update Docker container instructions, remove out-of-date Dockerfiles

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

.github/workflows/slsa.yml

@@ -24,7 +24,7 @@ jobs:
 
       - name: Build artifacts
         run: |
-          find *.sh distros/* functions/* tests/* Dockerfile Vagrantfile -exec sha256sum {} \; > ${{ env.REPOSITORY_NAME }}.sha256
+          find *.sh functions/* tests/* Dockerfile Vagrantfile -exec sha256sum {} \; > ${{ env.REPOSITORY_NAME }}.sha256
 
       - name: Generate hashes
         shell: bash

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.15
+FROM alpine:3.18
 
 LABEL \
   org.label-schema.name="docker-bench-security" \

README.md

@@ -4,7 +4,7 @@
 
 The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are based on the [CIS Docker Benchmark v1.5.0](https://www.cisecurity.org/benchmark/docker/).
 
-We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and docker containers against this benchmark.
+We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and Docker containers against this benchmark.
 
 Release | CIS |
 :---:|:---:|
@@ -30,11 +30,33 @@ sudo sh docker-bench-security.sh
 
 ### Run with Docker
 
+#### Building Docker image
+
+You have two options if you wish to build and run this container yourself:
+
+1. Use Docker Build:
+
+```sh
+git clone https://github.com/docker/docker-bench-security.git
+cd docker-bench-security
+docker build --no-cache -t docker-bench-security .
+```
+
+Followed by an appropriate `docker run` command as stated above.
+
+2. Use Docker Compose:
+
+```sh
+git clone https://github.com/docker/docker-bench-security.git
+cd docker-bench-security
+docker-compose run --rm docker-bench-security
+```
+
 _Please note that the `docker/docker-bench-security` image is out-of-date and and a manual build is required. See [#405](https://github.com/docker/docker-bench-security/issues/405) for more information._
 
-We packaged docker bench as a small container for your convenience. Note that this container is being run with a *lot* of privilege -- sharing the host's filesystem, pid and network namespaces, due to portions of the benchmark applying to the running host.
+Note that this container is being run with a *lot* of privilege -- sharing the host's filesystem, pid and network namespaces, due to portions of the benchmark applying to the running host.
 
-The easiest way to run your hosts against the Docker Bench for Security is by running our pre-built container:
+### Using the container
 
 ```sh
 docker run --rm --net host --pid host --userns host --cap-add audit_control \
@@ -46,7 +68,7 @@ docker run --rm --net host --pid host --userns host --cap-add audit_control \
     -v /var/lib:/var/lib:ro \
     -v /var/run/docker.sock:/var/run/docker.sock:ro \
     --label docker_bench_security \
-    docker/docker-bench-security
+    docker-bench-security
 ```
 
 Don't forget to adjust the shared volumes according to your operating system.
@@ -66,7 +88,7 @@ docker run --rm --net host --pid host --userns host --cap-add audit_control \
     -v /var/lib:/var/lib:ro \
     -v /var/run/docker.sock:/var/run/docker.sock:ro \
     --label docker_bench_security \
-    docker/docker-bench-security
+    docker-bench-security
 ```
 
 2. The /etc/hostname file is missing on macOS, so it will need to be created first. Also, `Docker Desktop` on macOS doesn't have `/usr/lib/systemd` or the above Docker
@@ -81,7 +103,7 @@ docker run --rm --net host --pid host --userns host --cap-add audit_control \
     -v /var/lib:/var/lib:ro \
     -v /var/run/docker.sock:/var/run/docker.sock:ro \
     --label docker_bench_security \
-    docker/docker-bench-security
+    docker-bench-security
 ```
 
 ### Note
@@ -126,25 +148,3 @@ The CIS based checks are named `check_<section>_<number>`, e.g. `check_2_6` and
 `sh docker-bench-security.sh -c container_images -e check_4_5` will run just the container_images checks except `4.5 Ensure Content trust for Docker is Enabled`
 
