Workflow - Hardening Docker Daemon Configuration
Phase 1: Baseline Assessment
# Capture the daemon's current state before anything is changed
docker info
docker system info --format '{{json .SecurityOptions}}'
# Show the existing daemon.json, or say so when there is none
if ! cat /etc/docker/daemon.json 2>/dev/null; then
  echo "No daemon.json found"
fi
# Baseline Docker Bench run; output is shown and saved for the later diff
bench_cmd=(
  run --rm --net host --pid host
  -v /var/run/docker.sock:/var/run/docker.sock
  -v /etc:/etc:ro
  docker/docker-bench-security
)
docker "${bench_cmd[@]}" 2>&1 | tee docker-bench-baseline.txt
Phase 2: Apply Hardened Configuration
Step 1 - Backup Current Config
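# Back up the existing daemon.json before it is overwritten. A missing file is
# fine (fresh install); a failed copy of an existing file is not, because the
# next step replaces it, so that case stops the workflow instead of being
# hidden by 2>/dev/null.
if sudo test -f /etc/docker/daemon.json; then
  sudo cp -p /etc/docker/daemon.json /etc/docker/daemon.json.bak || exit 1
fi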
Step 2 - Deploy Hardened daemon.json
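# Install the hardened daemon.json through a temp file so a malformed document
# never reaches the live path (dockerd refuses to start on invalid JSON).
# Settings worth knowing before applying:
#   icc=false     - containers on the default bridge can no longer talk to each
#                   other directly; use user-defined networks where needed
#   userns-remap  - the daemon switches to a per-remap data directory under
#                   /var/lib/docker, so existing images and containers are not
#                   visible to the remapped daemon
tmp_cfg=$(mktemp) || exit 1
trap 'rm -f -- "$tmp_cfg"' EXIT
cat >"$tmp_cfg" <<'EOF'
{
  "icc": false,
  "userns-remap": "default",
  "no-new-privileges": true,
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "10m",
    "max-file": "5"
  },
  "storage-driver": "overlay2",
  "live-restore": true,
  "userland-proxy": false,
  "default-ulimits": {
    "nofile": { "Name": "nofile", "Hard": 65536, "Soft": 32768 },
    "nproc": { "Name": "nproc", "Hard": 4096, "Soft": 2048 }
  },
  "experimental": false,
  "metrics-addr": "127.0.0.1:9323"
}
EOF
# Validate before touching /etc/docker; jq is already required by Phase 3
jq empty "$tmp_cfg" || { echo "daemon.json is not valid JSON" >&2; exit 1; }
sudo install -m 0644 -o root -g root "$tmp_cfg" /etc/docker/daemon.json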
Step 3 - Restart Docker Daemon
# Restart dockerd so the new daemon.json is read, then show its state
for action in restart status; do
  sudo systemctl "$action" docker
done
Step 4 - Verify Settings
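# Structured check first: these template fields do not depend on the wording
# of the human-readable listing. userns-remap is expected to show up as a
# userns entry in SecurityOptions.
docker info --format 'LiveRestore={{.LiveRestoreEnabled}} SecurityOptions={{json .SecurityOptions}}'
# Human-readable cross-check (grep exits 1 when none of the labels appear)
docker info | grep -E "(Remap|ICC|Live Restore|Security)"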
Phase 3: TLS Configuration
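# Generate certificates (see SKILL.md for full commands)
# Deploy to /etc/docker/tls/
# Add TLS to daemon.json
cfg=/etc/docker/daemon.json
tls_dir=/etc/docker/tls
# dockerd will not start if any referenced TLS file is missing, so refuse to
# rewrite the config until all three are in place.
for f in ca.pem server-cert.pem server-key.pem; do
  sudo test -r "$tls_dir/$f" || { echo "missing $tls_dir/$f" >&2; exit 1; }
done
# Merge into a temp file first: with "jq | tee" a jq failure leaves an empty
# daemon.json.new that the following mv would install as the live config.
tmp_cfg=$(mktemp) || exit 1
trap 'rm -f -- "$tmp_cfg"' EXIT
# NOTE: a "hosts" key in daemon.json conflicts with the "-H fd://" that
# systemd-packaged installs pass on the dockerd command line; drop that flag
# with a systemd override (ExecStart=) before restarting, or dockerd refuses
# to start. tcp://0.0.0.0:2376 listens on every interface; prefer the address
# of a dedicated management interface and restrict 2376 at the host firewall.
sudo jq '. + {
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/etc/docker/tls/ca.pem",
  "tlscert": "/etc/docker/tls/server-cert.pem",
  "tlskey": "/etc/docker/tls/server-key.pem",
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"]
}' "$cfg" >"$tmp_cfg" || { echo "jq failed; $cfg left untouched" >&2; exit 1; }
jq empty "$tmp_cfg" || { echo "merged config is not valid JSON" >&2; exit 1; }
sudo install -m 0644 -o root -g root "$tmp_cfg" "$cfg"
sudo systemctl restart docker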
Phase 4: Post-Hardening Validation
# Second Docker Bench run, saved alongside the baseline
bench_cmd=(
  run --rm --net host --pid host
  -v /var/run/docker.sock:/var/run/docker.sock
  -v /etc:/etc:ro
  docker/docker-bench-security
)
docker "${bench_cmd[@]}" 2>&1 | tee docker-bench-hardened.txt
# Show what changed between the two runs
diff docker-bench-baseline.txt docker-bench-hardened.txt
Phase 5: Ongoing Monitoring
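# Persist the audit rules: a bare `auditctl -w` only changes the running
# configuration and is lost at reboot. The daemon binary (dockerd) is watched
# in addition to the CLI, since that is what actually runs as root.
sudo tee /etc/audit/rules.d/docker.rules >/dev/null <<'EOF'
-w /var/run/docker.sock -k docker
-w /etc/docker -p wa -k docker-config
-w /usr/bin/docker -k docker-binary
-w /usr/bin/dockerd -k docker-binary
-w /var/lib/docker -k docker-data
EOF
# Merge rules.d into the live rule set
sudo augenrules --load
# Confirm the rules are active
sudo auditctl -l | grep -E 'docker'
# Monitor Docker metrics (served on the loopback address set by metrics-addr
# in daemon.json); -f turns an HTTP error into a non-zero exit
curl -sf --max-time 5 http://127.0.0.1:9323/metrics | head -20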