Running on Ubuntu Linux

Before we look into the output of the audit in a little more detail, I am going to launch a vanilla Ubuntu 17.04 server and do a clean installation of Docker. Once installed, I will launch a few containers, all of which don't have very sensible settings.

I launched the following two containers from the Docker Hub:

$ docker container run -d --name root-nginx -v /:/mnt nginx
$ docker container run -d --name priv-nginx --privileged=true nginx

Then I built a custom image based on Ubuntu 16.04 that runs an SSH server (sshd) and launched it using:

$ docker container run -d -P --name sshd eg_sshd

As you can see, the root-nginx container bind-mounts the root filesystem of our host with full read/write access, priv-nginx runs with extended privileges (--privileged grants the container every capability and unrestricted access to host devices), and sshd runs an SSH daemon inside a container rather than relying on docker exec.
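Before running the full benchmark, it helps to see how the three settings above can be detected from plain docker inspect output. The following is an added example, not code from the book or from the docker-bench-security project: it audits a list of docker inspect records for privileged mode, read/write bind mounts of sensitive host paths, and an SSH server inside the container. The SAMPLE_INSPECT data is constructed here to mirror the three containers launched above (the trimmed fields and the host port 32768 are assumptions, not real output); passing --live replaces it with the output of docker ps -q and docker inspect on the current host.

```python
"""Flag risky container settings from `docker inspect` output (added example)."""
import json
import subprocess
import sys

# Constructed sample: trimmed `docker inspect` records shaped like the three
# containers launched above. Field values are assumptions, not captured output.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/root-nginx",
     "HostConfig": {"Privileged": False, "Binds": ["/:/mnt"], "PortBindings": {}},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt", "RW": True}],
     "Config": {"Cmd": ["nginx", "-g", "daemon off;"], "ExposedPorts": {"80/tcp": {}}}},
    {"Name": "/priv-nginx",
     "HostConfig": {"Privileged": True, "Binds": None, "PortBindings": {}},
     "Mounts": [],
     "Config": {"Cmd": ["nginx", "-g", "daemon off;"], "ExposedPorts": {"80/tcp": {}}}},
    {"Name": "/sshd",
     "HostConfig": {"Privileged": False, "Binds": None,
                    "PortBindings": {"22/tcp": [{"HostIp": "", "HostPort": "32768"}]}},
     "Mounts": [],
     "Config": {"Cmd": ["/usr/sbin/sshd", "-D"], "ExposedPorts": {"22/tcp": {}}}},
])

# Host directories whose exposure gives a container control over the host.
# "/" is handled separately because every path starts with it.
SENSITIVE_HOST_DIRS = ("/etc", "/boot", "/dev", "/lib", "/proc", "/sys", "/usr", "/var/lib/docker")


def is_sensitive(src):
    """True if `src` is the host root or lies under a sensitive host directory."""
    if src == "/":
        return True
    return any(src == d or src.startswith(d + "/") for d in SENSITIVE_HOST_DIRS)


def audit_container(rec):
    """Return (name, [findings]) for one `docker inspect` record."""
    findings = []
    name = rec["Name"].lstrip("/")
    host = rec.get("HostConfig") or {}
    cfg = rec.get("Config") or {}

    if host.get("Privileged"):
        findings.append("runs --privileged (all capabilities, raw device access)")

    for m in rec.get("Mounts") or []:
        if m.get("Type") == "bind" and is_sensitive(m.get("Source", "")):
            mode = "read-write" if m.get("RW") else "read-only"
            findings.append(
                f"bind-mounts sensitive host path {m['Source']} {mode} at {m['Destination']}")

    # An SSH daemon in a container widens the attack surface; docker exec is the
    # supported way in. Look at both the command line and the exposed/published ports.
    cmd = " ".join(cfg.get("Cmd") or [])
    ports = set(host.get("PortBindings") or {}) | set(cfg.get("ExposedPorts") or {})
    if "sshd" in cmd or "22/tcp" in ports:
        findings.append("runs an SSH server inside the container (use docker exec instead)")

    return name, findings


def audit_inspect_json(text):
    """Map container name -> list of findings for a JSON array of inspect records."""
    return dict(audit_container(rec) for rec in json.loads(text))


def live_inspect():
    """Fetch inspect records for all running containers from the local daemon."""
    ids = subprocess.check_output(["docker", "ps", "-q"], text=True).split()
    if not ids:
        return "[]"
    return subprocess.check_output(["docker", "inspect", *ids], text=True)


if __name__ == "__main__":
    source = live_inspect() if "--live" in sys.argv else SAMPLE_INSPECT
    for name, findings in audit_inspect_json(source).items():
        print(f"[{'WARN' if findings else 'PASS'}] {name}")
        for f in findings:
            print(f"       - {f}")
```

Run it with no arguments to audit the constructed sample, or with --live on a Docker host to audit the containers that are actually running. The checks are intentionally narrow; the benchmark run below covers the host, daemon and image configuration as well as the containers.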

To start the audit on our Ubuntu Docker host, I ran the following:

$ docker run -it --net host --pid host --cap-add audit_control \
    -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
    -v /var/lib:/var/lib \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v /usr/lib/systemd:/usr/lib/systemd \
    -v /etc:/etc --label docker_bench_security \
    docker/docker-bench-security

As we are running on an operating system that uses systemd, we mount /usr/lib/systemd so that the Docker service unit files can be audited; the other mounts give the benchmark read access to the host's /etc, /var/lib and the Docker socket, and --net host and --pid host let it inspect the host's network and process state.

There is a lot of output and a lot to digest, but what does it all mean? Let's take a look and break down each section.
