Find out how vulnerable your Docker deployment really is by running this handy script.
If you’re a Docker admin, you might want to take the time to ensure your Docker deployment is properly installed and configured. You could do that manually, but that would take considerable effort. Fortunately, a script is available that allows you to run extensive tests against your Docker installment. This script is called docker-bench-test, and it does an incredible amount of testing. In fact, the scans are so thorough, the results of your test will take you considerable time to evaluate.
Fortunately, installing docker-bench-test won’t take quite that long. Let’s get this test up and running. I’ll demonstrate on Ubuntu Server 18.04 and will assume you already have Docker up and running.
SEE: Serverless computing: A guide for IT leaders (TechRepublic Premium)
The first thing to do is to install the necessary dependency. Since docker-bench-test runs bats testing, you’ll need bats installed. To do this, follow these steps:
- Open a terminal (or log into your Ubuntu server).
- Add the repository with the command sudo add-apt-repository ppa:duggan/bats.
- Update apt with the command sudo apt-get update.
- Install bats with the command sudo apt-get install bats -y.
You’ll also need git installed, which can be done with the command:
sudo apt-get install git
Once the bats and git installations are complete, you’re ready to continue.
Downloading and using docker-bench-test
The docker-bench-test comes in the form of a script. In order to get the script, you need to check out the latest version with the command:
git clone https://github.com/gaia-adm/docker-bench-test.git
With the tool checked out, change into the newly created directory with the command:
It’s now time to run the script. Because the script is required to access certain privileged directories, it must be run with sudo. We’ll issue the command so that it displays the results in TAP format. By default, the results will be written to the /var/docker-bench-test/results directory, and will be time stamped for each test run. This command is:
sudo ./docker-bench-test.sh -t
The tests do take some time to complete. When they finish, you can view the file with the command:
Where XXX is the timestamp.
The results will give you a plethora of information. Scan through the file, line by line, and you should see some very valid bits to help you improve your Docker deployment (Figure A).
If you find the results of the tests aren’t being outputted to the default directory, your best bet is to simply send them directly to a file with a command like:
sudo ./docker-bench-test.sh -t > docker-test-results
You could then view the results with the command:
Some of the results should be easy fixes (such as making sure you have trusted users that can run the Docker daemon), while others may be a bit more complex to resolve (such as the content trust issues). I suggest getting every quick fix taken care of immediately. Once you have all of the simple issues resolved, go back through and tackle the more challenging issues.
Worth the time
Spend the time combing through the results of this test. You’ll be surprised at how much pertinent information you’ll find, regarding your Docker installation. The minutes or hours you spend are definitely worth the time, considering the information that can be gleaned.