mirror of
https://github.com/docker/docker-bench-security.git
synced 2024-11-01 00:21:45 +01:00
update Docker container instructions, remove out-of-date Dockerfiles
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
This commit is contained in:
parent
1d29a1f405
commit
2647070692
10 changed files with 53 additions and 163 deletions
2
.github/workflows/slsa.yml
vendored
2
.github/workflows/slsa.yml
vendored
|
@ -24,7 +24,7 @@ jobs:
|
|||
|
||||
- name: Build artifacts
|
||||
run: |
|
||||
find *.sh distros/* functions/* tests/* Dockerfile Vagrantfile -exec sha256sum {} \; > ${{ env.REPOSITORY_NAME }}.sha256
|
||||
find *.sh functions/* tests/* Dockerfile Vagrantfile -exec sha256sum {} \; > ${{ env.REPOSITORY_NAME }}.sha256
|
||||
|
||||
- name: Generate hashes
|
||||
shell: bash
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
FROM alpine:3.15
|
||||
FROM alpine:3.18
|
||||
|
||||
LABEL \
|
||||
org.label-schema.name="docker-bench-security" \
|
||||
|
@ -6,9 +6,9 @@ LABEL \
|
|||
org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"
|
||||
|
||||
RUN apk add --no-cache iproute2 \
|
||||
docker-cli \
|
||||
dumb-init \
|
||||
jq
|
||||
docker-cli \
|
||||
dumb-init \
|
||||
jq
|
||||
|
||||
COPY . /usr/local/bin/
|
||||
|
||||
|
|
58
README.md
58
README.md
|
@ -4,7 +4,7 @@
|
|||
|
||||
The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are based on the [CIS Docker Benchmark v1.5.0](https://www.cisecurity.org/benchmark/docker/).
|
||||
|
||||
We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and docker containers against this benchmark.
|
||||
We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and Docker containers against this benchmark.
|
||||
|
||||
Release | CIS |
|
||||
:---:|:---:|
|
||||
|
@ -30,11 +30,33 @@ sudo sh docker-bench-security.sh
|
|||
|
||||
### Run with Docker
|
||||
|
||||
#### Building Docker image
|
||||
|
||||
You have two options if you wish to build and run this container yourself:
|
||||
|
||||
1. Use Docker Build:
|
||||
|
||||
```sh
|
||||
git clone https://github.com/docker/docker-bench-security.git
|
||||
cd docker-bench-security
|
||||
docker build --no-cache -t docker-bench-security .
|
||||
```
|
||||
|
||||
Followed by an appropriate `docker run` command as stated above.
|
||||
|
||||
2. Use Docker Compose:
|
||||
|
||||
```sh
|
||||
git clone https://github.com/docker/docker-bench-security.git
|
||||
cd docker-bench-security
|
||||
docker-compose run --rm docker-bench-security
|
||||
```
|
||||
|
||||
_Please note that the `docker/docker-bench-security` image is out-of-date and and a manual build is required. See [#405](https://github.com/docker/docker-bench-security/issues/405) for more information._
|
||||
|
||||
We packaged docker bench as a small container for your convenience. Note that this container is being run with a *lot* of privilege -- sharing the host's filesystem, pid and network namespaces, due to portions of the benchmark applying to the running host.
|
||||
Note that this container is being run with a *lot* of privilege -- sharing the host's filesystem, pid and network namespaces, due to portions of the benchmark applying to the running host.
|
||||
|
||||
The easiest way to run your hosts against the Docker Bench for Security is by running our pre-built container:
|
||||
### Using the container
|
||||
|
||||
```sh
|
||||
docker run --rm --net host --pid host --userns host --cap-add audit_control \
|
||||
|
@ -46,7 +68,7 @@ docker run --rm --net host --pid host --userns host --cap-add audit_control \
|
|||
-v /var/lib:/var/lib:ro \
|
||||
-v /var/run/docker.sock:/var/run/docker.sock:ro \
|
||||
--label docker_bench_security \
|
||||
docker/docker-bench-security
|
||||
docker-bench-security
|
||||
```
|
||||
|
||||
Don't forget to adjust the shared volumes according to your operating system.
