Control Compliance Suite (CCS)
You want to know how CCS collects Docker configuration data from a Docker host and how it behaves when an assessment runs.
Docker version 1.11 on RHEL, CentOS and Ubuntu starting with the SCU 2016-2 release.
Docker Configuration Assessments using Control Compliance Suite
Symantec CCS supports assessments against Docker version 1.11 on RHEL, CentOS and Ubuntu starting with the SCU 2016-2 release.
Docker assessments are run against the underlying Linux host, which is represented as a UNIX asset within CCS. UNIX assets that run Docker have the appropriate asset property values set to indicate the Docker version on the host. This lets the CCS user interface filter to the set of technical standards (CIS and/or others) that can run on that UNIX host.
In that sense, Docker assessments are not very different from standard CCS UNIX host configuration assessments. CCS makes SSHv2 connections to the Docker host to run the assessments. CCS requires one credential for the connection and one for data collection; the same user credential can be used for both. CCS also supports certificate-based connections in place of password credentials.
Once connected to the UNIX asset, CCS runs Docker-specific commands to examine the Docker configuration. The specific commands used are listed below.
Docker daemon and container related information is collected using the following commands:
docker inspect <ContainerID>
docker exec <ContainerID> ps
All commands run on the Docker host only read configuration; none of them change Docker system configuration. The credential used for data collection must have the privileges required to run these Docker commands. Two practical points follow from that: an account that is allowed to run the docker CLI (typically through membership in the docker group) can control the daemon and is effectively root on the host, so the collection credential must be protected as a privileged account; and docker exec <ContainerID> ps runs ps inside each container, so it fails on minimal images that do not ship a ps binary.
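To make concrete what can be derived from the output of the read-only commands above, the following added example (not CCS's own collection or evaluation code) parses a docker inspect result and evaluates a few container-hardening checks of the kind found in the CIS Docker Benchmark (privileged mode, host namespaces, sensitive host directory mounts, root user, added capabilities). The inspect output it reads is a constructed sample trimmed to the fields the checks use; the check names, the sensitive-directory list and the helper functions are this example's own assumptions.

```python
"""Evaluate `docker inspect` output for a few container-hardening checks.

Added example, not CCS's own code. The checks are modelled on well-known
CIS Docker Benchmark container-runtime items; names and thresholds here are
assumptions made for illustration. SAMPLE_INSPECT is a constructed sample.
"""
import json
import subprocess
from typing import Dict, List

# The two read-only commands the article says are run per container;
# {container_id} is filled in for <ContainerID>.
READ_ONLY_COMMANDS = [
    ["docker", "inspect", "{container_id}"],
    ["docker", "exec", "{container_id}", "ps"],
]

# Host directories whose bind-mounting into a container is treated as a finding
# (list assumed here, modelled on the CIS "sensitive host system directories" item).
SENSITIVE_HOST_DIRS = ("/", "/boot", "/dev", "/etc", "/lib", "/proc", "/sys", "/usr")


def commands_for(container_id: str) -> List[List[str]]:
    """Expand the read-only command templates for one container ID."""
    return [[part.format(container_id=container_id) for part in cmd]
            for cmd in READ_ONLY_COMMANDS]


def run_read_only_commands(container_id: str) -> Dict[str, str]:
    """Run the two collection commands against a live container.

    Needs a local docker CLI and a credential allowed to use it; the sample
    evaluation below does not call this, so it is never exercised offline.
    """
    return {" ".join(cmd): subprocess.run(cmd, capture_output=True,
                                          text=True, check=True).stdout
            for cmd in commands_for(container_id)}


def is_sensitive(source: str) -> bool:
    """True if a bind-mount source is a sensitive host directory or lies under one."""
    if source == "/":
        return True
    return any(source == d or source.startswith(d + "/")
               for d in SENSITIVE_HOST_DIRS if d != "/")


def check_container(entry: dict) -> Dict[str, bool]:
    """Return {check_name: passed} for one element of `docker inspect` output."""
    host = entry.get("HostConfig", {})
    config = entry.get("Config", {})
    mounts = entry.get("Mounts", [])
    user = config.get("User") or ""
    return {
        "not_privileged": not host.get("Privileged", False),
        "no_host_network": host.get("NetworkMode") != "host",
        "no_host_pid": host.get("PidMode") != "host",
        "no_sensitive_host_mounts": not any(
            m.get("Type") == "bind" and is_sensitive(m.get("Source", ""))
            for m in mounts),
        # An empty User means the container's processes run as root.
        "non_root_user": user not in ("", "root", "0"),
        "no_added_caps": not host.get("CapAdd"),
    }


def evaluate(inspect_json: str) -> Dict[str, Dict[str, bool]]:
    """Evaluate every container in a `docker inspect` JSON array, keyed by name."""
    return {e["Name"].lstrip("/"): check_container(e) for e in json.loads(inspect_json)}


def failing_checks(inspect_json: str) -> Dict[str, List[str]]:
    """Names of the checks each container fails, sorted for stable reporting."""
    return {name: sorted(k for k, ok in results.items() if not ok)
            for name, results in evaluate(inspect_json).items()}


# Constructed sample: what `docker inspect` returns for two containers, trimmed
# to the fields the checks read. Not captured from a real host.
SAMPLE_INSPECT = json.dumps([
    {"Id": "a1b2", "Name": "/web", "Config": {"User": "app"},
     "HostConfig": {"Privileged": False, "NetworkMode": "bridge",
                    "PidMode": "", "CapAdd": None},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/w/_data",
                 "Destination": "/data"}]},
    {"Id": "c3d4", "Name": "/agent", "Config": {"User": ""},
     "HostConfig": {"Privileged": True, "NetworkMode": "host",
                    "PidMode": "host", "CapAdd": ["SYS_ADMIN"]},
     "Mounts": [{"Type": "bind", "Source": "/etc", "Destination": "/host-etc"}]},
])

if __name__ == "__main__":
    for name, failed in failing_checks(SAMPLE_INSPECT).items():
        print(f"{name}: {'OK' if not failed else 'FAIL ' + ', '.join(failed)}")
```

In the sample, the web container passes every check while the agent container fails all six; in practice the same evaluation would be run over the inspect output of each container ID returned by the host, which is exactly the per-container data the commands above collect.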
Regardless of the number of containers running on the host, the number of SSH connections is the same; CCS simply runs the Docker commands over that connection.
If SSH to the Docker host is not allowed, you can use agent-based scanning instead. In that case the CCS agent runs the Docker commands locally on the host.