When we use Docker day to day, we often do not know whether our environment is secure or whether something is wrong. Today we recommend a Docker environment scanning tool, docker-bench-security. It is an open source scanning tool (official address: https://github.com/docker/docker-bench-security) that, by running a single container, can quickly and systematically check your Docker environment for security issues.
Here is an example of a run:
[Screenshot: output of a docker-bench-security run]
As can be seen above, the checks cover both the host configuration and the Docker engine configuration, which is quite comprehensive. Docker Bench for Security is a script that checks whether your environment is fit for production against a large number of best practices.
Run docker-bench-security
The project packages the scanning process into a small container. Because it has to inspect the Docker environment running outside the container, it needs a number of host privileges: the host file system, the host PID and network namespaces, systemd, and so on. The simplest way to run it is to start the pre-built container:
docker run -it --net host --pid host --cap-add audit_control \
  -v /var/lib:/var/lib \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /usr/lib/systemd:/usr/lib/systemd \
  -v /etc:/etc --label docker_bench_security \
  docker/docker-bench-security
To run this container the Docker version must be at least 1.10. The image is based on Alpine and built from the project's Dockerfile.
How to get the latest version and build the image
The official image is not always up to date. If you need the latest version, build it yourself as follows:
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
docker build -t docker-bench-security .
docker run -it --net host --pid host --cap-add audit_control \
  -v /var/lib:/var/lib \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /usr/lib/systemd:/usr/lib/systemd \
  -v /etc:/etc --label docker_bench_security \
  docker-bench-security
Or use docker-compose:
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
docker-compose run --rm docker-bench-security
Or run the original script directly on the host:
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
sh docker-bench-security.sh
The project's script is POSIX 2004 compliant and therefore runs on all *nix systems. That is the basic introduction; have you scanned your Docker environment yet?
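As an added example (not part of the original post or of the project's own code), a small POSIX sh helper that post-processes a saved docker-bench-security log so a CI job can fail on [WARN] findings in a chosen section. The sample log is constructed in the bench's line format ([PASS]/[WARN]/[INFO] tag, check id, dash, title); the -l and -b options mentioned in the comments are those of current versions of the script and are assumed here.

```shell
#!/bin/sh
# Added example: gate on docker-bench-security results.
# Produce the log with a real run (assumed current options: `-l bench.log`
# writes plain text, `-b` disables colours); the sample below is constructed.
set -eu

# Count lines carrying a given result tag (WARN, PASS, INFO ...) in a bench log.
count_tag() {
    tag="$1"; log="$2"
    grep -c "^\[$tag\]" "$log" || true
}

# Print the check id of every WARN line, one per line (e.g. "2.1").
# Tolerates one or more spaces between the id and the dash.
warn_ids() {
    log="$1"
    sed -n 's/^\[WARN\] \([0-9][0-9.]*\) *- .*/\1/p' "$log"
}

# Return 1 when the log has any WARN in the given top-level section
# (section 1 = host configuration, 2 = Docker daemon configuration, ...).
section_clean() {
    section="$1"; log="$2"
    if warn_ids "$log" | grep -q "^$section\."; then
        return 1
    fi
    return 0
}

# Constructed sample in the bench's line format, used to exercise the helpers.
SAMPLE_LOG="${TMPDIR:-/tmp}/bench-sample.$$.log"
cat > "$SAMPLE_LOG" <<'EOF'
[INFO] 1 - Host Configuration
[WARN] 1.1.1 - Ensure a separate partition for containers has been created
[PASS] 1.1.2 - Ensure only trusted users are allowed to control Docker daemon
[INFO] 2 - Docker daemon configuration
[WARN] 2.1 - Ensure network traffic is restricted between containers on the default bridge
[PASS] 2.2 - Ensure the logging level is set to 'info'
[WARN] 2.8 - Enable user namespace support
[INFO] Checks: 6
[INFO] Score: 1
EOF

printf 'WARN: %s  PASS: %s\n' "$(count_tag WARN "$SAMPLE_LOG")" "$(count_tag PASS "$SAMPLE_LOG")"
printf 'WARN ids: %s\n' "$(warn_ids "$SAMPLE_LOG" | tr '\n' ' ')"
```

In a pipeline, replace the constructed sample with the real log and call `section_clean 2 bench.log` to make the job fail while daemon-configuration warnings remain.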
Is your Docker environment safe?