update Docker container instructions, remove out-of-date Dockerfiles

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2024-11-01 00:21:45 +01:00 · 2023-06-02 22:16:31 +00:00 · 2023-06-02 22:16:31 +00:00 · 2647070692
commit 2647070692
parent 1d29a1f405
10 changed files with 53 additions and 163 deletions
--- a/.github/workflows/slsa.yml
+++ b/.github/workflows/slsa.yml
@ -24,7 +24,7 @@ jobs:

      - name: Build artifacts
        run: |
-          find *.sh distros/* functions/* tests/* Dockerfile Vagrantfile -exec sha256sum {} \; > ${{ env.REPOSITORY_NAME }}.sha256
+          find *.sh functions/* tests/* Dockerfile Vagrantfile -exec sha256sum {} \; > ${{ env.REPOSITORY_NAME }}.sha256

      - name: Generate hashes
        shell: bash
--- a/2
+++ b/2
@ -1,4 +1,4 @@
-FROM alpine:3.15
+FROM alpine:3.18

 LABEL \
  org.label-schema.name="docker-bench-security" \
--- a/README.md
+++ b/README.md
@ -4,7 +4,7 @@

 The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are based on the [CIS Docker Benchmark v1.5.0](https://www.cisecurity.org/benchmark/docker/).

-We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and docker containers against this benchmark.
+We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and Docker containers against this benchmark.

 Release | CIS |
 :---:|:---:|
@ -30,11 +30,33 @@ sudo sh docker-bench-security.sh

 ### Run with Docker

+#### Building Docker image
+
+You have two options if you wish to build and run this container yourself:
+
+1. Use Docker Build:
+
+```sh
+git clone https://github.com/docker/docker-bench-security.git
+cd docker-bench-security
+docker build --no-cache -t docker-bench-security .
+```
+
+Followed by an appropriate `docker run` command as stated above.
+
+2. Use Docker Compose:
+
+```sh
+git clone https://github.com/docker/docker-bench-security.git
+cd docker-bench-security
+docker-compose run --rm docker-bench-security
+```
+
 _Please note that the `docker/docker-bench-security` image is out-of-date and and a manual build is required. See [#405](https://github.com/docker/docker-bench-security/issues/405) for more information._

-We packaged docker bench as a small container for your convenience. Note that this container is being run with a *lot* of privilege -- sharing the host's filesystem, pid and network namespaces, due to portions of the benchmark applying to the running host.
+Note that this container is being run with a *lot* of privilege -- sharing the host's filesystem, pid and network namespaces, due to portions of the benchmark applying to the running host.

-The easiest way to run your hosts against the Docker Bench for Security is by running our pre-built container:
+### Using the container

 ```sh
 docker run --rm --net host --pid host --userns host --cap-add audit_control \
@ -46,7 +68,7 @@ docker run --rm --net host --pid host --userns host --cap-add audit_control \
    -v /var/lib:/var/lib:ro \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    --label docker_bench_security \
-    docker/docker-bench-security
+    docker-bench-security
 ```

 Don't forget to adjust the shared volumes according to your operating system.
@ -66,7 +88,7 @@ docker run --rm --net host --pid host --userns host --cap-add audit_control \
    -v /var/lib:/var/lib:ro \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    --label docker_bench_security \
-    docker/docker-bench-security
+    docker-bench-security
 ```

 2. The /etc/hostname file is missing on macOS, so it will need to be created first. Also, `Docker Desktop` on macOS doesn't have `/usr/lib/systemd` or the above Docker
@ -81,7 +103,7 @@ docker run --rm --net host --pid host --userns host --cap-add audit_control \
    -v /var/lib:/var/lib:ro \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    --label docker_bench_security \
-    docker/docker-bench-security
+    docker-bench-security
 ```

 ### Note
@ -126,25 +148,3 @@ The CIS based checks are named `check_<section>_<number>`, e.g. `check_2_6` and
 `sh docker-bench-security.sh -c container_images -e check_4_5` will run just the container_images checks except `4.5 Ensure Content trust for Docker is Enabled`

