2015-05-11 06:08:28 +02:00
#!/bin/sh
2018-01-16 13:46:49 +01:00
check_1( ) {
logit ""
2021-03-09 11:42:48 +01:00
local id = "1"
local desc = "Host Configuration"
2021-03-10 20:47:52 +01:00
checkHeader = " $id - $desc "
info " $checkHeader "
2021-03-09 11:42:48 +01:00
startsectionjson " $id " " $desc "
2018-01-16 13:46:49 +01:00
}
2015-05-11 06:08:28 +02:00
2018-01-16 13:46:49 +01:00
check_1_1( ) {
2021-03-09 11:42:48 +01:00
local id = "1.1"
local desc = "General Configuration"
local check = " $id - $desc "
info " $check "
2018-01-16 13:46:49 +01:00
}
2015-05-11 06:08:28 +02:00
2019-08-26 14:37:25 +02:00
check_1_1_1( ) {
2021-03-09 11:42:48 +01:00
local id = "1.1.1"
local desc = "Ensure the container host has been Hardened (Not Scored)"
2021-03-18 09:28:45 +01:00
local remediation = "You may consider various Security Benchmarks for your container host."
local remediationImpact = "None."
2021-03-09 11:42:48 +01:00
local check = " $id - $desc "
starttestjson " $id " " $desc "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
2021-03-16 09:05:49 +01:00
note -c " $check "
logcheckresult "INFO"
2018-01-16 13:46:49 +01:00
}
2015-05-11 06:08:28 +02:00
2019-08-26 14:37:25 +02:00
check_1_1_2( ) {
2021-03-09 11:42:48 +01:00
local id = "1.1.2"
local desc = "Ensure that the version of Docker is up to date (Not Scored)"
2021-03-18 09:28:45 +01:00
local remediation = "You should monitor versions of Docker releases and make sure your software is updated as required."
local remediationImpact = "You should perform a risk assessment regarding Docker version updates and review how they may impact your operations."
2021-03-09 11:42:48 +01:00
local check = " $id - $desc "
starttestjson " $id " " $desc "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
2018-01-16 13:46:49 +01:00
docker_version = $( docker version | grep -i -A2 '^server' | grep ' Version:' \
| awk '{print $NF; exit}' | tr -d '[:alpha:]-,' )
docker_current_version = " $( date +%y.%m.0 -d @$(( $( date +%s) - 2592000 )) ) "
do_version_check " $docker_current_version " " $docker_version "
if [ $? -eq 11 ] ; then
2021-03-16 09:05:49 +01:00
info -c " $check "
2019-08-26 15:13:50 +02:00
info " * Using $docker_version , verify is it up to date as deemed necessary "
info " * Your operating system vendor may provide support and security maintenance for Docker"
2021-03-16 09:05:49 +01:00
logcheckresult "INFO" " Using $docker_version "
2018-01-16 13:46:49 +01:00
else
2021-03-16 09:05:49 +01:00
pass -c " $check "
2019-08-26 15:13:50 +02:00
info " * Using $docker_version which is current "
info " * Check with your operating system vendor for support and security maintenance for Docker"
2021-03-16 09:05:49 +01:00
logcheckresult "PASS" " Using $docker_version "
2018-01-16 13:46:49 +01:00
fi
}
2015-05-11 06:08:28 +02:00
2019-08-26 14:37:25 +02:00
check_1_2( ) {
2021-03-09 11:42:48 +01:00
local id = "1.2"
local desc = "Linux Hosts Specific Configuration"
local check = " $id - $desc "
info " $check "
2019-08-26 14:37:25 +02:00
}
check_1_2_1( ) {
2021-03-09 11:42:48 +01:00
local id = "1.2.1"
local desc = "Ensure a separate partition for containers has been created (Scored)"
2021-03-16 09:05:49 +01:00
local remediation = "For new installations, you should create a separate partition for the /var/lib/docker mount point. For systems that have already been installed, you should use the Logical Volume Manager (LVM) within Linux to create a new partition."
2021-03-18 09:28:45 +01:00
local remediationImpact = "None."
