Using Docker Bench to Enhance Container Security

30 minutes
  • 4 Learning Objectives

About this Hands-on Lab

This lab allows the student to explore the Docker Bench utility for hardening Docker installations. The student gains access to the lab server via SSH, and clones the Docker Bench repo from Then the student executes the bench utility, views the report, and then enables auditing of the Docker Daemon. After enabling auditing, the utility is run again and the new report is compared with the old.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Clone the Docker Bench repo from GitHub into the current working directory.

Clone the docker bench repo from GitHub:

$ git clone
Change directory to the docker-bench-security directory and run the docker-bench-security script.

Change your present working directory to docker-bench-security:

$ cd docker-bench-security

Using superuser permissions execute the shell script and redirect standard output to a file called /tmp/bench1.out

$ sudo sh > /tmp/bench1.out

*The sudo command will prompt your for the cloud_user password

After running the report, you may look at the contents with the Linux <code>more</code> command:

$ more /tmp/bench1.out

Update the audit rules on the server to include auditing the Docker Daemon

To list the rules already setup on the host, you may enter:

$ sudo auditctl -l

Use the auditctl command to add a rule to audit the Docker files in /var/lib/docker:

$ sudo auditctl -w /var/lib/docker -k "docker lib"

This will setup auditing on the docker daemon. To check you may enter the -l command again.

$ sudo auditctl -l
Run the Docker Bench security utility again and compare the output with the first run.

Now run the docker bench utility again and direct output to /tmp/bench2.out:

$ sudo sh > /tmp/bench2.out

To view the new report contanets, you may use the <code>more</code> command again.

$ more /tmp/bench2.out

Now use the Linux diff command to compare the output from the first run in bench1.out to the second run in bench2.out:

$ diff /tmp/bench1.out /tmp/bench2.out

Additional Resources

You have been tasked with reviewing Docker Security for your team's host of servers. Clone the Docker Bench security script from Docker's official repo, then run the script against the provided server and save the output to /tmp/bench1.out. Review the script's findings, then solve one of the warnings (such as auditing the files in /var/lib/docker). Rerun the script, this time outputting the results to /tmp/bench2.out. Run a diff of the two files to see that your change has taken affect.

The Docker Bench Security repository can be found at:

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?