The Docker Bench for Security - A Script That Checks for Dozens of Common Best Practices Around Deploying Docker Containers in Production
The Docker Bench for Security is a script that checks for dozens of common best practices around deploying Docker containers in production. The tests are all automated, and are inspired by the CIS Docker Community Edition Benchmark v1.1.0. We are releasing this as a follow-up to our Understanding Docker Security and Best Practices blog post.
We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and docker containers against this benchmark.
Running Docker Bench for Security
We packaged docker bench as a small container for your convenience. Note that this container is being run with a lot of privilege -- sharing the host's filesystem, pid and network namespaces -- because portions of the benchmark apply to the running host. Don't forget to adjust the shared volumes according to your operating system; for example, it might not use systemd.
The easiest way to run your hosts against the Docker Bench for Security is by running our pre-built container:
docker run -it --net host --pid host --userns host --cap-add audit_control \
  -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
  -v /var/lib:/var/lib \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /usr/lib/systemd:/usr/lib/systemd \
  -v /etc:/etc --label docker_bench_security \
  docker/docker-bench-security
Note that when a distribution doesn't ship auditctl, the audit tests will check /etc/audit/audit.rules to see if a rule is present instead. Distribution-specific Dockerfiles that fix this issue are available in the distros directory.
The distribution-specific Dockerfiles may also help if the distribution you're using hasn't yet shipped Docker version 1.13.0 or later.
Docker Bench for Security options
  -b           optional  Do not print colors
  -h           optional  Print this help message
  -l FILE      optional  Log output in FILE
  -c CHECK     optional  Comma delimited list of specific check(s)
  -e CHECK     optional  Comma delimited list of specific check(s) to exclude
  -i INCLUDE   optional  Comma delimited list of patterns within a container name to check
  -x EXCLUDE   optional  Comma delimited list of patterns within a container name to exclude from check
By default the script logs to docker-bench-security.sh.log.json and docker-bench-security.sh.log. The CIS based checks are named check_<section>_<number>, e.g. check_2_6, and community contributed checks are named check_c_<number>. A complete list of checks is present in functions_lib.sh.

sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -c check_2_2

will only run check 2.2 Ensure the logging level is set to 'info'.

sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -e check_2_2

will run all available checks except 2.2 Ensure the logging level is set to 'info'.

Note that when submitting checks, provide information on why it is a reasonable test to add, and please include some kind of official documentation verifying that information.
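To make the check naming, the audit-rule fallback described under "Running Docker Bench for Security" and the -c / -e selection behaviour concrete, here is a miniature bench harness. It is an added illustration written for this page, not code from the docker-bench-security project: the rule file and daemon.json contents are constructed fixtures, the check number 1.5 is chosen for illustration rather than taken from the CIS benchmark, and the helper names (audit_rule_in_file, selected_checks, run_checks) are this example's own.

```shell
#!/bin/sh
# Added illustration, not code from the docker-bench-security project. It shows
# (1) the check_<section>_<number> naming, (2) an audit-rule check that falls
# back to reading audit.rules when auditctl is unavailable, and (3) -c / -e
# style include and exclude lists. File contents and paths are constructed.

WORK="${TMPDIR:-/tmp}/bench-example.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT
AUDIT_RULES="$WORK/audit.rules"     # stands in for /etc/audit/audit.rules
DAEMON_JSON="$WORK/daemon.json"     # stands in for /etc/docker/daemon.json
printf '%s\n' '-w /usr/bin/docker -k docker' '-w /var/lib/docker -k docker' > "$AUDIT_RULES"
printf '%s\n' '{ "log-level": "info", "icc": false }' > "$DAEMON_JSON"

pass() { printf 'PASS %s\n' "$*" >&2; }
warn() { printf 'WARN %s\n' "$*" >&2; }

# Fallback used when auditctl is missing: look for a watch rule on path $1 in file $2.
audit_rule_in_file() {
  grep -q -- "^-w $1 " "$2"
}

# Prefer the rules currently loaded (auditctl -l needs root); otherwise read the file.
audit_rule_present() {
  if command -v auditctl >/dev/null 2>&1 && loaded=$(auditctl -l 2>/dev/null); then
    printf '%s\n' "$loaded" | grep -q -- "$1"
  else
    audit_rule_in_file "$1" "$AUDIT_RULES"
  fi
}

# Print the "log-level" value from a daemon.json, or nothing when it is unset.
daemon_log_level() {
  sed -n 's/.*"log-level"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# CIS-style check (section/number chosen for illustration): audit rule on /usr/bin/docker.
check_1_5() {
  if audit_rule_present /usr/bin/docker; then
    pass "1.5 audit rule for /usr/bin/docker"
  else
    warn "1.5 no audit rule for /usr/bin/docker"; return 1
  fi
}

# Mirrors check 2.2 on the page: logging level must be 'info' (the daemon default when unset).
check_2_2() {
  level=$(daemon_log_level "$DAEMON_JSON")
  if [ -z "$level" ] || [ "$level" = "info" ]; then
    pass "2.2 logging level is info"
  else
    warn "2.2 logging level is '$level'"; return 1
  fi
}

# -c / -e emulation: print the names in comma-delimited include list $1 that do
# not appear in comma-delimited exclude list $2, one per line.
selected_checks() {
  for c in $(printf '%s' "$1" | tr ',' ' '); do
    case ",$2," in *",$c,"*) continue ;; esac
    printf '%s\n' "$c"
  done
}

# Run the selected checks; the return value is the number of warnings.
run_checks() {
  failures=0
  for c in $(selected_checks "$1" "$2"); do
    "$c" || failures=$((failures + 1))
  done
  return $failures
}

run_checks check_1_5,check_2_2 "" || echo "warnings: $?" >&2
```

The real script reads the host's own /etc/audit/audit.rules and the daemon configuration; here those are replaced by fixtures so the harness runs anywhere and removes them on exit.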
Building Docker Bench for Security
If you want to build and run this container yourself, you can follow the following steps:
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
docker build --no-cache -t docker-bench-security .
docker run -it --net host --pid host --cap-add audit_control \
  -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
  -v /var/lib:/var/lib \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /usr/lib/systemd:/usr/lib/systemd \
  -v /etc:/etc --label docker_bench_security \
  docker-bench-security
Alternatively, build and run the container with docker-compose:

git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
docker-compose run --rm docker-bench-security

Or run the script directly on the host:

git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
sudo sh docker-bench-security.sh