docker-bench-security/tests/2_docker_daemon_configuration.sh

#!/bin/sh

check_2() {
  logit ""
  local id="2"
  local desc="Docker daemon configuration"
  checkHeader="$id - $desc"
  info "$checkHeader"
  startsectionjson "$id" "$desc"
}

# 2.1
check_2_1() {
  local id="2.1"
  local desc="Ensure network traffic is restricted between containers on the default bridge (Scored)"
  local remediation="Edit the Docker daemon configuration file to ensure that inter-container communication is disabled: \"icc\": false."
  local remediationImpact="Inter-container communication is disabled on the default network bridge. If any communication between containers on the same host is desired, it needs to be explicitly defined using container linking or custom networks."
  local check="$id  - $desc"
  starttestjson "$id" "$desc"

  totalChecks=$((totalChecks + 1))
  if get_docker_effective_command_line_args '--icc' | grep false >/dev/null 2>&1; then
    pass "$check"
    resulttestjson "PASS"
    currentScore=$((currentScore + 1))
  elif get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then
    pass "$check"
    resulttestjson "PASS"
    currentScore=$((currentScore + 1))
  else
    warn "$check"
    saveRemediation --id "${id}" --rem "${remediation}" --imp "${remediationImpact}"
    resulttestjson "WARN"
    currentScore=$((currentScore - 1))
  fi
}

# 2.2
check_2_2() {
  local id="2.2"
  local desc="Ensure the logging level is set to 'info' (Scored)"
  local check="$id  - $desc"
  starttestjson "$id" "$desc"

  totalChecks=$((totalChecks + 1))
  if get_docker_configuration_file_args 'log-level' >/dev/null 2>&1; then
    if get_docker_configuration_file_args 'log-level' | grep info >/dev/null 2>&1; then
      pass "$check"
      resulttestjson "PASS"
      currentScore=$((currentScore + 1))
    elif [ -z "$(get_docker_configuration_file_args 'log-level')" ]; then
      pass "$check"
      resulttestjson "PASS"
      currentScore=$((currentScore + 1))
    else
      warn "$check"
      resulttestjson "WARN"
      currentScore=$((currentScore - 1))
    fi
  elif get_docker_effective_command_line_args '-l'; then
    if get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1; then
      pass "$check"
      resulttestjson "PASS"
      currentScore=$((currentScore + 1))
    else
      warn "$check"
      resulttestjson "WARN"
      currentScore=$((currentScore - 1))
    fi
  else
    pass "$check"
    resulttestjson "PASS"
    currentScore=$((currentScore + 1))
  fi
}

# 2.3
check_2_3() {
  local id="2.3"
  local desc="Ensure Docker is allowed to make changes to iptables (Scored)"
  local check="$id  - $desc"
  starttestjson "$id" "$desc"

  totalChecks=$((totalChecks + 1))
  if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then
    warn "$check"
    resulttestjson "WARN"
    currentScore=$((currentScore - 1))
  elif get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then
    warn "$check"
    resulttestjson "WARN"
    currentScore=$((currentScore - 1))
  else
    pass "$check"
    resulttestjson "PASS"
    currentScore=$((currentScore + 1))
  fi
}

# 2.4
check_2_4() {
  local id="2.4"
  local desc="Ensure insecure registries are not used (Scored)"
  local check="$id  - $desc"
  starttestjson "$id" "$desc"

  totalChecks=$((totalChecks + 1))
  if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then
    warn "$check"
    resulttestjson "WARN"
    currentScore=$((currentScore - 1))
  elif ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; then
    if get_docker_configuration_file_args 'insecure-registries' | grep '\[]' >/dev/null 2>&1; then
      pass "$check"
      resulttestjson "PASS"
      currentScore=$((currentScore + 1))
    else
      warn "$check"
      resulttestjson "WARN"
      currentScore=$((currentScore - 1))
    fi
  else
    pass "$check"
    resulttestjson "PASS"
    currentScore=$((currentScore + 1))
  fi
}

# 2.5
check_2_5() {
  local id="2.5"
  local desc="Ensure aufs storage driver is not used (Scored)"
  local check="$id  - $desc"
  starttestjson "$id" "$desc"

  totalChecks=$((totalChecks + 1))
  if docker info 2>/dev/null | grep -e "^\sStorage Driver:\s*aufs\s*$" >/dev/null 2>&1; then
    warn "$check"
    resulttestjson "WARN"
    currentScore=$((currentScore - 1))
  else
    pass "$check"
    resulttestjson "PASS"
    currentScore=$((currentScore + 1))
  fi
}

