Docker · DevOps · ~10 mins

Security benchmarks (CIS Docker) - Step-by-Step Execution

Process Flow - Security benchmarks (CIS Docker)
Start: Docker Host Setup
Install Docker
Run CIS Docker Benchmark Scan
Analyze Scan Report
Apply Recommended Fixes
Re-scan to Verify Compliance
Maintain Regular Scans & Updates
This flow shows how to secure Docker by running CIS benchmarks, analyzing results, fixing issues, and verifying compliance.
Execution Sample
Docker
git clone https://github.com/docker/docker-bench-security.git && cd docker-bench-security && sudo ./docker-bench-security.sh --json-file cis_report.json
cat cis_report.json
# Review report
# Fix issues
# Re-run scan
Run a CIS Docker benchmark scan on the Docker host setup, save the report, review it, fix issues, and re-scan to check compliance.
Process Table
Step | Command/Action | Result/Output | System State Change
1 | git clone https://github.com/docker/docker-bench-security.git && cd docker-bench-security && sudo ./docker-bench-security.sh --json-file cis_report.json | Scan completes, JSON report saved | Report file 'cis_report.json' created with benchmark results
2 | cat cis_report.json | JSON output listing passed and failed checks | User reads scan results to identify issues
3 | Apply fixes (e.g., update Dockerfile, change permissions) | No direct output | Dockerfile and host configuration updated to fix issues
4 | cd docker-bench-security && sudo ./docker-bench-security.sh --json-file cis_report.json | New scan report generated | Report updated reflecting fixes, fewer or no failures
5 | Repeat fixes and scans as needed | Improved compliance over time | System moves towards CIS benchmark compliance
💡 Scan shows no critical failures, indicating CIS Docker benchmark compliance achieved
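Steps 2 and 4 (reading the report, then re-scanning) are where a plain `cat` falls short: a lower WARN count does not tell you which checks your fixes actually closed or whether something else regressed. The following is an added example, not code from this page or from docker-bench-security; it assumes the --json-file report carries a top-level "tests" list whose "results" entries have "id", "desc" and "result" fields, and the two sample reports are constructed.

```python
import json
from collections import Counter

# Constructed sample reports in the layout docker-bench-security writes with
# --json-file (assumed: a top-level "tests" list whose entries carry "results"
# with "id", "desc" and "result"). Check ids and descriptions are constructed.
BEFORE = json.dumps({"tests": [
    {"id": "1", "desc": "Host Configuration", "results": [
        {"id": "1.1.1", "desc": "sample: separate partition for containers", "result": "WARN"},
        {"id": "1.1.2", "desc": "sample: trusted users in docker group", "result": "WARN"}]},
    {"id": "2", "desc": "Docker daemon configuration", "results": [
        {"id": "2.2", "desc": "sample: inter-container traffic restricted", "result": "WARN"},
        {"id": "2.5", "desc": "sample: no insecure registries", "result": "PASS"}]}]})
AFTER = json.dumps({"tests": [
    {"id": "1", "desc": "Host Configuration", "results": [
        {"id": "1.1.1", "desc": "sample: separate partition for containers", "result": "WARN"},
        {"id": "1.1.2", "desc": "sample: trusted users in docker group", "result": "PASS"}]},
    {"id": "2", "desc": "Docker daemon configuration", "results": [
        {"id": "2.2", "desc": "sample: inter-container traffic restricted", "result": "PASS"},
        {"id": "2.5", "desc": "sample: no insecure registries", "result": "WARN"}]}]})

def load_report(text):
    """Flatten a report into {check_id: (description, result)}."""
    checks = {}
    for section in json.loads(text).get("tests", []):
        for r in section.get("results", []):
            checks[r["id"]] = (r.get("desc", ""), r["result"])
    return checks

def summarize(checks):
    """Count checks per status; WARN marks a failed recommendation."""
    return dict(Counter(result for _, result in checks.values()))

def failing(checks):
    """Sorted ids of checks that returned WARN."""
    return sorted(cid for cid, (_, res) in checks.items() if res == "WARN")

def compare(before, after):
    """Classify failures between two scans: what the fixes closed, plus regressions."""
    fixed = [c for c in failing(before) if c in after and after[c][1] != "WARN"]
    regressed = [c for c in failing(after) if c not in failing(before)]
    still = [c for c in failing(after) if c in failing(before)]
    return {"fixed": fixed, "regressed": regressed, "still_failing": still}

if __name__ == "__main__":
    # Real use: load_report(open("cis_report.json").read()) for each scan.
    before, after = load_report(BEFORE), load_report(AFTER)
    print("before:", summarize(before), "after:", summarize(after))
    for status, ids in compare(before, after).items():
        print(f"{status}: {', '.join(ids) or '-'}")
```

Keep the first report under a different name before re-scanning (the command in step 4 overwrites cis_report.json), otherwise there is nothing to compare against.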
Status Tracker
Variable | Start | After Scan 1 | After Fixes | After Scan 2 | Final
Scan Report | None | JSON with failures | None (fixes applied) | JSON with fewer/no failures | Compliant report
Key Moments - 3 Insights
Why does the scan report show failures even if Docker is installed?
The scan checks many security settings beyond installation, such as file permissions and daemon configuration. See the process table, step 2, where the report lists these failures.
What happens if I don't fix the issues found in the scan?
The system remains non-compliant and vulnerable. The scan will keep showing failures as in step 4 until fixes are applied (step 3).
Can I run the scan multiple times?
Yes, running scans repeatedly after fixes (steps 4 and 5) helps verify improvements and maintain security.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution table, what is created after the first scan command?
A. A new Docker image
B. A JSON report file named 'cis_report.json'
C. A running Docker container
D. A backup of the Dockerfile
💡 Hint
Refer to the process table, row 1, 'Result/Output' column
At which step does the system state change by applying fixes?
A. Step 1
B. Step 2
C. Step 3
D. Step 4
💡 Hint
Check the process table, 'System State Change' column, for step 3
If you skip re-running the scan after fixes, what happens to compliance status?
A. Compliance status remains unknown
B. Compliance is verified automatically
C. System becomes compliant immediately
D. Scan report deletes itself
💡 Hint
See the process table, steps 4 and 5, about re-scanning to verify compliance
Concept Snapshot
CIS Docker benchmarks help secure Docker setups.
Run 'sudo ./docker-bench-security.sh --json-file cis_report.json' to get a report.
Review report for failures, fix issues in Dockerfile or host.
Re-run scan to verify fixes.
Repeat regularly to maintain security compliance.
Full Transcript
This visual execution shows how to use CIS Docker security benchmarks. First, you run a scan command that checks your Docker environment, saving results in a JSON report. Then, you read the report to find security issues. Next, you apply fixes like changing permissions or updating configurations. After that, you run the scan again to see if the fixes worked. This cycle repeats until your Docker setup meets the CIS security standards, helping keep your containers safe.