ansible/infra-automation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4e28d1633a1a46766020002aa0ea4a6777403a56
infra-automation/templates/docker_audit_report.j2
ansible da1da34d25 Add comprehensive Docker security audit playbook 
Implement production-ready Docker security audit framework with
CIS Docker Benchmark and NIST SP 800-190 alignment.

Features:
- Comprehensive container security checks (privileges, network, resources)
- Daemon configuration audit
- Image and network analysis
- Security findings categorization (CRITICAL/HIGH/MEDIUM/LOW)
- Automated report generation (JSON + detailed text)
- Support for multiple hosts via dynamic inventory

Audit Checks:
- Privileged container detection (CRITICAL)
- Host network mode usage (HIGH)
- User namespace remapping status (MEDIUM)
- Resource limits enforcement (MEDIUM)
- Container capabilities audit
- Security profiles (AppArmor/SELinux)
- Image tag analysis (:latest usage)
- Exposed ports inventory

Report Outputs:
- Detailed text report with recommendations
- Machine-readable JSON report
- CIS Benchmark compliance mapping
- NIST SP 800-190 alignment
- Actionable remediation roadmap

Files:
- playbooks/audit_docker.yml (300+ lines)
- templates/docker_audit_report.j2 (comprehensive report template)

Usage:
  ansible-playbook playbooks/audit_docker.yml
  ansible-playbook playbooks/audit_docker.yml --limit hostname

