The Docker Bench for Security - A script that checks for dozens of common best-practices around deploying Docker containers in production


The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are inspired by the CIS Docker Community Edition Benchmark v1.1.0. We are releasing this as a follow-up to our Understanding Docker Security and Best Practices blog post.
We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and docker containers against this benchmark.

Running Docker Bench for Security
We packaged docker bench as a small container for your convenience. Note that this container is being run with a lot of privilege -- sharing the host's filesystem, pid and network namespaces, due to portions of the benchmark applying to the running host. Together with the mounted Docker socket this gives the container root-equivalent control of the host, so only run an image you trust (the DOCKER_CONTENT_TRUST setting is passed through so that a signed image can be required). Don't forget to adjust the shared volumes according to your operating system, for example it might not use systemd.
The easiest way to run your hosts against the Docker Bench for Security is by running our pre-built container:
    docker run -it --net host --pid host --userns host --cap-add audit_control \
        -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
        -v /var/lib:/var/lib \
        -v /var/run/docker.sock:/var/run/docker.sock \
        -v /usr/lib/systemd:/usr/lib/systemd \
        -v /etc:/etc --label docker_bench_security \
        docker/docker-bench-security
Docker bench requires Docker 1.13.0 or later in order to run.
Note that when a distribution doesn't contain auditctl, the audit tests will check /etc/audit/audit.rules to see if a rule is present instead.
Distribution specific Dockerfiles that fix this issue are available in the distros directory.
The distribution specific Dockerfiles may also help if the distribution you're using hasn't yet shipped Docker version 1.13.0 or later.

Docker Bench for Security options
    -b           optional  Do not print colors
    -h           optional  Print this help message
    -l FILE      optional  Log output in FILE
    -c CHECK     optional  Comma delimited list of specific check(s)
    -e CHECK     optional  Comma delimited list of specific check(s) to exclude
    -i INCLUDE   optional  Comma delimited list of patterns within a container name to check
    -x EXCLUDE   optional  Comma delimited list of patterns within a container name to exclude from check
By default the Docker Bench for Security script will run all available CIS tests and produce logs in the current directory named docker-bench-security.sh.log.json and docker-bench-security.sh.log. The CIS based checks are named check_<section>_<number>, e.g. check_2_6, and community contributed checks are named check_c_<number>. A complete list of checks is present in functions_lib.sh.
sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -c check_2_2 will only run check 2.2 Ensure the logging level is set to 'info'.
sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -e check_2_2 will run all available checks except 2.2 Ensure the logging level is set to 'info'.
Note that when submitting checks, provide information why it is a reasonable test to add and please include some kind of official documentation verifying that information.
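The check naming convention above is what the -c and -e options take, and it is easy to get wrong when driving the script from CI (CIS ids use dots, the script uses underscores). The following POSIX sh helper is an added example, not code from the docker-bench-security project: it maps CIS ids such as 2.2 to check_2_2, validates them against the check_<section>_<number> / check_c_<number> convention, and assembles the -l/-c/-e argument string for one run. The "c.<number>" spelling for community checks and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of docker-bench-security): build the -l/-c/-e
# arguments for docker-bench-security.sh from CIS-style check ids.

# cis_to_check_name: "2.2" -> "check_2_2"; "c.3" -> "check_c_3" (assumed
# spelling for community checks). Names already in check_* form pass through.
cis_to_check_name() {
  case "$1" in
    check_*) printf '%s\n' "$1" ;;
    *) printf 'check_%s\n' "$(printf '%s' "$1" | tr '.' '_')" ;;
  esac
}

# valid_check_name: exit 0 if NAME matches check_<n>_<n> or check_c_<n>
valid_check_name() {
  printf '%s\n' "$1" | grep -Eq '^check_([0-9]+|c)_[0-9]+$'
}

# checks_csv: turn a space-separated list of ids into the comma-delimited
# list -c/-e expect; fail (exit 1) on any id that breaks the convention,
# so a typo cannot silently select zero checks.
checks_csv() {
  out=""
  for id in $1; do
    name=$(cis_to_check_name "$id")
    valid_check_name "$name" || { echo "bad check id: $id" >&2; return 1; }
    out="${out:+$out,}$name"
  done
  printf '%s\n' "$out"
}

# bench_args LOGFILE "INCLUDE IDS" "EXCLUDE IDS": print the argument string.
bench_args() {
  args="-l $1"
  if [ -n "$2" ]; then inc=$(checks_csv "$2") || return 1; args="$args -c $inc"; fi
  if [ -n "$3" ]; then exc=$(checks_csv "$3") || return 1; args="$args -e $exc"; fi
  printf '%s\n' "$args"
}

# Usage on a host that has the script checked out (not executed here):
#   sh docker-bench-security.sh $(bench_args /tmp/docker-bench-security.sh.log "2.2 2.6" "")
```

Because checks_csv refuses malformed ids, a wrapper that uses bench_args fails loudly instead of running an empty or wrong selection; that is the behaviour you want when the benchmark run is a gate in a pipeline.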

Building Docker Bench for Security
If you wish to build and run this container yourself, you can follow the following steps:
    git clone https://github.com/docker/docker-bench-security.git
    cd docker-bench-security
    docker build --no-cache -t docker-bench-security .
    docker run -it --net host --pid host --cap-add audit_control \
        -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
        -v /var/lib:/var/lib \
        -v /var/run/docker.sock:/var/run/docker.sock \
        -v /usr/lib/systemd:/usr/lib/systemd \
        -v /etc:/etc --label docker_bench_security \
        docker-bench-security
or use Docker Compose:
    git clone https://github.com/docker/docker-bench-security.git
    cd docker-bench-security
    docker-compose run --rm docker-bench-security
Also, this script can simply be run from your base host by running:
    git clone https://github.com/docker/docker-bench-security.git
    cd docker-bench-security
    sudo sh docker-bench-security.sh
This script was built to be POSIX 2004 compliant, so it should be portable across any Unix platform.