{"id":13416255,"url":"https://github.com/dev-sec/cis-docker-benchmark","last_synced_at":"2025-03-14T23:31:31.137Z","repository":{"id":43092870,"uuid":"59814924","full_name":"dev-sec/cis-docker-benchmark","owner":"dev-sec","description":"CIS Docker Benchmark - InSpec Profile","archived":false,"fork":false,"pushed_at":"2023-05-02T12:59:10.000Z","size":236,"stargazers_count":472,"open_issues_count":7,"forks_count":113,"subscribers_count":37,"default_branch":"master","last_synced_at":"2024-04-18T17:06:11.795Z","etag":null,"topics":["cis-docker-benchmark","docker","hardening","inspec","security"],"latest_commit_sha":null,"homepage":"https://dev-sec.io/baselines/docker/","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dev-sec.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-05-27T07:35:56.000Z","updated_at":"2024-07-30T23:49:08.912Z","dependencies_parsed_at":"2024-07-30T23:58:52.835Z","dependency_job_id":null,"html_url":"https://github.com/dev-sec/cis-docker-benchmark","commit_stats":null,"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dev-sec%2Fcis-docker-benchmark","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dev-sec%2Fcis-docker-benchmark/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dev-sec%2Fcis-docker-benchmark/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dev-sec%2Fcis-docker-benchmark/m
anifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dev-sec","download_url":"https://codeload.github.com/dev-sec/cis-docker-benchmark/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243663505,"owners_count":20327299,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cis-docker-benchmark","docker","hardening","inspec","security"],"created_at":"2024-07-30T21:00:56.090Z","updated_at":"2025-03-14T23:31:27.207Z","avatar_url":"https://github.com/dev-sec.png","language":"Ruby","readme":"# CIS Docker Benchmark - InSpec Profile\n\n[![Build Status](http://img.shields.io/travis/dev-sec/cis-docker-benchmark.svg)][1]\n[![Supermarket](https://img.shields.io/badge/InSpec%20Profile-CIS%20Docker%20Benchmark-brightgreen.svg)](https://supermarket.chef.io/tools/cis-docker-benchmark)\n[![Gitter Chat](https://badges.gitter.im/Join%20Chat.svg)][2]\n\n## Description\n\nThis [InSpec](https://github.com/chef/inspec) compliance profile implements the [CIS Docker 1.13.0 Benchmark](https://downloads.cisecurity.org/) in an automated way to provide security best-practice tests around the Docker daemon and containers in a production environment.\n\nInSpec is an open-source run-time framework and rule language used to specify compliance, security, and policy requirements for testing any node in your infrastructure.\n\n## Requirements\n\n* at least [InSpec](http://inspec.io/) version 2.3.23\n* Docker 1.13+\n\n### Platform\n\n* Debian 8\n* Ubuntu 16.04\n* CentOS 7\n\n## Attributes\n\nWe use a YAML attributes file to steer the 
configuration; the following options are available:\n\n* `trusted_user: vagrant`\n  define the trusted user allowed to control the Docker daemon.\n* `authorization_plugin: authz-broker`\n  define the authorization plugin that manages access to the Docker daemon.\n* `log_driver: syslog`\n  define the preferred log driver for storing container logs.\n* `log_opts: /syslog-address/`\n  define the expected Docker daemon log-opts.\n* `registry_cert_path: /etc/docker/certs.d`\n  directory containing one sub-directory per Docker registry.\n* `registry_name: /etc/docker/certs.d/registry_hostname:port`\n  directory containing the certificates for a specific Docker registry.\n* `registry_ca_file: /etc/docker/certs.d/registry_hostname:port/ca.crt`\n  CA certificate file for a specific Docker registry.\n* `container_user: vagrant`\n  define the user that processes run as inside containers.\n* `app_armor_profile: docker-default`\n  define the AppArmor profile for Docker containers.\n* `selinux_profile: /label\\:level\\:s0-s0\\:c1023/`\n  define the SELinux profile for Docker containers.\n* `container_capadd: null`\n  define the capabilities containers are allowed to add. Example: `container_capadd: NET_ADMIN,SYS_ADMIN`\n* `managable_container_number: 25`\n  keep the number of containers on a host to a manageable total.\n* `daemon_tlscacert: /etc/docker/ssl/ca.pem`\n  configure the certificate authority.\n* `daemon_tlscert: /etc/docker/ssl/server_cert.pem`\n  configure the server certificate.\n* `daemon_tlskey: /etc/docker/ssl/server_key.pem`\n  configure the server key.\n* `swarm_mode: inactive`\n  configure the expected swarm mode.\n* `swarm_max_manager_nodes: 3`\n  configure the maximum number of swarm manager nodes.\n* `swarm_port: 2377`\n  configure the swarm port.\n* `benchmark_version`\n  also run the controls from a previous benchmark version, e.g. set it to 1.12.0 to also run the tests from the CIS Docker 1.12.0 benchmark (this is the default).\n\nThese settings can be overridden using an attributes file (e.g. --attrs \u003cattributefile.yml\u003e). 
See [sample_attributes.yml](sample_attributes.yml) as an example.\n\n## Usage\n\nInSpec makes it easy to run your tests wherever you need. More options are listed in the [InSpec CLI reference](http://inspec.io/docs/reference/cli/).\n\n```sh\n# run profile locally\ngit clone https://github.com/dev-sec/cis-docker-benchmark\ninspec exec cis-docker-benchmark\n\n# run profile locally and directly from GitHub\ninspec exec https://github.com/dev-sec/cis-docker-benchmark\n\n# run profile on remote host via SSH\ninspec exec cis-docker-benchmark -t ssh://user@hostname -i /path/to/key\n\n# run profile on remote host via SSH with sudo\ninspec exec cis-docker-benchmark -t ssh://user@hostname -i /path/to/key --sudo\n\n# run profile on remote host via SSH with sudo and override attribute values\ninspec exec cis-docker-benchmark -t ssh://user@hostname -i /path/to/key --sudo --attrs sample_attributes.yml\n\n# run profile directly from the InSpec supermarket\ninspec supermarket exec dev-sec/cis-docker-benchmark -t ssh://user@hostname --key-files private_key --sudo\n```\n\n### Run individual controls\n\nTo verify individual controls, pass their control ids to InSpec:\n\n```sh\ninspec exec cis-docker-benchmark --controls 'cis-docker-benchmark-1.4 cis-docker-benchmark-1.5'\n```\n\n## Contributors + Kudos\n\n* Patrick Muench [atomic111](https://github.com/atomic111)\n* Dominik Richter [arlimus](https://github.com/arlimus)\n* Christoph Hartmann [chris-rock](https://github.com/chris-rock)\n\n## License and Author\n\n* Author:: Patrick Muench \u003cpatrick.muench1111@gmail.com\u003e\n* Author:: Christoph Hartmann \u003cchris@lollyrock.com\u003e\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n\u003chttp://www.apache.org/licenses/LICENSE-2.0\u003e\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR 
CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n\n[1]: http://travis-ci.org/dev-sec/cis-docker-benchmark\n[2]: https://gitter.im/dev-sec/general\n[3]: https://downloads.cisecurity.org/\n","funding_links":[],"categories":["Container Operations","Ruby","Tools","Tools: practical utilities covering the full offensive and defensive workflow"],"sub_categories":["Security","Compliance","3. Compliance checks (aligned with industry benchmarks, automated hardening)"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdev-sec%2Fcis-docker-benchmark","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdev-sec%2Fcis-docker-benchmark","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdev-sec%2Fcis-docker-benchmark/lists"}
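The README's Usage section shows how to run the profile and how to select individual controls such as `cis-docker-benchmark-1.4`, but not how to act on the results in a pipeline. The Ruby script below is an added example and is not code from dev-sec/cis-docker-benchmark or from InSpec. It reads a report in the shape of InSpec's `json` reporter (as produced by `inspec exec cis-docker-benchmark --reporter json`), rolls each control's individual test results up to a single status, and fails a CI gate unless every failing control is on an explicit, documented exception list. The embedded report is constructed sample data: the control id `cis-docker-benchmark-1.6`, the `impact` values and all messages are made up for the example, and the `min_impact` threshold is this script's own convention rather than InSpec behaviour.

```ruby
#!/usr/bin/env ruby
# Added example (not part of dev-sec/cis-docker-benchmark): turn an InSpec JSON
# report into a CI gate. Usage: ruby gate.rb report.json  (no argument: the
# constructed sample below is used). A real report comes from:
#   inspec exec cis-docker-benchmark --reporter json > report.json
require 'json'

# Constructed sample report in the shape of InSpec's "json" reporter
# (profiles[].controls[].results[].status). The id 1.6, the impacts and the
# messages are made up for this example.
SAMPLE_REPORT = <<~JSON
  {
    "profiles": [
      {
        "name": "cis-docker-benchmark",
        "controls": [
          { "id": "cis-docker-benchmark-1.4", "impact": 1.0,
            "results": [ { "status": "passed", "code_desc": "constructed check" } ] },
          { "id": "cis-docker-benchmark-1.5", "impact": 1.0,
            "results": [ { "status": "passed", "code_desc": "constructed check" },
                         { "status": "failed", "code_desc": "constructed check",
                           "message": "constructed failure message" } ] },
          { "id": "cis-docker-benchmark-1.6", "impact": 0.5,
            "results": [ { "status": "skipped", "code_desc": "constructed check",
                           "skip_message": "constructed skip reason" } ] }
        ]
      }
    ]
  }
JSON

# Roll a control's individual test results up to one status: any failed
# result fails the control; a control whose results were all skipped is
# skipped; a control with no results has nothing to enforce and counts as passed.
def control_status(control)
  statuses = control.fetch('results', []).map { |r| r['status'] }
  return 'failed' if statuses.include?('failed')
  return 'skipped' if !statuses.empty? && statuses.all? { |s| s == 'skipped' }
  'passed'
end

# All controls across all profiles in a report.
def controls(report_json)
  JSON.parse(report_json).fetch('profiles', []).flat_map { |p| p.fetch('controls', []) }
end

# {control id => rolled-up status}
def summarize(report_json)
  controls(report_json).map { |c| [c['id'], control_status(c)] }.to_h
end

# CI gate. A failed control blocks unless it is listed in accepted_exceptions
# (a documented risk acceptance) or its impact is below min_impact (this
# script's own informational threshold, not an InSpec rule).
# Returns [passed?, blocking control ids].
def gate(report_json, accepted_exceptions: [], min_impact: 0.1)
  blocking = controls(report_json)
             .select { |c| control_status(c) == 'failed' }
             .select { |c| c.fetch('impact', 1.0).to_f >= min_impact }
             .map { |c| c['id'] }
             .reject { |id| accepted_exceptions.include?(id) }
  [blocking.empty?, blocking]
end

if $PROGRAM_NAME == __FILE__
  input = ARGV[0] && File.exist?(ARGV[0]) ? File.read(ARGV[0]) : SAMPLE_REPORT
  summarize(input).each { |id, status| puts format('%-28s %s', id, status) }
  ok, blocking = gate(input)
  puts(ok ? 'gate: PASS' : "gate: FAIL, blocking: #{blocking.join(', ')}")
end
```

Keeping the exception list in version control next to the pipeline definition means every accepted benchmark deviation is reviewed like code; a control that is merely skipped (for example swarm checks on a host with `swarm_mode: inactive`) does not block, but it also does not silently count as a pass in the summary.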