mirror of
https://github.com/docker/docker-bench-security.git
synced 2025-01-18 16:22:33 +01:00
Merge pull request #526 from konstruktoid/docker
update Docker container instructions, remove out-of-date Dockerfiles
This commit is contained in:
commit
26dc83ed28
10 changed files with 53 additions and 163 deletions
2
.github/workflows/slsa.yml
vendored
|
@ -24,7 +24,7 @@ jobs:
|
||||||
|
|
||||||
- name: Build artifacts
|
- name: Build artifacts
|
||||||
run: |
|
run: |
|
||||||
find *.sh distros/* functions/* tests/* Dockerfile Vagrantfile -exec sha256sum {} \; > ${{ env.REPOSITORY_NAME }}.sha256
|
find *.sh functions/* tests/* Dockerfile Vagrantfile -exec sha256sum {} \; > ${{ env.REPOSITORY_NAME }}.sha256
|
||||||
|
|
||||||
- name: Generate hashes
|
- name: Generate hashes
|
||||||
shell: bash
|
shell: bash
|
||||||
|
|
|
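Review bot: with `distros/*` gone the manifest glob now matches the deletions in this PR, but the `find ... -exec sha256sum {} \;` line still emits hashes in filesystem directory order, so the `${{ env.REPOSITORY_NAME }}.sha256` artifact is not byte-for-byte reproducible across runners. Pipe the file list through `sort` (for example `find *.sh functions/* tests/* Dockerfile Vagrantfile -type f | sort | xargs sha256sum > ...`) so the provenance artifact is stable.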
@ -1,4 +1,4 @@
|
||||||
FROM alpine:3.15
|
FROM alpine:3.18
|
||||||
|
|
||||||
LABEL \
|
LABEL \
|
||||||
org.label-schema.name="docker-bench-security" \
|
org.label-schema.name="docker-bench-security" \
|
||||||
|
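Review bot: `FROM alpine:3.18` bumps a mutable tag; for an image whose purpose is a security benchmark, pin the base by digest (`alpine:3.18@sha256:<digest>`, placeholder) the way the Debian Dockerfile deleted further down in this PR did with `debian:sid@sha256:...`, so rebuilds are reproducible and the hashes produced by the SLSA workflow cover a known base image.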
@ -6,9 +6,9 @@ LABEL \
|
||||||
org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"
|
org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"
|
||||||
|
|
||||||
RUN apk add --no-cache iproute2 \
|
RUN apk add --no-cache iproute2 \
|
||||||
docker-cli \
|
docker-cli \
|
||||||
dumb-init \
|
dumb-init \
|
||||||
jq
|
jq
|
||||||
|
|
||||||
COPY . /usr/local/bin/
|
COPY . /usr/local/bin/
|
||||||
|
|
||||||
|
|
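Review bot: the unchanged `COPY . /usr/local/bin/` context line copies the whole build context, including `.git` and `.github`, into a directory that is on `PATH`; add a `.dockerignore` or copy only what the script needs (`*.sh`, `functions/`, `tests/`, the same set the SLSA workflow hashes). The added `jq` is fine, but note that the other `apk add` entries are unpinned too, so the image contents still drift between builds of the same tag.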
58
README.md
|
@ -4,7 +4,7 @@
|
||||||
|
|
||||||
The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are based on the [CIS Docker Benchmark v1.5.0](https://www.cisecurity.org/benchmark/docker/).
|
The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are based on the [CIS Docker Benchmark v1.5.0](https://www.cisecurity.org/benchmark/docker/).
|
||||||
|
|
||||||
We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and docker containers against this benchmark.
|
We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and Docker containers against this benchmark.
|
||||||
|
|
||||||
Release | CIS |
|
Release | CIS |
|
||||||
:---:|:---:|
|
:---:|:---:|
|
||||||
|
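Review bot: style point on the context line above the changed sentence: "common best-practices" should be "common best practices" (no hyphen when used as a noun); since this hunk already touches the neighbouring capitalisation of "Docker containers", fix both in one pass.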
@ -30,11 +30,33 @@ sudo sh docker-bench-security.sh
|
||||||
|
|
||||||
### Run with Docker
|
### Run with Docker
|
||||||
|
|
||||||
|
#### Building Docker image
|
||||||
|
|
||||||
|
You have two options if you wish to build and run this container yourself:
|
||||||
|
|
||||||
|
1. Use Docker Build:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
git clone https://github.com/docker/docker-bench-security.git
|
||||||
|
cd docker-bench-security
|
||||||
|
docker build --no-cache -t docker-bench-security .
|
||||||
|
```
|
||||||
|
|
||||||
|
Followed by an appropriate `docker run` command as stated above.
|
||||||
|
|
||||||
|
2. Use Docker Compose:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
git clone https://github.com/docker/docker-bench-security.git
|
||||||
|
cd docker-bench-security
|
||||||
|
docker-compose run --rm docker-bench-security
|
||||||
|
```
|
||||||
|
|
||||||
_Please note that the `docker/docker-bench-security` image is out-of-date and and a manual build is required. See [#405](https://github.com/docker/docker-bench-security/issues/405) for more information._
|
_Please note that the `docker/docker-bench-security` image is out-of-date and and a manual build is required. See [#405](https://github.com/docker/docker-bench-security/issues/405) for more information._
|
||||||
|
|
||||||
We packaged docker bench as a small container for your convenience. Note that this container is being run with a *lot* of privilege -- sharing the host's filesystem, pid and network namespaces, due to portions of the benchmark applying to the running host.
|
Note that this container is being run with a *lot* of privilege -- sharing the host's filesystem, pid and network namespaces, due to portions of the benchmark applying to the running host.
|
||||||
|
|
||||||
The easiest way to run your hosts against the Docker Bench for Security is by running our pre-built container:
|
### Using the container
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
docker run --rm --net host --pid host --userns host --cap-add audit_control \
|
docker run --rm --net host --pid host --userns host --cap-add audit_control \
|
||||||
|
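Review bot: the relocated build section still says "Followed by an appropriate `docker run` command as stated above", but after this move the run command appears below it, under the new `### Using the container` heading; change "above" to "below". Two smaller points in the same region: the retained note on the `docker/docker-bench-security` image still reads "out-of-date and and a manual build", and `#### Building Docker image` is one level deeper than `### Using the container` although both are sub-steps of `### Run with Docker`, so give them the same heading level.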
@ -46,7 +68,7 @@ docker run --rm --net host --pid host --userns host --cap-add audit_control \
|
||||||
-v /var/lib:/var/lib:ro \
|
-v /var/lib:/var/lib:ro \
|
||||||
-v /var/run/docker.sock:/var/run/docker.sock:ro \
|
-v /var/run/docker.sock:/var/run/docker.sock:ro \
|
||||||
--label docker_bench_security \
|
--label docker_bench_security \
|
||||||
docker/docker-bench-security
|
docker-bench-security
|
||||||
```
|
```
|
||||||
|
|
||||||
Don't forget to adjust the shared volumes according to your operating system.
|
Don't forget to adjust the shared volumes according to your operating system.
|
||||||
|
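Review bot: the unchanged `-v /var/run/docker.sock:/var/run/docker.sock:ro` line gives a false sense of containment: a read-only bind mount only blocks writes to the socket inode, it does not prevent connecting to the Unix socket, so the container still has the host's full Docker API through it. Since this hunk switches the run command to the locally built `docker-bench-security` image, it would be a good moment to state in the README that `:ro` here does not limit API access and that the privilege warning above covers the socket mount too.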
@ -66,7 +88,7 @@ docker run --rm --net host --pid host --userns host --cap-add audit_control \
|
||||||
-v /var/lib:/var/lib:ro \
|
-v /var/lib:/var/lib:ro \
|
||||||
-v /var/run/docker.sock:/var/run/docker.sock:ro \
|
-v /var/run/docker.sock:/var/run/docker.sock:ro \
|
||||||
--label docker_bench_security \
|
--label docker_bench_security \
|
||||||
docker/docker-bench-security
|
docker-bench-security
|
||||||
```
|
```
|
||||||
|
|
||||||
2. The /etc/hostname file is missing on macOS, so it will need to be created first. Also, `Docker Desktop` on macOS doesn't have `/usr/lib/systemd` or the above Docker
|
2. The /etc/hostname file is missing on macOS, so it will need to be created first. Also, `Docker Desktop` on macOS doesn't have `/usr/lib/systemd` or the above Docker
|
||||||
|
@ -81,7 +103,7 @@ docker run --rm --net host --pid host --userns host --cap-add audit_control \
|
||||||
-v /var/lib:/var/lib:ro \
|
-v /var/lib:/var/lib:ro \
|
||||||
-v /var/run/docker.sock:/var/run/docker.sock:ro \
|
-v /var/run/docker.sock:/var/run/docker.sock:ro \
|
||||||
--label docker_bench_security \
|
--label docker_bench_security \
|
||||||
docker/docker-bench-security
|
docker-bench-security
|
||||||
```
|
```
|
||||||
|
|
||||||
### Note
|
### Note
|
||||||
|
@ -119,32 +141,10 @@ The CIS based checks are named `check_<section>_<number>`, e.g. `check_2_6` and
|
||||||
|
|
||||||
`sh docker-bench-security.sh -e docker_enterprise_configuration` will run all available checks except the docker_enterprise_configuration group
|
`sh docker-bench-security.sh -e docker_enterprise_configuration` will run all available checks except the docker_enterprise_configuration group
|
||||||
|
|
||||||
`sh docker-bench-security.sh -e docker_enterprise_configuration,check_2_2` will run allavailable checks except the docker_enterprise_configuration group and `2.2 Ensure the logging level is set to 'info'`
|
`sh docker-bench-security.sh -e docker_enterprise_configuration,check_2_2` will run all available checks except the docker_enterprise_configuration group and `2.2 Ensure the logging level is set to 'info'`
|
||||||
|
|
||||||
`sh docker-bench-security.sh -c container_images,container_runtime` will run just the container_images and container_runtime checks
|
`sh docker-bench-security.sh -c container_images,container_runtime` will run just the container_images and container_runtime checks
|
||||||
|
|
||||||
`sh docker-bench-security.sh -c container_images -e check_4_5` will run just the container_images checks except `4.5 Ensure Content trust for Docker is Enabled`
|
`sh docker-bench-security.sh -c container_images -e check_4_5` will run just the container_images checks except `4.5 Ensure Content trust for Docker is Enabled`
|
||||||
|
|
||||||
Note that when submitting checks, provide information why it is a reasonable test to add and please include some kind of official documentation verifying that information.
|
Note that when submitting checks, provide information why it is a reasonable test to add and please include some kind of official documentation verifying that information.
|
||||||
|
|
||||||
## Building Docker image
|
|
||||||
|
|
||||||
You have two options if you wish to build and run this container yourself:
|
|
||||||
|
|
||||||
1. Use Docker Build:
|
|
||||||
|
|
||||||
```sh
|
|
||||||
git clone https://github.com/docker/docker-bench-security.git
|
|
||||||
cd docker-bench-security
|
|
||||||
docker build --no-cache -t docker-bench-security .
|
|
||||||
```
|
|
||||||
|
|
||||||
Followed by an appropriate `docker run` command as stated above.
|
|
||||||
|
|
||||||
2. Use Docker Compose:
|
|
||||||
|
|
||||||
```sh
|
|
||||||
git clone https://github.com/docker/docker-bench-security.git
|
|
||||||
cd docker-bench-security
|
|
||||||
docker-compose run --rm docker-bench-security
|
|
||||||
```
|
|
||||||
|
|
|
@ -1,19 +0,0 @@
|
||||||
FROM alpine:3.13
|
|
||||||
|
|
||||||
LABEL \
|
|
||||||
org.label-schema.name="docker-bench-security" \
|
|
||||||
org.label-schema.url="https://dockerbench.com" \
|
|
||||||
org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"
|
|
||||||
|
|
||||||
RUN apk add --no-cache iproute2 \
|
|
||||||
docker-cli \
|
|
||||||
dumb-init
|
|
||||||
|
|
||||||
COPY . /usr/local/bin/
|
|
||||||
|
|
||||||
HEALTHCHECK CMD exit 0
|
|
||||||
|
|
||||||
WORKDIR /usr/local/bin
|
|
||||||
|
|
||||||
ENTRYPOINT [ "/usr/bin/dumb-init", "docker-bench-security.sh" ]
|
|
||||||
CMD [""]
|
|
|
@ -1,15 +0,0 @@
|
||||||
# REPOSITORY https://github.com/fatherlinux/docker-bench-security
|
|
||||||
|
|
||||||
FROM centos
|
|
||||||
|
|
||||||
MAINTAINER smccarty@redhat.com
|
|
||||||
|
|
||||||
RUN yum install -y docker iproute audit procps-ng; yum clean all
|
|
||||||
|
|
||||||
RUN mkdir /docker-bench-security
|
|
||||||
|
|
||||||
COPY . /docker-bench-security
|
|
||||||
|
|
||||||
WORKDIR /docker-bench-security
|
|
||||||
|
|
||||||
ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"]
|
|
|
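Review bot: removing this file is right; the untagged `FROM centos` resolved to `centos:latest`, an image that is no longer maintained, `MAINTAINER` is deprecated in favour of a `LABEL`, and `yum install -y docker` pulled an outdated engine. Nothing else in the PR should keep referencing the distro builds, and the SLSA workflow hunk at the top already drops `distros/*` from its hash list.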
@ -1,24 +0,0 @@
|
||||||
FROM debian:sid@sha256:022a3cafe84d704c272794863ca5e383667c99312358e816ad1ff6e9a41ce4f6
|
|
||||||
|
|
||||||
LABEL org.label-schema.name="docker-bench-security" \
|
|
||||||
org.label-schema.url="https://github.com/konstruktoid/docker-bench-security" \
|
|
||||||
org.label-schema.vcs-url="https://github.com/konstruktoid/docker-bench-security.git"
|
|
||||||
|
|
||||||
RUN \
|
|
||||||
apt-get update && \
|
|
||||||
apt-get -y upgrade && \
|
|
||||||
apt-get -y install auditd ca-certificates docker.io \
|
|
||||||
gawk iproute2 procps --no-install-recommends && \
|
|
||||||
apt-get -y clean && \
|
|
||||||
apt-get -y autoremove && \
|
|
||||||
rm -rf /var/lib/apt/lists/* \
|
|
||||||
/usr/share/doc /usr/share/doc-base \
|
|
||||||
/usr/share/man /usr/share/locale /usr/share/zoneinfo
|
|
||||||
|
|
||||||
RUN mkdir /docker-bench-security
|
|
||||||
|
|
||||||
COPY . /docker-bench-security
|
|
||||||
|
|
||||||
WORKDIR /docker-bench-security
|
|
||||||
|
|
||||||
ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"]
|
|
|
@ -1,13 +0,0 @@
|
||||||
# REPOSITORY https://github.com/docker/docker-bench-security
|
|
||||||
FROM opensuse/leap:latest
|
|
||||||
|
|
||||||
RUN zypper -n in audit docker iproute2 && \
|
|
||||||
mkdir /docker-bench-security && \
|
|
||||||
rm /usr/bin/awk && \
|
|
||||||
cp /usr/bin/gawk /usr/bin/awk
|
|
||||||
|
|
||||||
COPY . /docker-bench-security
|
|
||||||
|
|
||||||
WORKDIR /docker-bench-security
|
|
||||||
|
|
||||||
ENTRYPOINT ["/bin/bash", "docker-bench-security.sh"]
|
|
|
@ -1,18 +0,0 @@
|
||||||
# REPOSITORY https://github.com/fatherlinux/docker-bench-security
|
|
||||||
|
|
||||||
FROM rhel7
|
|
||||||
|
|
||||||
MAINTAINER smccarty@redhat.com
|
|
||||||
|
|
||||||
RUN yum install -y yum-utils; yum clean all
|
|
||||||
RUN yum-config-manager --disable "*" &>/dev/null
|
|
||||||
RUN yum-config-manager --enable rhel-7-server-rpms --enable rhel-7-server-extras-rpms
|
|
||||||
RUN yum install -y docker iproute audit procps-ng; yum clean all
|
|
||||||
|
|
||||||
RUN mkdir /docker-bench-security
|
|
||||||
|
|
||||||
COPY . /docker-bench-security
|
|
||||||
|
|
||||||
WORKDIR /docker-bench-security
|
|
||||||
|
|
||||||
ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"]
|
|
|
@ -1,21 +0,0 @@
|
||||||
# Distribution specific Dockerfiles
|
|
||||||
|
|
||||||
## Requirements
|
|
||||||
|
|
||||||
### Dockerfile name
|
|
||||||
|
|
||||||
The format should be `Dockerfile.{distribution name}`.
|
|
||||||
|
|
||||||
### Keep your images up-to-date
|
|
||||||
|
|
||||||
Use the distribution package manager to keep your image up-to-date.
|
|
||||||
|
|
||||||
### Labels
|
|
||||||
|
|
||||||
Use the following labels in your Dockerfile:
|
|
||||||
|
|
||||||
```
|
|
||||||
LABEL org.label-schema.name="docker-bench-security" \
|
|
||||||
org.label-schema.url="<YOUR GIT REPOSITORY HTTPS ADDRESS>" \
|
|
||||||
org.label-schema.vcs-url="<YOUR REPOSITORY HTTPS GIT ADDRESS"
|
|
||||||
```
|
|
|
@ -1,21 +1,21 @@
|
||||||
docker-bench-security:
|
services:
|
||||||
# use image if you have a dedicated build step:
|
docker-bench-security:
|
||||||
# docker build --rm -t docker-bench-security .
|
# use image if you have a dedicated build step:
|
||||||
# image: docker-bench-security
|
# docker build --rm -t docker-bench-security .
|
||||||
|
# image: docker-bench-security
|
||||||
|
|
||||||
# use build path to Dockerfile if docker-compose should build the image
|
# use build path to Dockerfile if docker-compose should build the image
|
||||||
build: .
|
build: .
|
||||||
|
|
||||||
cap_add:
|
cap_add:
|
||||||
- audit_control
|
- audit_control
|
||||||
labels:
|
labels:
|
||||||
- docker_bench_security
|
- docker_bench_security
|
||||||
net: host
|
pid: host
|
||||||
pid: host
|
stdin_open: true
|
||||||
stdin_open: true
|
tty: true
|
||||||
tty: true
|
volumes:
|
||||||
volumes:
|
- /var/lib:/var/lib:ro
|
||||||
- /var/lib:/var/lib:ro
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
- /usr/lib/systemd:/usr/lib/systemd:ro
|
||||||
- /usr/lib/systemd:/usr/lib/systemd:ro
|
- /etc:/etc:ro
|
||||||
- /etc:/etc:ro
|
|
||||||
|
|
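Review bot: the conversion to the `services:` layout drops `net: host` without replacing it; in the v2+ file format the equivalent key is `network_mode: host`, and without it the service no longer shares the host network namespace that the README's `docker run --net host` command and the host-level checks rely on. Add `network_mode: host` next to `pid: host` (and consider `userns_mode: host` to match `--userns host` in the README). Since the file now uses the `services:` format, the README's `docker-compose run --rm docker-bench-security` can also be written as `docker compose run --rm docker-bench-security`.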