# Docker Bench for Security

![Docker Bench for Security running](https://raw.githubusercontent.com/docker/docker-bench-security/master/benchmark_log.png)

The Docker Bench for Security is a script that checks for dozens of common
best-practices around deploying Docker containers in production. The tests are
all automated, and are inspired by the [CIS Docker Benchmark v1.2.0](https://www.cisecurity.org/benchmark/docker/).

We are making this available as an open-source utility so the Docker community
can have an easy way to self-assess their hosts and docker containers against
this benchmark.

## Running Docker Bench for Security

We packaged docker bench as a small container for your convenience. Note that
this container is being run with a *lot* of privilege -- sharing the host's
filesystem, pid and network namespaces, due to portions of the benchmark
applying to the running host.

The easiest way to run your hosts against the Docker Bench for Security is by
running our pre-built container:

```sh
docker run --rm --net host --pid host --userns host --cap-add audit_control \
    -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
    -v /etc:/etc:ro \
    -v /usr/bin/containerd:/usr/bin/containerd:ro \
    -v /usr/bin/runc:/usr/bin/runc:ro \
    -v /usr/lib/systemd:/usr/lib/systemd:ro \
    -v /var/lib:/var/lib:ro \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    --label docker_bench_security \
    docker/docker-bench-security
```

Don't forget to adjust the shared volumes according to your operating system.
Some examples are:

1. `Docker Desktop` on macOS doesn't have `/usr/lib/systemd` or the above Docker
   binaries.

   ```sh
   docker run --rm --net host --pid host --userns host --cap-add audit_control \
       -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
       -v /etc:/etc \
       -v /var/lib:/var/lib:ro \
       -v /var/run/docker.sock:/var/run/docker.sock:ro \
       --label docker_bench_security \
       docker/docker-bench-security
   ```

2. On Ubuntu the `docker.service` and `docker.socket` files are located in the
   `/lib/systemd/system` folder by default.

   ```sh
   docker run --rm --net host --pid host --userns host --cap-add audit_control \
       -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
       -v /etc:/etc:ro \
       -v /lib/systemd/system:/lib/systemd/system:ro \
       -v /usr/bin/containerd:/usr/bin/containerd:ro \
       -v /usr/bin/runc:/usr/bin/runc:ro \
       -v /usr/lib/systemd:/usr/lib/systemd:ro \
       -v /var/lib:/var/lib:ro \
       -v /var/run/docker.sock:/var/run/docker.sock:ro \
       --label docker_bench_security \
       docker/docker-bench-security
   ```
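The `docker run` examples above differ only in which host paths are shared into the container. As an added example that is not part of the docker-bench-security project, the POSIX shell script below builds the volume list from the paths that actually exist on the host and prints the resulting command instead of copying one of the fixed lists; the function names `bench_volume_args` and `bench_run_command` and the variable `BENCH_CANDIDATE_PATHS` are this example's own.

```shell
#!/bin/sh
# Added example (not part of the docker-bench-security project): build the
# docker run command for the benchmark container from the host paths that
# actually exist, so the volume list matches the operating system instead of
# being copied from one of the README examples. Function and variable names
# are this example's own.

# Host paths the README examples share into the container, read-only.
# /lib/systemd/system is where Ubuntu keeps docker.service by default;
# the others match the generic Linux example.
BENCH_CANDIDATE_PATHS="/etc /lib/systemd/system /usr/bin/containerd /usr/bin/runc /usr/lib/systemd /var/lib /var/run/docker.sock"

# bench_volume_args ROOT PATH...
# Prints a " -v PATH:PATH:ro" flag for every PATH that exists under ROOT.
# ROOT is "/" on a real host; the test passes a temporary directory instead.
bench_volume_args() {
    root=$1
    shift
    for p in "$@"; do
        if [ -e "${root%/}$p" ]; then
            printf ' -v %s:%s:ro' "$p" "$p"
        fi
    done
}

# bench_run_command ROOT
# Prints the full docker run line for this host on one line. It is printed,
# not executed, so it can be reviewed before being piped into sh.
bench_run_command() {
    root=$1
    # Word-splitting of the path list is intended here.
    vols=$(bench_volume_args "$root" $BENCH_CANDIDATE_PATHS)
    printf 'docker run --rm --net host --pid host --userns host --cap-add audit_control'
    printf ' -e DOCKER_CONTENT_TRUST=%s' "${DOCKER_CONTENT_TRUST:-}"
    printf '%s' "$vols"
    printf ' --label docker_bench_security docker/docker-bench-security\n'
}

# Usage: print the command for the current host; "bench_run_command / | sh"
# would run it.
bench_run_command /
```

Every path is mounted read-only here, including `/etc`, which the macOS example above mounts read-write; keep that difference in mind if a check on your platform needs write access. Socket files such as `/var/run/docker.sock` pass the `-e` test, so the Docker socket is included whenever it exists.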
Docker bench requires Docker 1.13.0 or later in order to run.

Note that when distributions don't contain `auditctl`, the audit tests will
check `/etc/audit/audit.rules` to see if a rule is present instead.

Distribution specific Dockerfiles that fix these issues are available in the
[distros directory](https://github.com/docker/docker-bench-security/tree/master/distros).

The [distribution specific Dockerfiles](https://github.com/docker/docker-bench-security/tree/master/distros)
may also help if the distribution you're using hasn't yet shipped Docker
version 1.13.0 or later.

### Docker Bench for Security options

```sh
  -b           optional  Do not print colors
  -h           optional  Print this help message
  -l FILE      optional  Log output in FILE
  -c CHECK     optional  Comma delimited list of specific check(s)
  -e CHECK     optional  Comma delimited list of specific check(s) to exclude
  -i INCLUDE   optional  Comma delimited list of patterns within a container or image name to check
  -x EXCLUDE   optional  Comma delimited list of patterns within a container or image name to exclude from check
```

By default the Docker Bench for Security script will run all available CIS tests
and produce logs in the current directory named `docker-bench-security.sh.log.json`
and `docker-bench-security.sh.log`.

The CIS based checks are named `check_<section>_<number>`, e.g. `check_2_6`,
and community contributed checks are named `check_c_<number>`.
A complete list of checks is present in [functions_lib.sh](functions_lib.sh).

`sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -c check_2_2`
will only run check `2.2 Ensure the logging level is set to 'info'`.

`sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -e check_2_2`
will run all available checks except `2.2 Ensure the logging level is set to 'info'`.

`sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -e docker_enterprise_configuration`
will run all available checks except the docker_enterprise_configuration group.

`sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -e docker_enterprise_configuration,check_2_2`
will run all available checks except the docker_enterprise_configuration group
and `2.2 Ensure the logging level is set to 'info'`.

`sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -c container_images -e check_4_5`
will run just the container_images checks except
`4.5 Ensure Content trust for Docker is Enabled`.
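Once a run has been narrowed with `-c` and `-e`, the remaining question is what to do with the log. As an added example that is not part of the project, the shell functions below read the plain-text log that `-l FILE` writes and fail a CI job when a `[WARN]` result is not on an accepted list of check ids. The `[WARN] <id>  - <description>` line format, the constructed sample log and the names `bench_warn_ids` and `bench_gate` are this example's assumptions; adjust the pattern if your version of the script logs differently.

```shell
#!/bin/sh
# Added example (not part of the docker-bench-security project): turn the
# plain-text log written by "-l FILE" into a pass/fail signal for a CI job,
# with an allowlist of check ids whose warnings are accepted findings.
# The "[WARN] 2.2  - description" line format is an assumption about the
# script's output, not taken from the project's documentation.

# bench_warn_ids LOGFILE
# Prints one check id per line for every "[WARN]" line in the log.
bench_warn_ids() {
    sed -n 's/^\[WARN\] \([0-9][0-9.]*\)[[:space:]].*/\1/p' "$1"
}

# bench_gate LOGFILE [ACCEPTED_IDS]
# ACCEPTED_IDS is a space-separated list of check ids (e.g. "1.1 4.5") whose
# warnings are tolerated. Prints every other warned id and returns 1 if any
# remain, 0 otherwise.
bench_gate() {
    log=$1
    accepted=" ${2:-} "
    status=0
    for id in $(bench_warn_ids "$log"); do
        case "$accepted" in
            *" $id "*) ;;                                  # accepted finding
            *) printf 'unaccepted WARN: %s\n' "$id"; status=1 ;;
        esac
    done
    return $status
}

# Constructed sample log, standing in for docker-bench-security.sh.log.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[INFO] 1 - Host Configuration
[WARN] 1.1  - Ensure a separate partition for containers has been created
[PASS] 1.2  - Ensure the container host has been Hardened
[INFO] 2 - Docker daemon configuration
[WARN] 2.2  - Ensure the logging level is set to 'info'
[PASS] 2.3  - Ensure Docker is allowed to make changes to iptables
[INFO] 4 - Container Images and Build File
[WARN] 4.5  - Ensure Content trust for Docker is Enabled
EOF

# Usage: fail the pipeline unless every WARN is on the accepted list, e.g.
#   bench_gate docker-bench-security.sh.log "1.1 4.5"
# With the sample log and that list, 2.2 is reported and the call returns 1.
bench_gate "$SAMPLE_LOG" "1.1 4.5" || echo "gate failed as expected for 2.2"
```

The accepted list is the place to record findings that have been reviewed and deliberately left open; everything else fails the job, so a new warning in a later run cannot pass unnoticed. Because the gate keys on check ids rather than descriptions, it keeps working when the description text changes between benchmark versions.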
Note that when submitting checks, provide information why it is a
reasonable test to add and please include some kind of official documentation
verifying that information.

## Building Docker Bench for Security

If you wish to build and run this container yourself, you can follow these
steps:

```sh
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
docker build --no-cache -t docker-bench-security .
```

followed by an appropriate `docker run` command as stated above,
or use [Docker Compose](https://docs.docker.com/compose/):

```sh
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
docker-compose run --rm docker-bench-security
```

This script can also be run directly from your base host:

```sh
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
sudo sh docker-bench-security.sh
```

This script was built to be POSIX 2004 compliant, so it should be portable
across any Unix platform.