Merge pull request #423 from illyaMs/master

[Ubuntu] Fix issue with docker.service and docker.socket files not found
Thomas Sjögren 2020-04-15 09:05:50 +00:00 committed by GitHub
commit 2cdfa3df25
4 changed files with 27 additions and 10 deletions


@ -33,9 +33,8 @@ docker run -it --net host --pid host --userns host --cap-add audit_control \
docker/docker-bench-security
```
Don't forget to adjust the shared volumes according to your operating system,
for example `Docker Desktop` on macOS don't have `/usr/lib/systemd` or the above
Docker binaries.
Don't forget to adjust the shared volumes according to your operating system. Some examples are:
1. `Docker Desktop` on macOS don't have `/usr/lib/systemd` or the above Docker binaries.
```sh
docker run -it --net host --pid host --userns host --cap-add audit_control \
@ -48,6 +47,22 @@ docker run -it --net host --pid host --userns host --cap-add audit_control \
docker/docker-bench-security
```
2. On Ubuntu the `docker.service` and `docker.secret` files are located in `/lib/systemd/system` folder by default.
```sh
docker run -it --net host --pid host --userns host --cap-add audit_control \
-e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
-v /etc:/etc:ro \
-v /lib/systemd/system:/lib/systemd/system:ro \
-v /usr/bin/docker-containerd:/usr/bin/docker-containerd:ro \
-v /usr/bin/docker-runc:/usr/bin/docker-runc:ro \
-v /usr/lib/systemd:/usr/lib/systemd:ro \
-v /var/lib:/var/lib:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
--label docker_bench_security \
docker/docker-bench-security
```
Docker bench requires Docker 1.13.0 or later in order to run.
Note that when distributions doesn't contain `auditctl`, the audit tests will


@ -103,11 +103,13 @@ get_docker_configuration_file_args() {
grep "$OPTION" "$CONFIG_FILE" | sed 's/.*://g' | tr -d '" ',
}
get_systemd_service_file() {
get_service_file() {
SERVICE="$1"
if [ -f "/etc/systemd/system/$SERVICE" ]; then
echo "/etc/systemd/system/$SERVICE"
elif [ -f "/lib/systemd/system/$SERVICE" ]; then
echo "/lib/systemd/system/$SERVICE"
elif systemctl show -p FragmentPath "$SERVICE" 2> /dev/null 1>&2; then
systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//'
else
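Review bot: The new `/lib/systemd/system` branch is placed ahead of the `systemctl show -p FragmentPath` branch, so on a host where systemd is running the function now returns a static path instead of the unit systemd actually loaded; a runtime unit under `/run/systemd/system` (which takes precedence over `/lib` but not `/etc`) would be missed, and checks 1.2.6/1.2.7 and 3.1–3.4 would then audit the ownership, mode and audit rules of a file the daemon is not using. I would ask systemd first and keep the static paths only as the fallback for hosts without `systemctl`. If I read systemctl correctly, `systemctl show -p FragmentPath` prints an empty `FragmentPath=` and exits 0 for a unit it cannot find, so the answer has to be tested for non-emptiness rather than relying on the command's exit status as the existing elif does. The function's final `else` branch and `fi` lie outside this hunk.
```sh
get_service_file() {
  SERVICE="$1"
  # Prefer the unit systemd actually loaded; FragmentPath is empty for unknown units.
  if command -v systemctl >/dev/null 2>&1; then
    FRAGMENT="$(systemctl show -p FragmentPath "$SERVICE" 2>/dev/null | sed 's/.*=//')"
    if [ -n "$FRAGMENT" ] && [ -f "$FRAGMENT" ]; then
      echo "$FRAGMENT"
      return
    fi
  fi
  if [ -f "/etc/systemd/system/$SERVICE" ]; then
    echo "/etc/systemd/system/$SERVICE"
  elif [ -f "/lib/systemd/system/$SERVICE" ]; then
    echo "/lib/systemd/system/$SERVICE"
  else
  # … unchanged: existing fallback branch and fi …
```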


@ -214,7 +214,7 @@ check_1_2_6() {
starttestjson "$id_1_2_6" "$desc_1_2_6"
totalChecks=$((totalChecks + 1))
file="$(get_systemd_service_file docker.service)"
file="$(get_service_file docker.service)"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then
@ -251,7 +251,7 @@ check_1_2_7() {
starttestjson "$id_1_2_7" "$desc_1_2_7"
totalChecks=$((totalChecks + 1))
file="$(get_systemd_service_file docker.socket)"
file="$(get_service_file docker.socket)"
if [ -e "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then


@ -17,7 +17,7 @@ check_3_1() {
starttestjson "$id_3_1" "$desc_3_1"
totalChecks=$((totalChecks + 1))
file="$(get_systemd_service_file docker.service)"
file="$(get_service_file docker.service)"
if [ -f "$file" ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_1"
@ -45,7 +45,7 @@ check_3_2() {
starttestjson "$id_3_2" "$desc_3_2"
totalChecks=$((totalChecks + 1))
file="$(get_systemd_service_file docker.service)"
file="$(get_service_file docker.service)"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 ] || [ "$(stat -c %a $file)" -eq 600 ]; then
pass "$check_3_2"
@ -73,7 +73,7 @@ check_3_3() {
starttestjson "$id_3_3" "$desc_3_3"
totalChecks=$((totalChecks + 1))
file="$(get_systemd_service_file docker.socket)"
file="$(get_service_file docker.socket)"
if [ -f "$file" ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_3"
@ -101,7 +101,7 @@ check_3_4() {
starttestjson "$id_3_4" "$desc_3_4"
totalChecks=$((totalChecks + 1))
file="$(get_systemd_service_file docker.socket)"
file="$(get_service_file docker.socket)"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 ] || [ "$(stat -c %a $file)" -eq 600 ]; then
pass "$check_3_4"