2021-03-09 11:42:48 +01:00
local check = " $id - $desc "
starttestjson " $id " " $desc "
2019-08-26 14:37:25 +02:00
2020-09-29 12:41:25 +02:00
docker_root_dir = $( docker info -f '{{ .DockerRootDir }}' )
if docker info | grep -q userns ; then
docker_root_dir = $( readlink -f " $docker_root_dir /.. " )
fi
if mountpoint -q -- " $docker_root_dir " >/dev/null 2>& 1; then
2021-03-16 09:05:49 +01:00
pass -s " $check "
logcheckresult "PASS"
2019-08-26 14:37:25 +02:00
else
2021-03-16 09:05:49 +01:00
warn -s " $check "
logcheckresult "WARN"
2019-08-26 14:37:25 +02:00
fi
}
2021-03-16 09:05:49 +01:00
check_1_2_2( ) {
2021-03-09 11:42:48 +01:00
local id = "1.2.2"
local desc = "Ensure only trusted users are allowed to control Docker daemon (Scored)"
2021-03-16 09:05:49 +01:00
local remediation = "You should remove any untrusted users from the docker group using command sudo gpasswd -d <your-user> docker or add trusted users to the docker group using command sudo usermod -aG docker <your-user>. You should not create a mapping of sensitive directories from the host to container volumes."
local remediationImpact = "Only trust user are allow to build and execute containers as normal user."
local check = " $id - $desc "
2021-03-09 11:42:48 +01:00
starttestjson " $id " " $desc "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
2020-05-08 13:09:52 +02:00
if command -v getent >/dev/null 2>& 1; then
docker_users = $( getent group docker)
else
docker_users = $( grep 'docker' /etc/group)
fi
2021-03-16 09:05:49 +01:00
docker_users = $( printf "%s" " $docker_users " | awk -F: '{print $4}' )
local doubtfulusers = ""
if [ -n " $dockertrustusers " ] ; then
for u in $( printf "%s" " $docker_users " | sed "s/,/ /g" ) ; do
if ! printf "%s" " $dockertrustusers " | grep -q " $u " ; then
if [ -n " ${ doubtfulusers } " ] ; then
doubtfulusers = " ${ doubtfulusers } , $u "
else
doubtfulusers = " $u "
fi
fi
done
else
info -c " $check "
info " * Users: $docker_users "
logcheckresult "INFO" "doubtfulusers" " $docker_users "
fi
if [ -n " ${ doubtfulusers } " ] ; then
warn -s " $check "
warn " * Doubtful users: $doubtfulusers "
logcheckresult "WARN" "doubtfulusers" " $doubtfulusers "
fi
if [ -z " ${ doubtfulusers } " ] && [ -n " ${ dockertrustusers } " ] ; then
pass -s " $check "
logcheckresult "PASS"
fi
2018-01-16 13:46:49 +01:00
}
2015-05-11 06:08:28 +02:00
2019-08-26 14:37:25 +02:00
check_1_2_3( ) {
2021-03-09 11:42:48 +01:00
local id = "1.2.3"
local desc = "Ensure auditing is configured for the Docker daemon (Scored)"
2021-03-28 08:47:49 +02:00
local remediation = "Install auditd. Add -w /usr/bin/dockerd -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
2021-03-10 20:47:52 +01:00
local remediationImpact = "Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
2021-03-09 11:42:48 +01:00
local check = " $id - $desc "
starttestjson " $id " " $desc "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
2019-10-16 09:49:18 +02:00
file = "/usr/bin/dockerd"
2018-01-16 13:46:49 +01:00
if command -v auditctl >/dev/null 2>& 1; then
if auditctl -l | grep " $file " >/dev/null 2>& 1; then
2021-03-16 09:05:49 +01:00
pass -s " $check "
logcheckresult "PASS"
2018-01-16 13:46:49 +01:00
else
2021-03-16 09:05:49 +01:00
warn -s " $check "
logcheckresult "WARN"
2018-01-16 13:46:49 +01:00
fi
elif grep -s " $file " " $auditrules " | grep "^[^#;]" 2>/dev/null 1>& 2; then
2021-03-16 09:05:49 +01:00
pass -s " $check "
logcheckresult "PASS"
2015-05-11 06:08:28 +02:00
else
2021-03-16 09:05:49 +01:00
