Erroneous message about Docker not being restricted #23

Open
fmarier opened this issue Dec 16, 2024 · 8 comments

Comments

@fmarier

fmarier commented Dec 16, 2024

I see the following on my machine:

✗ Access Security: Access to Docker is restricted > Access to Docker is not restricted

but as far as I know, only my own user (+ root I imagine) is allowed to use docker:

$ grep docker /etc/group
docker:x:138:francois

That's using the docker.io packages:

$ dpkg -l docker.io
ii  docker.io      24.0.7-0ubuntu2~22.04.1 amd64        Linux container runtime
@fmarier
Author

fmarier commented Dec 16, 2024

If I run the check manually, it does fail as expected:

$ sudo -u testuser docker run --rm hello-world
docker: permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/create": dial unix /var/run/docker.sock: connect: permission denied.
See 'docker run --help'.

@dz0ny
Member

dz0ny commented Dec 17, 2024

The idea with this check is to prevent hijacking developer machines with potential vulnerabilities or APT in distribution/packages/runtimes/containers, by limiting who can execute docker commands and how containers run.

For example:
User **francois** can run `docker run --privileged --mode host malware-image-with-apt` without any authentication.

This could be mitigated by running Docker containers via sudo mode when executing or running in rootless mode.

Couple of reasons for this check:

@dz0ny
Member

dz0ny commented Dec 30, 2024

Docker’s check now specifically recommends a rootless setup.

@fmarier
Author

fmarier commented Dec 31, 2024

Alright, I reinstalled docker on my machine by following these instructions and then enabled rootless mode.

It's still detected by paretosecurity check as non-restricted though:

$ paretosecurity version
  • 0.0.57@c8ecb634ea91e1290bf623e616840d800b001e8c 2024-12-24T14:07:52Z

$ paretosecurity check
  [...]
 ✗  Access Security: Access to Docker is restricted > Access to Docker is not restricted

$ sudo -u nobody docker run --rm hello-world
docker: Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?.
See 'docker run --help'.

$ sudo -u francois docker run --rm hello-world

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

Is this expected to work now?

@dz0ny
Member

dz0ny commented Jan 2, 2025

The updated commit was in main, but not released yet. The new release contains it https://github.com/ParetoSecurity/pareto-linux/releases/tag/0.0.58

@fmarier
Author

fmarier commented Jan 2, 2025

With 0.0.58, I see the expected result but the wrong error message if I run `paretosecurity check` as my normal user:

$ paretosecurity check
...
 ✓  Access Security: Docker is not running in rootless mode

and the check fails if I run it as root:

$ sudo paretosecurity check
...
 ✗  Access Security: Access to Docker is restricted > Docker is running in rootless mode

@dz0ny
Member

dz0ny commented Jan 9, 2025

Can you run `paretosecurity version` and paste the report?

@fmarier
Author

fmarier commented Jan 11, 2025

Here's the full log (IP/mac addresses pruned):

francois@gardur:~$ paretosecurity check
  • Starting checks...
 ✓  System Integrity: Critical kernel parameters are correct
 ✓  System Updates: All packages are up to date
 ✗  Firewall & Sharing: Remote login is disabled > Remote access services found running on ports: SSH(22)
 ✓  Access Security: Password after sleep or screensaver is on
 ✗  Access Security: SSH keys have sufficient algorithm strength > SSH key brave-sk is using weak encryption
 ✓  Access Security: SSH keys are password protected
 ✓  Access Security: SSH configuration is secure.
 ✓  Access Security: Automatic login is off
 ✗  System Updates: Pareto Security is up to date > Pareto Security is oudated
 WARNING  System Integrity: SecureBoot is enabled > skipped
 ✓  Firewall & Sharing: No file sharing services found running
 ✓  System Integrity: Block device encryption is enabled
 ✓  Firewall & Sharing: Sharing printers is off
 ✗  Firewall & Sharing: Firewall is on > 
 ✓  Access Security: Docker is running in rootless mode
  • Checks completed.
  • To ensure your system is checked every hour, please run `paretosecurity check --install` to set it up.

francois@gardur:~$ sudo paretosecurity check
  • Please run this command as a normal user, as it won't report all checks correctly.
  • Starting checks...
  • Failed to check firewalld status                 error=exit status 3 output=inactive

 ✓  System Integrity: Critical kernel parameters are correct
 ✓  System Updates: All packages are up to date
 ✗  Firewall & Sharing: Remote login is disabled > Remote access services found running on ports: SSH(22)
 ✗  Firewall & Sharing: Firewall is on > Firewall is off
▀  System Integrity: SecureBoot is enabled (0s)
 ✓  Firewall & Sharing: Sharing printers is off
 ✓  Firewall & Sharing: No file sharing services found running
 ✓  System Integrity: Block device encryption is enabled
 ✗  System Updates: Pareto Security is up to date > Pareto Security is oudated
 ✓  Access Security: Password after sleep or screensaver is on
 ✓  Access Security: Automatic login is off
 WARNING  Access Security: SSH keys have password protection > skipped
 ✗  Access Security: Access to Docker is restricted > Docker is not running in rootless mode
 WARNING  Access Security: SSH keys have sufficient algorithm strength > skipped
 ✓  Access Security: SSH configuration is secure.
  • Checks completed.
  • To link your account with the team, please run `paretosecurity link`.
  • For more information, please visit https://paretosecurity.com/dashboard
  • To ensure your system is checked every hour, please run `paretosecurity check --install` to set it up.

francois@gardur:~$ paretosecurity version
  • 0.0.67@755735ac99f8cf41915134f521221f3914f59c29 2025-01-09T16:36:58Z
  • Built with go1.23.4
  • Machine UUID: 074dda2d-bc2b-548f-baae-cf815db3ef6e
  • Name: gardur
  • OS Version: Pop!_OS 22.04 LTS
  • Model Name: Lemur Pro
  • Model Serial: Unknown
  • Host Info: {
  "architecture": "x86_64",
  "native_architecture": "x86_64",
  "boot_time": "2024-12-16T14:11:10-08:00",
  "containerized": false,
  "name": "gardur",
  "ip": [
    "127.0.0.1/8",
...
    "::1/128",
...
  ],
  "kernel_version": "6.9.3-76060903-generic",
  "mac": [
...
  ],
  "os": {
    "type": "linux",
    "family": "debian",
    "platform": "pop",
    "name": "Pop!_OS",
    "version": "22.04 LTS",
    "major": 22,
    "minor": 4,
    "patch": 0,
    "codename": "jammy"
  },
  "timezone": "PST",
  "timezone_offset_sec": -28800,
  "id": "2d2ead1f46b5a636c4119e2062e2e893"
}

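As an added illustration of the two points raised in this thread (dz0ny's rationale for the check, and the inverted result fmarier sees when the tool runs under sudo), here is a small model of an "Access to Docker is restricted" check. This is example code written for this discussion, not ParetoSecurity's implementation; it assumes the docker group is read from /etc/group-style text and rootless mode is detected from the `SecurityOptions` field of `docker info --format '{{json .}}'`, and all sample inputs are constructed.

```python
"""Model of a 'Docker access is restricted' check (added example, not
ParetoSecurity's own code).  Inputs are passed in as text so the logic
runs offline against constructed data."""
import json
import os


def docker_group_members(group_file_text: str) -> list[str]:
    """Members of the `docker` group from /etc/group-style text.
    Anyone listed here can talk to the rootful daemon socket, which is
    equivalent to root on the host (the risk dz0ny describes)."""
    for line in group_file_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == "docker":
            return [m for m in fields[3].split(",") if m]
    return []


def is_rootless(docker_info_json: str) -> bool:
    """True when the daemon the client reaches reports name=rootless."""
    info = json.loads(docker_info_json)
    return "name=rootless" in info.get("SecurityOptions", [])


def docker_access_check(group_file_text: str, docker_info_json: str, euid: int):
    """Return (passed, message).  passed is None when the check is skipped.

    Under sudo the client runs in root's environment and queries root's
    (rootful) daemon, so the answer says nothing about the normal user's
    rootless setup; that is the discrepancy seen in the thread, and the
    sane behaviour is to skip rather than report a failure."""
    if euid == 0:
        return None, "skipped: run as a normal user"
    if is_rootless(docker_info_json):
        return True, "Docker is running in rootless mode"
    members = docker_group_members(group_file_text)
    if members:
        return False, "Access to Docker is not restricted: docker group has " + ", ".join(members)
    return True, "Access to Docker is restricted"


# Constructed sample inputs mirroring the thread.
GROUP_FILE = "root:x:0:\ndocker:x:138:francois\nsudo:x:27:francois\n"
INFO_ROOTFUL = json.dumps({"SecurityOptions": ["name=apparmor", "name=seccomp,profile=builtin"]})
INFO_ROOTLESS = json.dumps({"SecurityOptions": ["name=seccomp,profile=builtin", "name=rootless", "name=cgroupns"]})

if __name__ == "__main__":
    for label, info, euid in [("rootful, user", INFO_ROOTFUL, 1000),
                              ("rootless, user", INFO_ROOTLESS, 1000),
                              ("rootless, sudo", INFO_ROOTLESS, 0)]:
        print(label, docker_access_check(GROUP_FILE, info, euid))
```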