Cnitch – Checks Docker Engine Processes Running as Root

cnitch (snitch or container snitch) is a simple framework and command line tool for monitoring Docker containers to identify any processes which are running as root.

Running a processes and Docker as root may have a serious security issues. The process that runs inside the container as the root user is actually a process that runs as the root user on the host itself. This allows a malicious process to gain unrestricted access to the host itself.

Cnitch - Checks Docker Engine Processes Running as Root
Cnitch – Checks Docker Engine Processes Running as Root

cnitch connects to the Docker Engine using the API and queries the currently running containers, it then inspects the processes running inside this container and identifies any which are running as the root user.
When a root process is found this information is sent to the configurable reporting modules allowing you to audit or take action on this information.

At present cnitch has the capability of reporting to StatsD and StdOut. Reporting backends are extensible to make it easy to support any backend, for example it would be a fairly trivial process to build a backend to support log stash or another log file aggregation tool.

Whether you run cnitch in a Docker container or if you run it as a binary it needs access to the Docker api by setting the URL of the server or the path to the socket with the environment variable DOCKER_HOST

You can read more and download this tool over here:

Notify of
Inline Feedbacks
View all comments