# 2.6
check_2_6() {
  local id="2.6"
  local desc="Ensure TLS authentication for Docker daemon is configured (Scored)"
  local check="$id  - $desc"
  starttestjson "$id" "$desc"

  totalChecks=$((totalChecks + 1))
  if [ $(get_docker_configuration_file_args 'tcp://') ] || \
    [ $(get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://') >/dev/null 2>&1 ]; then
    if [ $(get_docker_configuration_file_args '"tlsverify":' | grep 'true') ] || \
        [ $(get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify') >/dev/null 2>&1 ]; then
      pass "$check"
      resulttestjson "PASS"
      currentScore=$((currentScore + 1))
    elif [ $(get_docker_configuration_file_args '"tls":' | grep 'true') ] || \
        [ $(get_docker_cumulative_command_line_args '--tls' | grep 'tls$') >/dev/null 2>&1 ]; then
      warn "$check"
      warn "     * Docker daemon currently listening on TCP with TLS, but no verification"
      resulttestjson "WARN" "Docker daemon currently listening on TCP with TLS, but no verification"
      currentScore=$((currentScore - 1))
    else
      warn "$check"
      warn "     * Docker daemon currently listening on TCP without TLS"
      resulttestjson "WARN" "Docker daemon currently listening on TCP without TLS"
      currentScore=$((currentScore - 1))
    fi
  else
    info "$check"
    info "     * Docker daemon not listening on TCP"
    resulttestjson "INFO" "Docker daemon not listening on TCP"
    currentScore=$((currentScore + 0))
  fi
}

# 2.7
check_2_7() {
  local id="2.7"
  local desc="Ensure the default ulimit is configured appropriately (Not Scored)"
  local check="$id  - $desc"
  starttestjson "$id" "$desc"

  totalChecks=$((totalChecks + 1))
  if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then
    pass "$check"
    resulttestjson "PASS"
    currentScore=$((currentScore + 1))
  elif get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then
    pass "$check"
    resulttestjson "PASS"
    currentScore=$((currentScore + 1))
  else
    info "$check"
    info "     * Default ulimit doesn't appear to be set"
    resulttestjson "INFO" "Default ulimit doesn't appear to be set"
    currentScore=$((currentScore + 0))
  fi
}

# 2.8
check_2_8() {
  local id="2.8"
  local desc="Enable user namespace support (Scored)"
  local check="$id  - $desc"
  starttestjson "$id" "$desc"

  totalChecks=$((totalChecks + 1))
  if get_docker_configuration_file_args 'userns-remap' | grep -v '""'; then
    pass "$check"
    resulttestjson "PASS"
    currentScore=$((currentScore + 1))
  elif get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then
    pass "$check"
    resulttestjson "PASS"
    currentScore=$((currentScore + 1))
  else
    warn "$check"
    resulttestjson "WARN"
    currentScore=$((currentScore - 1))
  fi
}

# 2.9
check_2_9() {
  local id="2.9"
  local desc="Ensure the default cgroup usage has been confirmed (Scored)"
  local check="$id  - $desc"
  starttestjson "$id" "$desc"

  totalChecks=$((totalChecks + 1))
  if get_docker_configuration_file_args 'cgroup-parent' | grep -v ''; then
    warn "$check"
    info "     * Confirm cgroup usage"
    resulttestjson "WARN" "Confirm cgroup usage"
    currentScore=$((currentScore + 0))
  elif get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then
    warn "$check"
    info "     * Confirm cgroup usage"
    resulttestjson "WARN" "Confirm cgroup usage"
    currentScore=$((currentScore + 0))
  else
    pass "$check"
    resulttestjson "PASS"
    currentScore=$((currentScore + 1))
  fi
}

# 2.10
check_2_10() {
  local id="2.10"
  local desc="Ensure base device size is not changed until needed (Scored)"
  local check="$id  - $desc"
  starttestjson "$id" "$desc"

  totalChecks=$((totalChecks + 1))
  if get_docker_configuration_file_args 'storage-opts' | grep "dm.basesize" >/dev/null 2>&1; then
    warn "$check"
    resulttestjson "WARN"
    currentScore=$((currentScore - 1))
  elif get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then
    warn "$check"
    resulttestjson "WARN"
    currentScore=$((currentScore - 1))
  else
    pass "$check"
    resulttestjson "PASS"
    currentScore=$((currentScore + 1))
  fi
}

# 2.11
check_2_11() {
  local id="2.11"
  local desc="Ensure that authorization for Docker client commands is enabled (Scored)"
  local check="$id  - $desc"
  starttestjson "$id" "$desc"

  totalChecks=$((totalChecks + 1))
  if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]'; then
    pass "$check"
    resulttestjson "PASS"
    currentScore=$((currentScore + 1))
  elif get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then
    pass "$check"
    resulttestjson "PASS"
    currentScore=$((currentScore + 1))
  else
    warn "$check"
    resulttestjson "WARN"
    currentScore=$((currentScore - 1))
  fi
}

