diff --git a/README.md b/README.md index bcedb95..f2be9a3 100644 --- a/README.md +++ b/README.md @@ -13,10 +13,12 @@ We packaged docker bench as a small container for your convenience. Note that th The easiest way to run your hosts against the CIS Docker 1.6 benchmark is by running our pre-built container: -``` -docker run -it --net host --pid host -v /var/run/docker.sock:/var/run/docker.sock \ --v /usr/lib/systemd:/usr/lib/systemd -v /etc:/etc --label docker-bench-security \ -diogomonica/docker-bench-security +```sh +docker run -it --net host --pid host \ + -v /var/run/docker.sock:/var/run/docker.sock \ + -v /usr/lib/systemd:/usr/lib/systemd \ + -v /etc:/etc --label docker-bench-security \ + diogomonica/docker-bench-security ``` Docker bench requires Docker 1.6.2 or later in order to run, since it depends on the `--label` to exclude the current container from being inspected. If you can't upgrade to 1.6.2, I feel free to remove the `--label` flag or run the shell script locally (see below). 
@@ -27,19 +29,23 @@ Additionally, there was a bug in Docker 1.6.0 that would not allow mounting `-v If you wish to build and run this container yourself, you can follow the following steps: -``` +```sh git clone https://github.com/diogomonica/docker-bench-security.git -cd docker-bench-security; docker build -t docker-bench-security . -docker run -it --net host --pid host -v /var/run/docker.sock:/var/run/docker.sock \ --v /usr/lib/systemd:/usr/lib/systemd -v /etc:/etc --label security-benchmark \ -docker-bench-security +cd docker-bench-security +docker build -t docker-bench-security . +docker run -it --net host --pid host \ + -v /var/run/docker.sock:/var/run/docker.sock \ + -v /usr/lib/systemd:/usr/lib/systemd \ + -v /etc:/etc --label security-benchmark \ + docker-bench-security ``` Also, this script can also be simply run from your base host by running: -``` +```sh git clone https://github.com/diogomonica/docker-bench-security.git -cd docker-bench-security; sh docker-bench-security.sh +cd docker-bench-security +sh docker-bench-security.sh ``` This script was build to be POSIX 2004 compliant, so it should be portable across any Unix platform.
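Review bot: the read-write bind mounts in the new `docker run` command (`-v /usr/lib/systemd:/usr/lib/systemd` and `-v /etc:/etc`) give the bench container write access to host configuration, which an audit script that only reads files does not need; since these lines are being rewritten anyway, consider appending `:ro` to both mounts (`-v /etc:/etc:ro`) so the documented invocation is least-privilege. The trailing context sentence also carries a typo worth fixing in the same pass: "I feel free to remove the `--label` flag" should read "feel free to remove the `--label` flag".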
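Review bot: the label value in the build-it-yourself command (`--label security-benchmark`) differs from the one in the pre-built command in the previous hunk (`--label docker-bench-security`); the surrounding text says the script relies on the label to exclude its own container from inspection, so if the script matches a specific label one of these two invocations will end up auditing the bench container itself. Please use the same label in both commands. Two small wording fixes in the unchanged context around the hunk: "Also, this script can also be simply run" repeats "also", and "This script was build to be POSIX 2004 compliant" should read "built".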