docker / docker-bench-security

The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.
Apache License 2.0

Fix the bug that a container may not have ps command #481

Open NitroCao opened 3 years ago

NitroCao commented 3 years ago

The reason why we should not execute the ps command in containers:

The better way is to get the PID of the first process inside containers in the host PID namespace first, then find all processes whose PPID is the PID of the first process inside the container.
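The host-side lookup described in the comment above, as an added example that is not part of the original pull request or the project's code: it reads the container's first PID with `docker inspect` and matches PPIDs in `/proc` on the host, so nothing inside the container is executed. The function names and the `PROC_ROOT` override are hypothetical, introduced only for this sketch.

```shell
#!/bin/sh
# Added example; helper names and PROC_ROOT are assumptions, not project code.

# Print the PPID recorded in a /proc/<pid>/stat file.
# Field 2 (comm) is wrapped in parentheses and may itself contain spaces
# or ")", so cut everything up to the LAST ") " before splitting on spaces.
stat_ppid() {
  line=$(cat "$1" 2>/dev/null) || return 1   # process may have exited
  rest=${line##*") "}                        # now: "<state> <ppid> ..."
  set -- $rest
  printf '%s\n' "$2"
}

# List host PIDs whose parent is $1 by scanning PROC_ROOT (default /proc).
children_of() {
  parent=$1
  for stat in "${PROC_ROOT:-/proc}"/[0-9]*/stat; do
    ppid=$(stat_ppid "$stat") || continue
    [ "$ppid" = "$parent" ] || continue
    pid=${stat%/stat}
    printf '%s\n' "${pid##*/}"
  done
}

# Processes of a container as seen from the host: its first process,
# then every process whose PPID is that first process.
container_processes() {
  init_pid=$(docker inspect --format '{{.State.Pid}}' "$1") || return 1
  [ "$init_pid" -gt 0 ] || return 1          # 0: container is not running
  printf '%s\n' "$init_pid"
  children_of "$init_pid"
}

# Usage (on the Docker host): container_processes <container-name-or-id>
```

Processes started later with `docker exec` are typically parented by the runtime shim rather than by the container's first process, so a PPID match alone can miss them; `docker top <container>` is another host-side listing that does not depend on `ps` existing in the image.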