Facebook Google Plus Twitter LinkedIn YouTube RSS 功能表 搜尋 資源 - 部落格資源 - 網路研討會資源 - 報告資源 - 活動icons_066 icons_067icons_068icons_069icons_070

Auditing Docker with Nessus 6.6

“It worked in Dev, it works in Dev. Don’t know why it’s not working in production. It’s an Ops problem now.”

Many of us have lived through a failed production deployment of an application at least once. And unfortunately for some, the memories from such failed deployments can haunt for the rest of our lives. But thanks to a relatively old technology (but gaining traction recently), such things could quickly become a thing of the past. Welcome containerization—or as most people know it—Docker containers.

Why Docker?

Developers have long sought a system with which they could build a piece of software once, package it, and then run it anywhere—without having to worry about dependencies, library versions, host OS, underlying hardware etc. Docker containers are the perfect solution.

And on the other hand, Operations folks have sought a system for setting up dev/lab environments in a consistent and repeatable way (ideally in a scripted fashion) in an environment that closely resembles the production environment. So when the code gets deployed into production, they can be assured it won’t blow up; and even if it does, developers can quickly reproduce the issue and issue patches. Docker containers address that need as well.

But that’s not all. Docker containers are built from stripped down versions of the base operating systems, and contain only a bare minimum of system libraries and supporting programs. That means that they are a lot more efficient than virtual machines (VMs), without the overhead associated with VMs. Therefore, it’s possible to pack more containers than virtual machines on the same physical host.

Plus, Docker supports UnionFS file system, which enables the combination of multiple file systems into a single file system. So remember that dream of a LAMP base image you always wanted to build? Yeah, that’s a breeze now.

Given the benefits of using Docker, it’s easy to see why developers are flocking towards “dockerizing” their applications. But before they get too far ahead, there is one pesky little thing to take care of—security.

Securing Docker

By leveraging some kernel-level features such as namespaces and cgroups, Docker containers already provide some basic level of security right out the box. But that’s not sufficient. Users need to take additional steps to lock down the kernel, reduce the attack surface of the docker daemon and harden the container configuration to have a truly secure setup.

How can Tenable help?

Along with Nessus 6.6, Tenable released several updates in the Nessus plugin feed to audit Docker host(s) and containers. Here are some simple steps you can take to secure Docker installs.

Docker service detection and container enumeration

The first step towards securing Docker installs is to actually find them in your organization. Tenable recently released a Docker Service Detection plugin (#93561), which detects Docker installs and, if available, enumerates all the active containers on that host. Here’s a sample result:

Docker Detection

Patch Docker host vulnerabilities

Docker containers share the kernel with the host OS, which means that kernel-level vulnerabilities now gain a whole new level of significance on Docker hosts.

It is therefore important to run a comprehensive credentialed patch audit against Docker hosts to ensure they are up to date with the latest patches and aren’t missing any security fixes. Nessus supports local security checks for a variety of Linux distributions. So regardless of which base OS you pick for a Docker host, there is a good chance Nessus already has support for it.

CIS audit for Docker

The next step is to harden the Docker host itself. For example, have strict file and directory permissions, limit the number of services running other than the docker daemon, limit user access to the docker daemon, keep an eye on container sprawl, etc.

CIS released an excellent benchmark for Docker v1.6+, which covers everything I just referred to and a lot more. Tenable added support for a CIS Docker v1.6 audit in Nessus 6.6. Here’s a sample result:

Docker CIS

Audit Docker containers

Nessus can audit the configuration of the Docker containers as well. Just select an audit and run a scan against the Docker host, and Nessus will automatically identify applicable containers and audit the configuration of those containers. For example if you ran a scan with application audit such as Apache or MySQL, Nessus will automatically identify containers running Apache or MySQL and only audit those.

Keep in mind, though, that containers are stripped down versions of the base OS. So if you ran a scan against a container with an audit that was meant for the complete base OS, you may find some results that are not applicable. For example, files or binaries that don’t exist. So we encourage you to customize your audits for Docker containers and strip out irrelevant pieces.

Once the scan finishes, Nessus will list containers under the Hosts tab in a special format: container-name.docker.container. Here’s an example:

Docker Containers


In our world, new technologies come and go all the time. Yesterday it was virtualization, today it is containerization, and tomorrow it will be something else. Tenable will adapt, evolve and align with your needs as new technologies come online. Support for auditing Docker is just one more new technology that we have added to your arsenal.

訂閱 Tenable 部落格

免費試用 立即購買

選擇 Tenable.io

免費試用 60 天

享受現代、雲端型的弱點管理平台,使您能夠以無與倫比的準確性查看和追蹤所有資產。 立即註冊並在 60 秒內進行第一次掃描。

立即購買 Tenable.io

享受現代、雲端型的弱點管理平台,使您能夠以無與倫比的準確性查看和追蹤所有資產。 立即訂閱一年。

65 資產
免費試用 立即購買

免費試用 Nessus Professional

免費試用 7 天

Nessus® 是現今市場上功能最全面的弱點掃描器。Nessus Professional 能協助自動化弱點掃描程序、節省您達到合規性的時間並讓您的 IT 團隊互動。

購買 Nessus Professional

Nessus® 是現今市場上功能最全面的弱點掃描器。Nessus Professional 能協助自動化弱點掃描程序、節省您達到合規性的時間並讓您的 IT 團隊互動。


免費試用 立即購買

試用 Tenable.io Web Application Scanning

免費試用 60 天

享受我們專為現代應用程式而設計,屬於 Tenable.io 平台一部分的最新 Web 應用程式掃描產品的所有功能。不需耗費大量人力或中斷重要 Web 應用程式,即可高度準確且安全地掃描您整個線上產品系列中是否含有任何弱點。 立即註冊並在 60 秒內進行第一次掃描。

購買 Tenable.io Web Application Scanning

享受現代、雲端型的弱點管理平台,使您能夠以無與倫比的準確性查看和追蹤所有資產。 立即訂閱一年。

免費試用 聯絡業務人員

試用 Tenable.io Container Security

免費試用 60 天

享受整合至弱點管理平台中的唯一容器安全產品的完整功能。監控容器映像中是否有弱點、惡意軟體及政策違規的情形。與持續整合和持續部署 (CI/CD) 系統整合,以支援 DevOps 作法、加強安全性並支援企業政策合規性。

購買 Tenable.io Container Security

Tenable.io Container Security 整合了建置程序,能提供包含弱點、惡意軟體和政策違規等容器影像安全性的能見度,讓您無縫並安全地啟用 DevOps 流程。

深入瞭解 Industrial Security