That image embed lynis, a tools for auditing Linux systems
The idea is to use Docker's lightweight isolation to have an auto-sufficient image that embed lynis and its dependencies, to perform on-demand audit without installing anything on your system, and leaving the place clean after the audit.
From here, just pre-download the image from the registry :
$ docker pull dduportal/lynis:2.1.0
It is strongly recommended to use tags, even if dduportal/lynis will work as latest tag is implied.
Then you have to choices : running directly your test or build your own, which enable you to embed your stuff.
- You can run the container in "quickie mode" to just run lynis in an isolated container :
$ docker run dduportal/lynis --help- To fetch logs, reports, use docker inside the container, or other advanced use cases, don't forget to share the need files and folders :
# Auditing a dockerfile which is in the current directory :
$ docker run \
-v $(pwd):/app \
-v $(pwd)/lynis-logs:/var/log \
dduportal/lynis:2.1.0 \
--auditor "John Doe" \
--quick \
audit dockerfile /app/Dockerfile
$ ls ./lynis-logs
lynis.log lynis-report.dat - If you have some plugins (Lynis Enterprise paid user or community), share them from your host :
$ docker run \
-v /usr/local/lynis-plugins:/lynis-plugins \
lynis \
--plugin-dir /lynis-plugins \
audit systemThe goal here is to embed your own stuff to adapt the behaviour of the image to your needs :
- Include your plugins
- Include your test profiles
- Pre-configure the image to make it indepednant from your host ...
For that, sue a Dockerfile :
$ cat Dockerfile
FROM dduportal/lynis:2.1.0
MAINTAINER <your name>
ADD ./your-plugins /app/plugins
ADD ./your-scripts /app/scripts
RUN apk --update add <package you need>
ENTRYPOINT ["/bin/sh"]
CMD ["/app/scripts/exec-lynis.sh"]
$ docker build -t my-lynis:1.0.0 ./
...
$ docker run -t my-lynis:1.0.0
...
Since this image just need bats and little dependencies, we use Alpine Linux as a base image :
- It is a light image (~5 Mb)
- It embed an usefull and complete package manager : apk which has a lot of available packages
We embed a set of basic packages :
- bash : It is for convenience around the numerous lynis scripts that will need its
- curl (and ca-certificates): because we need to download stuff thru HTTPS for lynis checks
- openssl : cryptographic stuff Bro'
Do not hesitate to contribute by forking this repository
Pick at least one :
-
Implement tests in
/tests/bats/ -
Write the Dockerfile
-
(Re)Write the documentation corrections
Finnaly, open the Pull Request : CircleCi will automatically build and test for you