name	performing-docker-bench-security-assessment
description	Docker Bench for Security is an open-source script that checks dozens of common best practices around deploying Docker containers in production. Based on the CIS Docker Benchmark, it audits host confi
domain	cybersecurity
subdomain	container-security
tags	["containers","docker","security","CIS-benchmark","assessment"]
version	1.0
author	mahipal
license	Apache-2.0
nist_csf	["PR.PS-01","PR.IR-01","ID.AM-08","DE.CM-01"]
mitre_attack	["T1610","T1611","T1609","T1525"]

Performing Docker Bench Security Assessment

Overview

Docker Bench for Security is an open-source script that checks dozens of common best practices around deploying Docker containers in production. Based on the CIS Docker Benchmark, it audits host configuration, Docker daemon settings, container images, runtime configurations, and security operations to generate a compliance report with pass/fail/warn results.

When to Use

When conducting security assessments that involve performing docker bench security assessment
When following incident response procedures for related security events
When performing scheduled security testing or auditing activities
When validating security controls through hands-on testing

Prerequisites

Docker Engine installed and running
Root or sudo access on Docker host
Docker Bench Security script or container image

Workflow

Step 1: Run Docker Bench Security

# Run as a container (recommended)
docker run --rm --net host --pid host --userns host --cap-add audit_control \
  -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
  -v /etc:/etc:ro \
  -v /usr/bin/containerd:/usr/bin/containerd:ro \
  -v /usr/bin/runc:/usr/bin/runc:ro \
  -v /usr/lib/systemd:/usr/lib/systemd:ro \
  -v /var/lib:/var/lib:ro \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  --label docker_bench_security \
  docker/docker-bench-security

# Run with JSON output
docker run --rm --net host --pid host --userns host --cap-add audit_control \
  -v /etc:/etc:ro \
  -v /var/lib:/var/lib:ro \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  docker/docker-bench-security -l /dev/stdout 2>/dev/null | tee docker-bench-results.json

# Run specific sections only
docker run --rm --net host --pid host --userns host \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  docker/docker-bench-security -c container_images,container_runtime

Step 2: Interpret Results

[INFO] 1 - Host Configuration
[PASS] 1.1.1 - Ensure a separate partition for containers has been created
[WARN] 1.1.2 - Ensure only trusted users are allowed to control Docker daemon
[PASS] 1.1.3 - Ensure auditing is configured for the Docker daemon

[INFO] 2 - Docker daemon configuration
[FAIL] 2.1 - Run the Docker daemon as a non-root user
[PASS] 2.2 - Ensure network traffic is restricted between containers on the default bridge

Step 3: Remediate Common Failures

# Fix 2.2: Restrict inter-container communication
echo '{"icc": false}' | sudo tee /etc/docker/daemon.json

# Fix 2.17: Restrict containers from acquiring new privileges
echo '{"no-new-privileges": true}' | sudo tee -a /etc/docker/daemon.json

# Fix 5.3: Restrict Linux kernel capabilities
# Use --cap-drop ALL in docker run commands

# Fix 5.12: Mount container's root filesystem as read only
# Use --read-only flag in docker run commands

# Restart Docker daemon after configuration changes
sudo systemctl restart docker

Step 4: Automate Scheduled Assessments

# docker-compose for scheduled assessment
version: '3.8'
services:
  bench-security:
    image: docker/docker-bench-security
    network_mode: host
    pid: host
    userns_mode: host
    cap_add:
      - audit_control
    volumes:
      - /etc:/etc:ro
      - /var/lib:/var/lib:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./results:/results
    command: -l /results/bench-$(date +%Y%m%d).log
    deploy:
      restart_policy:
        condition: none

Validation Commands

# Verify remediation
docker run --rm docker/docker-bench-security 2>&1 | grep -E "(PASS|FAIL|WARN)" | sort | uniq -c

# Count results by type
docker run --rm docker/docker-bench-security 2>&1 | grep -c "PASS"
docker run --rm docker/docker-bench-security 2>&1 | grep -c "FAIL"
docker run --rm docker/docker-bench-security 2>&1 | grep -c "WARN"

References

Mehr aus diesem Repository

gleiches Repository

acquiring-disk-image-with-dd-and-dcfldd

mukul975/Anthropic-Cybersecurity-Skills

Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.

