> For the complete documentation index, see [llms.txt](https://sysnet4admin.gitbook.io/cncf/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sysnet4admin.gitbook.io/cncf/cloud-native/security/node/docker-bench.md). # docker-bench ## run docker-bench on ### 1. VM ubuntu k8s cluster(v1.22) ``` root@bk8s-m:~/docker-bench-security# k get node NAME STATUS ROLES AGE VERSION bk8s-m Ready control-plane,master 20d v1.22.1 bk8s-w1 Ready 20d v1.22.1 bk8s-w2 Ready 20d v1.22.1 ``` ``` oot@bk8s-m:~/docker-bench-security# ./docker-bench-security.sh # -------------------------------------------------------------------------------------------- # Docker Bench for Security v1.3.6 # # Docker, Inc. (c) 2015-2021 # # Checks for dozens of common best-practices around deploying Docker containers in production. # Based on the CIS Docker Benchmark 1.3.1. # -------------------------------------------------------------------------------------------- Initializing 2021-12-07T04:47:32+00:00 Section A - Check results [INFO] 1 - Host Configuration [INFO] 1.1 - Linux Hosts Specific Configuration WARNING: No swap limit support [WARN] 1.1.1 - Ensure a separate partition for containers has been created (Automated) [INFO] 1.1.2 - Ensure only trusted users are allowed to control Docker daemon (Automated) [INFO] * Users: [WARN] 1.1.3 - Ensure auditing is configured for the Docker daemon (Automated) [WARN] 1.1.4 - Ensure auditing is configured for Docker files and directories -/run/containerd (Automated) [WARN] 1.1.5 - Ensure auditing is configured for Docker files and directories - /var/lib/docker (Automated) [WARN] 1.1.6 - Ensure auditing is configured for Docker files and directories - /etc/docker (Automated) [WARN] 1.1.7 - Ensure auditing is configured for Docker files and directories - docker.service (Automated) [INFO] 1.1.8 - Ensure auditing is configured for Docker files and directories - containerd.sock (Automated) [INFO] * File not found [WARN] 1.1.9 - Ensure auditing is configured for Docker files and directories - docker.socket (Automated) [WARN] 1.1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker (Automated) [WARN] 1.1.11 - Ensure auditing is configured for Dockerfiles and directories - /etc/docker/daemon.json (Automated) [WARN] 1.1.12 - 1.1.12 Ensure auditing is configured for Dockerfiles and directories - /etc/containerd/config.toml (Automated) [INFO] 1.1.13 - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Automated) [INFO] * File not found [WARN] 1.1.14 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Automated) [WARN] 1.1.15 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim (Automated) [WARN] 1.1.16 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v1 (Automated) [WARN] 1.1.17 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v2 (Automated) [WARN] 1.1.18 - Ensure auditing is configured for Docker files and directories - /usr/bin/runc (Automated) [INFO] 1.2 - General Configuration [NOTE] 1.2.1 - Ensure the container host has been Hardened (Manual) [PASS] 1.2.2 - Ensure that the version of Docker is up to date (Manual) [INFO] * Using 20.10.8, verify is it up to date as deemed necessary [INFO] 2 - Docker daemon configuration [NOTE] 2.1 - Run the Docker daemon as a non-root user, if possible (Manual) [WARN] 2.2 - Ensure network traffic is restricted between containers on the default bridge (Scored) [PASS] 2.3 - Ensure the logging level is set to 'info' (Scored) [PASS] 2.4 - Ensure Docker is allowed to make changes to iptables (Scored) [PASS] 2.5 - Ensure insecure registries are not used (Scored) [PASS] 2.6 - Ensure aufs storage driver is not used (Scored) [INFO] 2.7 - Ensure TLS authentication for Docker daemon is configured (Scored) [INFO] * Docker daemon not listening on TCP [INFO] 2.8 - Ensure the default ulimit is configured appropriately (Manual) [INFO] * Default ulimit doesn't appear to be set [WARN] 2.9 - Enable user namespace support (Scored) [PASS] 2.10 - Ensure the default cgroup usage has been confirmed (Scored) [PASS] 2.11 - Ensure base device size is not changed until needed (Scored) [WARN] 2.12 - Ensure that