|
||||
|
@ -66,7 +88,7 @@ docker run --rm --net host --pid host --userns host --cap-add audit_control \
|
|||
-v /var/lib:/var/lib:ro \
|
||||
-v /var/run/docker.sock:/var/run/docker.sock:ro \
|
||||
--label docker_bench_security \
|
||||
docker/docker-bench-security
|
||||
docker-bench-security
|
||||
```
|
||||
|
||||
2. The /etc/hostname file is missing on macOS, so it will need to be created first. Also, `Docker Desktop` on macOS doesn't have `/usr/lib/systemd` or the above Docker
|
||||
|
@ -81,7 +103,7 @@ docker run --rm --net host --pid host --userns host --cap-add audit_control \
|
|||
-v /var/lib:/var/lib:ro \
|
||||
-v /var/run/docker.sock:/var/run/docker.sock:ro \
|
||||
--label docker_bench_security \
|
||||
docker/docker-bench-security
|
||||
docker-bench-security
|
||||
```
|
||||
|
||||
### Note
|
||||
|
@ -119,32 +141,10 @@ The CIS based checks are named `check_<section>_<number>`, e.g. `check_2_6` and
|
|||
|
||||
`sh docker-bench-security.sh -e docker_enterprise_configuration` will run all available checks except the docker_enterprise_configuration group
|
||||
|
||||
`sh docker-bench-security.sh -e docker_enterprise_configuration,check_2_2` will run allavailable checks except the docker_enterprise_configuration group and `2.2 Ensure the logging level is set to 'info'`
|
||||
`sh docker-bench-security.sh -e docker_enterprise_configuration,check_2_2` will run all available checks except the docker_enterprise_configuration group and `2.2 Ensure the logging level is set to 'info'`
|
||||
|
||||
`sh docker-bench-security.sh -c container_images,container_runtime` will run just the container_images and container_runtime checks
|
||||
|
||||
`sh docker-bench-security.sh -c container_images -e check_4_5` will run just the container_images checks except `4.5 Ensure Content trust for Docker is Enabled`
|
||||
|
||||
Note that when submitting checks, provide information why it is a reasonable test to add and please include some kind of official documentation verifying that information.
|
||||
|
||||
## Building Docker image
|
||||
|
||||
You have two options if you wish to build and run this container yourself:
|
||||
|
||||
1. Use Docker Build:
|
||||
|
||||
```sh
|
||||
git clone https://github.com/docker/docker-bench-security.git
|
||||
cd docker-bench-security
|
||||
docker build --no-cache -t docker-bench-security .
|
||||
```
|
||||
|
||||
Followed by an appropriate `docker run` command as stated above.
|
||||
|
||||
2. Use Docker Compose:
|
||||
|
||||
```sh
|
||||
git clone https://github.com/docker/docker-bench-security.git
|
||||
cd docker-bench-security
|
||||
docker-compose run --rm docker-bench-security
|
||||
```
|
||||
|
|
|
@ -1,19 +0,0 @@
|
|||
FROM alpine:3.13
|
||||
|
||||
LABEL \
|
||||
org.label-schema.name="docker-bench-security" \
|
||||
org.label-schema.url="https://dockerbench.com" \
|
||||
org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"
|
||||
|
||||
RUN apk add --no-cache iproute2 \
|
||||
docker-cli \
|
||||
dumb-init
|
||||
|
||||
COPY . /usr/local/bin/
|
||||
|
||||
HEALTHCHECK CMD exit 0
|
||||
|
||||
WORKDIR /usr/local/bin
|
||||
|
||||
ENTRYPOINT [ "/usr/bin/dumb-init", "docker-bench-security.sh" ]
|
||||
CMD [""]
|
|
@ -1,15 +0,0 @@
|
|||
# REPOSITORY https://github.com/fatherlinux/docker-bench-security
|
||||
|
||||
FROM centos
|
||||
|
||||
MAINTAINER smccarty@redhat.com
|
||||
|
||||
RUN yum install -y docker iproute audit procps-ng; yum clean all
|
||||
|
||||
RUN mkdir /docker-bench-security
|
||||
|
||||
COPY . /docker-bench-security
|
||||
|
||||
WORKDIR /docker-bench-security
|
||||
|
||||
ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"]
|
|
@ -1,24 +0,0 @@
|
|||
FROM debian:sid@sha256:022a3cafe84d704c272794863ca5e383667c99312358e816ad1ff6e9a41ce4f6
|
||||
|
||||
