================================================================================ DOCKER SECURITY AUDIT REPORT ================================================================================ Host: {{ inventory_hostname }} Date: {{ ansible_date_time.iso8601 }} Auditor: Ansible Automation Platform Report ID: {{ audit_timestamp }} ================================================================================ SYSTEM INFORMATION ---------------------------------------- Hostname: {{ ansible_hostname }} FQDN: {{ ansible_fqdn | default('N/A') }} OS: {{ ansible_distribution }} {{ ansible_distribution_version }} Kernel: {{ ansible_kernel }} Architecture: {{ ansible_architecture }} DOCKER INFORMATION ---------------------------------------- Version: {{ docker_version.stdout }} Storage Driver: {{ storage_driver }} Security Options: {{ docker_security_options | join(', ') if docker_security_options else 'None configured' }} Daemon Config File: {{ 'Exists' if daemon_config_stat.stat.exists else 'Not found' }} {% if daemon_config_stat.stat.exists and docker_daemon_config.content is defined %} Daemon Configuration: {{ docker_daemon_config.content | b64decode | indent(2) }} {% endif %} CONTAINER INVENTORY ---------------------------------------- Running Containers: {{ container_ids.stdout_lines | length }} {% if container_ids.stdout_lines | length > 0 %} Container List: {{ running_containers | map(attribute='Names') | join('\n') | indent(2) }} {% else %} No containers running {% endif %} SECURITY AUDIT RESULTS ======================================== PRIVILEGE AUDIT ---------------------------------------- {% if container_privileges.stdout is defined %} {{ container_privileges.stdout }} {% else %} No containers to audit {% endif %} USER NAMESPACE REMAPPING ---------------------------------------- Status: {{ userns_check.stdout }} SECURITY PROFILES (AppArmor/SELinux) ---------------------------------------- {% if security_profiles.stdout is defined %} {{ security_profiles.stdout }} {% else %} No containers to audit {% endif %} NETWORK CONFIGURATION ---------------------------------------- {% if network_modes.stdout is defined %} {{ network_modes.stdout }} {% else %} No containers to audit {% endif %} RESOURCE LIMITS ---------------------------------------- {% if resource_limits.stdout is defined %} {{ resource_limits.stdout }} {% else %} No containers to audit {% endif %} CONTAINER CAPABILITIES ---------------------------------------- {% if container_capabilities.stdout is defined %} {{ container_capabilities.stdout }} {% else %} No containers to audit {% endif %} RESTART POLICIES ---------------------------------------- {% if restart_policies.stdout is defined %} {{ restart_policies.stdout }} {% else %} No containers to audit {% endif %} EXPOSED PORTS ---------------------------------------- {{ exposed_ports.stdout }} IMAGE ANALYSIS ---------------------------------------- Total Images: {{ docker_images_raw.stdout_lines | length }} Images using :latest tag: {{ latest_tag_count.stdout }} WARNING: Using :latest tag is not recommended for production as it makes deployments non-reproducible and can lead to unexpected updates. NETWORK ANALYSIS ---------------------------------------- Networks: {{ docker_networks_raw.stdout_lines | length }} SECURITY FINDINGS ======================================== {% if security_findings.critical | length > 0 %} 🔴 CRITICAL FINDINGS ({{ security_findings.critical | length }}) ---------------------------------------- {% for finding in security_findings.critical %} - {{ finding }} {% endfor %} {% endif %} {% if security_findings.high | length > 0 %} 🟠 HIGH SEVERITY FINDINGS ({{ security_findings.high | length }}) ---------------------------------------- {% for finding in security_findings.high %} - {{ finding }} {% endfor %} {% endif %} {% if security_findings.medium | length > 0 %} 🟡 MEDIUM SEVERITY FINDINGS ({{ security_findings.medium | length }}) ---------------------------------------- {% for finding in security_findings.medium %} - {{ finding }} {% endfor %} {% endif %} {% if security_findings.low | length > 0 %} 🟢 LOW SEVERITY FINDINGS ({{ security_findings.low | length }}) ---------------------------------------- {% for finding in security_findings.low %} - {{ finding }} {% endfor %} {% endif %} {% if security_findings.critical | length == 0 and security_findings.high | length == 0 and security_findings.medium | length == 0 and security_findings.low | length == 0 %} ✅ NO SECURITY FINDINGS ---------------------------------------- No significant security issues detected. {% endif %} RECOMMENDATIONS ======================================== CRITICAL PRIORITY ---------------------------------------- {% if container_privileges.stdout is defined and 'Privileged=true' in container_privileges.stdout %} 1. ⚠️ DISABLE PRIVILEGED MODE - Privileged containers have full access