2015-05-28 00:10:09 +02:00
# Docker Bench for Security
2015-05-11 06:08:28 +02:00
2016-04-21 20:33:32 +02:00
2015-05-14 23:34:03 +02:00
2017-01-20 12:25:56 +01:00
The Docker Bench for Security is a script that checks for dozens of common
best-practices around deploying Docker containers in production. The tests are
2017-07-07 10:22:27 +02:00
all automated, and are inspired by the [CIS Docker Community Edition Benchmark v1.1.0 ](https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_Community_Edition_Benchmark_v1.1.0.pdf ).
2017-01-20 12:25:56 +01:00
We are releasing this as a follow-up to our [Understanding Docker Security and Best Practices ](https://blog.docker.com/2015/05/understanding-docker-security-and-best-practices/ )
blog post.
2015-05-11 06:08:28 +02:00
2017-01-20 12:25:56 +01:00
We are making this available as an open-source utility so the Docker community
can have an easy way to self-assess their hosts and docker containers against
this benchmark.
2015-05-11 06:08:28 +02:00
2015-05-28 00:10:09 +02:00
## Running Docker Bench for Security
2015-05-11 06:08:28 +02:00
2017-01-20 12:25:56 +01:00
We packaged docker bench as a small container for your convenience. Note that
this container is being run with a *lot* of privilege -- sharing the host's
filesystem, pid and network namespaces, due to portions of the benchmark
applying to the running host. Don't forget to adjust the shared volumes
2017-03-13 12:13:24 +01:00
according to your operating system, for example it might not use systemd.
2015-05-11 06:08:28 +02:00
2017-01-20 12:25:56 +01:00
The easiest way to run your hosts against the Docker Bench for Security is by
running our pre-built container:
2015-05-11 06:08:28 +02:00
2015-06-14 23:03:11 +02:00
```sh
2017-11-20 15:06:30 +01:00
docker run -it --net host --pid host --userns host --cap-add audit_control \
2017-01-20 12:16:50 +01:00
-e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
2015-06-15 22:15:24 +02:00
-v /var/lib:/var/lib \
2015-06-14 23:03:11 +02:00
-v /var/run/docker.sock:/var/run/docker.sock \
-v /usr/lib/systemd:/usr/lib/systemd \
2015-07-25 14:20:56 +02:00
-v /etc:/etc --label docker_bench_security \
2015-08-13 06:43:01 +02:00
docker/docker-bench-security
2015-05-11 06:08:28 +02:00
```
2017-09-21 10:22:26 +02:00
Docker bench requires Docker 1.13.0 or later in order to run.
2015-05-15 05:33:02 +02:00
2017-01-25 10:22:08 +01:00
Note that when distributions doesn't contain `auditctl` , the audit tests will
check `/etc/audit/audit.rules` to see if a rule is present instead.
2017-01-20 12:25:56 +01:00
Distribution specific Dockerfiles that fixes this issue are available in the
[distros directory ](https://github.com/docker/docker-bench-security/tree/master/distros ).
2015-05-15 00:51:55 +02:00
2017-01-20 12:25:56 +01:00
The [distribution specific Dockerfiles ](https://github.com/docker/docker-bench-security/tree/master/distros )
may also help if the distribution you're using haven't yet shipped Docker
2018-01-16 13:45:06 +01:00
version 1.13.0 or later.
### Docker Bench for Security options
```sh
-h optional Print this help message
-l FILE optional Log output in FILE
2018-02-27 15:43:51 +01:00
-c CHECK optional Comma delimited list of specific check(s)
2018-05-10 14:45:59 +02:00
-e CHECK optional Comma delimited list of specific check(s) to exclude
-x EXCLUDE optional Comma delimited list of patterns within a container name to exclude from check
2018-01-16 13:45:06 +01:00
```
2018-01-18 11:28:36 +01:00
By default the Docker Bench for Security script will run all available CIS tests
and produce logs in the current directory named `docker-bench-security.sh.log.json`
2018-01-16 13:45:06 +01:00
and `docker-bench-security.sh.log` .
The CIS based checks are named `check_<section>_<number>` , e.g. `check_2_6`
and community contributed checks are named `check_c_<number>` .
A complete list of checks are present in [functions_lib.sh ](functions_lib.sh ).
`sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -c check_2_2`
2016-05-15 17:30:51 +02:00
2018-01-18 11:28:36 +01:00
Note that when submitting checks, provide information why it is a
reasonable test to add and please include some kind of official documentation
verifying that information.
2015-05-28 00:10:09 +02:00
## Building Docker Bench for Security
2015-05-11 06:08:28 +02:00
2017-01-20 12:25:56 +01:00
If you wish to build and run this container yourself, you can follow the
following steps:
2015-05-11 06:08:28 +02:00
2015-06-14 23:03:11 +02:00
```sh
2015-06-15 22:15:24 +02:00
git clone https://github.com/docker/docker-bench-security.git
2015-06-14 23:03:11 +02:00
cd docker-bench-security
docker build -t docker-bench-security .
2015-06-15 22:15:24 +02:00
docker run -it --net host --pid host --cap-add audit_control \
2017-01-20 12:16:50 +01:00
-e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
2015-06-15 22:15:24 +02:00
-v /var/lib:/var/lib \
2015-06-14 23:03:11 +02:00
-v /var/run/docker.sock:/var/run/docker.sock \
-v /usr/lib/systemd:/usr/lib/systemd \
2015-07-25 14:20:56 +02:00
-v /etc:/etc --label docker_bench_security \
2015-06-17 20:25:52 +02:00
docker-bench-security
2015-05-11 06:08:28 +02:00
```
2015-09-21 11:52:39 +02:00
or use [Docker Compose ](https://docs.docker.com/compose/ ):
2017-01-20 12:25:56 +01:00
2015-09-21 11:52:39 +02:00
```sh
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
docker-compose run --rm docker-bench-security
```
2015-05-11 06:08:28 +02:00
Also, this script can also be simply run from your base host by running:
2015-06-14 23:03:11 +02:00
```sh
2015-06-14 23:54:15 +02:00
git clone https://github.com/docker/docker-bench-security.git
2015-06-14 23:03:11 +02:00
cd docker-bench-security
2017-07-07 12:03:40 +02:00
sudo sh docker-bench-security.sh
2015-05-11 06:08:28 +02:00
```
2017-11-20 15:22:24 +01:00
This script was built to be POSIX 2004 compliant, so it should be portable
2017-01-20 12:25:56 +01:00
across any Unix platform.
