Benchmark: 2 Docker daemon configuration
Overview
This section lists the recommendations that alter and secure the behavior of the Docker daemon. The settings that are under this section affect ALL container instances.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-docker-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 2 Docker daemon configuration.
Run this benchmark in your terminal:
powerpipe benchmark run docker_compliance.benchmark.cis_v160_2
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run docker_compliance.benchmark.cis_v160_2 --share
Controls
- 2.1 Run the Docker daemon as a non-root user, if possible
- 2.2 Ensure network traffic is restricted between containers on the default bridge
- 2.3 Ensure the logging level is set to 'info'
- 2.4 Ensure Docker is allowed to make changes to iptables
- 2.5 Ensure insecure registries are not used
- 2.6 Ensure aufs storage driver is not used
- 2.7 Ensure TLS authentication for Docker daemon is configured
- 2.8 Ensure the default ulimit is configured appropriately
- 2.9 Enable user namespace support
- 2.11 Ensure base device size is not changed until needed
- 2.12 Ensure that authorization for Docker client commands is enabled
- 2.13 Ensure centralized and remote logging is configured
- 2.14 Ensure containers are restricted from acquiring new privileges
- 2.15 Ensure live restore is enabled
- 2.16 Ensure Userland Proxy is Disabled
- 2.17 Ensure that a daemon-wide custom seccomp profile is applied if appropriate
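The controls above each correspond to a daemon-level setting, most of which live in /etc/docker/daemon.json. The following script is an added example, not part of this mod or the CIS benchmark, that maps the daemon.json keys to the section 2 controls and reports which controls a given configuration fails. Both embedded configurations are constructed for illustration; the plugin name, certificate paths, syslog address and seccomp profile path are placeholders. Control 2.1 (running the daemon as a non-root user) is a process-level check and is not covered here; 2.7 is only enforced when a tcp:// listener is configured, since a daemon that only listens on the Unix socket has no TLS endpoint to secure.

```python
import json
import sys

# Constructed sample: a near-default daemon exposed on plain TCP with several
# weak settings. Not taken from the page or any real host.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "log-level": "debug",
  "insecure-registries": ["registry.internal:5000"],
  "storage-driver": "aufs",
  "storage-opts": ["dm.basesize=50G"],
  "userland-proxy": true
}
"""

# Constructed sample: the same daemon with the section 2 controls satisfied.
# Paths, the authorization plugin name and the syslog address are placeholders.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem",
  "icc": false,
  "log-level": "info",
  "iptables": true,
  "storage-driver": "overlay2",
  "default-ulimits": {"nofile": {"Name": "nofile", "Hard": 64000, "Soft": 64000}},
  "userns-remap": "default",
  "authorization-plugins": ["authz-plugin"],
  "log-driver": "syslog",
  "log-opts": {"syslog-address": "tcp://logs.example.internal:514"},
  "no-new-privileges": true,
  "live-restore": true,
  "userland-proxy": false,
  "seccomp-profile": "/etc/docker/seccomp-profile.json"
}
"""


def check_daemon_config(cfg: dict) -> dict:
    """Evaluate the daemon.json-visible section 2 controls.

    Returns {control_id: passed}. Where a key is absent, the daemon default is
    assumed (icc=true, iptables=true, log-level=info, userland-proxy=true,
    log-driver=json-file). Control 2.1 is not a daemon.json setting and is omitted.
    """
    results = {}
    results["2.2"] = cfg.get("icc", True) is False
    results["2.3"] = cfg.get("log-level", "info") == "info"
    results["2.4"] = cfg.get("iptables", True) is True
    results["2.5"] = not cfg.get("insecure-registries")
    results["2.6"] = cfg.get("storage-driver") != "aufs"
    # 2.7: TLS only matters when the daemon exposes a TCP listener.
    tcp_listener = any(h.startswith("tcp://") for h in cfg.get("hosts", []))
    tls_ok = cfg.get("tlsverify") is True and all(
        k in cfg for k in ("tlscacert", "tlscert", "tlskey")
    )
    results["2.7"] = tls_ok if tcp_listener else True
    results["2.8"] = bool(cfg.get("default-ulimits"))
    results["2.9"] = bool(cfg.get("userns-remap"))
    # 2.11: dm.basesize should not be overridden unless actually needed.
    results["2.11"] = not any(
        o.startswith("dm.basesize=") for o in cfg.get("storage-opts", [])
    )
    results["2.12"] = bool(cfg.get("authorization-plugins"))
    # 2.13: assumption for this example: the node-local drivers (json-file,
    # local, none) do not count as centralized or remote logging.
    results["2.13"] = cfg.get("log-driver", "json-file") not in ("json-file", "local", "none")
    results["2.14"] = cfg.get("no-new-privileges") is True
    results["2.15"] = cfg.get("live-restore") is True
    results["2.16"] = cfg.get("userland-proxy", True) is False
    results["2.17"] = bool(cfg.get("seccomp-profile"))
    return results


def failing_controls(daemon_json_text: str) -> list:
    """Parse a daemon.json document and return the IDs of the failing controls."""
    cfg = json.loads(daemon_json_text)
    return [cid for cid, ok in check_daemon_config(cfg).items() if not ok]


if __name__ == "__main__":
    # Pass a path (e.g. /etc/docker/daemon.json) to check a real host;
    # with no argument the two constructed samples are evaluated.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print("failing:", failing_controls(fh.read()))
    else:
        print("weak     ->", failing_controls(WEAK_DAEMON_JSON))
        print("hardened ->", failing_controls(HARDENED_DAEMON_JSON))
```

The check deliberately treats a missing key as the daemon default rather than as a pass, which is why the weak sample fails 2.2 even though it never mentions icc; the same reasoning is why the mod's own controls inspect `docker info` output rather than trusting daemon.json alone. Settings passed on the dockerd command line (for example in a systemd unit) are not visible to this script.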