# 2.12
check_2_12() {
  local id="2.12"
  local desc="Ensure centralized and remote logging is configured (Scored)"
  local check="$id  - $desc"
  starttestjson "$id" "$desc"

  totalChecks=$((totalChecks + 1))
  if docker info --format '{{ .LoggingDriver }}' | grep 'json-file' >/dev/null 2>&1; then
    warn "$check"
    resulttestjson "WARN"
    currentScore=$((currentScore - 1))
  else
    pass "$check"
    resulttestjson "PASS"
    currentScore=$((currentScore + 1))
  fi
}

# 2.13
check_2_13() {
  local id="2.13"
  local desc="Ensure live restore is enabled (Scored)"
  local check="$id  - $desc"
  starttestjson "$id" "$desc"

  totalChecks=$((totalChecks + 1))
  if docker info 2>/dev/null | grep -e "Live Restore Enabled:\s*true\s*" >/dev/null 2>&1; then
    pass "$check"
    resulttestjson "PASS"
    currentScore=$((currentScore + 1))
  else
    if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
      pass "$check (Incompatible with swarm mode)"
      resulttestjson "PASS"
      currentScore=$((currentScore + 1))
    elif get_docker_effective_command_line_args '--live-restore' | grep "live-restore" >/dev/null 2>&1; then
      pass "$check"
      resulttestjson "PASS"
      currentScore=$((currentScore + 1))
    else
      warn "$check"
      resulttestjson "WARN"
      currentScore=$((currentScore - 1))
    fi
  fi
}

# 2.14
check_2_14() {
  local id="2.14"
  local desc="Ensure Userland Proxy is Disabled (Scored)"
  local check="$id  - $desc"
  starttestjson "$id" "$desc"

  totalChecks=$((totalChecks + 1))
  if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then
    pass "$check"
    resulttestjson "PASS"
    currentScore=$((currentScore + 1))
  elif get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then
    pass "$check"
    resulttestjson "PASS"
    currentScore=$((currentScore + 1))
  else
    warn "$check"
    resulttestjson "WARN"
    currentScore=$((currentScore - 1))
  fi
}

# 2.15
check_2_15() {
  local id="2.15"
  local desc="Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Not Scored)"
  local check="$id  - $desc"
  starttestjson "$id" "$desc"

  totalChecks=$((totalChecks + 1))
  if docker info --format '{{ .SecurityOptions }}' | grep 'name=seccomp,profile=default' 2>/dev/null 1>&2; then
    pass "$check"
    resulttestjson "PASS"
    currentScore=$((currentScore + 1))
  else
    info "$check"
    resulttestjson "INFO"
    currentScore=$((currentScore + 0))
  fi
}

# 2.16
check_2_16() {
  docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \
    | awk '{print $NF; exit}' | tr -d '[:alpha:]-,.' | cut -c 1-4)

  local id="2.16"
  local desc="Ensure that experimental features are not implemented in production (Scored)"
  local check="$id  - $desc"
  starttestjson "$id" "$desc"

  totalChecks=$((totalChecks + 1))
  if [ "$docker_version" -le 1903 ]; then
    if docker version -f '{{.Server.Experimental}}' | grep false 2>/dev/null 1>&2; then
      pass "$check"
      resulttestjson "PASS"
      currentScore=$((currentScore + 1))
    else
      warn "$check"
      resulttestjson "WARN"
      currentScore=$((currentScore - 1))
    fi
  else
    local desc="$desc (Deprecated)"
    local check="$id  - $desc"
    info "$desc"
    resulttestjson "INFO"
  fi
}

# 2.17
check_2_17() {
  local id="2.17"
  local desc="Ensure containers are restricted from acquiring new privileges (Scored)"
  local check="$id  - $desc"
  starttestjson "$id" "$desc"

  totalChecks=$((totalChecks + 1))
  if get_docker_effective_command_line_args '--no-new-privileges' | grep "no-new-privileges" >/dev/null 2>&1; then
    pass "$check"
    resulttestjson "PASS"
    currentScore=$((currentScore + 1))
  elif get_docker_configuration_file_args 'no-new-privileges' | grep true >/dev/null 2>&1; then
    pass "$check"
    resulttestjson "PASS"
    currentScore=$((currentScore + 1))
  else
    warn "$check"
    resulttestjson "WARN"
    currentScore=$((currentScore - 1))
  fi
}

check_2_end() {
  endsectionjson
}
-												First version of the CIS Docker Benchmark v1.0.0

											
										
										
											2015-05-11 06:08:28 +02:00
+								#!/bin/sh
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								check_2() {
-												Print remediation measures at the end of the logs