warn -s " $check "
logcheckresult "WARN"
2015-05-11 06:08:28 +02:00
fi
2018-01-16 13:46:49 +01:00
}
2015-05-11 06:08:28 +02:00
2019-08-26 14:37:25 +02:00
check_1_2_4( ) {
2021-03-09 11:42:48 +01:00
local id = "1.2.4"
local desc = "Ensure auditing is configured for Docker files and directories - /var/lib/docker (Scored)"
2021-03-28 08:47:49 +02:00
local remediation = "Install auditd. Add -w /var/lib/docker -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
2021-03-10 20:47:52 +01:00
local remediationImpact = "Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
2021-03-09 11:42:48 +01:00
local check = " $id - $desc "
starttestjson " $id " " $desc "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
2018-01-16 13:46:49 +01:00
directory = "/var/lib/docker"
if [ -d " $directory " ] ; then
if command -v auditctl >/dev/null 2>& 1; then
if auditctl -l | grep $directory >/dev/null 2>& 1; then
2021-03-16 09:05:49 +01:00
pass -s " $check "
logcheckresult "PASS"
2018-01-16 13:46:49 +01:00
else
2021-03-16 09:05:49 +01:00
warn -s " $check "
logcheckresult "WARN"
2018-01-16 13:46:49 +01:00
fi
elif grep -s " $directory " " $auditrules " | grep "^[^#;]" 2>/dev/null 1>& 2; then
2021-03-16 09:05:49 +01:00
pass -s " $check "
logcheckresult "PASS"
2016-04-14 21:15:33 +02:00
else
2021-03-16 09:05:49 +01:00
warn -s " $check "
logcheckresult "WARN"
2016-04-14 21:15:33 +02:00
fi
else
2021-03-16 09:05:49 +01:00
info -c " $check "
2019-08-26 15:13:50 +02:00
info " * Directory not found"
2021-03-16 09:05:49 +01:00
logcheckresult "INFO" "Directory not found"
2016-04-14 21:15:33 +02:00
fi
2018-01-16 13:46:49 +01:00
}
2016-04-14 21:15:33 +02:00
2019-08-26 14:37:25 +02:00
check_1_2_5( ) {
2021-03-09 11:42:48 +01:00
local id = "1.2.5"
local desc = "Ensure auditing is configured for Docker files and directories - /etc/docker (Scored)"
2021-03-28 08:47:49 +02:00
local remediation = "Install auditd. Add -w /etc/docker -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
2021-03-10 20:47:52 +01:00
local remediationImpact = "Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
2021-03-09 11:42:48 +01:00
local check = " $id - $desc "
starttestjson " $id " " $desc "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
2018-01-16 13:46:49 +01:00
directory = "/etc/docker"
if [ -d " $directory " ] ; then
if command -v auditctl >/dev/null 2>& 1; then
if auditctl -l | grep $directory >/dev/null 2>& 1; then
2021-03-16 09:05:49 +01:00
pass -s " $check "
logcheckresult "PASS"
2018-01-16 13:46:49 +01:00
else
2021-03-16 09:05:49 +01:00
warn -s " $check "
logcheckresult "WARN"
2018-01-16 13:46:49 +01:00
fi
elif grep -s " $directory " " $auditrules " | grep "^[^#;]" 2>/dev/null 1>& 2; then
2021-03-16 09:05:49 +01:00
pass -s " $check "
logcheckresult "PASS"
2015-06-11 02:17:14 +02:00
else
2021-03-16 09:05:49 +01:00
warn -s " $check "
logcheckresult "WARN"
2015-06-11 02:17:14 +02:00
fi
2015-05-11 06:08:28 +02:00
else
2021-03-16 09:05:49 +01:00
info -c " $check "
2019-08-26 15:13:50 +02:00
info " * Directory not found"
2021-03-16 09:05:49 +01:00
logcheckresult "INFO" "Directory not found"
2015-05-11 06:08:28 +02:00
fi
2018-01-16 13:46:49 +01:00
}
2015-05-11 06:08:28 +02:00
2019-08-26 14:37:25 +02:00
check_1_2_6( ) {
2021-03-09 11:42:48 +01:00
local id = "1.2.6"
local desc = "Ensure auditing is configured for Docker files and directories - docker.service (Scored)"
2021-03-16 09:05:49 +01:00
local remediation
2021-03-28 08:47:49 +02:00
