The goal of swarm-sec is to assess and highlight the security issues in a native swarm cluster setup and faciliate a developer or administrator to deploy a secure cluster environment. swarm-sec is an extension to docker-bench-security.
Currently swarm-sec can:
- Assesses possible issues in swarm daemon configuration
- Details node-specific security issues in the cluster
- Remote connection issues between the node and swarm manager
The list of test scenarios considered in the current version is documented here
- Install swarm by following the instructions here
- Setup a few node cluster and start the manager and cluster as described here. For dev environment, install swarm manually as described here
- Ensure that all nodes run docker version 1.6.0 or above (run
docker version)
Step-by-step installation and setup information are enumerated below:
Get the source:
git clone https://github.com/snrism/swarm-sec.gitBuild swarm-sec:
cd <swarm-sec>
docker build -t swarm-sec .
docker run -it --net host --pid host --cap-add audit_control \
-v /var/lib:/var/lib \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /usr/lib/systemd:/usr/lib/systemd \
-v /etc:/etc --label swarm-sec \
swarm-secAlternatively, swarm-sec can be started by just running
cd <swarm-sec>
sh swarm-sec.sh (Not recommended. Lets containerize swarm-sec :))Get help using:
docker run -it --net host --pid host --cap-add audit_control \
-v /var/lib:/var/lib \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /usr/lib/systemd:/usr/lib/systemd \
-v /etc:/etc --label swarm-sec \
swarm-sec -hRun swarm-sec for entire cluster using:
docker run -it --net host --pid host --cap-add audit_control \
-v /var/lib:/var/lib \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /usr/lib/systemd:/usr/lib/systemd \
-v /etc:/etc --label swarm-sec \
swarm-secRun swarm-sec on a single cluster node using:
docker run -it --net host --pid host --cap-add audit_control \
-v /var/lib:/var/lib \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /usr/lib/systemd:/usr/lib/systemd \
-v /etc:/etc --label swarm-sec \
swarm-sec -n <hostname> -t <token-id>