
[Specification] 4.9 Consistency with CIS specification #362

Open
anthony-roger opened this Issue Feb 26, 2019 · 4 comments

anthony-roger commented Feb 26, 2019

The CIS specification paragraph 4.9 discourages the use of ADD, and docker bench security checks it.

1. The CIS specification indicates this check is not scored, but the actual implementation scores it.

2. The use of ADD is discouraged for security purposes in the specification (and scored in docker bench security). However, the security aspect is not mentioned in the docker documentation.

3. Several base images use ADD, such as Debian or Alpine. Then, all images based on them are scored. How to make it consistent? Should we not check the base image layer? Or should we insist on not using ADD, even at this level? Indeed RHEL images do not use it for the time being.

Please let me know if I am missing something,
Best regards.

konstruktoid commented Mar 12, 2019

Hi @anthony-roger and I'm so sorry for the late reply.
https://github.com/docker/docker-bench-security/blob/master/tests/4_container_images.sh#L216-L248 doesn't score but labels 4.9 as INFO.

Do you get a different result?

anthony-roger commented Mar 13, 2019

Hi @konstruktoid,
Thanks for the reply.

1. The failure doesn't decrease the score but the success increases it.
Code here
Thus, in a CI process, the expected score is different in case of failure or success.

2. Shouldn't the security aspect be mentioned in the docker documentation?

3. What should we think about the use of ADD by scratch images such as Debian or Alpine?

Best regards,
Anthony.

konstruktoid added a commit to konstruktoid/docker-bench-security that referenced this issue Mar 14, 2019

INFO shouldnt increase score docker#362
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

konstruktoid commented Mar 14, 2019

Thanks @anthony-roger, I see what you mean and I'll merge a fix.

The COPY vs ADD isn't an obvious security issue, since it's valid and got its uses.

https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#add-or-copy

Although ADD and COPY are functionally similar, generally speaking, COPY is preferred. That’s because it’s more transparent than ADD. COPY only supports the basic copying of local files into the container, while ADD has some features (like local-only tar extraction and remote URL support) that are not immediately obvious. Consequently, the best use for ADD is local tar file auto-extraction into the image, as in ADD rootfs.tar.xz /.

From CIS guide:

Thus, ADD instruction introduces risks such as adding malicious files from URLs without scanning and unpacking procedure vulnerabilities.

Running something like docker history --format "{{ .CreatedBy }}" --no-trunc <IMAGE> | sed '$d' | grep 'ADD' would exclude any ADD commands used to add the initial image base layer.
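The base-layer filtering described above, together with the stricter "accept only if ADD in /" rule from the later commit, as an added example that is not part of this thread or of docker-bench-security itself. The `docker history` output is constructed so the script runs without a Docker daemon; the example.invalid URL and the layer hashes are placeholders.

```shell
#!/bin/sh
# Added example, not docker-bench-security's own code: the two base-layer
# filtering strategies from this thread, replayed over constructed samples of
# `docker history --format "{{ .CreatedBy }}" --no-trunc <IMAGE>` output so it
# runs without a Docker daemon. Docker lists the newest layer first, so the
# base image's `ADD rootfs.tar.xz /` layer is the last line of the output.

# Constructed sample 1: Alpine-style base (ADD into /) plus one remote ADD.
# Layer hashes and the URL are placeholders.
SAMPLE_ALPINE='/bin/sh -c #(nop)  CMD ["sh"]
/bin/sh -c #(nop) ADD https://example.invalid/tool.tar.gz in /opt/tool/
/bin/sh -c #(nop) COPY file:0123456789abcdef in /app/
/bin/sh -c apk add --no-cache curl
/bin/sh -c #(nop) ADD file:fedcba9876543210 in / '

# Constructed sample 2: the oldest layer is an ADD into a subdirectory, not a
# rootfs unpack into /. Dropping the last line blindly would hide it.
SAMPLE_SUBDIR='/bin/sh -c #(nop)  CMD ["/bin/bash"]
/bin/sh -c #(nop) ADD file:aaaabbbbccccdddd in /etc/yum.repos.d/'

# Strategy 1 (comment above, PR #366): treat the last history line as the
# base layer, drop it with sed, then report any remaining ADD instruction.
add_outside_base() {
    printf '%s\n' "$1" | sed '$d' | grep 'ADD' || true
}

# Strategy 2 (commit "accept only if ADD in /"): tolerate an ADD only when its
# destination is the image root, wherever that layer sits in the history.
add_not_to_root() {
    printf '%s\n' "$1" | grep 'ADD' | grep -v -E 'ADD .* (in )?/ ?$' || true
}

# Number of lines a strategy flags for a given history; 0 means a clean image.
count_flagged() {
    out=$("$1" "$2")
    if [ -z "$out" ]; then
        echo 0
    else
        printf '%s\n' "$out" | wc -l | tr -d ' '
    fi
}

# Stand-alone run: sample 1 yields 1 and 1, sample 2 yields 0 and 1.
count_flagged add_outside_base "$SAMPLE_ALPINE"
count_flagged add_not_to_root "$SAMPLE_ALPINE"
count_flagged add_outside_base "$SAMPLE_SUBDIR"
count_flagged add_not_to_root "$SAMPLE_SUBDIR"
```

Sample 2 is the case that motivates the stricter rule: the last-line heuristic reports nothing because it assumes the oldest layer is always the base rootfs, while the destination check still flags the ADD into a subdirectory.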

konstruktoid added a commit that referenced this issue Mar 14, 2019

Merge pull request #364 from konstruktoid/ISSUE362
INFO shouldnt increase score #362

konstruktoid added a commit to konstruktoid/docker-bench-security that referenced this issue Mar 19, 2019

exclude first ADD since its most often the base docker#362
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

konstruktoid added a commit that referenced this issue Mar 19, 2019

Merge pull request #366 from konstruktoid/ISSUE362b
exclude first ADD since its most often the base #362

konstruktoid commented Mar 19, 2019

@anthony-roger, code updated.

konstruktoid added a commit to konstruktoid/docker-bench-security that referenced this issue Mar 19, 2019

accept only if ADD in / docker#362
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

konstruktoid added a commit that referenced this issue Mar 19, 2019