authorization for Docker client commands is enabled (Scored) [WARN] 2.13 - Ensure centralized and remote logging is configured (Scored) [WARN] 2.14 - Ensure containers are restricted from acquiring new privileges (Scored) [WARN] 2.15 - Ensure live restore is enabled (Scored) [WARN] 2.16 - Ensure Userland Proxy is Disabled (Scored) [PASS] 2.17 - Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Manual) [INFO] Ensure that experimental features are not implemented in production (Scored) (Deprecated) [INFO] 3 - Docker daemon configuration files [PASS] 3.1 - Ensure that the docker.service file ownership is set to root:root (Automated) [PASS] 3.2 - Ensure that docker.service file permissions are appropriately set (Automated) [PASS] 3.3 - Ensure that docker.socket file ownership is set to root:root (Automated) [PASS] 3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive (Automated) [PASS] 3.5 - Ensure that the /etc/docker directory ownership is set to root:root (Automated) [PASS] 3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictively (Automated) [INFO] 3.7 - Ensure that registry certificate file ownership is set to root:root (Automated) [INFO] * Directory not found [INFO] 3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictively (Automated) [INFO] * Directory not found [INFO] 3.9 - Ensure that TLS CA certificate file ownership is set to root:root (Automated) [INFO] * No TLS CA certificate found [INFO] 3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictively (Automated) [INFO] * No TLS CA certificate found [INFO] 3.11 - Ensure that Docker server certificate file ownership is set to root:root (Automated) [INFO] * No TLS Server certificate found [INFO] 3.12 - Ensure that the Docker server certificate file permissions are set to 444 or more restrictively (Automated) [INFO] * No TLS Server certificate found [INFO] 3.13 - Ensure that the Docker server certificate key file ownership is set to root:root (Automated) [INFO] * No TLS Key found [INFO] 3.14 - Ensure that the Docker server certificate key file permissions are set to 400 (Automated) [INFO] * No TLS Key found [PASS] 3.15 - Ensure that the Docker socket file ownership is set to root:docker (Automated) [PASS] 3.16 - Ensure that the Docker socket file permissions are set to 660 or more restrictively (Automated) [PASS] 3.17 - Ensure that the daemon.json file ownership is set to root:root (Automated) [PASS] 3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive (Automated) [PASS] 3.19 - Ensure that the /etc/default/docker file ownership is set to root:root (Automated) [INFO] 3.20 - Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (Automated) [INFO] * File not found [INFO] 3.21 - Ensure that the /etc/sysconfig/docker file ownership is set to root:root (Automated) [INFO] * File not found [PASS] 3.22 - Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively (Automated) [PASS] 3.23 - Ensure that the Containerd socket file ownership is set to root:root (Automated) [PASS] 3.24 - Ensure that the Containerd socket file permissions are set to 660 or more restrictively (Automated) [INFO] 4 - Container Images and Build File [WARN] 4.1 - Ensure that a user for the container has been created (Automated) [WARN] * Running as root: k8s_coredns_coredns-78fcd69978-rqxgp_kube-system_7bf8863b-6d1f-448d-b2e7-02e24eda11fd_1 [WARN] * Running as root: k8s_coredns_coredns-78fcd69978-rm2bp_kube-system_a86580f7-6cae-431a-8c22-cfa86c756929_1 [WARN] * Running as root: k8s_calico-node_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1 [WARN] * Running as root: k8s_kube-proxy_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1 [WARN] * Running as root: k8s_etcd_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1 [WARN] * Running as root: k8s_kube-controller-manager_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1 [WARN] * Running as root: k8s_kube-apiserver_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1 [WARN] * Running as root: k8s_kube-scheduler_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1 [NOTE] 4.2 - Ensure that containers use only trusted base images (Manual) [NOTE] 4.3 - Ensure that unnecessary packages are not installed in the container (Manual) [NOTE] 4.4 - Ensure images are scanned and rebuilt to include security patches (Manual) [WARN] 4.5 - Ensure Content trust for Docker is Enabled (Automated) [WARN] 4.6 - Ensure that HEALTHCHECK instructions have been added to container images (Automated) [WARN] * No Healthcheck found: [k8s.gcr.io/kube-apiserver:v1.22.3] [WARN] * No Healthcheck found: [k8s.gcr.io/kube-scheduler:v1.22.3] [WARN] * No Healthcheck found: [k8s.gcr.io/kube-controller-manager:v1.22.3] [WARN] * No Healthcheck found: [k8s.gcr.io/kube-proxy:v1.22.3] [WARN] * No Healthcheck found: [k8s.gcr.io/etcd:3.5.0-0] [WARN] * No Healthcheck found: [k8s.gcr.io/coredns/coredns:v1.8.4] [WARN] * No Healthcheck found: [k8s.gcr.io/pause:3.5] [WARN] * No Healthcheck found: [calico/pod2daemon-flexvol:v3.17.1] [WARN] * No Healthcheck found: [calico/cni:v3.17.1] [WARN] * No Healthcheck found: [calico/node:v3.17.1] [WARN] * No Healthcheck found: [calico/kube-controllers:v3.17.1] [PASS] 4.7 - Ensure update instructions are not used alone in the Dockerfile (Manual) [NOTE] 4.8 - Ensure setuid and setgid permissions are removed (Manual) [INFO] 4.9 - Ensure that COPY is used instead of ADD in Dockerfiles (Manual) [INFO] * ADD in image history: [k8s.gcr.io/coredns/coredns:v1.8.4] [INFO] * ADD in image history: [k8s.gcr.io/pause:3.5] [INFO] * ADD in image history: [calico/pod2daemon-flexvol:v3.17.1] [INFO] * ADD in image history: [calico/cni:v3.17.1] [INFO] * ADD in image history: [calico/kube-controllers:v3.17.1] [NOTE] 4.10 - Ensure secrets are not stored in Dockerfiles (Manual) [NOTE] 4.11 - Ensure only verified packages are installed (Manual) [INFO] 5 - Container Runtime [WARN] 5.1 - Ensure that, if applicable, an AppArmor Profile is enabled (Automated) [WARN] * No AppArmorProfile Found: k8s_calico-node_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1 [WARN] * No AppArmorProfile Found: k8s_POD_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1 [WARN] * No AppArmorProfile Found: k8s_kube-proxy_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1 [WARN] * No AppArmorProfile Found: k8s_POD_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1 [WARN] 5.2 - Ensure that, if applicable, SELinux security options are set (Automated) [WARN] * No SecurityOptions Found: k8s_etcd_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1 [WARN] * No SecurityOptions Found: k8s_kube-controller-manager_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1 [WARN] * No SecurityOptions Found: k8s_kube-apiserver_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1 [WARN] * No SecurityOptions Found: k8s_kube-scheduler_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1 [PASS] 5.3 - Ensure that Linux kernel capabilities are restricted within containers (Automated) [WARN] 5.4 - Ensure that privileged containers are not used (Automated) [WARN] * Container running in Privileged mode: k8s_calico-node_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1 [WARN] * Container running in Privileged mode: k8s_POD_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1 [WARN] * Container running in Privileged mode: k8s_kube-proxy_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1 [WARN] * Container running in Privileged mode: k8s_POD_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1 [PASS] 5.5 - Ensure sensitive host system directories are not mounted on containers (Automated) [PASS] 5.6 - Ensure sshd is not run within containers (Automated) [PASS] 5.7 - Ensure privileged ports are not mapped within containers (Automated) [PASS] 5.8 - Ensure that only needed ports are open on the container (Manual) [WARN] 5.9 - Ensure that the host's network namespace is not shared (Automated) [WARN] * Container running with networking mode 'host': k8s_POD_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1 [WARN] * Container running with networking mode 'host': k8s_POD_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1 [WARN] * Container running with networking mode 'host': k8s_POD_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1 [WARN] * Container running with networking mode 'host': k8s_POD_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1 [WARN] * Container running with networking mode 'host': k8s_POD_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1 [WARN] * Container running with networking mode 'host': k8s_POD_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1 [WARN] 5.10 - Ensure that the memory usage for containers is limited (Automated) [WARN] * Container running without memory restrictions: k8s_calico-kube-controllers_calico-kube-controllers-57c5b6487c-zzln4_kube-system_7b0c6094-dd2c-4905-b32b-1f35bba1acd7_1 [WARN] * Container running without memory restrictions: k8s_POD_coredns-78fcd69978-rqxgp_kube-system_7bf8863b-6d1f-448d-b2e7-02e24eda11fd_12 [WARN] * Container running without memory restrictions: k8s_POD_coredns-78fcd69978-rm2bp_kube-system_a86580f7-6cae-431a-8c22-cfa86c756929_12 [WARN] * Container running without memory restrictions: k8s_POD_calico-kube-controllers-57c5b6487c-zzln4_kube-system_7b0c6094-dd2c-4905-b32b-1f35bba1acd7_12 [WARN] * Container running without memory restrictions: k8s_calico-node_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1 [WARN] * Container running without memory restrictions: k8s_POD_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1 [WARN] * Container running without memory restrictions: k8s_kube-proxy_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1 [WARN] * Container running without memory restrictions: k8s_POD_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1 [WARN] * Container running without memory restrictions: k8s_etcd_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1 [WARN] * Container running without memory restrictions: k8s_kube-controller-manager_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1 [WARN] * Container running without memory restrictions: k8s_kube-apiserver_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1 [WARN] * Container running without memory restrictions: k8s_kube-scheduler_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1 [WARN] * Container running without memory restrictions: k8s_POD_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1 [WARN] * Container running without memory restrictions: k8s_POD_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1 [WARN] * Container running without memory restrictions: k8s_POD_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1 [WARN] * Container running without memory restrictions: k8s_POD_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1 [PASS] 5.11 - Ensure that CPU priority is set appropriately on containers (Automated) [WARN] 5.12 - Ensure that the container's root filesystem is mounted as read only (Automated) [WARN] * Container running with root FS mounted R/W: k8s_calico-kube-controllers_calico-kube-controllers-57c5b6487c-zzln4_kube-system_7b0c6094-dd2c-4905-b32b-1f35bba1acd7_1 [WARN] * Container running with root FS mounted R/W: k8s_POD_coredns-78fcd69978-rqxgp_kube-system_7bf8863b-6d1f-448d-b2e7-02e24eda11fd_12 [WARN] * Container running with root FS mounted R/W: k8s_POD_coredns-78fcd69978-rm2bp_kube-system_a86580f7-6cae-431a-8c22-cfa86c756929_12 [WARN] * Container running with root FS mounted R/W: k8s_POD_calico-kube-controllers-57c5b6487c-zzln4_kube-system_7b0c6094-dd2c-4905-b32b-1f35bba1acd7_12 [WARN] * Container running with root FS mounted R/W: k8s_calico-node_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1 [WARN] * Container running with root FS mounted R/W: k8s_POD_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1 [WARN] * Container running with root FS mounted R/W: k8s_kube-proxy_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1 [WARN] * Container running with root FS mounted R/W: k8s_POD_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1 [WARN] * Container running with root FS mounted R/W: k8s_etcd_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1 [WARN] * Container running with root FS mounted R/W: k8s_kube-controller-manager_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1 [WARN] * Container running