remediation = " Install auditd. Add -w $( systemctl show -p FragmentPath docker.service | sed 's/.*=//' ) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart. "
2021-03-10 20:47:52 +01:00
local remediationImpact = "Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
2021-03-09 11:42:48 +01:00
local check = " $id - $desc "
starttestjson " $id " " $desc "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
2020-04-10 15:26:25 +02:00
file = " $( get_service_file docker.service) "
2018-01-16 13:46:49 +01:00
if [ -f " $file " ] ; then
if command -v auditctl >/dev/null 2>& 1; then
if auditctl -l | grep " $file " >/dev/null 2>& 1; then
2021-03-16 09:05:49 +01:00
pass -s " $check "
logcheckresult "PASS"
2018-01-16 13:46:49 +01:00
else
2021-03-16 09:05:49 +01:00
warn -s " $check "
logcheckresult "WARN"
2018-01-16 13:46:49 +01:00
fi
elif grep -s " $file " " $auditrules " | grep "^[^#;]" 2>/dev/null 1>& 2; then
2021-03-16 09:05:49 +01:00
pass -s " $check "
logcheckresult "PASS"
2015-06-11 02:17:14 +02:00
else
2021-03-16 09:05:49 +01:00
warn -s " $check "
logcheckresult "WARN"
2015-06-11 02:17:14 +02:00
fi
2015-05-11 06:08:28 +02:00
else
2021-03-16 09:05:49 +01:00
info -c " $check "
2019-08-26 15:13:50 +02:00
info " * File not found"
2021-03-16 09:05:49 +01:00
logcheckresult "INFO" "File not found"
2015-05-11 06:08:28 +02:00
fi
2018-01-16 13:46:49 +01:00
}
2015-05-11 06:08:28 +02:00
2019-08-26 14:37:25 +02:00
check_1_2_7( ) {
2021-03-09 11:42:48 +01:00
local id = "1.2.7"
local desc = "Ensure auditing is configured for Docker files and directories - docker.socket (Scored)"
2021-03-16 09:05:49 +01:00
local remediation
2021-03-28 08:47:49 +02:00
remediation = " Install auditd. Add -w $( systemctl show -p FragmentPath docker.socket | sed 's/.*=//' ) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart. "
2021-03-10 20:47:52 +01:00
local remediationImpact = "Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
2021-03-09 11:42:48 +01:00
local check = " $id - $desc "
starttestjson " $id " " $desc "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
2020-04-10 15:26:25 +02:00
file = " $( get_service_file docker.socket) "
2018-01-16 13:46:49 +01:00
if [ -e " $file " ] ; then
if command -v auditctl >/dev/null 2>& 1; then
if auditctl -l | grep " $file " >/dev/null 2>& 1; then
2021-03-16 09:05:49 +01:00
pass -s " $check "
logcheckresult "PASS"
2018-01-16 13:46:49 +01:00
else
2021-03-16 09:05:49 +01:00
warn -s " $check "
logcheckresult "WARN"
2018-01-16 13:46:49 +01:00
fi
elif grep -s " $file " " $auditrules " | grep "^[^#;]" 2>/dev/null 1>& 2; then
2021-03-16 09:05:49 +01:00
pass -s " $check "
logcheckresult "PASS"
2015-06-11 02:17:14 +02:00
else
2021-03-16 09:05:49 +01:00
warn -s " $check "
logcheckresult "WARN"
2015-06-11 02:17:14 +02:00
fi
2015-05-11 06:08:28 +02:00
else
2021-03-16 09:05:49 +01:00
info -c " $check "
2019-08-26 15:13:50 +02:00
info " * File not found"
2021-03-16 09:05:49 +01:00
logcheckresult "INFO" "File not found"
2015-05-11 06:08:28 +02:00
fi
2018-01-16 13:46:49 +01:00
}
2015-05-11 06:08:28 +02:00
2019-08-26 14:37:25 +02:00
check_1_2_8( ) {
2021-03-09 11:42:48 +01:00
local id = "1.2.8"
local desc = "Ensure auditing is configured for Docker files and directories - /etc/default/docker (Scored)"
2021-03-28 08:47:49 +02:00
local remediation = "Install auditd. Add -w /etc/default/docker -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
2021-03-10 20:47:52 +01:00
local remediationImpact = "Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
2021-03-09 11:42:48 +01:00
local check = " $id - $desc "
