Chef Blogs

Docker Container Compliance with InSpec

Adam Leff | Posted on | Chef InSpec | community | compliance

Thanks to its speed and approachability, Docker has done a great deal to make containers popular. Need a quick Redis server? docker run redis and boom, you’ve got a Redis server. However, compared to traditional hosts and virtual machines, containers are considerably more difficult to reason about. Is my software in the container the version I expect? Is my software configured properly? Am I using a dependency that has a known vulnerability? Depending on how your container was built or from where it was retrieved, you may not be able to easily answer these questions.

Intro to InSpec

InSpec by Chef is an open-source testing framework that uses a human-readable language to define infrastructure tests and compliance controls. InSpec can locally or remotely test a host and report back its compliance status.

InSpec provides an incredibly easy way to answer questions such as:

  • Is package “my_app” installed?
  • Is server “my_service” running?
  • Is the SSH server configured to only accept protocol version 2?
  • Is the “max_allowed_packet” setting in the “mysql” section of “/etc/my.cnf” set to “16M”?

After creating a profile which contains controls using the many resources available in InSpec, the profile becomes Compliance as Code, allowing the automated scanning and reporting of a host’s compliance. Scanning a host is as simple as running inspec exec PROFILE_NAME. For example, to scan a host locally using a profile called frontend_alpha:

inspec exec frontend_alpha

To scan a host via SSH using the same profile:

inspec exec frontend_alpha -t ssh://192.168.1.100

InSpec does not need to install any software on a remote host to be able to successfully determine its compliance status.

Compliance for Containers

In addition to scanning a host locally or remotely, InSpec can inspect a Docker container via the Docker API. This provides the ability to make assertions about a live, running container without requiring any changes to the container’s contents or build process.

For example, to scan a running container with the ID of fa215305c18e as listed in the output of docker ps:

inspec exec frontend_alpha -t docker://fa215305c18e

This is an incredibly powerful ability. As an organization’s compliance controls evolve, containers do not need to be rebuilt to include additional data (such as inventories or additional software), nor do containers’ origins need to be traced to determine how it was built or what the build contains. Simply modify the profile with additional controls, and the existing container can be rescanned.

Scanning the Docker Host

It’s not enough to simply scan the containers. If the Docker host itself (the host on which all the containers are running) is vulnerable, the security posture of the containers cannot be guaranteed.

The Center for Internet Security’s (CIS) Docker 1.11.0 Benchmark is one effort to document a set of best practices for proper Docker host security configuration. However, much like many traditional compliance rules and guidelines, it is provided as a PDF file which, in and of itself, cannot be automated.

Thankfully, the Dev-Sec.io project, to which the InSpec maintainers contribute regularly, has published an open-source InSpec profile that implements the CIS Docker Benchmark. Since InSpec can read profiles using many methods, including via HTTP to a git repository, scanning a Docker host is as simple as:

inspec exec https://github.com/dev-sec/cis-docker-benchmark -t ssh://192.168.123.11

The Dev-Sec.io project also provides a number of other InSpec profiles and Chef cookbooks that can be used to detect and remediate common OS and application hardening concerns.

Publishing and Sharing Profiles

In addition to the profiles created by the Dev-Sec.io project, members of the InSpec community are publishing their own profiles on the Chef Supermarket. On the Supermarket, you may find a profile that already fits your needs or find a profile that can serve as a great starting point. Profiles can depend on other profiles; for more information see the “Profile Dependencies” section of the profiles documentation page.

If you have a profile you think your fellow InSpec community members could benefit from, we’d love to help publish your contribution on the Supermarket!

Wrapping Up

Compliance doesn’t need to be an afterthought, and using containers doesn’t need to be a roadblock for achieving high degrees of compliance. Learn more about InSpec’s easy-to-use framework for creating compliance-as-code and scanning your infrastructure at http://inspec.io, and join us in the #inspec channel in the Chef Community Slack team.