1
00:00:02,260 --> 00:00:03,534
Number two. Scan your host

2
00:00:05,260 --> 00:00:06,260
for proper Docker config.

3
00:00:06,710 --> 00:00:09,061
Here's a really great tool, free, called Docker Bench.

4
00:00:09,062 --> 00:00:11,762
Made by Docker, this

5
00:00:12,790 --> 00:00:14,529
tool will scan your host.

6
00:00:15,260 --> 00:00:18,100
Basically you run it on the host that has Docker installed.

7
00:00:18,630 --> 00:00:20,140
The output kind of looks like this.

8
00:00:21,420 --> 00:00:24,359
It'll give you blues, greens, yellows, reds, all that

9
00:00:24,360 --> 00:00:27,630
stuff. It's a configuration checker.

10
00:00:27,990 --> 00:00:30,440
It's not scanning for viruses, or vulnerabilities,

11
00:00:31,350 --> 00:00:34,079
or anything like that. It's scanning your configuration.

12
00:00:34,410 --> 00:00:36,210
Did Docker get installed properly?

13
00:00:36,510 --> 00:00:39,779
Does Docker have all the right permissions that it needs?

14
00:00:39,810 --> 00:00:42,780
Does it have all the right kernel capabilities

15
00:00:43,110 --> 00:00:46,259
to perform proper functionality, especially

16
00:00:46,260 --> 00:00:49,229
around security? So, for example, if your

17
00:00:49,290 --> 00:00:51,800
system doesn't have SELinux enabled, or AppArmor

18
00:00:52,410 --> 00:00:55,619
enabled or installed, and Docker wants to use those things,

19
00:00:55,710 --> 00:00:57,200
it will note that stuff here.

20
00:00:58,740 --> 00:01:00,749
Before I decide on a proper configuration

21
00:01:01,920 --> 00:01:04,619
for servers that are going to go, you know, even just for

22
00:01:04,620 --> 00:01:07,290
testing, not just production, I'll just run this little

23
00:01:07,380 --> 00:01:10,189
shell script. You can run it straight from the website.

24
00:01:10,260 --> 00:01:11,819
They give you instructions here on how to run it.

25
00:01:12,390 --> 00:01:14,069
It'll dump out a bunch of stuff.

26
00:01:14,100 --> 00:01:15,704
It's never going to all be green.

27
00:01:15,705 --> 00:01:18,390
Like most security tools, it's still going

28
00:01:18,780 --> 00:01:21,640
to give you certain things.

29
00:01:21,850 --> 00:01:24,590
You have to look through those and decide, is that OK?

30
00:01:25,000 --> 00:01:26,424
It just kind of makes you a smarter admin.

31
00:01:26,590 --> 00:01:28,648
Makes you aware of certain limitations, or

32
00:01:29,590 --> 00:01:31,659
problems, with your system. You might find out that for a

33
00:01:31,660 --> 00:01:34,355
certain Linux distribution, that's not going to work at

34
00:01:34,510 --> 00:01:36,862
all. That particular thing is just going to have

35
00:01:37,480 --> 00:01:40,569
to be insecure, or not a feature,

36
00:01:40,600 --> 00:01:41,600
that kind of stuff, right.

37
00:01:42,040 --> 00:01:43,804
It's good education. It uses a thing

38
00:01:45,010 --> 00:01:47,850
called the CIS Docker Benchmark, which is sort of an

39
00:01:48,040 --> 00:01:49,902
industry standard for how to make sure

40
00:01:51,010 --> 00:01:54,129
the security of a host is properly set up for Docker.

41
00:01:54,940 --> 00:01:57,159
And it's great. It's an easy utility to run.

42
00:01:57,250 --> 00:01:59,979
I would run it, like if you're going to be building servers

43
00:01:59,980 --> 00:02:03,069
with Ansible, or Puppet, or whatever you're using

44
00:02:03,070 --> 00:02:05,520
to build servers, you would... once you've got that

45
00:02:05,650 --> 00:02:08,469
configuration, I would deploy your servers into a mock

46
00:02:08,470 --> 00:02:11,020
setup. You're running your configuration tool.

47
00:02:11,410 --> 00:02:13,500
Then I would run Docker Bench against it.

48
00:02:14,530 --> 00:02:15,550
You would get a bunch of output.

49
00:02:15,850 --> 00:02:18,398
You could go through those, one by one, deciding, am

50
00:02:18,940 --> 00:02:20,590
I okay with this? Can I fix it?

51
00:02:20,650 --> 00:02:21,650
What have I got to do?

52
00:02:22,150 --> 00:02:23,650
Should I ignore it? That kind of stuff.
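The speaker's workflow is: run the benchmark against a freshly built host, then go through the output one finding at a time and decide whether to fix it, accept it, or ignore it. The script below is an added example of that triage step; it is not part of the video and not part of Docker's docker-bench-security project. It works on a constructed sample of benchmark output (the `[INFO]`/`[PASS]`/`[NOTE]`/`[WARN]` tags are what the tool prints as blue/green/yellow/red; the check IDs and titles here are illustrative, not a copy of any benchmark version) and on an accepted-risk file whose one-ID-per-line format is my own convention. Its point is that the red lines you have reviewed and knowingly accepted, such as a SELinux check on a distribution that does not ship it, are separated from the red lines that still need a decision, so re-running the benchmark after the next Ansible or Puppet build only surfaces what is new.

```shell
#!/bin/sh
# Triage helper for docker-bench-security output.
# Added example; not from the course video or the docker/docker-bench-security project.
#
# In real use you would first produce the log on the Docker host, roughly:
#   git clone https://github.com/docker/docker-bench-security.git
#   cd docker-bench-security && sudo sh docker-bench-security.sh -b -l bench.log
# (-b disables colours, -l writes a log file; confirm both flags against the README
# of the version you run). Here a constructed sample stands in for bench.log.

SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
[INFO] 1 - Host Configuration
[INFO] 1.1 - Linux Hosts Specific Configuration
[WARN] 1.1.1 - Ensure a separate partition for containers has been created
[PASS] 1.1.2 - Ensure only trusted users are allowed to control Docker daemon
[WARN] 1.1.3 - Ensure auditing is configured for the Docker daemon
[INFO] 2 - Docker daemon configuration
[WARN] 2.1 - Run the Docker daemon as a non-root user, if possible
[NOTE] 2.2 - Ensure network traffic is restricted between containers on the default bridge
[PASS] 2.3 - Ensure the logging level is set to 'info'
[INFO] 5 - Container Runtime Configuration
[WARN] 5.1 - Ensure that, if applicable, an AppArmor Profile is enabled
[WARN] 5.2 - Ensure that, if applicable, SELinux security options are set
EOF

# Accepted-risk file (my own format): "<check id> <reason>", one per line.
# These are the findings an admin has already looked at and decided to live with.
ACCEPTED="$(mktemp)"
cat > "$ACCEPTED" <<'EOF'
2.1 rootless daemon not supported on this build image yet; revisit next quarter
5.2 distribution ships AppArmor, not SELinux; 5.1 covers the MAC requirement
EOF

# count_status LOG TAG -> how many lines carry [TAG] (INFO, PASS, NOTE or WARN)
count_status() {
    grep -c "^\[$2\]" "$1" || true   # grep -c exits 1 on zero matches; still prints 0
}

# open_warnings LOG ACCEPTED -> the [WARN] lines whose check ID is NOT in ACCEPTED
open_warnings() {
    log="$1"
    accepted="$2"
    grep '^\[WARN\]' "$log" | while IFS= read -r line; do
        id="$(printf '%s\n' "$line" | cut -d' ' -f2)"
        # exact match on the first field, so "2.1" does not swallow "2.10"
        if ! awk -v id="$id" '$1 == id { found = 1 } END { exit !found }' "$accepted"; then
            printf '%s\n' "$line"
        fi
    done
}

# open_warning_count LOG ACCEPTED -> number of WARNs still needing a decision
open_warning_count() {
    open_warnings "$1" "$2" | wc -l | tr -d ' '
}

# summarize LOG ACCEPTED -> per-tag totals, then the WARNs that are still open
summarize() {
    for tag in INFO PASS NOTE WARN; do
        printf '%-5s %s\n' "$tag" "$(count_status "$1" "$tag")"
    done
    printf 'Open WARNs (not in accepted-risk list):\n'
    open_warnings "$1" "$2"
}

summarize "$SAMPLE_LOG" "$ACCEPTED"
```

Run against a real `bench.log`, the summary shrinks to the findings nobody has ruled on yet; when one of those is fixed in the build tooling it drops out on the next run, and when one is consciously accepted it moves into the accepted-risk file with its reason, which is also the record you want when someone later asks why a host shows red.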