https://github.com/nokia/containerd-bench-security

https://github.com/nokia/containerd-bench-security

Last synced: about 2 months ago
JSON representation

• Host: GitHub
• URL: https://github.com/nokia/containerd-bench-security
• Owner: nokia
• License: apache-2.0
• Created: 2022-11-29T08:01:51.000Z (almost 2 years ago)
• Default Branch: master
• Last Pushed: 2024-03-14T03:40:40.000Z (6 months ago)
• Last Synced: 2024-06-19T07:03:03.868Z (3 months ago)
• Language: Shell
• Size: 106 KB
• Stars: 6
• Watchers: 4
• Forks: 5
• Open Issues: 2
• Metadata Files:
  • Readme: README.md
  • Contributing: CONTRIBUTING.md
  • License: LICENSE.md

Awesome Lists containing this project

README

        
# Containerd Bench for Security

![Containerd Bench for Security running](img/benchmark_log.png)

The Containerd Bench for Security is a script that checks for dozens of common best-practices around deploying containers with containerd in production. The tests are all automated, and are based on the [CIS Docker Benchmark v1.3.1](https://www.cisecurity.org/benchmark/docker/).

We are making this available as an open source utility so the user community of Containerd can have an easy way to self-assess their hosts and containers against this benchmark.

## Running Containerd Bench for Security

### Run from your base host

You can simply run this script from your base host by running:

```sh

git clone https://github.com/nokia/containerd-bench-security.git

cd containerd-security

sudo sh containerd-bench-security.sh

```

### Run as container

We provide a Dockerfile to build Containerd Bench for Security as a small container for your convenience. Note that this container is being run with a *lot* of privilege -- sharing the host's filesystem, pid and network namespaces, due to portions of the benchmark applying to the running host.

First you will need to build the container based on the [descriptions](#building-docker-image) and then run it. 

```sh

TODO: Add run instructions.

```

### Note

Note that when distributions do not contain `auditctl`, the audit tests will check `/etc/audit/audit.rules` to see if a rule is present instead.

### Containerd Bench for Security options

```sh

  -b           optional  Do not print colors

  -h           optional  Print this help message

  -l FILE      optional  Log output in FILE, inside container if run from container

  -u USERS     optional  Comma delimited list of trusted user(s)

  -c CHECK     optional  Comma delimited list of specific check(s) id

  -e CHECK     optional  Comma delimited list of specific check(s) id to exclude

  -i INCLUDE   optional  Comma delimited list of patterns within a container or image name to check

  -x EXCLUDE   optional  Comma delimited list of patterns within a container or image name to exclude from check

  -n LIMIT     optional  In JSON output, when reporting lists of items (containers, images, etc.), limit the number of reported items to LIMIT. Default 0 (no limit).

  -p PRINT     optional  Disable the printing of remediation measures. Default: print remediation measures.

```

By default the Containerd Bench for Security script will run all available CIS tests and produce

logs in the log folder from current directory, named `containerd-bench-security.sh.log.json` and

`containerd-bench-security.sh.log`.

If the container is used then the log files will be created inside the container in location `/usr/local/bin/log/`. If you wish to access them from the host after the container has been run you will need to mount a volume for storing them in.

The CIS based checks are named `check__`, e.g. `check_2_6` and community contributed checks are named `check_c_`.

`sh containerd-bench-security.sh -c check_2_2` will only run check `2.2 Ensure the logging level is set to 'info'`.

`sh containerd-bench-security.sh -e check_2_2` will run all available checks except `2.2 Ensure the logging level is set to 'info'`.

`sh containerd-bench-security.sh -e docker_enterprise_configuration` will run all available checks except the docker_enterprise_configuration group

`sh containerd-bench-security.sh -e docker_enterprise_configuration,check_2_2` will run allavailable checks except the docker_enterprise_configuration group and `2.2 Ensure the logging level is set to 'info'`

`sh containerd-bench-security.sh -c container_images -e check_4_5` will run just the container_images checks except `4.5 Ensure Content trust for Docker is Enabled`

Note that when submitting checks, provide information why it is a reasonable test to add and please include some kind of official documentation verifying that information.

## Building Docker image

You have two options if you wish to build and run this container yourself:

1. Use Docker Build: (**`Note: it requires docker to be installed!`**)

```sh

git clone https://github.com/nokia/containerd-bench-security.git

cd containerd-bench-security

docker build --no-cache -t containerd-bench-security .

```

Followed by an appropriate `run` command as stated above.

2. Use Docker Compose:

```sh

git clone https://github.com/nokia/containerd-bench-security.git

cd containerd-bench-security

docker-compose run --rm containerd-bench-security

```

## Contribute

We are happy to receive user feedback as GitHub issues and contributions as GitHub PR-s. Detailed thechincal instructions are in the [contributor guide](CONTRIBUTING.md).

## License

Containerd Bench for Security is licensed under the [Apache License Version 2.0](LICENSE.md).