As more of VMware’s customers look to run containerized applications, some have raised the question of securing containers in their environments. In partnership with the Center for Internet Security (CIS), Docker and others, VMware has developed a security configuration benchmark for Docker containers that you can download from here.
In all, six parties came together to develop the benchmark -- covering 84 recommendations -- in just 12 weeks. The aim of this security benchmark, like any other hardening guide or security documentation for any other vendor or product, is to highlight configuration parameters and other secure deployment considerations. It is designed as a definitive reference guide for customers wanting to understand how to securely provision containers to Linux OSes in production.
CIS is an independent organization focused on enhancing the cyber security readiness and response of public and private sector entities, with a commitment to excellence through collaboration. At CIS, security configuration benchmarks are created using a consensus review process comprised of subject matter experts. The benchmark is a result of collaboration between various industry experts, a team of enthusiastic folks who worked closely to develop and corral a consensus set of guidance as well as leveraging resources such as blog posts, articles, internet resources, and Docker documentation. CIS facilitated the development efforts and guided us throughout the benchmark development process. Each recommendation was thoroughly vetted, tested and endorsed by the consensus team consisting of folks from CIS, VMware, Docker, Cognitive Scale, International Securities Exchange and Rakuten.
Assessing your Dockerized environments using VMware
However, having just a security benchmark is not enough. Customers also need a mechanism to evaluate containerized workloads against the benchmark and provide compliance visibility and reporting. The solution should also be able to assess diverse workloads hosted on heterogeneous Linux distributions.
VMware has developed such a solution within VMware vRealize Configuration Manager. It is designed as a compliance toolkit, and is the FIRST of its kind to assess containerized workloads against the CIS benchmark. The tool provides compliance health status for each Docker container, image, container host, Docker daemon, etc., against each automatable recommendation from CIS benchmark.
vRealize Configuration Manager covers 100% of the automatable recommendations in the benchmark – addressed here in depth - and even some that are not directly automatable. You can get a detailed listing of the rules available in the VMware solution in the product sheet attached here.
Let’s dive into a comprehensive overview of the solution.