Skip to content

if configured with no-new-privileges, pass check 5.25 #493

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Dec 16, 2021
Merged

if configured with no-new-privileges, pass check 5.25 #493

merged 1 commit into from
Dec 16, 2021

Conversation

@konstruktoid
Copy link
Collaborator

If the daemon is configured with "no-new-privileges": true, then pass check 5.25.

Closes #492

$ sudo bash docker-bench-security.sh -c check_2_14,check_5_25 | grep -A3 'Section A'
Section A - Check results
[PASS] 2.14 - Ensure containers are restricted from acquiring new privileges (Scored)
[PASS] 5.25 - Ensure that the container is restricted from acquiring additional privileges (Automated)

$ docker ps
CONTAINER ID   IMAGE                COMMAND                  CREATED          STATUS                            PORTS             NAMES
fbb7b4a1f3b6   konstruktoid/nginx   "/usr/sbin/nginx -g …"   15 minutes ago   Up 5 minutes (health: starting)   80/tcp, 443/tcp   friendly_vaughan
99721b1a8558   konstruktoid/nginx   "/usr/sbin/nginx -g …"   54 minutes ago   Up 5 minutes (health: starting)   80/tcp, 443/tcp   jolly_blackwell
$ docker inspect --format 'SecurityOpt={{.HostConfig.SecurityOpt }}' "$(docker ps -qa)" | grep 'no-new-privileges'
Error: No such object: fbb7b4a1f3b6
99721b1a8558
$ sudo rm /etc/docker/daemon.json
$ sudo systemctl restart docker
$ docker start fbb 997
fbb
997
$ sudo bash docker-bench-security.sh -c check_2_14,check_5_25 | grep -A3 'Section A'
Section A - Check results
[WARN] 2.14 - Ensure containers are restricted from acquiring new privileges (Scored)
[WARN] 5.25 - Ensure that the container is restricted from acquiring additional privileges (Automated)
[WARN]       * Privileges not restricted: jolly_blackwell

Signed-off-by: Thomas Sjögren konstruktoid@users.noreply.github.com

@konstruktoid
if the docker daemon is configure with no-new-privileges, pass check …
0d58748 
…5.25

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
@konstruktoid konstruktoid mentioned this pull request Dec 2, 2021
Closed
@konstruktoid konstruktoid merged commit 1ff4a62 into docker:master Dec 16, 2021
@konstruktoid konstruktoid deleted the ISSUE492 branch December 16, 2021 09:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Docker daemon no-new-privileges: true seems to not work

1 participant

@konstruktoid