with root FS mounted R/W: k8s_kube-apiserver_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1 [WARN] * Container running with root FS mounted R/W: k8s_kube-scheduler_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1 [WARN] * Container running with root FS mounted R/W: k8s_POD_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1 [WARN] * Container running with root FS mounted R/W: k8s_POD_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1 [WARN] * Container running with root FS mounted R/W: k8s_POD_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1 [WARN] * Container running with root FS mounted R/W: k8s_POD_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1 [PASS] 5.13 - Ensure that incoming container traffic is bound to a specific host interface (Automated) [WARN] 5.14 - Ensure that the 'on-failure' container restart policy is set to '5' (Automated) [WARN] * MaximumRetryCount is not set to 5: k8s_coredns_coredns-78fcd69978-rqxgp_kube-system_7bf8863b-6d1f-448d-b2e7-02e24eda11fd_1 [WARN] * MaximumRetryCount is not set to 5: k8s_calico-kube-controllers_calico-kube-controllers-57c5b6487c-zzln4_kube-system_7b0c6094-dd2c-4905-b32b-1f35bba1acd7_1 [WARN] * MaximumRetryCount is not set to 5: k8s_coredns_coredns-78fcd69978-rm2bp_kube-system_a86580f7-6cae-431a-8c22-cfa86c756929_1 [WARN] * MaximumRetryCount is not set to 5: k8s_POD_coredns-78fcd69978-rqxgp_kube-system_7bf8863b-6d1f-448d-b2e7-02e24eda11fd_12 [WARN] * MaximumRetryCount is not set to 5: k8s_POD_coredns-78fcd69978-rm2bp_kube-system_a86580f7-6cae-431a-8c22-cfa86c756929_12 [WARN] * MaximumRetryCount is not set to 5: k8s_POD_calico-kube-controllers-57c5b6487c-zzln4_kube-system_7b0c6094-dd2c-4905-b32b-1f35bba1acd7_12 [WARN] * MaximumRetryCount is not set to 5: k8s_calico-node_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1 [WARN] * MaximumRetryCount is not set to 5: k8s_POD_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1 [WARN] * MaximumRetryCount is not set to 5: k8s_kube-proxy_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1 [WARN] * MaximumRetryCount is not set to 5: k8s_POD_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1 [WARN] * MaximumRetryCount is not set to 5: k8s_etcd_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1 [WARN] * MaximumRetryCount is not set to 5: k8s_kube-controller-manager_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1 [WARN] * MaximumRetryCount is not set to 5: k8s_kube-apiserver_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1 [WARN] * MaximumRetryCount is not set to 5: k8s_kube-scheduler_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1 [WARN] * MaximumRetryCount is not set to 5: k8s_POD_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1 [WARN] * MaximumRetryCount is not set to 5: k8s_POD_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1 [WARN] * MaximumRetryCount is not set to 5: k8s_POD_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1 [WARN] * MaximumRetryCount is not set to 5: k8s_POD_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1 [PASS] 5.15 - Ensure that the host's process namespace is not shared (Automated) [PASS] 5.16 - Ensure that the host's IPC namespace is not shared (Automated) [PASS] 5.17 - Ensure that host devices are not directly exposed to containers (Manual) [INFO] 5.18 - Ensure that the default ulimit is overwritten at runtime if needed (Manual) [INFO] * Container no default ulimit override: k8s_coredns_coredns-78fcd69978-rqxgp_kube-system_7bf8863b-6d1f-448d-b2e7-02e24eda11fd_1 [INFO] * Container no default ulimit override: k8s_calico-kube-controllers_calico-kube-controllers-57c5b6487c-zzln4_kube-system_7b0c6094-dd2c-4905-b32b-1f35bba1acd7_1 [INFO] * Container no default ulimit override: k8s_coredns_coredns-78fcd69978-rm2bp_kube-system_a86580f7-6cae-431a-8c22-cfa86c756929_1 [INFO] * Container no default ulimit override: k8s_POD_coredns-78fcd69978-rqxgp_kube-system_7bf8863b-6d1f-448d-b2e7-02e24eda11fd_12 [INFO] * Container no default ulimit override: k8s_POD_coredns-78fcd69978-rm2bp_kube-system_a86580f7-6cae-431a-8c22-cfa86c756929_12 [INFO] * Container