CIS Docker Benchmark v1.7.0

docker info --format '{{ .Swarm }}' 

docker swarm leave 

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: AppArmorProfile={{ .AppArmorProfile }}' 

1. Verify AppArmor is installed. 
2. Create or import a AppArmor profile for Docker containers. 
3. Enable enforcement of the policy. 
4. Start your Docker container using the customized AppArmor profile.

 docker run --interactive --tty --security-opt="apparmor:PROFILENAME" ubuntu /bin/bash 

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }} MountLabel={{ .MountLabel }} ProcessLabel={{ .ProcessLabel }}' 

• Set the SELinux State. 
• Set the SELinux Policy. 
• Create or import a SELinux policy template for Docker containers. 
• Start Docker in daemon mode with SELinux enabled. 

docker daemon --selinux-enabled 

{ 
"selinux-enabled": true 
} 

• Start your Docker container using the security options. 

docker run --interactive --tty --security-opt label=level:TopSecret centos /bin/bash 

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CapAdd={{ .HostConfig.CapAdd }} CapDrop={{ .HostConfig.CapDrop }}' 

docker run --cap-add={"Capability 1","Capability 2"} <Run arguments> <Container Image Name or ID> <Command>

docker run --cap-drop={"Capability 1","Capability 2"} <Run arguments> <Container Image Name or ID> <Command>

docker run --cap-drop=all --cap-add={"Capability 1","Capability 2"} <Run arguments> <Container Image Name or ID> <Command>

docker service create --cap-drop=all --cap-add={"Capability 1","Capability 2"} <Run arguments> <Container Image Name or ID> <Command>

AUDIT_WRITE 
CHOWN 
DAC_OVERRIDE 
FOWNER 
FSETID 
KILL 
MKNOD 
NET_BIND_SERVICE 
NET_RAW 
SETFCAP 
SETGID 
SETPCAP 
SETUID 
SYS_CHROOT 

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Privileged={{ .HostConfig.Privileged }}' 

docker run --interactive --tty --privileged centos /bin/bash 

/ 
/boot 
/dev 
/etc 
/lib
/lib64 
/proc 
/sys 
/usr 

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}' 

• Difficult to manage access policies and security compliance for SSH server 
• Difficult to manage keys and passwords across various containers 
• Difficult to manage security upgrades for SSH server 

docker ps --quiet 

docker exec <CONTAINER ID> ps -el 

docker exec --interactive --tty <CONTAINER ID> sh 

docker attach <CONTAINER ID>

docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Ports={{ .NetworkSettings.Ports }}' 

docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Ports={{ .NetworkSettings.Ports }}' 

docker run --interactive --tty --publish 5000 --publish 5001 --publish 5002 centos /bin/bash 

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: NetworkMode={{ .HostConfig.NetworkMode }}' 

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Memory={{ .HostConfig.Memory }}' 

docker run -d --memory 256m centos sleep 1000 

docker inspect --format='{{ .Id }}: Memory={{.HostConfig.Memory}} KernelMemory={{.HostConfig.KernelMemory}} Swap={{.HostConfig.MemorySwap}}'  

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CpuShares={{ .HostConfig.CpuShares }}' 

docker run -d --cpu-shares 512 centos sleep 1000 

• Enable use --tmpfs for temporary file writes to /tmp 
• Use Docker shared data volumes for persistent data writes 

docker host: docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: ReadonlyRootfs={{ .HostConfig.ReadonlyRootfs }}'

docker run <Run arguments> --read-only <Container Image Name or ID> <Command> 

• Using the --tmpfs option to mount a temporary file system for non-persistent data writes. 

docker run --interactive --tty --read-only --tmpfs "/run" --tmpfs "/tmp" centos /bin/bash 

• Enabling Docker rw mounts at a container's runtime to persist container data directly on the Docker host filesystem. 

docker run --interactive --tty --read-only -v /opt/app/data:/run/app/data:rw centos /bin/bash 

• Utilizing the Docker shared-storage volume plugin for Docker data volume to persist container data. 

docker volume create -d convoy --opt o=size=20GB my-named-volume docker run --interactive --tty --read-only -v my-named-volume:/run/app/data centos /bin/bash 

• Transmitting container data outside of the Docker controlled area during the container's runtime for container data in order to ensure that it is persistent. Examples include hosted databases, network file shares and APIs. 

docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Ports={{ .NetworkSettings.Ports }}' 

docker run --detach --publish 10.2.3.4:49153:80 nginx 

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: RestartPolicyName={{ .HostConfig.RestartPolicy.Name }} MaximumRetryCount={{ .HostConfig.RestartPolicy.MaximumRetryCount }}' 

docker run --detach --restart=on-failure:5 nginx 

docker run --pid=host rhel7 strace -p 1234 

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: PidMode={{ .HostConfig.PidMode }}' 

docker run --interactive --tty --pid=host centos /bin/bash 

docker run --interactive --tty --ipc=container:e3a7a1a97c58 centos /bin/bash 

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: IpcMode={{ .HostConfig.IpcMode }}' 

docker run --interactive --tty --ipc=host centos /bin/bash 

• r - read only 
• w - writable 
• m - mknod allowed 

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Devices={{ .HostConfig.Devices }}' 

• CgroupPermissions - For example, rwm 
• PathInContainer - Device path within the container
• PathOnHost - Device path on the host 

docker run --interactive --tty --device=/dev/tty0:/dev/tty0:rwm -- device=/dev/temp_sda:/dev/temp_sda:rwm centos bash 

docker run --interactive --tty --device=/dev/tty0:/dev/tty0:rw -- device=/dev/temp_sda:/dev/temp_sda:r centos bash 

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Ulimits={{ .HostConfig.Ulimits }}' 

docker run -ti -d --ulimit nofile=1024:1024 centos sleep 1000 

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Propagation={{range $mnt := .Mounts}} {{json $mnt.Propagation}} {{end}}' 

docker run  --volume=/hostPath:/containerPath:shared <Container Image Name or ID> <Command>

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: UTSMode={{ .HostConfig.UTSMode }}' 

docker run --rm --interactive --tty --uts=host rhel7.2 

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}' 

ausearch -k docker | grep exec | grep privileged 

ausearch -k docker | grep exec | grep user 

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CgroupParent={{ .HostConfig.CgroupParent }}' 

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}' 

docker run --rm -it --security-opt=no-new-privileges ubuntu bash 

docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Health={{ .State.Health.Status }}' 

docker run -d --health-cmd='stat /etc/passwd || exit 1' nginx 

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: PidsLimit={{ .HostConfig.PidsLimit }}' 

docker run -it --pids-limit 100  

docker network ls --quiet | xargs docker network inspect --format '{{ .Name }}: {{ .Options }}' 

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: UsernsMode={{ .HostConfig.UsernsMode }}' 

docker run --rm -it --userns=host ubuntu bash 

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}' | grep docker.sock