### Run Docker Bench from Host

Source: https://github.com/docker/docker-bench-security/blob/master/README.md

Clone the repository and execute the main script directly on the host machine. Ensure you have git installed. Run the script as root (`sudo`): several checks read daemon configuration files and the Docker socket, which an ordinary user cannot open.

```sh
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
sudo sh docker-bench-security.sh
```

--------------------------------

### Run Docker Bench with Docker Compose

Source: https://github.com/docker/docker-bench-security/blob/master/README.md

Execute the Docker Bench security check using Docker Compose. This is a convenient way to run the benchmark if Docker Compose is installed; the repository's compose file defines the `docker-bench-security` service that the command below starts.

```sh
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
docker-compose run --rm docker-bench-security
```

--------------------------------

### Build Docker Bench Security Container

Source: https://github.com/docker/docker-bench-security/blob/master/CONTRIBUTING.md

Clone the repository, navigate to the directory, and build the Docker image for Docker Bench for Security. This variant clones over SSH (`git@github.com:`) and so needs a GitHub account with an SSH key; the HTTPS URL used in the README works without one.

```sh
git clone git@github.com:docker/docker-bench-security.git
cd docker-bench-security
docker build -t docker-bench-security .
```

--------------------------------

### Docker Bench for Security Command-Line Options

Source: https://github.com/docker/docker-bench-security/blob/master/README.md

Lists the available command-line flags for customizing the Docker Bench for Security script's behavior, such as disabling colors, logging to a file, or filtering checks.
```sh
  -b           optional  Do not print colors
  -h           optional  Print this help message
  -l FILE      optional  Log output in FILE, inside container if run using docker
  -u USERS     optional  Comma delimited list of trusted docker user(s)
  -c CHECK     optional  Comma delimited list of specific check(s) id
  -e CHECK     optional  Comma delimited list of specific check(s) id to exclude
  -i INCLUDE   optional  Comma delimited list of patterns within a container or image name to check
  -x EXCLUDE   optional  Comma delimited list of patterns within a container or image name to exclude from check
  -t LABEL     optional  Comma delimited list of labels within a container or image to check
  -n LIMIT     optional  In JSON output, when reporting lists of items (containers, images, etc.), limit the number of reported items to LIMIT. Default 0 (no limit).
  -p PRINT     optional  Disable the printing of remediation measures. Default: print remediation measures.
```

Note that `-l FILE` is resolved inside the container when the benchmark runs under `docker run`; with `--rm` the file is lost when the container exits unless FILE points into a writable bind mount (the default mounts are all read-only).

--------------------------------

### Run Docker Bench Security Locally

Source: https://github.com/docker/docker-bench-security/blob/master/CONTRIBUTING.md

Clone the repository, navigate to the directory, and execute the Docker Bench for Security script using sudo.

```sh
git clone git@github.com:docker/docker-bench-security.git
cd docker-bench-security
sudo sh docker-bench-security.sh
```

--------------------------------

### Build Docker Image for Docker Bench

Source: https://github.com/docker/docker-bench-security/blob/master/README.md

Clone the repository and build the Docker image locally using Docker Build. This method avoids using a potentially outdated pre-built image, and `--no-cache` forces every layer to be rebuilt from the current checkout instead of being reused from an earlier build.

```sh
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
docker build --no-cache -t docker-bench-security .
```

--------------------------------

### Run Docker Bench Container (Default Configuration)

Source: https://github.com/docker/docker-bench-security/blob/master/README.md

Execute the Docker Bench security check within a container using default host volume mounts.
This command requires Docker 1.13.0 or later. The container shares the host's network, PID and user namespaces and is granted `audit_control` so it can read the audit rules; every host path is bind-mounted read-only. Be aware that `:ro` on the Docker socket only makes the socket node read-only: connecting to it still gives the container the full daemon API, so run only an image you built yourself from the repository.

```sh
docker run --rm --net host --pid host --userns host --cap-add audit_control \
  -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
  -v /etc:/etc:ro \
  -v /usr/bin/containerd:/usr/bin/containerd:ro \
  -v /usr/bin/runc:/usr/bin/runc:ro \
  -v /usr/lib/systemd:/usr/lib/systemd:ro \
  -v /var/lib:/var/lib:ro \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  --label docker_bench_security \
  docker-bench-security
```

--------------------------------

### Docker Bench for Security Test Directory Structure

Source: https://github.com/docker/docker-bench-security/blob/master/CONTRIBUTING.md

Overview of the directory structure for Docker Bench for Security tests, showing the organization of individual test scripts. There is one script per benchmark section; the numeric prefix is the section number and the remainder of the file name is the group name accepted by the `-c` and `-e` flags.

```sh
tests/
├── 1_host_configuration.sh
├── 2_docker_daemon_configuration.sh
├── 3_docker_daemon_configuration_files.sh
├── 4_container_images.sh
├── 5_container_runtime.sh
├── 6_docker_security_operations.sh
├── 7_docker_swarm_configuration.sh
├── 8_docker_enterprise_configuration.sh
└── 99_community_checks.sh
```

--------------------------------

### Run Docker Bench Container (Ubuntu Systemd Paths)

Source: https://github.com/docker/docker-bench-security/blob/master/README.md

Execute the Docker Bench security check within a container, adjusting systemd paths for Ubuntu. This ensures correct access to systemd service files: on Ubuntu the unit files live under `/lib/systemd/system`, which the default `/usr/lib/systemd` mount does not cover.
```sh
docker run --rm --net host --pid host --userns host --cap-add audit_control \
  -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
  -v /etc:/etc:ro \
  -v /lib/systemd/system:/lib/systemd/system:ro \
  -v /usr/bin/containerd:/usr/bin/containerd:ro \
  -v /usr/bin/runc:/usr/bin/runc:ro \
  -v /usr/lib/systemd:/usr/lib/systemd:ro \
  -v /var/lib:/var/lib:ro \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  --label docker_bench_security \
  docker-bench-security
```

--------------------------------

### Run Docker Bench Container (macOS with Hostname Adjustment)

Source: https://github.com/docker/docker-bench-security/blob/master/README.md

Execute the Docker Bench security check within a container on macOS. This requires creating an /etc/hostname file and adjusts volume mounts for macOS limitations: `/etc` is mounted read-write, and the `containerd`, `runc` and systemd mounts are dropped because those paths do not exist on a macOS host.

```sh
sudo touch /etc/hostname
docker run --rm --net host --pid host --userns host --cap-add audit_control \
  -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
  -v /etc:/etc \
  -v /var/lib:/var/lib:ro \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  --label docker_bench_security \
  docker-bench-security
```

--------------------------------

### Run Multiple Specific Docker Bench Checks

Source: https://github.com/docker/docker-bench-security/blob/master/README.md

Executes only a defined set of checks by listing them with the '-c' flag. This is helpful for focusing on critical areas, for example the image and runtime sections when auditing what is actually deployed rather than the host.

```sh
sh docker-bench-security.sh -c container_images,container_runtime
```

--------------------------------

### Run a Specific Docker Bench Check

Source: https://github.com/docker/docker-bench-security/blob/master/README.md

Executes only a single, specified check using the '-c' flag. This is useful for targeted security audits.
```sh
sh docker-bench-security.sh -c check_2_2
```

--------------------------------

### Exclude Multiple Docker Bench Checks and Groups

Source: https://github.com/docker/docker-bench-security/blob/master/README.md

Combines exclusion of a check group and a specific check using the '-e' flag with a comma-separated list. This provides granular control over which tests are run.

```sh
sh docker-bench-security.sh -e docker_enterprise_configuration,check_2_2
```

--------------------------------

### Run Specific Checks While Excluding Others

Source: https://github.com/docker/docker-bench-security/blob/master/README.md

Combines running a group of checks with the '-c' flag and excluding a specific check within that group using the '-e' flag. This allows for precise test selection.

```sh
sh docker-bench-security.sh -c container_images -e check_4_5
```

--------------------------------

### Exclude a Specific Docker Bench Check

Source: https://github.com/docker/docker-bench-security/blob/master/README.md

Runs all available checks except for a particular one, specified using the '-e' flag. This allows skipping irrelevant or already-addressed tests.

```sh
sh docker-bench-security.sh -e check_2_2
```

--------------------------------

### Exclude a Docker Bench Check Group

Source: https://github.com/docker/docker-bench-security/blob/master/README.md

Skips an entire group of checks by providing the group name with the '-e' flag. Useful for avoiding checks related to specific configurations, such as the Docker Enterprise checks on a Community Edition host. Group names are the test file names without their numeric prefix (`tests/8_docker_enterprise_configuration.sh` is excluded as `docker_enterprise_configuration`), and individual checks are the benchmark number with dots replaced by underscores and a `check_` prefix (`check_2_2` for 2.2).

```sh
sh docker-bench-security.sh -e docker_enterprise_configuration
```
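The container run commands above differ only in which host paths are bind-mounted (the default layout, the extra `/lib/systemd/system` on Ubuntu, and the trimmed macOS list). The following wrapper, added here as an example and not code from the docker-bench-security project, assembles the `docker run` line from the README's full candidate list and keeps only the paths that exist on the current host, so one script works across those layouts. The `ROOT` parameter is an assumption made for testability only; the flags, mounts, label and image name are the README's.

```sh
#!/bin/sh
# Added example, not code from the docker-bench-security project: assemble the
# README's "docker run" invocation from the candidate host paths, keeping only
# the ones that actually exist on this host. On Ubuntu that picks up
# /lib/systemd/system; on a host without a separate containerd or runc binary
# the missing -v entries are dropped instead of making docker run fail.
set -eu

# Host paths taken from the README run commands (Linux layout). Everything is
# mounted read-only; the benchmark only reads configuration.
BENCH_PATHS="/etc /lib/systemd/system /usr/bin/containerd /usr/bin/runc /usr/lib/systemd /var/lib /var/run/docker.sock"

# bench_mount_args [ROOT]
# Print one "-v PATH:PATH:ro" line per candidate path that exists below ROOT.
# ROOT defaults to the real filesystem root and exists only so the function can
# be exercised against a constructed directory tree.
bench_mount_args() {
    root="${1:-}"
    for p in $BENCH_PATHS; do
        if [ -e "${root}${p}" ]; then
            printf '%s %s:%s:ro\n' '-v' "$p" "$p"
        fi
    done
}

# bench_run_cmd [ROOT] [IMAGE]
# Print the complete docker run command line (flags as in the README) with the
# computed mount list. It is printed rather than executed so it can be reviewed
# before anything touches the Docker socket; pipe it to sh to run it.
bench_run_cmd() {
    root="${1:-}"
    image="${2:-docker-bench-security}"
    mounts=$(bench_mount_args "$root" | tr '\n' ' ')
    printf 'docker run --rm --net host --pid host --userns host --cap-add audit_control -e DOCKER_CONTENT_TRUST=%s %s--label docker_bench_security %s\n' \
        "${DOCKER_CONTENT_TRUST:-}" "$mounts" "$image"
}

# Stand-alone demo: show the command that would be run on this host.
bench_run_cmd
```

Run it as `sh bench-run.sh` to inspect the command, and `sh bench-run.sh | sh` to execute it once you are satisfied with the mount list; a missing `/var/run/docker.sock` simply produces a command without the socket mount, which is a useful early signal that the daemon is not where the benchmark expects it.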
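The option list and the `-c`/`-e` examples above select what runs, but they say nothing about acting on the result. The script below is an added example, not part of docker-bench-security: it parses a log written with `-b -l FILE` and turns it into a CI gate that fails on any `[WARN]` check id not present in an allowlist of findings already accepted for the host. The assumed log line shape (`[WARN] 2.1 - Ensure ...`, with indented `[WARN]      * ...` detail lines carrying no id) and the sample log in the demo are constructed for this example; the `bench_run_and_gate` helper assumes it is invoked from a checkout of the repository.

```sh
#!/bin/sh
# Added example, not part of docker-bench-security: turn a log written with
# "docker-bench-security.sh -b -l FILE" into a CI gate. Every [WARN] check id
# not listed in an allowlist of accepted findings fails the gate, so a new
# warning after a host or daemon change cannot slip through unnoticed.
set -eu

# bench_warn_ids LOGFILE
# Print the check id of every top-level [WARN] line, one per line, in file
# order. Assumed line shape: "[WARN] 2.1 - Ensure ..." as printed with -b (no
# colour codes). Indented detail lines such as "[WARN]      * ..." carry no id
# and are skipped on purpose.
bench_warn_ids() {
    sed -n 's/^\[WARN] \([0-9][0-9.]*\) - .*/\1/p' "$1"
}

# bench_count LEVEL LOGFILE
# Number of top-level lines at LEVEL (PASS, WARN, NOTE or INFO).
bench_count() {
    grep -c "^\[$1] [0-9]" "$2" || true
}

# bench_gate LOGFILE ALLOWFILE
# ALLOWFILE holds one accepted check id per line; "#" starts a comment.
# Prints any warning that is not accepted and returns 1, otherwise returns 0.
bench_gate() {
    allow=$(mktemp)
    sed 's/#.*//; s/[[:space:]]*$//; /^$/d' "$2" > "$allow"
    unexpected=$(bench_warn_ids "$1" | grep -v -x -F -f "$allow" || true)
    rm -f "$allow"
    if [ -n "$unexpected" ]; then
        printf 'unexpected WARN: %s\n' $unexpected >&2
        return 1
    fi
    return 0
}

# bench_run_and_gate LOGFILE ALLOWFILE [benchmark options...]
# Run the benchmark from a checkout of the repository (assumed to be the
# current directory), then gate on its log. The script's own exit status is
# not relied upon; the log is the source of truth.
bench_run_and_gate() {
    log="$1"; allow="$2"; shift 2
    sudo sh ./docker-bench-security.sh -b -l "$log" "$@" || true
    bench_gate "$log" "$allow"
}

# Stand-alone demo on a constructed log (not real benchmark output).
demo_log=$(mktemp); demo_allow=$(mktemp)
cat > "$demo_log" <<'EOF'
[INFO] 1 - Host Configuration
[INFO] 1.1 - Linux Hosts Specific Configuration
[WARN] 1.1.1 - Ensure a separate partition for containers has been created (Automated)
[PASS] 1.1.2 - Ensure only trusted users are allowed to control Docker daemon (Automated)
[INFO]      * docker:x:999:alice
[NOTE] 1.1.3 - Ensure auditing is configured for the Docker daemon (Automated)
[INFO] 2 - Docker daemon configuration
[WARN] 2.1 - Run the Docker daemon as a non-root user, if possible (Manual)
[WARN]      * dockerd is running as root
[PASS] 2.2 - Ensure network traffic is restricted between containers on the default bridge (Scored)
[INFO] Checks: 9
[INFO] Score: 2
EOF
printf '1.1.1  # accepted: containers live on the root volume of this VM\n' > "$demo_allow"
printf 'warnings: %s  passes: %s\n' "$(bench_count WARN "$demo_log")" "$(bench_count PASS "$demo_log")"
if bench_gate "$demo_log" "$demo_allow"; then echo "gate: pass"; else echo "gate: fail (see stderr)"; fi
rm -f "$demo_log" "$demo_allow"
```

In a pipeline the call is `bench_run_and_gate bench.log accepted-warnings.txt -e docker_enterprise_configuration`, with the allowlist kept under review next to the host's configuration so every accepted warning has a comment explaining why it is tolerated; the demo above fails on purpose because `2.1` is not on its allowlist.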