CIS Benchmark In Behavox: Part 2 - Docker

Hi, I'm Cesar Augusto Sanchez, a Senior SRE at Behavox. Some time ago, we explained how we achieved CIS benchmark compliance for Linux OS.

Today, I will describe our approach to securing our containerized systems in compliance with the CIS Benchmark guidelines for Docker.

Goals and overview

In today's cloud-native landscape, Docker has become an essential tool for containerization. However, its widespread adoption creates a critical need for security. The CIS Docker Benchmark provides comprehensive guidelines to secure Docker containers.

In this post, I'll walk you through an application I developed to automate the validation of Docker instances against these benchmarks using the docker-bench Go tool.

Why Secure Docker?

Securing Docker environments is crucial for several reasons:

  1. Isolation: Containers share the host OS kernel and, in some cases, the filesystem, which makes them less isolated than virtual machines.
  2. Vulnerabilities: Misconfigurations and vulnerabilities can expose containers to security risks, including breaking out of container isolation.
  3. Compliance: Many industries have compliance requirements that mandate secure configurations.

Solution

The solution comprises a Go daemon that executes the docker-bench tool, analyzes the results, and reports metrics. This approach ensures continuous monitoring and real-time reporting of Docker security compliance.

Architecture

  1. Docker Hosts: Machines running Docker that are to be scanned.
  2. Docker Bench application: Aquasecurity's docker-bench Go application.
  3. CIS Docker Scanner application: Behavox's cis-docker-scanner Go application, which
    • invokes the docker-bench tool on the Docker hosts
    • processes the docker-bench JSON output to obtain the test results
    • generates metrics
  4. vmagent: metrics scraper.
  5. Grafana: visualizes the results.

How It Works

  1. cis-docker-scanner service starts and initializes the metrics
  2. cis-docker-scanner executes the docker-bench tool on specified hosts
  3. cis-docker-scanner captures the JSON output containing the test results and parses it to categorize each test as pass, fail, warn, info or skipped
  4. cis-docker-scanner generates metrics based on test outcomes
  5. vmagent collects metrics and sends them to Behavox's central observability service
  6. Grafana dashboards are updated, and alerts are generated if needed
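As an added illustration of step 3 (example code, not Behavox's cis-docker-scanner or Aquasecurity's docker-bench), the function below parses a docker-bench report and buckets every check into pass, fail, warn, info or skipped, keeping the ids of failed checks so an alert can name them. The JSON field names are an assumption modelled on kube-bench-style output, and the sample report is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// control is a minimal view of one docker-bench control. The JSON shape is an
// assumption modelled on kube-bench-style reports; unused fields are ignored.
type control struct {
	Tests []struct {
		Results []struct {
			TestNumber string `json:"test_number"`
			Status     string `json:"status"`
		} `json:"results"`
	} `json:"tests"`
}

// Categorize counts checks per status bucket and lists failed check ids for the
// alert; unknown or empty statuses count as skipped so no check is dropped.
func Categorize(report []byte) (counts map[string]int, failed []string, err error) {
	var controls []control
	if err = json.Unmarshal(report, &controls); err != nil {
		return nil, nil, err
	}
	counts = map[string]int{"pass": 0, "fail": 0, "warn": 0, "info": 0, "skipped": 0}
	for _, c := range controls {
		for _, s := range c.Tests {
			for _, r := range s.Results {
				st := strings.ToLower(r.Status)
				if _, known := counts[st]; !known {
					st = "skipped"
				}
				counts[st]++
				if st == "fail" {
					failed = append(failed, r.TestNumber)
				}
			}
		}
	}
	return counts, failed, nil
}

// sampleReport is a constructed docker-bench-style report; 2.5 has no status.
const sampleReport = `[{"tests":[{"results":[{"test_number":"2.1","status":"PASS"},
{"test_number":"2.2","status":"FAIL"},{"test_number":"2.3","status":"WARN"},
{"test_number":"2.4","status":"INFO"},{"test_number":"2.5","status":""}]}]}]`

func main() { fmt.Println(Categorize([]byte(sampleReport))) }
```

The per-bucket counts are what a scanner would expose as gauges for vmagent to scrape; the failed list supplies the check ids for alert annotations.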

Benefits

  1. Automation: Eliminates the need for manual compliance checks.
  2. Continuous Monitoring: Provides real-time visibility into Docker security status.
  3. Scalability: It can be deployed easily across multiple Docker hosts.

Grafana Dashboard

The dashboard presents panels that show the tests in each of their states: failed, success, warning, informational, and ignored.

In addition to the dashboard, we configured our monitoring system to fire an alert whose severity depends on the criticality of the related issue, so that our on-call team can react to a potential problem as soon as possible.

Conclusion

Automating the security validation of Docker environments with in-house tooling and the docker-bench tool is a robust approach to ensuring continuous compliance with CIS benchmarks. This solution automates the scanning process and provides real-time metrics for proactive security management.

By adopting this automated approach, our organization significantly enhanced the security posture of our Docker environments and ensured they remained compliant with industry standards.

🛠️ Behavox is looking for talented engineers to join us in building the world’s leading AI-powered Archiving, Compliance and Security solutions. If you're interested, check out our careers page.