no default ulimit override: k8s_POD_calico-kube-controllers-57c5b6487c-zzln4_kube-system_7b0c6094-dd2c-4905-b32b-1f35bba1acd7_12 [INFO] * Container no default ulimit override: k8s_calico-node_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1 [INFO] * Container no default ulimit override: k8s_POD_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1 [INFO] * Container no default ulimit override: k8s_kube-proxy_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1 [INFO] * Container no default ulimit override: k8s_POD_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1 [INFO] * Container no default ulimit override: k8s_etcd_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1 [INFO] * Container no default ulimit override: k8s_kube-controller-manager_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1 [INFO] * Container no default ulimit override: k8s_kube-apiserver_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1 [INFO] * Container no default ulimit override: k8s_kube-scheduler_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1 [INFO] * Container no default ulimit override: k8s_POD_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1 [INFO] * Container no default ulimit override: k8s_POD_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1 [INFO] * Container no default ulimit override: k8s_POD_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1 [INFO] * Container no default ulimit override: k8s_POD_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1 [WARN] 5.19 - Ensure mount propagation mode is not set to shared (Automated) [WARN] * Mount propagation mode is shared: k8s_calico-node_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1 [WARN] 5.20 - Ensure that the host's UTS namespace is not shared (Automated) [WARN] * Host UTS namespace being shared with: k8s_calico-node_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1 [WARN] * Host UTS namespace being shared with: k8s_kube-proxy_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1 [WARN] * Host UTS namespace being shared with: k8s_etcd_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1 [WARN] * Host UTS namespace being shared with: k8s_kube-controller-manager_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1 [WARN] * Host UTS namespace being shared with: k8s_kube-apiserver_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1 [WARN] * Host UTS namespace being shared with: k8s_kube-scheduler_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1 [WARN] 5.21 - Ensure the default seccomp profile is not Disabled (Automated) [WARN] * Default seccomp profile disabled: k8s_coredns_coredns-78fcd69978-rqxgp_kube-system_7bf8863b-6d1f-448d-b2e7-02e24eda11fd_1 [WARN] * Default seccomp profile disabled: k8s_calico-kube-controllers_calico-kube-controllers-57c5b6487c-zzln4_kube-system_7b0c6094-dd2c-4905-b32b-1f35bba1acd7_1 [WARN] * Default seccomp profile disabled: k8s_coredns_coredns-78fcd69978-rm2bp_kube-system_a86580f7-6cae-431a-8c22-cfa86c756929_1 [WARN] * Default seccomp profile disabled: k8s_calico-node_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1 [WARN] * Default seccomp profile disabled: k8s_kube-proxy_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1 [NOTE] 5.22 - Ensure that docker exec commands are not used with the privileged option (Automated) [NOTE] 5.23 - Ensure that docker exec commands are not used with the user=root option (Manual) [WARN] 5.24 - Ensure that cgroup usage is confirmed (Automated) [WARN] * Confirm cgroup usage: k8s_coredns_coredns-78fcd69978-rqxgp_kube-system_7bf8863b-6d1f-448d-b2e7-02e24eda11fd_1 [WARN] * Confirm cgroup usage: k8s_calico-kube-controllers_calico-kube-controllers-57c5b6487c-zzln4_kube-system_7b0c6094-dd2c-4905-b32b-1f35bba1acd7_1 [WARN] * Confirm cgroup usage: k8s_coredns_coredns-78fcd69978-rm2bp_kube-system_a86580f7-6cae-431a-8c22-cfa86c756929_1 [WARN] * Confirm cgroup usage: k8s_POD_coredns-78fcd69978-rqxgp_kube-system_7bf8863b-6d1f-448d-b2e7-02e24eda11fd_12 [WARN] * Confirm cgroup usage: k8s_POD_coredns-78fcd69978-rm2bp_kube-system_a86580f7-6cae-431a-8c22-cfa86c756929_12 [WARN] * Confirm cgroup usage: k8s_POD_calico-kube-controllers-57c5b6487c-zzln4_kube-system_7b0c6094-dd2c-4905-b32b-1f35bba1acd7_12 [WARN] * Confirm cgroup usage: k8s_calico-node_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1 [WARN] * Confirm cgroup usage: k8s_POD_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1 [WARN] * Confirm cgroup usage: k8s_kube-proxy_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1 [WARN] * Confirm cgroup usage: k8s_POD_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1 [WARN] * Confirm cgroup usage: k8s_etcd_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1 [WARN] * Confirm cgroup usage: k8s_kube-controller-manager_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1 [WARN] * Confirm cgroup usage: k8s_kube-apiserver_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1 [WARN] * Confirm cgroup usage: k8s_kube-scheduler_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1 [WARN] * Confirm cgroup usage: k8s_POD_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1 [WARN] * Confirm cgroup usage: k8s_POD_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1 [WARN] * Confirm cgroup usage: k8s_POD_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1 [WARN] * Confirm cgroup usage: k8s_POD_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1 [WARN] 5.25 - Ensure that the container is restricted from acquiring additional privileges (Automated) [WARN] * Privileges not restricted: k8s_calico-kube-controllers_calico-kube-controllers-57c5b6487c-zzln4_kube-system_7b0c6094-dd2c-4905-b32b-1f35bba1acd7_1 [WARN] * Privileges not restricted: k8s_calico-node_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1 [WARN] * Privileges not restricted: k8s_kube-proxy_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1 [WARN] * Privileges not restricted: k8s_etcd_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1 [WARN] * Privileges not restricted: k8s_kube-controller-manager_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1 [WARN] * Privileges not restricted: k8s_kube-apiserver_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1 [WARN] * Privileges not restricted: k8s_kube-scheduler_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1 [WARN] 5.26 - Ensure that container health is checked at runtime (Automated) [WARN] * Health check not set: k8s_coredns_coredns-78fcd69978-rqxgp_kube-system_7bf8863b-6d1f-448d-b2e7-02e24eda11fd_1 [WARN] * Health check not set: k8s_calico-kube-controllers_calico-kube-controllers-57c5b6487c-zzln4_kube-system_7b0c6094-dd2c-4905-b32b-1f35bba1acd7_1 [WARN] * Health check not set: k8s_coredns_coredns-78fcd69978-rm2bp_kube-system_a86580f7-6cae-431a-8c22-cfa86c756929_1 [WARN] * Health check not set: k8s_POD_coredns-78fcd69978-rqxgp_kube-system_7bf8863b-6d1f-448d-b2e7-02e24eda11fd_12 [WARN] * Health check not set: k8s_POD_coredns-78fcd69978-rm2bp_kube-system_a86580f7-6cae-431a-8c22-cfa86c756929_12 [WARN] * Health check not set: k8s_POD_calico-kube-controllers-57c5b6487c-zzln4_kube-system_7b0c6094-dd2c-4905-b32b-1f35bba1acd7_12 [WARN] * Health check not set: k8s_calico-node_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1 [WARN] * Health check not set: k8s_POD_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1 [WARN] * Health check not set: k8s_kube-proxy_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1 [WARN] * Health check not set: k8s_POD_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1 [WARN] * Health check not set: k8s_etcd_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1 [WARN] * Health check not set: k8s_kube-controller-manager_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1 [WARN] * Health check not set: k8s_kube-apiserver_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1 [WARN] * Health check not set: k8s_kube-scheduler_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1 [WARN] * Health check not set: k8s_POD_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1 [WARN] * Health check not set: k8s_POD_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1 [WARN] * Health check not set: k8s_POD_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1 [WARN] * Health check not set: k8s_POD_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1 [INFO] 5.27 - Ensure that Docker commands always make use of the latest version of their image (Manual) [WARN] 5.28 - Ensure that the PIDs cgroup limit is used (Automated) [WARN] * PIDs limit not set: k8s_coredns_coredns-78fcd69978-rqxgp_kube-system_7bf8863b-6d1f-448d-b2e7-02e24eda11fd_1 [WARN] * PIDs limit not set: k8s_calico-kube-controllers_calico-kube-controllers-57c5b6487c-zzln4_kube-system_7b0c6094-dd2c-4905-b32b-1f35bba1acd7_1 [WARN] * PIDs limit not set: k8s_coredns_coredns-78fcd69978-rm2bp_kube-system_a86580f7-6cae-431a-8c22-cfa86c756929_1 [WARN] * PIDs limit not set: k8s_POD_coredns-78fcd69978-rqxgp_kube-system_7bf8863b-6d1f-448d-b2e7-02e24eda11fd_12 [WARN] * PIDs limit not set: k8s_POD_coredns-78fcd69978-rm2bp_kube-system_a86580f7-6cae-431a-8c22-cfa86c756929_12 [WARN] * PIDs limit not set: k8s_POD_calico-kube-controllers-57c5b6487c-zzln4_kube-system_7b0c6094-dd2c-4905-b32b-1f35bba1acd7_12 [WARN] * PIDs limit not set: k8s_calico-node_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1 [WARN] * PIDs limit not set: k8s_POD_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1 [WARN] * PIDs limit not set: k8s_kube-proxy_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1 [WARN] * PIDs limit not set: k8s_POD_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1 [WARN] * PIDs limit not set: k8s_etcd_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1 [WARN] * PIDs limit not set: k8s_kube-controller-manager_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1 [WARN] * PIDs limit not set: k8s_kube-apiserver_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1 [WARN] * PIDs limit not set: k8s_kube-scheduler_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1 [WARN] * PIDs limit not set: k8s_POD_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1 [WARN] * PIDs limit not set: k8s_POD_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1 [WARN] * PIDs limit not set: k8s_POD_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1 [WARN] * PIDs limit not set: k8s_POD_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1 [PASS] 5.29 - Ensure that Docker's default bridge 'docker0' is not used (Manual) [PASS] 5.30 - Ensure that the host's user namespaces are not shared (Automated) [PASS] 5.31 - Ensure that the Docker socket is not mounted inside any containers (Automated) [INFO] 6 - Docker Security Operations [INFO] 6.1 - Ensure that image sprawl is avoided (Manual) [INFO] * There are currently: 11 images [INFO] * Only 0 out of 11 are in use [INFO] 6.2 - Ensure that container sprawl is avoided (Manual) [INFO] * There are currently a total of 39 containers, with 18 of them currently running [INFO] 7 - Docker Swarm Configuration [PASS] 7.1 - Ensure swarm mode is not Enabled, if not needed (Automated) [PASS] 7.2 - Ensure that the minimum number of manager nodes have been created in a swarm (Automated) (Swarm mode not enabled) [PASS] 7.3 - Ensure that swarm services are bound to a specific host interface (Automated) (Swarm mode not enabled) [PASS] 7.4 - Ensure that all Docker swarm overlay networks are encrypted (Automated) [PASS] 7.5 - Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Manual) (Swarm mode not enabled) [PASS] 7.6 - Ensure that swarm manager is run in auto-lock mode (Automated) (Swarm mode not enabled) [PASS] 7.7 - Ensure that the swarm manager auto-lock key is rotated periodically (Manual) (Swarm mode not enabled) [PASS] 7.8 - Ensure that node certificates are rotated as appropriate (Manual) (Swarm mode not enabled) [PASS] 7.9 - Ensure that CA certificates are rotated as appropriate (Manual) (Swarm mode not enabled) [PASS] 7.10 - Ensure that management plane traffic is separated from data plane traffic (Manual) (Swarm mode not enabled) Section C - Score [INFO] Checks: 116 [INFO] Score: -3 ``` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://sysnet4admin.gitbook.io/cncf/cloud-native/security/node/docker-bench.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.