Compliance with CIS Benchmark for Docker
Qualys Container Security adheres to the CIS Benchmark for Docker for our Sensor image. This section provides guidance on how to use the Sensor image in a way that complies with the CIS Benchmark for Docker. We’ve provided instructions below for a number of controls so you can operate the Sensor in a compliant manner.
CIS Docker Benchmark
5.9 Ensure that the host’s network namespace is not shared (Automated)
Qualys Control
CID 10811 “Status of the network mode set for the Docker containers on the host system”
Resolution
To meet compliance with this control, Qualys Container Sensor should run without the --net=host command line argument.
Note, however, that a sensor launched without --net=host cannot detect the host’s IP address. The sensor container is instead assigned an address from the pool of the Docker network it joins, every container on the host is then reported under that sensor-container IP, and each container’s association with its host IP is lost. Hence, to avoid losing the asset/host association, we recommend launching the sensor with the --net=host argument (the sensor container will then be reported as non-compliant for this one control).
Installsensor.sh Command
Remove --net=host from the installsensor.sh script to run the sensor without it.
Docker Run Command
Do not specify --net=host in the docker run command when deploying the sensor.
Kubernetes DaemonSet
For deployments in Kubernetes with the Docker runtime, remove hostNetwork: true from cssensor-ds.yml.
CIS Docker Benchmark
5.10 Ensure that the memory usage for containers is limited (Automated)
Qualys Control
CID 10812 “Status of the memory usage limitation for the Docker containers on the host system”
Resolution
To meet compliance with this control, Qualys Container Sensor should run with the MemoryUsageLimit command line argument for the installsensor.sh script, or with -m in the docker run command, when deploying the sensor. The value is formatted as <number><unit>, where unit is one of b (bytes), k (kilobytes), m (megabytes) or g (gigabytes). The recommended value is 500m (500 megabytes).
Installsensor.sh Command
Specify MemoryUsageLimit as a command line argument for the installsensor.sh script.
sudo ./installsensor.sh ActivationId=<Activation id> CustomerId=<Customer id> Storage=/tmp/qualys/sensor/data MemoryUsageLimit=500m -s
Docker Run Command
Specify -m in the docker run command when deploying the sensor.
sudo docker run -d --restart on-failure -m 500m -v /var/run/docker.sock:/var/run/docker.sock:ro -v /usr/local/qualys/sensor/data:/usr/local/qualys/qpa/data -e ACTIVATIONID=<Activation id> -e CUSTOMERID=<CustomerId> -e POD_URL=<POD URL> --net=host --name qualys-container-sensor qualys/qcs-sensor:latest
Kubernetes DaemonSet
For deployments in Kubernetes with the Docker runtime, add the memory limit to the resources section of the cssensor-ds.yml file, as shown below. Note that Kubernetes reads 500M as 500 × 10^6 bytes; use 500Mi if you want the same 500 MiB that Docker’s -m 500m sets.
resources:
  limits:
    memory: "500M"
CIS Docker Benchmark
5.11 Ensure that CPU priority is set appropriately on containers (Automated)
Qualys Control
CID 10813 “Status of the CPU share weighting set for the Docker containers on the host system”
Resolution
To meet compliance with this control, Qualys Container Sensor should run with the CpuShares command line argument for the installsensor.sh script, or with --cpu-shares in the docker run command, when deploying the sensor. This sets the CPU share weight of the sensor container relative to other containers. A valid value is a positive, non-zero integer other than 1024 (1024 is Docker’s default weight, which the benchmark treats as unset).
Installsensor.sh Command
Specify CpuShares as a command line argument for the installsensor.sh script.
sudo ./installsensor.sh ActivationId=<Activation id> CustomerId=<Customer id> Storage=/tmp/qualys/sensor/data CpuShares=1023 -s
Docker Run Command
Specify --cpu-shares in the docker run command when deploying the sensor.
sudo docker run -d --restart on-failure --cpu-shares 1023 -v /var/run/docker.sock:/var/run/docker.sock:ro -v /usr/local/qualys/sensor/data:/usr/local/qualys/qpa/data -e ACTIVATIONID=<Activation id> -e CUSTOMERID=<Customer id> -e POD_URL=<POD URL> --name qualys-container-sensor qualys/qcs-sensor:latest
CIS Docker Benchmark
5.12 Ensure that the container’s root filesystem is mounted as read only (Automated)
Qualys Control
CID 10825 “Status of the read-only filesystem for the Docker containers on the host system”
Resolution
To meet compliance with this control, Qualys Container Sensor should run with the --read-only command line argument, either for the installsensor.sh script or in the docker run command, when deploying the sensor. The sensor keeps its writable state on the data volume mounted at /usr/local/qualys/qpa/data, so the root filesystem can be read-only.
Installsensor.sh Command
Specify --read-only as a command line argument for the installsensor.sh script.
sudo ./installsensor.sh ActivationId=<Activation id> CustomerId=<Customer id> Storage=/tmp/qualys/sensor/data --read-only -s
Docker Run Command
Specify --read-only in the docker run command when deploying the sensor.
sudo docker run -d --restart on-failure --read-only -v /var/run/docker.sock:/var/run/docker.sock:ro -v /usr/local/qualys/sensor/data:/usr/local/qualys/qpa/data -e ACTIVATIONID=<Activation id> -e CUSTOMERID=<Customer id> -e POD_URL=<POD URL> --name qualys-container-sensor qualys/qcs-sensor:latest
Kubernetes DaemonSet
For deployments in Kubernetes with the Docker runtime, add readOnlyRootFilesystem: true to the securityContext section of the cssensor-ds.yml file.
securityContext:
  readOnlyRootFilesystem: true
CIS Docker Benchmark
5.25 Ensure that the container is restricted from acquiring additional privileges (Automated)
Qualys Control
CID 10855 “Status of the 'no-new-privileges' security option set for the Docker containers on the host system”
Resolution
To meet compliance with this control, Qualys Container Sensor should run with the --security-opt=no-new-privileges command line argument. This prevents processes in the sensor container from gaining privileges through setuid or setgid binaries and file capabilities.
Installsensor.sh Command
The installsensor.sh script currently has no option for this argument; support for it will be added in a future release. Until then, use the docker run command below to meet this control.
Docker Run Command
Specify --security-opt=no-new-privileges in the docker run command when deploying the sensor.
sudo docker run -d --restart on-failure --security-opt=no-new-privileges -v /var/run/docker.sock:/var/run/docker.sock:ro -v /usr/local/qualys/sensor/data:/usr/local/qualys/qpa/data -e ACTIVATIONID=<Activation id> -e CUSTOMERID=<Customer id> -e POD_URL=<POD URL> --name qualys-container-sensor qualys/qcs-sensor:latest
CIS Docker Benchmark
5.28 Ensure that the PIDs cgroup limit is used (Automated)
Qualys Control
CID 10829 “Status of the Process ID (PID) cgroup limit for Docker containers”
Resolution
To meet compliance with this control, Qualys Container Sensor should run with the PidLimit command line argument for the installsensor.sh script, or with --pids-limit in the docker run command, when deploying the sensor. This caps the number of processes the sensor container can create, which bounds the damage of a fork bomb inside it. The value must be a positive integer.
Installsensor.sh Command
Specify PidLimit as a command line argument for the installsensor.sh script.
sudo ./installsensor.sh ActivationId=<Activation id> CustomerId=<Customer id> Storage=/tmp/qualys/sensor/data PidLimit=100 -s
Docker Run Command
Specify --pids-limit in the docker run command when deploying the sensor.
sudo docker run -d --restart on-failure --pids-limit 100 -v /var/run/docker.sock:/var/run/docker.sock:ro -v /usr/local/qualys/sensor/data:/usr/local/qualys/qpa/data -e ACTIVATIONID=<Activation id> -e CUSTOMERID=<Customer id> -e POD_URL=<POD URL> --name qualys-container-sensor qualys/qcs-sensor:latest
CIS Docker Benchmark
Multiple Controls
Installsensor.sh Command
This sample includes all the installsensor.sh command line arguments for meeting compliance: MemoryUsageLimit, CpuShares, PidLimit and --read-only. Note that --net=host is excluded.
sudo ./installsensor.sh ActivationId=<Activation id> CustomerId=<Customer id> Storage=/tmp/qualys/sensor/data MemoryUsageLimit=500m CpuShares=1023 PidLimit=100 -s --read-only
Docker Run Command
This sample includes all the docker run command line arguments for meeting compliance: --read-only, --security-opt=no-new-privileges, --cpu-shares, --pids-limit and -m. Note that --net=host is excluded.
sudo docker run -d --restart on-failure --read-only --security-opt=no-new-privileges --cpu-shares 1023 --pids-limit 100 -m 500m -v /var/run/docker.sock:/var/run/docker.sock:ro -v /usr/local/qualys/sensor/data:/usr/local/qualys/qpa/data -e ACTIVATIONID=<Activation id> -e CUSTOMERID=<Customer id> -e POD_URL=<POD URL> --name qualys-container-sensor qualys/qcs-sensor:latest
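After deploying the sensor with the flags above, the next thing a practitioner wants is to confirm that the running container actually carries them. The following script is an added example, not Qualys code or anything from the page itself: it evaluates the six controls covered here (5.9, 5.10, 5.11, 5.12, 5.25, 5.28) against the HostConfig fields that docker inspect reports, the same fields the benchmark’s own audit steps read. The two container records embedded in it are constructed samples (one sensor started with the combined command above, one started with Docker defaults plus --net=host), not real sensor output.

```python
"""Offline check of `docker inspect` output against the six CIS Docker
controls covered on this page (5.9, 5.10, 5.11, 5.12, 5.25, 5.28).

Added example, not Qualys code. The field names are the ones `docker
inspect` reports under HostConfig; the container records below are
constructed samples, not real sensor output.
"""
import json

# Constructed sample of `docker inspect` output, trimmed to the fields the
# checks need: one sensor started with the combined command on this page,
# one started with Docker defaults plus --net=host.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/qualys-container-sensor",
        "HostConfig": {
            "NetworkMode": "default",
            "Memory": 524288000,          # -m 500m, reported in bytes
            "CpuShares": 1023,
            "ReadonlyRootfs": True,
            "SecurityOpt": ["no-new-privileges"],
            "PidsLimit": 100,
        },
    },
    {
        "Name": "/sensor-defaults",
        "HostConfig": {
            "NetworkMode": "host",
            "Memory": 0,                  # 0 = no limit
            "CpuShares": 0,               # 0 = flag not given (default weight 1024)
            "ReadonlyRootfs": False,
            "SecurityOpt": None,
            "PidsLimit": None,            # null (or 0 on older Docker) = no limit
        },
    },
])


def _no_new_privileges(host_config):
    """True if SecurityOpt enables no-new-privileges.

    Docker accepts the bare flag as well as "no-new-privileges=true" (and the
    older ":" separator); an explicit "=false" turns it off again.
    """
    for opt in host_config.get("SecurityOpt") or []:
        key, _, value = opt.replace(":", "=", 1).partition("=")
        if key == "no-new-privileges" and value.lower() in ("", "true", "1"):
            return True
    return False


# Control name -> predicate over the HostConfig dict. Each predicate mirrors the
# benchmark's audit step: the value must be set and must not be Docker's default.
CONTROLS = {
    "5.9 host network namespace not shared":
        lambda hc: hc.get("NetworkMode") != "host",
    "5.10 memory limit set":
        lambda hc: (hc.get("Memory") or 0) > 0,
    "5.11 CPU shares set and not the default 1024":
        lambda hc: (hc.get("CpuShares") or 0) not in (0, 1024),
    "5.12 root filesystem read-only":
        lambda hc: hc.get("ReadonlyRootfs") is True,
    "5.25 no-new-privileges set":
        _no_new_privileges,
    "5.28 PIDs limit set":
        lambda hc: (hc.get("PidsLimit") or 0) > 0,
}


def audit_container(record):
    """Evaluate one `docker inspect` record; returns {control: passed}."""
    host_config = record.get("HostConfig") or {}
    return {name: bool(check(host_config)) for name, check in CONTROLS.items()}


def audit_inspect_output(inspect_json):
    """Map container name -> list of failed controls, given the JSON array
    that `docker inspect <container>...` prints."""
    findings = {}
    for record in json.loads(inspect_json):
        results = audit_container(record)
        name = record.get("Name", record.get("Id", "?")).lstrip("/")
        findings[name] = [ctl for ctl, ok in results.items() if not ok]
    return findings


if __name__ == "__main__":
    import sys
    # Real use:  docker inspect $(docker ps -q) | python3 audit_sensor.py
    # With no piped input the constructed sample is audited instead.
    raw = SAMPLE_INSPECT if sys.stdin.isatty() else sys.stdin.read()
    for name, failed in audit_inspect_output(raw).items():
        print(name, "PASS" if not failed else "FAIL: " + "; ".join(failed))
```

Run it as docker inspect $(docker ps -q) | python3 audit_sensor.py on the host to get one PASS/FAIL line per container; a sensor deliberately kept on --net=host (see control 5.9 above) will show exactly one failure, which is the expected trade-off. The script treats a missing SecurityOpt (null) and a null or 0 PidsLimit as “not set”, since that is how Docker reports the defaults.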