Harden Docker with CIS – (P1) Environment setup

In posts to come, I’ll refer to the security guidelines provided by CIS and try to harden a Docker CE (Community Edition) installation on Debian and CentOS servers. I am not sure how many items out of the complete list I’ll be able to complete. However, I intend to cover as much as possible, and provide an explanation for the items that I will leave out.

Installing Docker

Getting Docker up and running is rather simple. Navigate to https://get.docker.com/ and follow the 2 simple commands provided at the top of the page.

$ curl -fsSL https://get.docker.com -o get-docker.sh
$ sh get-docker.sh

I’ll be using Debian 10 (buster) and CentOS 7 as my base machines in this series of tutorials. CentOS 8 is currently (at the time of writing this post) not supported by Docker. The installation process is simple on both operating systems.

To verify the installation, run docker version on the command line. You should see the version information for both the Docker client and the Docker server.

[email protected]:~$ docker version
Client: Docker Engine - Community
 Version:           19.03.13
 API version:       1.40
 Go version:        go1.13.15
 Git commit:        4484c46d9d
 Built:             Wed Sep 16 17:02:55 2020
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.13
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       4484c46d9d
  Built:            Wed Sep 16 17:01:25 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.3.7
  GitCommit:        8fba4e9a7d01810a393d5d25a3621dc101981175
 runc:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

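However, if you don’t see this information and instead get an error like the one below, start the Docker daemon service and ensure that the current user is part of the docker group on the host. Keep in mind that members of the docker group have root-equivalent control over the host through the daemon, so add only trusted accounts.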

[email protected]:~$ docker version
Client: Docker Engine - Community
 Version:           19.03.13
 API version:       1.40
 Go version:        go1.13.15
 Git commit:        4484c46d9d
 Built:             Wed Sep 16 17:02:55 2020
 OS/Arch:           linux/amd64
 Experimental:      false
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

Run the following commands to fix the issue reported in the output above.

## Start the docker daemon service
$ sudo systemctl start docker

## Add the current user to the docker group. Make sure to log in again to the account
## to enforce the group membership changes
$ sudo usermod -aG docker $USER
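The verification and fix steps above can be scripted. The following is an added example, not code from the original post: it classifies captured docker version output, maps each state to the fix given above, and lists who is in the docker group. The function names, the sample inputs, and the permission-denied message wording (which is not shown in the post) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Sample inputs are constructed.

# Map captured `docker version` output (stdout + stderr) to one state.
classify_docker_version() {
    case $1 in
        *"Cannot connect to the Docker daemon"*) echo daemon-not-running ;;
        *"permission denied while trying to connect to the Docker daemon socket"*)
            echo socket-permission-denied ;;   # assumed message wording
        *"Server:"*) echo ok ;;
        *) echo unknown ;;
    esac
}

# Map a state to the fix this post gives for it.
remedy() {
    case $1 in
        daemon-not-running) echo "sudo systemctl start docker" ;;
        socket-permission-denied) echo "sudo usermod -aG docker \$USER" ;;
        ok) echo "nothing to fix" ;;
        *) echo "inspect the output manually" ;;
    esac
}

# Print group members, one per line, from a `getent group` line
# (format name:password:gid:user1,user2).
group_members() {
    members=${1##*:}
    if [ -n "$members" ]; then printf '%s\n' "$members" | tr ',' '\n'; fi
}

# Succeed only if user $1 is an exact member of the group line $2.
user_in_group() {
    group_members "$2" | grep -qxF -- "$1"
}

SAMPLE_OK='Client: Docker Engine - Community
 Version: 19.03.13
Server: Docker Engine - Community'
SAMPLE_DOWN='Client: Docker Engine - Community
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?'
SAMPLE_DENIED='Client: Docker Engine - Community
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock'
SAMPLE_GROUP='docker:x:998:alice,deploy'

for s in "$SAMPLE_OK" "$SAMPLE_DOWN" "$SAMPLE_DENIED"; do
    state=$(classify_docker_version "$s")
    printf '%s -> %s\n' "$state" "$(remedy "$state")"
done
echo "Accounts that can control the Docker daemon:"
group_members "$SAMPLE_GROUP"
```

On a live host, pass "$(docker version 2>&1)" and "$(getent group docker)" in place of the samples.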

If you have questions or need help setting things up, reach out to me @jtnydv