From 59c289eefec9d6262d3dda5bd4652a52180210ce Mon Sep 17 00:00:00 2001
From: J0WI
Date: Thu, 29 Aug 2019 15:11:10 +0200
Subject: [PATCH] Mount volumes read only
Signed-off-by: J0WI
---
 README.md | 20 ++++++++++----------
 docker-compose.yml | 8 ++++----
 2 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/README.md b/README.md
index 9109302..0a43329 100644
--- a/README.md
+++ b/README.md
@@ -24,12 +24,12 @@ running our pre-built container:
 ```sh
 docker run -it --net host --pid host --userns host --cap-add audit_control \
 -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
- -v /etc:/etc \
- -v /usr/bin/docker-containerd:/usr/bin/docker-containerd \
- -v /usr/bin/docker-runc:/usr/bin/docker-runc \
- -v /usr/lib/systemd:/usr/lib/systemd \
- -v /var/lib:/var/lib \
- -v /var/run/docker.sock:/var/run/docker.sock \
+ -v /etc:/etc:ro \
+ -v /usr/bin/docker-containerd:/usr/bin/docker-containerd:ro \
+ -v /usr/bin/docker-runc:/usr/bin/docker-runc:ro \
+ -v /usr/lib/systemd:/usr/lib/systemd:ro \
+ -v /var/lib:/var/lib:ro \
+ -v /var/run/docker.sock:/var/run/docker.sock:ro \
 --label docker_bench_security \
 docker/docker-bench-security
 ```
@@ -87,10 +87,10 @@ cd docker-bench-security
 docker build --no-cache -t docker-bench-security .
 docker run -it --net host --pid host --cap-add audit_control \
 -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
- -v /var/lib:/var/lib \
- -v /var/run/docker.sock:/var/run/docker.sock \
- -v /usr/lib/systemd:/usr/lib/systemd \
- -v /etc:/etc --label docker_bench_security \
+ -v /var/lib:/var/lib:ro \
+ -v /var/run/docker.sock:/var/run/docker.sock:ro \
+ -v /usr/lib/systemd:/usr/lib/systemd:ro \
+ -v /etc:/etc:ro --label docker_bench_security \
 docker-bench-security
 ```
diff --git a/docker-compose.yml b/docker-compose.yml
index c10a67c..7a88f50 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -15,7 +15,7 @@ docker-bench-security:
 stdin_open: true
 tty: true
 volumes:
- - /var/lib:/var/lib
- - /var/run/docker.sock:/var/run/docker.sock
- - /usr/lib/systemd:/usr/lib/systemd
- - /etc:/etc
+ - /var/lib:/var/lib:ro
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ - /usr/lib/systemd:/usr/lib/systemd:ro
+ - /etc:/etc:ro
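Review bot: The `:ro` added to the `/var/run/docker.sock` entry (second item of the new `volumes` list) does not reduce what the container can do through the Docker API: a read-only bind mount only blocks writes to the filesystem, and connecting to a Unix socket is not affected by the read-only mount flag, so the socket grants exactly the access it did before. The flag is still worthwhile on `/etc`, `/var/lib` and `/usr/lib/systemd`, where it keeps the benchmark from modifying host files, but the file should not let a reader assume the socket is now restricted. I would annotate the line: `- /var/run/docker.sock:/var/run/docker.sock:ro  # :ro does not limit Docker API access through the socket`. The same caveat applies to the two `docker run` commands changed in README.md. The enclosing `docker-bench-security` service definition starts before this hunk.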