GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2025-01-18 08:12:34 +01:00
Code Issues Projects Releases Packages Wiki Activity

initial commit of tests/1_host_configuration.sh v1.3.1

Browse source 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
This commit is contained in:
Thomas Sjögren 2021-05-25 20:49:45 +02:00
parent ca4ef8fa57
commit 4a4ae81a03
1 changed files with 319 additions and 121 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

440
tests/1_host_configuration.sh
View file

@ -1,4 +1,4 @@
#!/bin/sh
#!/bin/bash
check_1() {
logit ""
@ -11,57 +11,14 @@ check_1() {
check_1_1() {
local id="1.1"
local desc="General Configuration"
local desc="Linux Hosts Specific Configuration"
local check="$id - $desc"
info "$check"
}
check_1_1_1() {
local id="1.1.1"
local desc="Ensure the container host has been Hardened (Not Scored)"
local remediation="You may consider various Security Benchmarks for your container host."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
note -c "$check"
logcheckresult "INFO"
}
check_1_1_2() {
local id="1.1.2"
local desc="Ensure that the version of Docker is up to date (Not Scored)"
local remediation="You should monitor versions of Docker releases and make sure your software is updated as required."
local remediationImpact="You should perform a risk assessment regarding Docker version updates and review how they may impact your operations."
local check="$id - $desc"
starttestjson "$id" "$desc"
docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \
| awk '{print $NF; exit}' | tr -d '[:alpha:]-,')
docker_current_version="$(date +%y.%m.0 -d @$(( $(date +%s) - 2592000)))"
do_version_check "$docker_current_version" "$docker_version"
if [ $? -eq 11 ]; then
pass -c "$check"
info " * Using $docker_version, verify is it up to date as deemed necessary"
logcheckresult "INFO" "Using $docker_version"
return
fi
pass -c "$check"
info " * Using $docker_version which is current"
info " * Check with your operating system vendor for support and security maintenance for Docker"
logcheckresult "PASS" "Using $docker_version"
}
check_1_2() {
local id="1.2"
local desc="Linux Hosts Specific Configuration"
local check="$id - $desc"
info "$check"
}
check_1_2_1() {
local id="1.2.1"
local desc="Ensure a separate partition for containers has been created (Scored)"
local desc="Ensure a separate partition for containers has been created (Automated)"
local remediation="For new installations, you should create a separate partition for the /var/lib/docker mount point. For systems that have already been installed, you should use the Logical Volume Manager (LVM) within Linux to create a new partition."
local remediationImpact="None."
local check="$id - $desc"
@ -81,9 +38,9 @@ check_1_2_1() {
logcheckresult "WARN"
}
check_1_2_2() {
local id="1.2.2"
local desc="Ensure only trusted users are allowed to control Docker daemon (Scored)"
check_1_1_2() {
local id="1.1.2"
local desc="Ensure only trusted users are allowed to control Docker daemon (Automated)"
local remediation="You should remove any untrusted users from the docker group using command sudo gpasswd -d <your-user> docker or add trusted users to the docker group using command sudo usermod -aG docker <your-user>. You should not create a mapping of sensitive directories from the host to container volumes."
local remediationImpact="Only trust user are allow to build and execute containers as normal user."
local check="$id - $desc"
@ -123,12 +80,12 @@ check_1_2_2() {
fi
}
check_1_2_3() {
local id="1.2.3"
local desc="Ensure auditing is configured for the Docker daemon (Scored)"
check_1_1_3() {
local id="1.1.3"
local desc="Ensure auditing is configured for the Docker daemon (Automated)"
local remediation="Install auditd. Add -w /usr/bin/dockerd -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/usr/bin/dockerd"
@ -151,12 +108,40 @@ check_1_2_3() {
logcheckresult "WARN"
}
check_1_2_4() {
local id="1.2.4"
local desc="Ensure auditing is configured for Docker files and directories - /var/lib/docker (Scored)"
check_1_1_4() {
local id="1.1.4"
local desc="Ensure auditing is configured for Docker files and directories -/run/containerd (Automated)"
local remediation="Install auditd. Add -a exit,always -F path=/run/containerd -F perm=war -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/run/containerd"
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_1_1_5() {
local id="1.1.5"
local desc="Ensure auditing is configured for Docker files and directories - /var/lib/docker (Automated)"
local remediation="Install auditd. Add -w /var/lib/docker -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
local check="$id - $desc"
starttestjson "$id" "$desc"
directory="/var/lib/docker"
@ -185,12 +170,12 @@ check_1_2_4() {
logcheckresult "INFO" "Directory not found"
}
check_1_2_5() {
local id="1.2.5"
local desc="Ensure auditing is configured for Docker files and directories - /etc/docker (Scored)"
check_1_1_6() {
local id="1.1.6"
local desc="Ensure auditing is configured for Docker files and directories - /etc/docker (Automated)"
local remediation="Install auditd. Add -w /etc/docker -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
local check="$id - $desc"
starttestjson "$id" "$desc"
directory="/etc/docker"
@ -219,13 +204,13 @@ check_1_2_5() {
logcheckresult "INFO" "Directory not found"
}
check_1_2_6() {
local id="1.2.6"
local desc="Ensure auditing is configured for Docker files and directories - docker.service (Scored)"
check_1_1_7() {
local id="1.1.7"
local desc="Ensure auditing is configured for Docker files and directories - docker.service (Automated)"
local remediation
remediation="Install auditd. Add -w $(get_service_file docker.service) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
local check="$id - $desc"
starttestjson "$id" "$desc"
file="$(get_service_file docker.service)"
@ -254,13 +239,47 @@ check_1_2_6() {
logcheckresult "INFO" "File not found"
}
check_1_2_7() {
local id="1.2.7"
local desc="Ensure auditing is configured for Docker files and directories - docker.socket (Scored)"
check_1_1_8() {
local id="1.1.8"
local desc="Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)"
