From a4afe51cb66dd8bbf474174a037684f11f10e9cc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=BCrgen=20Hermann?= Date: Mon, 20 Nov 2017 15:06:30 +0100 Subject: [PATCH 01/12] Add "--userns host" to docker run example If UID remapping is configured as a default, it has to be defeated. Signed-off-by: Juergen Hermann --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9bc2903..4bf4aaf 100644 --- a/README.md +++ b/README.md @@ -24,7 +24,7 @@ The easiest way to run your hosts against the Docker Bench for Security is by running our pre-built container: ```sh -docker run -it --net host --pid host --cap-add audit_control \ +docker run -it --net host --pid host --userns host --cap-add audit_control \ -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \ -v /var/lib:/var/lib \ -v /var/run/docker.sock:/var/run/docker.sock \ From 173d347c5258b195a16d656d7da982c55536f6f5 Mon Sep 17 00:00:00 2001 From: Ernst de Haan Date: Mon, 20 Nov 2017 15:22:24 +0100 Subject: [PATCH 02/12] Trivial: fixed typo in README file. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixed a small typo; changed “[…] was build to” to “[…] was built to” --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9bc2903..aaf7784 100644 --- a/README.md +++ b/README.md @@ -79,5 +79,5 @@ cd docker-bench-security sudo sh docker-bench-security.sh ``` -This script was build to be POSIX 2004 compliant, so it should be portable +This script was built to be POSIX 2004 compliant, so it should be portable across any Unix platform. From 6e70402f4a1d5dcc37a5f3b2ee7c415971551d57 Mon Sep 17 00:00:00 2001 From: Tom Partington Date: Wed, 6 Dec 2017 10:56:27 +1100 Subject: [PATCH 03/12] Switch to the HTTPS endpoint for the alpine APK repositories Signed-off-by: Tom Partington --- Dockerfile | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/Dockerfile b/Dockerfile
index 8a0f810..70ef4d9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,6 +4,9 @@ LABEL org.label-schema.name="docker-bench-security" \
 org.label-schema.url="https://dockerbench.com" \
 org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"

+# Switch to the HTTPS endpoint for the apk repositories as per https://github.com/gliderlabs/docker-alpine/issues/184
+RUN sed -i 's/http\:\/\/dl-cdn.alpinelinux.org/https\:\/\/alpine.global.ssl.fastly.net/g' /etc/apk/repositories
+
 RUN \
 apk upgrade --no-cache && \
 apk add --no-cache \
From be2a7b6b6ee85b35035b8bc799ecef6f0c86b7d5 Mon Sep 17 00:00:00 2001
From: Maik Ellerbrock
Date: Mon, 11 Dec 2017 00:56:49 +0100
Subject: [PATCH 04/12] feat(dockerfile): update alpine and cleanup the dockerfile
Signed-off-by: Maik Ellerbrock
---
 Dockerfile | 26 +++++++++++---------------
 distros/Dockerfile.alpine | 25 ++++++++++++-------------
 2 files changed, 23 insertions(+), 28 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 70ef4d9..1e398c7 100644
--- a/Dockerfile
+++ b/Dockerfile
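Review bot: The new `RUN sed -i … /etc/apk/repositories` line succeeds whether or not it rewrote anything, so if a later base image lists its mirror under a different host or scheme the switch to HTTPS silently does not happen and the apk commands below keep fetching over plain HTTP. A guard on the same line surfaces that at build time: `RUN sed -i 's/http\:\/\/dl-cdn.alpinelinux.org/https\:\/\/alpine.global.ssl.fastly.net/g' /etc/apk/repositories && grep -q '^https://' /etc/apk/repositories`. The comment should also say that `alpine.global.ssl.fastly.net` is a third-party mirror rather than the official host, so readers know the trust assumption is apk's signature check on the index and packages rather than the mirror itself. The `RUN \` block at the end of the hunk continues outside it.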
@@ -1,27 +1,23 @@
-FROM alpine:3.6
+FROM alpine:3.7

-LABEL org.label-schema.name="docker-bench-security" \
- org.label-schema.url="https://dockerbench.com" \
- org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"
+LABEL \
+ org.label-schema.name="docker-bench-security" \
+ org.label-schema.url="https://dockerbench.com" \
+ org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"

-# Switch to the HTTPS endpoint for the apk repositories as per https://github.com/gliderlabs/docker-alpine/issues/184
-RUN sed -i 's/http\:\/\/dl-cdn.alpinelinux.org/https\:\/\/alpine.global.ssl.fastly.net/g' /etc/apk/repositories
+COPY ./*.sh /usr/local/bin/
+COPY ./tests/*.sh /usr/local/bin/tests/

+# Switch to the HTTPS endpoint for the apk repositories
+# https://github.com/gliderlabs/docker-alpine/issues/184
 RUN \
- apk upgrade --no-cache && \
+ sed -i 's/http\:\/\/dl-cdn.alpinelinux.org/https\:\/\/alpine.global.ssl.fastly.net/g' /etc/apk/repositories && \
 apk add --no-cache \
 docker \
 dumb-init && \
- rm -rf /usr/bin/docker-* /usr/bin/dockerd && \
- mkdir /usr/local/bin/tests
-
-COPY ./*.sh /usr/local/bin/
-
-COPY ./tests/*.sh /usr/local/bin/tests/
+ rm -rf /usr/bin/docker?*

 WORKDIR /usr/local/bin

-HEALTHCHECK CMD exit 0
-
 ENTRYPOINT [ "/usr/bin/dumb-init", "docker-bench-security.sh" ]

diff --git a/distros/Dockerfile.alpine b/distros/Dockerfile.alpine
index 8a0f810..1e398c7 100644
--- a/distros/Dockerfile.alpine
+++ b/distros/Dockerfile.alpine
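Review bot: Removing `apk upgrade --no-cache` from the merged RUN means the image now only receives Alpine security fixes when the `alpine:3.7` tag is re-pulled and the build cache is invalidated, which is a real trade-off for an image built to audit other hosts and should be recorded, e.g. `# No apk upgrade: base fixes come from rebuilding against a fresh alpine:3.7 pull` above FROM (or pin FROM by digest so such a rebuild is reproducible). The new `rm -rf /usr/bin/docker?*` also needs a why-comment, since the glob hides the intent that was still readable in the old `docker-* dockerd` form; something like `# Only the docker CLI is used; drop dockerd and the docker-* helper binaries the package installs` would do. Both points apply unchanged to the distros/Dockerfile.alpine hunk of this patch, whose content is identical.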
@@ -1,24 +1,23 @@
-FROM alpine:3.6
+FROM alpine:3.7

-LABEL org.label-schema.name="docker-bench-security" \
- org.label-schema.url="https://dockerbench.com" \
- org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"
+LABEL \
+ org.label-schema.name="docker-bench-security" \
+ org.label-schema.url="https://dockerbench.com" \
+ org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"

+COPY ./*.sh /usr/local/bin/
+COPY ./tests/*.sh /usr/local/bin/tests/
+
+# Switch to the HTTPS endpoint for the apk repositories
+# https://github.com/gliderlabs/docker-alpine/issues/184
 RUN \
- apk upgrade --no-cache && \
+ sed -i 's/http\:\/\/dl-cdn.alpinelinux.org/https\:\/\/alpine.global.ssl.fastly.net/g' /etc/apk/repositories && \
 apk add --no-cache \
 docker \
 dumb-init && \
- rm -rf /usr/bin/docker-* /usr/bin/dockerd && \
- mkdir /usr/local/bin/tests
-
-COPY ./*.sh /usr/local/bin/
-
-COPY ./tests/*.sh /usr/local/bin/tests/
+ rm -rf /usr/bin/docker?*

 WORKDIR /usr/local/bin

-HEALTHCHECK CMD exit 0
-
 ENTRYPOINT [ "/usr/bin/dumb-init", "docker-bench-security.sh" ]

From bbe32c5bec087f5393529b5f9966792a51867cda Mon Sep 17 00:00:00 2001
From: Maik Ellerbrock
Date: Mon, 11 Dec 2017 22:14:47 +0100
Subject: [PATCH 05/12] perf(dockerfile): move copy at the end to improve cache invalidation
---
 Dockerfile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 1e398c7..96ca66c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,9 +5,6 @@ LABEL \
 org.label-schema.url="https://dockerbench.com" \
 org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"

-COPY ./*.sh /usr/local/bin/
-COPY ./tests/*.sh /usr/local/bin/tests/
-
 # Switch to the HTTPS endpoint for the apk repositories
 # https://github.com/gliderlabs/docker-alpine/issues/184
 RUN \
@@ -17,6 +14,9 @@ RUN \
 dumb-init && \
 rm -rf /usr/bin/docker?*

+COPY ./*.sh /usr/local/bin/
+COPY ./tests/*.sh /usr/local/bin/tests/
+
 WORKDIR /usr/local/bin

 ENTRYPOINT [ "/usr/bin/dumb-init", "docker-bench-security.sh" ]
From dcfcccd5f786089fa52878d7c58f808befc60cae Mon Sep 17 00:00:00 2001
From: Maik Ellerbrock
Date: Thu, 14 Dec 2017 00:22:54 +0100
Subject: [PATCH 06/12] refactor(healthcheck): reactivate healthcheck
---
 Dockerfile | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index 96ca66c..b8a6f18 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -17,6 +17,8 @@ RUN \
 COPY ./*.sh /usr/local/bin/
 COPY ./tests/*.sh /usr/local/bin/tests/

+HEALTHCHECK CMD exit 0
+
 WORKDIR /usr/local/bin

 ENTRYPOINT [ "/usr/bin/dumb-init", "docker-bench-security.sh" ]
From 2521d596d1ad04ca505b112e398ab87a6aec2c17 Mon Sep 17 00:00:00 2001
From: Maik Ellerbrock
Date: Thu, 14 Dec 2017 02:46:48 +0100
Subject: [PATCH 07/12] fix(dockerfile): copy dockerfile to distro
---
 distros/Dockerfile.alpine | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/distros/Dockerfile.alpine b/distros/Dockerfile.alpine
index 1e398c7..b8a6f18 100644
--- a/distros/Dockerfile.alpine
+++ b/distros/Dockerfile.alpine
@@ -5,9 +5,6 @@ LABEL \
 org.label-schema.url="https://dockerbench.com" \
 org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"

-COPY ./*.sh /usr/local/bin/
-COPY ./tests/*.sh /usr/local/bin/tests/
-
 # Switch to the HTTPS endpoint for the apk repositories
 # https://github.com/gliderlabs/docker-alpine/issues/184
 RUN \
@@ -17,6 +14,11 @@ RUN \
 dumb-init && \
 rm -rf /usr/bin/docker?*

+COPY ./*.sh /usr/local/bin/
+COPY ./tests/*.sh /usr/local/bin/tests/
+
+HEALTHCHECK CMD exit 0
+
 WORKDIR /usr/local/bin

 ENTRYPOINT [ "/usr/bin/dumb-init", "docker-bench-security.sh" ]
From 34a8dfeb975b907e66bac6541b723ac57ef8bce2 Mon Sep 17 00:00:00 2001
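Review bot: `HEALTHCHECK CMD exit 0` always reports healthy, so it gives an orchestrator no liveness signal, and as shell form it spawns `/bin/sh -c 'exit 0'` at every interval for no information. If it is only there so that the image itself is not flagged for lacking a HEALTHCHECK, say so on the line above, e.g. `# One-shot CLI image: no meaningful probe exists; present only so healthcheck-presence checks do not flag this image`; otherwise `HEALTHCHECK NONE` states the intent honestly.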
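Review bot: `Dockerfile` and `distros/Dockerfile.alpine` are two hand-maintained copies of the same content (after this patch both index lines end in `b8a6f18`), and this patch exists only because the previous ones touched one copy without the other. A comment at the top of each, e.g. `# Keep in sync with ../Dockerfile: the two files are intended to be identical`, or making one of them the single source (a symlink, or a README pointer to build it with `-f`), would stop the next change from landing in only one copy.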
From: Maik Ellerbrock Date: Thu, 14 Dec 2017 19:37:42 +0100 Subject: [PATCH 08/12] perf(update .dockerignore file): Signed-off-by: Maik Ellerbrock --- .dockerignore | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.dockerignore b/.dockerignore index 6b8710a..db3e3b9 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1 +1,5 @@ .git +*.md +*.png +distros + From 997ce7330e1e69a377f14eab7fcb0b94348f5790 Mon Sep 17 00:00:00 2001 From: Karol Babioch Date: Thu, 11 Jan 2018 16:43:53 +0100 Subject: [PATCH 09/12] Replace netstat by ss ss(8) is a modern replacement for netstat(8). The former is slowly replacing the latter in major Linux distributions, which makes it necessary to switch at some point. This addresses #278. Signed-off-by: Karol Babioch --- docker-bench-security.sh | 2 +- tests/7_docker_swarm_configuration.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docker-bench-security.sh b/docker-bench-security.sh index ce4de2c..280c552 100755 --- a/docker-bench-security.sh +++ b/docker-bench-security.sh @@ -19,7 +19,7 @@ myname=$(basename "${this_path}") ## file name of this script. export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/ # Check for required program(s) -req_progs='awk docker grep netstat stat' +req_progs='awk docker grep ss stat' for p in $req_progs; do command -v "$p" >/dev/null 2>&1 || { printf "%s command not found.\n" "$p"; exit 1; } done diff --git a/tests/7_docker_swarm_configuration.sh b/tests/7_docker_swarm_configuration.sh index a3a80c7..df1f67d 100644 --- a/tests/7_docker_swarm_configuration.sh +++ b/tests/7_docker_swarm_configuration.sh 
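Review bot: Adding `ss` to `req_progs` makes a tool that only check 7.3 uses (and only when swarm is active) a hard start-up requirement, yet the later Dockerfile patch in this series adds `iproute`/`iproute2` only to the centos, debian, openSUSE and rhel images; the alpine-based `Dockerfile` and `distros/Dockerfile.alpine` still install just `docker` and `dumb-init`, and as far as I can tell busybox provides `netstat` but no `ss` applet, so the pre-built container would stop here with `ss command not found.` before running any test. Either add `iproute2` to the `apk add --no-cache` list in both alpine Dockerfiles, or keep `ss` out of `req_progs` and have 7.3 probe for it with `command -v ss` itself.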
@@ -32,7 +32,7 @@ fi # 7.3 check_7_3="7.3 - Ensure swarm services are binded to a specific host interface" if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then - netstat -lnt | grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 ' >/dev/null 2>&1 + ss -lnt | grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 ' >/dev/null 2>&1 if [ $? -eq 1 ]; then pass "$check_7_3" logjson "7.3" "PASS" From f5542683c50ea28969a012361239eacb3b7cd820 Mon Sep 17 00:00:00 2001 From: Karol Babioch Date: Fri, 12 Jan 2018 10:44:04 +0100 Subject: [PATCH 10/12] Replaced net-tools with iproute2 in Dockerfiles Signed-off-by: Karol Babioch --- distros/Dockerfile.centos | 2 +- distros/Dockerfile.debian | 2 +- distros/Dockerfile.openSUSE | 2 +- distros/Dockerfile.rhel | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/distros/Dockerfile.centos b/distros/Dockerfile.centos index 1fa0ea4..4c0dcfb 100644 --- a/distros/Dockerfile.centos +++ b/distros/Dockerfile.centos @@ -4,7 +4,7 @@ FROM centos MAINTAINER smccarty@redhat.com -RUN yum install -y docker net-tools audit procps-ng; yum clean all +RUN yum install -y docker iproute audit procps-ng; yum clean all RUN mkdir /docker-bench-security diff --git a/distros/Dockerfile.debian b/distros/Dockerfile.debian index 0833424..4284f54 100644 --- a/distros/Dockerfile.debian +++ b/distros/Dockerfile.debian @@ -8,7 +8,7 @@ RUN \ apt-get update && \ apt-get -y upgrade && \ apt-get -y install auditd ca-certificates docker.io \ - gawk net-tools procps --no-install-recommends && \ + gawk iproute2 procps --no-install-recommends && \ apt-get -y clean && \ apt-get -y autoremove && \ rm -rf /var/lib/apt/lists/* \ diff --git a/distros/Dockerfile.openSUSE b/distros/Dockerfile.openSUSE index e841ffe..9e455f0 100644 --- a/distros/Dockerfile.openSUSE +++ b/distros/Dockerfile.openSUSE 
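Review bot: The rewritten `RUN yum install -y docker iproute audit procps-ng; yum clean all` still chains with `;`, so a failed install (for example `iproute` not resolvable from the configured repos) is masked by the exit status of `yum clean all` and the build succeeds without `ss`, which the bench now requires at start-up. `RUN yum install -y docker iproute audit procps-ng && yum clean all` fails the build instead. The same applies to the rhel hunk of this patch.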
@@ -4,7 +4,7 @@ FROM opensuse MAINTAINER security@suse.com -RUN zypper -n in docker net-tools audit +RUN zypper -n in docker iproute2 audit RUN mkdir /docker-bench-security diff --git a/distros/Dockerfile.rhel b/distros/Dockerfile.rhel index 7c7f8d8..c1b5618 100644 --- a/distros/Dockerfile.rhel +++ b/distros/Dockerfile.rhel @@ -7,7 +7,7 @@ MAINTAINER smccarty@redhat.com RUN yum install -y yum-utils; yum clean all RUN yum-config-manager --disable "*" &>/dev/null RUN yum-config-manager --enable rhel-7-server-rpms --enable rhel-7-server-extras-rpms -RUN yum install -y docker net-tools audit procps-ng; yum clean all +RUN yum install -y docker iproute audit procps-ng; yum clean all RUN mkdir /docker-bench-security From e0a302eb407bb216787c8505752bd366964fc50d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Fri, 12 Jan 2018 11:09:16 +0100 Subject: [PATCH 11/12] adapt to 18.01 docker version MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- tests/1_host_configuration.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/1_host_configuration.sh b/tests/1_host_configuration.sh index ef6ac4c..2264251 100644 --- a/tests/1_host_configuration.sh +++ b/tests/1_host_configuration.sh @@ -24,7 +24,7 @@ logjson "1.2" "INFO" # 1.3 check_1_3="1.3 - Ensure Docker is up to date" -docker_version=$(docker version | grep -i -A1 '^server' | grep -i 'version:' \ +docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \ | awk '{print $NF; exit}' | tr -d '[:alpha:]-,') docker_current_version="$(date +%y.%m.0 -d @$(( $(date +%s) - 2592000)))" do_version_check "$docker_current_version" "$docker_version" From 57acb04a965210eeface677cbc7553f01666371a Mon Sep 17 00:00:00 2001 
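Review bot: The new `grep -i -A2 '^server' | grep ' Version:'` pipeline is tied to the exact layout of the 18.01 `docker version` output (presumably `Server:`, then `Engine:`, then ` Version:` two lines down), so the next line inserted in that block puts ` Version:` outside the `-A2` window, `docker_version` becomes empty and check 1.3 fails for the wrong reason. `docker version --format '{{.Server.Version}}'` returns the same value without depending on the human-readable layout: `docker_version=$(docker version --format '{{.Server.Version}}' 2>/dev/null | tr -d '[:alpha:]-,')`. Failing that, a comment should name the layout the window was sized for, e.g. `# 18.01+ prints Server: / Engine: / Version:, hence -A2`.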
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Fri, 12 Jan 2018 11:36:14 +0100 Subject: [PATCH 12/12] catch seccomp:unconfined|seccomp=unconfined MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- tests/5_container_runtime.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/5_container_runtime.sh b/tests/5_container_runtime.sh index 61658a7..68401d7 100644 --- a/tests/5_container_runtime.sh +++ b/tests/5_container_runtime.sh @@ -562,7 +562,8 @@ else fail=0 for c in $containers; do - if docker inspect --format 'SecurityOpt={{.HostConfig.SecurityOpt }}' "$c" | grep 'seccomp:unconfined' 2>/dev/null 1>&2; then + if docker inspect --format 'SecurityOpt={{.HostConfig.SecurityOpt }}' "$c" | \ + grep -E 'seccomp:unconfined|seccomp=unconfined' 2>/dev/null 1>&2; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then warn "$check_5_21"