] * File not found +[WARN] 1.1.14 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Automated) 
-[INFO] 1.2.10 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json +[WARN] 1.1.15 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim (Automated) 
-[INFO] * File not found +[INFO] 1.1.16 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v1 (Automated) 
-[WARN] 1.2.11 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd +[INFO]         * File not found 
-[INFO] 1.2.12 - Ensure auditing is configured for Docker files and directories - /usr/sbin/runc +[INFO] 1.1.17 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v2 (Automated) 
-[INFO] * File not found+[INFO]         * File not found 
 +[WARN] 1.1.18 - Ensure auditing is configured for Docker files and directories - /usr/bin/runc (Automated) 
 +[INFO] 1.2 - General Configuration 
 +[NOTE] 1.2.1 - Ensure the container host has been Hardened (Manual) 
 +[PASS] 1.2.2 - Ensure that the version of Docker is up to date (Manual) 
 +[INFO]        * Using 19.03.4, verify is it up to date as deemed necessary
 ... ...
 </file> </file>
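Review bot: the excerpt line "[INFO]       Users: trainee" lost the "* " bullet that the full output above shows ("[INFO]       * Users: trainee"); since this block is presented as a copy of that output, keep it identical.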
Ligne 398: Ligne 524:
 Security issues that should be addressed are indicated by **[WARN]** annotations. Security issues that should be addressed are indicated by **[WARN]** annotations.
  
-====4.1 - [WARN] 1.2.1 - Ensure a separate partition for containers has been created====+====[WARN] 1.1.1 - Ensure a separate partition for containers has been created (Automated)====
  
 By default, all Docker files are stored in the **/var/lib/docker** directory, including all images, all containers and all volumes. On a host system with only one partition there is a risk, just like the risk associated with the **/var/log/** directory, that the disk will become saturated. By default, all Docker files are stored in the **/var/lib/docker** directory, including all images, all containers and all volumes. On a host system with only one partition there is a risk, just like the risk associated with the **/var/log/** directory, that the disk will become saturated.
  
-====4.2 - [WARN] 1.2.3 - Ensure auditing is configured for the Docker daemon====+====[WARN] 1.1.3 - Ensure auditing is configured for the Docker daemon (Automated)====
  
 <file> <file>
-[WARN] 1.2.4 - Ensure auditing is configured for Docker files and directories - /var/lib/docker +[WARN] 1.1.4 - Ensure auditing is configured for Docker files and directories -/run/containerd (Automated) 
-[WARN] 1.2.- Ensure auditing is configured for Docker files and directories - /etc/docker +[WARN] 1.1.5 - Ensure auditing is configured for Docker files and directories - /var/lib/docker (Automated) 
-[WARN] 1.2.- Ensure auditing is configured for Docker files and directories - docker.service +[WARN] 1.1.- Ensure auditing is configured for Docker files and directories - /etc/docker (Automated) 
-[WARN] 1.2.- Ensure auditing is configured for Docker files and directories - docker.socket +[WARN] 1.1.- Ensure auditing is configured for Docker files and directories - docker.service (Automated) 
-[WARN] 1.2.- Ensure auditing is configured for Docker files and directories - /etc/default/docker +[WARN] 1.1.- Ensure auditing is configured for Docker files and directories - docker.socket (Automated) 
-[WARN] 1.2.11 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd+[WARN] 1.1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker (Automated) 
 +[WARN] 1.1.12 - Ensure auditing is configured for Dockerfiles and directories - /etc/containerd/config.toml (Automated) 
 +[WARN] 1.1.14 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Automated) 
 +[WARN] 1.1.15 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim (Automated) 
 +[WARN] 1.1.18 - Ensure auditing is configured for Docker files and directories - /usr/bin/runc (Automated)
 </file> </file>
  
 These warnings are present because **auditd** is not installed and because there are no rules specific to the Docker daemon and its associated directories and files.  These warnings are present because **auditd** is not installed and because there are no rules specific to the Docker daemon and its associated directories and files. 
 +
 +Edit the **/etc/apt/sources.list** file as follows:
 +
 +<code>
 +root@manager:~/docker-bench-security# vi /etc/apt/sources.list
 +
 +root@manager:~/docker-bench-security# cat /etc/apt/sources.list
 +deb http://archive.debian.org/debian/ stretch main
 +deb-src http://archive.debian.org/debian/ stretch main
 +deb http://archive.debian.org/debian-security stretch/updates main
 +deb-src http://archive.debian.org/debian-security stretch/updates main
 +deb [arch=amd64] https://download.docker.com/linux/debian stretch stable
 +</code>
 +
 +Execute the **apt-update** command:
 +
 +<code>
 +root@manager:~/docker-bench-security# apt update
 +Ign:1 http://archive.debian.org/debian stretch InRelease
 +Atteint:2 http://archive.debian.org/debian-security stretch/updates InRelease
 +Atteint:3 http://archive.debian.org/debian stretch Release
 +Réception de:4 https://download.docker.com/linux/debian stretch InRelease [44,8 kB]
 +44,8 ko réceptionnés en 0s (107 ko/s)                     
 +Lecture des listes de paquets... Fait
 +Construction de l'arbre des dépendances       
 +Lecture des informations d'état... Fait
 +254 packages can be upgraded. Run 'apt list --upgradable' to see them.
 +</code>
  
 To install auditd, use **apt-get** :  To install auditd, use **apt-get** : 
  
 <code> <code>
-root@manager:~/docker-bench-security# apt-get install auditd+root@manager:~/docker-bench-security# apt-get install auditd -y
 </code> </code>
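Review bot: the check numbers in this hunk change from 1.2.x to 1.1.x and gain an "(Automated)" suffix, which means the new revision runs a newer docker-bench-security than the one the old output and the section headings were written against; state which release or commit of docker-bench-security is cloned so a reader on a different version is not confused when the numbers do not match. Three smaller points in the added apt section: the sentence "Execute the **apt-update** command" should name the command as it is typed, "apt update"; the new sources.list points at archive.debian.org, i.e. stretch is archived and no longer receives security updates, which deserves a sentence on a security lab page; and the apt output is in French on an English page, so either capture it with LANG=C or add a note about the locale.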
  
Ligne 425: Ligne 583:
 <code> <code>
 root@manager:~/docker-bench-security# vi /etc/audit/rules.d/audit.rules root@manager:~/docker-bench-security# vi /etc/audit/rules.d/audit.rules
 +
 root@manager:~/docker-bench-security# cat /etc/audit/rules.d/audit.rules root@manager:~/docker-bench-security# cat /etc/audit/rules.d/audit.rules
 ## First rule - delete all ## First rule - delete all
Ligne 450: Ligne 609:
 -w /usr/bin/docker-runc -p wa -w /usr/bin/docker-runc -p wa
 -w /usr/bin/containerd -p wa -w /usr/bin/containerd -p wa
 +-w /run/containerd -p wa
 +-w /etc/containerd/config.toml -p wa
 +-w /usr/bin/containerd-shim -p wa
 +-w /usr/bin/runc -p wa
 </code> </code>
  
-<WRAP center round important 60%>+<WRAP center round important 50%>
 **Important**: The **-w** option indicates **watch** and concerns the file that follows. The **-p** option logs any changes. **Important**: The **-w** option indicates **watch** and concerns the file that follows. The **-p** option logs any changes.
 </WRAP> </WRAP>
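Review bot: the Important box says "The **-p** option logs any changes", but the permission string used in every rule is "wa", which records only write and attribute-change accesses (reads and executes are not logged); say "-p wa logs writes and attribute changes" so the reader understands why these watches do not generate an event on every container start. The four added watches (/run/containerd, /etc/containerd/config.toml, /usr/bin/containerd-shim, /usr/bin/runc) line up one-to-one with the four new 1.1.x checks in the earlier hunk, which is worth a sentence so the reader sees why they were added.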
Ligne 481: Ligne 644:
 -w /usr/bin/docker-runc -p wa -w /usr/bin/docker-runc -p wa
 -w /usr/bin/containerd -p wa -w /usr/bin/containerd -p wa
 +-w /run/containerd -p wa
 +-w /etc/containerd/config.toml -p wa
 +-w /usr/bin/containerd-shim -p wa
 +-w /usr/bin/runc -p wa
 </code> </code>
  
-<WRAP center round important 60%>+<WRAP center round important 50%>
 **Important** - For more information about creating custom rules with auditd, see this **[[https://www.linux.com/tutorials/customized-file-monitoring-auditd/|page]]**. **Important** - For more information about creating custom rules with auditd, see this **[[https://www.linux.com/tutorials/customized-file-monitoring-auditd/|page]]**.
 </WRAP> </WRAP>
Ligne 492: Ligne 659:
 root@manager:~/docker-bench-security# ./docker-bench-security.sh  root@manager:~/docker-bench-security# ./docker-bench-security.sh 
 ... ...
-[PASS] 1.2.4 - Ensure auditing is configured for Docker files and directories - /var/lib/docker +[PASS] 1.1.4 - Ensure auditing is configured for Docker files and directories -/run/containerd (Automated) 
-[PASS] 1.2.- Ensure auditing is configured for Docker files and directories - /etc/docker +[PASS] 1.1.5 - Ensure auditing is configured for Docker files and directories - /var/lib/docker (Automated) 
-[PASS] 1.2.- Ensure auditing is configured for Docker files and directories - docker.service +[PASS] 1.1.- Ensure auditing is configured for Docker files and directories - /etc/docker (Automated) 
-[PASS] 1.2.- Ensure auditing is configured for Docker files and directories - docker.socket +[PASS] 1.1.- Ensure auditing is configured for Docker files and directories - docker.service (Automated) 
-[PASS] 1.2.- Ensure auditing is configured for Docker files and directories - /etc/default/docker +[PASS] 1.1.- Ensure auditing is configured for Docker files and directories - docker.socket (Automated) 
-... +[PASS] 1.1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker (Automated) 
-[PASS] 1.2.11 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd+[PASS] 1.1.12 - Ensure auditing is configured for Dockerfiles and directories - /etc/containerd/config.toml (Automated) 
 +[PASS] 1.1.14 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Automated) 
 +[PASS] 1.1.15 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim (Automated) 
 +[PASS] 1.1.18 - Ensure auditing is configured for Docker files and directories - /usr/bin/runc (Automated)
 ... ...
 </code> </code>
Ligne 509: Ligne 679:
 ... ...
 [INFO] 2 - Docker daemon configuration [INFO] 2 - Docker daemon configuration
-[WARN] 2.1 - Ensure network traffic is restricted between containers on the default bridge +[NOTE] 2.1 - Run the Docker daemon as a non-root user, if possible (Manual) 
-[PASS] 2.- Ensure the logging level is set to 'info' +[WARN] 2.2 - Ensure network traffic is restricted between containers on the default bridge (Scored) 
-[PASS] 2.- Ensure Docker is allowed to make changes to iptables +[PASS] 2.- Ensure the logging level is set to 'info' (Scored) 
-[PASS] 2.- Ensure insecure registries are not used +[PASS] 2.- Ensure Docker is allowed to make changes to iptables (Scored) 
-[PASS] 2.- Ensure aufs storage driver is not used +[PASS] 2.- Ensure insecure registries are not used (Scored) 
-[INFO] 2.- Ensure TLS authentication for Docker daemon is configured +[PASS] 2.- Ensure aufs storage driver is not used (Scored) 
-[INFO] * Docker daemon not listening on TCP +[INFO] 2.- Ensure TLS authentication for Docker daemon is configured (Scored) 
-[INFO] 2.- Ensure the default ulimit is configured appropriately +[INFO]      * Docker daemon not listening on TCP 
-[INFO] * Default ulimit doesn't appear to be set +[INFO] 2.- Ensure the default ulimit is configured appropriately (Manual) 
-[WARN] 2.- Enable user namespace support +[INFO]      * Default ulimit doesn't appear to be set 
-[PASS] 2.- Ensure the default cgroup usage has been confirmed +[WARN] 2.- Enable user namespace support (Scored) 
-[PASS] 2.10 - Ensure base device size is not changed until needed +[PASS] 2.10 - Ensure the default cgroup usage has been confirmed (Scored) 
-[WARN] 2.11 - Ensure that authorization for Docker client commands is enabled +[PASS] 2.11 - Ensure base device size is not changed until needed (Scored) 
-[WARN] 2.12 - Ensure centralized and remote logging is configured +[WARN] 2.12 - Ensure that authorization for Docker client commands is enabled (Scored) 
-[PASS] 2.13 - Ensure live restore is Enabled (Incompatible with swarm mode+[WARN] 2.13 - Ensure centralized and remote logging is configured (Scored) 
-[WARN] 2.14 - Ensure Userland Proxy is Disabled +[WARN] 2.14 - Ensure containers are restricted from acquiring new privileges (Scored) 
-[PASS] 2.15 - Ensure that a daemon-wide custom seccomp profile is applied if appropriate +[WARN] 2.15 - Ensure live restore is enabled (Scored
-[PASS] 2.16 - Ensure that experimental features are not implemented in production +[WARN] 2.16 - Ensure Userland Proxy is Disabled (Scored) 
-[WARN] 2.17 - Ensure containers are restricted from acquiring new privileges+[PASS] 2.17 - Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Manual) 
 +[PASS] 2.18 - Ensure that experimental features are not implemented in production (Scored)
 ... ...
 </file> </file>
Ligne 533: Ligne 704:
 Security issues that should be addressed are indicated by the **[WARN]** annotations. Security issues that should be addressed are indicated by the **[WARN]** annotations.
  
-====5.1 - [WARN] 2.- Ensure network traffic is restricted between containers on the default bridge====+====[WARN] 2.- Ensure network traffic is restricted between containers on the default bridge (Scored)====
  
 By default, Docker allows unrestricted network traffic between containers on the same host. However, it is possible to change the default configuration. To prevent this, set the value of **icc** to **false**. In this way, docker creates containers that can communicate with each other **only** if there is a link. By default, Docker allows unrestricted network traffic between containers on the same host. However, it is possible to change the default configuration. To prevent this, set the value of **icc** to **false**. In this way, docker creates containers that can communicate with each other **only** if there is a link.
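Review bot: in the icc paragraph "However, it is possible to change the default configuration. To prevent this, set the value of **icc** to **false**" the pronoun "this" points at changing the configuration rather than at the unrestricted traffic; reword to "To prevent this unrestricted traffic, set ...". The closing clause "only if there is a link" refers to the legacy --link mechanism, and, as the check title itself says, icc applies to the default bridge only, so a sentence noting that containers on user-defined networks are not affected by this setting would avoid a false sense of isolation.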
Ligne 539: Ligne 710:
 For more information, see this **[[https://docs.docker.com/engine/userguide/networking/|page]]**. For more information, see this **[[https://docs.docker.com/engine/userguide/networking/|page]]**.
  
-====5.2 - [WARN] 2.- Enable user namespace support====+====[WARN] 2.- Enable user namespace support (Scored)====
  
 This warning indicates that the use of **user namespaces** is not enabled. The Linux kernel's **user namespaces** support allows a unique range of UIDs and GIDs to be assigned to a process and therefore to a container, outside the traditional range used by the Docker host. The advantage here is that processes with the root UID in the container will be mapped to an unprivileged UID in the Docker host. To use user namespace, you need to set the value of **userns-remap** to **default**. In this case Docker creates a user called **dockremap**. Note that it is also possible to set your own values with **"userns-remap": "user:group "**. This warning indicates that the use of **user namespaces** is not enabled. The Linux kernel's **user namespaces** support allows a unique range of UIDs and GIDs to be assigned to a process and therefore to a container, outside the traditional range used by the Docker host. The advantage here is that processes with the root UID in the container will be mapped to an unprivileged UID in the Docker host. To use user namespace, you need to set the value of **userns-remap** to **default**. In this case Docker creates a user called **dockremap**. Note that it is also possible to set your own values with **"userns-remap": "user:group "**.
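Review bot: the sample value **"userns-remap": "user:group "** has a stray space before the closing quote; in daemon.json that space becomes part of the group name, so it should read "user:group". The heading change drops the "5.2 -" prefix here while the daemon.json heading later in the lab keeps its number; see the note on that hunk.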
Ligne 545: Ligne 716:
 For more information, see this **[[https://docs.docker.com/engine/security/userns-remap/|page]]**. For more information, see this **[[https://docs.docker.com/engine/security/userns-remap/|page]]**.
  
-====5.3 - [WARN] 2.11 - Ensure that authorization for Docker client commands is enabled====+====[WARN] 2.12 - Ensure that authorization for Docker client commands is enabled (Scored)====
  
-By default, Docker allows unrestricted access to Docker daemons. It is possible to restrict access to authenticated users using a plug-in. This line is not important because access to the local Docker socket is restricted to members of the **docker** group (see DOF202 - Docker Host Configuration Security).+By default, Docker allows unrestricted access to Docker daemons. It is possible to restrict access to authenticated users using a plug-in. This line is not important because access to the local Docker socket is restricted to members of the **docker** group.
  
 For more information, see this **[[https://docs.docker.com/engine/extend/plugins_authorization/|page]]**. For more information, see this **[[https://docs.docker.com/engine/extend/plugins_authorization/|page]]**.
  
-====5.4 - [WARN] 2.12 - Ensure centralized and remote logging is configured====+====[WARN] 2.13 - Ensure centralized and remote logging is configured (Scored)====
  
 This warning indicates that the rsyslog configuration does not allow traces to be sent to a remote logging server. It also indicates that the **log-driver** value has not been specified. To enable this configuration, you need to set the **log-driver** value to **syslog** and then configure **syslog** and the **log-opts** value correctly. This warning indicates that the rsyslog configuration does not allow traces to be sent to a remote logging server. It also indicates that the **log-driver** value has not been specified. To enable this configuration, you need to set the **log-driver** value to **syslog** and then configure **syslog** and the **log-opts** value correctly.
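Review bot: the 2.12 paragraph now calls the authorization warning "not important because access to the local Docker socket is restricted to members of the **docker** group", but the same hunk deletes the cross-reference "(see DOF202 - Docker Host Configuration Security)" that backed that claim, and membership in the docker group gives root-equivalent control of the host, so the group restriction is a coarse control rather than a reason to ignore the check; restore the pointer to where the socket permissions are set up, and rephrase to say the warning is accepted for this lab rather than unimportant.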
Ligne 557: Ligne 728:
 For more information, see this **[[https://docs.docker.com/engine/admin/logging/overview/|page]]**. For more information, see this **[[https://docs.docker.com/engine/admin/logging/overview/|page]]**.
  
-====5.- [WARN] 2.14 - Ensure Userland Proxy is Disabled====+====[WARN] 2.14 Ensure containers are restricted from acquiring new privileges (Scored)==== 
 + 
 +By default, a container can escalate privileges using the setuid or setgid binaries. To prevent this, set the **no-new-privileges** value to **true**. 
 + 
 +For more information, see this **[[https://docs.docker.com/engine/userguide/networking/default_network/binding/|page]]**. 
 + 
 +====[WARN] 2.15 - Ensure live restore is enabled (Scored)==== 
 + 
 +The --live-restore option enables full support of daemon-less containers within Docker. It ensures that Docker does not stop containers on shutdown or restore and that it properly reconnects to the container when restarted. 
 + 
 +====[WARN] 2.16 - Ensure Userland Proxy is Disabled (Scored)====
  
 There are two ways for a container to route to the outside world: There are two ways for a container to route to the outside world:
  
   * **Hairpin NAT** mode,   * **Hairpin NAT** mode,
-  * Userland Proxy**.+  * **Userland Proxy**.
  
 It is preferable to use Hairpin NAT mode, which can use iptables and has better performance. Most modern operating systems can use Hairpin NAT mode. To disable Userland Proxy, set **userland-proxy** to **false**. It is preferable to use Hairpin NAT mode, which can use iptables and has better performance. Most modern operating systems can use Hairpin NAT mode. To disable Userland Proxy, set **userland-proxy** to **false**.
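Review bot: the "For more information" link under the new 2.14 no-new-privileges section is the networking/default_network/binding page, the same URL reused under 2.16 Userland Proxy, and it does not cover no-new-privileges; point it at the Docker security page that LAB #6 already links under 4.1 instead. In the added 2.15 paragraph "does not stop containers on shutdown or restore" should read "shutdown or restart", and the caveat the old bench line carried, "(Incompatible with swarm mode)", should be kept here, since the lab goes on to enable live-restore in daemon.json and a swarm manager cannot use it.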
Ligne 568: Ligne 749:
 For more information, see this **[[https://docs.docker.com/engine/userguide/networking/default_network/binding/|page]]**. For more information, see this **[[https://docs.docker.com/engine/userguide/networking/default_network/binding/|page]]**.
  
-====5.6 - [WARN] 2.17 - Ensure containers are restricted from acquiring new privileges==== +====5.- The /etc/docker/daemon.json file ====
- +
-By default, a container can escalate privileges using the setuid or setgid binaries. To prevent this, set the **no-new-privileges** value to **true**. +
- +
-For more information, see this **[[https://docs.docker.com/engine/userguide/networking/default_network/binding/|page]]**. +
- +
-====5.7 - The /etc/docker/daemon.json file ====+
  
 Create the **/etc/docker/daemon.json** file:  Create the **/etc/docker/daemon.json** file: 
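Review bot: "5.1 - The /etc/docker/daemon.json file" keeps its number while the six [WARN] headings above it lose their "5.x -" prefixes in this revision, so the daemon.json section now reads as the first subsection of LAB #5 although it comes last; either drop the number here as well, matching the unnumbered headings in LAB #6, or renumber the whole lab consistently.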
Ligne 580: Ligne 755:
 <code> <code>
 root@manager:~/docker-bench-security# vi /etc/docker/daemon.json root@manager:~/docker-bench-security# vi /etc/docker/daemon.json
 +
 root@manager:~/docker-bench-security# cat /etc/docker/daemon.json root@manager:~/docker-bench-security# cat /etc/docker/daemon.json
 { {
Ligne 590: Ligne 766:
 } }
 </code> </code>
- 
-Note here that **live-restore** is set to **true**. This allows containers to continue running even when the Docker daemon is not running. This is useful during a Docker upgrade. 
  
 Restart the Docker service: Restart the Docker service:
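Review bot: deleting "Note here that **live-restore** is set to **true** ... useful during a Docker upgrade" leaves the live-restore key in the daemon.json just created unexplained, and the explanation is needed more in this revision, where 2.15 is a [WARN] that this file resolves; move the sentence to the 2.15 section instead of dropping it, keeping the point that the setting exists so containers survive a daemon upgrade.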
Ligne 609: Ligne 783:
  
 <code> <code>
-root@manager:~# cd docker-bench-security/ 
 root@manager:~/docker-bench-security# ./docker-bench-security.sh  root@manager:~/docker-bench-security# ./docker-bench-security.sh 
 ... ...
-[PASS] 2.- Ensure network traffic is restricted between containers on the default bridge +[PASS] 2.- Ensure network traffic is restricted between containers on the default bridge (Scored) 
-... +[PASS] 2.3 - Ensure the logging level is set to 'info' (Scored) 
-[PASS] 2.- Enable user namespace support +[PASS] 2.4 - Ensure Docker is allowed to make changes to iptables (Scored) 
-... +[PASS] 2.5 - Ensure insecure registries are not used (Scored) 
-[WARN] 2.11 - Ensure that authorization for Docker client commands is enabled +[PASS] 2.6 - Ensure aufs storage driver is not used (Scored) 
-[PASS] 2.12 - Ensure centralized and remote logging is configured +[PASS] 2.- Enable user namespace support (Scored) 
-... +[PASS] 2.10 - Ensure the default cgroup usage has been confirmed (Scored) 
-[PASS] 2.14 - Ensure Userland Proxy is Disabled +[PASS] 2.11 - Ensure base device size is not changed until needed (Scored) 
-... +[PASS] 2.13 - Ensure centralized and remote logging is configured (Scored) 
-[PASS] 2.17 - Ensure containers are restricted from acquiring new privileges+[PASS] 2.14 - Ensure containers are restricted from acquiring new privileges (Scored) 
 +[PASS] 2.15 - Ensure live restore is enabled (Scored) 
 +[PASS] 2.16 - Ensure Userland Proxy is Disabled (Scored) 
 +[PASS] 2.17 - Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Manual) 
 +[PASS] 2.18 - Ensure that experimental features are not implemented in production (Scored)
 ... ...
 </code> </code>
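Review bot: the rerun listing removes the intermediate "..." markers and leaves out 2.12 (authorization for Docker client commands), which the 2.12 section above said is left as is, so the excerpt now reads as though every check in section 2 passes; keep the [WARN] 2.12 line, or an ellipsis at that position, so the output matches the text. Dropping the "cd docker-bench-security/" line is fine, since the prompt already shows that directory.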
Ligne 629: Ligne 806:
 =====LAB #6 - Securing Images and Construction Files===== =====LAB #6 - Securing Images and Construction Files=====
  
-Create the mysql container:+Create mysql container:
  
 <code> <code>
 +root@manager:~/docker-bench-security# apt install  --only-upgrade docker-ce
 +Lecture des listes de paquets... Fait
 +Construction de l'arbre des dépendances       
 +Lecture des informations d'état... Fait
 +Le paquet suivant a été installé automatiquement et n'est plus nécessaire :
 +  libsasl2-modules
 +Veuillez utiliser « apt autoremove » pour le supprimer.
 +Les paquets suivants seront mis à jour :
 +  docker-ce
 +1 mis à jour, 0 nouvellement installés, 0 à enlever et 252 non mis à jour.
 +Il est nécessaire de prendre 22,7 Mo dans les archives.
 +Après cette opération, 497 ko d'espace disque supplémentaires seront utilisés.
 +Réception de:1 https://download.docker.com/linux/debian stretch/stable amd64 docker-ce amd64 5:19.03.15~3-0~debian-stretch [22,7 MB]
 +22,7 Mo réceptionnés en 0s (26,0 Mo/s)
 +Lecture des fichiers de modifications (« changelog »)... Terminé
 +(Lecture de la base de données... 112865 fichiers et répertoires déjà installés.)
 +Préparation du dépaquetage de .../docker-ce_5%3a19.03.15~3-0~debian-stretch_amd64.deb ...
 +Dépaquetage de docker-ce (5:19.03.15~3-0~debian-stretch) sur (5:19.03.4~3-0~debian-stretch) ...
 +Paramétrage de docker-ce (5:19.03.15~3-0~debian-stretch) ...
 +Traitement des actions différées (« triggers ») pour systemd (232-25+deb9u14) ...
 +
 root@manager:~/docker-bench-security# docker container run -d --name mysql -e MYSQL_ROOT_PASSWORD=password mysql root@manager:~/docker-bench-security# docker container run -d --name mysql -e MYSQL_ROOT_PASSWORD=password mysql
 Unable to find image 'mysql:latest' locally Unable to find image 'mysql:latest' locally
 latest: Pulling from library/mysql latest: Pulling from library/mysql
-80369df48736: Pull complete  +e9f2695d7e5b: Pull complete  
-e8f52315cb10: Pull complete  +80c6055edb33: Pull complete  
-cf2189b391fc: Pull complete  +c646ab461d8b: Pull complete  
-cc98f645c682: Pull complete  +012006c6a591: Pull complete  
-27a27ac83f74: Pull complete  +929d5fa34b95: Pull complete  
-fa1f04453414: Pull complete  +17e0243877fa: Pull complete  
-d45bf7d22d33: Pull complete  +1850b459cd2f: Pull complete  
-3dbac26e409c: Pull complete  +8dceaed53baf: Pull complete  
-9017140fb8c1: Pull complete  +197b834ea1cd: Pull complete  
-b76dda2673ae: Pull complete  +8df78c25b227: Pull complete  
-bea9eb46d12a: Pull complete  +Digest: sha256:ceb98918916bd5261b3e9866ac8271d75d276b8a4db56f1dc190770342a77a9b
-e1f050a38d0f: Pull complete  +
-Digest: sha256:7345ce4ce6f0c1771d01fa333b8edb2c606ca59d385f69575f8e3e2ec6695eee+
 Status: Downloaded newer image for mysql:latest Status: Downloaded newer image for mysql:latest
-54606c03c52c5e3ec0328029d69b869d4b285fb433015576dedc8b8dd4ad0494+e503dd98f88992ae6ed5ec4dcaa2e18982ade8ec74966869515a120763418f74 
 root@manager:~/docker-bench-security# docker ps -a root@manager:~/docker-bench-security# docker ps -a
-CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES +CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                 NAMES 
-54606c03c52c mysql "docker-entrypoint.s...5 seconds ago Up 4 seconds 3306/tcp, 33060/tcp mysql+e503dd98f889        mysql               "docker-entrypoint.s  2 minutes ago       Up 2 minutes        3306/tcp, 33060/tcp   mysql
 </code> </code>
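Review bot: the docker-ce upgrade (5:19.03.4 to 5:19.03.15, via "apt install  --only-upgrade docker-ce") is dropped into the mysql code block with no sentence saying why it is done at this point, and its output is in French; give it its own sentence and code block before the container creation, and restore the article in the lead-in, which this revision shortens from "Create the mysql container:" to "Create mysql container:". Since this is a security lab, a sentence next to the unchanged "-e MYSQL_ROOT_PASSWORD=password" saying that this is a lab convenience, not the way a root password should be supplied, would be appropriate.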
  
Ligne 661: Ligne 858:
 ... ...
 [INFO] 4 - Container Images and Build File [INFO] 4 - Container Images and Build File
-[WARN] 4.1 - Ensure a user for the container has been created +[WARN] 4.1 - Ensure that a user for the container has been created (Automated) 
-[WARN] * Running as root: mysql +[WARN]      * Running as root: mysql 
-[NOTE] 4.2 - Ensure that containers use only trusted base images +[NOTE] 4.2 - Ensure that containers use only trusted base images (Manual) 
-[NOTE] 4.3 - Ensure that unnecessary packages are not installed in the container +[NOTE] 4.3 - Ensure that unnecessary packages are not installed in the container (Manual) 
-[NOTE] 4.4 - Ensure images are scanned and rebuilt to include security patches +[NOTE] 4.4 - Ensure images are scanned and rebuilt to include security patches (Manual) 
-[WARN] 4.5 - Ensure Content trust for Docker is Enabled +[WARN] 4.5 - Ensure Content trust for Docker is Enabled (Automated) 
-[WARN] 4.6 - Ensure that HEALTHCHECK instructions have been added to container images +[WARN] 4.6 - Ensure that HEALTHCHECK instructions have been added to container images (Automated) 
-[WARN] * No Healthcheck found: [alpine:latest] +[WARN]      * No Healthcheck found: [mysql:latest] 
-[WARN] * No Healthcheck found: [mysql:latest] +[PASS] 4.7 - Ensure update instructions are not used alone in the Dockerfile (Manual) 
-[INFO] 4.7 - Ensure update instructions are not use alone in the Dockerfile +[NOTE] 4.8 - Ensure setuid and setgid permissions are removed (Manual) 
-[INFO] * Update instruction found: [mysql:latest] +[PASS] 4.9 - Ensure that COPY is used instead of ADD in Dockerfiles (Manual) 
-[NOTE] 4.8 - Ensure setuid and setgid permissions are removed +[NOTE] 4.10 - Ensure secrets are not stored in Dockerfiles (Manual) 
-[PASS] 4.9 - Ensure that COPY is used instead of ADD in Dockerfiles +[NOTE] 4.11 - Ensure only verified packages are installed (Manual) 
-[NOTE] 4.10 - Ensure secrets are not stored in Dockerfiles +[NOTE] 4.12 - Ensure all signed artifacts are validated (Manual)
-[NOTE] 4.11 - Ensure only verified packages are installed+
 ... ...
 </code> </code>
  
-====6.1 - [WARN] 4.1 - Ensure a user for the container has been created====+====[WARN] 4.1 - Ensure that a user for the container has been created (Automated)====
  
 The processes in the **mysql** container run under the root UID. This is the default Docker action. The processes in the **mysql** container run under the root UID. This is the default Docker action.
Ligne 685: Ligne 881:
 For more information, see this **[[https://docs.docker.com/engine/security/security/|page]]**. For more information, see this **[[https://docs.docker.com/engine/security/security/|page]]**.
  
-====6.2 - [WARN] 4.5 - Ensure Content trust for Docker is Enabled====+====[WARN] 4.5 - Ensure Content trust for Docker is Enabled (Automated)====
  
 This line indicates that Content trust support has not been enabled. Content trust ensures that the images used are signed. This line indicates that Content trust support has not been enabled. Content trust ensures that the images used are signed.
Ligne 694: Ligne 890:
 root@manager:~/docker-bench-security# echo "DOCKER_CONTENT_TRUST=1" | sudo tee -a /etc/environment root@manager:~/docker-bench-security# echo "DOCKER_CONTENT_TRUST=1" | sudo tee -a /etc/environment
 DOCKER_CONTENT_TRUST=1 DOCKER_CONTENT_TRUST=1
 +
 root@manager:~/docker-bench-security# source /etc/environment root@manager:~/docker-bench-security# source /etc/environment
 </code> </code>
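Review bot: "source /etc/environment" on the last line only sets DOCKER_CONTENT_TRUST=1 as a shell variable in the current shell: /etc/environment is read by PAM at login, not by the shell, and "source" does not export the value, so the docker client in this session still runs without content trust, which is presumably why the new revision reboots and logs in again in the next hunk; say that explicitly, or add "export DOCKER_CONTENT_TRUST=1" for the current session alongside the /etc/environment entry.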
Ligne 700: Ligne 897:
  
 <code> <code>
-root@manager:~/docker-bench-security# docker container start mysql+root@manager:~/docker-bench-security# reboot 
 +Connection to 10.0.2.62 closed by remote host. 
 +Connection to 10.0.2.62 closed. 
 + 
 +root@debian11:~# ssh -l trainee 10.0.2.62 
 +trainee@10.0.2.62's password: trainee 
 +Linux manager.i2tch.loc 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 
 + 
 +The programs included with the Debian GNU/Linux system are free software; 
 +the exact distribution terms for each program are described in the 
 +individual files in /usr/share/doc/*/copyright. 
 + 
 +Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent 
 +permitted by applicable law. 
 +Last login: Sun Dec 17 18:39:07 2023 from 10.0.2.46 
 + 
 +trainee@manager:~$ su - 
 +Mot de passe : fenestros 
 + 
 +root@manager:~# cd docker-bench-security/ 
 + 
 +root@manager:~/docker-bench-security# 
 + 
 +root@manager:~/docker-bench-security# docker start mysql
 mysql mysql
-root@manager:~/docker-bench-security# docker ps -a 
-CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 
-54606c03c52c mysql "docker-entrypoint.s..."   10 minutes ago Up 2 seconds 3306/tcp, 33060/tcp mysql 
 </code> </code>
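Review bot: the login transcript prints both passwords in clear ("trainee@10.0.2.62's password: trainee" and "Mot de passe : fenestros"), which a real session never echoes; strip them from the page, since they are lab credentials and the listing otherwise teaches readers to paste secrets into documentation. The old "docker ps -a" check after the start was also removed, so the reader no longer sees that the container is up before the bench is rerun; keep it.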
  
Ligne 713: Ligne 930:
 ... ...
 [INFO] 4 - Container Images and Build File [INFO] 4 - Container Images and Build File
-[WARN] 4.1 - Ensure a user for the container has been created +[WARN] 4.1 - Ensure that a user for the container has been created (Automated) 
-[WARN] * Running as root: mysql +[WARN]      * Running as root: mysql 
-[NOTE] 4.2 - Ensure that containers use only trusted base images +[NOTE] 4.2 - Ensure that containers use only trusted base images (Manual) 
-[NOTE] 4.3 - Ensure that unnecessary packages are not installed in the container +[NOTE] 4.3 - Ensure that unnecessary packages are not installed in the container (Manual) 
-[NOTE] 4.4 - Ensure images are scanned and rebuilt to include security patches +[NOTE] 4.4 - Ensure images are scanned and rebuilt to include security patches (Manual) 
-[PASS] 4.5 - Ensure Content trust for Docker is Enabled +[PASS] 4.5 - Ensure Content trust for Docker is Enabled (Automated) 
-[WARN] 4.6 - Ensure that HEALTHCHECK instructions have been added to container images +[WARN] 4.6 - Ensure that HEALTHCHECK instructions have been added to container images (Automated) 
-[WARN] * No Healthcheck found: [alpine:latest] +[WARN]      * No Healthcheck found: [mysql:latest] 
-[WARN] * No Healthcheck found: [mysql:latest] +[PASS] 4.7 - Ensure update instructions are not used alone in the Dockerfile (Manual) 
-[INFO] 4.7 - Ensure update instructions are not use alone in the Dockerfile +[NOTE] 4.8 - Ensure setuid and setgid permissions are removed (Manual) 
-[INFO] * Update instruction found: [mysql:latest] +[PASS] 4.9 - Ensure that COPY is used instead of ADD in Dockerfiles (Manual) 
-[NOTE] 4.8 - Ensure setuid and setgid permissions are removed +[NOTE] 4.10 - Ensure secrets are not stored in Dockerfiles (Manual) 
-[PASS] 4.9 - Ensure that COPY is used instead of ADD in Dockerfiles +[NOTE] 4.11 - Ensure only verified packages are installed (Manual) 
-[NOTE] 4.10 - Ensure secrets are not stored in Dockerfiles +[NOTE] 4.12 - Ensure all signed artifacts are validated (Manual)
-[NOTE] 4.11 - Ensure only verified packages are installed+
 ... ...
 </code> </code>
Ligne 733: Ligne 949:
 For more information, see this **[[https://docs.docker.com/engine/security/trust/content_trust/|page]]**. For more information, see this **[[https://docs.docker.com/engine/security/trust/content_trust/|page]]**.
  
-====6.3 - [WARN] 4.6 - Ensure that HEALTHCHECK instructions have been added to container images====+====[WARN] 4.6 - Ensure that HEALTHCHECK instructions have been added to container images====
  
 When an image is built, it is possible to add a **HEALTHCHECK** whose status can be checked by Docker in order to restart the container if necessary.  When an image is built, it is possible to add a **HEALTHCHECK** whose status can be checked by Docker in order to restart the container if necessary. 
Ligne 755: Ligne 971:
 ... ...
 [INFO] 5 - Container Runtime [INFO] 5 - Container Runtime
-[WARN] 5.1 - Ensure that, if applicable, an AppArmor Profile is enabled  +[WARN] 5.1 - Ensure that, if applicable, an AppArmor Profile is enabled (Automated) 
-[WARN] * No AppArmorProfile Found: mysql +[WARN]      * No AppArmorProfile Found: mysql 
-[WARN] 5.2 - Ensure that, if applicable, SELinux security options are set +[WARN] 5.2 - Ensure that, if applicable, SELinux security options are set (Automated) 
-[WARN] * No SecurityOptions Found: mysql +[WARN]      * No SecurityOptions Found: mysql 
-[PASS] 5.3 - Ensure Linux Kernel Capabilities are restricted within containers +[PASS] 5.3 - Ensure that Linux kernel capabilities are restricted within containers (Automated) 
-[PASS] 5.4 - Ensure that privileged containers are not used +[PASS] 5.4 - Ensure that privileged containers are not used (Automated) 
-[PASS] 5.5 - Ensure sensitive host system directories are not mounted on containers +[PASS] 5.5 - Ensure sensitive host system directories are not mounted on containers (Automated) 
-[PASS] 5.6 - Ensure sshd is not run within containers +[PASS] 5.6 - Ensure sshd is not run within containers (Automated) 
-[PASS] 5.7 - Ensure privileged ports are not mapped within containers +[PASS] 5.7 - Ensure privileged ports are not mapped within containers (Automated) 
-[NOTE] 5.8 - Ensure that only needed ports are open on the container +[PASS] 5.8 - Ensure that only needed ports are open on the container (Manual) 
-[PASS] 5.9 - Ensure the host's network namespace is not shared +[PASS] 5.9 - Ensure that the host's network namespace is not shared (Automated) 
-[WARN] 5.10 - Ensure that the memory usage for containers is limited +[WARN] 5.10 - Ensure that the memory usage for containers is limited (Automated) 
-[WARN] * Container running without memory restrictions: mysql +[WARN]       * Container running without memory restrictions: mysql 
-[WARN] 5.11 - Ensure CPU priority is set appropriately on the container +[WARN] 5.11 - Ensure that CPU priority is set appropriately on containers (Automated) 
-[WARN] * Container running without CPU restrictions: mysql +[WARN]       * Container running without CPU restrictions: mysql 
-[WARN] 5.12 - Ensure that the container's root filesystem is mounted as read only +[WARN] 5.12 - Ensure that the container's root filesystem is mounted as read only (Automated) 
-[WARN] * Container running with root FS mounted R/W: mysql +[WARN]       * Container running with root FS mounted R/W: mysql 
-[PASS] 5.13 - Ensure that incoming container traffic is bound to a specific host interface +[PASS] 5.13 - Ensure that incoming container traffic is bound to a specific host interface (Automated) 
-[WARN] 5.14 - Ensure that the 'on-failure' container restart policy is set to '5' +[WARN] 5.14 - Ensure that the 'on-failure' container restart policy is set to '5' (Automated) 
-[WARN] * MaximumRetryCount is not set to 5: mysql +[WARN]       * MaximumRetryCount is not set to 5: mysql 
-[PASS] 5.15 - Ensure the host's process namespace is not shared +[PASS] 5.15 - Ensure that the host's process namespace is not shared (Automated) 
-[PASS] 5.16 - Ensure the host's IPC namespace is not shared +[PASS] 5.16 - Ensure that the host's IPC namespace is not shared (Automated) 
-[PASS] 5.17 - Ensure that host devices are not directly exposed to containers +[PASS] 5.17 - Ensure that host devices are not directly exposed to containers (Manual) 
-[INFO] 5.18 - Ensure that the default ulimit is overwritten at runtime if needed +[INFO] 5.18 - Ensure that the default ulimit is overwritten at runtime if needed (Manual) 
-[INFO] * Container no default ulimit override: mysql +[INFO]       * Container no default ulimit override: mysql 
-[PASS] 5.19 - Ensure mount propagation mode is not set to shared +[PASS] 5.19 - Ensure mount propagation mode is not set to shared (Automated) 
-[PASS] 5.20 - Ensure the host's UTS namespace is not shared +[PASS] 5.20 - Ensure that the host's UTS namespace is not shared (Automated) 
-[PASS] 5.21 - Ensure the default seccomp profile is not Disabled +[PASS] 5.21 - Ensure the default seccomp profile is not Disabled (Automated) 
-[NOTE] 5.22 - Ensure docker exec commands are not used with privileged option +[NOTE] 5.22 - Ensure that docker exec commands are not used with the privileged option (Automated) 
-[NOTE] 5.23 - Ensure that docker exec commands are not used with the user=root option +[NOTE] 5.23 - Ensure that docker exec commands are not used with the user=root option (Manual) 
-[PASS] 5.24 - Ensure that cgroup usage is confirmed +[PASS] 5.24 - Ensure that cgroup usage is confirmed (Automated) 
-[WARN] 5.25 - Ensure that the container is restricted from acquiring additional privileges +[PASS] 5.25 - Ensure that the container is restricted from acquiring additional privileges (Automated) 
-[WARN] * Privileges not restricted: mysql +[WARN] 5.26 - Ensure that container health is checked at runtime (Automated) 
-[WARN] 5.26 - Ensure that container health is checked at runtime +[WARN]       * Health check not set: mysql 
-[WARN] * Health check not set: mysql +[INFO] 5.27 - Ensure that Docker commands always make use of the latest version of their image (Manual) 
-[INFO] 5.27 - Ensure that Docker commands always make use of the latest version of their image +[WARN] 5.28 - Ensure that the PIDs cgroup limit is used (Automated) 
-[WARN] 5.28 - Ensure that the PIDs cgroup limit is used +[WARN]       * PIDs limit not set: mysql 
-[WARN] * PIDs limit not set: mysql +[INFO] 5.29 - Ensure that Docker's default bridge 'docker0' is not used (Manual) 
-[INFO] 5.29 - Ensure that Docker's default bridge 'docker0' is not used +[INFO]       * Container in docker0 network: mysql 
-[INFO] * Container in docker0 network: mysql +[PASS] 5.30 - Ensure that the host's user namespaces are not shared (Automated) 
-[PASS] 5.30 - Ensure that the host's user namespaces are not shared +[PASS] 5.31 - Ensure that the Docker socket is not mounted inside any containers (Automated)
-[PASS] 5.31 - Ensure that the Docker socket is not mounted inside any containers+
 ... ...
 </code> </code>
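Review bot: check 5.25 changes from [WARN] with the detail line "* Privileges not restricted: mysql" to [PASS], but nothing in this hunk says what changed for the mysql container to make it pass; add a sentence stating which setting now satisfies 5.25 (the container itself is still started without --security-opt at this point in the page), otherwise readers will conclude the no-new-privileges control is no longer needed even though the final run command further down still passes it.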
Ligne 802: Ligne 1017:
 Security issues that should be addressed are indicated by **[WARN]** annotations. Security issues that should be addressed are indicated by **[WARN]** annotations.
  
-====7.1 - [WARN] 5.1 - Ensure AppArmor Profile is Enabled====+====[WARN] 5.1 - Ensure that, if applicable, an AppArmor Profile is enabled (Automated)====
  
 This warning is present because the container does not use AppArmor. This warning is present because the container does not use AppArmor.
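Review bot: the "7.x - " prefixes are stripped from every section 7 heading in this diff, but the heading at the end of the diff still reads "====9.5 - Client configuration====", so the page now mixes numbered and unnumbered headings; either keep the numbering in section 7 or strip it in section 9 as well.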
Ligne 808: Ligne 1023:
 For more information, see this **[[https://cloud.google.com/container-optimized-os/docs/how-to/secure-apparmor|page]]**. For more information, see this **[[https://cloud.google.com/container-optimized-os/docs/how-to/secure-apparmor|page]]**.
  
-====7.2 - [WARN] 5.2 - Ensure SELinux security options are set, if applicable====+====[WARN] 5.2 - Ensure that, if applicable, SELinux security options are set (Automated)====
  
 This warning is present because the container does not use SELinux. This warning is present because the container does not use SELinux.
Ligne 814: Ligne 1029:
 For more information, see this **[[https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html/container_security_guide/docker_selinux_security_policy|page]]**. For more information, see this **[[https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html/container_security_guide/docker_selinux_security_policy|page]]**.
  
-====7.3 - [WARN] 5.10 - Ensure memory usage for container is limited====+====[WARN] 5.10 - Ensure that the memory usage for containers is limited (Automated)====
  
 This warning is due to the fact that containers automatically have access to the entire RAM of the Docker host : This warning is due to the fact that containers automatically have access to the entire RAM of the Docker host :
  
 <code> <code>
-root@manager:~# docker run -d -p 8081:80 nginx +root@manager:~/docker-bench-security# docker run -d -p 8081:80 nginx 
-b04b2a6f0dd93da21a8b7640afc319406e42868a141f90936dbcf52ab5bffb0d +Unable to find image 'nginx:latest' locally 
-root@manager:~# docker stats +sha256:10d1f5b58f74683ad34eb29287e07dab1e90f10af243f151bb50aa5dbb4d62ee: Pulling from library/nginx 
-CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS +1f7ce2fa46ab: Pull complete  
-b04b2a6f0dd9 dazzling_blackburn 0.00% 1.789MiB / 1.957GiB 0.09% 2.38kB / 0B 0B / 0B 2+9b16c94bb686: Pull complete  
 +9a59d19f9c5b: Pull complete  
 +9ea27b074f71: Pull complete  
 +c6edf33e2524: Pull complete  
 +84b1ff10387b: Pull complete  
 +517357831967: Pull complete  
 +Digest: sha256:10d1f5b58f74683ad34eb29287e07dab1e90f10af243f151bb50aa5dbb4d62ee 
 +Status: Downloaded newer image for nginx@sha256:10d1f5b58f74683ad34eb29287e07dab1e90f10af243f151bb50aa5dbb4d62ee 
 +Tagging nginx@sha256:10d1f5b58f74683ad34eb29287e07dab1e90f10af243f151bb50aa5dbb4d62ee as nginx:latest 
 +e14d5112c2feb71e6f37252bcf99d03603d6b7a3e200bff0d55611a0e9a25e2b 
 + 
 +root@manager:~/docker-bench-security# docker stats 
 +CONTAINER ID        NAME                CPU %               MEM USAGE / LIMIT     MEM %               NET I/O             BLOCK I/O           PIDS 
 +e14d5112c2fe        strange_bassi       0.00%               2.215MiB / 1.957GiB   0.11              2.16kB / 0B         0B / 0B             2 
 +e503dd98f889        mysql               0.51%               351.3MiB / 1.957GiB   17.53%              5.54kB / 0B         167MB / 118MB       37
 ^C ^C
 </code> </code>
Ligne 830: Ligne 1059:
  
 <code> <code>
-root@manager:~# docker ps -a +root@manager:~/docker-bench-security# docker ps -a 
-CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES +CONTAINER ID        IMAGE               COMMAND                  CREATED              STATUS              PORTS                  NAMES 
-b04b2a6f0dd9 nginx "nginx -g 'daemon of..."   About a minute ago Up About a minute 0.0.0.0:8081->80/tcp dazzling_blackburn +e14d5112c2fe        nginx               "/docker-entrypoint.  About a minute ago   Up About a minute   0.0.0.0:8081->80/tcp   strange_bassi 
-5b31fe1e13bc ubuntu "bash -c ':() { : | ..."   14 minutes ago Exited (254) 13 minutes ago pensive_fermat +e503dd98f889        mysql               "docker-entrypoint.s  18 minutes ago       Up 7 minutes        3306/tcp, 33060/tcp    mysql 
-7788c67c3b69 mysql "docker-entrypoint.s...  About an hour ago Exited (255) 18 minutes ago 3306/tcp, 33060/tcp mysql + 
-root@manager:~# docker rm -f b0 +root@manager:~/docker-bench-security# docker rm -f e14 
-b0 +e14 
-root@manager:~# docker run -d -p 8081:80 --memory="256m" nginx + 
-095472e5096a57277230ff94822d9bd0ad479ad26a33cbf83ec381cdb02910e1 +root@manager:~/docker-bench-security# docker run -d -p 8081:80 --memory="256m" nginx 
-root@manager:~# docker stats +38e91e096c83f7cbe78089617a4d70110bd273f53339f8fed8df2503d3cd65ca 
-CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS + 
-095472e5096a affectionate_goldstine 0.00% 1.805MiB / 256MiB 0.70% 2.38kB / 0B 0B / 0B 2+root@manager:~/docker-bench-security# docker stats 
 +CONTAINER ID        NAME                CPU %               MEM USAGE / LIMIT     MEM %               NET I/O             BLOCK I/O           PIDS 
 +38e91e096c83        sweet_vaughan       0.00%               2.223MiB / 256MiB     0.87              2.16kB / 0B         0B / 0B             2 
 +e503dd98f889        mysql               0.49%               351.3MiB / 1.957GiB   17.53%              5.61kB / 0B         167MB / 118MB       37
 ^C ^C
 </code> </code>
Ligne 847: Ligne 1079:
 For more information, see this **[[https://docs.docker.com/config/containers/resource_constraints/|page]]**. For more information, see this **[[https://docs.docker.com/config/containers/resource_constraints/|page]]**.
  
-====7.4 - [WARN] 5.11 - Ensure CPU priority is set appropriately on the container====+====[WARN] 5.11 - Ensure that CPU priority is set appropriately on containers (Automated)====
  
 This warning is due to the fact that containers automatically have access to all CPUs on the Docker host. To limit this access, several options are available, the most commonly used of which is **--cpu-shares**. This warning is due to the fact that containers automatically have access to all CPUs on the Docker host. To limit this access, several options are available, the most commonly used of which is **--cpu-shares**.
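Review bot: "To limit this access ... --cpu-shares" overstates what the option does: --cpu-shares is a relative weight that only matters when CPUs are contended and does not cap how many CPUs the container may use, so the sentence should say it sets a relative priority (which is what check 5.11 asks for) and name --cpus or --cpuset-cpus for an actual limit.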
Ligne 855: Ligne 1087:
 For more information, see this **[[https://docs.docker.com/config/containers/resource_constraints/|page]]**. For more information, see this **[[https://docs.docker.com/config/containers/resource_constraints/|page]]**.
  
-====7.5 - [WARN] 5.12 - Ensure the container's root filesystem is mounted as read only====+====[WARN] 5.12 - Ensure that the container's root filesystem is mounted as read only (Automated)====
  
 To minimise the risk of a container being compromised by the presence of malicious code, it is advisable to start containers as read-only, except for volumes that require read/write access. To minimise the risk of a container being compromised by the presence of malicious code, it is advisable to start containers as read-only, except for volumes that require read/write access.
Ligne 862: Ligne 1094:
  
 <code> <code>
-root@manager:~/docker-bench-security# docker container exec mysql touch /write_a_file+root@manager:~/docker-bench-security# docker exec mysql touch /write_a_file
 </code> </code>
  
Ligne 868: Ligne 1100:
  
 <code> <code>
-root@manager:~/docker-bench-security# docker container diff mysql +root@manager:~/docker-bench-security# docker diff mysql
-A /write_a_file+
 C /run C /run
 C /run/mysqld C /run/mysqld
 +A /run/mysqld/mysqld.pid
 A /run/mysqld/mysqld.sock A /run/mysqld/mysqld.sock
 A /run/mysqld/mysqld.sock.lock A /run/mysqld/mysqld.sock.lock
 A /run/mysqld/mysqlx.sock A /run/mysqld/mysqlx.sock
 A /run/mysqld/mysqlx.sock.lock A /run/mysqld/mysqlx.sock.lock
-A /run/mysqld/mysqld.pid+A /write_a_file
 </code> </code>
  
-<WRAP center round important 60%>+<WRAP center round important 50%>
 **Important**: Note that the output shows changes made to the container. **Important**: Note that the output shows changes made to the container.
 </WRAP> </WRAP>
Ligne 886: Ligne 1118:
  
 <code> <code>
-root@manager:~/docker-bench-security# docker container stop mysql+root@manager:~/docker-bench-security# docker stop mysql
 mysql mysql
-root@manager:~/docker-bench-security# docker container rm mysql+ 
 +root@manager:~/docker-bench-security# docker rm  mysql
 mysql mysql
 </code> </code>
Ligne 895: Ligne 1128:
  
 <code> <code>
-root@manager:~/docker-bench-security# docker container run -d --name mysql --read-only -v /var/lib/mysql -v /tmp -v /var/run/mysqld -e MYSQL_ROOT_PASSWORD=password mysql +root@manager:~/docker-bench-security# docker run -d --name mysql --read-only -v /var/lib/mysql -v /tmp -v /var/run/mysqld -e MYSQL_ROOT_PASSWORD=password mysql 
-7788c67c3b692515f63f4659a8f40af397bfbde97485e2e40c500c16b158045b +711ab28bdfb41220c84246c1658bcde398681a78291bbbe7d3bbfd9bc317d41b
-root@manager:~/docker-bench-security# docker ps -a +
-CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES +
-7788c67c3b69 mysql "docker-entrypoint.s..." 5 seconds ago Up 5 seconds 3306/tcp, 33060/tcp mysql+
 </code> </code>
  
Ligne 905: Ligne 1135:
  
 <code> <code>
-root@manager:~/docker-bench-security# docker container exec mysql touch /write_a_file+root@manager:~/docker-bench-security# docker exec mysql touch /write_a_file
 touch: cannot touch '/write_a_file': Read-only file system touch: cannot touch '/write_a_file': Read-only file system
 </code> </code>
  
-<WRAP center round important 60%>+<WRAP center round important 50%>
 **Important** : Note the error **touch: cannot touch '/write_a_file': Read-only file system**. **Important** : Note the error **touch: cannot touch '/write_a_file': Read-only file system**.
 </WRAP> </WRAP>
  
-Run the **docker container diff** command: +Run the **docker diff** command: 
  
 <code> <code>
-root@manager:~/docker-bench-security# docker container diff mysql+root@manager:~/docker-bench-security# docker diff mysql
 root@manager:~/docker-bench-security#  root@manager:~/docker-bench-security# 
 </code> </code>
  
-<WRAP center round important 60%>+<WRAP center round important 50%>
 **Important**: Note that the command returns no output. This is because the container is read-only, so no changes can be made. **Important**: Note that the command returns no output. This is because the container is read-only, so no changes can be made.
 </WRAP> </WRAP>
  
-====7.6 - [WARN] 5.14 - Ensure 'on-failure' container restart policy is set to '5'====+====[WARN] 5.14 - Ensure that the 'on-failure' container restart policy is set to '5' (Automated)====
  
-This warning concerns the container restart policy. The **on-failure[:max-retries]** policy implies that the container is restarted in the event of a shutdown due to an error that manifests itself as a non-zero return code. The value of **max-retries** is the number of times Docker will try to restart the container. This policy can be set at container startup, for example:+This warning concerns the container restart policy. The **on-failure[:max-retries]** policy implies that the container is restarted in the event of a shutdown due to an error that manifests itself as a non-zero return code. The value of **max-retries** is the number of times Docker will try to restart the container. This policy can be set at container startup, **for example**:
  
-  # docker container run -d --name mysql --read-only --restart on-failure:5 -v /var/lib/mysql -v /tmp -v /var/run/mysqld -e MYSQL_ROOT_PASSWORD=password mysql+  # docker run -d --name mysql --read-only --restart on-failure:5 -v /var/lib/mysql -v /tmp -v /var/run/mysqld -e MYSQL_ROOT_PASSWORD=password mysql
  
 For more information, see this **[[https://docs.docker.com/config/containers/start-containers-automatically/|page]]**. For more information, see this **[[https://docs.docker.com/config/containers/start-containers-automatically/|page]]**.
  
-====7.7 - [WARN] 5.25 - Ensure the container is restricted from acquiring additional privileges==== +====[WARN] 5.26 - Ensure that container health is checked at runtime (Automated)====
- +
-To complete the configuration you have already set up, you need to run the container using the **--security-opt** option: +
- +
-  # docker container run -d --name mysql --read-only --restart on-failure:5 --security-opt="no-new-privileges:true" -v /var/lib/mysql -v /tmp -v /var/run/mysqld -e MYSQL_ROOT_PASSWORD=password mysql +
- +
-For more information, see this **[[https://docs.docker.com/engine/reference/run/|page]]**. +
- +
-====7.8 - [WARN] 5.26 - Ensure container health is checked at runtime====+
  
 See Warning 4.6. See Warning 4.6.
  
-====7.9 - [WARN] 5.28 - Ensure PIDs cgroup limit is used====+====[WARN] 5.28 - Ensure that the PIDs cgroup limit is used (Automated)====
  
-Without using the **--pids-limit** option, a container could fall victim to a **[[https://fr.wikipedia.org/wiki/Fork_bomb|Fork Bomb]]** attack, a specific type of denial of service. This type of attack can cause the Docker host to crash and the only remedy is to restart the host. Here's an example of a Fork Bomb:+Without using the **--pids-limit** option, a container could fall victim to a **[[https://fr.wikipedia.org/wiki/Fork_bomb|Fork Bomb]]** attack, a specific type of denial of service. This type of attack can cause the Docker host to crash and the only remedy is to restart the host. Here'**an example** of a Fork Bomb (do **NOT** execute the following command):
  
 <code> <code>
-root@manager:~/docker-bench-security# docker run -u 1000 ubuntu bash -c ":() { : | : & }; :; while [[ true ]]; do sleep 1; done"+# docker run -u 1000 ubuntu bash -c ":() { : | : & }; :; while [[ true ]]; do sleep 1; done"
 </code> </code>
  
-The **manager** Docker host crashes. After restarting the virtual machine, create the container again using the **--pids-limit** option :+The **manager** Docker host crashes.  
 + 
 +To avoid this, create container using the **--pids-limit** option :
  
 <code> <code>
-root@manager:~docker ps -+root@manager:~/docker-bench-security# docker run -u 1000 --pids-limit 100 ubuntu bash -c ":() { : | : & }; :; while [[ true ]]; do sleep 1; done" 
-CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES +Unable to find image 'ubuntu:latest' locally 
-05b11e44e595 ubuntu "bash -c ':() { : | ..." 6 minutes ago Exited (255) 3 minutes ago upbeat_turing +sha256:6042500cf4b44023ea1894effe7890666b0c5c7871ed83a97c36c76ae560bb9b: Pulling from library/ubuntu 
-... +a48641193673: Pull complete  
-root@manager:~# docker rm 05 +Digest: sha256:6042500cf4b44023ea1894effe7890666b0c5c7871ed83a97c36c76ae560bb9b 
-05 +Status: Downloaded newer image for ubuntu@sha256:6042500cf4b44023ea1894effe7890666b0c5c7871ed83a97c36c76ae560bb9b 
-root@manager:~# docker run -u 1000 --pids-limit 100 ubuntu bash -c ":() { : | : & }; :; while [[ true ]]; do sleep 1; done"+Tagging ubuntu@sha256:6042500cf4b44023ea1894effe7890666b0c5c7871ed83a97c36c76ae560bb9b as ubuntu:latest
 environment: fork: retry: Resource temporarily unavailable environment: fork: retry: Resource temporarily unavailable
 environment: fork: retry: Resource temporarily unavailable environment: fork: retry: Resource temporarily unavailable
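Review bot: the 7.7 block explaining --security-opt="no-new-privileges:true" is deleted here, yet the final run command later in this diff still passes that option and the page no longer says what it does; keep a one-line explanation (processes in the container cannot gain privileges through setuid/setgid binaries or file capabilities) instead of dropping the section. Two smaller points: the explanation after the empty docker diff should say that the writable paths are now anonymous volumes, which docker diff does not report, rather than that no changes can be made at all (mysqld still writes its pid and socket files under /var/run/mysqld, as the earlier diff output showed); and the pids-limit transcript now ends with ^P^Q, which only detaches when the container was started with -i and -t, so a container started as shown has to be stopped from another terminal (the docker rm -f in the next hunk does this). Finally, "create container using" should read "create a container using".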
Ligne 968: Ligne 1192:
 environment: fork: retry: Resource temporarily unavailable environment: fork: retry: Resource temporarily unavailable
 environment: fork: retry: Resource temporarily unavailable environment: fork: retry: Resource temporarily unavailable
-^C+environment: fork: retry: Resource temporarily unavailable 
 +environment: fork: retry: Resource temporarily unavailable 
 +environment: fork: retry: Resource temporarily unavailable 
 +environment: fork: retry: Resource temporarily unavailable 
 +environment: fork: retry: Resource temporarily unavailable 
 +environment: fork: retry: Resource temporarily unavailable 
 +^P^Q
 </code> </code>
  
 For more information, see this **[[https://docs.docker.com/engine/reference/commandline/run/#options|page]]**. For more information, see this **[[https://docs.docker.com/engine/reference/commandline/run/#options|page]]**.
  
-Now delete all containers that have already been created :+Now delete all containers that have been created :
  
 <code> <code>
-root@manager:~docker ps -+root@manager:~/docker-bench-security# docker rm -f `docker ps -aq` 
-CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES +db5ae43c3e55 
-095472e5096a nginx "nginx -g 'daemon of..." 13 minutes ago Up 13 minutes 0.0.0.0:8081->80/tcp affectionate_goldstine +f3b2528fbac0 
-5b31fe1e13bc ubuntu "bash -c ':() { : | ..." 28 minutes ago Exited (254) 28 minutes ago pensive_fermat +711ab28bdfb4 
-7788c67c3b69 mysql "docker-entrypoint.s..."   About an hour ago Exited (255) 33 minutes ago 3306/tcp, 33060/tcp mysql + 
-root@manager:~# docker stop 095 +root@manager:~/docker-bench-security# docker ps -a 
-095 +CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
-root@manager:~# docker rm `docker ps -aq` +
-5b31fe1e13bc +
-7788c67c3b69 +
-095472e5096a +
-root@manager:~# docker ps -a +
-CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES +
 </code> </code>
  
Ligne 994: Ligne 1218:
  
 <code> <code>
-root@manager:~# cd docker-bench-security/ +root@manager:~/docker-bench-security# docker run -d --name mysql --read-only --restart on-failure:5 --security-opt="no-new-privileges:true" --pids-limit 100 --memory="256m" --cpu-shares 512 -v /var/lib/mysql -v /tmp -v /var/run/mysqld -e MYSQL_ROOT_PASSWORD=password mysql 
-root@manager:~/docker-bench-security# docker container run -d --name mysql --read-only --restart on-failure:5 --security-opt="no-new-privileges:true" --pids-limit 100 --memory="256m" --cpu-shares 512 -v /var/lib/mysql -v /tmp -v /var/run/mysqld -e MYSQL_ROOT_PASSWORD=password mysql +f49d1ffdeae2e83435e8cc3a2e03fb2e0b33e5609d266e5a3403ff8859e5d122 
-df54974ebc11fe357f6e8e9b0f8499aee2658af435e32a45058a1e49fcd3dc24+
 root@manager:~/docker-bench-security# docker ps -a root@manager:~/docker-bench-security# docker ps -a
-CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES +CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                 NAMES 
-df54974ebc11 mysql "docker-entrypoint.s...seconds ago Up seconds 3306/tcp, 33060/tcp mysql+f49d1ffdeae2        mysql               "docker-entrypoint.s  16 seconds ago      Up 15 seconds       3306/tcp, 33060/tcp   mysql
 </code> </code>
  
Ligne 1007: Ligne 1231:
 root@manager:~/docker-bench-security# ./docker-bench-security.sh root@manager:~/docker-bench-security# ./docker-bench-security.sh
 ... ...
-[INFO] 5 - Container Runtime +[PASS] 5.2 - Ensure that, if applicable, SELinux security options are set (Automated) 
-[WARN] 5.1 - Ensure that, if applicable, an AppArmor Profile is enabled  +[PASS] 5.10 - Ensure that the memory usage for containers is limited (Automated) 
-[WARN] * No AppArmorProfile Found: mysql +[PASS] 5.11 - Ensure that CPU priority is set appropriately on containers (Automated) 
-[PASS] 5.2 - Ensure that, if applicable, SELinux security options are set +[PASS] 5.12 - Ensure that the container's root filesystem is mounted as read only (Automated) 
-[PASS] 5.3 - Ensure Linux Kernel Capabilities are restricted within containers +[PASS] 5.14 - Ensure that the 'on-failure' container restart policy is set to '5' (Automated) 
-[PASS] 5.4 - Ensure that privileged containers are not used +[PASS] 5.28 - Ensure that the PIDs cgroup limit is used (Automated)
-[PASS] 5.5 - Ensure sensitive host system directories are not mounted on containers +
-[PASS] 5.6 - Ensure sshd is not run within containers +
-[PASS] 5.7 - Ensure privileged ports are not mapped within containers +
-[NOTE] 5.8 - Ensure that only needed ports are open on the container +
-[PASS] 5.9 - Ensure the host's network namespace is not shared +
-[PASS] 5.10 - Ensure that the memory usage for containers is limited +
-[PASS] 5.11 - Ensure CPU priority is set appropriately on the container +
-[PASS] 5.12 - Ensure that the container's root filesystem is mounted as read only +
-[PASS] 5.13 - Ensure that incoming container traffic is bound to a specific host interface +
-[PASS] 5.14 - Ensure that the 'on-failure' container restart policy is set to '5'+
-[PASS] 5.15 - Ensure the host's process namespace is not shared +
-[PASS] 5.16 - Ensure the host's IPC namespace is not shared +
-[PASS] 5.17 - Ensure that host devices are not directly exposed to containers +
-[INFO] 5.18 - Ensure that the default ulimit is overwritten at runtime if needed +
-[INFO] * Container no default ulimit override: mysql +
-[PASS] 5.19 - Ensure mount propagation mode is not set to shared +
-[PASS] 5.20 - Ensure the host's UTS namespace is not shared +
-[PASS] 5.21 - Ensure the default seccomp profile is not Disabled +
-[NOTE] 5.22 - Ensure docker exec commands are not used with privileged option +
-[NOTE] 5.23 - Ensure that docker exec commands are not used with the user=root option +
-[PASS] 5.24 - Ensure that cgroup usage is confirmed +
-[PASS] 5.25 - Ensure that the container is restricted from acquiring additional privileges +
-[WARN] 5.26 - Ensure that container health is checked at runtime +
-[WARN] * Health check not set: mysql +
-[INFO] 5.27 - Ensure that Docker commands always make use of the latest version of their image +
-[PASS] 5.28 - Ensure that the PIDs cgroup limit is used +
-[INFO] 5.29 - Ensure that Docker's default bridge 'docker0' is not used +
-[INFO] * Container in docker0 network: mysql +
-[PASS] 5.30 - Ensure that the host's user namespaces are not shared +
-[PASS] 5.31 - Ensure that the Docker socket is not mounted inside any containers+
 ... ...
 </code> </code>
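Review bot: the new listing keeps only the six checks that now report [PASS] and drops the rest of the section 5 output, including 5.1 (AppArmor) and 5.26 (health check), which the final run command does not address and which therefore still report [WARN]; either show the full block as the previous revision did or add a sentence saying which warnings remain and why (5.1 depends on the host, 5.26 was referred to Warning 4.6).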
Ligne 1096: Ligne 1290:
 </code> </code>
  
-<WRAP center round important 60%>+<WRAP center round important 50%>
 **Important**: Note the error **Error: remote trust data does not exist for docker.io/i2tch/docker ...**. This is because Docker Trust prevents the use of unsigned images. **Important**: Note the error **Error: remote trust data does not exist for docker.io/i2tch/docker ...**. This is because Docker Trust prevents the use of unsigned images.
 </WRAP> </WRAP>
Ligne 1118: Ligne 1312:
 <code> <code>
 root@manager:~# docker images root@manager:~# docker images
-REPOSITORY TAG IMAGE ID CREATED SIZE +REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE 
-ubuntu latest 775349758637 9 days ago 64.2MB +ubuntu              latest              775349758637        9 days ago          64.2MB 
-nginx latest 540a289bab6c 2 weeks ago 126MB +nginx               latest              540a289bab6c        2 weeks ago         126MB 
-alpine latest 965ea09ff2eb 2 weeks ago 5.55MB +alpine              latest              965ea09ff2eb        2 weeks ago         5.55MB 
-mysql latest c8ee894bd2bd 3 weeks ago 456MB +mysql               latest              c8ee894bd2bd        3 weeks ago         456MB 
-centos latest 0f3e07c0138f 5 weeks ago 220MB+centos              latest              0f3e07c0138f        5 weeks ago         220MB
 </code> </code>
  
Ligne 1148: Ligne 1342:
  
 root@manager:~# docker image ls root@manager:~# docker image ls
-REPOSITORY TAG IMAGE ID CREATED SIZE +REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE 
-ubuntu latest 775349758637 9 days ago 64.2MB +ubuntu              latest              775349758637        9 days ago          64.2MB 
-nginx latest 540a289bab6c 2 weeks ago 126MB +nginx               latest              540a289bab6c        2 weeks ago         126MB 
-alpine latest 965ea09ff2eb 2 weeks ago 5.55MB +alpine              latest              965ea09ff2eb        2 weeks ago         5.55MB 
-mysql latest c8ee894bd2bd 3 weeks ago 456MB +mysql               latest              c8ee894bd2bd        3 weeks ago         456MB 
-centos latest 0f3e07c0138f 5 weeks ago 220MB +centos              latest              0f3e07c0138f        5 weeks ago         220MB 
-i2tch/docker unsigned 9b915a241e29 3 years ago 212MB+i2tch/docker        unsigned            9b915a241e29        3 years ago         212MB
  
 root@manager:~# docker rmi i2tch/docker:unsigned root@manager:~# docker rmi i2tch/docker:unsigned
Ligne 1192: Ligne 1386:
 <code> <code>
 root@manager:~# docker image ls root@manager:~# docker image ls
-REPOSITORY TAG IMAGE ID CREATED SIZE +REPOSITORY             TAG                 IMAGE ID            CREATED             SIZE 
-ubuntu latest 775349758637 9 days ago 64.2MB +ubuntu                 latest              775349758637        9 days ago          64.2MB 
-nginx latest 540a289bab6c 2 weeks ago 126MB +nginx                  latest              540a289bab6c        2 weeks ago         126MB 
-<your_account>/docker alpine 965ea09ff2eb 2 weeks ago 5.55MB +<votre_compte>/docker  alpine              965ea09ff2eb        2 weeks ago         5.55MB 
-alpine latest 965ea09ff2eb 2 weeks ago 5.55MB +alpine                 latest              965ea09ff2eb        2 weeks ago         5.55MB 
-mysql latest c8ee894bd2bd 3 weeks ago 456MB +mysql                  latest              c8ee894bd2bd        3 weeks ago         456MB 
-centos latest 0f3e07c0138f 5 weeks ago 220MB+centos                 latest              0f3e07c0138f        5 weeks ago         220MB
 </code> </code>
  
Ligne 1270: Ligne 1464:
 <code> <code>
 root@manager:~# mkdir nottrusted root@manager:~# mkdir nottrusted
 +
 root@manager:~# cd nottrusted/ root@manager:~# cd nottrusted/
 +
 root@manager:~/nottrusted# vi Dockerfile root@manager:~/nottrusted# vi Dockerfile
 +
 root@manager:~/nottrusted# cat Dockerfile root@manager:~/nottrusted# cat Dockerfile
 FROM docker/trusttest:latest FROM docker/trusttest:latest
Ligne 1321: Ligne 1518:
 </code> </code>
  
-<WRAP centre round important 60%>+<WRAP centre round important 50%>
 **Important** : Note the use of the same root key as when pushing the **<your_account>/docker:alpine** image as this is the same repositry.  **Important** : Note the use of the same root key as when pushing the **<your_account>/docker:alpine** image as this is the same repositry. 
 </WRAP> </WRAP>
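Review bot: two typos are carried over unchanged: the WRAP tag uses "centre", which is not one of the wrap plugin's alignment classes (the other boxes in this diff use "center"), and "repositry" should be "repository" (the same spelling appears in the box after the otherimage push and in the two boxes further down).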
Ligne 1331: Ligne 1528:
 <code> <code>
 root@manager:~/nottrusted# docker tag <your_account>/docker:nottrusted <your_account>/otherimage:latest root@manager:~/nottrusted# docker tag <your_account>/docker:nottrusted <your_account>/otherimage:latest
 +
 root@manager:~/nottrusted# docker images root@manager:~/nottrusted# docker images
-REPOSITORY TAG IMAGE ID CREATED SIZE +REPOSITORY                   TAG                 IMAGE ID            CREATED             SIZE 
-<your_account>/docker nottrusted 686e85ee76b8 9 minutes ago 5.03MB +<votre_compte>/docker        nottrusted          686e85ee76b8        9 minutes ago       5.03MB 
-<your_account>/otherimage latest 686e85ee76b8 9 minutes ago 5.03MB +<votre_compte>/otherimage    latest              686e85ee76b8        9 minutes ago       5.03MB 
-ubuntu latest 775349758637 9 days ago 64.2MB +ubuntu                       latest              775349758637        9 days ago          64.2MB 
-nginx latest 540a289bab6c 2 weeks ago 126MB +nginx                        latest              540a289bab6c        2 weeks ago         126MB 
-<your_account>/docker alpine 965ea09ff2eb 2 weeks ago 5.55MB +<votre_compte>/docker        alpine              965ea09ff2eb        2 weeks ago         5.55MB 
-alpine latest 965ea09ff2eb 2 weeks ago 5.55MB +alpine                       latest              965ea09ff2eb        2 weeks ago         5.55MB 
-mysql latest c8ee894bd2bd 3 weeks ago 456MB +mysql                        latest              c8ee894bd2bd        3 weeks ago         456MB 
-centos latest 0f3e07c0138f 5 weeks ago 220MB +centos                       latest              0f3e07c0138f        5 weeks ago         220MB 
-docker/trusttest latest cc7629d1331a 4 years ago 5.03MB+docker/trusttest             latest              cc7629d1331a        4 years ago         5.03MB
  
 root@manager:~/nottrusted# docker push docker.io/<your_account>/otherimage:latest root@manager:~/nottrusted# docker push docker.io/<your_account>/otherimage:latest
Ligne 1356: Ligne 1554:
 </code> </code>
  
-<WRAP center round important 60%>+<WRAP center round important 50%>
 **Important**: Note the creation of a second repositry key (ID 7b13d02 instead of ID 168c754) when pushing the **<your_account>/otherimage:latest** image because it is another repositry.  **Important**: Note the creation of a second repositry key (ID 7b13d02 instead of ID 168c754) when pushing the **<your_account>/otherimage:latest** image because it is another repositry. 
 </WRAP> </WRAP>
Ligne 1443: Ligne 1641:
 </code> </code>
  
-<WRAP centre round important 60%>+<WRAP centre round important 50%>
 **Important**: Note that the keys used are the same for both images.  **Important**: Note that the keys used are the same for both images. 
 </WRAP> </WRAP>
Ligne 1484: Ligne 1682:
 </code> </code>
  
-<WRAP centre round important 60%>+<WRAP centre round important 50%>
 **Important** : Note that the keys used are different.  **Important** : Note that the keys used are different. 
 </WRAP> </WRAP>
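Review bot: same "centre" to "center" fix as the previous box, and the space in `**Important** :` is French typography; the other boxes use `**Important**:` with no space. The statement "the keys used are different" would also land better if it named which key differs: the per-repository targets key, while the root key is shared, which is the lesson the two comparisons are meant to teach.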
Ligne 1524: Ligne 1722:
 </code> </code>
  
-<WRAP center round important>+<WRAP center round important 50%>
 **Important**: There is another cryptographic signature mechanism that certifies the content of images made available on a Registry. Called **Notary**, this system was developed by the Docker community and incorporates part of the **[[https://theupdateframework.io/|The Update Framework]]** (TUF) specification. For more information, see this **[[https://blog.octo.com/la-signature-dimages-docker-sur-une-registry-avec-notary/#:~:text=Notary%20is%20a%20m%C3%A9channel%20of,environment%20of%20production%20by%20example|article]]**. **Important**: There is another cryptographic signature mechanism that certifies the content of images made available on a Registry. Called **Notary**, this system was developed by the Docker community and incorporates part of the **[[https://theupdateframework.io/|The Update Framework]]** (TUF) specification. For more information, see this **[[https://blog.octo.com/la-signature-dimages-docker-sur-une-registry-avec-notary/#:~:text=Notary%20is%20a%20m%C3%A9channel%20of,environment%20of%20production%20by%20example|article]]**.
 </WRAP> </WRAP>
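Review bot: the box presents Notary as "another" signing mechanism, but Notary is the service that Docker Content Trust itself uses to store and serve its TUF metadata, so the sentence should say that the `docker trust` workflow shown above is a front end to Notary rather than an alternative to it. The article link also carries a `#:~:text=` text-fragment anchor built from a machine translation ("Notary is a m%C3%A9channel of ...") that cannot match the French page; drop the fragment and keep the plain URL.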
Ligne 1643: Ligne 1841:
 </code> </code>
  
-Modify the entry for address 10.0.2.61 in the manager's **/etc/hosts** file:+Modify the entry for address 10.0.2.45 in the manager's **/etc/hosts** file:
  
 <code> <code>
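Review bot: the sentence says to modify the entry for 10.0.2.45 but not what it must become; state the target mapping (`10.0.2.45 myregistry.i2tch.loc myregistry`) in the sentence itself, since the reader otherwise has to infer it from the file listing that follows, and the name is what the TLS client verification later depends on.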
Ligne 1649: Ligne 1847:
 root@manager:~# cat /etc/hosts root@manager:~# cat /etc/hosts
 127.0.0.1 localhost 127.0.0.1 localhost
-10.0.2.60 debian9.i2tch.loc debian9 +10.0.2.46 debian11.i2tch.loc debian11 
-10.0.2.61 myregistry.i2tch.loc myregistry+10.0.2.45 myregistry.i2tch.loc myregistry
 10.0.2.62 manager.i2tch.loc manager 10.0.2.62 manager.i2tch.loc manager
 10.0.2.63 worker1.i2tch.loc worker1 10.0.2.63 worker1.i2tch.loc worker1
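Review bot: the new entries put 10.0.2.46 before 10.0.2.45 and break the ascending order of the rest of the file; minor, but keep the file sorted since the workbook is a copy-paste target. More important for the lab: these static entries are what make `manager.i2tch.loc` resolve, and `--tlsverify` checks the daemon's certificate against the name given to `-H`, so a trainee who connects by IP instead of by name will get a certificate mismatch unless the certificate's SAN lists the IP; that caveat deserves a sentence here.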
Ligne 1807: Ligne 2005:
 ====9.5 - Client configuration==== ====9.5 - Client configuration====
  
-Then transfer the CA certificate and the client certificate and private key to the **debian91** VM :+Then transfer the CA certificate and the client certificate and private key to the **10.0.2.45** VM :
  
 <code> <code>
-root@manager:~# scp ca.pem key.pem cert.pem trainee@10.0.2.61:/home/trainee/ +root@manager:~# scp ca.pem key.pem cert.pem trainee@10.0.2.45:/home/trainee/ 
-The authenticity of host '10.0.2.61 (10.0.2.61)' can't be established.+The authenticity of host '10.0.2.45 (10.0.2.45)' can't be established.
 ECDSA key fingerprint is SHA256:sEfHBv9azmK60cjqF/aJgUc9jg56slNaZQdAUcvBOvE. ECDSA key fingerprint is SHA256:sEfHBv9azmK60cjqF/aJgUc9jg56slNaZQdAUcvBOvE.
 Are you sure you want to continue connecting (yes/no)? yes Are you sure you want to continue connecting (yes/no)? yes
-Warning: Permanently added '10.0.2.61' (ECDSA) to the list of known hosts. +Warning: Permanently added '10.0.2.45' (ECDSA) to the list of known hosts. 
-trainee@10.0.2.61's password:  +trainee@10.0.2.45's password: trainee 
-ca.pem 100% 2163 917.8KB/s 00:00     +ca.pem                                                                                                                                 100% 2163   917.8KB/  00:00     
-key.pem 100% 3243 3.0MB/s 00:00    +key.pem                                                                                                                                100% 3243     3.0MB/  00:00    
-cert.pem 100% 1907 921.7KB/s 00:00 +cert.pem                                                                                                                               100% 1907   921.7KB/  00:00  
 </code> </code>
  
-Run the **docker version** command on the **debian91** VM:+Run the **docker version** command on the **10.0.2.45** VM:
  
 <code> <code>
 trainee@myregistry:~$ docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=manager.i2tch.loc:2376 version trainee@myregistry:~$ docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=manager.i2tch.loc:2376 version
 Client: Docker Engine - Community Client: Docker Engine - Community
- Version: 19.03.4 + Version:           19.03.4 
- API version: 1.40 + API version:       1.40 
- Go version: go1.12.10+ Go version:        go1.12.10
  Git commit:        9013bf583a  Git commit:        9013bf583a
  Built:             Fri Oct 18 15:52:34 2019  Built:             Fri Oct 18 15:52:34 2019
- OS/Arch: linux/amd64 + OS/Arch:           linux/amd64 
- Experimental: false+ Experimental:      false
  
 Server: Docker Engine - Community Server: Docker Engine - Community
  Engine:  Engine:
-  Version: 19.03.4 +  Version:          19.03.4 
-  API version: 1.40 (minimum version 1.12) +  API version:      1.40 (minimum version 1.12) 
-  Go version: go1.12.10+  Go version:       go1.12.10
   Git commit:       9013bf583a   Git commit:       9013bf583a
   Built:            Fri Oct 18 15:51:05 2019   Built:            Fri Oct 18 15:51:05 2019
-  OS/Arch: linux/amd64 +  OS/Arch:          linux/amd64 
-  Experimental: false+  Experimental:     false
  containerd:  containerd:
-  Version: 1.2.10 +  Version:          1.2.10 
-  GitCommit: b34a5c8af56e510852c35414db4c1f4fa6172339+  GitCommit:        b34a5c8af56e510852c35414db4c1f4fa6172339
  runc:  runc:
-  Version: 1.0.0-rc8+dev+  Version:          1.0.0-rc8+dev
   GitCommit:        3e425f80a8c931f88e6d94a8c831b9d5aa481657   GitCommit:        3e425f80a8c931f88e6d94a8c831b9d5aa481657
  docker-init:  docker-init:
-  Version: 0.18.0 +  Version:          0.18.0 
-  GitCommit: fec3683+  GitCommit:        fec3683
 </code> </code>
  
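Review bot: the new side of the `trainee@10.0.2.45's password:` line shows the password `trainee` echoed after the prompt; scp never echoes the typed password, so this was edited in by hand, and a security workbook should not print credentials in a transcript even for a lab account. Two more points in the same hunk: the intro sentences now call the target "the 10.0.2.45 VM" while the prompts below read `trainee@myregistry`, so name it the myregistry VM for consistency; and `key.pem` is the client private key being dropped into a home directory with default permissions, so add a `chmod 0400 key.pem` step before the `docker --tlsverify ... version` call, because the daemon will accept any process that can read that key. Finally, the `docker version` output still reports Engine 19.03.4 built in 2019 on a page stamped 2024.01; either re-capture it or say it is historical.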
Ligne 1880: Ligne 2078:
 <code> <code>
 trainee@myregistry:~$ docker image ls trainee@myregistry:~$ docker image ls
-REPOSITORY TAG IMAGE ID CREATED SIZE +REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE 
-i2tch/docker nottrusted 686e85ee76b8 19 hours ago 5.03MB +i2tch/docker        nottrusted          686e85ee76b8        19 hours ago        5.03MB 
-i2tch/otherimage latest 686e85ee76b8 19 hours ago 5.03MB +i2tch/otherimage    latest              686e85ee76b8        19 hours ago        5.03MB 
-ubuntu latest 775349758637 10 days ago 64.2MB +ubuntu              latest              775349758637        10 days ago         64.2MB 
-nginx latest 540a289bab6c 2 weeks ago 126MB +nginx               latest              540a289bab6c        2 weeks ago         126MB 
-alpine latest 965ea09ff2eb 2 weeks ago 5.55MB +alpine              latest              965ea09ff2eb        2 weeks ago         5.55MB 
-i2tch/docker alpine 965ea09ff2eb 2 weeks ago 5.55MB +i2tch/docker        alpine              965ea09ff2eb        2 weeks ago         5.55MB 
-mysql latest c8ee894bd2bd 3 weeks ago 456MB +mysql               latest              c8ee894bd2bd        3 weeks ago         456MB 
-centos latest 0f3e07c0138f 5 weeks ago 220MB +centos              latest              0f3e07c0138f        5 weeks ago         220MB 
-docker/trusttest latest cc7629d1331a 4 years ago 5.03MB+docker/trusttest    latest              cc7629d1331a        4 years ago         5.03MB
 </code> </code>
  
 ----- -----
  
-Copyright © 2023 Hugh Norris.+Copyright © 2024 Hugh Norris.
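Review bot: the `docker image ls` at the top of this hunk is run as `trainee@myregistry` without the `-H`/`--tls*` flags of the previous command, yet it lists the manager's images (same IDs, e.g. nginx 540a289bab6c and alpine 965ea09ff2eb); if the elided lines before this hunk export DOCKER_HOST, DOCKER_TLS_VERIFY and DOCKER_CERT_PATH, show that export in the transcript, otherwise the reader cannot reproduce the result. Also worth a sentence: `i2tch/docker:nottrusted` and `i2tch/otherimage:latest` share image ID 686e85ee76b8, so they are one image under two names, which is why the trust comparison earlier on the page is about repository keys rather than image content.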