Harden your Docker hosts

Azure Security Center identifies unmanaged containers hosted on IaaS Linux VMs, or other Linux machines running Docker containers. Security Center continuously assesses the configurations of these containers. It then compares them with the Center for Internet Security (CIS) Docker Benchmark.

Security Center includes the entire ruleset of the CIS Docker Benchmark and alerts you if your containers don't satisfy any of the controls. When it finds misconfigurations, Security Center generates security recommendations. Use Security Center's recommendations page to view recommendations and remediate issues.

When vulnerabilities are found, they're grouped inside a single recommendation.

Note

These CIS benchmark checks will not run on AKS-managed instances or Databricks-managed VMs.

Availability

Aspect                          Details
Release state:                  General Availability (GA)
Pricing:                        Requires Azure Defender for servers
Required roles and permissions: Reader on the workspace to which the host connects
Clouds:                         Yes - China cloud

Identify and remediate security vulnerabilities in your Docker configuration

  1. From Security Center's menu, open the Recommendations page.

  2. Filter to the recommendation Vulnerabilities in container security configurations should be remediated and select the recommendation.

    The recommendation page shows the affected resources (Docker hosts).

    Recommendation to remediate vulnerabilities in container security configurations

  3. To view and remediate the CIS controls that a specific host failed, select the host you want to investigate.

    Tip

    If you started at the asset inventory page and reached this recommendation from there, select the Take action button on the recommendation page.

    The Take action button for launching Log Analytics

    Log Analytics opens with a custom operation ready to run. The default custom query includes a list of all failed rules that were assessed, along with guidelines to help you resolve the issues.

    Log Analytics page with the query showing all failed CIS controls

  4. Tweak the query parameters if necessary.

  5. When you're sure the command is appropriate and ready for your host, select Run.
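Several of the CIS Docker Benchmark controls that this recommendation reports on are daemon-level settings in /etc/docker/daemon.json. As an added example (not part of the Azure documentation or of Security Center), the following POSIX shell audit checks a few of those settings on a host and counts the failures; it assumes a flat daemon.json, uses rule wording paraphrased from the benchmark (control numbers differ across benchmark versions), and runs against a constructed sample config.

```shell
# Added example: minimal audit of daemon.json against a handful of daemon-level
# CIS Docker Benchmark settings. Assumes a flat JSON file, so grep is enough
# (no jq needed). Rule names are paraphrased from the benchmark.

# Return 0 if KEY is set to VALUE in FILE, 1 otherwise. Tolerates whitespace.
daemon_json_has() {
    file=$1; key=$2; value=$3
    grep -Eq "\"$key\"[[:space:]]*:[[:space:]]*$value" "$file"
}

# Print PASS/FAIL for each control, then the number of failed controls on the
# last line. Each rule is a "rule text|json key|required value" triple.
audit_daemon_json() {
    file=$1; failed=0
    while IFS='|' read -r rule key value; do
        if daemon_json_has "$file" "$key" "$value"; then
            printf 'PASS %s\n' "$rule"
        else
            printf 'FAIL %s (expected "%s": %s)\n' "$rule" "$key" "$value"
            failed=$((failed + 1))
        fi
    done <<EOF
Restrict network traffic between containers on the default bridge|icc|false
Enable user namespace support|userns-remap|"default"
Enable live restore|live-restore|true
Disable the userland proxy|userland-proxy|false
Restrict containers from acquiring new privileges|no-new-privileges|true
EOF
    printf '%s\n' "$failed"
}

# Wrapper that returns only the failed-control count (the audit's last line).
count_failed() { audit_daemon_json "$1" | tail -n 1; }

# Constructed sample daemon.json: two of the five settings are missing.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
{
  "icc": false,
  "live-restore": true,
  "no-new-privileges": true
}
EOF

audit_daemon_json "$SAMPLE"
```

On a real host, point audit_daemon_json at /etc/docker/daemon.json and compare the FAIL lines with the failed rules listed by the Log Analytics query.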

Next steps

Docker hardening is just one aspect of Security Center's container security features.

Learn more about container security in Security Center.