The Docker Bench For Security – A Script That Checks For Dozens Of Common Best-Practices Around Deploying Docker Containers In Production


The Docker Bench for Security is a script that checks for dozens of common best practices around deploying Docker containers in production. The checks are automated and follow the CIS Docker Benchmark. We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and Docker containers against this benchmark.


Running Docker Bench for Security
We packaged Docker Bench as a small container for your convenience. Note that this container runs with a lot of privilege: it shares the host's filesystem, PID and network namespaces, because parts of the benchmark apply to the running host. With the Docker socket and the host's /etc and /var/lib mounted read-write, the container is effectively root on the host, so only run an image you trust, either the official one or one you built yourself (see below). Don't forget to adjust the shared volumes to your operating system; for example, it may not use systemd.
The easiest way to run your hosts against the Docker Bench for Security is by running our pre-built container:

docker run -it --net host --pid host --userns host --cap-add audit_control \
    -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
    -v /var/lib:/var/lib \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v /usr/lib/systemd:/usr/lib/systemd \
    -v /etc:/etc --label docker_bench_security \
    docker/docker-bench-security

Docker Bench requires Docker 1.13.0 or later in order to run.
Note that when a distribution does not ship auditctl, the
audit checks will inspect /etc/audit/audit.rules to see whether a rule is present instead.
Distribution-specific Dockerfiles that fix this issue are available in the distros directory.
The distribution-specific Dockerfiles can also help if the distribution you are using has not yet shipped Docker version 1.13.0 or later.

Docker Bench for Security options

  -b           optional  Do not print colors
  -h           optional  Print this help message
  -l FILE      optional  Log output in FILE
  -c CHECK     optional  Comma delimited list of specific check(s)
  -e CHECK     optional  Comma delimited list of specific check(s) to exclude
  -i INCLUDE   optional  Comma delimited list of patterns within a container name to check
  -x EXCLUDE   optional  Comma delimited list of patterns within a container name to exclude from check

By default the Docker Bench for Security script will run all available CIS checks and produce logs in the current directory named docker-bench-security.sh.log.json and docker-bench-security.sh.log. The CIS-based checks are named check_<section>_<number>, e.g. check_2_6, and community-contributed checks are named check_c_<number>. A full list of checks is present in functions_lib.sh.
sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -c check_2_2 will only run check 2.2, "Ensure the logging level is set to 'info'".
sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -e check_2_2 will run all available checks except 2.2, "Ensure the logging level is set to 'info'".
Note that when submitting checks, provide information on why it is a reasonable check to add, and please include some form of official documentation supporting that information.
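The plain-text log written with -l is what a CI job or a cron run would act on. The following POSIX sh script is an added example and is not part of docker-bench-security: it summarizes the log per status, turns the failed check IDs into the check_<section>_<number> form that -c and -e expect, and returns a gate status a pipeline can fail on. The log line shape it parses ("[STATUS] <id>  - <title>") and the sample log embedded at the bottom are constructed for this example, so verify them against a real log before relying on the script.

```shell
#!/bin/sh
# Added example (not part of docker-bench-security): post-process the plain-text
# log that docker-bench-security.sh writes via -l FILE so a CI job can fail on
# WARN results and print the check IDs to re-run with -c / -e.
# Assumed log line shape (constructed; check it against a real log):
#   [WARN] 2.2  - Ensure the logging level is set to 'info'

# Count results per status: prints "PASS=<n> WARN=<n> INFO=<n> NOTE=<n>".
summarize_bench_log() {
    awk '
        /^\[PASS\]/ { pass++ }
        /^\[WARN\]/ { warn++ }
        /^\[INFO\]/ { info++ }
        /^\[NOTE\]/ { note++ }
        END { printf "PASS=%d WARN=%d INFO=%d NOTE=%d\n", pass, warn, info, note }
    ' "$1"
}

# Print the IDs of failed checks as a comma-separated check_<section>_<number>
# list, i.e. the form the -c and -e options expect (2.2 becomes check_2_2).
warn_checks() {
    awk '
        /^\[WARN\]/ {
            id = $2
            gsub(/\./, "_", id)
            ids = (ids == "" ? "" : ids ",") "check_" id
        }
        END { print ids }
    ' "$1"
}

# Gate: return 0 when the log has no WARN lines, 1 otherwise.
bench_gate() {
    [ "$(awk '/^\[WARN\]/ { n++ } END { print n+0 }' "$1")" -eq 0 ]
}

# Constructed sample log (not real tool output) so the functions run offline.
SAMPLE_LOG="${TMPDIR:-/tmp}/docker-bench-sample.$$.log"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[INFO] 1 - Host Configuration
[WARN] 1.1  - Ensure a separate partition for containers has been created
[PASS] 1.2  - Ensure the container host has been Hardened
[INFO] 2 - Docker daemon configuration
[WARN] 2.2  - Ensure the logging level is set to 'info'
[PASS] 2.3  - Ensure Docker is allowed to make changes to iptables
[NOTE] 2.8  - Enable user namespace support
EOF

summarize_bench_log "$SAMPLE_LOG"
# -> PASS=2 WARN=2 INFO=2 NOTE=1
echo "re-run only the failing checks with: sh docker-bench-security.sh -c $(warn_checks "$SAMPLE_LOG")"
if bench_gate "$SAMPLE_LOG"; then
    echo "gate: no WARN results"
else
    echo "gate: WARN results present"
fi
```

In a real pipeline, replace the constructed sample with the file passed to -l, and decide per environment which WARN results are accepted exceptions; those are the IDs to hand to -e on the next run rather than to silence in the parser.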

Building Docker Bench for Security
If you wish to build and run this container yourself, you can follow these steps:

git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
docker build --no-cache -t docker-bench-security .
docker run -it --net host --pid host --cap-add audit_control \
    -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
    -v /var/lib:/var/lib \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v /usr/lib/systemd:/usr/lib/systemd \
    -v /etc:/etc --label docker_bench_security \
    docker-bench-security

or use Docker Compose:

git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
docker-compose run --rm docker-bench-security

Also, this script can simply be run from your base host by running:

git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
sudo sh docker-bench-security.sh

This script was built to be POSIX 2004 compliant, so it should be portable across any Unix platform.
