GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2025-01-31 06:22:32 +01:00
Code Issues Projects Releases Packages Wiki Activity

Merge branch 'master' into issue265

Browse source
This commit is contained in:
Thomas Sjögren 2018-01-12 11:49:04 +01:00 committed by GitHub
commit 25b40c94a2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 36 additions and 29 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
.dockerignore
View file

@ -1 +1,5 @@
.git .git
*.md
*.png
distros

17
Dockerfile
View file

@ -1,24 +1,25 @@
FROM alpine:3.6 FROM alpine:3.7
LABEL org.label-schema.name="docker-bench-security" \ LABEL \
org.label-schema.name="docker-bench-security" \
org.label-schema.url="https://dockerbench.com" \ org.label-schema.url="https://dockerbench.com" \
org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git" org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"
# Switch to the HTTPS endpoint for the apk repositories
# https://github.com/gliderlabs/docker-alpine/issues/184
RUN \ RUN \
apk upgrade --no-cache && \ sed -i 's/http\:\/\/dl-cdn.alpinelinux.org/https\:\/\/alpine.global.ssl.fastly.net/g' /etc/apk/repositories && \
apk add --no-cache \ apk add --no-cache \
docker \ docker \
dumb-init && \ dumb-init && \
rm -rf /usr/bin/docker-* /usr/bin/dockerd && \ rm -rf /usr/bin/docker?*
mkdir /usr/local/bin/tests
COPY ./*.sh /usr/local/bin/ COPY ./*.sh /usr/local/bin/
COPY ./tests/*.sh /usr/local/bin/tests/ COPY ./tests/*.sh /usr/local/bin/tests/
WORKDIR /usr/local/bin
HEALTHCHECK CMD exit 0 HEALTHCHECK CMD exit 0
WORKDIR /usr/local/bin
ENTRYPOINT [ "/usr/bin/dumb-init", "docker-bench-security.sh" ] ENTRYPOINT [ "/usr/bin/dumb-init", "docker-bench-security.sh" ]

4
README.md
View file

@ -24,7 +24,7 @@ The easiest way to run your hosts against the Docker Bench for Security is by
running our pre-built container: running our pre-built container:
```sh ```sh
docker run -it --net host --pid host --cap-add audit_control \ docker run -it --net host --pid host --userns host --cap-add audit_control \
-e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \ -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
-v /var/lib:/var/lib \ -v /var/lib:/var/lib \
-v /var/run/docker.sock:/var/run/docker.sock \ -v /var/run/docker.sock:/var/run/docker.sock \
@ -79,5 +79,5 @@ cd docker-bench-security
sudo sh docker-bench-security.sh sudo sh docker-bench-security.sh
``` ```
This script was build to be POSIX 2004 compliant, so it should be portable This script was built to be POSIX 2004 compliant, so it should be portable
across any Unix platform. across any Unix platform.

17
distros/Dockerfile.alpine
View file

@ -1,24 +1,25 @@
FROM alpine:3.6 FROM alpine:3.7
LABEL org.label-schema.name="docker-bench-security" \ LABEL \
org.label-schema.name="docker-bench-security" \
org.label-schema.url="https://dockerbench.com" \ org.label-schema.url="https://dockerbench.com" \
org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git" org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"
# Switch to the HTTPS endpoint for the apk repositories
# https://github.com/gliderlabs/docker-alpine/issues/184
RUN \ RUN \
apk upgrade --no-cache && \ sed -i 's/http\:\/\/dl-cdn.alpinelinux.org/https\:\/\/alpine.global.ssl.fastly.net/g' /etc/apk/repositories && \
apk add --no-cache \ apk add --no-cache \
docker \ docker \
dumb-init && \ dumb-init && \
rm -rf /usr/bin/docker-* /usr/bin/dockerd && \ rm -rf /usr/bin/docker?*
mkdir /usr/local/bin/tests
COPY ./*.sh /usr/local/bin/ COPY ./*.sh /usr/local/bin/
COPY ./tests/*.sh /usr/local/bin/tests/ COPY ./tests/*.sh /usr/local/bin/tests/
WORKDIR /usr/local/bin
HEALTHCHECK CMD exit 0 HEALTHCHECK CMD exit 0
WORKDIR /usr/local/bin
ENTRYPOINT [ "/usr/bin/dumb-init", "docker-bench-security.sh" ] ENTRYPOINT [ "/usr/bin/dumb-init", "docker-bench-security.sh" ]

