GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2025-11-04 02:58:59 +00:00
Code Issues Projects Releases Packages Wiki Activity

update Docker container instructions, remove out-of-date Dockerfiles

Browse source 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
This commit is contained in:
Thomas Sjögren 2023-06-02 22:16:31 +00:00
commit 2647070692
No known key found for this signature in database
10 changed files with 53 additions and 163 deletions

2
.github/workflows/slsa.yml vendored
View file

@ -24,7 +24,7 @@ jobs:
- name: Build artifacts
run: |
find *.sh distros/* functions/* tests/* Dockerfile Vagrantfile -exec sha256sum {} \; > ${{ env.REPOSITORY_NAME }}.sha256
find *.sh functions/* tests/* Dockerfile Vagrantfile -exec sha256sum {} \; > ${{ env.REPOSITORY_NAME }}.sha256
- name: Generate hashes
shell: bash

8
Dockerfile
View file

@ -1,4 +1,4 @@
FROM alpine:3.15
FROM alpine:3.18
LABEL \
org.label-schema.name="docker-bench-security" \
@ -6,9 +6,9 @@ LABEL \
org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"
RUN apk add --no-cache iproute2 \
docker-cli \
dumb-init \
jq
docker-cli \
dumb-init \
jq
COPY . /usr/local/bin/

58
README.md
View file

@ -4,7 +4,7 @@
The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are based on the [CIS Docker Benchmark v1.5.0](https://www.cisecurity.org/benchmark/docker/).
We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and docker containers against this benchmark.
We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and Docker containers against this benchmark.
Release | CIS |
:---:|:---:|
@ -30,11 +30,33 @@ sudo sh docker-bench-security.sh
### Run with Docker
#### Building Docker image
You have two options if you wish to build and run this container yourself:
1. Use Docker Build:
```sh
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
docker build --no-cache -t docker-bench-security .
```
Followed by an appropriate `docker run` command as stated above.
2. Use Docker Compose:
```sh
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
docker-compose run --rm docker-bench-security
```
_Please note that the `docker/docker-bench-security` image is out-of-date and and a manual build is required. See [#405](https://github.com/docker/docker-bench-security/issues/405) for more information._
We packaged docker bench as a small container for your convenience. Note that this container is being run with a *lot* of privilege -- sharing the host's filesystem, pid and network namespaces, due to portions of the benchmark applying to the running host.
Note that this container is being run with a *lot* of privilege -- sharing the host's filesystem, pid and network namespaces, due to portions of the benchmark applying to the running host.
The easiest way to run your hosts against the Docker Bench for Security is by running our pre-built container:
### Using the container
```sh
docker run --rm --net host --pid host --userns host --cap-add audit_control \
@ -46,7 +68,7 @@ docker run --rm --net host --pid host --userns host --cap-add audit_control \
-v /var/lib:/var/lib:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
--label docker_bench_security \
docker/docker-bench-security
docker-bench-security
```
Don't forget to adjust the shared volumes according to your operating system.
@ -66,7 +88,7 @@ docker run --rm --net host --pid host --userns host --cap-add audit_control \
-v /var/lib:/var/lib:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
--label docker_bench_security \
docker/docker-bench-security
docker-bench-security
```
2. The /etc/hostname file is missing on macOS, so it will need to be created first. Also, `Docker Desktop` on macOS doesn't have `/usr/lib/systemd` or the above Docker
@ -81,7 +103,7 @@ docker run --rm --net host --pid host --userns host --cap-add audit_control \
-v /var/lib:/var/lib:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
--label docker_bench_security \
docker/docker-bench-security
docker-bench-security
```
### Note
@ -119,32 +141,10 @@ The CIS based checks are named `check_<section>_<number>`, e.g. `check_2_6` and
`sh docker-bench-security.sh -e docker_enterprise_configuration` will run all available checks except the docker_enterprise_configuration group
`sh docker-bench-security.sh -e docker_enterprise_configuration,check_2_2` will run allavailable checks except the docker_enterprise_configuration group and `2.2 Ensure the logging level is set to 'info'`
`sh docker-bench-security.sh -e docker_enterprise_configuration,check_2_2` will run all available checks except the docker_enterprise_configuration group and `2.2 Ensure the logging level is set to 'info'`
`sh docker-bench-security.sh -c container_images,container_runtime` will run just the container_images and container_runtime checks
`sh docker-bench-security.sh -c container_images -e check_4_5` will run just the container_images checks except `4.5 Ensure Content trust for Docker is Enabled`
Note that when submitting checks, provide information why it is a reasonable test to add and please include some kind of official documentation verifying that information.
## Building Docker image
You have two options if you wish to build and run this container yourself:
1. Use Docker Build:
```sh
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
docker build --no-cache -t docker-bench-security .
```
Followed by an appropriate `docker run` command as stated above.
2. Use Docker Compose:
```sh
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
docker-compose run --rm docker-bench-security
```

