GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2024-11-01 08:31:44 +01:00
Code Issues Projects Releases Packages Wiki Activity
docker-bench-security/README.md

54 lines
2.8 KiB
Markdown
Raw Normal View History

Updating Readme
2015-05-28 00:10:09 +02:00
# Docker Bench for Security
First version of the CIS Docker Benchmark v1.0.0
2015-05-11 06:08:28 +02:00
Update README.md
2015-05-28 00:26:23 +02:00
![Docker Bench for Security running](https://github.com/diogomonica/docker-bench-security/raw/master/benchmark_log.png?raw=true "Docker Bench for Security running")
Adding screenshot to readme
2015-05-14 23:34:03 +02:00
Update README
2015-06-28 20:00:37 +02:00
The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are inspired by the [CIS Docker 1.6 Benchmark](https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf). We are releasing this as a follow-up to our [Understanding Docker Security and Best Practices](https://blog.docker.com/2015/05/understanding-docker-security-and-best-practices/) blog post.
First version of the CIS Docker Benchmark v1.0.0
2015-05-11 06:08:28 +02:00
We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and docker containers against this benchmark.
Updating Readme
2015-05-28 00:10:09 +02:00
## Running Docker Bench for Security
First version of the CIS Docker Benchmark v1.0.0
2015-05-11 06:08:28 +02:00
Rename to docker-bench
2015-05-26 05:18:22 +02:00
We packaged docker bench as a small container for your convenience. Note that this container is being run with a *lot* of privilege -- sharing the host's filesystem, pid and network namespaces, due to portions of the benchmark applying to the running host.
First version of the CIS Docker Benchmark v1.0.0
2015-05-11 06:08:28 +02:00
Update README
2015-06-28 20:00:37 +02:00
The easiest way to run your hosts against the Docker Bench for Security is by running our pre-built container:
First version of the CIS Docker Benchmark v1.0.0
2015-05-11 06:08:28 +02:00
New README Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-14 23:03:11 +02:00
```sh
add cap_audit_control for auditctl to work Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-15 22:15:24 +02:00
docker run -it --net host --pid host --cap-add audit_control \
-v /var/lib:/var/lib \
New README Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-14 23:03:11 +02:00
-v /var/run/docker.sock:/var/run/docker.sock \
-v /usr/lib/systemd:/usr/lib/systemd \
-v /etc:/etc --label docker-bench-security \
Fixed Examples
2015-06-17 02:21:54 +02:00
diogomonica/docker-bench-security
First version of the CIS Docker Benchmark v1.0.0
2015-05-11 06:08:28 +02:00
```
Small tweaks to README
2015-05-28 00:24:26 +02:00
Docker bench requires Docker 1.6.2 or later in order to run, since it depends on the `--label` to exclude the current container from being inspected. If you can't upgrade to 1.6.2, I feel free to remove the `--label` flag or run the shell script locally (see below).
Update README
2015-05-15 05:33:02 +02:00
Additionally, there was a bug in Docker 1.6.0 that would not allow mounting `-v /dev:/dev`. If you are getting an error while accessing `resolv.conf`, please update your docker to 1.6.2.
Changed README with Docker 1.6 requirement.
2015-05-15 00:51:55 +02:00
Updating Readme
2015-05-28 00:10:09 +02:00
## Building Docker Bench for Security
First version of the CIS Docker Benchmark v1.0.0
2015-05-11 06:08:28 +02:00
If you wish to build and run this container yourself, you can follow the following steps:
New README Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-14 23:03:11 +02:00
```sh
add cap_audit_control for auditctl to work Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-15 22:15:24 +02:00
git clone https://github.com/docker/docker-bench-security.git
New README Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-14 23:03:11 +02:00
cd docker-bench-security
docker build -t docker-bench-security .
add cap_audit_control for auditctl to work Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-15 22:15:24 +02:00
docker run -it --net host --pid host --cap-add audit_control \
-v /var/lib:/var/lib \
New README Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-14 23:03:11 +02:00
-v /var/run/docker.sock:/var/run/docker.sock \
-v /usr/lib/systemd:/usr/lib/systemd \
consistent labeling Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-19 23:31:44 +02:00
-v /etc:/etc --label docker-bench-security \
Fixing local running of container in README
2015-06-17 20:25:52 +02:00
docker-bench-security
First version of the CIS Docker Benchmark v1.0.0
2015-05-11 06:08:28 +02:00
```
Also, this script can also be simply run from your base host by running:
New README Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-14 23:03:11 +02:00
```sh
change to docker repository Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-14 23:54:15 +02:00
git clone https://github.com/docker/docker-bench-security.git
New README Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-14 23:03:11 +02:00
cd docker-bench-security
sh docker-bench-security.sh
First version of the CIS Docker Benchmark v1.0.0
2015-05-11 06:08:28 +02:00
```
This script was build to be POSIX 2004 compliant, so it should be portable across any Unix platform.
Reference in a new issue Copy permalink