NEWS ANALYSIS: The Docker Bench for Security isn't a panacea for container security, but more tools are likely to complement it over time.
There seems to be no shortage of available online documentation and best practices for how security should be done, for all manner of technology deployments. The real security challenge, however, isn't always about having available best practices, but rather in having the time and resources to implement them.
That's why tools that can help automate the process of security configuration are so vital and important.
Now, Docker is getting its own tool for checking security configurations. Many of the earlier criticisms about the popular open-source application container virtualization technology, now a little more than 2 years old, revolved around security.
Earlier this month, Docker developers, along with the Center for Internet Security (CIS), published a benchmark report
outlining best practices for secure Docker deployment. The CIS Benchmark is a very robust set of practices with 84 recommendations spread across 119 pages.
Simply put, it's not easy for one human to fully digest and implement the CIS Benchmark recommendations for Docker rapidly. That said, many of the suggestions in the CIS Benchmark are just good, solid best practices that are important to consider for any application deployment on a Linux host operating system.
To make it easier to test a Docker deployment to see if it aligns with the CIS Benchmark, Docker Security Lead Diogo Monica has released an open-source script called Docker Bench for Security.
"The Docker Bench for Security is a script that checks for all the automatable tests included in the CIS Docker 1.6 Benchmark," the Github project page
for the script states. "We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and Docker containers against this benchmark."
The Docker Bench for Security script is packaged as a Docker container to make it easier to run and test. One of the CIS Benchmark's recommendations is to limit container privileges to only what is needed to run. Somewhat ironically, the Docker Bench for Security script is a very high-privilege container that has broad access to host resources—usually something a container should not be able to do. That said, as a security testing tool, the container does need the broad access to validate host configuration for container deployment properly.
The idea of a script to check for security configuration in an open-source technology is not new. In the early days of Linux, when some of the same concerns about security were being raised, the Bastille Linux
script became quite popular. With Bastille, users are guided through a set of configuration options to ensure Linux security.
The Docker Bench for Security script isn't the be-all-and-end-all for container security. Instead, it's an important idea that will be expanded over time with more tools.
"This is the first in many planned tools we aim to bring to the Docker user community in checking and improving the security of their deployments," Monica wrote in a May 28 blog post
Docker is all about accelerating time-to-deployment as well as application scale. It makes perfectly good sense that the Docker community is now building tools to help accelerate secure configuration, too.
Sean Michael Kerner is a senior editor at
InternetNews.com. Follow him on Twitter @TechJournalist.