2026-06-0115.7k

analyzing-active-directory-acl-abuse

mukul975/Anthropic-Cybersecurity-Skills

Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths

2026-06-0115.7k

analyzing-android-malware-with-apktool

mukul975/Anthropic-Cybersecurity-Skills

Perform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.

2026-06-0115.7k

analyzing-api-gateway-access-logs

mukul975/Anthropic-Cybersecurity-Skills

Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR attacks, rate limit bypass, credential scanning, and injection attempts. Uses pandas for statistical analysis of request patterns and anomaly detection. Use when investigating API abuse or building API-specific threat detection rules.

2026-06-0115.7k

analyzing-apt-group-with-mitre-navigator

mukul975/Anthropic-Cybersecurity-Skills

Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.

2026-06-0115.7k

analyzing-azure-activity-logs-for-threats

mukul975/Anthropic-Cybersecurity-Skills

Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to detect suspicious administrative operations, impossible travel, privilege escalation, and resource modifications. Builds KQL queries for threat hunting in Azure environments. Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.

2026-06-0115.7k

Performing Docker Bench Security Assessment

Overview

When to Use

When conducting security assessments that involve performing docker bench security assessment

When following incident response procedures for related security events

When performing scheduled security testing or auditing activities

When validating security controls through hands-on testing

Prerequisites

Docker Engine installed and running

Root or sudo access on Docker host

Docker Bench Security script or container image

Workflow

Step 1: Run Docker Bench Security

# Run as a container (recommended) docker run --rm --net host --pid host --userns host --cap-add audit_control \ -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \ -v /etc:/etc:ro \ -v /usr/bin/containerd:/usr/bin/containerd:ro \ -v /usr/bin/runc:/usr/bin/runc:ro \ -v /usr/lib/systemd:/usr/lib/systemd:ro \ -v /var/lib:/var/lib:ro \ -v /var/run/docker.sock:/var/run/docker.sock:ro \ --label docker_bench_security \ docker/docker-bench-security # Run with JSON output docker run --rm --net host --pid host --userns host --cap-add audit_control \ -v /etc:/etc:ro \ -v /var/lib:/var/lib:ro \ -v /var/run/docker.sock:/var/run/docker.sock:ro \ docker/docker-bench-security -l /dev/stdout 2>/dev/null | tee docker-bench-results.json # Run specific sections only docker run --rm --net host --pid host --userns host \ -v /var/run/docker.sock:/var/run/docker.sock:ro \ docker/docker-bench-security -c container_images,container_runtime

Step 2: Interpret Results

[INFO] 1 - Host Configuration [PASS] 1.1.1 - Ensure a separate partition for containers has been created [WARN] 1.1.2 - Ensure only trusted users are allowed to control Docker daemon [PASS] 1.1.3 - Ensure auditing is configured for the Docker daemon [INFO] 2 - Docker daemon configuration [FAIL] 2.1 - Run the Docker daemon as a non-root user [PASS] 2.2 - Ensure network traffic is restricted between containers on the default bridge

Step 3: Remediate Common Failures

# Fix 2.2: Restrict inter-container communication echo '{"icc": false}' | sudo tee /etc/docker/daemon.json # Fix 2.17: Restrict containers from acquiring new privileges echo '{"no-new-privileges": true}' | sudo tee -a /etc/docker/daemon.json # Fix 5.3: Restrict Linux kernel capabilities # Use --cap-drop ALL in docker run commands # Fix 5.12: Mount container's root filesystem as read only # Use --read-only flag in docker run commands # Restart Docker daemon after configuration changes sudo systemctl restart docker

Step 4: Automate Scheduled Assessments

# docker-compose for scheduled assessment version: '3.8' services: bench-security: image: docker/docker-bench-security network_mode: host pid: host userns_mode: host cap_add: - audit_control volumes: - /etc:/etc:ro - /var/lib:/var/lib:ro - /var/run/docker.sock:/var/run/docker.sock:ro - ./results:/results command: -l /results/bench-$(date +%Y%m%d).log deploy: restart_policy: condition: none

Validation Commands

References