2
distros/Dockerfile.centos
View file

@ -4,7 +4,7 @@ FROM centos
MAINTAINER smccarty@redhat.com MAINTAINER smccarty@redhat.com
RUN yum install -y docker net-tools audit procps-ng; yum clean all RUN yum install -y docker iproute audit procps-ng; yum clean all
RUN mkdir /docker-bench-security RUN mkdir /docker-bench-security

2
distros/Dockerfile.debian
View file

@ -8,7 +8,7 @@ RUN \
apt-get update && \ apt-get update && \
apt-get -y upgrade && \ apt-get -y upgrade && \
apt-get -y install auditd ca-certificates docker.io \ apt-get -y install auditd ca-certificates docker.io \
gawk net-tools procps --no-install-recommends && \ gawk iproute2 procps --no-install-recommends && \
apt-get -y clean && \ apt-get -y clean && \
apt-get -y autoremove && \ apt-get -y autoremove && \
rm -rf /var/lib/apt/lists/* \ rm -rf /var/lib/apt/lists/* \

2
distros/Dockerfile.openSUSE
View file

@ -4,7 +4,7 @@ FROM opensuse
MAINTAINER security@suse.com MAINTAINER security@suse.com
RUN zypper -n in docker net-tools audit RUN zypper -n in docker iproute2 audit
RUN mkdir /docker-bench-security RUN mkdir /docker-bench-security

2
distros/Dockerfile.rhel
View file

@ -7,7 +7,7 @@ MAINTAINER smccarty@redhat.com
RUN yum install -y yum-utils; yum clean all RUN yum install -y yum-utils; yum clean all
RUN yum-config-manager --disable "*" &>/dev/null RUN yum-config-manager --disable "*" &>/dev/null
RUN yum-config-manager --enable rhel-7-server-rpms --enable rhel-7-server-extras-rpms RUN yum-config-manager --enable rhel-7-server-rpms --enable rhel-7-server-extras-rpms
RUN yum install -y docker net-tools audit procps-ng; yum clean all RUN yum install -y docker iproute audit procps-ng; yum clean all
RUN mkdir /docker-bench-security RUN mkdir /docker-bench-security

2
docker-bench-security.sh
View file

@ -19,7 +19,7 @@ myname=$(basename "${this_path}") ## file name of this script.
export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/ export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/
# Check for required program(s) # Check for required program(s)
req_progs='awk docker grep netstat stat' req_progs='awk docker grep ss stat'
for p in $req_progs; do for p in $req_progs; do
command -v "$p" >/dev/null 2>&1 || { printf "%s command not found.\n" "$p"; exit 1; } command -v "$p" >/dev/null 2>&1 || { printf "%s command not found.\n" "$p"; exit 1; }
done done

3
tests/5_container_runtime.sh
View file

@ -641,7 +641,8 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
if docker inspect --format 'SecurityOpt={{.HostConfig.SecurityOpt }}' "$c" | grep 'seccomp:unconfined' 2>/dev/null 1>&2; then if docker inspect --format 'SecurityOpt={{.HostConfig.SecurityOpt }}' "$c" | \
grep -E 'seccomp:unconfined|seccomp=unconfined' 2>/dev/null 1>&2; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_21" warn "$check_5_21"

2
tests/7_docker_swarm_configuration.sh
View file

@ -40,7 +40,7 @@ fi
check_7_3="7.3 - Ensure swarm services are binded to a specific host interface" check_7_3="7.3 - Ensure swarm services are binded to a specific host interface"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
netstat -lnt | grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 ' >/dev/null 2>&1 ss -lnt | grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 ' >/dev/null 2>&1
if [ $? -eq 1 ]; then if [ $? -eq 1 ]; then
pass "$check_7_3" pass "$check_7_3"
logjson "7.3" "PASS" logjson "7.3" "PASS"