Test running docker via -t docker:// #36
Comments
Hi @bartosznaumowicz-olx, if I understood your question correctly you want to test the services within the container, like nginx or so? Then you have to execute the nginx-baseline in the container. Those tests run on the docker host and inspect the container and its capabilities, like this test: https://github.com/dev-sec/cis-docker-benchmark/blob/master/controls/container_runtime.rb#L96-L115, as an example. This test checks kernel capabilities for containers.
Hi. Or, perhaps, cis-docker-benchmark can scan only the host machine?
@bartosznaumowicz-olx Sorry, maybe I have a long line today. This Benchmark tests the docker host and the running containers on this host. Inspec is able to inspect the running containers via the docker api. You execute the cis-docker-benchmark like inspec exec cis-docker-benchmark -t ssh://. Some tests iterate over the running containers to check the privs, the capabilities and so on for a running container. Maybe you can describe what you want to test on the running container. As an example, if you want to test whether a container runs with the privileged flag, then this is the test for you: https://github.com/dev-sec/cis-docker-benchmark/blob/master/controls/container_runtime.rb#L117-L133 You can execute the test if you take this command: inspec exec cis-docker-benchmark -t ssh://. Inspec iterates over the running containers and extracts whether the flag is set.
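As an added example, not code from the cis-docker-benchmark project or from anyone in this thread, here is a plain Ruby script that does the same kind of check the comment above describes from the docker host: read `docker inspect` output for the running containers and report any that run with the privileged flag or add kernel capabilities. The JSON embedded below is constructed sample data, not real containers; against a real host you would pass a file produced by `docker inspect $(docker ps -q)` as the first argument.

```ruby
require 'json'

# Constructed sample of `docker inspect <id> ...` output (three fake containers).
# Only the fields this script reads are included.
SAMPLE_INSPECT_JSON = <<~JSON
  [
    {"Id": "aaa111", "Name": "/web",
     "HostConfig": {"Privileged": false, "CapAdd": null, "CapDrop": null}},
    {"Id": "bbb222", "Name": "/admin",
     "HostConfig": {"Privileged": true, "CapAdd": ["SYS_ADMIN"], "CapDrop": null}},
    {"Id": "ccc333", "Name": "/net",
     "HostConfig": {"Privileged": false, "CapAdd": ["NET_ADMIN", "NET_RAW"], "CapDrop": ["ALL"]}}
  ]
JSON

# Reduce each container's inspect record to the runtime settings we audit.
# `CapAdd`/`CapDrop` are null when unset, so Array() normalises them to [].
def audit_containers(inspect_json)
  JSON.parse(inspect_json).map do |c|
    hc = c.fetch('HostConfig', {})
    {
      id: c['Id'],
      name: c['Name'].to_s.delete_prefix('/'),
      privileged: hc['Privileged'] == true,
      cap_add: Array(hc['CapAdd']),
      cap_drop: Array(hc['CapDrop'])
    }
  end
end

# One human-readable finding per problematic setting, in container order.
def findings(inspect_json)
  audit_containers(inspect_json).flat_map do |c|
    out = []
    out << "#{c[:name]}: runs with the privileged flag" if c[:privileged]
    out << "#{c[:name]}: adds capabilities #{c[:cap_add].join(',')}" unless c[:cap_add].empty?
    out
  end
end

if __FILE__ == $PROGRAM_NAME
  # With no argument the constructed sample is used; otherwise read a saved
  # `docker inspect` dump from the path given.
  input = ARGV.empty? ? SAMPLE_INSPECT_JSON : File.read(ARGV[0])
  results = findings(input)
  puts(results.empty? ? 'no privileged containers or added capabilities' : results)
end
```

The script deliberately reports added capabilities separately from the privileged flag, because a container can hold `SYS_ADMIN` or `NET_ADMIN` without `--privileged` and the benchmark's controls treat the two as distinct checks.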
So if I'm running it via docker and want to test the host machine I need to ssh to the host? That's the only supported protocol? I can't use -t docker://<container_id> to point at the container that I want to scan?
The cis-docker-benchmark design is to have access to the docker host to inspect the CIS Rules from the host and the running containers. You can run it locally like inspec exec cis-docker-benchmark. You can use the ssh-baseline, nginx-baseline or so to inspect the running config inside of a container via inspec exec nginx-baseline -t docker://. Can you please describe what you want to achieve? Do you want to test a service within the container?
I'm trying to verify if a container is compliant with PCI requirements. No difference what kind of service is running inside. When I'm trying to do this with -t docker:// all my tests are skipped.
Sorry, now I got your point. The baseline design is that you execute inspec via ssh or locally on the shell. If you want to use the baseline via the docker api, then we need some changes. Feel free to create some PRs for that. This would help.
@bartosznaumowicz-olx this is a nice tutorial about the inspec docker resource http://lollyrock.com/articles/inspec-for-docker/
@bartosznaumowicz-olx can I close this issue?
Hi,
is it possible to test running docker with this profile? I'm trying to run it via docker and point it at a different container.
docker run -it --rm -v $(pwd):/share -v /var/run/docker.sock:/var/run/docker.sock chef/inspec exec https://github.com/dev-sec/cis-docker-benchmark -t docker://<container_id>
All what I get is 99 skipped controls.