
Using Docker Bench to Enhance Container Security

Hands-On Lab

 


Length

00:30:00

Difficulty

Beginner

This lab allows the student to explore the Docker Bench utility for hardening Docker installations. The student gains access to the lab server via SSH and clones the Docker Bench repo from github.com. The student then executes the bench utility, views the report, and enables auditing of the Docker daemon. After enabling auditing, the student runs the utility again and compares the new report with the old one.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

Gain access to the EC2 CentOS 7 server from the terminal of your choice, using ssh to log in as cloud_user:

$ ssh cloud_user@[Public IP Here]

Clone the docker-bench repo from github.com:

$ git clone https://github.com/docker/docker-bench-security.git

Change your present working directory to docker-bench-security:

$ cd docker-bench-security

Using superuser permissions, execute the docker-bench-security.sh shell script and redirect standard output to a file called /tmp/bench1.out:

$ sudo sh docker-bench-security.sh > /tmp/bench1.out

* The sudo command will prompt you for the cloud_user password.

Use the more command to look at the first part of the Docker Bench output:

$ more /tmp/bench1.out

Use the auditctl command to list any auditing rules that are already set up on the system:

$ sudo auditctl -l

Use the auditctl command to add a rule to audit the /var/lib/docker directory:

$ sudo auditctl -w /var/lib/docker -k "docker lib"

Now run the Docker Bench utility again and redirect its output to /tmp/bench2.out:

$ sudo sh docker-bench-security.sh > /tmp/bench2.out

Now use the Linux diff command to compare the output of the first run in /tmp/bench1.out with the second run in /tmp/bench2.out:

$ diff /tmp/bench1.out /tmp/bench2.out
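A raw diff of the two reports is noisy, and Docker Bench writes ANSI colour codes into the file even when its output is redirected. As an added example (not part of the lab or of the Docker Bench project), this POSIX shell script strips those codes, reduces each report to check id and status, and prints only the checks whose status changed between runs; the report lines it feeds in are constructed samples, not captured lab output.

```shell
#!/bin/sh
# Added example: list Docker Bench checks whose status changed between two runs.
# Docker Bench colours its output with ANSI escapes even when stdout is a file,
# so the escapes are stripped before parsing.

ESC=$(printf '\033')

# Normalise one report to "id<TAB>status" lines (e.g. "1.1.4<TAB>WARN"),
# keeping top-level check lines and dropping the indented "*" detail lines.
bench_results() {
    sed "s/${ESC}\[[0-9;]*m//g" "$1" |
    awk '/^\[(PASS|WARN|INFO|NOTE)\] [0-9]+(\.[0-9]+)* +- / {
             status = substr($1, 2, length($1) - 2)
             print $2 "\t" status
         }'
}

# Print "id old-status new-status" for every check present in both reports
# whose status differs between the first and second run.
bench_changes() {
    old=$(mktemp) && new=$(mktemp) || return 1
    bench_results "$1" > "$old"
    bench_results "$2" > "$new"
    awk -F '\t' 'NR == FNR { prev[$1] = $2; next }
                 ($1 in prev) && prev[$1] != $2 { print $1, prev[$1], $2 }' \
        "$old" "$new"
    rm -f "$old" "$new"
}

# Constructed sample reports (not real lab output). In the second run an audit
# rule for /var/lib/docker exists, so that check passes while the daemon
# auditing check still warns.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '%s\n' \
    "${ESC}[1;34m[INFO]${ESC}[0m 1 - Host Configuration" \
    "${ESC}[1;31m[WARN]${ESC}[0m 1.1.3 - Ensure auditing is configured for the Docker daemon" \
    "${ESC}[1;31m[WARN]${ESC}[0m 1.1.4 - Ensure auditing is configured for Docker files and directories - /var/lib/docker" \
    "${ESC}[1;31m[WARN]${ESC}[0m      * /var/lib/docker is not audited" \
    "${ESC}[1;32m[PASS]${ESC}[0m 1.2.1 - Ensure the container host has been hardened" \
    > "$SAMPLE_DIR/bench1.out"
printf '%s\n' \
    "${ESC}[1;34m[INFO]${ESC}[0m 1 - Host Configuration" \
    "${ESC}[1;31m[WARN]${ESC}[0m 1.1.3 - Ensure auditing is configured for the Docker daemon" \
    "${ESC}[1;32m[PASS]${ESC}[0m 1.1.4 - Ensure auditing is configured for Docker files and directories - /var/lib/docker" \
    "${ESC}[1;32m[PASS]${ESC}[0m 1.2.1 - Ensure the container host has been hardened" \
    > "$SAMPLE_DIR/bench2.out"

bench_changes "$SAMPLE_DIR/bench1.out" "$SAMPLE_DIR/bench2.out"
```

To use it on the lab output, save the script and call bench_changes with /tmp/bench1.out and /tmp/bench2.out in place of the sample files.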

* This concludes this lab.