Docker-bench-security check 2.2 icc issue

[fbinliu]

Docker Desktop (windows) version: Docker 20.10.7, build f0df350
Docker Bench Security: Docker Bench for Security v1.3.4
Execution enviornment: WSL2 Ubuntu 20.0.4
Issue:
From the scan, I've got the following warning:
[WARN] 2.1 - Ensure network traffic is restricted between containers on the default bridge

I have then added the following into my daemon.json file:
"icc": false
And then restarted my Docker Desktop (Windows) and then verified it is in effect (following CIS steps):
docker network ls --quiet | xargs docker network inspect --format '{{ .Name }}: {{ .Options }}'
got this result: "com.docker.network.bridge.enable_icc:false"

But when i re-run Docker Bench Security container, I still got the same warning of 2.1 which is not expected considering i've set "icc" to false.

Also, according to CIS Docker Benchmark v1.3.1, this network traffic control should be control 2.2 instead of the current 2.1, so please correct.

Appreciate your check and feedback on this.

[konstruktoid]

Thanks @fbinliu for reporting this.
Will check ASAP.

[konstruktoid]

Hi again, the icc test is 2.2 (https://github.com/docker/docker-bench-security/blob/master/tests/2_docker_daemon_configuration.sh#L24-L44).
Are you using the Docker container or running the script?

[konstruktoid]

Ah, I just noticed that you're using 1.3.4 which is an obsolete version.

See #405 and please try using the shell script instead.

[fbinliu]

Hi, i have downloaded the latest version (v1.3.6), and used the shell script (sh docker-bench-security.sh) and also verified that icc is set to false via "docker network ls --quiet |xargs docker network inspect --format '{{ .Name }}: {{ .Options }}'", but still get [WARN] at check_2_2, shown as "Ensure network traffic is restricted between containers on the default bridge (Scored)", appreciate your further check on this very much.

[konstruktoid]

I can't reproduce this.
Could you repeat the same steps and paste the output?

$ cat /etc/docker/daemon.json
{
        "icc": false
}
$ docker network ls --quiet | xargs docker network inspect --format '{{ .Name }}: {{ .Options }}'
bridge: map[com.docker.network.bridge.default_bridge:true com.docker.network.bridge.enable_icc:false com.docker.network.bridge.enable_ip_masquerade:true com.docker.network.bridge.host_binding_ipv4:0.0.0.0 com.docker.network.bridge.name:docker0 com.docker.network.driver.mtu:1500]
host: map[]
none: map[]
$ sudo bash docker-bench-security.sh -c check_2_1,check_2_2,check_2_3
# --------------------------------------------------------------------------------------------
# Docker Bench for Security v1.3.6
#
# Docker, Inc. (c) 2015-2021
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Based on the CIS Docker Benchmark 1.3.1.
# --------------------------------------------------------------------------------------------

Initializing 2021-08-05T22:57:30+00:00


Section A - Check results
[NOTE] 2.1 - Run the Docker daemon as a non-root user, if possible (Manual)
[PASS] 2.2 - Ensure network traffic is restricted between containers on the default bridge (Scored)
[PASS] 2.3 - Ensure the logging level is set to 'info' (Scored)


Section C - Score

[INFO] Checks: 3
[INFO] Score: 2

$ sudo rm /etc/docker/daemon.json
$ sudo systemctl restart docker.service
$ cat /etc/docker/daemon.json
cat: /etc/docker/daemon.json: No such file or directory
$ docker network ls --quiet | xargs docker network inspect --format '{{ .Name }}: {{ .Options }}'
bridge: map[com.docker.network.bridge.default_bridge:true com.docker.network.bridge.enable_icc:true com.docker.network.bridge.enable_ip_masquerade:true com.docker.network.bridge.host_binding_ipv4:0.0.0.0 com.docker.network.bridge.name:docker0 com.docker.network.driver.mtu:1500]
host: map[]
none: map[]
$ sudo bash docker-bench-security.sh -c check_2_1,check_2_2,check_2_3
# --------------------------------------------------------------------------------------------
# Docker Bench for Security v1.3.6
#
# Docker, Inc. (c) 2015-2021
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Based on the CIS Docker Benchmark 1.3.1.
# --------------------------------------------------------------------------------------------

