View profile

Measuring Configuration Security With Docker Bench

Revue
 
Last week we looked at the Docker defaults for keeping your app more secure, but today's newsletter i
 

FasterOps: Improving Your Container DevOps Skills

November 11 · Issue #18 · View online
Commentary on tools and techniques I find interesting around Docker, Kubernetes, Cloud Native DevOps, and DevSecOps.
Last week we looked at the Docker defaults for keeping your app more secure, but today’s newsletter is going to cover benchmarking of your Docker hosts configuration as well, to scan for security best practices.
Real-Time Docker Monitoring
www.datadoghq.comShare
This weeks sponsor: Enhance visibility into the performance of your entire containerized environment and investigate issues quickly with Datadog. Optimize horizontal auto-scaling with high-granularity metrics and easily detect clusters over or under-allocating available resources via the auto-generated container map. Try monitoring your Docker containers with Datadog and they’ll send you a free t-shirt!
Measuring Docker's Configuration Security
Today we are focused on Docker Bench. This scanning tool can be run as a Docker container so the test can be spun up and run very quickly. I cover this benchmark tool in my recent YouTube Live show where I listed my security best practices.
Host Configuration Benchmarking (Starts at 25:30)
www.youtube.comShare
Using tools to measure your Docker configurations baseline of security
Securing Docker · BretFisher/ama · GitHub
github.comShare
A common question I get.
GitHub - docker/docker-bench-security: Benchmark for Security
github.comShare
The Docker Bench for Security is a script that checks for dozens of common best-practices.
How Does it work?
By granting the bench container high levels of privilege to the host file system, network namespaces, and more, the container executes a scan to run all available CIS tests on the host, and will also output logs in the current directory. By running these tests, we can see how we stand up against the standards set by the Center for Internet Security.
CIS Docker Benchmarks - CIS
www.cisecurity.orgShare
Securing Docker An objective, consensus-driven s
How Do I Run it?
The container can be run with the following docker run command:
For a copy/paste-able command, see the GitHub repo in the links above
For a copy/paste-able command, see the GitHub repo in the links above
You might notice this container is highly privileged and requires a lot of access. You’re right, but this access is only to determine how safe your setup is. It’s a one-time run, and will stop when finished. You also might need to tweak your volumes in the command provided based on your OS and filesystem type. Also in that command come options for colored text, or exporting the results to a log file, or even exclusion options to skip a certain check.
Thanks for reading,
–Bret
Weekly YouTube Live: bretfisher.com/youtube
Course Coupons: bretfisher.com/courses
Podcast: bretfisher.com/podcast
Twitter: twitter.com/bretfisher
Did you enjoy this issue?
If you don't want these updates anymore, please unsubscribe here.
If you were forwarded this newsletter and you like it, you can subscribe here.
Powered by Revue
Bret Fisher, Virginia Beach, Virginia, USA