Repository record for https://github.com/nokia/containerd-bench-security (language: Shell; license: apache-2.0; default branch: master; 7 stars, 5 forks, 2 open issues; created 2022-11-29, last pushed 2024-03-14, record last synced 2025-07-27). Listed under the categories 蓝队工具 (blue team tools) / 基线检测 (baseline checking). The repository's README follows.

# Containerd Bench for Security

![Containerd Bench for Security running](img/benchmark_log.png)

The Containerd Bench for Security is a script that checks for dozens of common best practices around deploying containers with containerd in production. The tests are all automated and are based on the [CIS Docker Benchmark v1.3.1](https://www.cisecurity.org/benchmark/docker/).

We are making this available as an open source utility so the containerd user community has an easy way to self-assess their hosts and containers against this benchmark.

## Running Containerd Bench for Security

### Run from your base host

You can simply run this script from your base host by running:

```sh
git clone https://github.com/nokia/containerd-bench-security.git
cd containerd-bench-security
sudo sh containerd-bench-security.sh
```

### Run as container

We provide a Dockerfile to build Containerd Bench for Security as a small container for your convenience. Note that this container is run with a *lot* of privilege -- it shares the host's filesystem, pid and network namespaces, because portions of the benchmark apply to the running host.

First you will need to build the container based on the [descriptions](#building-docker-image) and then run it.

```sh
TODO: Add run instructions.
```

### Note

Note that on distributions that do not ship `auditctl`, the audit tests will instead check `/etc/audit/audit.rules` to see whether a rule is present.

### Containerd Bench for Security options

```sh
  -b           optional  Do not print colors
  -h           optional  Print this help message
  -l FILE      optional  Log output in FILE, inside container if run from container
  -u USERS     optional  Comma delimited list of trusted user(s)
  -c CHECK     optional  Comma delimited list of specific check(s) id
  -e CHECK     optional  Comma delimited list of specific check(s) id to exclude
  -i INCLUDE   optional  Comma delimited list of patterns within a container or image name to check
  -x EXCLUDE   optional  Comma delimited list of patterns within a container or image name to exclude from check
  -n LIMIT     optional  In JSON output, when reporting lists of items (containers, images, etc.), limit the number of reported items to LIMIT. Default 0 (no limit).
  -p PRINT     optional  Disable the printing of remediation measures. Default: print remediation measures.
```

By default the Containerd Bench for Security script will run all available CIS tests and write
logs to the `log` folder of the current directory, named `containerd-bench-security.sh.log.json` and
`containerd-bench-security.sh.log`.

If the container is used, the log files are created inside the container at `/usr/local/bin/log/`. If you wish to access them from the host after the container has run, you will need to mount a volume to store them in.

The CIS-based checks are named `check_<section>_<number>`, e.g. `check_2_6`, and community-contributed checks are named `check_c_<number>`.

`sh containerd-bench-security.sh -c check_2_2` will only run check `2.2 Ensure the logging level is set to 'info'`.

`sh containerd-bench-security.sh -e check_2_2` will run all available checks except `2.2 Ensure the logging level is set to 'info'`.

`sh containerd-bench-security.sh -e docker_enterprise_configuration` will run all available checks except the docker_enterprise_configuration group.

`sh containerd-bench-security.sh -e docker_enterprise_configuration,check_2_2` will run all available checks except the docker_enterprise_configuration group and `2.2 Ensure the logging level is set to 'info'`.

`sh containerd-bench-security.sh -c container_images -e check_4_5` will run just the container_images checks except `4.5 Ensure Content trust for Docker is Enabled`.

Note that when submitting checks, explain why the test is reasonable to add and include some kind of official documentation supporting that reasoning.

## Building Docker image

You have two options if you wish to build and run this container yourself:

1. Use Docker Build (**note: this requires Docker to be installed**):

```sh
git clone https://github.com/nokia/containerd-bench-security.git
cd containerd-bench-security
docker build --no-cache -t containerd-bench-security .
```

Followed by an appropriate `run` command as stated above.

2. Use Docker Compose:

```sh
git clone https://github.com/nokia/containerd-bench-security.git
cd containerd-bench-security
docker-compose run --rm containerd-bench-security
```

## Contribute

We are happy to receive user feedback as GitHub issues and contributions as GitHub PRs. Detailed technical instructions are in the [contributor guide](CONTRIBUTING.md).

## License

Containerd Bench for Security is licensed under the [Apache License Version 2.0](LICENSE.md).