docker-bench-security VS kube-bench

# Clone Docker Bench git clone https://github.com/docker/docker-bench-security.git cd docker-bench-security # Run the audit docker run -it --net host --pid host --userns host --cap-add audit_control \ -v /var/lib/docker:/var/lib/docker \ -v /etc/docker:/etc/docker \ docker/docker-bench-security

Docker Security GitHub Repository

Regular security audits are crucial for maintaining the security of your Docker environment. Docker Bench for Security is a script that checks for dozens of common best practices around deploying Docker containers in production.

Scanning your container images for vulnerabilities is a good approach. But this scanning is not one time job, it should be done regularly (weekly, monthly, etc.) You need to follow vulnerability reports and fix all of the vulnerabilities as soon as possible. I recommend some open-source tools that could be useful: Trivy, Docker-Bench, Grype.

For Docker configuration I have used this in the past (it utilizes the CIS Docker Benchmark): https://github.com/docker/docker-bench-security

So the main tool to scan against the CIS Docker benchmark (I'm presuming that's the one you're interested in) is https://github.com/docker/docker-bench-security .

git clone https://github.com/docker/docker-bench-security.git cd docker-bench-security sudo sh docker-bench-security.sh

when deploying images on cloud, I always run it thru "docker bench security" It helps finding potential security holes in my images.

Use Docker Bench for Security to audit your container images

$ wget https://github.com/aquasecurity/kube-bench/releases/download/v0.10.2/kube-bench_0.10.2_linux_amd64.deb $ sudo dpkg -i kube-bench_0.10.2_linux_amd64.deb Selecting previously unselected package kube-bench. (Reading database ... 41333 files and directories currently installed.) Preparing to unpack kube-bench_0.10.2_linux_amd64.deb ... Unpacking kube-bench (0.10.2) ... Setting up kube-bench (0.10.2) ... $ kube-bench version 0.10.2

git clone https://github.com/aquasecurity/kube-bench.git cd kube-bench

kube-bench is an automated tool that scans your cluster to check it meets security best practices. The checks are configured as YAML files, which allow you to easily customize tests and add new ones. The default ruleset is based on the Kubernetes CIS Benchmark standard.

2. Kubebench: https://github.com/aquasecurity/kube-bench Kubebench is an open-source tool that checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark.

However, no matter how well our applications are secured, the security of our entire IT environment ultimately depends on the security of our infrastructure. Therefore, in the lab to follow, we will shift our focus away from Kubernetes workloads and instead explore how we can evaluate and improve upon the security of our Kubernetes clusters with kube-bench, the industry-leading Kubernetes benchmarking solution developed by Aqua.

The official repository can be found here with detailed installation instructions.

curl -L [https://github.com/aquasecurity/kube-bench/releases/download/v0.6.10/kube-bench_0.6.10_linux_amd64.deb](https://github.com/aquasecurity/kube-bench/releases/download/v0.6.2/kube-bench_0.6.2_linux_amd64.deb) -o kube-bench_0.6.10_linux_amd64.deb

I haven't used Kubernetes for a while, but shouldn't kube-bench (1) be enough? Do you have to check anything manually?

(1) https://github.com/aquasecurity/kube-bench

kube-bench checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark. We can deploy kube-bench as a Job that runs daily and consume its report in CI/CD to pass or fail the pipeline based on the level of severity.