From 26470706924c4a3597b36adeb8d336fdb876ffbc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Fri, 2 Jun 2023 22:16:31 +0000 Subject: [PATCH] update Docker container instructions, remove out-of-date Dockerfiles MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- .github/workflows/slsa.yml | 2 +- Dockerfile | 8 ++--- README.md | 58 ++++++++++++++++++------------------- distros/Dockerfile.alpine | 19 ------------ distros/Dockerfile.centos | 15 ---------- distros/Dockerfile.debian | 24 --------------- distros/Dockerfile.openSUSE | 13 --------- distros/Dockerfile.rhel | 18 ------------ distros/README.md | 21 -------------- docker-compose.yml | 38 ++++++++++++------------ 10 files changed, 53 insertions(+), 163 deletions(-) delete mode 100644 distros/Dockerfile.alpine delete mode 100644 distros/Dockerfile.centos delete mode 100644 distros/Dockerfile.debian delete mode 100644 distros/Dockerfile.openSUSE delete mode 100644 distros/Dockerfile.rhel delete mode 100644 distros/README.md diff --git a/.github/workflows/slsa.yml b/.github/workflows/slsa.yml index b5257c8..192a6e2 100644 --- a/.github/workflows/slsa.yml +++ b/.github/workflows/slsa.yml @@ -24,7 +24,7 @@ jobs: - name: Build artifacts run: | - find *.sh distros/* functions/* tests/* Dockerfile Vagrantfile -exec sha256sum {} \; > ${{ env.REPOSITORY_NAME }}.sha256 + find *.sh functions/* tests/* Dockerfile Vagrantfile -exec sha256sum {} \; > ${{ env.REPOSITORY_NAME }}.sha256 - name: Generate hashes shell: bash diff --git a/Dockerfile b/Dockerfile index 6aaa8da..b72b51a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.15 +FROM alpine:3.18 LABEL \ org.label-schema.name="docker-bench-security" \ @@ -6,9 +6,9 @@ LABEL \ org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git" RUN apk add --no-cache iproute2 \ - docker-cli \ - dumb-init \ - jq + docker-cli \ + dumb-init \ + jq COPY . /usr/local/bin/ diff --git a/README.md b/README.md index 82d8a20..522c7e4 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are based on the [CIS Docker Benchmark v1.5.0](https://www.cisecurity.org/benchmark/docker/). -We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and docker containers against this benchmark. +We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and Docker containers against this benchmark. Release | CIS | :---:|:---:| @@ -30,11 +30,33 @@ sudo sh docker-bench-security.sh ### Run with Docker +#### Building Docker image + +You have two options if you wish to build and run this container yourself: + +1. Use Docker Build: + +```sh +git clone https://github.com/docker/docker-bench-security.git +cd docker-bench-security +docker build --no-cache -t docker-bench-security . +``` + +Followed by an appropriate `docker run` command as stated above. + +2. Use Docker Compose: + +```sh +git clone https://github.com/docker/docker-bench-security.git +cd docker-bench-security +docker-compose run --rm docker-bench-security +``` + _Please note that the `docker/docker-bench-security` image is out-of-date and and a manual build is required. See [#405](https://github.com/docker/docker-bench-security/issues/405) for more information._ -We packaged docker bench as a small container for your convenience. Note that this container is being run with a *lot* of privilege -- sharing the host's filesystem, pid and network namespaces, due to portions of the benchmark applying to the running host. +Note that this container is being run with a *lot* of privilege -- sharing the host's filesystem, pid and network namespaces, due to portions of the benchmark applying to the running host. -The easiest way to run your hosts against the Docker Bench for Security is by running our pre-built container: +### Using the container ```sh docker run --rm --net host --pid host --userns host --cap-add audit_control \ @@ -46,7 +68,7 @@ docker run --rm --net host --pid host --userns host --cap-add audit_control \ -v /var/lib:/var/lib:ro \ -v /var/run/docker.sock:/var/run/docker.sock:ro \ --label docker_bench_security \ - docker/docker-bench-security + docker-bench-security ``` Don't forget to adjust the shared volumes according to your operating system. @@ -66,7 +88,7 @@ docker run --rm --net host --pid host --userns host --cap-add audit_control \ -v /var/lib:/var/lib:ro \ -v /var/run/docker.sock:/var/run/docker.sock:ro \ --label docker_bench_security \ - docker/docker-bench-security + docker-bench-security ``` 2. The /etc/hostname file is missing on macOS, so it will need to be created first. Also, `Docker Desktop` on macOS doesn't have `/usr/lib/systemd` or the above Docker @@ -81,7 +103,7 @@ docker run --rm --net host --pid host --userns host --cap-add audit_control \ -v /var/lib:/var/lib:ro \ -v /var/run/docker.sock:/var/run/docker.sock:ro \ --label docker_bench_security \ - docker/docker-bench-security + docker-bench-security ``` ### Note @@ -119,32 +141,10 @@ The CIS based checks are named `check_
