localremediation="For new installations, you should create a separate partition for the /var/lib/docker mount point. For systems that have already been installed, you should use the Logical Volume Manager (LVM) within Linux to create a new partition."
localremediation="You should remove any untrusted users from the docker group using command sudo gpasswd -d <your-user> docker or add trusted users to the docker group using command sudo usermod -aG docker <your-user>. You should not create a mapping of sensitive directories from the host to container volumes."
localremediationImpact="Only trust user are allow to build and execute containers as normal user."
localremediation="Install auditd. Add -w /usr/bin/dockerd -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
localremediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
localdesc="Ensure auditing is configured for Docker files and directories -/run/containerd (Automated)"
localremediation="Install auditd. Add -a exit,always -F path=/run/containerd -F perm=war -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
localremediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
localcheck="$id - $desc"
starttestjson "$id""$desc"
file="/run/containerd"
ifcommand -v auditctl >/dev/null 2>&1;then
if auditctl -l | grep "$file" >/dev/null 2>&1;then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file""$auditrules"| grep "^[^#;]" 2>/dev/null 1>&2;then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_1_1_5(){
localid="1.1.5"
localdesc="Ensure auditing is configured for Docker files and directories - /var/lib/docker (Automated)"
localremediation="Install auditd. Add -w /var/lib/docker -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
localremediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
localremediation="Install auditd. Add -w /etc/docker -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
localremediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
remediation="Install auditd. Add -w $(get_service_file docker.service) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
localremediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
remediation="Install auditd. Add -w $(get_service_file containerd.sock) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
localremediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
remediation="Install auditd. Add -w $(get_service_file docker.socket) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
localremediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
localremediation="Install auditd. Add -w /etc/default/docker -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
localremediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
localdesc="Ensure auditing is configured for Dockerfiles and directories - /etc/docker/daemon.json (Automated)"
localremediation="Install auditd. Add -w /etc/docker/daemon.json -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
localremediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
localcheck="$id - $desc"
starttestjson "$id""$desc"
file="/etc/docker/daemon.json"
if[ -f "$file"];then
ifcommand -v auditctl >/dev/null 2>&1;then
if auditctl -l | grep $file >/dev/null 2>&1;then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file""$auditrules"| grep "^[^#;]" 2>/dev/null 1>&2;then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO""File not found"
}
check_1_1_12(){
localid="1.1.12"
localdesc="1.1.12 Ensure auditing is configured for Dockerfiles and directories - /etc/containerd/config.toml (Automated)"
localremediation="Install auditd. Add -w /etc/containerd/config.toml -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
localremediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
localcheck="$id - $desc"
starttestjson "$id""$desc"
file="/etc/containerd/config.toml"
if[ -f "$file"];then
ifcommand -v auditctl >/dev/null 2>&1;then
if auditctl -l | grep $file >/dev/null 2>&1;then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file""$auditrules"| grep "^[^#;]" 2>/dev/null 1>&2;then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO""File not found"
}
check_1_1_13(){
localid="1.1.13"
localdesc="Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Automated)"
localremediation="Install auditd. Add -w /etc/sysconfig/docker -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
localremediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
localdesc="Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Automated)"
localremediation="Install auditd. Add -w /usr/bin/containerd -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
localremediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
localdesc="Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim (Automated)"
localremediation="Install auditd. Add -w /usr/bin/containerd-shim -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
localremediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
if grep -s "$file""$auditrules"| grep "^[^#;]" 2>/dev/null 1>&2;then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO""File not found"
}
check_1_1_16(){
localid="1.1.16"
localdesc="Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v1 (Automated)"
localremediation="Install auditd. Add -w /usr/bin/containerd-shim-runc-v1 -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
localremediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
localdesc="Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v2 (Automated)"
localremediation="Install auditd. Add -w /usr/bin/containerd-shim-runc-v2 -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
localremediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
localdesc="Ensure auditing is configured for Docker files and directories - /usr/bin/runc (Automated)"
localremediation="Install auditd. Add -w /usr/bin/runc -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
localremediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
localcheck="$id - $desc"
starttestjson "$id""$desc"
file="/usr/bin/runc"
if[ -f "$file"];then
ifcommand -v auditctl >/dev/null 2>&1;then
if auditctl -l | grep $file >/dev/null 2>&1;then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file""$auditrules"| grep "^[^#;]" 2>/dev/null 1>&2;then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO""File not found"
}
check_1_2(){
localid="1.2"
localdesc="General Configuration"
localcheck="$id - $desc"
info "$check"
}
check_1_2_1(){
localid="1.2.1"
localdesc="Ensure the container host has been Hardened (Manual)"
localremediation="You may consider various Security Benchmarks for your container host."
localremediationImpact="None."
localcheck="$id - $desc"
starttestjson "$id""$desc"
note -c "$check"
logcheckresult "INFO"
}
check_1_2_2(){
localid="1.2.2"
localdesc="Ensure that the version of Docker is up to date (Manual)"
localremediation="You should monitor versions of Docker releases and make sure your software is updated as required."
localremediationImpact="You should perform a risk assessment regarding Docker version updates and review how they may impact your operations."
localcheck="$id - $desc"
starttestjson "$id""$desc"
docker_version=$(docker version | grep -i -A2 '^server'| grep ' Version:'\
