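# Start a Debian container with the host's Docker socket bind-mounted into it.
# Whatever can talk to /var/run/docker.sock can ask the daemon to start
# containers with arbitrary mounts and capabilities, and the daemon runs as
# root on the host, so socket access is root-equivalent. That privilege
# follows the socket into this container; treat it exactly like granting
# root (docker group membership, CI runners, monitoring agents).
# (Original line was garbled: the space between the mount and the image name
# was missing.)
$ docker run -it -v /var/run/docker.sock:/var/run/docker.sock debian /bin/bash

# Inside the container: install the Docker CLI so it can drive the host
# daemon through the mounted socket (standard Docker-CE apt repository
# setup; the backslash line continuations were flattened in the original).
# NOTE(review): the repository signing key is not imported anywhere in this
# sequence; apt will reject the repository as unsigned unless Docker's GPG
# key is added first — confirm against Docker's install documentation.
$ apt-get update
$ apt-get install apt-transport-https ca-certificates curl gnupg2 \
    software-properties-common

$ add-apt-repository \
    "deb [arch=amd64] https://download.docker.com/linux/debian \
    $(lsb_release -cs) \
    stable"
$ apt-get update

$ apt-get install docker-ce

# From the socket-holding container, start a second container with the host
# root filesystem mounted at /host and chroot into it: the result is a root
# shell on the host. This is the reason docker-bench-security warns about
# the socket being mounted inside containers and about sensitive host
# directories being bind-mounted; the mitigations are not mounting the
# socket at all, read-only mounts where a mount is unavoidable, and
# restricting who may reach the daemon (or running it rootless).
$ docker run -it -v /:/host debian /bin/bash
$ chroot /host
$ /bin/bash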

# Restart auditd so that audit rules added for the Docker daemon, its data
# directory and its socket take effect; auditing of those paths is part of
# the host-configuration section of docker-bench-security.
$ sudo service auditd restart

# Report whether SELinux is enabled and whether it is enforcing or
# permissive.
$ sestatus

# NOTE(review): on Debian/Ubuntu the SELinux userland is packaged as
# selinux-basics / selinux-policy-default; a package literally named
# "selinux" may not resolve — confirm for the distribution in use.
$ sudo apt-get install selinux

# -Z prints the SELinux security context of each process. When SELinux
# confinement is active, the daemon and container processes should carry
# container-specific types rather than an unconfined one.
$ ps -efZ | grep docker

# For every running container, print the security options it was started
# with (seccomp / apparmor / label overrides). An empty list means nothing
# was overridden and the daemon defaults apply; "seccomp=unconfined" or
# "apparmor=unconfined" here is a finding. With no containers running the
# xargs invocation calls docker inspect without arguments and errors;
# "xargs -r" (GNU) avoids that.
$ docker ps -q | xargs docker inspect --format '{{.Id}}: SecurityOpt = {{.HostConfig.SecurityOpt}}'

# RHEL/CentOS side: policy development tools for writing custom SELinux
# policy modules for containers.
yum -y install selinux-policy-devel

# Install the extra AppArmor profiles (Debian/Ubuntu). Docker itself ships
# the docker-default profile that it applies to containers whenever AppArmor
# is enabled on the host.
$ sudo apt-get install apparmor-profiles

# Confirm the daemon lists AppArmor among its security options.
$ docker info | grep apparmor

# Per-container AppArmor profile. Expect "docker-default" (or a custom
# profile); "unconfined" means the container runs without mandatory access
# control, and an empty value presumably means no profile was applied at
# all — verify on the host in question.
$ docker ps -q | xargs docker inspect --format '{{ .Id }}: AppArmorProfile={{.AppArmorProfile}}'

# Lists loaded profiles and the processes confined by them; check that the
# container processes appear under docker-default in enforce mode, not
# complain mode.
$ apparmor_status

# Demonstration of what the default protections contribute. CAP_SYS_ADMIN is
# granted and the default seccomp profile is switched off, but the AppArmor
# docker-default profile is still applied.
$ docker container run --rm -it --cap-add SYS_ADMIN --security-opt seccomp=unconfined ubuntu sh

# Inside the container (root prompt): a bind mount, which needs both
# CAP_SYS_ADMIN and the mount syscall. Presumably still denied here by the
# AppArmor profile — that is the point of the comparison with the run below.
# mkdir mydir1; mkdir mydir2; mount --bind mydir1 mydir2

# Same run with AppArmor disabled as well: no remaining control blocks the
# mount, so it is expected to succeed. For a defender the lesson is that
# SYS_ADMIN combined with seccomp=unconfined / apparmor=unconfined removes
# almost everything below namespace isolation; do not grant them in
# production and alert on them in the inspect output checked above.
$ docker container run --rm -it --cap-add SYS_ADMIN --security-opt seccomp=unconfined --security-opt apparmor=unconfined ubuntu sh
# mkdir dir1; mkdir dir2; mount --bind dir1 dir2
# ls -l

# Confirm seccomp is available to the daemon (listed under Security Options
# when kernel and runtime support it).
$ docker info | grep seccomp

# Custom seccomp profile. Unlike Docker's default profile (an allowlist that
# denies everything not listed), this one allows every syscall and blocks
# only three, returning an errno to the caller rather than killing the
# process. Fine for a demonstration; in practice start from the default
# profile and remove syscalls instead of starting from SCMP_ACT_ALLOW.
# NOTE(review): "name" is the legacy single-syscall key; current profiles
# use "names": [...] — confirm the daemon version in use still accepts it.
# NOTE(review): libcs that implement mkdir/chmod/chown via mkdirat,
# fchmodat and fchownat would not be affected by this list; a real profile
# should cover the *at variants too — verify on the target architecture.
touch policy.json
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    {
      "name": "mkdir",
      "action": "SCMP_ACT_ERRNO"
    },
    {
      "name": "chmod",
      "action": "SCMP_ACT_ERRNO"
    },
    {
      "name": "chown",
      "action": "SCMP_ACT_ERRNO"
    }
  ]
}

# Run alpine under the custom profile. The "seccomp:" (colon) spelling is
# the older form; "--security-opt seccomp=policy.json" is the documented one.
$ docker run --rm -it --security-opt seccomp:policy.json alpine sh

# Inside the container each of these is expected to fail with an errno
# (EPERM by default for SCMP_ACT_ERRNO) rather than a SIGSYS, because the
# profile's action for mkdir/chmod/chown is ERRNO.
$ mkdir newdir
$ chown root:root bin
$ chmod +x /etc/resolv.conf

# Run the CIS Docker Benchmark checks. The bench needs to see the host's
# network and pid namespaces, the daemon socket, the Docker data directory,
# the systemd units and /etc, plus CAP_AUDIT_CONTROL (presumably to query
# the audit rules). Two things to keep in mind when running it:
#  - every host directory here is mounted read-write; the bench only reads
#    them, so appending ":ro" to the /var/lib, /usr/lib/systemd and /etc
#    mounts is the safer form (later upstream instructions do so — verify
#    against the image version in use);
#  - the image is pulled unpinned from Docker Hub and is itself handed the
#    socket, i.e. root-equivalent access; pin it and verify its signature
#    (see DOCKER_CONTENT_TRUST below).
$ docker run -it --net host --pid host --cap-add audit_control \
-v /var/lib:/var/lib \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /usr/lib/systemd:/usr/lib/systemd \
-v /etc:/etc --label docker_bench_security \
docker/docker-bench-security

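# Require signed images: with content trust enabled, pull/run/build refuse
# tags that carry no valid Notary signature. This is a per-shell environment
# variable, not a daemon-wide policy — set it in every shell and CI job that
# pulls images.
$ export DOCKER_CONTENT_TRUST=1

# Baseline: a detached container with no hardening at all (runs as root,
# writable root filesystem, no memory or pid limits).
$ docker container run --detach -ti --name mypython python /bin/bash

# Hardened equivalent of the same container:
#   -u 1000                            run as an unprivileged uid
#   --read-only                        immutable root filesystem
#   -m 256mb                           memory cap
#   --security-opt=no-new-privileges   setuid/setcap binaries cannot raise
#                                      privileges (fixed: the original spelt
#                                      it --securityopt, which the CLI rejects)
#   --cpu-shares=500                   relative CPU weight
#   --pids-limit=1                     fork-bomb protection; 1 is demo-tight,
#                                      even a subshell will fail to start
# The --name clashes with the baseline container above; remove or rename
# that one before starting this one.
$ docker container run --detach -ti -u 1000 --read-only -m 256mb --security-opt=no-new-privileges --cpu-shares=500 --pids-limit=1 --name mypython python /bin/bash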

# Three docker-bench-style probes of a single container. "$c" is a container
# id or name supplied by the surrounding loop, which is not visible here.

# AppArmor profile in effect for the container (empty when none applies).
policy=$(docker inspect --format='AppArmorProfile={{ .AppArmorProfile }}' "${c}")

# Security options the container was started with (seccomp / apparmor /
# label overrides). The same variable name is reused, so the AppArmor value
# captured above is overwritten here.
policy=$(docker inspect --format='SecurityOpt={{ .HostConfig.SecurityOpt }}' "${c}")

# User the container's process runs as; an empty value means the image
# default, i.e. root.
user=$(docker inspect --format='User={{.Config.User}}' "${c}")

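# Report which user a Dockerfile runs its command as. Reads the Dockerfile
# named by AUDIT_FILE (set by the caller). A missing USER instruction means
# the container's processes run as root, which is reported as a warning;
# otherwise the user is stored in USER and shown via Display.
# NOTE: USER is also the login shell's own variable; this assignment
# overwrites it for the rest of the script.
#
# awk splits on any run of blanks, so "USER<tab>app" and "USER   app" are
# handled (the original cut -d' ' -f2 returned an empty field for those),
# and the path is quoted so a directory with spaces does not split. A
# Dockerfile may contain several USER instructions; the last one is the
# effective user at run time, so only that one is reported instead of a
# whitespace-joined list.
FIND=$(awk '/^USER/ { print $2 }' "${AUDIT_FILE}" | tail -n 1)
if [ -z "${FIND}" ]; then
    ReportWarning "dockerfile" "No user declared in Dockerfile. Container will execute command as root."
else
    USER=${FIND}
    Display --indent 2 --text "User" --result "${USER}"
fi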

# Install the dockscan Ruby gem. This pulls unpinned code from rubygems.org
# and, when run as root, installs it system-wide; pin the version and
# prefer a user-level install on hosts you care about.
$ gem install dockscan

# Audit the local daemon through its socket. As noted above, socket access
# is root-equivalent, so run the scanner from an account that is already
# trusted with it rather than widening socket permissions for the tool.
$ dockscan unix:///var/run/docker.sock


