{"id":18497843,"url":"https://github.com/containers/podman-security-bench","last_synced_at":"2025-09-14T13:27:39.092Z","repository":{"id":37778271,"uuid":"408953935","full_name":"containers/podman-security-bench","owner":"containers","description":null,"archived":false,"fork":false,"pushed_at":"2024-09-28T10:49:26.000Z","size":179,"stargazers_count":43,"open_issues_count":2,"forks_count":11,"subscribers_count":10,"default_branch":"main","last_synced_at":"2024-12-07T08:41:47.510Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/containers.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-09-21T19:45:25.000Z","updated_at":"2024-12-05T14:11:04.000Z","dependencies_parsed_at":"2024-11-06T13:45:34.951Z","dependency_job_id":"37677b2a-f8e1-42a4-9977-121baaa453f7","html_url":"https://github.com/containers/podman-security-bench","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/containers%2Fpodman-security-bench","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/containers%2Fpodman-security-bench/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/containers%2Fpodman-security-bench/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/containers%2Fpodman-security-bench/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/Gi
tHub/owners/containers","download_url":"https://codeload.github.com/containers/podman-security-bench/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":230501172,"owners_count":18236061,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-06T13:36:14.567Z","updated_at":"2024-12-19T21:08:59.854Z","avatar_url":"https://github.com/containers.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Podman Security Tests\n\n![Podman Security Tests running](img/benchmark_log.png)\n\nPodman Security is a script that checks for dozens of common best-practices around deploying Podman containers in production. 
The tests are all automated, and are based on the [CIS Docker Benchmark v1.3.1](https://www.cisecurity.org/benchmark/docker/).\n\nWe are making this available as an open-source utility so the Podman community\ncan have an easy way to self-assess their hosts and podman containers against\nthis benchmark.\n\n## Running Podman Security\n\n### Run from your base host\n\nYou can simply run this script from your base host by running:\n\n```sh\ngit clone https://github.com/containers/podman-security-bench.git\ncd podman-security-bench\nsudo bash podman-security-bench.sh\n```\n\n### Note\n\nPodman bench requires Podman 3.3.0 or later in order to run.\n\nNote that when distributions don't contain `auditctl`, the audit tests will check `/etc/audit/audit.rules` to see if a rule is present instead.\n\n### Podman Security Bench options\n\n```sh\n  -b           optional  Do not print colors\n  -h           optional  Print this help message\n  -l FILE      optional  Log output in FILE, inside container if run using podman\n  -c CHECK     optional  Comma delimited list of specific check(s) id\n  -e CHECK     optional  Comma delimited list of specific check(s) id to exclude\n  -i INCLUDE   optional  Comma delimited list of patterns within a container or image name to check\n  -x EXCLUDE   optional  Comma delimited list of patterns within a container or image name to exclude from check\n  -n LIMIT     optional  In JSON output, when reporting lists of items (containers, images, etc.), limit the number of reported items to LIMIT. Default 0 (no limit).\n  -p PRINT     optional  Disable the printing of remediation measures. 
Default: print remediation measures.\n  -w PATH      optional  Path to directory containing files with allowed content.\n```\n\nBy default, the Podman Security Bench script will run all available CIS tests and produce\nlogs in the `log` folder of the current directory, named `podman-security-bench.log.json` and\n`podman-security-bench.log`.\n\nThe CIS-based checks are named `check_\u003csection\u003e_\u003cnumber\u003e`, e.g. `check_2_6`, and community-contributed checks are named `check_c_\u003cnumber\u003e`.\n\n`sh podman-security-bench.sh -c check_2_2` will only run check `2.2 Ensure the logging level is set to 'info'`.\n\n`sh podman-security-bench.sh -e check_2_2` will run all available checks except `2.2 Ensure the logging level is set to 'info'`.\n\n`sh podman-security-bench.sh -e podman_enterprise_configuration` will run all available checks except the podman_enterprise_configuration group.\n\n`sh podman-security-bench.sh -e podman_enterprise_configuration,check_2_2` will run all available checks except the podman_enterprise_configuration group and `2.2 Ensure the logging level is set to 'info'`.\n\n`sh podman-security-bench.sh -c container_images -e check_4_5` will run just the container_images checks except `4.5 Ensure Content trust for Podman is Enabled`.\n\nNote that when submitting checks, explain why it is a reasonable test to add and please include some kind of official documentation verifying that information.\n\n### Allowed Content\n\nSome of the checks require an allow file in order to verify the content or configuration of a container.\nFor example, check\\_4\\_8 (Ensure setuid and setgid permissions are removed) uses a file\ncontaining all the files which are allowed to have setuid or setgid set.\n\nThere is a default file for every affected check in the `default-lists` directory.\nThey must follow a simple naming pattern:\n\n* `allow_check_x.y`\n\n\nMost likely\nthese defaults will not suit the requirements for your particular containers. 
That's why it is\n*highly advisable* to provide your own files at runtime.\nTo do so, just provide your files with something like `-w path/to/your/files`, which must point to a\ndirectory containing all required files.\n\nBeware that if a required file cannot be found, an error message is issued and the test will not be\nexecuted.\n\nThe next three chapters provide some advice on how to analyze containers for which an allow file has to be\ncreated.\n\n#### Analyzing Packages in a Container (4.3)\n\nExample:\n```\n$ podman exec 540d7db05f99 apk list\nlibretls-3.3.4-r3 x86_64 {libretls} (ISC AND (BSD-3-Clause OR MIT)) [installed]\nmusl-1.2.2-r7 x86_64 {musl} (MIT) [installed]\nbash-5.1.16-r0 x86_64 {bash} (GPL-3.0-or-later) [installed]\njava-cacerts-1.0-r1 x86_64 {java-cacerts} (MIT) [installed]\n...\n```\nOr use the respective package manager command when not using Alpine.\nDo not copy complete lines into your file for packages. Simply use the base name of a\npackage. E.g. to exclude package `bash-5.1.16-r0` from the allowed packages, simply put `bash` into\none line of your file.\n\n#### Analyzing setuid and setgid in a Container (4.8)\n\nExample:\n```\n$ podman export 540d7db05f99 | tar -tv 2\u003e/dev/null | grep -E '^[-rwx].*(s|S).*\\s[0-9]' | awk '{print $6}'\netc/shadow\n```\nThis will list all files having setuid or setgid set. They may serve as a basis for your\nfile. It's up to you to decide.\n\n#### Analyzing configured Ports in a Container (5.8)\n\nExample:\n```\n$ podman inspect c2afbaf5b3 --format '{{ .NetworkSettings.Ports }}'\nmap[4711/tcp:[] 8080/tcp:[]]\n```\n\nThis will show you a map containing all configured ports. 
If it's OK to have them configured, simply\nput\n\n```\n4711\n8080\n```\ninto your file.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontainers%2Fpodman-security-bench","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcontainers%2Fpodman-security-bench","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontainers%2Fpodman-security-bench/lists"}