docker-bench


Docker Bench for Security

The Docker Bench for Security is a shell script that checks a Docker host against dozens of common best practices for running Docker containers in production. The checks are fully automated and are derived from the CIS Docker Benchmark, so each result is reported under the corresponding CIS check number.

Project Repository: https://github.com/docker/docker-bench-security

Running the Benchmark

The Docker Bench for Security is distributed as a Docker image (the same script can also be cloned from the repository and run directly with sh as root). Because it audits the host, it must run on the host being checked, with access to the host's namespaces and the Docker daemon socket. The following command is adapted from the official documentation:

docker run -it --rm --net host --pid host --userns host --cap-add audit_control \
    -e DOCKER_CONTENT_TRUST="${DOCKER_CONTENT_TRUST:-}" \
    -v /var/lib:/var/lib:ro \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    -v /etc:/etc:ro \
    -v /usr/bin/containerd:/usr/bin/containerd:ro \
    -v /usr/bin/runc:/usr/bin/runc:ro \
    -v /usr/lib/systemd:/usr/lib/systemd:ro \
    --label docker_bench_security \
    docker/docker-bench-security

What the arguments do:

  • -it: Runs the container in interactive mode with a TTY.

  • --rm: Automatically removes the container when it exits.

  • --net host, --pid host, --userns host: Runs the container in the host's network, PID and user namespaces so the script can see host interfaces, host processes (dockerd, containerd, auditd) and real host UIDs. These flags remove most of the isolation a container normally gets; that is acceptable here only because the image is a trusted audit tool, so do not copy them into application containers.

  • --cap-add audit_control: Adds CAP_AUDIT_CONTROL, which the host-configuration checks need in order to read the kernel audit rules (auditctl -l) when verifying that Docker's files and directories are being audited.

  • -e DOCKER_CONTENT_TRUST="${DOCKER_CONTENT_TRUST:-}": Passes the host's DOCKER_CONTENT_TRUST variable into the container (an empty string if it is unset), so the content-trust check reports whether image signature verification is enabled on the host (DOCKER_CONTENT_TRUST=1) rather than inside the benchmark container.

  • -v /path/on/host:/path/in/container:ro: Bind-mounts host directories and files read-only (ro) into the container so the script can inspect the daemon configuration, unit files, binaries and the Docker socket without being able to modify them.

    • /var/lib holds Docker's data directory (/var/lib/docker by default), whose ownership and permissions the benchmark checks.

    • /var/run/docker.sock is the Docker daemon socket. The :ro only makes the socket file itself read-only; the script can still send API requests through it, and anything that can talk to this socket has root-equivalent control of the host. That is expected for an audit tool, but it is another reason the image must be trusted.

    • /etc contains system configuration files, including the daemon configuration under /etc/docker.

    • /usr/bin/containerd and /usr/bin/runc are mounted so the checks that cover those binaries (for example, that audit rules exist for them) can see that they are present.

    • /usr/lib/systemd is mounted to inspect the docker.service and docker.socket unit files.

  • --label docker_bench_security: Labels the benchmark's own container so the script can recognize it and leave it out of the per-container checks; otherwise it would flag its own host-namespace, socket-mounted container.

  • docker/docker-bench-security: The official Docker image for the benchmark tool.

After running the command, the script works through the checks and prints one line per check, prefixed with [PASS], [WARN], [INFO] or [NOTE] and followed by the CIS check number and title. The report ends with the total number of checks and a score (passes minus warnings). [WARN] lines are the findings to work through; [INFO] and [NOTE] lines need a human decision and are not failures by themselves.
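The following wrapper is an added example written for this page; it is not part of the docker-bench-security project. It runs the benchmark with the same arguments as above (minus -it, since the output is captured rather than viewed interactively), saves the report with colour codes stripped, and turns the [PASS]/[WARN]/[INFO] lines into counts and an exit status that can gate a CI job. The sample report it ships with is constructed for the example; the check texts in it are illustrative, not copied from a real run.

```shell
#!/bin/sh
# Added example (not part of docker-bench-security): run the benchmark
# non-interactively, keep the report, and summarize it.
# Assumption (not stated on the page): every result line starts with
# [PASS], [WARN], [INFO] or [NOTE], possibly wrapped in ANSI colour codes.

# Strip ANSI colour sequences so the status tags can be matched literally.
strip_ansi() {
    esc=$(printf '\033')
    sed "s/${esc}\[[0-9;]*m//g"
}

# Run the benchmark with the host mounts shown above and save the report.
# Needs root (or a user in the docker group) on the host being audited.
run_bench() {
    report="${1:-docker-bench-report.txt}"
    docker run --rm --net host --pid host --userns host --cap-add audit_control \
        -e DOCKER_CONTENT_TRUST="${DOCKER_CONTENT_TRUST:-}" \
        -v /var/lib:/var/lib:ro \
        -v /var/run/docker.sock:/var/run/docker.sock:ro \
        -v /etc:/etc:ro \
        -v /usr/bin/containerd:/usr/bin/containerd:ro \
        -v /usr/bin/runc:/usr/bin/runc:ro \
        -v /usr/lib/systemd:/usr/lib/systemd:ro \
        --label docker_bench_security \
        docker/docker-bench-security | strip_ansi | tee "$report"
}

# Count the lines carrying a given status tag in a saved report.
# $1 = report file, $2 = tag (PASS, WARN, INFO or NOTE). Always prints a number.
count_status() {
    grep -c "^\[$2\]" "$1" || true
}

# Print the [WARN] lines, i.e. the findings that need attention.
list_warnings() {
    grep '^\[WARN\]' "$1" || true
}

# Print PASS/WARN/INFO totals; return non-zero if any check is a WARN,
# so the script can fail a pipeline stage.
summarize_bench() {
    report="$1"
    pass=$(count_status "$report" PASS)
    warn=$(count_status "$report" WARN)
    info=$(count_status "$report" INFO)
    printf 'PASS=%s WARN=%s INFO=%s\n' "$pass" "$warn" "$info"
    [ "$warn" -eq 0 ]
}

# Constructed sample report (made up for this example) with the colour
# codes the script emits, so strip_ansi and the counters can be exercised
# without Docker.
sample_report() {
    printf '\033[1;34m[INFO]\033[0m 1 - Host Configuration\n'
    printf '\033[1;31m[WARN]\033[0m 1.1.1 - Ensure a separate partition for containers has been created\n'
    printf '\033[1;32m[PASS]\033[0m 1.1.2 - Ensure only trusted users are allowed to control Docker daemon\n'
    printf '\033[1;31m[WARN]\033[0m 2.1 - Run the Docker daemon as a non-root user, if possible\n'
    printf '\033[1;34m[INFO]\033[0m Checks: 3\n'
    printf '\033[1;34m[INFO]\033[0m Score: -1\n'
}

# Usage: sh bench.sh run [report-file]        (runs the benchmark on this host)
#        sh bench.sh summarize report-file    (lists WARN lines, exits 1 if any)
case "${1:-}" in
    run)       run_bench "${2:-docker-bench-report.txt}" ;;
    summarize) list_warnings "$2"; summarize_bench "$2" ;;
esac
```

Because the socket and namespace flags give this container full control of the host, keep the wrapper itself under version control and pin the image you run (by digest if possible) rather than pulling whatever tag is current on each run.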
