Runs Docker Bench for Security to audit Docker host configs, daemon settings, images, and runtime against CIS benchmarks, generating pass/fail/warn compliance reports. Useful for production container security checks.
npx claudepluginhub killvxk/cybersecurity-skills-zh
Docker Bench for Security is an open-source script that checks dozens of common best practices for deploying Docker containers in production. Based on the CIS Docker Benchmark, it audits host configuration, Docker daemon settings, container images, runtime configuration and security operations, and produces a compliance report with PASS/FAIL/WARN results for each check.
# Run as a container (recommended). The host paths are mounted read-only so the
# script can inspect daemon config, binaries and unit files; the Docker socket
# lets it enumerate images and containers; audit_control is needed for the
# auditd checks in section 1. DOCKER_CONTENT_TRUST is passed through so the
# content-trust check reflects the host setting.
docker run --rm --net host --pid host --userns host --cap-add audit_control \
  -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
  -v /etc:/etc:ro \
  -v /usr/bin/containerd:/usr/bin/containerd:ro \
  -v /usr/bin/runc:/usr/bin/runc:ro \
  -v /usr/lib/systemd:/usr/lib/systemd:ro \
  -v /var/lib:/var/lib:ro \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  --label docker_bench_security \
  docker/docker-bench-security
# The docker/docker-bench-security image on Docker Hub lags the repository. For
# the current check set, build the image from a clone of the project
# (docker build --no-cache -t docker-bench-security .) and use that tag instead.
# Write the report to files. -l FILE names the text log (a path inside the
# container when run this way); the script also writes a JSON report next to it
# as FILE.json. Pointing -l at /dev/stdout and piping into a .json file only
# captures the text log, so mount a writable host directory instead.
mkdir -p "$PWD/results"
docker run --rm --net host --pid host --userns host --cap-add audit_control \
  -v /etc:/etc:ro \
  -v /var/lib:/var/lib:ro \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  -v "$PWD/results:/results" \
  docker/docker-bench-security -b -l /results/docker-bench.log
# -> results/docker-bench.log (text) and results/docker-bench.log.json
# Run only selected parts. -c takes a comma-separated list of section names
# (host_configuration, docker_daemon_configuration, docker_daemon_files,
# container_images, container_runtime, docker_security_operations, ...) or
# individual check ids in the form check_5_3; unknown names are skipped with
# a message. Keep the socket mount: the image and runtime checks inspect
# containers through the Docker API.
docker run --rm --net host --pid host --userns host \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  docker/docker-bench-security -c container_images,container_runtime
# Excerpt of a report. A full run also prints [NOTE] lines for checks that need
# manual review and ends with totals ([INFO] Checks: N and [INFO] Score: N).
[INFO] 1 - Host Configuration
[PASS] 1.1.1 - Ensure a separate partition for containers has been created
[WARN] 1.1.2 - Ensure only trusted users are allowed to control Docker daemon
[PASS] 1.1.3 - Ensure auditing is configured for the Docker daemon
[INFO] 2 - Docker daemon configuration
[FAIL] 2.1 - Run the Docker daemon as a non-root user, if possible
[PASS] 2.2 - Ensure network traffic is restricted between containers on the default bridge
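The report format above is regular enough to turn into a gate for CI or a scheduled job. The following is an added example (not code from the docker-bench-security project) that parses the plain-text report into per-section findings, counts statuses, and emits the failing ids in the `check_X_Y` form the script's `-c` option accepts for a targeted re-run. It assumes the report was produced with `-b` (no ANSI colour codes) and that sub-findings are printed as `[STATUS]      * detail` beneath their check; SAMPLE_REPORT is a constructed sample modelled on the excerpt, not output of a real run.

```python
"""Summarise a Docker Bench for Security text report (added example)."""
import re
import sys
from collections import Counter

# "[STATUS] 5.12 - description"; the id is numeric with dots, which excludes
# the trailing "[INFO] Checks: N" / "[INFO] Score: N" totals.
CHECK_RE = re.compile(r"^\[(PASS|FAIL|WARN|INFO|NOTE)\]\s+(\d+(?:\.\d+)*)\s+-\s+(.*)$")
# "[STATUS]      * detail" lines that belong to the preceding check.
DETAIL_RE = re.compile(r"^\[(PASS|FAIL|WARN|INFO|NOTE)\]\s+\*\s+(.*)$")

# Constructed sample modelled on the excerpt above; not from a real run.
SAMPLE_REPORT = """\
[INFO] 1 - Host Configuration
[PASS] 1.1.1 - Ensure a separate partition for containers has been created
[WARN] 1.1.2 - Ensure only trusted users are allowed to control Docker daemon
[PASS] 1.1.3 - Ensure auditing is configured for the Docker daemon
[INFO] 2 - Docker daemon configuration
[FAIL] 2.1 - Run the Docker daemon as a non-root user, if possible
[PASS] 2.2 - Ensure network traffic is restricted between containers on the default bridge
[INFO] 5 - Container Runtime
[WARN] 5.3 - Ensure that Linux kernel capabilities are restricted within containers
[WARN]      * Capabilities added: CapAdd=[NET_ADMIN] to web
[FAIL] 5.12 - Ensure that the container's root filesystem is mounted as read only
[INFO] Checks: 6
[INFO] Score: 2
"""


def _id_key(check_id):
    """Numeric sort key so 5.3 sorts before 5.12."""
    return tuple(int(p) for p in check_id.split("."))


def parse_report(text):
    """Return (findings, counts).

    findings: check id -> {"status", "desc", "section", "details"}
    counts:   Counter of statuses over checks only (section headers and the
              Checks:/Score: totals are not counted).
    """
    findings, counts = {}, Counter()
    section = last_id = None
    for line in text.splitlines():
        m = CHECK_RE.match(line)
        if m:
            status, check_id, desc = m.groups()
            if status == "INFO" and "." not in check_id:
                section = f"{check_id} - {desc}"   # e.g. "1 - Host Configuration"
                last_id = None
                continue
            findings[check_id] = {"status": status, "desc": desc,
                                  "section": section, "details": []}
            counts[status] += 1
            last_id = check_id
            continue
        d = DETAIL_RE.match(line)
        if d and last_id is not None:
            findings[last_id]["details"].append(d.group(2))
    return findings, counts


def failing_checks(findings, statuses=("FAIL", "WARN")):
    """Check ids carrying one of the given statuses, in benchmark order."""
    return sorted((cid for cid, f in findings.items() if f["status"] in statuses),
                  key=_id_key)


def as_check_args(check_ids):
    """Format ids for the script's -c option: 5.12 -> check_5_12."""
    return ",".join("check_" + cid.replace(".", "_") for cid in check_ids)


def main(argv):
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_REPORT
    findings, counts = parse_report(text)
    for status in ("PASS", "WARN", "FAIL", "NOTE"):
        print(f"{status}: {counts[status]}")
    bad = failing_checks(findings)
    for cid in bad:
        f = findings[cid]
        print(f"[{f['status']}] {cid} ({f['section']}) {f['desc']}")
        for detail in f["details"]:
            print(f"        * {detail}")
    print("re-run only these: -c", as_check_args(bad))
    return 1 if failing_checks(findings, ("FAIL",)) else 0   # non-zero gates a pipeline


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 bench_summary.py results/docker-bench.log`; with no argument it summarises the constructed sample. Only FAIL drives the exit status because WARN covers items the script cannot decide by itself (trusted users, capability lists) and those need a human to confirm.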
# Remediation for 2.2 (restrict inter-container communication) and 2.17
# (stop containers acquiring new privileges). /etc/docker/daemon.json must be
# one JSON object: overwriting it with one key and then appending a second
# object with tee -a leaves two objects in the file, which is invalid JSON and
# dockerd will refuse to start. Write both keys in a single document; if the
# file already has settings, merge into it rather than replacing it.
sudo tee /etc/docker/daemon.json >/dev/null <<'EOF'
{
  "icc": false,
  "no-new-privileges": true
}
EOF
# icc=false blocks all container-to-container traffic on the default bridge;
# containers that must talk to each other go on a user-defined network.
# Remediation for 5.3: restrict Linux kernel capabilities
#   docker run --cap-drop ALL --cap-add <only what the workload needs> ...
# Remediation for 5.12: mount the container root filesystem read-only
#   docker run --read-only --tmpfs /tmp ...   (add --tmpfs or volumes for paths the process writes)
# Check the file parses before restarting (dockerd --validate needs Engine 23.0+),
# then restart the daemon to apply the configuration change
sudo dockerd --validate --config-file /etc/docker/daemon.json
sudo systemctl restart docker
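Hand-editing daemon.json on a host that already carries settings (log driver, registry mirrors, storage options) is where the overwrite mistake above comes from. This added example, not code from Docker or docker-bench-security, merges the remediation keys into whatever is already there, refuses to silently flip a key the operator set to a different value, and replaces the file atomically with a backup so dockerd never reads a half-written file. It assumes the two daemon.json keys used above ("icc" and "no-new-privileges") and takes the path as a parameter, so it can be tried on a scratch file before being pointed at /etc/docker/daemon.json (which needs root).

```python
"""Merge CIS remediation keys into daemon.json without clobbering it (added example)."""
import json
import os
import shutil
import sys
import tempfile

# Secure values for the keys set in the remediation steps above.
HARDENING = {
    "icc": False,               # no container-to-container traffic on the default bridge
    "no-new-privileges": True,  # containers cannot gain privileges via setuid/file caps
}


def load_daemon_config(path):
    """Parse daemon.json; a missing file is an empty config, a non-object is an error."""
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except FileNotFoundError:
        return {}
    if not isinstance(data, dict):
        raise ValueError(f"{path}: daemon.json must contain a single JSON object")
    return data


def merge_hardening(existing, hardening=HARDENING):
    """Return (merged, conflicts). Keys already set to a different value are
    reported and left untouched rather than overridden behind the operator's back."""
    merged = dict(existing)
    conflicts = []
    for key, wanted in hardening.items():
        if key in existing and existing[key] != wanted:
            conflicts.append(f"{key}: existing={existing[key]!r} wanted={wanted!r}")
            continue
        merged[key] = wanted
    return merged, conflicts


def write_daemon_config(path, config):
    """Write atomically: temp file in the same directory, fsync, rename over the
    target. The previous file is kept as <path>.bak."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".daemon.json.", dir=directory)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(config, fh, indent=2, sort_keys=True)
            fh.write("\n")
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, 0o644)          # mkstemp creates 0600; daemon.json is world-readable
        if os.path.exists(path):
            shutil.copy2(path, path + ".bak")
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def harden_daemon_json(path, hardening=HARDENING):
    """Apply hardening to the daemon.json at path. Returns (merged, conflicts);
    nothing is written while conflicts remain."""
    merged, conflicts = merge_hardening(load_daemon_config(path), hardening)
    if not conflicts:
        write_daemon_config(path, merged)
    return merged, conflicts


def self_check():
    """Exercise the flow on a scratch directory (no root, no real daemon.json)."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "daemon.json")
    results = {}
    # 1. no daemon.json yet: the file is created with just the hardening keys
    _, conflicts = harden_daemon_json(path)
    results["fresh"] = (load_daemon_config(path), conflicts)
    # 2. existing non-conflicting settings are preserved alongside the new keys
    write_daemon_config(path, {"log-driver": "json-file", "icc": False})
    _, conflicts = harden_daemon_json(path)
    results["merged"] = (load_daemon_config(path), conflicts)
    # 3. a conflicting value: nothing is written, the conflict is reported
    write_daemon_config(path, {"icc": True})
    _, conflicts = harden_daemon_json(path)
    results["conflict"] = (load_daemon_config(path), conflicts)
    shutil.rmtree(workdir)
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/docker/daemon.json"
    merged, conflicts = harden_daemon_json(target)
    if conflicts:
        sys.exit("not written; resolve first:\n  " + "\n  ".join(conflicts))
    print(f"wrote {target}; restart the Docker daemon to apply")
```

Run `python3 harden_daemon.py /tmp/daemon.json` to see the merge on a scratch file, then `sudo python3 harden_daemon.py` for the real path followed by `systemctl restart docker`. A conflict on `icc` usually means someone deliberately left inter-container traffic open; the right fix is a user-defined network for those containers, not overriding the setting.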
# docker-compose service for periodic assessment. Run it with:
#   RUN_DATE=$(date +%Y%m%d) docker compose run --rm bench-security
# Compose does not perform shell command substitution, so $(date ...) cannot
# appear in the file itself; the date is passed in through an environment
# variable with a fallback name.
version: '3.8'
services:
  bench-security:
    image: docker/docker-bench-security
    network_mode: host
    pid: host
    userns_mode: host
    cap_add:
      - audit_control
    volumes:
      - /etc:/etc:ro
      - /usr/bin/containerd:/usr/bin/containerd:ro
      - /usr/bin/runc:/usr/bin/runc:ro
      - /usr/lib/systemd:/usr/lib/systemd:ro
      - /var/lib:/var/lib:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./results:/results
    # -b: no colour codes in the log; -l: text log, with the JSON report written as <file>.json
    command: ["-b", "-l", "/results/bench-${RUN_DATE:-latest}.log"]
    # deploy.restart_policy only applies in swarm mode; for docker compose use restart
    restart: "no"
# Verify the fixes. Re-run with the same mounts as the full audit: a bare
# docker run without the host mounts and the socket cannot see the daemon or
# the containers, so most checks would WARN or FAIL regardless of the fixes.
# -b disables colour codes so the status tags can be matched; the script also
# prints its own totals at the end ([INFO] Checks: N / [INFO] Score: N).
docker run --rm --net host --pid host --userns host --cap-add audit_control \
  -v /etc:/etc:ro \
  -v /var/lib:/var/lib:ro \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  docker/docker-bench-security -b 2>&1 | tee bench.txt
# Count results by status
for s in PASS FAIL WARN; do printf '%s %s\n' "$s" "$(grep -c "^\[$s\]" bench.txt)"; done
# List failing check ids in the form -c accepts, to re-run only those after a fix
grep '^\[FAIL\] [0-9]' bench.txt | awk '{print $2}' | sed 's/\./_/g; s/^/check_/' | paste -sd,