Merge pull request #526 from konstruktoid/docker

update Docker container instructions, remove out-of-date Dockerfiles
2024-11-01 00:21:45 +01:00 · 2023-06-02 22:18:33 +00:00 · 2023-06-02 22:18:33 +00:00 · 26dc83ed28
commit 26dc83ed28
parent 1d29a1f405 2647070692
10 changed files with 53 additions and 163 deletions
--- a/.github/workflows/slsa.yml
+++ b/.github/workflows/slsa.yml
@ -24,7 +24,7 @@ jobs:

      - name: Build artifacts
        run: |
-          find *.sh distros/* functions/* tests/* Dockerfile Vagrantfile -exec sha256sum {} \; > ${{ env.REPOSITORY_NAME }}.sha256
+          find *.sh functions/* tests/* Dockerfile Vagrantfile -exec sha256sum {} \; > ${{ env.REPOSITORY_NAME }}.sha256

      - name: Generate hashes
        shell: bash
--- a/8
+++ b/8
@ -1,4 +1,4 @@
-FROM alpine:3.15
+FROM alpine:3.18

 LABEL \
  org.label-schema.name="docker-bench-security" \
@ -6,9 +6,9 @@ LABEL \
  org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"

 RUN apk add --no-cache iproute2 \
-                       docker-cli \
-                       dumb-init \
-                       jq
+    docker-cli \
+    dumb-init \
+    jq

 COPY . /usr/local/bin/

--- a/README.md
+++ b/README.md
@ -4,7 +4,7 @@

 The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are based on the [CIS Docker Benchmark v1.5.0](https://www.cisecurity.org/benchmark/docker/).

-We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and docker containers against this benchmark.
+We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and Docker containers against this benchmark.

 Release | CIS |
 :---:|:---:|
@ -30,11 +30,33 @@ sudo sh docker-bench-security.sh

 ### Run with Docker

+#### Building Docker image
+
+You have two options if you wish to build and run this container yourself:
+
+1. Use Docker Build:
+
+```sh
+git clone https://github.com/docker/docker-bench-security.git
+cd docker-bench-security
+docker build --no-cache -t docker-bench-security .
+```
+
+Followed by an appropriate `docker run` command as stated above.
+
+2. Use Docker Compose:
+
+```sh
+git clone https://github.com/docker/docker-bench-security.git
+cd docker-bench-security
+docker-compose run --rm docker-bench-security
+```
+
 _Please note that the `docker/docker-bench-security` image is out-of-date and and a manual build is required. See [#405](https://github.com/docker/docker-bench-security/issues/405) for more information._

-We packaged docker bench as a small container for your convenience. Note that this container is being run with a *lot* of privilege -- sharing the host's filesystem, pid and network namespaces, due to portions of the benchmark applying to the running host.
+Note that this container is being run with a *lot* of privilege -- sharing the host's filesystem, pid and network namespaces, due to portions of the benchmark applying to the running host.

-The easiest way to run your hosts against the Docker Bench for Security is by running our pre-built container:
+### Using the container

 ```sh
 docker run --rm --net host --pid host --userns host --cap-add audit_control \
@ -46,7 +68,7 @@ docker run --rm --net host --pid host --userns host --cap-add audit_control \
    -v /var/lib:/var/lib:ro \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    --label docker_bench_security \
-    docker/docker-bench-security
+    docker-bench-security
 ```

 Don't forget to adjust the shared volumes according to your operating system.
@ -66,7 +88,7 @@ docker run --rm --net host --pid host --userns host --cap-add audit_control \
    -v /var/lib:/var/lib:ro \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    --label docker_bench_security \
-    docker/docker-bench-security
+    docker-bench-security
 ```

 2. The /etc/hostname file is missing on macOS, so it will need to be created first. Also, `Docker Desktop` on macOS doesn't have `/usr/lib/systemd` or the above Docker
@ -81,7 +103,7 @@ docker run --rm --net host --pid host --userns host --cap-add audit_control \
    -v /var/lib:/var/lib:ro \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    --label docker_bench_security \
-    docker/docker-bench-security
+    docker-bench-security
 ```

 ### Note
@ -119,32 +141,10 @@ The CIS based checks are named `check_<section>_<number>`, e.g. `check_2_6` and

 `sh docker-bench-security.sh -e docker_enterprise_configuration` will run all available checks except the docker_enterprise_configuration group

-`sh docker-bench-security.sh -e docker_enterprise_configuration,check_2_2` will run allavailable checks except the docker_enterprise_configuration group and `2.2 Ensure the logging level is set to 'info'`
+`sh docker-bench-security.sh -e docker_enterprise_configuration,check_2_2` will run all available checks except the docker_enterprise_configuration group and `2.2 Ensure the logging level is set to 'info'`

 `sh docker-bench-security.sh -c container_images,container_runtime` will run just the container_images and container_runtime checks

 `sh docker-bench-security.sh -c container_images -e check_4_5` will run just the container_images checks except `4.5 Ensure Content trust for Docker is Enabled`

