Penetration Testing

Docker for Pentester: Image Vulnerability Assessment

We are moving from virtualization to containerization and we are all familiar with the container services such as docking or quay.io. You can pick a dock image for a particular application by selecting several choices. As you know, when a developer works with a container, it not only packs the program but is part of the OS, and we do not know whether the connect libraries have been patched or vulnerable.

So, we will show “how to perform a container audit and vulnerability assessment” in any infrastructure in this role.

Table of Contents

Prerequisites

Clair

  • Installation
  • Docker Image Vulnerability Scanning

Bench-security

  • Installation
  • Container Hardening

Prerequisites

At your host machine, Install docker and pull an image, you want to scan.

Clair: Vulnerability

Installation

CoreOS has created an awesome container scan tool called Clair. Clair is an open-source project for the static analysis of vulnerabilities in apps and Docker containers. You can clone the package with the help of git, using the following command

git clone https://github.com/arminc/clair-scanner.git

The scanner is developed in go language, therefore golang on your local machine over which is docker is running.

apt install golang

Build the library to install all dependencies of the Clair.

cd clair-scanner
make build

make cross

As you can see, we have the following file in the bucket list.

If in your host machine, you don’t have a docker image, you can pull a new image, as we did here to illustrate vulnerability assessment.

docker pull ubuntu:16.04

Now, run the docker image of the Clair that will listen at local port 5432.

docker run -d -p 5432:5432 --name db arminc/clair-db:latest

Also, run the docker image for postgres to link Clair scan with the help of the following command.

docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:latest

Now, let’s use the Clair for scanning the vulnerability of a container or docker image, with the help of the following command.

Syntax: ./clair-scanner -ip <docker ip> -r output.jason <docker-image>

./clair-scanner --ip 172.17.0.1 -r report.json ubuntu:16.04

Booom!!!! And we got the scanning output which is showing 50 unapproved vulnerabilities.

Bench-Security: Container Hardening

The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated and are inspired by the CIS Docker Benchmark v1.2.0.

So, as you can see, we have a few docker images on our host.

Let’s start docker audit for container hardening by executing a set of command as shown here.

docker run -it --net host --pid host --userns host --cap-add audit_control \
    -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
    -v /etc:/etc:ro \
    -v /usr/bin/containerd:/usr/bin/containerd:ro \
    -v /usr/bin/runc:/usr/bin/runc:ro \
    -v /usr/lib/systemd:/usr/lib/systemd:ro \
    -v /var/lib:/var/lib:ro \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    --label docker_bench_security \
    docker/docker-bench-security

The output results as Info, Warning, Pass and Notes for each of the configuration recommendations as mention below:

  1. Host Configuration
  2. Docker Daemon Configuration
  3. Docker Daemon Configuration Files
  4. Container Images and Build Files
  5. Container Runtime
  6. Docker Security Operations

Let me explain this in a better way: You can observe in the highlighted session that it has created alert against root privilege for running the docker image.

To fix such type of misconfiguration, stop the running process for docker and then again, run the docker image with low privilege user access as shown below.

docker stop $(docker ps -aq)
docker rm $(docker ps -aq)
docker run -itd --user 1001:1001 ubuntu
docker exec -it <container-id> /bin/bash

If the loophole is closed, use the bench again for cross-validation and this time ensure you have passed the warning. As you can see, this time we got the Green sign that shows we got the loopholes patched.

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information SecurityContact here