Running docker build -t cis . from the root of this repository builds a CIS Hardened container, with scripts provided by OVH here: https://github.com/ovh/debian-cis.

Additional hardening can be applied to the container by first determining which checks are failing, using the following command docker run cis /opt/cis/bin/hardening.sh --audit-all. In the subsequent output, failed checks can be easily identified; the check can be enabled by remedying the fault and enabling the check in the conf.d/$SCRIPT_NAME.cfg file.

Take the following broken check:

9.1.4_cron_daily_perm_own [INFO] Working on 9.1.4_cron_daily_perm_ownership
9.1.4_cron_daily_perm_own [INFO] Checking Configuration
9.1.4_cron_daily_perm_own [INFO] Performing audit
9.1.4_cron_daily_perm_own [ OK ] /etc/cron.daily has correct ownership
9.1.4_cron_daily_perm_own [ KO ] /etc/cron.daily permissions were not set to 700
9.1.4_cron_daily_perm_own [ KO ] Check Failed

We can remedy this, by adding a RUN directive in the Dockerfile to correctly set file permissions: RUN chmod 0700 /etc/cron.daily. After re-building the container and running the --audit-all command again above, we can see this check is now passing:

9.1.4_cron_daily_perm_own [INFO] Working on 9.1.4_cron_daily_perm_ownership
9.1.4_cron_daily_perm_own [INFO] Checking Configuration
9.1.4_cron_daily_perm_own [INFO] Performing audit
9.1.4_cron_daily_perm_own [ OK ] /etc/cron.daily has correct ownership
9.1.4_cron_daily_perm_own [ OK ] /etc/cron.daily has correct permissions
9.1.4_cron_daily_perm_own [ OK ] Check Passed

Adding the file /conf.d/9.1.4_cron_daily_perm_own.cfg with the content status=enabled to to the repository, will now enable this check for all future builds.