From ee3e8dedb3b8f9d877d472f8fb88263dc3e23487 Mon Sep 17 00:00:00 2001 From: "Mr. Secure" Date: Sat, 24 Sep 2016 19:42:39 -0500 Subject: [PATCH 1/9] Fixes #167 - use get_docker_cumulative_command_line_args to check TLS settings Additionally, split warning into 2 parts: no TLS, TLS w/o verification Signed-off-by: Mr. Secure --- tests/2_docker_daemon_configuration.sh | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/tests/2_docker_daemon_configuration.sh b/tests/2_docker_daemon_configuration.sh index 3822b62..22795cf 100644 --- a/tests/2_docker_daemon_configuration.sh +++ b/tests/2_docker_daemon_configuration.sh @@ -52,19 +52,26 @@ fi check_2_6="2.6 - Configure TLS authentication for Docker daemon" get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://' >/dev/null 2>&1 if [ $? -eq 0 ]; then - get_command_line_args docker | grep "tlsverify" | grep "tlskey" >/dev/null 2>&1 + get_docker_cumulative_command_line_args '--tlskey' | grep 'tlskey=' >/dev/null 2>&1 if [ $? -eq 0 ]; then - pass "$check_2_6" - info " * Docker daemon currently listening on TCP" + get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify' >/dev/null 2>&1 + if [ $? -eq 0 ]; then + pass "$check_2_6" + #pass " * Docker daemon currently listening on TCP with TLS and verification" + else + warn "$check_2_6" + warn " * Docker daemon currently listening on TCP with TLS, but no verification" + fi else warn "$check_2_6" - warn " * Docker daemon currently listening on TCP without --tlsverify" + warn " * Docker daemon currently listening on TCP without TLS" fi else info "$check_2_6" info " * Docker daemon not listening on TCP" fi + # 2.7 check_2_7="2.7 - Set default ulimit as appropriate" get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1 From 0a10dde3c0fbdb5326edc29a612bc1b6df25b3cb Mon Sep 17 00:00:00 2001 
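Review bot: The inner `get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify'` test succeeds on the bare substring, so if the helper echoes the option as it was given, an explicit `--tlsverify=false` would still reach `pass "$check_2_6"`; filtering the negated spelling, e.g. `grep 'tlsverify' | grep -vq 'tlsverify=false'`, keeps the "TLS, but no verification" warn branch reachable for that case. The outer `grep 'tlskey='` only matches the `--tlskey=path` form, which is stricter than the old `grep "tlskey"`; whether the helper normalises a space-separated `--tlskey path` into that shape is not visible here. The commented-out `#pass " * Docker daemon currently listening on TCP with TLS and verification"` is dead code — either drop it or emit it as `info` so the pass case is as self-describing as the two warn cases.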
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Wed, 11 Jan 2017 09:26:28 +0100 Subject: [PATCH 2/9] use alpine 3.5 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- Dockerfile | 2 +- distros/Dockerfile.alpine | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index b16159a..bb03276 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.2 +FROM alpine:3.5 LABEL org.label-schema.name="docker-bench-security" \ org.label-schema.url="https://dockerbench.com" \ diff --git a/distros/Dockerfile.alpine b/distros/Dockerfile.alpine index b16159a..bb03276 100644 --- a/distros/Dockerfile.alpine +++ b/distros/Dockerfile.alpine @@ -1,4 +1,4 @@ -FROM alpine:3.2 +FROM alpine:3.5 LABEL org.label-schema.name="docker-bench-security" \ org.label-schema.url="https://dockerbench.com" \ From 67c7562937f22dc2f77ee114eecda83e2b5406cb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Wed, 11 Jan 2017 11:44:37 +0100 Subject: [PATCH 3/9] 1.12.6 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- tests/1_host_configuration.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/1_host_configuration.sh b/tests/1_host_configuration.sh index bf13f7f..d55d295 100644 --- a/tests/1_host_configuration.sh +++ b/tests/1_host_configuration.sh @@ -41,8 +41,8 @@ fi check_1_5="1.5 - Keep Docker up to date" docker_version=$(docker version | grep -i -A1 '^server' | grep -i 'version:' \ | awk '{print $NF; exit}' | tr -d '[:alpha:]-,') -docker_current_version="1.12.5" -docker_current_date="2016-12-15" +docker_current_version="1.12.6" +docker_current_date="2017-01-10" do_version_check "$docker_current_version" "$docker_version" if [ $? -eq 11 ]; then warn "$check_1_5" From 31cf7c928564ced53c6e4fa426d73e1ee6110ffd Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Wed, 11 Jan 2017 15:32:05 +0100 Subject: [PATCH 4/9] CVE-2016-9962 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- Dockerfile | 22 +++++++++++++--------- distros/Dockerfile.alpine | 22 +++++++++++++--------- 2 files changed, 26 insertions(+), 18 deletions(-) diff --git a/Dockerfile b/Dockerfile index bb03276..404e2cb 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,20 +4,24 @@ LABEL org.label-schema.name="docker-bench-security" \ org.label-schema.url="https://dockerbench.com" \ org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git" -ENV VERSION 1.10.0 +ENV VERSION 1.12.6 +ENV SHA256 cadc6025c841e034506703a06cf54204e51d0cadfae4bae62628ac648d82efdd WORKDIR /usr/bin RUN apk update && \ apk upgrade && \ - apk --update add curl && \ - curl -sS https://get.docker.com/builds/Linux/x86_64/docker-$VERSION > docker-$VERSION && \ - curl -sS https://get.docker.com/builds/Linux/x86_64/docker-$VERSION.sha256 > docker-$VERSION.sha256 && \ - sha256sum -c docker-$VERSION.sha256 && \ - ln -s docker-$VERSION docker && \ - chmod u+x docker-$VERSION && \ - apk del curl && \ - rm -rf /var/cache/apk/* + apk --update add coreutils wget ca-certificates && \ + wget https://get.docker.com/builds/Linux/x86_64/docker-$VERSION.tgz && \ + wget https://get.docker.com/builds/Linux/x86_64/docker-$VERSION.tgz.sha256 && \ + sha256sum -c docker-$VERSION.tgz.sha256 && \ + echo "$SHA256 docker-$VERSION.tgz" | sha256sum -c - && \ + tar -xzvf docker-$VERSION.tgz -C /tmp && \ + mv /tmp/docker/docker . && \ + chmod u+x docker* && \ + rm -rf /tmp/docker* && \ + apk del wget ca-certificates && \ + rm -rf /var/cache/apk/* docker-$VERSION.tgz docker-$VERSION.tgz.sha256 RUN mkdir /docker-bench-security diff --git a/distros/Dockerfile.alpine b/distros/Dockerfile.alpine index bb03276..404e2cb 100644 --- a/distros/Dockerfile.alpine +++ b/distros/Dockerfile.alpine 
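Review bot: `chmod u+x docker*` runs with `WORKDIR /usr/bin`, so the glob also covers the just-downloaded `docker-$VERSION.tgz` and `.sha256` files and any pre-existing `/usr/bin/docker*` entries; only the extracted binary needs the bit, so `chmod u+x docker` is the precise form. `ENV SHA256` and `ENV VERSION` are build-time inputs but are baked into the runtime environment of every container started from this image; declaring them with `ARG` keeps them out of the image config while still being usable in the `RUN`. The sidecar `.sha256` download plus `sha256sum -c` adds nothing beyond the pinned `$SHA256` comparison, since it comes from the same origin as the tarball — harmless, but it could be dropped to shorten the layer. The identical hunk is repeated for distros/Dockerfile.alpine and the same remarks apply there.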
@@ -4,20 +4,24 @@ LABEL org.label-schema.name="docker-bench-security" \ org.label-schema.url="https://dockerbench.com" \ org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git" -ENV VERSION 1.10.0 +ENV VERSION 1.12.6 +ENV SHA256 cadc6025c841e034506703a06cf54204e51d0cadfae4bae62628ac648d82efdd WORKDIR /usr/bin RUN apk update && \ apk upgrade && \ - apk --update add curl && \ - curl -sS https://get.docker.com/builds/Linux/x86_64/docker-$VERSION > docker-$VERSION && \ - curl -sS https://get.docker.com/builds/Linux/x86_64/docker-$VERSION.sha256 > docker-$VERSION.sha256 && \ - sha256sum -c docker-$VERSION.sha256 && \ - ln -s docker-$VERSION docker && \ - chmod u+x docker-$VERSION && \ - apk del curl && \ - rm -rf /var/cache/apk/* + apk --update add coreutils wget ca-certificates && \ + wget https://get.docker.com/builds/Linux/x86_64/docker-$VERSION.tgz && \ + wget https://get.docker.com/builds/Linux/x86_64/docker-$VERSION.tgz.sha256 && \ + sha256sum -c docker-$VERSION.tgz.sha256 && \ + echo "$SHA256 docker-$VERSION.tgz" | sha256sum -c - && \ + tar -xzvf docker-$VERSION.tgz -C /tmp && \ + mv /tmp/docker/docker . && \ + chmod u+x docker* && \ + rm -rf /tmp/docker* && \ + apk del wget ca-certificates && \ + rm -rf /var/cache/apk/* docker-$VERSION.tgz docker-$VERSION.tgz.sha256 RUN mkdir /docker-bench-security From 91e684da65d640cf9cea9ccfd6cc806e7ab0c05a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Fri, 20 Jan 2017 11:53:18 +0100 Subject: [PATCH 5/9] 1.13.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- tests/1_host_configuration.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/1_host_configuration.sh b/tests/1_host_configuration.sh index d55d295..0a284ff 100644 --- a/tests/1_host_configuration.sh +++ b/tests/1_host_configuration.sh 
@@ -41,8 +41,8 @@ fi check_1_5="1.5 - Keep Docker up to date" docker_version=$(docker version | grep -i -A1 '^server' | grep -i 'version:' \ | awk '{print $NF; exit}' | tr -d '[:alpha:]-,') -docker_current_version="1.12.6" -docker_current_date="2017-01-10" +docker_current_version="1.13.0" +docker_current_date="2017-01-18" do_version_check "$docker_current_version" "$docker_version" if [ $? -eq 11 ]; then warn "$check_1_5" From d617e9ba57dfd589973b4f3e9094dd5e4b1a8281 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Fri, 20 Jan 2017 12:16:50 +0100 Subject: [PATCH 6/9] Fixes #164 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 77e82d9..a6d84ff 100644 --- a/README.md +++ b/README.md @@ -15,6 +15,7 @@ The easiest way to run your hosts against the Docker Bench for Security is by ru ```sh docker run -it --net host --pid host --cap-add audit_control \ + -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \ -v /var/lib:/var/lib \ -v /var/run/docker.sock:/var/run/docker.sock \ -v /usr/lib/systemd:/usr/lib/systemd \ @@ -37,6 +38,7 @@ git clone https://github.com/docker/docker-bench-security.git cd docker-bench-security docker build -t docker-bench-security . docker run -it --net host --pid host --cap-add audit_control \ + -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \ -v /var/lib:/var/lib \ -v /var/run/docker.sock:/var/run/docker.sock \ -v /usr/lib/systemd:/usr/lib/systemd \ From 2204534b203578e8728d51831804f8ad0674c2a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Fri, 20 Jan 2017 12:25:56 +0100 Subject: [PATCH 7/9] markdown lint MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- README.md | 36 +++++++++++++++++++++++++++--------- 1 file changed, 27 insertions(+), 9 deletions(-) 
diff --git a/README.md b/README.md
index a6d84ff..4063c19 100644
--- a/README.md
+++ b/README.md
@@ -2,16 +2,26 @@ ![Docker Bench for Security running](https://raw.githubusercontent.com/docker/docker-bench-security/master/benchmark_log.png "Docker Bench for Security running") -The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are inspired by the [CIS Docker 1.11 Benchmark](https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.11.0_Benchmark_v1.0.0.pdf). We are releasing this as a follow-up to our [Understanding Docker Security and Best Practices](https://blog.docker.com/2015/05/understanding-docker-security-and-best-practices/) blog post. +The Docker Bench for Security is a script that checks for dozens of common +best-practices around deploying Docker containers in production. The tests are +all automated, and are inspired by the [CIS Docker 1.11 Benchmark](https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.11.0_Benchmark_v1.0.0.pdf). +We are releasing this as a follow-up to our [Understanding Docker Security and Best Practices](https://blog.docker.com/2015/05/understanding-docker-security-and-best-practices/) +blog post. -We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and docker containers against this benchmark. +We are making this available as an open-source utility so the Docker community +can have an easy way to self-assess their hosts and docker containers against +this benchmark. ## Running Docker Bench for Security -We packaged docker bench as a small container for your convenience. Note that this container is being run with a *lot* of privilege -- sharing the host's filesystem, pid and network namespaces, due to portions of the benchmark applying to the running host. Don't forget to adjust the shared volumes according to your operating system, it may not for example use systemd. 
- -The easiest way to run your hosts against the Docker Bench for Security is by running our pre-built container: +We packaged docker bench as a small container for your convenience. Note that +this container is being run with a *lot* of privilege -- sharing the host's +filesystem, pid and network namespaces, due to portions of the benchmark +applying to the running host. Don't forget to adjust the shared volumes +according to your operating system, it may not for example use systemd. +The easiest way to run your hosts against the Docker Bench for Security is by +running our pre-built container: ```sh docker run -it --net host --pid host --cap-add audit_control \ 
@@ -25,13 +35,19 @@ docker run -it --net host --pid host --cap-add audit_control \ Docker bench requires Docker 1.10.0 or later in order to run. -Also note that the default image and `Dockerfile` uses `FROM: alpine` which doesn't contain `auditctl`, this will generate errors in section 1.8 to 1.18. Distribution specific Dockerfiles that fixes this issue are available in the [distros directory](https://github.com/docker/docker-bench-security/tree/master/distros). +Also note that the default image and `Dockerfile` uses `FROM: alpine` which +doesn't contain `auditctl`, this will generate errors in section 1.8 to 1.18. +Distribution specific Dockerfiles that fixes this issue are available in the +[distros directory](https://github.com/docker/docker-bench-security/tree/master/distros). -The [distribution specific Dockerfiles](https://github.com/docker/docker-bench-security/tree/master/distros) may also help if the distribution you're using haven't yet shipped Docker version 1.10.0 or later. +The [distribution specific Dockerfiles](https://github.com/docker/docker-bench-security/tree/master/distros) +may also help if the distribution you're using haven't yet shipped Docker +version 1.10.0 or later. ## Building Docker Bench for Security -If you wish to build and run this container yourself, you can follow the following steps: +If you wish to build and run this container yourself, you can follow the +following steps: ```sh git clone https://github.com/docker/docker-bench-security.git @@ -47,6 +63,7 @@ docker run -it --net host --pid host --cap-add audit_control \ ``` or use [Docker Compose](https://docs.docker.com/compose/): + ```sh git clone https://github.com/docker/docker-bench-security.git cd docker-bench-security 
@@ -61,4 +78,5 @@ cd docker-bench-security sh docker-bench-security.sh ``` -This script was build to be POSIX 2004 compliant, so it should be portable across any Unix platform. +This script was build to be POSIX 2004 compliant, so it should be portable +across any Unix platform. From 88c10c164e6e4a4dd858708161402439d7781a52 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Sat, 21 Jan 2017 21:34:59 +0100 Subject: [PATCH 8/9] correct redirect MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- helper_lib.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helper_lib.sh b/helper_lib.sh index e1bf7c8..8b4a635 100644 --- a/helper_lib.sh +++ b/helper_lib.sh @@ -55,7 +55,7 @@ get_command_line_args() { get_docker_cumulative_command_line_args() { OPTION="$1" - if ! get_command_line_args "docker daemon" > 1 ; then + if ! get_command_line_args "docker daemon" >/dev/null 2>&1 ; then line_arg="docker daemon" else line_arg="dockerd" From a91d2fca56dda042cb1a6af70893fa8b960ce45d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Mon, 23 Jan 2017 12:05:01 +0100 Subject: [PATCH 9/9] 1.12 benchmark MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- README.md | 2 +- docker-bench-security.sh | 11 ++++------- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 4063c19..4bf45b1 100644 --- a/README.md +++ b/README.md 
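Review bot: The `docker daemon` / `dockerd` switch in get_docker_cumulative_command_line_args has no comment saying why two process names are probed, and the `if !` form treats any non-zero status from `get_command_line_args` — not only "no such process" — as a reason to fall back to `dockerd`; whether the helper can fail for other reasons is not visible in this hunk. A one-line comment above the test, `# older daemons run as "docker daemon", newer releases as "dockerd"; probe the old name first`, would make the intent clear to the next reader. `OPTION` and `line_arg` are assigned as shell-global names inside a sourced library, so a caller using the same names is clobbered; the function body continues past the end of the hunk.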
@@ -4,7 +4,7 @@ The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are -all automated, and are inspired by the [CIS Docker 1.11 Benchmark](https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.11.0_Benchmark_v1.0.0.pdf). +all automated, and are inspired by the [CIS Docker 1.12 Benchmark](https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.12.0_Benchmark_v1.0.0.pdf). We are releasing this as a follow-up to our [Understanding Docker Security and Best Practices](https://blog.docker.com/2015/05/understanding-docker-security-and-best-practices/) blog post. diff --git a/docker-bench-security.sh b/docker-bench-security.sh index f7c0a1d..b284929 100755 --- a/docker-bench-security.sh +++ b/docker-bench-security.sh @@ -1,13 +1,11 @@ #!/bin/sh # ------------------------------------------------------------------------------ -# Docker Bench for Security v1.1.0 +# Docker Bench for Security v1.2.0 # # Docker, Inc. (c) 2015- # # Checks for dozens of common best-practices around deploying Docker containers in production. -# Inspired by the CIS Docker 1.11 Benchmark: -# https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=docker16.110 -# +# Inspired by the CIS Docker 1.12 Benchmark. # ------------------------------------------------------------------------------ # Load dependencies 
@@ -59,13 +57,12 @@ if [ -z "$logger" ]; then fi yell "# ------------------------------------------------------------------------------ -# Docker Bench for Security v1.1.0 +# Docker Bench for Security v1.2.0 # # Docker, Inc. (c) 2015- # # Checks for dozens of common best-practices around deploying Docker containers in production. -# Inspired by the CIS Docker 1.11 Benchmark: -# https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=docker16.110 +# Inspired by the CIS Docker 1.12 Benchmark. # ------------------------------------------------------------------------------" # Warn if not root