 Note that when submitting checks, provide information why it is a reasonable test to add and please include some kind of official documentation verifying that information.
-
-## Building Docker image
-
-You have two options if you wish to build and run this container yourself:
-
-1. Use Docker Build:
-
-```sh
-git clone https://github.com/docker/docker-bench-security.git
-cd docker-bench-security
-docker build --no-cache -t docker-bench-security .
-```
-
-Followed by an appropriate `docker run` command as stated above.
-
-2. Use Docker Compose:
-
-```sh
-git clone https://github.com/docker/docker-bench-security.git
-cd docker-bench-security
-docker-compose run --rm docker-bench-security
-```
--- a/distros/Dockerfile.alpine
+++ b/distros/Dockerfile.alpine
@ -1,19 +0,0 @@
-FROM alpine:3.13
-
-LABEL \
-  org.label-schema.name="docker-bench-security" \
-  org.label-schema.url="https://dockerbench.com" \
-  org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"
-
-RUN apk add --no-cache iproute2 \
-                       docker-cli \
-                       dumb-init
-
-COPY . /usr/local/bin/
-
-HEALTHCHECK CMD exit 0
-
-WORKDIR /usr/local/bin
-
-ENTRYPOINT [ "/usr/bin/dumb-init", "docker-bench-security.sh" ]
-CMD [""]
--- a/distros/Dockerfile.centos
+++ b/distros/Dockerfile.centos
@ -1,15 +0,0 @@
-# REPOSITORY https://github.com/fatherlinux/docker-bench-security
-
-FROM centos
-
-MAINTAINER smccarty@redhat.com
-
-RUN yum install -y docker iproute audit procps-ng; yum clean all
-
-RUN mkdir /docker-bench-security
-
-COPY . /docker-bench-security
-
-WORKDIR /docker-bench-security
-
-ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"]
--- a/distros/Dockerfile.debian
+++ b/distros/Dockerfile.debian
@ -1,24 +0,0 @@
-FROM debian:sid@sha256:022a3cafe84d704c272794863ca5e383667c99312358e816ad1ff6e9a41ce4f6
-
-LABEL org.label-schema.name="docker-bench-security" \
-      org.label-schema.url="https://github.com/konstruktoid/docker-bench-security" \
-      org.label-schema.vcs-url="https://github.com/konstruktoid/docker-bench-security.git"
-
-RUN \
-    apt-get update && \
-    apt-get -y upgrade && \
-    apt-get -y install auditd ca-certificates docker.io \
-      gawk iproute2 procps --no-install-recommends && \
-    apt-get -y clean && \
-    apt-get -y autoremove && \
-    rm -rf /var/lib/apt/lists/* \
-      /usr/share/doc /usr/share/doc-base \
-      /usr/share/man /usr/share/locale /usr/share/zoneinfo
-
-RUN mkdir /docker-bench-security
-
-COPY . /docker-bench-security
-
-WORKDIR /docker-bench-security
-
-ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"]
--- a/distros/Dockerfile.openSUSE
+++ b/distros/Dockerfile.openSUSE
@ -1,13 +0,0 @@
-# REPOSITORY https://github.com/docker/docker-bench-security
-FROM opensuse/leap:latest
-
-RUN zypper -n in audit docker iproute2 && \
-    mkdir /docker-bench-security && \
-    rm /usr/bin/awk && \
-    cp /usr/bin/gawk /usr/bin/awk
-
-COPY . /docker-bench-security
-
-WORKDIR /docker-bench-security
-
-ENTRYPOINT ["/bin/bash", "docker-bench-security.sh"]
--- a/distros/Dockerfile.rhel
+++ b/distros/Dockerfile.rhel
@ -1,18 +0,0 @@
-# REPOSITORY https://github.com/fatherlinux/docker-bench-security
-
-FROM rhel7
-
-MAINTAINER smccarty@redhat.com
-
-RUN yum install -y yum-utils; yum clean all
-RUN yum-config-manager --disable "*" &>/dev/null
-RUN yum-config-manager --enable rhel-7-server-rpms --enable rhel-7-server-extras-rpms
-RUN yum install -y docker iproute audit procps-ng; yum clean all
-
-RUN mkdir /docker-bench-security
-
-COPY . /docker-bench-security
-
-WORKDIR /docker-bench-security
-
-ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"]
--- a/distros/README.md
+++ b/distros/README.md
@ -1,21 +0,0 @@
-# Distribution specific Dockerfiles
-
-## Requirements
-
-### Dockerfile name
-
-The format should be `Dockerfile.{distribution name}`.
-
-### Keep your images up-to-date
-
-Use the distribution package manager to keep your image up-to-date.
-
-### Labels
-
-Use the following labels in your Dockerfile:
-
-```
-LABEL org.label-schema.name="docker-bench-security" \
-      org.label-schema.url="<YOUR GIT REPOSITORY HTTPS ADDRESS>" \
-      org.label-schema.vcs-url="<YOUR REPOSITORY HTTPS GIT ADDRESS"
-```
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -1,21 +1,21 @@
-docker-bench-security:
-    # use image if you have a dedicated build step:
-    #   docker build --rm -t docker-bench-security .
-    # image: docker-bench-security
+services:
+  docker-bench-security:
+      # use image if you have a dedicated build step:
+      #   docker build --rm -t docker-bench-security .
+      # image: docker-bench-security

-    # use build path to Dockerfile if docker-compose should build the image
-    build: .
+      # use build path to Dockerfile if docker-compose should build the image
+      build: .

-    cap_add:
-        - audit_control
-    labels:
-        - docker_bench_security
-    net: host
-    pid: host
-    stdin_open: true
-    tty: true
-    volumes:
-        - /var/lib:/var/lib:ro
-        - /var/run/docker.sock:/var/run/docker.sock:ro
-        - /usr/lib/systemd:/usr/lib/systemd:ro
-        - /etc:/etc:ro
+      cap_add:
+          - audit_control
+      labels:
+          - docker_bench_security
+      pid: host
+      stdin_open: true
+      tty: true
+      volumes:
+          - /var/lib:/var/lib:ro
+          - /var/run/docker.sock:/var/run/docker.sock:ro
+          - /usr/lib/systemd:/usr/lib/systemd:ro
+          - /etc:/etc:ro