local remediation
remediation="Install auditd. Add -w $(get_service_file containerd.socket) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="$(get_service_file containerd.socket)"
if [ -e "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_1_9() {
local id="1.1.9"
local desc="Ensure auditing is configured for Docker files and directories - docker.socket (Automated)"
local remediation
remediation="Install auditd. Add -w $(get_service_file docker.socket) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
local check="$id - $desc"
starttestjson "$id" "$desc"
file="$(get_service_file docker.socket)"
@ -289,12 +308,12 @@ check_1_2_7() {
logcheckresult "INFO" "File not found"
}
check_1_2_8() {
local id="1.2.8"
local desc="Ensure auditing is configured for Docker files and directories - /etc/default/docker (Scored)"
check_1_1_10() {
local id="1.1.10"
local desc="Ensure auditing is configured for Docker files and directories - /etc/default/docker (Automated)"
local remediation="Install auditd. Add -w /etc/default/docker -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/etc/default/docker"
@ -323,12 +342,80 @@ check_1_2_8() {
logcheckresult "INFO" "File not found"
}
check_1_2_9() {
local id="1.2.9"
local desc="Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Scored)"
check_1_1_11() {
local id="1.1.11"
local desc="Ensure auditing is configured for Dockerfiles and directories - /etc/docker/daemon.json (Automated)"
local remediation="Install auditd. Add -w /etc/docker/daemon.json -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/etc/docker/daemon.json"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_1_12() {
local id="1.1.12"
local desc="1.1.12 Ensure auditing is configured for Dockerfiles and directories - /etc/containerd/config.toml (Automated)"
local remediation="Install auditd. Add -w /etc/containerd/config.toml -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/etc/containerd/config.toml"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_1_13() {
local id="1.1.13"
local desc="Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Automated)"
local remediation="Install auditd. Add -w /etc/sysconfig/docker -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/etc/sysconfig/docker"
@ -357,46 +444,12 @@ check_1_2_9() {
logcheckresult "INFO" "File not found"
}
check_1_2_10() {
local id="1.2.10"
local desc="Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json (Scored)"
local remediation="Install auditd. Add -w /etc/docker/daemon.json -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/etc/docker/daemon.json"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_2_11() {
local id="1.2.11"
local desc="Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Scored)"
check_1_1_14() {
local id="1.1.14"
local desc="Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Automated)"
local remediation="Install auditd. Add -w /usr/bin/containerd -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/usr/bin/containerd"
@ -425,15 +478,15 @@ check_1_2_11() {
logcheckresult "INFO" "File not found"
}
check_1_2_12() {
local id="1.2.12"
local desc="Ensure auditing is configured for Docker files and directories - /usr/sbin/runc (Scored)"
local remediation="Install auditd. Add -w /usr/sbin/runc -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
check_1_1_15() {
local id="1.1.15"
local desc="Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim (Automated)"
local remediation="Install auditd. Add -w /usr/bin/containerd-shim -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/usr/sbin/runc"
file="/usr/bin/containerd-shim"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
@ -459,6 +512,151 @@ check_1_2_12() {
logcheckresult "INFO" "File not found"
}
check_1_1_16() {
local id="1.1.16"
local desc="Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v1 (Automated)"
local remediation="Install auditd. Add -w /usr/bin/containerd-shim-runc-v1 -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/usr/bin/containerd-shim-runc-v1"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_1_17() {
local id="1.1.17"
local desc="Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v2 (Automated)"
local remediation="Install auditd. Add -w /usr/bin/containerd-shim-runc-v2 -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/usr/bin/containerd-shim-runc-v2"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_1_18() {
local id="1.1.18"
local desc="Ensure auditing is configured for Docker files and directories - /usr/bin/runc (Automated)"
local remediation="Install auditd. Add -w /usr/bin/runc -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/usr/bin/runc"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_2() {
local id="1.2"
local desc="General Configuration"
local check="$id - $desc"
info "$check"
}
check_1_2_1() {
local id="1.2.1"
local desc="Ensure the container host has been Hardened (Manual)"
local remediation="You may consider various Security Benchmarks for your container host."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
note -c "$check"
logcheckresult "INFO"
}
check_1_2_2() {
local id="1.2.2"
local desc="Ensure that the version of Docker is up to date (Manual)"
local remediation="You should monitor versions of Docker releases and make sure your software is updated as required."
local remediationImpact="You should perform a risk assessment regarding Docker version updates and review how they may impact your operations."
local check="$id - $desc"
starttestjson "$id" "$desc"
docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \
| awk '{print $NF; exit}' | tr -d '[:alpha:]-,')
docker_current_version="$(date +%y.%m.0 -d @$(( $(date +%s) - 2592000)))"
do_version_check "$docker_current_version" "$docker_version"
if [ $? -eq 11 ]; then
pass -c "$check"
info " * Using $docker_version, verify is it up to date as deemed necessary"
logcheckresult "INFO" "Using $docker_version"
return
fi
pass -c "$check"
info " * Using $docker_version which is current"
info " * Check with your operating system vendor for support and security maintenance for Docker"
logcheckresult "PASS" "Using $docker_version"
}
check_1_end() {
endsectionjson
}