 Note that when submitting checks, provide information why it is a reasonable test to add and please include some kind of official documentation verifying that information.
-
-## Building Docker image
-
-You have two options if you wish to build and run this container yourself:
-
-1. Use Docker Build:
-
-```sh
-git clone https://github.com/docker/docker-bench-security.git
-cd docker-bench-security
-docker build --no-cache -t docker-bench-security .
-```
-
-Followed by an appropriate `docker run` command as stated above.
-
-2. Use Docker Compose:
-
-```sh
-git clone https://github.com/docker/docker-bench-security.git
-cd docker-bench-security
-docker-compose run --rm docker-bench-security
-```
--- a/distros/Dockerfile.alpine
+++ b/distros/Dockerfile.alpine
@ -1,19 +0,0 @@
-FROM alpine:3.13
-
-LABEL \
-  org.label-schema.name="docker-bench-security" \
-  org.label-schema.url="https://dockerbench.com" \
-  org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"
-
-RUN apk add --no-cache iproute2 \
-                       docker-cli \
-                       dumb-init
-
-COPY . /usr/local/bin/
-
-HEALTHCHECK CMD exit 0
-
-WORKDIR /usr/local/bin
-
-ENTRYPOINT [ "/usr/bin/dumb-init", "docker-bench-security.sh" ]
-CMD [""]
--- a/distros/Dockerfile.centos
+++ b/distros/Dockerfile.centos
@ -1,15 +0,0 @@
-# REPOSITORY https://github.com/fatherlinux/docker-bench-security
-
-FROM centos
-
-MAINTAINER smccarty@redhat.com
-
-RUN yum install -y docker iproute audit procps-ng; yum clean all
-
-RUN mkdir /docker-bench-security
-
-COPY . /docker-bench-security
-
-WORKDIR /docker-bench-security
-
-ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"]
--- a/distros/Dockerfile.debian
+++ b/distros/Dockerfile.debian
@ -1,24 +0,0 @@
-FROM debian:sid@sha256:022a3cafe84d704c272794863ca5e383667c99312358e816ad1ff6e9a41ce4f6
-
-LABEL org.label-schema.name="docker-bench-security" \
-      org.label-schema.url="https://github.com/konstruktoid/docker-bench-security" \
-      org.label-schema.vcs-url="https://github.com/konstruktoid/docker-bench-security.git"
-
-RUN \
-    apt-get update && \
-    apt-get -y upgrade && \
-    apt-get -y install auditd ca-certificates docker.io \
-      gawk iproute2 procps --no-install-recommends && \
-    apt-get -y clean && \
-    apt-get -y autoremove && \
-    rm -rf /var/lib/apt/lists/* \
-      /usr/share/doc /usr/share/doc-base \
-      /usr/share/man /usr/share/locale /usr/share/zoneinfo
-
-RUN mkdir /docker-bench-security
-
-COPY . /docker-bench-security
-
-WORKDIR /docker-bench-security
-
-ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"]
--- a/distros/Dockerfile.openSUSE
+++ b/distros/Dockerfile.openSUSE
@ -1,13 +0,0 @@
-# REPOSITORY https://github.com/docker/docker-bench-security
-FROM opensuse/leap:latest
-
-RUN zypper -n in audit docker iproute2 && \
-    mkdir /docker-bench-security && \
-    rm /usr/bin/awk && \
-    cp /usr/bin/gawk /usr/bin/awk
-
-COPY . /docker-bench-security
-
-WORKDIR /docker-bench-security
-
-ENTRYPOINT ["/bin/bash", "docker-bench-security.sh"]
--- a/distros/Dockerfile.rhel
+++ b/distros/Dockerfile.rhel
@ -1,18 +0,0 @@
-# REPOSITORY https://github.com/fatherlinux/docker-bench-security
-
-FROM rhel7
-
-MAINTAINER smccarty@redhat.com
-
-RUN yum install -y yum-utils; yum clean all
-RUN yum-config-manager --disable "*" &>/dev/null
-RUN yum-config-manager --enable rhel-7-server-rpms --enable rhel-7-server-extras-rpms
-RUN yum install -y docker iproute audit procps-ng; yum clean all
-
-RUN mkdir /docker-bench-security
-
-COPY . /docker-bench-security
-
-WORKDIR /docker-bench-security
-
-ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"]
--- a/distros/README.md
+++ b/distros/README.md
@ -1,21 +0,0 @@
-# Distribution specific Dockerfiles
-
-## Requirements
-
-### Dockerfile name
-
-The format should be `Dockerfile.{distribution name}`.
-
-### Keep your images up-to-date
-
-Use the distribution package manager to keep your image up-to-date.
-
-### Labels
-
-Use the following labels in your Dockerfile:
-
-```
-LABEL org.label-schema.name="docker-bench-security" \
-      org.label-schema.url="<YOUR GIT REPOSITORY HTTPS ADDRESS>" \
-      org.label-schema.vcs-url="<YOUR REPOSITORY HTTPS GIT ADDRESS"
-```
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -1,3 +1,4 @@
+services:
  docker-bench-security:
      # use image if you have a dedicated build step:
      #   docker build --rm -t docker-bench-security .
@ -10,7 +11,6 @@ docker-bench-security:
          - audit_control
      labels:
          - docker_bench_security
-    net: host
      pid: host
      stdin_open: true
      tty: true