19
distros/Dockerfile.alpine
View file

@ -1,19 +0,0 @@
FROM alpine:3.13
LABEL \
org.label-schema.name="docker-bench-security" \
org.label-schema.url="https://dockerbench.com" \
org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"
RUN apk add --no-cache iproute2 \
docker-cli \
dumb-init
COPY . /usr/local/bin/
HEALTHCHECK CMD exit 0
WORKDIR /usr/local/bin
ENTRYPOINT [ "/usr/bin/dumb-init", "docker-bench-security.sh" ]
CMD [""]

15
distros/Dockerfile.centos
View file

@ -1,15 +0,0 @@
# REPOSITORY https://github.com/fatherlinux/docker-bench-security
FROM centos
MAINTAINER smccarty@redhat.com
RUN yum install -y docker iproute audit procps-ng; yum clean all
RUN mkdir /docker-bench-security
COPY . /docker-bench-security
WORKDIR /docker-bench-security
ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"]

24
distros/Dockerfile.debian
View file

@ -1,24 +0,0 @@
FROM debian:sid@sha256:022a3cafe84d704c272794863ca5e383667c99312358e816ad1ff6e9a41ce4f6
LABEL org.label-schema.name="docker-bench-security" \
org.label-schema.url="https://github.com/konstruktoid/docker-bench-security" \
org.label-schema.vcs-url="https://github.com/konstruktoid/docker-bench-security.git"
RUN \
apt-get update && \
apt-get -y upgrade && \
apt-get -y install auditd ca-certificates docker.io \
gawk iproute2 procps --no-install-recommends && \
apt-get -y clean && \
apt-get -y autoremove && \
rm -rf /var/lib/apt/lists/* \
/usr/share/doc /usr/share/doc-base \
/usr/share/man /usr/share/locale /usr/share/zoneinfo
RUN mkdir /docker-bench-security
COPY . /docker-bench-security
WORKDIR /docker-bench-security
ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"]

13
distros/Dockerfile.openSUSE
View file

@ -1,13 +0,0 @@
# REPOSITORY https://github.com/docker/docker-bench-security
FROM opensuse/leap:latest
RUN zypper -n in audit docker iproute2 && \
mkdir /docker-bench-security && \
rm /usr/bin/awk && \
cp /usr/bin/gawk /usr/bin/awk
COPY . /docker-bench-security
WORKDIR /docker-bench-security
ENTRYPOINT ["/bin/bash", "docker-bench-security.sh"]

18
distros/Dockerfile.rhel
View file

@ -1,18 +0,0 @@
# REPOSITORY https://github.com/fatherlinux/docker-bench-security
FROM rhel7
MAINTAINER smccarty@redhat.com
RUN yum install -y yum-utils; yum clean all
RUN yum-config-manager --disable "*" &>/dev/null
RUN yum-config-manager --enable rhel-7-server-rpms --enable rhel-7-server-extras-rpms
RUN yum install -y docker iproute audit procps-ng; yum clean all
RUN mkdir /docker-bench-security
COPY . /docker-bench-security
WORKDIR /docker-bench-security
ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"]

21
distros/README.md
View file

@ -1,21 +0,0 @@
# Distribution specific Dockerfiles
## Requirements
### Dockerfile name
The format should be `Dockerfile.{distribution name}`.
### Keep your images up-to-date
Use the distribution package manager to keep your image up-to-date.
### Labels
Use the following labels in your Dockerfile:
```
LABEL org.label-schema.name="docker-bench-security" \
org.label-schema.url="<YOUR GIT REPOSITORY HTTPS ADDRESS>" \
org.label-schema.vcs-url="<YOUR REPOSITORY HTTPS GIT ADDRESS"
```

38
docker-compose.yml
View file

@ -1,21 +1,21 @@
docker-bench-security:
# use image if you have a dedicated build step:
# docker build --rm -t docker-bench-security .
# image: docker-bench-security
services:
docker-bench-security:
# use image if you have a dedicated build step:
# docker build --rm -t docker-bench-security .
# image: docker-bench-security
# use build path to Dockerfile if docker-compose should build the image
build: .
# use build path to Dockerfile if docker-compose should build the image
build: .
cap_add:
- audit_control
labels:
- docker_bench_security
net: host
pid: host
stdin_open: true
tty: true
volumes:
- /var/lib:/var/lib:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- /usr/lib/systemd:/usr/lib/systemd:ro
- /etc:/etc:ro
cap_add:
- audit_control
labels:
- docker_bench_security
pid: host
stdin_open: true
tty: true
volumes:
- /var/lib:/var/lib:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- /usr/lib/systemd:/usr/lib/systemd:ro
- /etc:/etc:ro