Initializing 2021-08-05T22:59:25+00:00


Section A - Check results
[NOTE] 2.1 - Run the Docker daemon as a non-root user, if possible (Manual)
[WARN] 2.2 - Ensure network traffic is restricted between containers on the default bridge (Scored)
[PASS] 2.3 - Ensure the logging level is set to 'info' (Scored)


Section C - Score

[INFO] Checks: 3
[INFO] Score: 0

[fbinliu]

Hi, sure, here is the output for conducting the same steps. I am now wondering if this error comes due to my running docker bench security on my WSL2 Ubuntu distro?

$ cat daemon.json | grep icc 
"icc": false,
$ sudo sh docker-bench-security.sh -c check_2_2
[sudo] password for fliu:
# --------------------------------------------------------------------------------------------
# Docker Bench for Security v1.3.6
#
# Docker, Inc. (c) 2015-2021
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Based on the CIS Docker Benchmark 1.3.1.
# --------------------------------------------------------------------------------------------
$ cat daemon.json | grep icc 
"icc": false,
$ sudo sh docker-bench-security.sh -c check_2_2
[sudo] password for fliu:
# --------------------------------------------------------------------------------------------
# Docker Bench for Security v1.3.6
#
# Docker, Inc. (c) 2015-2021
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Based on the CIS Docker Benchmark 1.3.1.
# --------------------------------------------------------------------------------------------

Initializing 2021-08-06T10:39:38+02:00


Section A - Check results
[WARN] 2.2 - Ensure network traffic is restricted between containers on the default bridge (Scored)


Section C - Score

[INFO] Checks: 1
[INFO] Score: -1
$ docker network ls --quiet |xargs docker network inspect --format '{{ .Name }}: {{ .Options }}'
bridge: map[com.docker.network.bridge.default_bridge:true com.docker.network.bridge.enable_icc:false com.docker.network.bridge.enable_ip_masquerade:true com.docker.network.bridge.host_binding_ipv4:0.0.0.0 com.docker.network.bridge.name:docker0 com.docker.network.driver.mtu:1500]
clair-analyze-local-images_default: map[]
host: map[]
none: map[]
play-with-kubernetesgithubio_default: map[]

[konstruktoid]

$ cat daemon.json | grep icc
"icc": false,

It shouldn't really matter if it's on WSL since the daemon.json is a basic JSON file.

Can you run the actual code and share the output?

grep "icc" "/etc/docker/daemon.json" | sed 's/.*://g' | tr -d '" ',

[fbinliu]

hi, i don't have daemon.json in /etc/docker because my machine is a Windows machine and I've installed Docker Desktop. The daemon.json is located in my case in .docker folder in my home directory. Here is the result of running the actual code:

.docker$ grep "icc" "daemon.json" | sed 's/.*://g' | tr -d '" ',
false

[konstruktoid]

That might be the issue, since https://github.com/docker/docker-bench-security/blob/master/functions/helper_lib.sh#L100 only checks the config file if defined using --config-file or the default /etc/docker/daemon.json.

[fbinliu]

ok, i see, so is there so far any way to run docker-bench-security for a docker server running on a Windows machine?

[konstruktoid]

If the only issue is that the config file is in the "wrong" place, I can add the path(s) for those as well.

[fbinliu]

Oh, that would be awesome indeed if it could be done, so that docker-bench-security can also be executed for docker runtime in WSL2 on a Windows machine. My path for config file (daemon.json) is as follows, not sure for other people:

$ pwd
/mnt/c/Users/<user-login-name>/.docker
$ ls -a | grep daemon
daemon.json

[konstruktoid]

I'll try too find some universal logic regarding WSL paths.

If you find any other issues, please report them as well (separately).

[fbinliu]

Ya, sure, appreciate your effort on this very much. Together we go further! No other issue so far. Feel free to close this issue if necessary for your administration and looking forward to the update on this (with a new version eventually :).

[konstruktoid]

Related: #446