Compliance with CIS Benchmark for Docker

Qualys Container Security adheres to the CIS Benchmark for Docker for our Sensor image. This section provides guidance on how to use the Sensor image in a way that complies with the CIS Benchmark for Docker. We’ve provided instructions below for a number of controls so you can operate the Sensor in a compliant manner.

CIS Docker Benchmark

5.9 Ensure that the host’s network namespace is not shared (Automated)

Qualys Control

CID 10811 “Status of the network mode set for the Docker containers on the host system”

Resolution

To meet compliance with this control, Qualys Container Sensor should run without the command line argument --net=host.

However, note that when the sensor is launched without --net=host, it cannot detect its host IP address. By default, the sensor container is assigned an IP from the pool of the network it joins. All the containers on the host will then be mapped to the IP assigned to the sensor container, and each container's association with its host IP will be missing. Hence, to avoid losing the asset/host association, we recommend launching the sensor with the --net=host argument.

Installsensor.sh Command

Remove --net=host from the installsensor.sh script to run sensor without this command.

Docker Run Command

Do not specify --net=host as part of the Docker run command when deploying a sensor.

sudo docker run -d --restart on-failure -v /var/run/docker.sock:/var/run/docker.sock:ro -v /usr/local/qualys/sensor/data:/usr/local/qualys/qpa/data -e ACTIVATIONID=<Activation id> -e CUSTOMERID=<Customer id> -e POD_URL=<POD URL> --name qualys-container-sensor qualys/qcs-sensor:latest

Kubernetes DaemonSet

For deployments in Kubernetes with Docker Runtime, remove hostNetwork: true from cssensor-ds.yml.

CIS Docker Benchmark

5.10 Ensure that the memory usage for containers is limited (Automated)

Qualys Control

CID 10812 “Status of the memory usage limitation for the Docker containers on the host system”

Resolution

To meet compliance with this control, Qualys Container Sensor should run with the command line argument MemoryUsageLimit for the installsensor.sh script or -m as part of Docker run command when deploying a sensor. The value should be formatted as <digit><unit> where unit can be any of the following: b (bytes), k (kilobytes), m (megabytes), g (gigabytes). The recommended value is 500m for 500 megabytes.

Installsensor.sh Command

Specify MemoryUsageLimit as a command line argument for installsensor.sh script.


sudo ./installsensor.sh ActivationId=<Activation id> CustomerId=<Customer id> Storage=/tmp/qualys/sensor/data MemoryUsageLimit=500m -s

Docker Run Command

Specify -m as part of the Docker run command when deploying a sensor.


sudo docker run -d --restart on-failure -m 500m -v /var/run/docker.sock:/var/run/docker.sock:ro -v /usr/local/qualys/sensor/data:/usr/local/qualys/qpa/data -e ACTIVATIONID=<Activation id> -e CUSTOMERID=<Customer id> -e POD_URL=<POD URL> --net=host --name qualys-container-sensor qualys/qcs-sensor:latest

Kubernetes DaemonSet

For deployments in Kubernetes with Docker Runtime, add the memory usage limit to the resources section in the cssensor-ds.yml file, as shown below.

resources:
  limits:
    memory: "500M"

CIS Docker Benchmark

5.11 Ensure that CPU priority is set appropriately on containers (Automated)

Qualys Control

CID 10813 “Status of the CPU share weighting set for the Docker containers on the host system”

Resolution

To meet compliance with this control, Qualys Container Sensor should run with the command line argument CpuShares for the installsensor.sh script or --cpu-shares as part of Docker run command when deploying a sensor. This defines the CPU shares for the sensor container. A valid value is a non-zero, positive integer other than 1024.

Installsensor.sh Command

Specify CpuShares as a command line argument for installsensor.sh script.


sudo ./installsensor.sh ActivationId=<Activation id> CustomerId=<Customer id> Storage=/tmp/qualys/sensor/data CpuShares=1023 -s

Docker Run Command

Specify --cpu-shares as part of the Docker run command when deploying a sensor.


sudo docker run -d --restart on-failure --cpu-shares 1023 -v /var/run/docker.sock:/var/run/docker.sock:ro -v /usr/local/qualys/sensor/data:/usr/local/qualys/qpa/data -e ACTIVATIONID=<Activation id> -e CUSTOMERID=<Customer id> -e POD_URL=<POD URL> --name qualys-container-sensor qualys/qcs-sensor:latest

CIS Docker Benchmark

5.12 Ensure that the container’s root filesystem is mounted as read only (Automated)

Qualys Control

CID 10825 “Status of the read-only filesystem for the Docker containers on the host system”

Resolution

To meet compliance with this control, Qualys Container Sensor should run with the command line argument --read-only for the installsensor.sh script or as part of Docker run command when deploying a sensor.

Installsensor.sh Command

Specify --read-only as a command line argument for installsensor.sh script.


sudo ./installsensor.sh ActivationId=<Activation id> CustomerId=<Customer id> Storage=/tmp/qualys/sensor/data --read-only -s

Docker Run Command

Specify --read-only as part of the Docker run command when deploying a sensor.


sudo docker run -d --restart on-failure --read-only -v /var/run/docker.sock:/var/run/docker.sock:ro -v /usr/local/qualys/sensor/data:/usr/local/qualys/qpa/data -e ACTIVATIONID=<Activation id> -e CUSTOMERID=<Customer id> -e POD_URL=<POD URL> --name qualys-container-sensor qualys/qcs-sensor:latest

Kubernetes DaemonSet

For deployments in Kubernetes with Docker Runtime, add readOnlyRootFilesystem: true in the securityContext section of the cssensor-ds.yml file.

securityContext:
  readOnlyRootFilesystem: true

CIS Docker Benchmark

5.25 Ensure that the container is restricted from acquiring additional privileges (Automated)

Qualys Control

CID 10855 “Status of the 'no-new-privileges' security option set for the Docker containers on the host system”

Resolution

To meet compliance with this control, Qualys Container Sensor should run with the command line argument --security-opt=no-new-privileges as part of the Docker run command when deploying a sensor.

Installsensor.sh Command

The installsensor.sh script does not yet provide an option for this argument; support will be added in a future release. Until then, use the docker run command specified below to meet this control.

Docker Run Command

Specify --security-opt=no-new-privileges as part of the Docker run command when deploying a sensor.


sudo docker run -d --restart on-failure --security-opt=no-new-privileges -v /var/run/docker.sock:/var/run/docker.sock:ro -v /usr/local/qualys/sensor/data:/usr/local/qualys/qpa/data -e ACTIVATIONID=<Activation id> -e CUSTOMERID=<Customer id> -e POD_URL=<POD URL> --name qualys-container-sensor qualys/qcs-sensor:latest

CIS Docker Benchmark

5.28 Ensure that the PIDs cgroup limit is used (Automated)

Qualys Control

CID 10829 “Status of the Process ID (PID) cgroup limit for Docker containers”

Resolution

To meet compliance with this control, Qualys Container Sensor should run with the command line argument PidLimit for the installsensor.sh script or --pids-limit as part of the Docker run command when deploying a sensor. This defines the PID limit for the sensor container. The value provided must be a positive integer.

Installsensor.sh Command

Specify PidLimit as a command line argument for installsensor.sh script.


sudo ./installsensor.sh ActivationId=<Activation id> CustomerId=<Customer id> Storage=/tmp/qualys/sensor/data PidLimit=100 -s

Docker Run Command

Specify --pids-limit as part of the Docker run command when deploying a sensor.


sudo docker run -d --restart on-failure --pids-limit 100 -v /var/run/docker.sock:/var/run/docker.sock:ro -v /usr/local/qualys/sensor/data:/usr/local/qualys/qpa/data -e ACTIVATIONID=<Activation id> -e CUSTOMERID=<Customer id> -e POD_URL=<POD URL> --name qualys-container-sensor qualys/qcs-sensor:latest

CIS Docker Benchmark

Multiple Controls

Installsensor.sh Command

This sample includes all the command line arguments for installsensor.sh for meeting compliance, including MemoryUsageLimit, CpuShares, PidLimit, and --read-only. Note that --net=host is excluded.


sudo ./installsensor.sh ActivationId=<Activation id> CustomerId=<Customer id> Storage=/tmp/qualys/sensor/data MemoryUsageLimit=500m CpuShares=1023 PidLimit=100 -s --read-only

Docker Run Command

This sample includes all the command line arguments for the Docker run command for meeting compliance, including --security-opt=no-new-privileges, --cpu-shares, --pids-limit, -m, and --read-only. Note that --net=host is excluded.


sudo docker run -d --restart on-failure --read-only --security-opt=no-new-privileges --cpu-shares 1023 --pids-limit 100 -m 500m -v /var/run/docker.sock:/var/run/docker.sock:ro -v /usr/local/qualys/sensor/data:/usr/local/qualys/qpa/data -e ACTIVATIONID=<Activation id> -e CUSTOMERID=<Customer id> -e POD_URL=<POD URL> --name qualys-container-sensor qualys/qcs-sensor:latest
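The following is an added verification script, not part of the Qualys documentation or the sensor itself. It reads the JSON that docker inspect emits for a running sensor container and reports pass/fail for each of the six controls covered above (5.9, 5.10, 5.11, 5.12, 5.25 and 5.28) by checking the HostConfig fields that the corresponding docker run flags set. The embedded inspect document is a constructed sample; the function and key names it defines are the author's own choices.

```python
import json
import subprocess
from typing import Any, Dict

# Constructed sample of `docker inspect` output for a sensor started with the
# "Multiple Controls" command plus --net=host (as the 5.9 note recommends).
# A real inspect document carries many more keys; only HostConfig is needed.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/qualys-container-sensor",
    "HostConfig": {
        "NetworkMode": "host",
        "Memory": 524288000,          # -m 500m, reported in bytes
        "CpuShares": 1023,            # --cpu-shares 1023
        "ReadonlyRootfs": True,       # --read-only
        "SecurityOpt": ["no-new-privileges"],
        "PidsLimit": 100,             # --pids-limit 100
    },
}])

def audit_host_config(hc: Dict[str, Any]) -> Dict[str, bool]:
    """Map each CIS control on this page to pass/fail for one HostConfig."""
    sec_opt = hc.get("SecurityOpt") or []
    # Docker reports 0 (or null for PidsLimit) when no limit is set, and a
    # CpuShares of 0 or 1024 is the default weight, which control 5.11 rejects.
    return {
        "5.9 no host network namespace": hc.get("NetworkMode") != "host",
        "5.10 memory limit set": (hc.get("Memory") or 0) > 0,
        "5.11 cpu shares set": (hc.get("CpuShares") or 0) not in (0, 1024),
        "5.12 read-only root filesystem": bool(hc.get("ReadonlyRootfs")),
        "5.25 no-new-privileges": any(
            o.split(":")[0] == "no-new-privileges" for o in sec_opt),
        "5.28 pids limit set": (hc.get("PidsLimit") or 0) > 0,
    }

def audit_inspect_json(raw: str) -> Dict[str, Dict[str, bool]]:
    """Audit every container in a `docker inspect` JSON document."""
    return {c["Name"].lstrip("/"): audit_host_config(c.get("HostConfig", {}))
            for c in json.loads(raw)}

def audit_running(name: str = "qualys-container-sensor") -> Dict[str, Dict[str, bool]]:
    """Inspect a live container on a Docker host; requires the docker CLI."""
    raw = subprocess.check_output(["docker", "inspect", name], text=True)
    return audit_inspect_json(raw)

if __name__ == "__main__":
    for name, results in audit_inspect_json(SAMPLE_INSPECT).items():
        for control, ok in results.items():
            print(f"{name}: {control}: {'PASS' if ok else 'FAIL'}")
```

On the sample, every control passes except 5.9, which is the expected trade-off when the sensor keeps --net=host to preserve the asset/host association.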