LABEL org.label-schema.name="docker-bench-security" \
|
||||
org.label-schema.url="https://github.com/konstruktoid/docker-bench-security" \
|
||||
org.label-schema.vcs-url="https://github.com/konstruktoid/docker-bench-security.git"
|
||||
|
||||
RUN \
|
||||
apt-get update && \
|
||||
apt-get -y upgrade && \
|
||||
apt-get -y install auditd ca-certificates docker.io \
|
||||
gawk iproute2 procps --no-install-recommends && \
|
||||
apt-get -y clean && \
|
||||
apt-get -y autoremove && \
|
||||
rm -rf /var/lib/apt/lists/* \
|
||||
/usr/share/doc /usr/share/doc-base \
|
||||
/usr/share/man /usr/share/locale /usr/share/zoneinfo
|
||||
|
||||
RUN mkdir /docker-bench-security
|
||||
|
||||
COPY . /docker-bench-security
|
||||
|
||||
WORKDIR /docker-bench-security
|
||||
|
||||
ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"]
|
|
@ -1,13 +0,0 @@
|
|||
# REPOSITORY https://github.com/docker/docker-bench-security
|
||||
FROM opensuse/leap:latest
|
||||
|
||||
RUN zypper -n in audit docker iproute2 && \
|
||||
mkdir /docker-bench-security && \
|
||||
rm /usr/bin/awk && \
|
||||
cp /usr/bin/gawk /usr/bin/awk
|
||||
|
||||
COPY . /docker-bench-security
|
||||
|
||||
WORKDIR /docker-bench-security
|
||||
|
||||
ENTRYPOINT ["/bin/bash", "docker-bench-security.sh"]
|
|
@ -1,18 +0,0 @@
|
|||
# REPOSITORY https://github.com/fatherlinux/docker-bench-security
|
||||
|
||||
FROM rhel7
|
||||
|
||||
MAINTAINER smccarty@redhat.com
|
||||
|
||||
RUN yum install -y yum-utils; yum clean all
|
||||
RUN yum-config-manager --disable "*" &>/dev/null
|
||||
RUN yum-config-manager --enable rhel-7-server-rpms --enable rhel-7-server-extras-rpms
|
||||
RUN yum install -y docker iproute audit procps-ng; yum clean all
|
||||
|
||||
RUN mkdir /docker-bench-security
|
||||
|
||||
COPY . /docker-bench-security
|
||||
|
||||
WORKDIR /docker-bench-security
|
||||
|
||||
ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"]
|
|
@ -1,21 +0,0 @@
|
|||
# Distribution specific Dockerfiles
|
||||
|
||||
## Requirements
|
||||
|
||||
### Dockerfile name
|
||||
|
||||
The format should be `Dockerfile.{distribution name}`.
|
||||
|
||||
### Keep your images up-to-date
|
||||
|
||||
Use the distribution package manager to keep your image up-to-date.
|
||||
|
||||
### Labels
|
||||
|
||||
Use the following labels in your Dockerfile:
|
||||
|
||||
```
|
||||
LABEL org.label-schema.name="docker-bench-security" \
|
||||
org.label-schema.url="<YOUR GIT REPOSITORY HTTPS ADDRESS>" \
|
||||
org.label-schema.vcs-url="<YOUR REPOSITORY HTTPS GIT ADDRESS"
|
||||
```
|
|
@ -1,21 +1,21 @@
|
|||
docker-bench-security:
|
||||
# use image if you have a dedicated build step:
|
||||
# docker build --rm -t docker-bench-security .
|
||||
# image: docker-bench-security
|
||||
services:
|
||||
docker-bench-security:
|
||||
# use image if you have a dedicated build step:
|
||||
# docker build --rm -t docker-bench-security .
|
||||
# image: docker-bench-security
|
||||
|
||||
# use build path to Dockerfile if docker-compose should build the image
|
||||
build: .
|
||||
# use build path to Dockerfile if docker-compose should build the image
|
||||
build: .
|
||||
|
||||
cap_add:
|
||||
- audit_control
|
||||
labels:
|
||||
- docker_bench_security
|
||||
net: host
|
||||
pid: host
|
||||
stdin_open: true
|
||||
tty: true
|
||||
volumes:
|
||||
- /var/lib:/var/lib:ro
|
||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
- /usr/lib/systemd:/usr/lib/systemd:ro
|
||||
- /etc:/etc:ro
|
||||
cap_add:
|
||||
- audit_control
|
||||
labels:
|
||||
- docker_bench_security
|
||||
pid: host
|
||||
stdin_open: true
|
||||
tty: true
|
||||
volumes:
|
||||
- /var/lib:/var/lib:ro
|
||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
- /usr/lib/systemd:/usr/lib/systemd:ro
|
||||
- /etc:/etc:ro
|
||||
|
|
Loading…
Reference in a new issue