to host resources - Remove --privileged flag unless absolutely necessary - Use specific capabilities (--cap-add) instead - Document justification for any privileged containers {% endif %} {% if network_modes.stdout is defined and 'NetworkMode=host' in network_modes.stdout %} 2. ⚠️ AVOID HOST NETWORK MODE - Host network mode bypasses Docker network isolation - Use bridge mode and explicit port mappings - Consider using macvlan for performance-critical applications {% endif %} HIGH PRIORITY ---------------------------------------- 3. IMPLEMENT USER NAMESPACE REMAPPING - Add to /etc/docker/daemon.json: { "userns-remap": "default" } - Restart Docker daemon after configuration change - Note: Existing containers will need to be recreated 4. ENFORCE RESOURCE LIMITS - Set memory limits: --memory="512m" - Set CPU limits: --cpus="1.0" - Prevents container resource exhaustion attacks - Example: docker run --memory="512m" --cpus="1.0" image:tag 5. USE SECURITY PROFILES - Enable AppArmor (Debian/Ubuntu): --security-opt apparmor=docker-default - Enable SELinux (RHEL/CentOS): --security-opt label=type:container_t - Create custom profiles for sensitive containers MEDIUM PRIORITY ---------------------------------------- 6. DROP UNNECESSARY CAPABILITIES - Drop all by default: --cap-drop=ALL - Add only required capabilities: --cap-add=NET_BIND_SERVICE (for ports < 1024) --cap-add=CHOWN (for ownership changes) - Never use --cap-add=ALL 7. USE SPECIFIC IMAGE TAGS - Replace :latest with specific version tags - Ensures reproducible deployments - Facilitates rollback procedures - Example: nginx:1.25.3-alpine instead of nginx:latest 8. MINIMIZE EXPOSED PORTS - Only expose necessary ports - Use internal networks for container-to-container communication - Consider using reverse proxy (Traefik, nginx) for public access 9. IMPLEMENT READ-ONLY ROOT FILESYSTEMS - Use --read-only flag when possible - Mount tmpfs for writable directories: --tmpfs /tmp --tmpfs /var/run 10. ENABLE DOCKER CONTENT TRUST - Set environment variable: export DOCKER_CONTENT_TRUST=1 - Ensures images are signed and verified - Prevents use of tampered images LOW PRIORITY ---------------------------------------- 11. REGULAR IMAGE UPDATES - Schedule regular image pulls and container recreation - Subscribe to security advisories for base images - Consider using automated tools: Watchtower, Renovate 12. IMPLEMENT LOGGING - Configure centralized logging - Use logging drivers: syslog, json-file, etc. - Set log rotation limits to prevent disk exhaustion 13. NETWORK SEGMENTATION - Create separate networks for different application tiers - Use internal networks for backend services - Implement network policies where supported COMPLIANCE CHECKLIST ======================================== CIS Docker Benchmark Alignment: [ ] 2.1 - Run daemon as non-root user (user namespace remapping) [ ] 2.2 - Set default ulimit as appropriate [ ] 2.13 - Enable user namespace support [ ] 5.1 - Do not disable AppArmor/SELinux profile [ ] 5.3 - Do not use privileged containers [ ] 5.7 - Do not map privileged ports within containers [ ] 5.12 - Mount container's root filesystem as read only [ ] 5.15 - Do not share the host's network namespace [ ] 5.25 - Restrict container from acquiring additional privileges [ ] 5.28 - Use PIDs cgroup limit NIST 800-190 Guidelines: [ ] Image security and integrity [ ] Registry security [ ] Container runtime protection [ ] Host OS and multi-tenancy [ ] Network isolation and segmentation NEXT STEPS ======================================== IMMEDIATE ACTIONS (This Week) 1. Review and address all CRITICAL findings 2. Document justification for any privileged containers 3. Implement resource limits on all production containers SHORT TERM (This Month) 1. Enable user namespace remapping 2. Implement security profiles (AppArmor/SELinux) 3. Replace :latest tags with specific versions 4. Set up automated security scanning LONG TERM (This Quarter) 1. Implement comprehensive container monitoring 2. Set up automated vulnerability scanning 3. Create hardened base images 4. Implement network segmentation policies 5. Regular security audits and penetration testing REFERENCES ======================================== - CIS Docker Benchmark: https://www.cisecurity.org/benchmark/docker - NIST SP 800-190: https://csrc.nist.gov/publications/detail/sp/800-190/final - Docker Security Best Practices: https://docs.docker.com/engine/security/ - OWASP Docker Security Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html ================================================================================ END OF REPORT ================================================================================ Report generated: {{ ansible_date_time.iso8601 }} Audit tool: Ansible {{ ansible_version.full }} ================================================================================