drydock提供了一种使用可编辑审计模板评估Docker守护程序配置和容器安全性的灵活方法
NOTICE: Development is temporarily slowed down due to involvement with Docker’s Actuary. Feel free to make PRs, I will review ASAP, and be patient for updates :)
drydock is a Docker security audit tool written in Python. It was initially inspired by docker-bench-security but aims to provide a more flexible way for assesing Docker installations and deployments. drydock allows easy creation and use of custom audit profiles in order to eliminate noise and false alarms. Reports are saved in JSON format for easier parsing. drydock makes heavy use of docker-py client API to communicate with Docker.
At the moment all of the security checks performed are based on the CIS Docker 1.6 Benchmark.
Using drydock is as simple as :
git clone https://github.com/zuBux/drydock.gitpip install -r requirements.txtpython drydock.py
A profile containing all checks is provided in conf/default.yaml and can be used as reference for creating custom profiles. You can disable an audit by commenting it out (and its options, if any).
Since there are audits which require administrative privileges (e.x examining auditd rules) users are advised to run drydock as root for more accurate results.
Assuming that your Docker daemon uses unix sockets (default configuration), the following options are available:
-f
Example:
python drydock.py -o audit_aws -f xml -p conf/myprofile.yml -v 2
If your Docker daemon listens on an exposed port, using TLS, you must provide the following :
-d <IP:port> Docker daemon IP and listening port
Example:
python drydock.py -d 10.0.0.2:2736 -c /home/user/cert/cert.pem -k /home/user/cert/cert.key -o audit_remote -p conf/myprofile.yml
drydock is in beta stage and needs testing under different environments (currently tested only on Ubuntu/Debian deployments). All contributions ( bugs/improvements/suggestions etc. ) are welcome!