Docker Connector

This topic describes how to onboard the Docker connector. Using the Docker connector enables you to view real-time compliant or non-compliant data, and to integrate compliance into your DevOps pipeline.

Onboarding the Docker connector includes the following steps:

  • Understanding the Docker connector
  • Completing prerequisites
  • Onboarding the Docker connector
  • Performing next steps

To access the latest information about this topic and all Cloud Security releases, check out the Release notes and notices.

Understanding the Docker connector

The Docker connector enables you to collect data from Docker Containers, Docker Hosts, and Docker Daemons, and to evaluate Docker content against the Center for Internet Security (CIS) Docker 1.12 Benchmark. This policy is based on the recommended Docker Host, Docker Container, and Docker Daemon settings defined by the CIS Docker 1.12.0 Benchmark Version 1.0.0, published on August 8th, 2016.

The connector also supports the CIS Docker 1.13.0 Benchmark Version 1.0.0, published on January 19th, 2017.

A Docker CIS policy is available as out-of-the-box content. Using this policy, you can evaluate Docker containers against CIS security benchmarks on an individual Docker host. This policy covers the security recommendations that you should follow to prepare the host or cluster on which you plan to execute containerized workloads.

License utilization

The following resources consume a product license:

  • Docker host
  • Docker container
  • Docker daemon

Completing prerequisites

Ensure that the computer on which the connector is downloaded meets the following prerequisites:

Single host deployment requirements:

    • The computer on which the connector is downloaded has Java OpenJDK 11.0.2 installed.
    • The supported Docker versions are Docker 1.12 and 1.13.
    • The OS on the Docker host must be Ubuntu 16, Red Hat Enterprise Linux 7, or CentOS 7.
    • sudo and the docker group must be configured for the user account under which the Docker connector runs.
    • The auditd service (the utility that controls the kernel's audit system) is installed and running on the Docker host.
    • SSH is installed and running on the Docker host.
    • The SSH port (default 22) is reachable inbound from the Docker connector.

Clustered (Kubernetes) deployment requirements:

    • This mode is deprecated; use the Kubernetes connector or the OpenShift connector for compliance on cluster deployments.

Docker connector requirements:

    • The SSH port (default 22) is configured for outbound access to the Docker hosts.
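As an added example (not the vendor's or this page's own script), the following POSIX shell preflight check covers the single-host prerequisites listed above: Docker 1.12 or 1.13, OpenJDK 11, docker group membership and non-interactive sudo for the connector user, and auditd and sshd running. The version strings and `id` output in the comments are constructed samples, and the script assumes systemd-managed services, which holds for the three listed OS versions.

```shell
#!/bin/sh
# Preflight check for a Docker connector target host (added example, not the
# vendor's script). Parsers take command output as an argument so they can be
# exercised offline; preflight() runs the live commands on the Docker host.
# The page lists Docker 1.12 and 1.13 as the supported versions.
docker_version_supported() {          # e.g. "Docker version 1.13.1, build 092cba3" (constructed)
  case "$1" in
    "Docker version 1.12."*|"Docker version 1.13."*) return 0 ;;
    *) return 1 ;;
  esac
}

# The machine running the connector needs Java OpenJDK 11.
java_is_11() {                        # first line of `java -version`, which is printed on stderr
  case "$1" in
    *'version "11.'*) return 0 ;;
    *) return 1 ;;
  esac
}

# The connector user must belong to the docker group; only the groups= part
# of `id` output is inspected, so a user merely *named* docker does not pass.
user_in_docker_group() {              # e.g. "uid=1000(ops) gid=1000(ops) groups=1000(ops),999(docker)" (constructed)
  case "${1#*groups=}" in
    *"(docker)"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Live checks: one line per check, non-zero return if anything fails.
preflight() {
  rc=0
  docker_version_supported "$(docker --version 2>/dev/null)" \
    && echo "ok   docker 1.12/1.13" || { echo "FAIL docker version"; rc=1; }
  java_is_11 "$(java -version 2>&1 | head -n 1)" \
    && echo "ok   OpenJDK 11" || { echo "FAIL java version"; rc=1; }
  user_in_docker_group "$(id)" \
    && echo "ok   docker group" || { echo "FAIL user not in docker group"; rc=1; }
  sudo -n true 2>/dev/null \
    && echo "ok   sudo" || { echo "FAIL non-interactive sudo"; rc=1; }
  systemctl is-active --quiet auditd \
    && echo "ok   auditd running" || { echo "FAIL auditd not running"; rc=1; }
  { systemctl is-active --quiet sshd || systemctl is-active --quiet ssh; } \
    && echo "ok   sshd running" || { echo "FAIL sshd not running"; rc=1; }
  return "$rc"
}

# Run the live checks only when invoked as: sh preflight.sh run
case "${1:-}" in run) preflight ;; esac
```

Run it on the Docker host as the account the connector will use, since the docker group and sudo checks are per user.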

Onboarding the Docker connector

  1. Log in to Cloud Security with your registered credentials.
  2. Select Configure icon > Connectors.
  3. Click Add Connector.
  4. Under Connector Type > On Premise Connectors (Installable), click Docker Connector and then click Continue.
  5. In the Name your connector field, specify a name for the Docker connector.
    This name must be unique and must not already exist.
    If the name is not already displayed on the Manage Connectors page, a green check mark and an "available" label appear next to the field.
  6. In the Mode menu, select the deployment type.
    • Single Host Deployment: checks compliance on a single Docker host.
    • Clustered (Kubernetes) Deployment: this mode is deprecated; use the Kubernetes connector or the OpenShift connector for compliance on cluster deployments.
  7. (For Single Host only) Enter the host credentials for the host to be evaluated:
    • Hostname. The name of the Docker host
    • Username. The username of the Docker host
    • Password. The password of the Docker host

  8. Select the method for triggering collection cycles from the Collection Mode menu:
    • On Demand: enables on-demand scanning.
    • Scheduled: select the interval in hours or minutes at which Docker resources are periodically collected and evaluated.

  9. Click Continue.

  10. If the download does not start automatically, click Download Connector setup and unzip the Docker Collector.zip file using any standard compression tool.
    The zip file has the name that you specified for the connector.
  11. Run chmod +x run.sh to grant execute permission on the run.sh file, then start the connector by running run.sh.

    Note
    The time to complete data collection depends on the number of targets in your environment. Leave the command window open and switch over to the UI.
  12. Click Continue.

  13. Clear the default compliance policies that you will not use to evaluate your Docker account.
    To update a policy that you have selected, if an update is available, click Update in the information banner to the right of the selected policy and then click Update Policy on the confirmation message that appears.
  14. Click Continue.

    The connector is now downloaded and available in Cloud Security, and the policies are evaluated on the schedule you have set.
    As soon as the connector begins sending data, it is shown in the green 'Running' state. It then collects the data and publishes it back to Cloud Security.

Performing next steps

To manage connector configuration and settings, see Managing connectors.

To assess the resources including why a rule failed, see Managing resources.


Comments

  1. Mark Mclaughlin

    The only mention of Java on this page states the computer must be running Java version 1.8 for Kubernetes.

    From the most recent update it needs to be Java version 11. This applies to not only Kubernetes but Docker too.

    Mar 15, 2019 12:02