Results: ./stats/docker_audits/{hostname}/docker_audit_{timestamp}.{txt,json}

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-11 07:47:06 +01:00

304 lines
9.8 KiB
Django/Jinja
Raw Blame History

================================================================================
DOCKER SECURITY AUDIT REPORT
================================================================================
Host: {{ inventory_hostname }}
Date: {{ ansible_date_time.iso8601 }}
Auditor: Ansible Automation Platform
Report ID: {{ audit_timestamp }}
================================================================================
SYSTEM INFORMATION
----------------------------------------
Hostname: {{ ansible_hostname }}
FQDN: {{ ansible_fqdn | default('N/A') }}
OS: {{ ansible_distribution }} {{ ansible_distribution_version }}
Kernel: {{ ansible_kernel }}
Architecture: {{ ansible_architecture }}
DOCKER INFORMATION
----------------------------------------
Version: {{ docker_version.stdout }}
Storage Driver: {{ storage_driver }}
Security Options: {{ docker_security_options | join(', ') if docker_security_options else 'None configured' }}
Daemon Config File: {{ 'Exists' if daemon_config_stat.stat.exists else 'Not found' }}
{% if daemon_config_stat.stat.exists and docker_daemon_config.content is defined %}
Daemon Configuration:
{{ docker_daemon_config.content | b64decode | indent(2) }}
{% endif %}
CONTAINER INVENTORY
----------------------------------------
Running Containers: {{ container_ids.stdout_lines | length }}
{% if container_ids.stdout_lines | length > 0 %}
Container List:
{{ running_containers | map(attribute='Names') | join('\n') | indent(2) }}
{% else %}
No containers running
{% endif %}
SECURITY AUDIT RESULTS
========================================
PRIVILEGE AUDIT
----------------------------------------
{% if container_privileges.stdout is defined %}
{{ container_privileges.stdout }}
{% else %}
No containers to audit
{% endif %}
USER NAMESPACE REMAPPING
----------------------------------------
Status: {{ userns_check.stdout }}
SECURITY PROFILES (AppArmor/SELinux)
----------------------------------------
{% if security_profiles.stdout is defined %}
{{ security_profiles.stdout }}
{% else %}
No containers to audit
{% endif %}
NETWORK CONFIGURATION
----------------------------------------
{% if network_modes.stdout is defined %}
{{ network_modes.stdout }}
{% else %}
No containers to audit
{% endif %}
RESOURCE LIMITS
----------------------------------------
{% if resource_limits.stdout is defined %}
{{ resource_limits.stdout }}
{% else %}
No containers to audit
{% endif %}
CONTAINER CAPABILITIES
----------------------------------------
{% if container_capabilities.stdout is defined %}
{{ container_capabilities.stdout }}
{% else %}
No containers to audit
{% endif %}
RESTART POLICIES
----------------------------------------
{% if restart_policies.stdout is defined %}
{{ restart_policies.stdout }}
{% else %}
No containers to audit
{% endif %}
EXPOSED PORTS
----------------------------------------
{{ exposed_ports.stdout }}
IMAGE ANALYSIS
----------------------------------------
Total Images: {{ docker_images_raw.stdout_lines | length }}
Images using :latest tag: {{ latest_tag_count.stdout }}
WARNING: Using :latest tag is not recommended for production as it makes
deployments non-reproducible and can lead to unexpected updates.
NETWORK ANALYSIS
----------------------------------------
Networks: {{ docker_networks_raw.stdout_lines | length }}
SECURITY FINDINGS
========================================
{% if security_findings.critical | length > 0 %}
🔴 CRITICAL FINDINGS ({{ security_findings.critical | length }})
----------------------------------------
{% for finding in security_findings.critical %}
- {{ finding }}
{% endfor %}
{% endif %}
{% if security_findings.high | length > 0 %}
🟠 HIGH SEVERITY FINDINGS ({{ security_findings.high | length }})
----------------------------------------
{% for finding in security_findings.high %}
- {{ finding }}
{% endfor %}
{% endif %}
{% if security_findings.medium | length > 0 %}
🟡 MEDIUM SEVERITY FINDINGS ({{ security_findings.medium | length }})
----------------------------------------
{% for finding in security_findings.medium %}
- {{ finding }}
{% endfor %}
{% endif %}
{% if security_findings.low | length > 0 %}
🟢 LOW SEVERITY FINDINGS ({{ security_findings.low | length }})
----------------------------------------
{% for finding in security_findings.low %}
- {{ finding }}
{% endfor %}
{% endif %}
{% if security_findings.critical | length == 0 and security_findings.high | length == 0 and security_findings.medium | length == 0 and security_findings.low | length == 0 %}
✅ NO SECURITY FINDINGS
----------------------------------------
No significant security issues detected.
{% endif %}
RECOMMENDATIONS
========================================
CRITICAL PRIORITY
----------------------------------------
{% if container_privileges.stdout is defined and 'Privileged=true' in container_privileges.stdout %}
1. ⚠️ DISABLE PRIVILEGED MODE
- Privileged containers have full access to host resources
- Remove --privileged flag unless absolutely necessary
- Use specific capabilities (--cap-add) instead
- Document justification for any privileged containers
{% endif %}
{% if network_modes.stdout is defined and 'NetworkMode=host' in network_modes.stdout %}
2. ⚠️ AVOID HOST NETWORK MODE
- Host network mode bypasses Docker network isolation
- Use bridge mode and explicit port mappings
- Consider using macvlan for performance-critical applications
{% endif %}
HIGH PRIORITY
----------------------------------------
3. IMPLEMENT USER NAMESPACE REMAPPING
- Add to /etc/docker/daemon.json:
{
"userns-remap": "default"
}
- Restart Docker daemon after configuration change
- Note: Existing containers will need to be recreated
4. ENFORCE RESOURCE LIMITS
- Set memory limits: --memory="512m"
- Set CPU limits: --cpus="1.0"
- Prevents container resource exhaustion attacks
- Example:
docker run --memory="512m" --cpus="1.0" image:tag
5. USE SECURITY PROFILES
- Enable AppArmor (Debian/Ubuntu):
--security-opt apparmor=docker-default
- Enable SELinux (RHEL/CentOS):
--security-opt label=type:container_t
- Create custom profiles for sensitive containers
MEDIUM PRIORITY
----------------------------------------
6. DROP UNNECESSARY CAPABILITIES
- Drop all by default: --cap-drop=ALL
- Add only required capabilities:
--cap-add=NET_BIND_SERVICE (for ports < 1024)
--cap-add=CHOWN (for ownership changes)
- Never use --cap-add=ALL
7. USE SPECIFIC IMAGE TAGS
- Replace :latest with specific version tags
- Ensures reproducible deployments
- Facilitates rollback procedures
- Example: nginx:1.25.3-alpine instead of nginx:latest
8. MINIMIZE EXPOSED PORTS
- Only expose necessary ports
- Use internal networks for container-to-container communication
- Consider using reverse proxy (Traefik, nginx) for public access
9. IMPLEMENT READ-ONLY ROOT FILESYSTEMS
- Use --read-only flag when possible
- Mount tmpfs for writable directories:
--tmpfs /tmp --tmpfs /var/run
10. ENABLE DOCKER CONTENT TRUST
- Set environment variable:
export DOCKER_CONTENT_TRUST=1
- Ensures images are signed and verified
- Prevents use of tampered images
LOW PRIORITY
----------------------------------------
11. REGULAR IMAGE UPDATES
- Schedule regular image pulls and container recreation
- Subscribe to security advisories for base images
- Consider using automated tools: Watchtower, Renovate
12. IMPLEMENT LOGGING
- Configure centralized logging
- Use logging drivers: syslog, json-file, etc.
- Set log rotation limits to prevent disk exhaustion
13. NETWORK SEGMENTATION
- Create separate networks for different application tiers
- Use internal networks for backend services
- Implement network policies where supported
COMPLIANCE CHECKLIST
========================================
CIS Docker Benchmark Alignment:
[ ] 2.1 - Run daemon as non-root user (user namespace remapping)
[ ] 2.2 - Set default ulimit as appropriate
[ ] 2.13 - Enable user namespace support
[ ] 5.1 - Do not disable AppArmor/SELinux profile
[ ] 5.3 - Do not use privileged containers
[ ] 5.7 - Do not map privileged ports within containers
[ ] 5.12 - Mount container's root filesystem as read only
[ ] 5.15 - Do not share the host's network namespace
[ ] 5.25 - Restrict container from acquiring additional privileges
[ ] 5.28 - Use PIDs cgroup limit
NIST 800-190 Guidelines:
[ ] Image security and integrity
[ ] Registry security
[ ] Container runtime protection
[ ] Host OS and multi-tenancy
[ ] Network isolation and segmentation
NEXT STEPS
========================================
IMMEDIATE ACTIONS (This Week)
1. Review and address all CRITICAL findings
2. Document justification for any privileged containers
3. Implement resource limits on all production containers
SHORT TERM (This Month)
1. Enable user namespace remapping
2. Implement security profiles (AppArmor/SELinux)
3. Replace :latest tags with specific versions
4. Set up automated security scanning
LONG TERM (This Quarter)
1. Implement comprehensive container monitoring
2. Set up automated vulnerability scanning
3. Create hardened base images
4. Implement network segmentation policies
5. Regular security audits and penetration testing
REFERENCES
========================================
- CIS Docker Benchmark: https://www.cisecurity.org/benchmark/docker
- NIST SP 800-190: https://csrc.nist.gov/publications/detail/sp/800-190/final
- Docker Security Best Practices: https://docs.docker.com/engine/security/
- OWASP Docker Security Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
================================================================================
END OF REPORT
================================================================================
Report generated: {{ ansible_date_time.iso8601 }}
Audit tool: Ansible {{ ansible_version.full }}
================================================================================
Reference in New Issue View Git Blame Copy Permalink