From cf7b13d5ba0f550424cf25eca0189c99a8fa3684 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Mon, 15 Jun 2015 22:15:24 +0200 Subject: [PATCH] add cap_audit_control for auditctl to work MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- README.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 74de8e8..a5f6dba 100644 --- a/README.md +++ b/README.md @@ -14,11 +14,12 @@ The easiest way to run your hosts against the CIS Docker 1.6 benchmark is by run ```sh -docker run -it --net host --pid host -v /var/lib:/var/lib \ +docker run -it --net host --pid host --cap-add audit_control \ + -v /var/lib:/var/lib \ -v /var/run/docker.sock:/var/run/docker.sock \ -v /usr/lib/systemd:/usr/lib/systemd \ -v /etc:/etc --label docker-bench-security \ - diogomonica/docker-bench-security + docker-bench-security ``` Docker bench requires Docker 1.6.2 or later in order to run, since it depends on the `--label` to exclude the current container from being inspected. If you can't upgrade to 1.6.2, I feel free to remove the `--label` flag or run the shell script locally (see below). @@ -30,10 +31,11 @@ Additionally, there was a bug in Docker 1.6.0 that would not allow mounting `-v If you wish to build and run this container yourself, you can follow the following steps: ```sh -git clone https://github.com/diogomonica/docker-bench-security.git +git clone https://github.com/docker/docker-bench-security.git cd docker-bench-security docker build -t docker-bench-security . -docker run -it --net host --pid host -v /var/lib:/var/lib \ +docker run -it --net host --pid host --cap-add audit_control \ + -v /var/lib:/var/lib \ -v /var/run/docker.sock:/var/run/docker.sock \ -v /usr/lib/systemd:/usr/lib/systemd \ -v /etc:/etc --label security-benchmark \
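Review bot: the image reference change in the last `-`/`+` pair of the first hunk (`diogomonica/docker-bench-security` to a bare `docker-bench-security`) is not covered by the commit subject and changes what this "easiest way to run" section means: an unqualified `docker-bench-security` tag resolves to a locally built image, so the command fails for anyone who has not first run the build steps further down the README. Either keep a registry-qualified image name here or state that the build step is a prerequisite. On the `--cap-add audit_control` line itself, adding a single capability instead of `--privileged` is the right shape, but the surrounding prose should say why the container needs CAP_AUDIT_CONTROL (auditctl needs it to query the kernel audit rules and status that the audit checks inspect) and that the kernel audit subsystem is host-wide, so a container holding this capability can also alter the host's audit rules, which readers of a security benchmark will want spelled out.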
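Review bot: the clone URL change in the second hunk (`github.com/diogomonica/...` to `github.com/docker/...`) is an unrelated fix bundled under a subject about CAP_AUDIT_CONTROL; split it into its own commit or mention the repository move in the commit message so the history explains it. The two documented `docker run` invocations should also be kept in sync: the context lines show the first using `--label docker-bench-security` and the second `--label security-benchmark`, while the README text says the `--label` value is what excludes the benchmark container from being inspected, so whichever value the script actually checks should appear in both commands.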