sh docker-bench-security.sh -e check_2_2 # runs every check except check_2_2 (2.2 Ensure the logging level is set to 'info')
You can also run just one check:
sh docker-bench-security.sh -c check_2_2
Usage is straightforward.
Run it with --help to see the supported command-line options. While using it I noticed that the options supported by the Docker image do not match what is written in the Git repository; of course, you can build your own image.
Building the image
- git clone https://github.com/docker/docker-bench-security.git
- cd docker-bench-security
- docker build --no-cache -t docker-bench-security .
Below is a demo of one audit run on a Mac. The -t devops.v1 argument restricts the image checks to that one image, which is why the output reports "Looking for image devops.v1".
Docker Desktop for Mac
docker run --rm --net host --pid host --userns host --cap-add audit_control \
  -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
  -v /var/lib:/var/lib:ro \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  -v `pwd`:/usr/local/bin/log/ \
  --label docker_bench_security \
  docker/docker-bench-security -t devops.v1
# ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.4
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Community Edition Benchmark v1.1.0.
# ------------------------------------------------------------------------------
Initializing Thu Sep 2 04:55:59 UTC 2021
Looking for image devops.v1
[INFO] 1 - Host Configuration
[WARN] 1.1 - Ensure a separate partition for containers has been created
[NOTE] 1.2 - Ensure the container host has been Hardened
...[lengthy output omitted]
[PASS] 7.10 - Ensure management plane traffic has been separated from data plane traffic (Swarm mode not enabled)
[INFO] Checks: 105
[INFO] Score: 7
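The [WARN]/[PASS]/[NOTE] lines are what you act on in a pipeline, and the raw score alone is a poor gate because every WARN counts the same. As an added example, not code from the article or from the docker-bench-security project, here is a POSIX sh gate that counts results by status and fails when a WARN appears for a check that is not on an explicit allow-list of accepted exceptions. The function names (write_sample_report, bench_count, bench_warn_ids, bench_gate) and the allow-list argument are this example's own; the sample report is constructed from the result lines shown above, and a real run would be saved to a file and passed in instead.

```shell
#!/bin/sh
# Added example, not part of the article or of docker-bench-security itself:
# turn a docker-bench-security report into a CI gate.
# Function names and the allow-list convention are this example's own; the
# "[WARN] 1.1 - ..." line format is the tool's real output format.

# Write a constructed sample report, trimmed to the result lines shown in the
# demo above. In practice save the tool's real output to a file (redirect it,
# or use its -l FILE option) and pass that file to the functions below.
write_sample_report() {
  cat > "$1" <<'EOF'
[INFO] 1 - Host Configuration
[WARN] 1.1 - Ensure a separate partition for containers has been created
[NOTE] 1.2 - Ensure the container host has been Hardened
[WARN] 2.2 - Ensure the logging level is set to 'info'
[PASS] 7.10 - Ensure management plane traffic has been separated from data plane traffic (Swarm mode not enabled)
[INFO] Checks: 105
[INFO] Score: 7
EOF
}

# Count result lines with a given status ($2: WARN, PASS, NOTE or INFO).
# Only lines carrying a check id ("N.M - ") are counted, so section headers
# such as "[INFO] 1 - ..." and the Checks:/Score: footer are ignored.
bench_count() {
  grep -c "^\[$2\] [0-9][0-9]*\.[0-9][0-9]* - " "$1" || true
}

# Print the ids of all checks reported as WARN, one per line.
bench_warn_ids() {
  sed -n 's/^\[WARN\] \([0-9][0-9]*\.[0-9][0-9]*\) - .*/\1/p' "$1"
}

# Gate: return 0 only when every WARN id is on the allow-list ($2, a
# space-separated list of ids accepted as known exceptions on this host).
# Every unexpected WARN is named on stderr so the CI log says what to fix.
bench_gate() {
  report=$1
  allow=" $2 "
  rc=0
  for id in $(bench_warn_ids "$report"); do
    case "$allow" in
      *" $id "*) ;;                                   # accepted exception
      *) echo "unexpected WARN: check $id" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# Demo run on the constructed sample: 1.1 is accepted as a known exception,
# 2.2 is not, so the gate fails.
REPORT=${TMPDIR:-/tmp}/bench-sample.log
write_sample_report "$REPORT"
echo "WARN: $(bench_count "$REPORT" WARN)  PASS: $(bench_count "$REPORT" PASS)  NOTE: $(bench_count "$REPORT" NOTE)"
if bench_gate "$REPORT" "1.1"; then
  echo "gate: pass"
else
  echo "gate: FAIL"
fi
```

Keep the allow-list in version control next to the pipeline definition, with a comment per id saying why that check is accepted on that host; a growing list is itself a finding.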
Source: http://os.51cto.com/art/202109/680481.htm