											
										
										
											2021-03-10 20:47:52 +01:00
+								  logit ""
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								  local id="2"
 								  local desc="Docker daemon configuration"
-												Print remediation measures at the end of the logs

											
										
										
											2021-03-10 20:47:52 +01:00
+								  checkHeader="$id - $desc"
 								  info "$checkHeader"
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								  startsectionjson "$id" "$desc"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								}
-												First version of the CIS Docker Benchmark v1.0.0

											
										
										
											2015-05-11 06:08:28 +02:00
 								# 2.1
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								check_2_1() {
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								  local id="2.1"
 								  local desc="Ensure network traffic is restricted between containers on the default bridge (Scored)"
-												Improve wording

											
										
										
											2021-03-11 07:30:01 +01:00
+								  local remediation="Edit the Docker daemon configuration file to ensure that inter-container communication is disabled: \"icc\": false."
-												Print remediation measures at the end of the logs

											
										
										
											2021-03-10 20:47:52 +01:00
+								  local remediationImpact="Inter-container communication is disabled on the default network bridge. If any communication between containers on the same host is desired, it needs to be explicitly defined using container linking or custom networks."
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								  local check="$id  - $desc"
 								  starttestjson "$id" "$desc"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								  totalChecks=$((totalChecks + 1))
 								  if get_docker_effective_command_line_args '--icc' | grep false >/dev/null 2>&1; then
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    pass "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "PASS"
-												add score and totalChecks to 2_

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2017-10-23 15:39:32 +02:00
+								    currentScore=$((currentScore + 1))
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								  elif get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    pass "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "PASS"
-												add score and totalChecks to 2_

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2017-10-23 15:39:32 +02:00
+								    currentScore=$((currentScore + 1))
-												check config file settings

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2017-02-20 11:21:18 +01:00
+								  else
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    warn "$check"
-												Print remediation measures at the end of the logs

											
										
										
											2021-03-10 20:47:52 +01:00
+								    saveRemediation --id "${id}" --rem "${remediation}" --imp "${remediationImpact}"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "WARN"
-												add score and totalChecks to 2_

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2017-10-23 15:39:32 +02:00
+								    currentScore=$((currentScore - 1))
-												check config file settings

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2017-02-20 11:21:18 +01:00
+								  fi
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								}
 								# 2.2
 								check_2_2() {
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								  local id="2.2"
 								  local desc="Ensure the logging level is set to 'info' (Scored)"
 								  local check="$id  - $desc"
 								  starttestjson "$id" "$desc"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								  totalChecks=$((totalChecks + 1))
 								  if get_docker_configuration_file_args 'log-level' >/dev/null 2>&1; then
 								    if get_docker_configuration_file_args 'log-level' | grep info >/dev/null 2>&1; then
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								      pass "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								      resulttestjson "PASS"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								      currentScore=$((currentScore + 1))
 								    elif [ -z "$(get_docker_configuration_file_args 'log-level')" ]; then
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								      pass "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								      resulttestjson "PASS"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								      currentScore=$((currentScore + 1))
 								    else
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								      warn "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								      resulttestjson "WARN"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								      currentScore=$((currentScore - 1))
 								    fi
 								  elif get_docker_effective_command_line_args '-l'; then
 								    if get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1; then
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								      pass "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								      resulttestjson "PASS"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								      currentScore=$((currentScore + 1))
 								    else
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								      warn "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								      resulttestjson "WARN"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								      currentScore=$((currentScore - 1))
 								    fi
 								  else
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    pass "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "PASS"
-												add score and totalChecks to 2_

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2017-10-23 15:39:32 +02:00
+								    currentScore=$((currentScore + 1))
-												fix test 2.2 check for log level

Signed-off-by: Kevin Lim <kevin.lim@sap.com>

											
										
										
											2016-09-28 23:20:51 +02:00
+								  fi
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								}
-												First version of the CIS Docker Benchmark v1.0.0

											
										
										
											2015-05-11 06:08:28 +02:00
 								# 2.3
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								check_2_3() {
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								  local id="2.3"
 								  local desc="Ensure Docker is allowed to make changes to iptables (Scored)"
 								  local check="$id  - $desc"
 								  starttestjson "$id" "$desc"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								  totalChecks=$((totalChecks + 1))
 								  if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    warn "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "WARN"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								    currentScore=$((currentScore - 1))
 								  elif get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    warn "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "WARN"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								    currentScore=$((currentScore - 1))
 								  else
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    pass "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "PASS"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								    currentScore=$((currentScore + 1))
 								  fi
 								}
-												First version of the CIS Docker Benchmark v1.0.0

											
										
