Docker-контейнеры
Образы контейнера ClickHouse
Компания «Инфомаксимум» не добавляет неиспользуемые библиотеки или пакеты.
Образы контейнеров, контейнеры, параметры запуска контейнера, конфигурационные файлы контейнеров не хранят критичную информацию (пароли в файлах, hard-coded пароли, ключи, логины). Логины и хеш паролей приходят через Docker Secrets.
Образ контейнера был подписан компанией «Инфомаксимум».
Логирование ClickHouse
Контейнер с ClickHouse записывает логи в отдельный volume: infomaximumclickhouse-log. Для просмотра логов подключите и запустите контейнер с необходимым volume, например:
docker run -it --rm -v=infomaximum-clickhouselog:/ mnt/volume ubuntu bash
Внутри контейнера выполните:
tail -n 200 -f /mnt/volume/clickhouseserver.log
Логи хост машины не кастомизируются и располагаются по умолчанию в /var/log/….
Работа Docker Secrets
Применение секретов позволяет не передавать пароли и приватные ключи в открытом виде (в docker-контейнеры).
В настоящий момент через секреты передаются следующие значения:
- логин для подключения к clickhouse
- хеш-пароля для подключения к clickhouse
- сертификат (для https)
- приватный ключ (для https)
- Diffie Hellman ключ (для https)
Доступ к секретам предоставляется в момент создания сервиса и впоследствии не может быть изменен. Чтобы внести изменения, удалите сервис и создайте его повторно.
Все секреты хранятся в зашифрованном в виде в Docker Swarm.
При запуске контейнера Docker Swarm монтирует секреты в виде файлов в каталог /run/secrets/….
Разворачивание ClickHouse в Docker-контейнере
Разворачивание происходит в соответствии с установкой БД ClickHouse.
Benchmark result
# ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.4
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Community Edition Benchmark v1.1.0.
# ------------------------------------------------------------------------------
Initializing Fri Nov 29 08:32:47 UTC 2019
[INFO] 1 - Host Configuration
[WARN] 1.1 - Ensure a separate partition for containers has been created
[NOTE] 1.2 - Ensure the container host has been Hardened
[INFO] 1.3 - Ensure Docker is up to date
[INFO] * Using 19.03.5, verify is it up to date as deemed necessary
[INFO] * Your operating system vendor may provide support and security maintenance for Docker
[INFO] 1.4 - Ensure only trusted users are allowed to control Docker daemon
[INFO] * docker:x:999
[WARN] 1.5 - Ensure auditing is configured for the Docker daemon
[WARN] 1.6 - Ensure auditing is configured for Docker files and directories - /var/lib/docker
[WARN] 1.7 - Ensure auditing is configured for Docker files and directories - /etc/docker
[INFO] 1.8 - Ensure auditing is configured for Docker files and directories - docker.service
[INFO] * File not found
[INFO] 1.9 - Ensure auditing is configured for Docker files and directories - docker.socket
[INFO] * File not found
[WARN] 1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker
[INFO] 1.11 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
[INFO] * File not found
[INFO] 1.12 - Ensure auditing is configured for Docker files and directories - /usr/bin/dockercontainerd
[INFO] * File not found
[INFO] 1.13 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc
[INFO] * File not found
[INFO] 2 - Docker daemon configuration
[WARN] 2.1 - Ensure network traffic is restricted between containers on the default bridge
[PASS] 2.2 - Ensure the logging level is set to 'info'
[PASS] 2.3 - Ensure Docker is allowed to make changes to iptables
[PASS] 2.4 - Ensure insecure registries are not used
[PASS] 2.5 - Ensure aufs storage driver is not used
[INFO] 2.6 - Ensure TLS authentication for Docker daemon is configured
[INFO] * Docker daemon not listening on TCP
[INFO] 2.7 - Ensure the default ulimit is configured appropriately
[INFO] * Default ulimit doesn't appear to be set
[WARN] 2.8 - Enable user namespace support