starttestjson " $id " " $desc "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
2018-01-16 13:46:49 +01:00
file = "/etc/default/docker"
if [ -f " $file " ] ; then
if command -v auditctl >/dev/null 2>& 1; then
if auditctl -l | grep $file >/dev/null 2>& 1; then
2021-03-16 09:05:49 +01:00
pass -s " $check "
logcheckresult "PASS"
2018-01-16 13:46:49 +01:00
else
2021-03-16 09:05:49 +01:00
warn -s " $check "
logcheckresult "WARN"
2018-01-16 13:46:49 +01:00
fi
elif grep -s " $file " " $auditrules " | grep "^[^#;]" 2>/dev/null 1>& 2; then
2021-03-16 09:05:49 +01:00
pass -s " $check "
logcheckresult "PASS"
2015-06-11 02:17:14 +02:00
else
2021-03-16 09:05:49 +01:00
warn -s " $check "
logcheckresult "WARN"
2015-06-11 02:17:14 +02:00
fi
2015-05-11 06:08:28 +02:00
else
2021-03-16 09:05:49 +01:00
info -c " $check "
2019-08-26 15:13:50 +02:00
info " * File not found"
2021-03-16 09:05:49 +01:00
logcheckresult "INFO" "File not found"
2015-05-11 06:08:28 +02:00
fi
2018-01-16 13:46:49 +01:00
}
2015-05-11 06:08:28 +02:00
2019-08-26 14:41:37 +02:00
check_1_2_9( ) {
2021-03-09 11:42:48 +01:00
local id = "1.2.9"
local desc = "Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Scored)"
2021-03-28 08:47:49 +02:00
local remediation = "Install auditd. Add -w /etc/sysconfig/docker -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
2021-03-10 20:47:52 +01:00
local remediationImpact = "Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
2021-03-09 11:42:48 +01:00
local check = " $id - $desc "
starttestjson " $id " " $desc "
2019-08-26 14:41:37 +02:00
file = "/etc/sysconfig/docker"
if [ -f " $file " ] ; then
if command -v auditctl >/dev/null 2>& 1; then
if auditctl -l | grep $file >/dev/null 2>& 1; then
2021-03-16 09:05:49 +01:00
pass -s " $check "
logcheckresult "PASS"
2019-08-26 14:41:37 +02:00
else
2021-03-16 09:05:49 +01:00
warn -s " $check "
logcheckresult "WARN"
2019-08-26 14:41:37 +02:00
fi
elif grep -s " $file " " $auditrules " | grep "^[^#;]" 2>/dev/null 1>& 2; then
2021-03-16 09:05:49 +01:00
pass -s " $check "
logcheckresult "PASS"
2019-08-26 14:41:37 +02:00
else
2021-03-16 09:05:49 +01:00
warn -s " $check "
logcheckresult "WARN"
2019-08-26 14:41:37 +02:00
fi
else
2021-03-16 09:05:49 +01:00
info -c " $check "
2019-08-26 15:13:50 +02:00
info " * File not found"
2021-03-16 09:05:49 +01:00
logcheckresult "INFO" "File not found"
2019-08-26 14:41:37 +02:00
fi
}
2019-08-26 14:37:25 +02:00
check_1_2_10( ) {
2021-03-09 11:42:48 +01:00
local id = "1.2.10"
local desc = "Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json (Scored)"
2021-03-28 08:47:49 +02:00
local remediation = "Install auditd. Add -w /etc/docker/daemon.json -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
2021-03-10 20:47:52 +01:00
local remediationImpact = "Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
2021-03-09 11:42:48 +01:00
local check = " $id - $desc "
starttestjson " $id " " $desc "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
2018-01-16 13:46:49 +01:00
file = "/etc/docker/daemon.json"
if [ -f " $file " ] ; then
if command -v auditctl >/dev/null 2>& 1; then
if auditctl -l | grep $file >/dev/null 2>& 1; then
2021-03-16 09:05:49 +01:00
pass -s " $check "
logcheckresult "PASS"
2018-01-16 13:46:49 +01:00
else
2021-03-16 09:05:49 +01:00
warn -s " $check "
logcheckresult "WARN"
2018-01-16 13:46:49 +01:00
fi
elif grep -s " $file " " $auditrules " | grep "^[^#;]" 2>/dev/null 1>& 2; then
2021-03-16 09:05:49 +01:00
pass -s " $check "
logcheckresult "PASS"
2015-06-11 02:17:14 +02:00
else
