mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-12 14:14:56 +03:00
mukul975
c21af3347e
- Add scripts/agent.py and references/api-reference.md to all remaining skills - Update all 648 LICENSE files: copyright now reads 'Mahipal' - Add implementing-security-monitoring-with-datadog (new skill with full anatomy) - All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
84 lines
1.9 KiB
Markdown
84 lines
1.9 KiB
Markdown
# API Reference: Docker Daemon Configuration Hardening
|
|
|
|
## daemon.json Location
|
|
- Linux: `/etc/docker/daemon.json`
|
|
- Windows: `C:\ProgramData\docker\config\daemon.json`
|
|
|
|
## Recommended daemon.json
|
|
```json
|
|
{
|
|
"icc": false,
|
|
"live-restore": true,
|
|
"userland-proxy": false,
|
|
"no-new-privileges": true,
|
|
"userns-remap": "default",
|
|
"log-driver": "json-file",
|
|
"log-opts": {"max-size": "10m", "max-file": "3"},
|
|
"tls": true,
|
|
"tlsverify": true,
|
|
"tlscacert": "/etc/docker/ca.pem",
|
|
"tlscert": "/etc/docker/server-cert.pem",
|
|
"tlskey": "/etc/docker/server-key.pem"
|
|
}
|
|
```
|
|
|
|
## CIS Docker Benchmark — Daemon Settings
|
|
|
|
| CIS # | Setting | Recommendation |
|
|
|-------|---------|---------------|
|
|
| 2.1 | `icc` | Set to `false` |
|
|
| 2.2 | `live-restore` | Set to `true` |
|
|
| 2.3 | `userland-proxy` | Set to `false` |
|
|
| 2.4 | `no-new-privileges` | Set to `true` |
|
|
| 2.6 | TLS | Enable with certificates |
|
|
| 2.8 | `userns-remap` | Set to `default` |
|
|
| 2.12 | Logging | Configure centralized logging |
|
|
|
|
## File Permission Checks
|
|
|
|
| File | Permissions |
|
|
|------|------------|
|
|
| `/etc/docker/daemon.json` | 644 |
|
|
| `/var/run/docker.sock` | 660 |
|
|
| `/etc/docker/certs.d/` | 444 |
|
|
| Docker service files | 644 |
|
|
|
|
## Docker Socket Security
|
|
|
|
### Check permissions
|
|
```bash
|
|
ls -la /var/run/docker.sock
|
|
# srw-rw---- 1 root docker 0 ... /var/run/docker.sock
|
|
```
|
|
|
|
### Restrict group access
|
|
```bash
|
|
chmod 660 /var/run/docker.sock
|
|
chown root:docker /var/run/docker.sock
|
|
```
|
|
|
|
## Content Trust (Image Signing)
|
|
|
|
### Enable globally
|
|
```bash
|
|
export DOCKER_CONTENT_TRUST=1
|
|
```
|
|
|
|
### In daemon.json
|
|
```json
|
|
{"content-trust": {"mode": "enforced"}}
|
|
```
|
|
|
|
## Docker Info Command
|
|
```bash
|
|
docker info --format '{{json .}}'
|
|
```
|
|
|
|
### Key Fields
|
|
| Field | Description |
|
|
|-------|-------------|
|
|
| `SecurityOptions` | seccomp, apparmor, userns |
|
|
| `LiveRestoreEnabled` | Live restore status |
|
|
| `RegistryConfig.InsecureRegistryCIDRs` | Insecure registries |
|
|
| `ServerVersion` | Docker version |
|