Is your feature request related to a problem? Please describe.
I am using docker-bench-security to secure my T-Pot OS.
The tool follows the CIS Benchmark, and some sections failed. Here are some snippets:
4.1 - Ensure that a user for the container has been created (Automated)
[WARN] * Running as root
4.6 - Ensure that HEALTHCHECK instructions have been added to container images (Automated)
[WARN] * No Healthcheck found
5.3 - Ensure that, if applicable, SELinux security options are set (Automated)
[WARN] * No SecurityOptions Found
5.4 - Ensure that Linux kernel capabilities are restricted within containers (Automated)
[WARN] * Capabilities added:
etc.
Describe the solution you'd like
Harden the Docker images according to the CIS Docker Benchmark guidelines where possible.
Describe alternatives you've considered
Maybe:
List all failed sections related to Docker image design.
List the sections that can be applied to the honeypot Dockerfiles.
Additional context
I guess that some of these cannot be corrected due to technical or design constraints.
But maybe some of them can be considered.
Thanks, we are building T-Pot with the best effort / practice for security and technical functionality in mind, however, while docker bench is being used ... :
Some of the images require root, while most of them are running with a dedicated user.
Adding healthchecks to the honeypots (to really check whether the service is running) is desirable, but sadly counterproductive, as it mostly results in false positive honeypot logs.
Enabling SELinux is not in the cards, as it tends to be too invasive on the host. It is possible, however, to adjust the host accordingly if so required.
We have looked into dropping all caps and subsequently only adding the ones needed for each honeypot, and it turned out to be impractical. During the tests, honeypots and tool features changed, some of which resulted in different cap requirements. Thus not only did the docker image need to be updated / pushed, but also the docker compose file, which resulted in interrupted services, as the user was required to update the docker compose file as well.
With that in mind, docker bench will always have some failed sections and thus needs to be looked at with a practical approach to security while maintaining technical functionality and user convenience.
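As an added example (not part of the issue, the maintainer's reply, or T-Pot or docker-bench-security itself), the following script reproduces the four warnings quoted above over `docker inspect` output, so that an operator can track which containers still trip 4.1, 4.6, 5.3 and 5.4 after applying the trade-offs described in the reply. The inspect data is a constructed two-container sample; the container names, uid and capability values are placeholders, not T-Pot's.

```python
import json

# Constructed sample in the shape of `docker inspect <container> ...` output,
# reduced to the fields the four checks consult (placeholders, not T-Pot data).
SAMPLE_INSPECT = json.dumps([
    {   # runs as root, no healthcheck, no security options, adds a capability
        "Name": "/honeypot-a",
        "Config": {"User": "", "Healthcheck": None},
        "HostConfig": {"SecurityOpt": None, "CapAdd": ["NET_ADMIN"], "CapDrop": None},
    },
    {   # dedicated uid, healthcheck defined, security option set, all caps dropped
        "Name": "/honeypot-b",
        "Config": {"User": "2000:2000", "Healthcheck": {"Test": ["CMD", "true"]}},
        "HostConfig": {"SecurityOpt": ["no-new-privileges"], "CapAdd": None, "CapDrop": ["ALL"]},
    },
])


def audit_container(container):
    """Return {CIS section: [WARN strings]} for one inspect record; {} means all four pass."""
    cfg = container.get("Config") or {}
    host = container.get("HostConfig") or {}
    warns = {}
    # 4.1: an empty User, or uid/name 0/root, means the entrypoint runs as root.
    user = (cfg.get("User") or "").strip()
    if user.split(":")[0] in ("", "0", "root"):
        warns["4.1"] = ["Running as root"]
    # 4.6: HEALTHCHECK missing, or explicitly disabled with "HEALTHCHECK NONE".
    hc = cfg.get("Healthcheck") or {}
    if not hc.get("Test") or hc["Test"] == ["NONE"]:
        warns["4.6"] = ["No Healthcheck found"]
    # 5.3: no SELinux/AppArmor/no-new-privileges option on the container.
    if not host.get("SecurityOpt"):
        warns["5.3"] = ["No SecurityOptions Found"]
    # 5.4: any capability added on top of the default set is reported.
    if host.get("CapAdd"):
        warns["5.4"] = ["Capabilities added: " + ",".join(host["CapAdd"])]
    return warns


def audit(inspect_json):
    """Map container name -> warnings for a JSON array as printed by `docker inspect`."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, warns in audit(SAMPLE_INSPECT).items():
        status = "PASS" if not warns else " ".join(f"[WARN {k}] {v[0]}" for k, v in warns.items())
        print(f"{name}: {status}")
```

Against a live host, feed it `docker inspect $(docker ps -q)` instead of the sample; containers the maintainers deliberately leave as root or with added caps will keep showing the corresponding warning.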