[PASS] 2.9 - Ensure the default cgroup usage has been confirmed
[PASS] 2.10 - Ensure base device size is not changed until needed
[WARN] 2.11 - Ensure that authorization for Docker client commands is enabled
[WARN] 2.12 - Ensure centralized and remote logging is configured
[INFO] 2.13 - Ensure operations on legacy registry (v1) are Disabled (Deprecated)
[PASS] 2.14 - Ensure live restore is Enabled (Incompatible with swarm mode)
[WARN] 2.15 - Ensure Userland Proxy is Disabled
[PASS] 2.16 - Ensure daemon-wide custom seccomp profile is applied, if needed
[PASS] 2.17 - Ensure experimental features are avoided in production
[WARN] 2.18 - Ensure containers are restricted from acquiring new privileges
[INFO] 3 - Docker daemon configuration files
[INFO] 3.1 - Ensure that docker.service file ownership is set to root:root
[INFO] * File not found
[INFO] 3.2 - Ensure that docker.service file permissions are set to 644 or more restrictive
[INFO] * File not found
[INFO] 3.3 - Ensure that docker.socket file ownership is set to root:root
[INFO] * File not found
[INFO] 3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive
[INFO] * File not found
[PASS] 3.5 - Ensure that /etc/docker directory ownership is set to root:root
[PASS] 3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictive
[INFO] 3.7 - Ensure that registry certificate file ownership is set to root:root
[INFO] * Directory not found
[INFO] 3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictive
[INFO] * Directory not found
[INFO] 3.9 - Ensure that TLS CA certificate file ownership is set to root:root
[INFO] * No TLS CA certificate found
[INFO] 3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive
[INFO] * No TLS CA certificate found
[INFO] 3.11 - Ensure that Docker server certificate file ownership is set to root:root
[INFO] * No TLS Server certificate found
[INFO] 3.12 - Ensure that Docker server certificate file permissions are set to 444 or more restrictive
[INFO] * No TLS Server certificate found
[INFO] 3.13 - Ensure that Docker server certificate key file ownership is set to root:root
[INFO] * No TLS Key found
[INFO] 3.14 - Ensure that Docker server certificate key file permissions are set to 400
[INFO] * No TLS Key found
[PASS] 3.15 - Ensure that Docker socket file ownership is set to root:docker
[PASS] 3.16 - Ensure that Docker socket file permissions are set to 660 or more restrictive
[INFO] 3.17 - Ensure that daemon.json file ownership is set to root:root
[INFO] * File not found
[INFO] 3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive
[INFO] * File not found
[PASS] 3.19 - Ensure that /etc/default/docker file ownership is set to root:root
[PASS] 3.20 - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive
[INFO] 4 - Container Images and Build File
[PASS] 4.1 - Ensure a user for the container has been created
[NOTE] 4.2 - Ensure that containers use trusted base images
[NOTE] 4.3 - Ensure unnecessary packages are not installed in the container
[NOTE] 4.4 - Ensure images are scanned and rebuilt to include security patches
[WARN] 4.5 - Ensure Content trust for Docker is Enabled
[PASS] 4.6 - Ensure HEALTHCHECK instructions have been added to the container image
[PASS] 4.7 - Ensure update instructions are not use alone in the Dockerfile
[NOTE] 4.8 - Ensure setuid and setgid permissions are removed in the images
[INFO] 4.9 - Ensure COPY is used instead of ADD in Dockerfile
[INFO] * ADD in image history: [infomaximum/infomaximum-clickhouse:19.15.2.2RC2]
[INFO] * ADD in image history: [docker/docker-bench-security:latest]
[NOTE] 4.10 - Ensure secrets are not stored in Dockerfiles
[NOTE] 4.11 - Ensure verified packages are only Installed
[INFO] 5 - Container Runtime
[PASS] 5.1 - Ensure AppArmor Profile is Enabled
[WARN] 5.2 - Ensure SELinux security options are set, if applicable
[WARN] * No SecurityOptions Found: infomaximum-clickhouse.1.jo8sqn516v3eua7zi7plufnek
