This Lynis plugin is your comprehensive toolkit for Docker security automation. It performs a wide range of checks to ensure your Docker environment adheres to best practices and security standards.
- Download the Plugin:
  wget https://raw.githubusercontent.com/AphroBytes/Lynis-Plugins/refs/heads/main/dockers-001.sh
- Make it Executable and Move it to the Lynis Plugins Directory:
  chmod +x dockers-001.sh
  sudo mv dockers-001.sh /usr/local/lynis/include/plugins/
- Run Lynis with the Plugin:
  sudo lynis audit system --plugins
Docker simplifies containerization, but it introduces unique security challenges. This plugin acts as your security-conscious assistant, performing thorough checks on your Docker setup to identify potential vulnerabilities and misconfigurations.
- Verifies Docker Installation: Ensures Docker is installed on the system.
- Alerts if Docker is Missing: Warns if Docker is not installed.
- Examines /etc/docker/daemon.json: Checks for iptables support and JSON file logging.
- Analyzes Running Containers: Checks for root user execution and read-only filesystem usage.
- Health Checks: Verifies configured health checks in containers.
- Utilizes Trivy: Scans container images for vulnerabilities.
- Focuses on High and Critical Vulnerabilities: Identifies critical security issues.
- Checks Various Daemon Settings: Includes user namespace remapping, socket permissions, and experimental features.
- Verifies Docker Compose Version: Recommends upgrades if necessary.
- Identifies Use of Host Network and MacVLAN Driver: Warns about potential security risks.
- Examines Docker Volume Permissions: Alerts on overly permissive settings.
- Verifies Docker Content Trust: Encourages use of image signing for enhanced security.
- Checks for Docker Secrets Usage: Recommends using secrets for sensitive data.
- Identifies Current Logging Driver: Warns about potential disk space issues with unbounded JSON file logging.
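The daemon.json and running-container checks from the list above, as an added illustration in plain Bash (this is not the dockers-001.sh plugin's own code; the function names, the constructed sample input, and the docker inspect format string in the comment are assumptions):

```bash
#!/usr/bin/env bash
# Added example, not the dockers-001.sh plugin itself: two of the checks the
# plugin list describes, written so they run on constructed input.

# Check 1: daemon.json. Exit status is the number of findings (0 = clean).
check_daemon_json() {
  local file="$1" n=0
  [ -r "$file" ] || { echo "WARNING: $file not readable"; return 1; }
  # "iptables": false turns off Docker's management of firewall rules
  if grep -Eq '"iptables"[[:space:]]*:[[:space:]]*false' "$file"; then
    echo "WARNING: iptables support disabled in $file"; n=$((n + 1))
  fi
  # json-file logging with no "max-size" grows until the disk fills
  if grep -Eq '"log-driver"[[:space:]]*:[[:space:]]*"json-file"' "$file" &&
     ! grep -Eq '"max-size"' "$file"; then
    echo "WARNING: json-file logging without a max-size bound"; n=$((n + 1))
  fi
  return "$n"
}

# Check 2: running containers. Reads one line per container on stdin in the
# form NAME|USER|READONLYROOTFS|HEALTHCHECK; a caller would produce it with
#   docker inspect --format '{{.Name}}|{{.Config.User}}|{{.HostConfig.ReadonlyRootfs}}|{{if .Config.Healthcheck}}yes{{else}}no{{end}}' $(docker ps -q)
# Exit status is the number of findings.
check_containers() {
  local n=0 name user ro hc
  while IFS='|' read -r name user ro hc; do
    [ -n "$name" ] || continue
    # an empty Config.User means the image default, which is root
    case "$user" in ''|root|0|0:*) echo "WARNING: $name runs as root"; n=$((n + 1)) ;; esac
    [ "$ro" = "true" ] || { echo "SUGGESTION: $name has a writable root filesystem"; n=$((n + 1)); }
    [ "$hc" = "yes" ] || { echo "SUGGESTION: $name has no health check"; n=$((n + 1)); }
  done
  return "$n"
}

# Constructed sample input (not taken from a real host).
SAMPLE_DAEMON_JSON='{ "iptables": false, "log-driver": "json-file" }'
SAMPLE_CONTAINERS='/web|nginx|true|yes
/db||false|no'

run_demo() {
  local tmp; tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_DAEMON_JSON" > "$tmp"
  check_daemon_json "$tmp" || echo "daemon.json: $? finding(s)"
  rm -f "$tmp"
  printf '%s\n' "$SAMPLE_CONTAINERS" | check_containers || echo "containers: $? finding(s)"
}
run_demo
```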
After installation, run Lynis with plugins enabled:
sudo lynis audit system --plugins
Look for "DOCKERS" in the output for our specific checks.
The script is written in Bash and is highly customizable. Feel free to review and adjust it as needed, but test your changes thoroughly.
We welcome contributions! Here's how to get involved:
- Fork the Repo
- Create a New Branch:
  git checkout -b my-new-feature
- Make Your Changes
- Commit Them:
  git commit -am 'Added a new feature'
- Push to the Branch:
  git push origin my-new-feature
- Create a New Pull Request
Your ideas and improvements are valuable to us!
- Compatible with Lynis 3.0.0 and Later
- Tested on Major Linux Distributions: Ubuntu, CentOS, Debian, Alpine
- Requires Bash 4.0+ (Standard on Most Systems)
- Works with Docker 19.03 and Later
This plugin is released under the MIT License. Use, modify, and share freely – just keep the license intact.
If you encounter issues or have questions:
- Consult the Lynis Documentation First
- For Plugin-Specific Queries, Use GitHub Issues
Security in containerized environments is crucial and ever-evolving. This plugin is a tool in your Docker security arsenal, but it's not a silver bullet. Use it as part of a comprehensive security strategy, stay updated with the latest Docker security best practices, and always be proactive in securing your containerized infrastructure.
Good luck and stay safe,
-AphroBytes Team