2021-03-16 09:05:49 +01:00
warn -s " $check "
logcheckresult "WARN"
2015-06-11 02:17:14 +02:00
fi
2015-05-11 06:08:28 +02:00
else
2021-03-16 09:05:49 +01:00
info -c " $check "
2019-08-26 15:13:50 +02:00
info " * File not found"
2021-03-16 09:05:49 +01:00
logcheckresult "INFO" "File not found"
2015-05-11 06:08:28 +02:00
fi
2018-01-16 13:46:49 +01:00
}
2015-05-11 06:08:28 +02:00
2019-08-26 14:37:25 +02:00
check_1_2_11( ) {
2021-03-09 11:42:48 +01:00
local id = "1.2.11"
local desc = "Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Scored)"
2021-03-28 08:47:49 +02:00
local remediation = "Install auditd. Add -w /usr/bin/containerd -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
2021-03-10 20:47:52 +01:00
local remediationImpact = "Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
2021-03-09 11:42:48 +01:00
local check = " $id - $desc "
starttestjson " $id " " $desc "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
2019-08-26 14:37:25 +02:00
file = "/usr/bin/containerd"
2018-01-16 13:46:49 +01:00
if [ -f " $file " ] ; then
if command -v auditctl >/dev/null 2>& 1; then
if auditctl -l | grep $file >/dev/null 2>& 1; then
2021-03-16 09:05:49 +01:00
pass -s " $check "
logcheckresult "PASS"
2018-01-16 13:46:49 +01:00
else
2021-03-16 09:05:49 +01:00
warn -s " $check "
logcheckresult "WARN"
2018-01-16 13:46:49 +01:00
fi
elif grep -s " $file " " $auditrules " | grep "^[^#;]" 2>/dev/null 1>& 2; then
2021-03-16 09:05:49 +01:00
pass -s " $check "
logcheckresult "PASS"
2015-06-11 02:17:14 +02:00
else
2021-03-16 09:05:49 +01:00
warn -s " $check "
logcheckresult "WARN"
2015-06-11 02:17:14 +02:00
fi
2015-05-11 06:08:28 +02:00
else
2021-03-16 09:05:49 +01:00
info -c " $check "
2019-08-26 15:13:50 +02:00
info " * File not found"
2021-03-16 09:05:49 +01:00
logcheckresult "INFO" "File not found"
2015-05-11 06:08:28 +02:00
fi
2018-01-16 13:46:49 +01:00
}
2015-05-11 06:08:28 +02:00
2019-08-26 14:37:25 +02:00
check_1_2_12( ) {
2021-03-09 11:42:48 +01:00
local id = "1.2.12"
local desc = "Ensure auditing is configured for Docker files and directories - /usr/sbin/runc (Scored)"
2021-03-28 08:47:49 +02:00
local remediation = "Install auditd. Add -w /usr/sbin/runc -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
2021-03-10 20:47:52 +01:00
local remediationImpact = "Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
2021-03-09 11:42:48 +01:00
local check = " $id - $desc "
starttestjson " $id " " $desc "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
2019-08-26 14:37:25 +02:00
file = "/usr/sbin/runc"
2018-01-16 13:46:49 +01:00
if [ -f " $file " ] ; then
if command -v auditctl >/dev/null 2>& 1; then
if auditctl -l | grep $file >/dev/null 2>& 1; then
2021-03-16 09:05:49 +01:00
pass -s " $check "
logcheckresult "PASS"
2018-01-16 13:46:49 +01:00
else
2021-03-16 09:05:49 +01:00
warn -s " $check "
logcheckresult "WARN"
2018-01-16 13:46:49 +01:00
fi
elif grep -s " $file " " $auditrules " | grep "^[^#;]" 2>/dev/null 1>& 2; then
2021-03-16 09:05:49 +01:00
pass -s " $check "
logcheckresult "PASS"
2015-06-11 02:17:14 +02:00
else
2021-03-16 09:05:49 +01:00
warn -s " $check "
logcheckresult "WARN"
2015-06-11 02:17:14 +02:00
fi
2015-05-11 06:08:28 +02:00
else
2021-03-16 09:05:49 +01:00
info -c " $check "
2019-08-26 15:13:50 +02:00
info " * File not found"
2021-03-16 09:05:49 +01:00
logcheckresult "INFO" "File not found"
2015-05-11 06:08:28 +02:00
fi
2018-01-16 13:46:49 +01:00
}
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
check_1_end( ) {
endsectionjson
}
