
/usr/bin not mounted inside container #371

Closed
src7 opened this issue Apr 9, 2019 · 5 comments

Comments

2 participants
@src7

commented Apr 9, 2019

Hello,

Surely because there were no very nice ways to do this, /usr/bin is not mounted inside the container. So the files tested in this directory (docker-containerd and docker-runc) are always not found, and no warnings are ever displayed for 1.12 and 1.13.

Actually, to solve the issue I run the container with:

    -v /usr/bin/docker-containerd:/usr/bin/docker-containerd \
    -v /usr/bin/docker-runc:/usr/bin/docker-runc \

PS: I know that using default large auditing (especially on something like /var/lib/docker) will generate so many logs that it won't really be taken seriously by admins.

@konstruktoid

Member

commented Apr 9, 2019

Hi @src7,
do you have any examples where docker-containerd and docker-runc aren't found but do have valid audit rules?

@src7

Author

commented Apr 9, 2019

Hi @konstruktoid,

In fact, the script checks the rules only if the file is found (and it works perfectly if it is).

    if [ -f "$file" ]; then

    if [ -f "$file" ]; then

So the output is always [INFO] Not Found (even if the rule is set):

[PASS] 1.11  - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
[INFO] 1.12  - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd
[INFO]      * File not found
[INFO] 1.13  - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc
[INFO]      * File not found

Should be

[PASS] 1.11  - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
[PASS] 1.12  - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd
[PASS] 1.13  - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc

or if no rules are set:

[WARN] 1.11  - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
[WARN] 1.12  - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd
[WARN] 1.13  - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc
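
A small POSIX sh model of the check described in this comment, added here as an example (it is not docker-bench-security's own code): `audit_status` keeps the file-exists-then-check-rule order, so a path the container cannot see is reported INFO even when the host has no audit rule for it. The `auditctl -l` output and the scratch filesystem that stands in for the container's view of the host are constructed.

```shell
# Constructed stand-in for `auditctl -l` output on the host: a watch
# exists for daemon.json, none for the two binaries.
SAMPLE_RULES='-w /etc/docker/daemon.json -p rwxa -k docker
-w /var/lib/docker -p rwxa -k docker'

# audit_status FILE RULES -> prints PASS, WARN or INFO
audit_status() {
  file="$1"
  rules="$2"
  if [ -f "$file" ]; then
    # Same order as the script: only a present file gets its rule checked.
    if printf '%s\n' "$rules" | grep -qF -- "-w $file "; then
      echo PASS
    else
      echo WARN
    fi
  else
    # Unmounted or missing: the rule is never inspected, so no WARN.
    echo INFO
  fi
}

# report CHECK_ID FILE RULES -> prints the line(s) the bench would print
report() {
  status=$(audit_status "$2" "$3")
  echo "[$status] $1 - Ensure auditing is configured for Docker files and directories - $2"
  [ "$status" = INFO ] && echo "[INFO]      * File not found"
  return 0
}

# Demo: scratch directory as the container's view of the host. daemon.json
# and docker-runc are visible, docker-containerd is not (never bind-mounted).
# Rule paths are rewritten to point into the scratch directory.
demo() {
  root=$(mktemp -d)
  mkdir -p "$root/etc/docker" "$root/usr/bin"
  : > "$root/etc/docker/daemon.json"
  : > "$root/usr/bin/docker-runc"
  rules=$(printf '%s\n' "$SAMPLE_RULES" | sed "s|-w /|-w $root/|")
  report 1.11 "$root/etc/docker/daemon.json" "$rules"   # PASS
  report 1.12 "$root/usr/bin/docker-containerd" "$rules" # INFO, rule missing but hidden
  report 1.13 "$root/usr/bin/docker-runc" "$rules"       # WARN, rule missing and reported
  rm -r "$root"
}
demo
```

Adding the two `-v /usr/bin/...` bind mounts from this thread turns the 1.12 line from INFO into the WARN (or PASS) it should have been.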
@src7

Author

commented Apr 9, 2019

Well, I was a bit confusing. Here is the actual readme version of the docker run command:

docker run -it --net host --pid host --userns host --cap-add audit_control \
    -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
    -v /var/lib:/var/lib \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v /usr/lib/systemd:/usr/lib/systemd \
    -v /etc:/etc --label docker_bench_security \
    docker/docker-bench-security

To solve the issue I added:

    -v /usr/bin/docker-containerd:/usr/bin/docker-containerd \
    -v /usr/bin/docker-runc:/usr/bin/docker-runc \
@konstruktoid

Member

commented Apr 10, 2019

Thanks @src7, I'll update the readme.

konstruktoid added a commit to konstruktoid/docker-bench-security that referenced this issue Apr 10, 2019

add binaries as volumes docker#371
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

konstruktoid added a commit that referenced this issue Apr 10, 2019

@src7

Author

commented Apr 10, 2019

No problem

@src7 src7 closed this Apr 10, 2019
