2015-05-28 00:10:09 +02:00
# Docker Bench for Security
2015-05-11 06:08:28 +02:00
2021-03-11 12:12:05 +01:00
![Docker Bench for Security running ](img/benchmark_log.png )
2015-05-14 23:34:03 +02:00
2023-08-25 14:37:35 +02:00
The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are based on the [CIS Docker Benchmark v1.6.0 ](https://www.cisecurity.org/benchmark/docker/ ).
2021-03-16 09:13:31 +01:00
2023-06-03 00:16:31 +02:00
We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and Docker containers against this benchmark.
2015-05-11 06:08:28 +02:00
2023-03-06 13:11:02 +01:00
Release | CIS |
:---:|:---:|
2023-08-25 14:37:35 +02:00
1.6.0|1.6.0|
2023-03-06 13:11:02 +01:00
1.5.0|1.5.0|
1.3.6|1.4.0|
1.3.5|1.2.0|
1.3.3|1.1.0|
1.3.0|1.13.0|
2015-05-28 00:10:09 +02:00
## Running Docker Bench for Security
2015-05-11 06:08:28 +02:00
2021-03-16 09:13:31 +01:00
### Run from your base host
You can simply run this script from your base host by running:
```sh
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
sudo sh docker-bench-security.sh
```
2023-06-02 15:18:42 +02:00
> Note: [`jq`](https://jqlang.github.io/jq/) is an optional but recommended dependency.
2021-03-16 09:13:31 +01:00
### Run with Docker
2023-06-03 00:16:31 +02:00
#### Building Docker image
You have two options if you wish to build and run this container yourself:
1. Use Docker Build:
```sh
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
docker build --no-cache -t docker-bench-security .
```
2023-10-06 07:51:33 +02:00
Followed by an appropriate `docker run` command as stated below.
2023-06-03 00:16:31 +02:00
2. Use Docker Compose:
```sh
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
docker-compose run --rm docker-bench-security
```
2022-01-06 21:32:59 +01:00
_Please note that the `docker/docker-bench-security` image is out-of-date and and a manual build is required. See [#405 ](https://github.com/docker/docker-bench-security/issues/405 ) for more information._
2023-06-03 00:16:31 +02:00
Note that this container is being run with a *lot* of privilege -- sharing the host's filesystem, pid and network namespaces, due to portions of the benchmark applying to the running host.
2015-05-11 06:08:28 +02:00
2023-06-03 00:16:31 +02:00
### Using the container
2015-05-11 06:08:28 +02:00
2015-06-14 23:03:11 +02:00
```sh
2020-11-17 22:49:07 +01:00
docker run --rm --net host --pid host --userns host --cap-add audit_control \
2017-01-20 12:16:50 +01:00
-e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
2019-08-29 15:11:10 +02:00
-v /etc:/etc:ro \
2020-04-16 17:17:51 +02:00
-v /usr/bin/containerd:/usr/bin/containerd:ro \
-v /usr/bin/runc:/usr/bin/runc:ro \
2019-08-29 15:11:10 +02:00
-v /usr/lib/systemd:/usr/lib/systemd:ro \
-v /var/lib:/var/lib:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
2019-04-10 13:15:33 +02:00
--label docker_bench_security \
2023-06-03 00:16:31 +02:00
docker-bench-security
2015-05-11 06:08:28 +02:00
```
2020-04-16 17:17:51 +02:00
Don't forget to adjust the shared volumes according to your operating system.
Some examples are:
2021-03-16 09:13:31 +01:00
1. On Ubuntu the `docker.service` and `docker.secret` files are located in
`/lib/systemd/system` folder by default.
2020-04-01 13:19:55 +02:00
```sh
2020-11-17 22:49:07 +01:00
docker run --rm --net host --pid host --userns host --cap-add audit_control \
2020-04-01 13:19:55 +02:00
-e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
2021-03-16 09:13:31 +01:00
-v /etc:/etc:ro \
-v /lib/systemd/system:/lib/systemd/system:ro \
-v /usr/bin/containerd:/usr/bin/containerd:ro \
-v /usr/bin/runc:/usr/bin/runc:ro \
-v /usr/lib/systemd:/usr/lib/systemd:ro \
2020-04-01 13:19:55 +02:00
-v /var/lib:/var/lib:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
--label docker_bench_security \
2023-06-03 00:16:31 +02:00
docker-bench-security
2020-04-01 13:19:55 +02:00
```
2021-10-01 17:39:17 +02:00
2. The /etc/hostname file is missing on macOS, so it will need to be created first. Also, `Docker Desktop` on macOS doesn't have `/usr/lib/systemd` or the above Docker
2021-03-16 09:13:31 +01:00
binaries.