[PASS] 5.3 - Ensure Linux Kernel Capabilities are restricted within containers
[PASS] 5.4 - Ensure privileged containers are not used
[PASS] 5.5 - Ensure sensitive host system directories are not mounted on containers
[PASS] 5.6 - Ensure ssh is not run within containers
[PASS] 5.7 - Ensure privileged ports are not mapped within containers
[NOTE] 5.8 - Ensure only needed ports are open on the container
[PASS] 5.9 - Ensure the host's network namespace is not shared
[PASS] 5.10 - Ensure memory usage for container is limited
[WARN] 5.11 - Ensure CPU priority is set appropriately on the container
[WARN] * Container running without CPU restrictions: infomaximumclickhouse.1.jo8sqn516v3eua7zi7plufnek
[WARN] 5.12 - Ensure the container's root filesystem is mounted as read only
[WARN] * Container running with root FS mounted R/W: infomaximumclickhouse.1.jo8sqn516v3eua7zi7plufnek
[WARN] 5.13 - Ensure incoming container traffic is binded to a specific host interface
[WARN] * Port being bound to wildcard IP: 0.0.0.0 in infomaximumclickhouse.1.jo8sqn516v3eua7zi7plufnek
[WARN] 5.14 - Ensure 'on-failure' container restart policy is set to '5'
[WARN] * MaximumRetryCount is not set to 5: infomaximumclickhouse.1.jo8sqn516v3eua7zi7plufnek
[PASS] 5.15 - Ensure the host's process namespace is not shared
[PASS] 5.16 - Ensure the host's IPC namespace is not shared
[PASS] 5.17 - Ensure host devices are not directly exposed to containers
[INFO] 5.18 - Ensure the default ulimit is overwritten at runtime, only if needed
[INFO] * Container no default ulimit override: infomaximumclickhouse.1.jo8sqn516v3eua7zi7plufnek
[PASS] 5.19 - Ensure mount propagation mode is not set to shared
[PASS] 5.20 - Ensure the host's UTS namespace is not shared
[PASS] 5.21 - Ensure the default seccomp profile is not Disabled
[NOTE] 5.22 - Ensure docker exec commands are not used with privileged option
[NOTE] 5.23 - Ensure docker exec commands are not used with user option
[PASS] 5.24 - Ensure cgroup usage is confirmed
[WARN] 5.25 - Ensure the container is restricted from acquiring additional privileges
[WARN] * Privileges not restricted: infomaximum-clickhouse.1.jo8sqn516v3eua7zi7plufnek
[PASS] 5.26 - Ensure container health is checked at runtime
[INFO] 5.27 - Ensure docker commands always get the latest version of the image
[WARN] 5.28 - Ensure PIDs cgroup limit is used
[WARN] * PIDs limit not set: infomaximum-clickhouse.1.jo8sqn516v3eua7zi7plufnek
[INFO] 5.29 - Ensure Docker's default bridge docker0 is not used
[INFO] * Container in docker0 network: infomaximumclickhouse.1.jo8sqn516v3eua7zi7plufnek
[PASS] 5.30 - Ensure the host's user namespaces is not shared
[PASS] 5.31 - Ensure the Docker socket is not mounted inside any containers
[INFO] 6 - Docker Security Operations
[INFO] 6.1 - Avoid image sprawl
[INFO] * There are currently: 2 images
[INFO] 6.2 - Avoid container sprawl
[INFO] * There are currently a total of 26 containers, with 2 of them currently running
[INFO] 7 - Docker Swarm Configuration
[WARN] 7.1 - Ensure swarm mode is not Enabled, if not needed
[PASS] 7.2 - Ensure the minimum number of manager nodes have been created in a swarm
[PASS] 7.3 - Ensure swarm services are binded to a specific host interface
[WARN] 7.4 - Ensure data exchanged between containers are encrypted on different nodes on the overlay network
[WARN] * Unencrypted overlay network: ingress (swarm)
[PASS] 7.5 - Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster
[WARN] 7.6 - Ensure swarm manager is run in auto-lock mode
[NOTE] 7.7 - Ensure swarm manager auto-lock key is rotated periodically
[INFO] 7.8 - Ensure node certificates are rotated as appropriate
[INFO] 7.9 - Ensure CA certificates are rotated as appropriate
[INFO] 7.10 - Ensure management plane traffic has been separated from data plane traffic
[INFO] Checks: 105
[INFO] Score: 15
Была ли статья полезна?