 Note that when submitting checks, provide information why it is a reasonable test to add and please include some kind of official documentation verifying that information.
-
-## Building Docker image
-
-You have two options if you wish to build and run this container yourself:
-
-1. Use Docker Build:
-
-```sh
-git clone https://github.com/docker/docker-bench-security.git
-cd docker-bench-security
-docker build --no-cache -t docker-bench-security .
-```
-
-Followed by an appropriate `docker run` command as stated above.
-
-2. Use Docker Compose:
-
-```sh
-git clone https://github.com/docker/docker-bench-security.git
-cd docker-bench-security
-docker-compose run --rm docker-bench-security
-```

distros/Dockerfile.alpine

@@ -1,19 +0,0 @@
-FROM alpine:3.13
-
-LABEL \
-  org.label-schema.name="docker-bench-security" \
-  org.label-schema.url="https://dockerbench.com" \
-  org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"
-
-RUN apk add --no-cache iproute2 \
-                       docker-cli \
-                       dumb-init
-
-COPY . /usr/local/bin/
-
-HEALTHCHECK CMD exit 0
-
-WORKDIR /usr/local/bin
-
-ENTRYPOINT [ "/usr/bin/dumb-init", "docker-bench-security.sh" ]
-CMD [""]

distros/Dockerfile.centos

@@ -1,15 +0,0 @@
-# REPOSITORY https://github.com/fatherlinux/docker-bench-security
-
-FROM centos
-
-MAINTAINER smccarty@redhat.com
-
-RUN yum install -y docker iproute audit procps-ng; yum clean all
-
-RUN mkdir /docker-bench-security
-
-COPY . /docker-bench-security
-
-WORKDIR /docker-bench-security
-
-ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"]

distros/Dockerfile.debian

@@ -1,24 +0,0 @@
-FROM debian:sid@sha256:022a3cafe84d704c272794863ca5e383667c99312358e816ad1ff6e9a41ce4f6
-
-LABEL org.label-schema.name="docker-bench-security" \
-      org.label-schema.url="https://github.com/konstruktoid/docker-bench-security" \
-      org.label-schema.vcs-url="https://github.com/konstruktoid/docker-bench-security.git"
-
-RUN \
-    apt-get update && \
-    apt-get -y upgrade && \
-    apt-get -y install auditd ca-certificates docker.io \
-      gawk iproute2 procps --no-install-recommends && \
-    apt-get -y clean && \
-    apt-get -y autoremove && \
-    rm -rf /var/lib/apt/lists/* \
-      /usr/share/doc /usr/share/doc-base \
-      /usr/share/man /usr/share/locale /usr/share/zoneinfo
-
-RUN mkdir /docker-bench-security
-
-COPY . /docker-bench-security
-
-WORKDIR /docker-bench-security
-
-ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"]

distros/Dockerfile.openSUSE

@@ -1,13 +0,0 @@
-# REPOSITORY https://github.com/docker/docker-bench-security
-FROM opensuse/leap:latest
-
-RUN zypper -n in audit docker iproute2 && \
-    mkdir /docker-bench-security && \
-    rm /usr/bin/awk && \
-    cp /usr/bin/gawk /usr/bin/awk
-
-COPY . /docker-bench-security
-
-WORKDIR /docker-bench-security
-
-ENTRYPOINT ["/bin/bash", "docker-bench-security.sh"]

distros/Dockerfile.rhel

@@ -1,18 +0,0 @@
-# REPOSITORY https://github.com/fatherlinux/docker-bench-security
-
-FROM rhel7
-
-MAINTAINER smccarty@redhat.com
-
-RUN yum install -y yum-utils; yum clean all
-RUN yum-config-manager --disable "*" &>/dev/null
-RUN yum-config-manager --enable rhel-7-server-rpms --enable rhel-7-server-extras-rpms
-RUN yum install -y docker iproute audit procps-ng; yum clean all
-
-RUN mkdir /docker-bench-security
-
-COPY . /docker-bench-security
-
-WORKDIR /docker-bench-security
-
-ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"]

distros/README.md

@@ -1,21 +0,0 @@
-# Distribution specific Dockerfiles
-
-## Requirements
-
-### Dockerfile name
-
-The format should be `Dockerfile.{distribution name}`.
-
-### Keep your images up-to-date
-
-Use the distribution package manager to keep your image up-to-date.
-
-### Labels
-
-Use the following labels in your Dockerfile:
-
-```
-LABEL org.label-schema.name="docker-bench-security" \
-      org.label-schema.url="<YOUR GIT REPOSITORY HTTPS ADDRESS>" \
-      org.label-schema.vcs-url="<YOUR REPOSITORY HTTPS GIT ADDRESS"
-```

docker-compose.yml

@@ -1,3 +1,4 @@
+services:
   docker-bench-security:
       # use image if you have a dedicated build step:
       #   docker build --rm -t docker-bench-security .
@@ -10,7 +11,6 @@ docker-bench-security:
           - audit_control
       labels:
           - docker_bench_security
-    net: host
       pid: host
       stdin_open: true
       tty: true