CIS基准测试没有通过主机配置测试。
CIS基准测试没有通过主机配置测试。
提问于 2019-09-12 07:53:37
在添加了下面对坞工件的审计规则之后:
$ sudo auditctl -l
-w /usr/bin/dockerd -p rwxa -k docker
-w /var/lib/docker -p rwxa -k docker
-w /etc/docker -p rwxa -k docker
-w /lib/systemd/system/docker.service -p rwxa -k docker
-w /lib/systemd/system/docker.socket -p rwxa -k docker
-w /etc/default/docker -p rwxa -k docker
-w /etc/docker/daemon.json -p rwxa -k docker
-w /usr/bin/docker-containerd -p rwxa -k docker
-w /usr/bin/docker-runc -p rwxa -k docker
$ CIS实用程序(https://github.com/docker/docker-bench-security)不传递:
$ sudo ./docker-bench-security.sh -c tests/1_host_configuration.sh
# ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.5
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Benchmark v1.2.0.
# ------------------------------------------------------------------------------
Initializing Wed Sep 11 15:21:04 CST 2019
[INFO] Checks: 0
[INFO] Score: 0
$ 如何通过以下审核?
[WARN] 1.2.1 - Ensure a separate partition for containers has been created
[INFO] 1.2.2 - Ensure only trusted users are allowed to control Docker daemon
[INFO] * docker:x:130:mohet01-ubuntu
[WARN] 1.2.3 - Ensure auditing is configured for the Docker daemon
[WARN] 1.2.4 - Ensure auditing is configured for Docker files and directories - /var/lib/docker
[WARN] 1.2.5 - Ensure auditing is configured for Docker files and directories - /etc/docker
[WARN] 1.2.6 - Ensure auditing is configured for Docker files and directories - docker.service
[WARN] 1.2.7 - Ensure auditing is configured for Docker files and directories - docker.socket
[WARN] 1.2.8 - Ensure auditing is configured for Docker files and directories - /etc/default/docker
[INFO] 1.2.9 - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker
[INFO] * File not found
[INFO] 1.2.10 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
[INFO] * File not found
[WARN] 1.2.11 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd
[WARN] 1.2.12 - Ensure auditing is configured for Docker files and directories - /usr/sbin/runc回答 1
Unix & Linux用户
发布于 2020-03-21 14:09:10
我使用的是Ubuntu 18.04,我已经在/etc/audit/rules.d/audit.rules文件中添加了所有规则,并且运行良好。
对于CentOS 6,文件位于/etc/audit/audit.rules。
[INFO] 1.2 - Linux Hosts Specific Configuration
[WARN] 1.2.1 - Ensure a separate partition for containers has been created
[INFO] 1.2.2 - Ensure only trusted users are allowed to control Docker daemon
[INFO] * docker:x:999:delta
[PASS] 1.2.3 - Ensure auditing is configured for the Docker daemon
[PASS] 1.2.4 - Ensure auditing is configured for Docker files and directories - /var/lib/docker
[PASS] 1.2.5 - Ensure auditing is configured for Docker files and directories - /etc/docker
[PASS] 1.2.6 - Ensure auditing is configured for Docker files and directories - docker.service
[PASS] 1.2.7 - Ensure auditing is configured for Docker files and directories - docker.socket
[PASS] 1.2.8 - Ensure auditing is configured for Docker files and directories - /etc/default/docker
[INFO] 1.2.9 - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker
[INFO] * File not found
[INFO] 1.2.10 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
[INFO] * File not found
[WARN] 1.2.11 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd
[INFO] 1.2.12 - Ensure auditing is configured for Docker files and directories - /usr/sbin/runc
[INFO] * File not found页面原文内容由Unix & Linux提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://unix.stackexchange.com/questions/541319
复制相关文章
相似问题
腾讯云开发者