										
											2015-05-11 06:08:28 +02:00
 								# 2.4
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								check_2_4() {
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								  local id="2.4"
 								  local desc="Ensure insecure registries are not used (Scored)"
 								  local check="$id  - $desc"
 								  starttestjson "$id" "$desc"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								  totalChecks=$((totalChecks + 1))
 								  if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    warn "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "WARN"
-												add score and totalChecks to 2_

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2017-10-23 15:39:32 +02:00
+								    currentScore=$((currentScore - 1))
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								  elif ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; then
 								    if get_docker_configuration_file_args 'insecure-registries' | grep '\[]' >/dev/null 2>&1; then
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								      pass "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								      resulttestjson "PASS"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								      currentScore=$((currentScore + 1))
 								    else
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								      warn "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								      resulttestjson "WARN"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								      currentScore=$((currentScore - 1))
 								    fi
 								  else
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    pass "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "PASS"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								    currentScore=$((currentScore + 1))
-												check config file settings

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2017-02-20 11:21:18 +01:00
+								  fi
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								}
-												First version of the CIS Docker Benchmark v1.0.0

											
										
										
											2015-05-11 06:08:28 +02:00
 								# 2.5
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								check_2_5() {
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								  local id="2.5"
 								  local desc="Ensure aufs storage driver is not used (Scored)"
 								  local check="$id  - $desc"
 								  starttestjson "$id" "$desc"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								  totalChecks=$((totalChecks + 1))
-												Fix check condition

Signed-off-by: zawazawa0316 <37421794+zawazawa0316@users.noreply.github.com>

											
										
										
											2020-03-03 13:51:49 +01:00
+								  if docker info 2>/dev/null | grep -e "^\sStorage Driver:\s*aufs\s*$" >/dev/null 2>&1; then
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    warn "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "WARN"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								    currentScore=$((currentScore - 1))
 								  else
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    pass "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "PASS"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								    currentScore=$((currentScore + 1))
 								  fi
 								}
-												First version of the CIS Docker Benchmark v1.0.0

											
										
										
											2015-05-11 06:08:28 +02:00
 								# 2.6
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								check_2_6() {
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								  local id="2.6"
 								  local desc="Ensure TLS authentication for Docker daemon is configured (Scored)"
 								  local check="$id  - $desc"
 								  starttestjson "$id" "$desc"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								  totalChecks=$((totalChecks + 1))
-												locate configuration file before we run the tests #410

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2019-12-17 15:03:54 +01:00
+								  if [ $(get_docker_configuration_file_args 'tcp://') ] || \
-												Fixes incorrect reporting of TLS configuration in test 2.6

Signed-off-by: Nigel Brown <nigel@windsock.io>

											
										
										
											2018-07-10 15:35:30 +02:00
+								    [ $(get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://') >/dev/null 2>&1 ]; then
 								    if [ $(get_docker_configuration_file_args '"tlsverify":' | grep 'true') ] || \
 								        [ $(get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify') >/dev/null 2>&1 ]; then
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								      pass "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								      resulttestjson "PASS"
-												Fixes incorrect reporting of TLS configuration in test 2.6

Signed-off-by: Nigel Brown <nigel@windsock.io>

											
										
										
											2018-07-10 15:35:30 +02:00
+								      currentScore=$((currentScore + 1))
 								    elif [ $(get_docker_configuration_file_args '"tls":' | grep 'true') ] || \
 								        [ $(get_docker_cumulative_command_line_args '--tls' | grep 'tls$') >/dev/null 2>&1 ]; then
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								      warn "$check"
-												Fixes incorrect reporting of TLS configuration in test 2.6

Signed-off-by: Nigel Brown <nigel@windsock.io>

											
										
										
											2018-07-10 15:35:30 +02:00
+								      warn "     * Docker daemon currently listening on TCP with TLS, but no verification"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								      resulttestjson "WARN" "Docker daemon currently listening on TCP with TLS, but no verification"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								      currentScore=$((currentScore - 1))
-												Fixes #167 - use get_docker_cumulative_command_line_args to check TLS settings

Additionally, split warning into 2 parts:  no TLS, TLS w/o verification

Signed-off-by: Mr. Secure <ben.github@mrsecure.org>

											
										
										
											2016-09-25 02:42:39 +02:00
+								    else
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								      warn "$check"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								      warn "     * Docker daemon currently listening on TCP without TLS"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								      resulttestjson "WARN" "Docker daemon currently listening on TCP without TLS"
-												add score and totalChecks to 2_

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2017-10-23 15:39:32 +02:00
+								      currentScore=$((currentScore - 1))
-												Fixes #167 - use get_docker_cumulative_command_line_args to check TLS settings

