
Security benchmarks (CIS Docker) - Commands & Configuration

Introduction
Security benchmarks give you a checklist of hardening settings to measure a Docker host against. The CIS Docker Benchmark is a published set of recommendations covering the host, the daemon, image builds and the container runtime; each recommendation comes with a check to run and a remediation to apply. Docker Bench for Security is the open-source script that automates those checks and reports PASS, WARN or FAIL per item.
When you want to make sure your Docker containers do not have security holes.
When you need to audit your Docker setup for compliance with security standards.
When you want to reduce the risk of attackers exploiting your Docker environment.
When you are deploying Docker containers in production and want to follow best security practices.
When you want to learn how to configure Docker daemon and containers safely.
Commands
This command shows detailed information about your Docker installation. For a security review the lines that matter are Security Options (which of seccomp, apparmor, selinux, userns and rootless are active), Storage Driver (overlay2 is the supported default), Cgroup Driver and Logging Driver, and Server Version, which tells you whether the daemon is still receiving security fixes.
Terminal
docker info
Expected Output
Client:
 Context:    default
 Debug Mode: false

Server:
 Containers: 3
  Running: 1
  Paused: 0
  Stopped: 2
 Images: 5
 Server Version: 24.0.2
 Storage Driver: overlay2
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Security Options:
  seccomp
  apparmor
 Kernel Version: 5.15.0-70-generic
 Operating System: Ubuntu 22.04.2 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 7.7GiB
This command runs the Docker Bench for Security script as a container. It checks the Docker host, daemon configuration and running containers against the CIS Docker Benchmark rules and prints one PASS, WARN, FAIL or INFO line per check. The same script can also be run directly from a checkout of the project with sh docker-bench-security.sh.
Terminal
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $(pwd):/bench docker/docker-bench-security
Expected Output
Docker Bench for Security
=========================
[INFO] 1 - Host Configuration
[PASS] 1.1 - Ensure a separate partition for containers has been created
[WARN] 1.2 - Ensure that Docker is using a supported storage driver
[INFO] 2 - Docker Daemon Configuration
[PASS] 2.1 - Ensure that Docker daemon is started with a user namespace
[FAIL] 2.2 - Ensure that the Docker daemon is configured to use TLS
...
Summary:
Passed: 15
Warnings: 3
Failed: 2
-v /var/run/docker.sock:/var/run/docker.sock - Gives the container access to the Docker daemon so it can enumerate and inspect containers on the host. Anything that can talk to this socket can start a privileged container and is therefore root on the host, so only run images you trust with it, and prefer mounting it read-only (:ro). The project's README additionally bind-mounts host paths such as /etc, /var/lib and the containerd and runc binaries read-only and runs with --net host --pid host --userns host; with only the socket mounted, the host- and daemon-level checks cannot see the host filesystem and will report fewer results.
--rm - Removes the container after the scan finishes.
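The bench prints a report; it does not by itself stop a pipeline. The following script is an added example (not part of docker-bench-security or of this page's original commands) that parses the report text, counts results, and exits non-zero when a FAIL or WARN remains that has not been recorded as an accepted exception. The sample report embedded in it is constructed from the output format shown above and is not a real scan.

```python
"""Turn a Docker Bench for Security text report into a CI gate (added example)."""
import re
import sys
from collections import Counter
from dataclasses import dataclass, field

# Per-check result lines, e.g. "[WARN] 2.2 - Ensure that the Docker daemon is configured to use TLS".
# Section headers such as "[INFO] 1 - Host Configuration" have no dotted ID and are skipped.
CHECK_RE = re.compile(r"^\[(PASS|WARN|FAIL|INFO|NOTE)\]\s+(\d+(?:\.\d+)+)\s+-\s+(.*)$")
# Detail lines printed under a check, e.g. "[WARN]      * No AppArmorProfile Found: my-db".
DETAIL_RE = re.compile(r"^\[(?:PASS|WARN|FAIL|INFO|NOTE)\]\s+\*\s+(.*)$")


@dataclass
class Finding:
    status: str
    check_id: str
    title: str
    details: list = field(default_factory=list)


def parse_bench_output(text):
    """Parse the bench report into Finding objects, attaching detail lines to their check."""
    findings = []
    for line in text.splitlines():
        m = CHECK_RE.match(line)
        if m:
            findings.append(Finding(m.group(1), m.group(2), m.group(3).strip()))
            continue
        d = DETAIL_RE.match(line)
        if d and findings:
            findings[-1].details.append(d.group(1).strip())
    return findings


def gate(findings, fail_on=("FAIL", "WARN"), accepted=frozenset()):
    """Return (blocking findings, status counts).

    `accepted` holds check IDs whose risk has been reviewed and documented;
    every other finding whose status is in `fail_on` blocks the pipeline.
    """
    blocking = [f for f in findings if f.status in fail_on and f.check_id not in accepted]
    return blocking, Counter(f.status for f in findings)


# Constructed sample in the bench's output format (not real scan results).
SAMPLE_REPORT = """\
[INFO] 1 - Host Configuration
[PASS] 1.1 - Ensure a separate partition for containers has been created
[WARN] 1.2 - Ensure that Docker is using a supported storage driver
[INFO] 2 - Docker Daemon Configuration
[PASS] 2.1 - Ensure that Docker daemon is started with a user namespace
[FAIL] 2.2 - Ensure that the Docker daemon is configured to use TLS
[INFO] 5 - Container Runtime
[WARN] 5.1 - Ensure that, if applicable, an AppArmor Profile is enabled
[WARN]      * No AppArmorProfile Found: my-db
"""


def main(argv):
    # Usage: python bench_gate.py bench.txt   (or pipe the bench output on stdin)
    text = open(argv[1]).read() if len(argv) > 1 else sys.stdin.read()
    # Documented exception assumed for this example: the storage-driver warning is accepted.
    blocking, counts = gate(parse_bench_output(text), accepted={"1.2"})
    print("Summary:", dict(counts))
    for f in blocking:
        print(f"[{f.status}] {f.check_id} {f.title}")
        for d in f.details:
            print("    *", d)
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Capture the scan with something like docker run ... docker/docker-bench-security | tee bench.txt and feed the file to the script; keep the accepted set in version control next to the reasoning for each exception so the gate stays honest.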
This command lists running containers and prints HostConfig.SecurityOpt for each. That field only records options passed explicitly with --security-opt (for example seccomp=unconfined, apparmor=<profile> or no-new-privileges), so an empty list means the daemon defaults apply (the default seccomp profile and, on AppArmor hosts, the docker-default profile); it does not mean the container is unprotected. What you are looking for is any unconfined value, and you should check .HostConfig.Privileged and .AppArmorProfile alongside it.
Terminal
docker ps --quiet --filter 'status=running' | xargs -n 1 docker inspect --format '{{.Name}}: SecurityOpts={{.HostConfig.SecurityOpt}}'
Expected Output
/my-app: SecurityOpts=[seccomp=default]
/my-db: SecurityOpts=[]
--filter 'status=running' - Filters to only running containers.
xargs -n 1 - Runs docker inspect once per container ID from the list.
--format - A Go template selecting which fields of the inspect output to print ({{.Name}} and {{.HostConfig.SecurityOpt}} here).
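The one-liner above shows a single field. The script below is an added example (not part of Docker or of this page's original commands) that reads the full JSON from docker inspect and applies the runtime checks a CIS review cares about: privileged mode, seccomp or AppArmor disabled, no-new-privileges missing, risky added capabilities, the Docker socket bind-mounted, host PID or network namespace, and a writable root filesystem. The embedded inspect data for my-app and my-db is constructed for the example and contains only the fields the checks read; the RISKY_CAPS list is an assumed subset of the capabilities the benchmark says not to add.

```python
"""Audit `docker inspect` JSON for missing container hardening (added example)."""
import json
import subprocess

# Assumed subset of capabilities whose addition should always be flagged.
RISKY_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "NET_ADMIN", "DAC_READ_SEARCH"}
SOCKET_PATHS = ("/var/run/docker.sock", "/run/docker.sock")


def audit_container(c):
    """Return (name, findings) for one object from the `docker inspect` array."""
    host = c.get("HostConfig") or {}
    # SecurityOpt is null unless --security-opt was given. An empty list does NOT mean
    # unconfined: the daemon's default seccomp profile still applies unless disabled.
    secopts = host.get("SecurityOpt") or []
    findings = []
    if host.get("Privileged"):
        findings.append("--privileged: all capabilities, host devices, no seccomp/AppArmor")
    if any(o.startswith("seccomp=unconfined") for o in secopts):
        findings.append("seccomp disabled (seccomp=unconfined)")
    if any(o.startswith("apparmor=unconfined") for o in secopts):
        findings.append("AppArmor disabled (apparmor=unconfined)")
    elif not c.get("AppArmorProfile"):
        # Always empty on hosts without AppArmor (e.g. SELinux distributions); tune per fleet.
        findings.append("no AppArmor profile applied")
    if not any(o.startswith("no-new-privileges") for o in secopts):
        findings.append("no-new-privileges not set (setuid binaries can still gain privileges)")
    for cap in host.get("CapAdd") or []:
        if cap.upper().removeprefix("CAP_") in RISKY_CAPS:
            findings.append(f"risky capability added: {cap}")
    for bind in host.get("Binds") or []:
        if bind.split(":")[0] in SOCKET_PATHS:
            findings.append("Docker socket mounted: root-equivalent access to the host")
    if host.get("PidMode") == "host":
        findings.append("shares the host PID namespace")
    if host.get("NetworkMode") == "host":
        findings.append("shares the host network namespace")
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable (consider --read-only)")
    return c.get("Name", "?").lstrip("/"), findings


def audit_all(inspect_json):
    """Map container name -> findings for the JSON array `docker inspect` prints."""
    return dict(audit_container(c) for c in json.loads(inspect_json))


# Constructed `docker inspect` excerpt for two containers (only the fields used above).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/my-app", "AppArmorProfile": "docker-default",
     "HostConfig": {"Privileged": False, "SecurityOpt": ["no-new-privileges:true"],
                    "CapAdd": None, "CapDrop": ["ALL"], "Binds": None,
                    "PidMode": "", "NetworkMode": "bridge", "ReadonlyRootfs": True}},
    {"Name": "/my-db", "AppArmorProfile": "",
     "HostConfig": {"Privileged": False, "SecurityOpt": ["seccomp=unconfined"],
                    "CapAdd": ["SYS_ADMIN"], "CapDrop": None,
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
                    "PidMode": "", "NetworkMode": "bridge", "ReadonlyRootfs": False}},
])


def audit_live_host():
    """Audit every running container on this host (requires the docker CLI and socket access)."""
    ids = subprocess.run(["docker", "ps", "--quiet", "--filter", "status=running"],
                         check=True, capture_output=True, text=True).stdout.split()
    if not ids:
        return {}
    out = subprocess.run(["docker", "inspect", *ids],
                         check=True, capture_output=True, text=True).stdout
    return audit_all(out)


if __name__ == "__main__":
    # Runs against the constructed sample; call audit_live_host() on a real host instead.
    for name, findings in audit_all(SAMPLE_INSPECT).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

On the constructed data my-app reports nothing and my-db reports six findings. The AppArmor check is the one most likely to need tuning: on a host that uses SELinux instead, .AppArmorProfile is always empty and the relevant signal is the SELinux label in the inspect output.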
Key Concept

If you remember nothing else from this pattern, remember: run the automated CIS benchmark checks regularly (in CI or on a schedule, not once), triage every WARN and FAIL, and confirm each fix with docker inspect rather than assuming it took effect.

Common Mistakes
Running containers with --privileged, seccomp=unconfined or apparmor=unconfined, or with extra capabilities added.
This removes the default syscall filter and mandatory access control and hands the container far more kernel surface than it needs, which makes container escape and privilege escalation easier.
Keep the default seccomp and AppArmor (or SELinux) profiles, add --security-opt no-new-privileges, drop the capabilities you do not need (--cap-drop ALL, then add back individually), and verify the result with docker inspect.
Ignoring warnings and failures from the Docker Bench Security scan.
Each WARN and FAIL maps to a CIS recommendation with a remediation; a FAIL such as the daemon not using TLS means a remotely reachable API without authentication. Not every WARN is a defect in your setup (the AppArmor checks warn on hosts that use SELinux instead), but each one needs a decision.
Review every warning and failure, fix it or document why it is accepted, and re-run the scan to confirm.
Running the Docker Bench Security script without mounting the Docker socket.
Without access to the daemon the script cannot enumerate containers or read their configuration, so the runtime checks are skipped or report nothing useful.
Mount /var/run/docker.sock (read-only) when running the benchmark, and remember that this mount is root-equivalent on the host: it belongs in a trusted audit container, never in an application container.
Summary
Use 'docker info' to check your Docker environment and security settings.
Run the Docker Bench Security container to scan your Docker host against CIS benchmarks.
Inspect running containers' security options to ensure they have proper protections.