2020-04-10 15:27:32 +02:00
```sh
2021-10-01 17:39:17 +02:00
sudo touch /etc/hostname
2020-11-17 22:49:07 +01:00
docker run --rm --net host --pid host --userns host --cap-add audit_control \
2020-04-10 15:27:32 +02:00
-e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
2021-03-16 09:13:31 +01:00
-v /etc:/etc \
2020-04-10 15:27:32 +02:00
-v /var/lib:/var/lib:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
--label docker_bench_security \
2023-06-03 00:16:31 +02:00
docker-bench-security
2020-04-10 15:27:32 +02:00
```
2021-03-16 09:13:31 +01:00
### Note
2015-05-15 05:33:02 +02:00
2021-03-16 09:13:31 +01:00
Docker bench requires Docker 1.13.0 or later in order to run.
2015-05-15 00:51:55 +02:00
2021-03-16 09:13:31 +01:00
Note that when distributions don't contain `auditctl` , the audit tests will check `/etc/audit/audit.rules` to see if a rule is present instead.
2018-01-16 13:45:06 +01:00
### Docker Bench for Security options
```sh
2018-10-25 11:39:35 +02:00
-b optional Do not print colors
2018-01-16 13:45:06 +01:00
-h optional Print this help message
2021-02-23 18:25:12 +01:00
-l FILE optional Log output in FILE, inside container if run using docker
2021-03-16 09:13:31 +01:00
-u USERS optional Comma delimited list of trusted docker user(s)
-c CHECK optional Comma delimited list of specific check(s) id
-e CHECK optional Comma delimited list of specific check(s) id to exclude
2019-07-30 12:38:38 +02:00
-i INCLUDE optional Comma delimited list of patterns within a container or image name to check
-x EXCLUDE optional Comma delimited list of patterns within a container or image name to exclude from check
2023-07-26 18:47:50 +02:00
-t LABEL optional Comma delimited list of labels within a container or image to check
2021-03-10 09:01:18 +01:00
-n LIMIT optional In JSON output, when reporting lists of items (containers, images, etc.), limit the number of reported items to LIMIT. Default 0 (no limit).
2021-03-16 09:13:31 +01:00
-p PRINT optional Disable the printing of remediation measures. Default: print remediation measures.
2018-01-16 13:45:06 +01:00
```
2021-05-25 20:43:33 +02:00
By default the Docker Bench for Security script will run all available CIS tests and produce
2021-09-30 15:02:41 +02:00
logs in the log folder from current directory, named `docker-bench-security.log.json` and
`docker-bench-security.log` .
2021-02-23 18:25:12 +01:00
2021-03-16 09:13:31 +01:00
If the docker container is used then the log files will be created inside the container in location `/usr/local/bin/log/` . If you wish to access them from the host after the container has been run you will need to mount a volume for storing them in.
2021-02-23 18:25:12 +01:00
2021-05-25 20:43:33 +02:00
The CIS based checks are named `check_<section>_<number>` , e.g. `check_2_6` and community contributed checks are named `check_c_<number>` .
2018-01-16 13:45:06 +01:00
2021-03-16 09:13:31 +01:00
`sh docker-bench-security.sh -c check_2_2` will only run check `2.2 Ensure the logging level is set to 'info'` .
2018-10-23 12:16:55 +02:00
2021-03-16 09:13:31 +01:00
`sh docker-bench-security.sh -e check_2_2` will run all available checks except `2.2 Ensure the logging level is set to 'info'` .
2016-05-15 17:30:51 +02:00
2021-03-16 09:13:31 +01:00
`sh docker-bench-security.sh -e docker_enterprise_configuration` will run all available checks except the docker_enterprise_configuration group
2019-12-09 15:19:17 +01:00
2023-06-03 00:16:31 +02:00
`sh docker-bench-security.sh -e docker_enterprise_configuration,check_2_2` will run all available checks except the docker_enterprise_configuration group and `2.2 Ensure the logging level is set to 'info'`
2019-12-09 15:19:17 +01:00
2021-09-28 23:51:40 +02:00
`sh docker-bench-security.sh -c container_images,container_runtime` will run just the container_images and container_runtime checks
2021-03-16 09:13:31 +01:00
`sh docker-bench-security.sh -c container_images -e check_4_5` will run just the container_images checks except `4.5 Ensure Content trust for Docker is Enabled`
2019-12-05 16:21:46 +01:00
2021-03-16 09:13:31 +01:00
Note that when submitting checks, provide information why it is a reasonable test to add and please include some kind of official documentation verifying that information.