Additionally, split warning into 2 parts:  no TLS, TLS w/o verification

Signed-off-by: Mr. Secure <ben.github@mrsecure.org>

											
										
										
											2016-09-25 02:42:39 +02:00
+								    fi
-												update chap 2 to cis 1.11

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2016-04-14 22:25:11 +02:00
+								  else
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    info "$check"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								    info "     * Docker daemon not listening on TCP"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "INFO" "Docker daemon not listening on TCP"
-												consistent currentScore

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-07-01 20:04:20 +02:00
+								    currentScore=$((currentScore + 0))
-												update chap 2 to cis 1.11

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2016-04-14 22:25:11 +02:00
+								  fi
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								}
-												Fixes #167 - use get_docker_cumulative_command_line_args to check TLS settings

Additionally, split warning into 2 parts:  no TLS, TLS w/o verification

Signed-off-by: Mr. Secure <ben.github@mrsecure.org>

											
										
										
											2016-09-25 02:42:39 +02:00
-												First version of the CIS Docker Benchmark v1.0.0

											
										
										
											2015-05-11 06:08:28 +02:00
+								# 2.7
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								check_2_7() {
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								  local id="2.7"
 								  local desc="Ensure the default ulimit is configured appropriately (Not Scored)"
 								  local check="$id  - $desc"
 								  starttestjson "$id" "$desc"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								  totalChecks=$((totalChecks + 1))
 								  if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    pass "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "PASS"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								    currentScore=$((currentScore + 1))
 								  elif get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    pass "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "PASS"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								    currentScore=$((currentScore + 1))
 								  else
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    info "$check"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								    info "     * Default ulimit doesn't appear to be set"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "INFO" "Default ulimit doesn't appear to be set"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								    currentScore=$((currentScore + 0))
 								  fi
 								}
-												First version of the CIS Docker Benchmark v1.0.0

											
										
										
											2015-05-11 06:08:28 +02:00
 								# 2.8
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								check_2_8() {
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								  local id="2.8"
 								  local desc="Enable user namespace support (Scored)"
 								  local check="$id  - $desc"
 								  starttestjson "$id" "$desc"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								  totalChecks=$((totalChecks + 1))
 								  if get_docker_configuration_file_args 'userns-remap' | grep -v '""'; then
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    pass "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "PASS"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								    currentScore=$((currentScore + 1))
 								  elif get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    pass "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "PASS"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								    currentScore=$((currentScore + 1))
 								  else
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    warn "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "WARN"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								    currentScore=$((currentScore - 1))
 								  fi
 								}
-												First version of the CIS Docker Benchmark v1.0.0

											
										
										
											2015-05-11 06:08:28 +02:00
 								# 2.9
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								check_2_9() {
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								  local id="2.9"
 								  local desc="Ensure the default cgroup usage has been confirmed (Scored)"
 								  local check="$id  - $desc"
 								  starttestjson "$id" "$desc"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								  totalChecks=$((totalChecks + 1))
-												Fixed check 2.9

Signed-off-by: Boris Gorbylev <ekho@ekho.name>

											
										
										
											2019-02-21 17:11:01 +01:00
+								  if get_docker_configuration_file_args 'cgroup-parent' | grep -v ''; then
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    warn "$check"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								    info "     * Confirm cgroup usage"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "WARN" "Confirm cgroup usage"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								    currentScore=$((currentScore + 0))
 								  elif get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    warn "$check"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								    info "     * Confirm cgroup usage"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "WARN" "Confirm cgroup usage"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								    currentScore=$((currentScore + 0))
 								  else
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    pass "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "PASS"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								    currentScore=$((currentScore + 1))
 								  fi
 								}
-												First version of the CIS Docker Benchmark v1.0.0

											
										
										
											2015-05-11 06:08:28 +02:00
 								# 2.10
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								check_2_10() {
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								  local id="2.10"
 								  local desc="Ensure base device size is not changed until needed (Scored)"
 								  local check="$id  - $desc"
 								  starttestjson "$id" "$desc"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								  totalChecks=$((totalChecks + 1))
 								  if get_docker_configuration_file_args 'storage-opts' | grep "dm.basesize" >/dev/null 2>&1; then
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    warn "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "WARN"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								    currentScore=$((currentScore - 1))
 								  elif get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    warn "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "WARN"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								    currentScore=$((currentScore - 1))
 								  else
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    pass "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "PASS"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								    currentScore=$((currentScore + 1))
 								  fi
 								}
-												update chap 2 to cis 1.11

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2016-04-14 22:25:11 +02:00
 								# 2.11
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								check_2_11() {
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								  local id="2.11"
 								  local desc="Ensure that authorization for Docker client commands is enabled (Scored)"
 								  local check="$id  - $desc"
 								  starttestjson "$id" "$desc"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								  totalChecks=$((totalChecks + 1))
 								  if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]'; then
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    pass "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "PASS"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								    currentScore=$((currentScore + 1))
 								  elif get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    pass "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "PASS"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								    currentScore=$((currentScore + 1))
 								  else
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    warn "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "WARN"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								    currentScore=$((currentScore - 1))
 								  fi
 								}
-												Fix for issue #47.

