Docker Bench for Security
A script that checks for dozens of common best-practices around deploying Docker containers in production.
| Category | Security Assessment & Audit |
|---|---|
| Community Stars | 9223 |
| Last Commit | 2 months ago |
| Last page update | 19 days ago |
| Pricing Details | Free and open-source |
| Target Audience | DevOps teams, security professionals, system administrators |
Docker Bench for Security checks whether a Docker deployment follows security best practices, something that is frequently overlooked in containerized environments. The tool implements the CIS Docker Benchmark (currently supporting versions up to v1.6.0) and automates dozens of configuration checks that would otherwise be done by hand.
Technically, the tool is a shell script that can be run directly on the host or from within a Docker container. It executes a series of automated tests that inspect the main areas of a Docker setup: host configuration, Docker daemon settings and configuration files, container images and build files, and the container runtime. When run as a container, the script relies on extensive read-only mounts of host filesystems and on sharing the host's network, PID and user namespaces; the checks themselves audit configuration files, file ownership and permissions, daemon flags, and the runtime settings of each running container. It is a configuration auditor, not a vulnerability scanner: it does not look up package or library CVEs.
Operationally, running the script requires significant privileges because it must read sensitive host resources. The documented container invocation begins with `docker run --rm --net host --pid host --userns host --cap-add audit_control` and continues with a series of read-only bind mounts of host directories and the Docker socket, which together give the container what it needs to perform the audits. Those same options also give the container host-level visibility of processes, network and filesystem, so only an image you built or verified yourself should be run this way. Individual checks can be selected or excluded by check id, so the audit can be tailored to a particular environment.
Key considerations: `jq` is an optional but recommended dependency; and if you want the latest checks, build the Docker image yourself, because the pre-built images may be out of date. The tool's coverage and output depend on the version of Docker and of the CIS benchmark in use: the script selects the appropriate test set automatically from the host's Docker version, or a version can be specified manually through command-line flags.
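The following is an added example, not code from the docker-bench-security project or from this listing: a POSIX shell wrapper that builds the container invocation described above (with a check selection passed through to the script), then parses the benchmark's plain-text output and fails a CI job when any check reports WARN. It assumes the `docker run` options and read-only mounts documented in the project README, the script's `-b` (no colors) and `-c`/`-e` (select/exclude check ids) flags, and result lines of the form `[WARN] 1.1.1 - Ensure ...`, one per check. The sample log embedded in `write_sample_log` is constructed for the demo, not real scan output.

```shell
#!/bin/sh
# Added example, not part of docker-bench-security or of this listing: run the
# benchmark from a CI job and fail the job on WARN results.
# Assumptions: the docker run options follow the invocation documented in the
# project README (host namespaces, audit_control, read-only bind mounts of the
# host paths the checks read, and the Docker socket); the script's -b (no
# colors) and -c/-e (select/exclude check ids) flags; and plain-text result
# lines of the form "[WARN] 1.1.1 - Ensure ...", one per check.
set -eu

# Pre-built images can lag the checks in the repository; after a local
# `docker build -t docker-bench-security .` point this at that tag instead.
IMAGE="${DOCKER_BENCH_IMAGE:-docker/docker-bench-security}"
TMP="${TMPDIR:-/tmp}"

# Print (do not run) the docker command line the benchmark needs. Extra
# arguments are passed to the script, e.g. "-c 2.1,2.2" or "-e 1.1.1".
# The host namespaces and socket give this container host-level visibility,
# so only run an image you built or verified yourself.
bench_cmd() {
    printf '%s' "docker run --rm --net host --pid host --userns host --cap-add audit_control"
    printf ' %s' \
        "-e DOCKER_CONTENT_TRUST=${DOCKER_CONTENT_TRUST:-0}" \
        "-v /etc:/etc:ro" \
        "-v /usr/bin/containerd:/usr/bin/containerd:ro" \
        "-v /usr/bin/runc:/usr/bin/runc:ro" \
        "-v /usr/lib/systemd:/usr/lib/systemd:ro" \
        "-v /var/lib:/var/lib:ro" \
        "-v /var/run/docker.sock:/var/run/docker.sock:ro" \
        "--label docker_bench_security" \
        "$IMAGE" -b "$@"
    printf '\n'
}

# Count result lines at one level (PASS, WARN, NOTE, INFO) whose second field
# is a dotted check id. PASS/WARN/NOTE lines are always individual checks;
# INFO also marks subsection headers such as "[INFO] 1.1 - ...", so the gate
# below relies only on WARN and PASS. Item lines ("[WARN]      * name") and
# the trailing "[INFO] Checks: N" summary have no id and are skipped.
count_results() {   # count_results LEVEL LOGFILE
    awk -v lvl="[$1]" \
        '$1 == lvl && $2 ~ /^[0-9]+(\.[0-9]+)+$/ { n++ } END { print n + 0 }' "$2"
}

# Ids of the checks that produced WARN, one per line.
warn_ids() {        # warn_ids LOGFILE
    awk '$1 == "[WARN]" && $2 ~ /^[0-9]+(\.[0-9]+)+$/ { print $2 }' "$1"
}

# CI gate: non-zero exit if any WARN is present, listing the offending ids.
gate() {            # gate LOGFILE
    warns=$(count_results WARN "$1")
    passes=$(count_results PASS "$1")
    if [ "$warns" -gt 0 ]; then
        echo "docker-bench: $warns WARN ($passes PASS): $(warn_ids "$1" | tr '\n' ' ')" >&2
        return 1
    fi
    echo "docker-bench: 0 WARN ($passes PASS)"
}

# Constructed sample in the benchmark's output format (not real scan output).
write_sample_log() {   # write_sample_log LOGFILE
    cat > "$1" <<'EOF'
[INFO] 1 - Host Configuration
[INFO] 1.1 - Linux Hosts Specific Configuration
[WARN] 1.1.1 - Ensure a separate partition for containers has been created (Automated)
[INFO] 1.1.2 - Ensure only trusted users are allowed to control Docker daemon (Automated)
[INFO]       * docker:x:999:alice
[PASS] 1.1.3 - Ensure auditing is configured for the Docker daemon (Automated)
[INFO] 2 - Docker daemon configuration
[PASS] 2.1 - Run the Docker daemon as a non-root user, if possible (Manual)
[WARN] 2.2 - Ensure network traffic is restricted between containers on the default bridge (Automated)
[NOTE] 2.3 - Ensure the logging level is set to 'info' (Automated)
[INFO] Checks: 6
[INFO] Score: 0
EOF
}

# Usage on a Docker host: eval "$(bench_cmd -c 1.1.1,2.1,2.2)" > bench.log && gate bench.log
# Stand-alone demo (no Docker needed): sh thisscript.sh demo
if [ "${1:-}" = "demo" ]; then
    bench_cmd -c 1.1.1,2.1,2.2
    write_sample_log "$TMP/docker-bench-sample.log"
    gate "$TMP/docker-bench-sample.log" || echo "gate failed as expected: 2 WARN in sample"
fi
```

The gate counts only lines whose second field is a dotted check id, so the indented item lines the script prints under a check (container or image names) and the closing `Checks:`/`Score:` summary do not distort the totals. Pass `-e <id>` through `bench_cmd` for checks you have consciously accepted rather than filtering them out of the log afterwards, so the exclusion is visible in the CI configuration.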