As more of VMware’s customers look to run containerized applications, some have raised the question of securing containers in their environments. In partnership with the Center for Internet Security (CIS), Docker and others, VMware has developed a security configuration benchmark for Docker containers that you can download from here.
In all, six parties came together to develop the benchmark — covering 84 recommendations — in just 12 weeks. The aim of this security benchmark, like any other hardening guide or security documentation for any other vendor or product, is to highlight configuration parameters and other secure deployment considerations. It is designed as a definitive reference guide for customers wanting to understand how to securely provision containers to Linux OSes in production.
CIS is an independent organization focused on enhancing the cyber security readiness and response of public and private sector entities, with a commitment to excellence through collaboration. At CIS, security configuration benchmarks are created using a consensus review process carried out by subject matter experts. The benchmark is the result of collaboration between various industry experts, a team of enthusiastic folks who worked closely to develop and corral a consensus set of guidance, leveraging resources such as blog posts, articles, internet resources, and Docker documentation. CIS facilitated the development efforts and guided us throughout the benchmark development process. Each recommendation was thoroughly vetted, tested and endorsed by the consensus team consisting of folks from CIS, VMware, Docker, Cognitive Scale, International Securities Exchange and Rakuten.
Assessing your Dockerized environments using VMware
However, having just a security benchmark is not enough. Customers also need a mechanism to evaluate containerized workloads against the benchmark and provide compliance visibility and reporting. The solution should also be able to assess diverse workloads hosted on heterogeneous Linux distributions.
VMware has developed such a solution within VMware vRealize Configuration Manager. It is designed as a compliance toolkit, and is the FIRST of its kind to assess containerized workloads against the CIS benchmark. The tool provides compliance health status for each Docker container, image, container host, Docker daemon, etc., against each automatable recommendation from the CIS benchmark.
vRealize Configuration Manager covers 100% of the automatable recommendations in the benchmark – addressed here in depth – and even some that are not directly automatable. You can get a detailed listing of the rules available in the VMware solution in the product sheet attached here.
Let’s dive into a comprehensive overview of the solution.
Host Configuration Recommendations
This section covers security recommendations that you should follow to prepare the host machine that you plan to use for executing containerized workloads. These recommendations apply to the Linux host. The table below summarizes what recommendations are covered in VMware’s solution:
This is what the implemented rules look like:
The detailed compliance assessment results are seen in the template. You can group the results however you choose: by rule name, compliance status, machine, data class or anything else.
Docker Daemon Configuration Recommendations
The recommendations here are evaluated using Docker daemon process arguments. The list of arguments passed to the Docker daemon is captured to determine compliance status. The table below summarizes what recommendations are covered in VMware’s solution:
You can even view these arguments before assessing compliance status:
Corresponding rules are shown as below:
The detailed template results are as below:
Scrolling to the right we can see what the “Value Expected” was and what the actual “Value Found” was on the system that resulted in non-compliant or compliant status:
Docker Daemon Configuration Files Recommendations
Securing the files and directories that may contain sensitive parameters is important for correct and secure functioning of the Docker daemon. The recommendations here are assessed on files and directories that are related to the execution of the Docker daemon. These files and directories are inspected for their permissions and ownerships. VMware’s solution covers 100% of these recommendations as outlined in the table below:
You can navigate through directories to look for specific files as you do on the system.
The rules for this section are as below:
Notice that these rules have an enforceable icon, as shown below:
That means that if you find non-compliant results in this section, those infringements can be automatically corrected by the tool to compliant conditions on the system. You would not require any administrator’s help to fix non-compliant results.
Additionally, the solution is flexible enough to allow the user to provide values for specific rules based on their environment. Such rules are highlighted by an asterisk, “*”, in front of them and must be edited to suit the customer’s specific needs before they can be assessed.
The template results provide both deep insight into the values set and whether infringements are enforceable if they are discovered:
Container Images and Build File Recommendations
Container base images and build files govern the fundamentals of how a container instance from a particular image would behave. Ensuring that you are using correct base images and appropriate build files is very important for building your containerized infrastructure. Recommendations here are mostly best practices that you should follow for container base images and build files to ensure that your containerized infrastructure is secure.
This is where you first start inspecting container instances. I will cover more on that in the next section.
Container Runtime Recommendations
This is the core of the solution. There are a lot of security considerations implicit in the ways in which a container is started. It is possible to provide potentially dangerous runtime parameters that might compromise the host and other containers on the host. Verifying a container runtime is thus very important. Inspecting many container instances for numerous properties across multiple Linux hosts could be very tiresome – but not with VMware’s solution. It inspects your container instances across multiple hosts in a single pass while just checking the properties needed for compliance. We score a 100 in this section as well.
The various ‘interesting’ settings are inspected from all the container instances and can be seen as a stack of parameters from one console:
By default, only properties needed for compliance assessment with respect to the security benchmark are collected. But, you can customize the inspection and collection process for any data points that you desire.
The property names shown above are the actual container instances found across the Linux hosts. Property value consists of the actual container runtime properties that we are inspecting. Now, we can use the data from these container instances and their respective properties to write compliance rules:
The simple UI-based rule shows that we want to inspect container capabilities and that we don’t want any Linux capabilities to be added to the containers on top of the defaults. That’s it.
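The capability rule described above, together with two other runtime checks, can be expressed directly against `docker inspect` JSON. This is an added example, not VMware's rule content; the sample data is constructed, and the choice of the two extra rules and all function names are assumptions made for illustration.

```python
import json

# Constructed sample: trimmed `docker inspect` output for two containers.
SAMPLE_INSPECT = json.loads("""
[
  {"Id": "1111aaaa", "Name": "/web",
   "HostConfig": {"CapAdd": null, "Privileged": false, "PidMode": ""}},
  {"Id": "2222bbbb", "Name": "/debug",
   "HostConfig": {"CapAdd": ["SYS_ADMIN", "NET_ADMIN"],
                  "Privileged": true, "PidMode": "host"}}
]
""")

# Illustrative rules: (rule name, HostConfig key, expected value, predicate).
# Docker reports CapAdd as null when nothing was added, so "falsy" is compliant.
# A missing Privileged value is treated as non-compliant (fail closed).
RULES = [
    ("No added Linux capabilities", "CapAdd", "none", lambda v: not v),
    ("Not privileged", "Privileged", "false", lambda v: v is False),
    ("Host PID namespace not shared", "PidMode", "not 'host'",
     lambda v: v != "host"),
]

def assess(containers):
    """Return one result row per (container, rule) pair."""
    rows = []
    for c in containers:
        host_config = c.get("HostConfig") or {}
        for name, key, expected, is_ok in RULES:
            found = host_config.get(key)
            rows.append({
                "container_id": c.get("Id", "unknown"),
                "rule": name,
                "value_expected": expected,
                "value_found": found,
                "compliant": is_ok(found),
            })
    return rows

def non_compliant(rows):
    """List (container ID, rule) pairs that need fixing."""
    return [(r["container_id"], r["rule"]) for r in rows if not r["compliant"]]

if __name__ == "__main__":
    for r in assess(SAMPLE_INSPECT):
        status = "compliant" if r["compliant"] else "NON-COMPLIANT"
        print(f'{r["container_id"]}  {r["rule"]:<30} '
              f'expected={r["value_expected"]:<11} '
              f'found={r["value_found"]!r}  {status}')
```

On a real host the input would come from `docker inspect $(docker ps -q)` rather than the embedded sample.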
The various rules in this section are as below:
The template results are detailed as usual and provide correlation with container instance ID and the property to help you go back and fix the containers:
When you scroll to the right you will see container instance ID and what was looked for and what was actually found:
You can also see results vertically if you want to read more into the row cells:
So, this shows how easy and quick it is with VMware’s solution to inspect your containers and find compliant and non-compliant settings on each of them without logging into multiple Linux systems and typing commands tirelessly.
Docker Security Operations Recommendations
The recommendations here are mostly high-level operations best practices. This section serves as a reminder to enterprises that they should extend their information security policy and other best practices to include containers. Using VMware’s solution you can find a count of un-instantiated images and inactive containers on the system.
You can view both these counts on the console as well as have compliance rules for them.
So, having walked you through, you can now see how simple and effective it is to do compliance assessments on your containers. Not only that, there is also a dashboard summarizing the findings and various other reporting capabilities to satisfy management requirements.
Additionally, you can use canned reports or create your own. The three canned reports that we produced for you are:
- Container Status
- Container Uptime
- Unused images
Just run the desired report and it will do the job for you. You can then export the report in the desired format.
VMware vRealize Configuration Manager is not limited to just Docker containers. This solution supports configuration and compliance assessment of your *NIX, Windows and Virtualized environments along with patching, change management and various other asset management and reporting capabilities. Please check out the product brochure and download your free 60-day trial software here. If you have any questions about this solution, please post them here. If you already have a VCM instance, please download the content pack from content wizard and begin to use it.
Looking forward to hearing from you!
Thanks and regards,
CISSP | TOGAF | CCSK | CWSP
RHCE | HP-UX CSA | VCP4-DCV | MBA | GISP | CloudU | CompTIA CE | ITIL-F | ITSM-F | CWNA | Mobility+ | VSP 2015