Introduces a new function in helper_lib.sh to query the command line
arguments of the running instances of a binary. This is done to get
rid of the problem of "-lf" versus "-alf" for pgrep.

Signed-off-by: Joachim Lusiardi <joachim@lusiardi.de>

											
										
										
											2015-06-22 21:36:56 +02:00
-												update chap 2 to cis 1.11

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2016-04-14 22:25:11 +02:00
+								# 2.12
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								check_2_12() {
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								  local id="2.12"
 								  local desc="Ensure centralized and remote logging is configured (Scored)"
 								  local check="$id  - $desc"
 								  starttestjson "$id" "$desc"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								  totalChecks=$((totalChecks + 1))
 								  if docker info --format '{{ .LoggingDriver }}' | grep 'json-file' >/dev/null 2>&1; then
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    warn "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "WARN"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								    currentScore=$((currentScore - 1))
 								  else
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    pass "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "PASS"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								    currentScore=$((currentScore + 1))
 								  fi
 								}
-												update chap 2 to cis 1.11

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2016-04-14 22:25:11 +02:00
 								# 2.13
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								check_2_13() {
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								  local id="2.13"
 								  local desc="Ensure live restore is enabled (Scored)"
 								  local check="$id  - $desc"
 								  starttestjson "$id" "$desc"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
-												first pass on section 2

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2019-08-27 14:54:08 +02:00
+								  totalChecks=$((totalChecks + 1))
 								  if docker info 2>/dev/null | grep -e "Live Restore Enabled:\s*true\s*" >/dev/null 2>&1; then
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    pass "$check"
-												first pass on section 2

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2019-08-27 14:54:08 +02:00
+								    resulttestjson "PASS"
 								    currentScore=$((currentScore + 1))
 								  else
 								    if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								      pass "$check (Incompatible with swarm mode)"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								      resulttestjson "PASS"
-												deprecated --disable-legacy-registry

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-07-01 20:53:20 +02:00
+								      currentScore=$((currentScore + 1))
-												first pass on section 2

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2019-08-27 14:54:08 +02:00
+								    elif get_docker_effective_command_line_args '--live-restore' | grep "live-restore" >/dev/null 2>&1; then
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								      pass "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								      resulttestjson "PASS"
-												deprecated --disable-legacy-registry

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-07-01 20:53:20 +02:00
+								      currentScore=$((currentScore + 1))
 								    else
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								      warn "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								      resulttestjson "WARN"
-												deprecated --disable-legacy-registry

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-07-01 20:53:20 +02:00
+								      currentScore=$((currentScore - 1))
 								    fi
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								  fi
 								}
-												Support for 'CIS Docker Benchmark 1.12.0'

Signed-off-by: Ravi Kumar Vadapalli <vadapalli.ravikumar@gmail.com>

											
										
										
											2016-12-20 16:01:58 +01:00
 								# 2.14
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								check_2_14() {
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								  local id="2.14"
 								  local desc="Ensure Userland Proxy is Disabled (Scored)"
 								  local check="$id  - $desc"
 								  starttestjson "$id" "$desc"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								  totalChecks=$((totalChecks + 1))
-												first pass on section 2

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2019-08-27 14:54:08 +02:00
+								  if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    pass "$check"
-												first pass on section 2

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2019-08-27 14:54:08 +02:00
+								    resulttestjson "PASS"
 								    currentScore=$((currentScore + 1))
 								  elif get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    pass "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "PASS"
-												add score and totalChecks to 2_

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2017-10-23 15:39:32 +02:00
+								    currentScore=$((currentScore + 1))
-												#182 checks

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2017-01-23 13:13:48 +01:00
+								  else
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    warn "$check"
-												first pass on section 2

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2019-08-27 14:54:08 +02:00
+								    resulttestjson "WARN"
 								    currentScore=$((currentScore - 1))
-												#182 checks

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2017-01-23 13:13:48 +01:00
+								  fi
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								}
-												Support for 'CIS Docker Benchmark 1.12.0'

Signed-off-by: Ravi Kumar Vadapalli <vadapalli.ravikumar@gmail.com>

											
										
										
											2016-12-20 16:01:58 +01:00
 								# 2.15
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								check_2_15() {
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								  local id="2.15"
 								  local desc="Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Not Scored)"
 								  local check="$id  - $desc"
 								  starttestjson "$id" "$desc"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								  totalChecks=$((totalChecks + 1))
-												first pass on section 2

