konstruktoid/docker-covenant

docker-covenant

By default every container has to be started with --cap-drop=all and at least one --security-opt, and is not permitted to use --privileged=true. docker-covenant watches container events on the Docker socket, compares each container's settings with the policy for its name, and stops any container that violates it (see Logging below). The defaults can be relaxed or tightened per container in the configuration file.

Configuration example

Top-level keys other than syslog_ident and debug are container sections and must match the container name (the value given to --name). A container without a section gets the defaults listed in the callouts.

---
syslog_ident: docker-covenant // (1)
debug: yes // (2)

docker-covenant:
  privileged: no
  cap_drop_required: yes

docker-bench-security:
  privileged: yes // (3)
  cap_drop_required: no // (4)

privoxy:
  cap_drop_required: yes
  security_opt_required: no // (5)
...
  1. Syslog identifier; default docker-covenant.

  2. Enable debug logging; default yes.

  3. Allow the container to use --privileged=true; default no.

  4. Do not require --cap-drop=all; default yes (that is, --cap-drop=all is required).

  5. Require at least one --security-opt; default yes.
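The checks behind those three keys are small enough to show end to end. The block below is an added example written for this page, not docker-covenant's own code: it merges a container's section over the documented defaults and evaluates a `docker inspect` document the way the verbose log further down does (CapDrop, SecurityOpt, Privileged, then the stop decision). Two assumptions are mine: "all capabilities dropped" is judged by `HostConfig.CapDrop` containing `ALL` in any case, and "security options set" by `HostConfig.SecurityOpt` being non-empty. The inspect documents are constructed; the nginx one mirrors the fields in the verbose log on this page.

```python
# Added example (not docker-covenant's own code): evaluates the policy described
# above against HostConfig as returned by `docker inspect` / the Docker API.
# Assumption: "all capabilities dropped" == CapDrop contains "ALL" (any case);
# "security options set" == HostConfig.SecurityOpt is non-empty.

GLOBAL_KEYS = {"syslog_ident", "debug"}  # top-level keys that are not container sections

# Documented defaults: --privileged=true forbidden, --cap-drop=all and --security-opt required.
DEFAULTS = {"privileged": False, "cap_drop_required": True, "security_opt_required": True}

# Python form of the YAML on this page (what yaml.safe_load returns; YAML yes/no become bools).
CONFIG = {
    "syslog_ident": "docker-covenant",
    "debug": True,
    "docker-covenant": {"privileged": False, "cap_drop_required": True},
    "docker-bench-security": {"privileged": True, "cap_drop_required": False},
    "privoxy": {"cap_drop_required": True, "security_opt_required": False},
}


def policy_for(config, container_name):
    """Per-container policy: the container's section (if any) layered over DEFAULTS."""
    if container_name in GLOBAL_KEYS:      # a container named "debug" must not read the flag
        return dict(DEFAULTS)
    section = config.get(container_name) or {}
    return {**DEFAULTS, **{k: bool(v) for k, v in section.items() if k in DEFAULTS}}


def evaluate(inspect, config):
    """Return (name, violations) for one `docker inspect` document."""
    name = inspect["Name"].lstrip("/")          # inspect reports the name as "/nginx"
    hc = inspect.get("HostConfig") or {}
    policy = policy_for(config, name)
    cap_drop = hc.get("CapDrop") or []          # None when --cap-drop was never given
    security_opt = hc.get("SecurityOpt") or []  # None when --security-opt was never given
    privileged = bool(hc.get("Privileged"))

    violations = []
    if privileged and not policy["privileged"]:
        violations.append("privileged container not allowed")
    if policy["cap_drop_required"] and not any(c.upper() == "ALL" for c in cap_drop):
        violations.append("all capabilities not dropped")
    if policy["security_opt_required"] and not security_opt:
        violations.append("no security options has been set")
    return name, violations


def containers_to_stop(inspects, config):
    """Names of containers that violate their policy, i.e. the ones an enforcer would stop."""
    return [name for name, v in (evaluate(i, config) for i in inspects) if v]


# Constructed inspect documents reduced to the relevant fields. NGINX mirrors the verbose
# log on this page (CapDrop/SecurityOpt None, Privileged False); the others are made up.
NGINX = {"Name": "/nginx",
         "HostConfig": {"CapDrop": None, "CapAdd": None, "SecurityOpt": None, "Privileged": False}}
BENCH = {"Name": "/docker-bench-security",
         "HostConfig": {"CapDrop": None, "SecurityOpt": ["apparmor=docker-default"], "Privileged": True}}
PRIVOXY = {"Name": "/privoxy",
           "HostConfig": {"CapDrop": ["ALL"], "SecurityOpt": None, "Privileged": False}}
UNLISTED = {"Name": "/redis",  # no section in CONFIG, so the defaults apply
            "HostConfig": {"CapDrop": ["all"], "SecurityOpt": ["no-new-privileges"], "Privileged": False}}

if __name__ == "__main__":
    for doc in (NGINX, BENCH, PRIVOXY, UNLISTED):
        name, violations = evaluate(doc, CONFIG)
        for v in violations:
            print(f"{name}: {v}")
        print(f"{name}: {'stopping container' if violations else 'compliant'}")
```

Run against the documents above it reports both of nginx's violations and leaves the three others alone: docker-bench-security because its section allows --privileged and waives --cap-drop, privoxy because its section waives --security-opt, and the unlisted redis because it satisfies the defaults. Feeding it the output of `docker inspect $(docker ps -q)` is a quick way to see which existing containers would be stopped before switching the enforcer on.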

Docker example build

docker build --no-cache -t docker-covenant -f Dockerfile .
docker run --name docker-covenant --cap-drop=all -v /var/run/docker.sock:/var/run/docker.sock:rw docker-covenant

The socket mount is what lets docker-covenant inspect and stop containers, but anything that can write to /var/run/docker.sock controls the Docker daemon and therefore has root-equivalent access to the host, so treat this container with the same care as the daemon itself. Note also that the run command above passes no --security-opt, so it does not satisfy the default policy it enforces: either add a security option (for example --security-opt no-new-privileges) or set security_opt_required: no in the docker-covenant section of the configuration.

Logging

All container actions are written to syslog; with debug: yes they are written to the console as well. On a journald system the syslog entries are read with:

sudo journalctl SYSLOG_IDENTIFIER=docker-covenant

Logging, journald

$ sudo journalctl -r SYSLOG_IDENTIFIER=docker-covenant
-- Logs begin at Thu 2020-11-05 08:10:16 UTC, end at Thu 2020-11-05 08:30:44 UTC. --
Nov 05 08:29:38 ubuntu-focal docker-covenant[21897]: nginx: stopping container
Nov 05 08:29:38 ubuntu-focal docker-covenant[21897]: nginx: all capabilities not dropped
Nov 05 08:29:38 ubuntu-focal docker-covenant[21897]: nginx: no security options has been set
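One line per finding plus one "stopping container" line is easy to turn into an alert or a per-container summary. The block below is an added example, not part of docker-covenant: it parses lines in the journald format shown above and groups them by container. The sample is constructed; the nginx lines are the ones on this page, the privoxy lines and the unrelated kernel line are made up to show grouping and filtering.

```python
# Added example (not docker-covenant's own code): summarise docker-covenant journald
# lines per container. Sample log is constructed; nginx lines are from this page.
import re

SAMPLE_JOURNAL = """\
Nov 05 08:29:38 ubuntu-focal docker-covenant[21897]: nginx: stopping container
Nov 05 08:29:38 ubuntu-focal docker-covenant[21897]: nginx: all capabilities not dropped
Nov 05 08:29:38 ubuntu-focal docker-covenant[21897]: nginx: no security options has been set
Nov 05 08:31:02 ubuntu-focal docker-covenant[21897]: privoxy: stopping container
Nov 05 08:31:02 ubuntu-focal docker-covenant[21897]: privoxy: all capabilities not dropped
Nov 05 08:31:02 ubuntu-focal kernel: unrelated line that must be ignored
"""

# journalctl short format: "Mon DD HH:MM:SS host ident[pid]: <container>: <message>".
# Docker container names cannot contain ":", so the first ": " after the pid is the split.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"docker-covenant\[(?P<pid>\d+)\]: (?P<container>[^:]+): (?P<msg>.+)$"
)

STOP_MSG = "stopping container"


def parse_journal(text):
    """Return one dict per docker-covenant line; lines from other identifiers are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def summarize(events):
    """Group events by container: whether it was stopped and which policy reasons were logged."""
    summary = {}
    for ev in events:
        entry = summary.setdefault(ev["container"], {"stopped": False, "reasons": [], "last_seen": None})
        entry["last_seen"] = ev["ts"]
        if ev["msg"] == STOP_MSG:
            entry["stopped"] = True
        elif ev["msg"] not in entry["reasons"]:
            entry["reasons"].append(ev["msg"])
    return summary


def stopped_containers(summary):
    """Names of containers the enforcer reported stopping, sorted for stable output."""
    return sorted(name for name, s in summary.items() if s["stopped"])


if __name__ == "__main__":
    report = summarize(parse_journal(SAMPLE_JOURNAL))
    for name, s in report.items():
        state = "stopped" if s["stopped"] else "flagged"
        print(f"{name}: {state} at {s['last_seen']}; reasons: {', '.join(s['reasons'])}")
```

With `sudo journalctl -o short SYSLOG_IDENTIFIER=docker-covenant | python3 summarize.py` (reading stdin instead of the sample) the same code gives a running list of which containers were stopped and why, which is the view an on-call engineer wants when a service disappears after the policy is switched on.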

Logging, verbose

('container_name: ', 'nginx')
('containerStatus: ', 'restart')
('container_event_id: ', 'aecf471c3575c26c8246c96facf0bcc471971b74dd5e6bb11648f1e822954cc6')
('container_inspect: ', {'Id': 'aecf471c3575c26c8246c96facf0bcc471971b74dd5e6bb11648f1e822954cc6', 'Created': '2020-11-05T08:17:23.005343333Z', 'Path': '/usr/sbin/nginx', 'Args': ['-g', 'daemon off;'], 'State': {'Status': 'exited', 'Running': False, 'Paused': False, 'Restarting': False, 'OOMKilled': False, 'Dead': False, 'Pid': 0, 'ExitCode': 0, 'Error': '', 'StartedAt': '2020-11-05T08:29:38.162316239Z', 'FinishedAt': '2020-11-05T08:29:38.235187974Z', 'Health': {'Status': 'unhealthy', 'FailingStreak': 0, 'Log': []}}, 'Image': 'sha256:4200c10e8acb59be1b13508c1aafcec482929e3b096512a7881c0519211d86d6', 'ResolvConfPath': '/var/lib/docker/containers/aecf471c3575c26c8246c96facf0bcc471971b74dd5e6bb11648f1e822954cc6/resolv.conf', 'HostnamePath': '/var/lib/docker/containers/aecf471c3575c26c8246c96facf0bcc471971b74dd5e6bb11648f1e822954cc6/hostname', 'HostsPath': '/var/lib/docker/containers/aecf471c3575c26c8246c96facf0bcc471971b74dd5e6bb11648f1e822954cc6/hosts', 'LogPath': '/var/lib/docker/containers/aecf471c3575c26c8246c96facf0bcc471971b74dd5e6bb11648f1e822954cc6/aecf471c3575c26c8246c96facf0bcc471971b74dd5e6bb11648f1e822954cc6-json.log', 'Name': '/nginx', 'RestartCount': 0, 'Driver': 'overlay2', 'Platform': 'linux', 'MountLabel': '', 'ProcessLabel': '', 'AppArmorProfile': 'docker-default', 'ExecIDs': None, 'HostConfig': {'Binds': None, 'ContainerIDFile': '', 'LogConfig': {'Type': 'json-file', 'Config': {}}, 'NetworkMode': 'default', 'PortBindings': {}, 'RestartPolicy': {'Name': 'no', 'MaximumRetryCount': 0}, 'AutoRemove': False, 'VolumeDriver': '', 'VolumesFrom': None, 'CapAdd': None, 'CapDrop': None, 'Capabilities': None, 'Dns': [], 'DnsOptions': [], 'DnsSearch': [], 'ExtraHosts': None, 'GroupAdd': None, 'IpcMode': 'private', 'Cgroup': '', 'Links': None, 'OomScoreAdj': 0, 'PidMode': '', 'Privileged': False, 'PublishAllPorts': False, 'ReadonlyRootfs': False, 'SecurityOpt': None, 'UTSMode': '', 'UsernsMode': '', 'ShmSize': 67108864, 'Runtime': 'runc', 'ConsoleSize': [0, 0], 
'Isolation': '', 'CpuShares': 0, 'Memory': 0, 'NanoCpus': 0, 'CgroupParent': '', 'BlkioWeight': 0, 'BlkioWeightDevice': [], 'BlkioDeviceReadBps': None, 'BlkioDeviceWriteBps': None, 'BlkioDeviceReadIOps': None, 'BlkioDeviceWriteIOps': None, 'CpuPeriod': 0, 'CpuQuota': 0, 'CpuRealtimePeriod': 0, 'CpuRealtimeRuntime': 0, 'CpusetCpus': '', 'CpusetMems': '', 'Devices': [], 'DeviceCgroupRules': None, 'DeviceRequests': None, 'KernelMemory': 0, 'KernelMemoryTCP': 0, 'MemoryReservation': 0, 'MemorySwap': 0, 'MemorySwappiness': None, 'OomKillDisable': False, 'PidsLimit': None, 'Ulimits': None, 'CpuCount': 0, 'CpuPercent': 0, 'IOMaximumIOps': 0, 'IOMaximumBandwidth': 0, 'MaskedPaths': ['/proc/asound', '/proc/acpi', '/proc/kcore', '/proc/keys', '/proc/latency_stats', '/proc/timer_list', '/proc/timer_stats', '/proc/sched_debug', '/proc/scsi', '/sys/firmware'], 'ReadonlyPaths': ['/proc/bus', '/proc/fs', '/proc/irq', '/proc/sys', '/proc/sysrq-trigger']}, 'GraphDriver': {'Data': {'LowerDir': '/var/lib/docker/overlay2/62b4baa1a17bf78b74ab8d253b0572bf2d52c93a3bb759cb6fbb752004906901-init/diff:/var/lib/docker/overlay2/86bc68389322e5432131496208c8122774eba319ab79c959604d5ac7c0745938/diff:/var/lib/docker/overlay2/b2c9cbc84fd80c40c4bcc99b15431a54308d9f2d61645ce1a3fdfe8e83572504/diff:/var/lib/docker/overlay2/3c9f46b7bf4c295370b15ea16437e1666b6c6061f93479c5d3432f9b9371011a/diff:/var/lib/docker/overlay2/0dc6004bd594ad280bde8a703be09a5882ad53c00653fea715a554af79156fc3/diff', 'MergedDir': '/var/lib/docker/overlay2/62b4baa1a17bf78b74ab8d253b0572bf2d52c93a3bb759cb6fbb752004906901/merged', 'UpperDir': '/var/lib/docker/overlay2/62b4baa1a17bf78b74ab8d253b0572bf2d52c93a3bb759cb6fbb752004906901/diff', 'WorkDir': '/var/lib/docker/overlay2/62b4baa1a17bf78b74ab8d253b0572bf2d52c93a3bb759cb6fbb752004906901/work'}, 'Name': 'overlay2'}, 'Mounts': [], 'Config': {'Hostname': 'aecf471c3575', 'Domainname': '', 'User': '', 'AttachStdin': False, 'AttachStdout': False, 'AttachStderr': False, 'ExposedPorts': 
{'443/tcp': {}, '80/tcp': {}}, 'Tty': False, 'OpenStdin': False, 'StdinOnce': False, 'Env': ['PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'], 'Cmd': ['-g', 'daemon off;'], 'Healthcheck': {'Test': ['CMD-SHELL', 'curl -f http://127.0.0.1/ || exit 1'], 'Interval': 300000000000, 'Timeout': 3000000000}, 'Image': 'konstruktoid/nginx', 'Volumes': None, 'WorkingDir': '', 'Entrypoint': ['/usr/sbin/nginx'], 'OnBuild': None, 'Labels': {'org.label-schema.name': 'nginx', 'org.label-schema.vcs-url': 'git@github.com:konstruktoid/Nginx_Build.git'}, 'StopSignal': 'SIGQUIT'}, 'NetworkSettings': {'Bridge': '', 'SandboxID': '4ae1e0a7540fb5f7d3ebfb675d5a716002d96cd82d6a38d814b555929eeeb8f0', 'HairpinMode': False, 'LinkLocalIPv6Address': '', 'LinkLocalIPv6PrefixLen': 0, 'Ports': {}, 'SandboxKey': '/var/run/docker/netns/4ae1e0a7540f', 'SecondaryIPAddresses': None, 'SecondaryIPv6Addresses': None, 'EndpointID': '', 'Gateway': '', 'GlobalIPv6Address': '', 'GlobalIPv6PrefixLen': 0, 'IPAddress': '', 'IPPrefixLen': 0, 'IPv6Gateway': '', 'MacAddress': '', 'Networks': {'bridge': {'IPAMConfig': None, 'Links': None, 'Aliases': None, 'NetworkID': '29f523fef3aab49826d775873be4edfa86c56f86a02ecd24af84a6195fddc236', 'EndpointID': '', 'Gateway': '', 'IPAddress': '', 'IPPrefixLen': 0, 'IPv6Gateway': '', 'GlobalIPv6Address': '', 'GlobalIPv6PrefixLen': 0, 'MacAddress': '', 'DriverOpts': None}}}})
('containerID: ', 'aecf471c3575c26c8246c96facf0bcc471971b74dd5e6bb11648f1e822954cc6')
('container_cap_drop: ', None)
('container_cap_add: ', None)
('container_security_opt: ', None)
('container_privileged: ', False)
('container_stop: ', False)
('container_stop: ', True)
('CLIENT.stop sent to ', 'aecf471c3575c26c8246c96facf0bcc471971b74dd5e6bb11648f1e822954cc6')

About

Enforces a basic container argument policy