_`, e.g. `check_2_6` and `sh docker-bench-security.sh -e docker_enterprise_configuration` will run all available checks except the docker_enterprise_configuration group -`sh docker-bench-security.sh -e docker_enterprise_configuration,check_2_2` will run allavailable checks except the docker_enterprise_configuration group and `2.2 Ensure the logging level is set to 'info'` +`sh docker-bench-security.sh -e docker_enterprise_configuration,check_2_2` will run all available checks except the docker_enterprise_configuration group and `2.2 Ensure the logging level is set to 'info'` `sh docker-bench-security.sh -c container_images,container_runtime` will run just the container_images and container_runtime checks `sh docker-bench-security.sh -c container_images -e check_4_5` will run just the container_images checks except `4.5 Ensure Content trust for Docker is Enabled` Note that when submitting checks, provide information why it is a reasonable test to add and please include some kind of official documentation verifying that information. - -## Building Docker image - -You have two options if you wish to build and run this container yourself: - -1. Use Docker Build: - -```sh -git clone https://github.com/docker/docker-bench-security.git -cd docker-bench-security -docker build --no-cache -t docker-bench-security . -``` - -Followed by an appropriate `docker run` command as stated above. - -2. Use Docker Compose: - -```sh -git clone https://github.com/docker/docker-bench-security.git -cd docker-bench-security -docker-compose run --rm docker-bench-security -``` diff --git a/distros/Dockerfile.alpine b/distros/Dockerfile.alpine deleted file mode 100644 index ed4596a..0000000 --- a/distros/Dockerfile.alpine +++ /dev/null @@ -1,19 +0,0 @@ -FROM alpine:3.13 - -LABEL \ - org.label-schema.name="docker-bench-security" \ - org.label-schema.url="https://dockerbench.com" \ - org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git" - -RUN apk add --no-cache iproute2 \ - docker-cli \ - dumb-init - -COPY . /usr/local/bin/ - -HEALTHCHECK CMD exit 0 - -WORKDIR /usr/local/bin - -ENTRYPOINT [ "/usr/bin/dumb-init", "docker-bench-security.sh" ] -CMD [""] diff --git a/distros/Dockerfile.centos b/distros/Dockerfile.centos deleted file mode 100644 index 4c0dcfb..0000000 --- a/distros/Dockerfile.centos +++ /dev/null @@ -1,15 +0,0 @@ -# REPOSITORY https://github.com/fatherlinux/docker-bench-security - -FROM centos - -MAINTAINER smccarty@redhat.com - -RUN yum install -y docker iproute audit procps-ng; yum clean all - -RUN mkdir /docker-bench-security - -COPY . /docker-bench-security - -WORKDIR /docker-bench-security - -ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"] diff --git a/distros/Dockerfile.debian b/distros/Dockerfile.debian deleted file mode 100644 index 25f6496..0000000 --- a/distros/Dockerfile.debian +++ /dev/null @@ -1,24 +0,0 @@ -FROM debian:sid@sha256:022a3cafe84d704c272794863ca5e383667c99312358e816ad1ff6e9a41ce4f6 - -LABEL org.label-schema.name="docker-bench-security" \ - org.label-schema.url="https://github.com/konstruktoid/docker-bench-security" \ - org.label-schema.vcs-url="https://github.com/konstruktoid/docker-bench-security.git" - -RUN \ - apt-get update && \ - apt-get -y upgrade && \ - apt-get -y install auditd ca-certificates docker.io \ - gawk iproute2 procps --no-install-recommends && \ - apt-get -y clean && \ - apt-get -y autoremove && \ - rm -rf /var/lib/apt/lists/* \ - /usr/share/doc /usr/share/doc-base \ - /usr/share/man /usr/share/locale /usr/share/zoneinfo - -RUN mkdir /docker-bench-security - -COPY . /docker-bench-security - -WORKDIR /docker-bench-security - -ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"] diff --git a/distros/Dockerfile.openSUSE b/distros/Dockerfile.openSUSE deleted file mode 100644 index d5a0add..0000000 --- a/distros/Dockerfile.openSUSE +++ /dev/null @@ -1,13 +0,0 @@ -# REPOSITORY https://github.com/docker/docker-bench-security -FROM opensuse/leap:latest - -RUN zypper -n in audit docker iproute2 && \ - mkdir /docker-bench-security && \ - rm /usr/bin/awk && \ - cp /usr/bin/gawk /usr/bin/awk - -COPY . /docker-bench-security - -WORKDIR /docker-bench-security - -ENTRYPOINT ["/bin/bash", "docker-bench-security.sh"] diff --git a/distros/Dockerfile.rhel b/distros/Dockerfile.rhel deleted file mode 100644 index c1b5618..0000000 --- a/distros/Dockerfile.rhel +++ /dev/null @@ -1,18 +0,0 @@ -# REPOSITORY https://github.com/fatherlinux/docker-bench-security - -FROM rhel7 - -MAINTAINER smccarty@redhat.com - -RUN yum install -y yum-utils; yum clean all -RUN yum-config-manager --disable "*" &>/dev/null -RUN yum-config-manager --enable rhel-7-server-rpms --enable rhel-7-server-extras-rpms -RUN yum install -y docker iproute audit procps-ng; yum clean all - -RUN mkdir /docker-bench-security - -COPY . /docker-bench-security - -WORKDIR /docker-bench-security - -ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"] diff --git a/distros/README.md b/distros/README.md deleted file mode 100644 index be4de17..0000000 --- a/distros/README.md +++ /dev/null @@ -1,21 +0,0 @@ -# Distribution specific Dockerfiles - -## Requirements - -### Dockerfile name - -The format should be `Dockerfile.{distribution name}`. - -### Keep your images up-to-date - -Use the distribution package manager to keep your image up-to-date. - -### Labels - -Use the following labels in your Dockerfile: - -``` -LABEL org.label-schema.name="docker-bench-security" \ - org.label-schema.url="" \ - org.label-schema.vcs-url="