Merge branch 'master' into issue265

.dockerignore

@@ -1 +1,5 @@
 .git
+*.md
+*.png
+distros
+

Dockerfile

@@ -1,24 +1,25 @@
-FROM alpine:3.6
+FROM alpine:3.7
 
-LABEL org.label-schema.name="docker-bench-security" \
+LABEL \
+  org.label-schema.name="docker-bench-security" \
   org.label-schema.url="https://dockerbench.com" \
   org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"
 
+# Switch to the HTTPS endpoint for the apk repositories
+# https://github.com/gliderlabs/docker-alpine/issues/184
 RUN \
-  apk upgrade --no-cache && \
+  sed -i 's/http\:\/\/dl-cdn.alpinelinux.org/https\:\/\/alpine.global.ssl.fastly.net/g' /etc/apk/repositories && \
   apk add --no-cache \
     docker \
     dumb-init && \
-  rm -rf /usr/bin/docker-* /usr/bin/dockerd && \
-  mkdir /usr/local/bin/tests
+  rm -rf /usr/bin/docker?*
 
 COPY ./*.sh /usr/local/bin/
-
 COPY ./tests/*.sh /usr/local/bin/tests/
 
-WORKDIR /usr/local/bin
-
 HEALTHCHECK CMD exit 0
 
+WORKDIR /usr/local/bin
+
 ENTRYPOINT [ "/usr/bin/dumb-init", "docker-bench-security.sh" ]
 

README.md

@@ -24,7 +24,7 @@ The easiest way to run your hosts against the Docker Bench for Security is by
 running our pre-built container:
 
 ```sh
-docker run -it --net host --pid host --cap-add audit_control \
+docker run -it --net host --pid host --userns host --cap-add audit_control \
     -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
     -v /var/lib:/var/lib \
     -v /var/run/docker.sock:/var/run/docker.sock \
@@ -79,5 +79,5 @@ cd docker-bench-security
 sudo sh docker-bench-security.sh
 ```
 
-This script was build to be POSIX 2004 compliant, so it should be portable
+This script was built to be POSIX 2004 compliant, so it should be portable
 across any Unix platform.

distros/Dockerfile.alpine

@@ -1,24 +1,25 @@
-FROM alpine:3.6
+FROM alpine:3.7
 
-LABEL org.label-schema.name="docker-bench-security" \
+LABEL \
+  org.label-schema.name="docker-bench-security" \
   org.label-schema.url="https://dockerbench.com" \
   org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"
 
+# Switch to the HTTPS endpoint for the apk repositories
+# https://github.com/gliderlabs/docker-alpine/issues/184
 RUN \
-  apk upgrade --no-cache && \
+  sed -i 's/http\:\/\/dl-cdn.alpinelinux.org/https\:\/\/alpine.global.ssl.fastly.net/g' /etc/apk/repositories && \
   apk add --no-cache \
     docker \
     dumb-init && \
-  rm -rf /usr/bin/docker-* /usr/bin/dockerd && \
-  mkdir /usr/local/bin/tests
+  rm -rf /usr/bin/docker?*
 
 COPY ./*.sh /usr/local/bin/
-
 COPY ./tests/*.sh /usr/local/bin/tests/
 
-WORKDIR /usr/local/bin
-
 HEALTHCHECK CMD exit 0
 
+WORKDIR /usr/local/bin
+
 ENTRYPOINT [ "/usr/bin/dumb-init", "docker-bench-security.sh" ]
 

distros/Dockerfile.centos

@@ -4,7 +4,7 @@ FROM centos
 
 MAINTAINER smccarty@redhat.com
 
-RUN yum install -y docker net-tools audit procps-ng; yum clean all
+RUN yum install -y docker iproute audit procps-ng; yum clean all
 
 RUN mkdir /docker-bench-security
 

distros/Dockerfile.debian

@@ -8,7 +8,7 @@ RUN \
     apt-get update && \
     apt-get -y upgrade && \
     apt-get -y install auditd ca-certificates docker.io \
-      gawk net-tools procps --no-install-recommends && \
+      gawk iproute2 procps --no-install-recommends && \
     apt-get -y clean && \
     apt-get -y autoremove && \
     rm -rf /var/lib/apt/lists/* \

distros/Dockerfile.openSUSE

@@ -4,7 +4,7 @@ FROM opensuse
 
 MAINTAINER security@suse.com
 
-RUN zypper -n in docker net-tools audit
+RUN zypper -n in docker iproute2 audit
 
 RUN mkdir /docker-bench-security
 

distros/Dockerfile.rhel

@@ -7,7 +7,7 @@ MAINTAINER smccarty@redhat.com
 RUN yum install -y yum-utils; yum clean all
 RUN yum-config-manager --disable "*" &>/dev/null
 RUN yum-config-manager --enable rhel-7-server-rpms --enable rhel-7-server-extras-rpms
-RUN yum install -y docker net-tools audit procps-ng; yum clean all
+RUN yum install -y docker iproute audit procps-ng; yum clean all
 
 RUN mkdir /docker-bench-security
 

docker-bench-security.sh

@@ -19,7 +19,7 @@ myname=$(basename "${this_path}")     ## file name of this script.
 export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/
 
 # Check for required program(s)
-req_progs='awk docker grep netstat stat'
+req_progs='awk docker grep ss stat'
 for p in $req_progs; do
   command -v "$p" >/dev/null 2>&1 || { printf "%s command not found.\n" "$p"; exit 1; }
 done

tests/5_container_runtime.sh

@@ -641,7 +641,8 @@ else
 
   fail=0
   for c in $containers; do
-    if docker inspect --format 'SecurityOpt={{.HostConfig.SecurityOpt }}' "$c" | grep 'seccomp:unconfined' 2>/dev/null 1>&2; then
+    if docker inspect --format 'SecurityOpt={{.HostConfig.SecurityOpt }}' "$c" | \
+      grep -E 'seccomp:unconfined|seccomp=unconfined' 2>/dev/null 1>&2; then
       # If it's the first container, fail the test
       if [ $fail -eq 0 ]; then
         warn "$check_5_21"

tests/7_docker_swarm_configuration.sh

@@ -40,7 +40,7 @@ fi
 check_7_3="7.3  - Ensure swarm services are binded to a specific host interface"
 totalChecks=$((totalChecks + 1))
 if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
-  netstat -lnt | grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 ' >/dev/null 2>&1
+  ss -lnt | grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 ' >/dev/null 2>&1
   if [ $? -eq 1 ]; then
     pass "$check_7_3"
     logjson "7.3" "PASS"