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2019-08-27 14:54:08 +02:00
+								  if docker info --format '{{ .SecurityOptions }}' | grep 'name=seccomp,profile=default' 2>/dev/null 1>&2; then
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    pass "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "PASS"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								    currentScore=$((currentScore + 1))
 								  else
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    info "$check"
-												first pass on section 2

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2019-08-27 14:54:08 +02:00
+								    resulttestjson "INFO"
 								    currentScore=$((currentScore + 0))
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								  fi
 								}
-												Support for 'CIS Docker Benchmark 1.12.0'

Signed-off-by: Ravi Kumar Vadapalli <vadapalli.ravikumar@gmail.com>

											
										
										
											2016-12-20 16:01:58 +01:00
 								# 2.16
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								check_2_16() {
-												Deprecate rule 2.16 for Docker > 19.03

The upcoming 20.x docker release will always have experimental features
enabled, which will stop this test from working.

More details can be found in docker/cli##2774

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

											
										
										
											2020-10-02 16:24:14 +02:00
+								  docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \
 								    | awk '{print $NF; exit}' | tr -d '[:alpha:]-,.' | cut -c 1-4)
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								  local id="2.16"
 								  local desc="Ensure that experimental features are not implemented in production (Scored)"
 								  local check="$id  - $desc"
 								  starttestjson "$id" "$desc"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								  totalChecks=$((totalChecks + 1))
-												Deprecate rule 2.16 for Docker > 19.03

The upcoming 20.x docker release will always have experimental features
enabled, which will stop this test from working.

More details can be found in docker/cli##2774

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

											
										
										
											2020-10-02 16:24:14 +02:00
+								  if [ "$docker_version" -le 1903 ]; then
 								    if docker version -f '{{.Server.Experimental}}' | grep false 2>/dev/null 1>&2; then
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								      pass "$check"
-												Deprecate rule 2.16 for Docker > 19.03

The upcoming 20.x docker release will always have experimental features
enabled, which will stop this test from working.

More details can be found in docker/cli##2774

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

											
										
										
											2020-10-02 16:24:14 +02:00
+								      resulttestjson "PASS"
 								      currentScore=$((currentScore + 1))
 								    else
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								      warn "$check"
-												Deprecate rule 2.16 for Docker > 19.03

The upcoming 20.x docker release will always have experimental features
enabled, which will stop this test from working.

More details can be found in docker/cli##2774

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

											
										
										
											2020-10-02 16:24:14 +02:00
+								      resulttestjson "WARN"
 								      currentScore=$((currentScore - 1))
 								    fi
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								  else
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    local desc="$desc (Deprecated)"
 								    local check="$id  - $desc"
 								    info "$desc"
-												Deprecate rule 2.16 for Docker > 19.03

The upcoming 20.x docker release will always have experimental features
enabled, which will stop this test from working.

More details can be found in docker/cli##2774

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

											
										
										
											2020-10-02 16:24:14 +02:00
+								    resulttestjson "INFO"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								  fi
 								}
-												Support for 'CIS Docker Benchmark 1.12.0'

Signed-off-by: Ravi Kumar Vadapalli <vadapalli.ravikumar@gmail.com>

											
										
										
											2016-12-20 16:01:58 +01:00
 								# 2.17
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								check_2_17() {
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								  local id="2.17"
 								  local desc="Ensure containers are restricted from acquiring new privileges (Scored)"
 								  local check="$id  - $desc"
 								  starttestjson "$id" "$desc"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								  totalChecks=$((totalChecks + 1))
-												fix 2.18

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-02-09 11:02:04 +01:00
+								  if get_docker_effective_command_line_args '--no-new-privileges' | grep "no-new-privileges" >/dev/null 2>&1; then
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    pass "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "PASS"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								    currentScore=$((currentScore + 1))
-												fix 2.18

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-02-09 11:02:04 +01:00
+								  elif get_docker_configuration_file_args 'no-new-privileges' | grep true >/dev/null 2>&1; then
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    pass "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "PASS"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								    currentScore=$((currentScore + 1))
 								  else
-												Change global variable used only locally to local variable for simplification

											
										
										
											2021-03-09 11:42:48 +01:00
+								    warn "$check"
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
+								    resulttestjson "WARN"
-												convert all checks to functions

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

											
										
										
											2018-01-16 13:46:49 +01:00
+								    currentScore=$((currentScore - 1))
 								  fi
 								}
-												Improve docker-bench-security json output

Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

											
										
										
											2018-07-12 03:02:12 +02:00
 								check_2_end() {
 								  endsectionjson
 								}