
Docker (Engine)

Docker is a widely used containerization platform that allows you to build, run, and manage containers. It provides a simple and efficient way to package applications and their dependencies into portable containers.

How it works

The bifrost agent runs on Docker and audits and secures containers deployed directly on Docker Engine. It is deployed as a container on the same host so that the usual features work (reading Linux kernel audit events and loading/unloading security profiles). To detect containers as they are deployed, the agent also acts as a Docker API proxy and intercepts container create requests before they reach the daemon.

Prerequisites

  • Docker Engine installed on a host with AppArmor enabled (for example Ubuntu or Debian).
  • Access to the Docker API, either via the Unix socket (default) or a TCP socket.
  • An account in the bifrost portal and the AGENT_KEY of a cluster registered there.

Privileges for bifrost-agent

The agent needs a few extra capabilities (AUDIT_READ, NET_BROADCAST, MAC_ADMIN; the same set as when deployed on Kubernetes) and bind mounts of the host paths /var/run/docker.sock and /sys/kernel/security/apparmor into the container. Keep in mind that a container with the Docker socket mounted has full control of the Docker daemon, which is equivalent to root on the host, so run the agent only from an image you trust and do not grant it more than listed here.

Deployment

bifrost portal

  1. Create a new cluster in the bifrost portal.
  2. Register the new cluster in the portal.
  3. Copy the AGENT_KEY from the cluster details page.

Docker CLI

To deploy the bifrost agent using the Docker CLI, you can use the following command:

docker run -d --name bifrost-agent \
  -e SECURITY_FS_PATH=/host/sys/kernel/security \
  -e AGENT_KEY=$AGENT_KEY \
  --cap-add NET_BROADCAST \
  --cap-add AUDIT_READ \
  --cap-add MAC_ADMIN \
  -v /sys/kernel/security/apparmor:/host/sys/kernel/security/apparmor \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -p 2375:2375 \
  public.ecr.aws/bifrostsec/bifrost-agent:0.9.7

Docker Compose

To make it easier to deploy the bifrost agent, you can use Docker Compose.

docker-compose up -d

With the following docker-compose.yaml file:

name: bifrost-agent
services:
  bifrost-agent:
    image: public.ecr.aws/bifrostsec/bifrost-agent:0.9.7
    environment:
      - AGENT_KEY=$AGENT_KEY
      - SECURITY_FS_PATH=/host/sys/kernel/security
    cap_add:
      - NET_BROADCAST
      - AUDIT_READ
      - MAC_ADMIN
    volumes:
      - type: bind
        source: /sys/kernel/security/apparmor
        target: /host/sys/kernel/security/apparmor
      - type: bind
        source: /var/run/docker.sock
        target: /var/run/docker.sock
    ports:
      - "2375:2375"

Operation

Configure docker client

Set the environment variable DOCKER_HOST=tcp://localhost:2375 so that the Docker client sends its requests through the bifrost agent instead of straight to the daemon socket. The deployment examples above publish port 2375 with -p 2375:2375, which binds to every host interface, and they configure no TLS; unless remote clients need the proxy, publish it on loopback only with -p 127.0.0.1:2375:2375 (or "127.0.0.1:2375:2375" in the compose ports list).

Deploy container with labels

Deploy the container you want to audit, using labels to tell bifrost-agent how to handle it.

Example:

docker run \
  --label com.bifrostsec.environment.name=dev \
  --label com.bifrostsec.profile.mode=audit \
  --label com.bifrostsec.service.name=nginx \
  --label com.bifrostsec.service.version=1.27.4 \
  nginx:1.27.4

Deploy container without labels

Some defaults (environment name and profile mode) can be set or overridden through environment variables on bifrost-agent; these values then apply to every container deployed through the proxy. Setting these defaults and deploying containers with a name (--name) enables bifrost on any deployed container, because the service name is taken from the container name and the service version from the image tag.

Run bifrost-agent with these extra environment variables added to the docker run command (or to the compose environment list):

  -e ENVIRONMENT_NAME=dev \
  -e PROFILE_MODE=audit \

Deploy a named container with no labels:

docker run --name nginx nginx:1.27.4

Container labels

Container label                   Env var override    Default value
com.bifrostsec.environment.name   ENVIRONMENT_NAME    (none)
com.bifrostsec.profile.mode       PROFILE_MODE        audit
com.bifrostsec.service.name       (none)              from container name (if set during deploy)
com.bifrostsec.service.version    (none)              from container image tag
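To make the proxy behaviour described under "How it works" and the precedence in the table above concrete, here is an added example (it is not the bifrost-agent code): a minimal Docker API proxy that listens on loopback, forwards every request to /var/run/docker.sock, and on POST /containers/create resolves the four values label first, then environment variable, then default, exactly as the table lists them. Everything beyond that is an assumption made for the example: the function names (image_tag, resolve_policy, is_managed, apply_policy), the rule that a container is only "managed" once an environment name and a service name are known, that an untagged image resolves to Docker's implicit "latest" tag and a digest reference to its digest, and that the resolved values are written back into the request as labels so they show up in docker inspect.

```python
"""Label-resolving Docker API proxy (added example, not the bifrost-agent code).
Assumed, not from the page: the function names, the is_managed() rule, the handling
of untagged/digest image references, and writing resolved values back as labels."""
import http.client
import json
import os
import re
import socket
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlsplit

LABEL_PREFIX = "com.bifrostsec."
# POST /containers/create, with or without the API version prefix (e.g. /v1.47/...)
CREATE_RE = re.compile(r"^/(v[0-9.]+/)?containers/create$")
DOCKER_SOCK = "/var/run/docker.sock"
LISTEN = ("127.0.0.1", 2375)  # loopback only: whoever reaches this port controls the daemon


def image_tag(image):
    """Version derived from an image reference (the table's 'from container image tag').
    'nginx:1.27.4' -> '1.27.4'; 'registry:5000/ns/app' -> 'latest' (Docker's implicit tag);
    'app@sha256:...' -> the digest (assumption: an immutable pin is the best 'version')."""
    if "@" in image:
        return image.split("@", 1)[1]
    last = image.rsplit("/", 1)[-1]  # drop registry/namespace, which may carry ':port'
    return last.split(":", 1)[1] if ":" in last else "latest"


def resolve_policy(spec, container_name=None, env=None):
    """Apply the label -> env-var override -> default precedence from the table
    to one container-create request body (the JSON Docker's client POSTs)."""
    env = os.environ if env is None else env
    labels = spec.get("Labels") or {}  # Docker sends null when no labels were given
    label = lambda key: labels.get(LABEL_PREFIX + key)
    return {
        "environment.name": label("environment.name") or env.get("ENVIRONMENT_NAME"),
        "profile.mode": label("profile.mode") or env.get("PROFILE_MODE") or "audit",
        "service.name": label("service.name") or container_name,
        "service.version": label("service.version") or image_tag(spec.get("Image", "")),
    }


def is_managed(policy):
    """Assumption: audit only once an environment and a service name are known
    (the page says defaults plus a --name enable bifrost on any container)."""
    return bool(policy["environment.name"] and policy["service.name"])


def apply_policy(spec, policy):
    """Write the resolved values back as labels so `docker inspect` shows them."""
    resolved = {LABEL_PREFIX + k: v for k, v in policy.items() if v}
    spec["Labels"] = {**(spec.get("Labels") or {}), **resolved}
    return spec


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client over the Docker daemon's Unix socket."""

    def __init__(self, path):
        super().__init__("localhost")
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)


class ProxyHandler(BaseHTTPRequestHandler):
    """Forwards every request to the daemon; rewrites container-create bodies on the way."""

    def _forward(self, body):
        conn = UnixHTTPConnection(DOCKER_SOCK)
        headers = {k: v for k, v in self.headers.items()
                   if k.lower() not in ("host", "content-length", "transfer-encoding")}
        if body is not None:
            headers["Content-Length"] = str(len(body))
        conn.request(self.command, self.path, body=body, headers=headers)
        resp = conn.getresponse()
        data = resp.read()  # whole response buffered: streaming endpoints (attach, logs -f) not handled
        self.send_response(resp.status)
        for k, v in resp.getheaders():
            if k.lower() not in ("content-length", "transfer-encoding"):
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        url = urlsplit(self.path)
        if CREATE_RE.match(url.path) and body:
            spec = json.loads(body)
            name = parse_qs(url.query).get("name", [None])[0]  # `docker run --name` lands here
            policy = resolve_policy(spec, name)
            if is_managed(policy):
                body = json.dumps(apply_policy(spec, policy)).encode()
        self._forward(body)

    def do_GET(self):
        self._forward(None)

    do_DELETE = do_HEAD = do_PUT = do_GET


if __name__ == "__main__":
    ThreadingHTTPServer(LISTEN, ProxyHandler).serve_forever()
```

Run it on the Docker host as a user that can open the socket, then point a client at it with DOCKER_HOST=tcp://127.0.0.1:2375 and create a container with `docker run --name nginx nginx:1.27.4`; the create request arrives with `?name=nginx` and the image reference in the body, so resolve_policy() fills service.name and service.version without any labels, while ENVIRONMENT_NAME and PROFILE_MODE in the proxy's environment supply the rest. The sketch buffers whole responses, so attach, exec and follow-style log streams do not pass through it, and it adds no authentication of its own, which is why it binds to loopback.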