Support for 'CIS Docker Benchmark 1.12.0'

Signed-off-by: Ravi Kumar Vadapalli <vadapalli.ravikumar@gmail.com>
This commit is contained in:
Ravi Kumar Vadapalli 2016-12-20 20:31:58 +05:30
parent 338f35bf36
commit 6aae32f4e5
4 changed files with 219 additions and 3 deletions

View file

@ -2,7 +2,7 @@
![Docker Bench for Security running](https://raw.githubusercontent.com/docker/docker-bench-security/master/benchmark_log.png "Docker Bench for Security running")
The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are inspired by the [CIS Docker 1.11 Benchmark](https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.11.0_Benchmark_v1.0.0.pdf). We are releasing this as a follow-up to our [Understanding Docker Security and Best Practices](https://blog.docker.com/2015/05/understanding-docker-security-and-best-practices/) blog post.
The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are inspired by the [CIS Docker 1.12 Benchmark](https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.12.0_Benchmark_v1.0.0.pdf). We are releasing this as a follow-up to our [Understanding Docker Security and Best Practices](https://blog.docker.com/2015/05/understanding-docker-security-and-best-practices/) blog post.
We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and docker containers against this benchmark.

View file

@ -134,3 +134,48 @@ if [ $? -eq 0 ]; then
else
warn "$check_2_13"
fi
# 2.14
check_2_14="2.14 - Enable live restore"
get_docker_effective_command_line_args '--live-restore' 2>/dev/null | grep "live-restore" >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_2_14"
else
warn "$check_2_14"
fi
# 2.15
check_2_15="2.15 - Do not enable swarm mode, if not needed"
docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1
if [ $? -eq 1 ]; then
pass "$check_2_15"
else
warn "$check_2_15"
fi
# 2.16
check_2_16="2.16 - Control the number of manager nodes in a swarm"
docker node ls 2>/dev/null | grep "Leader" >/dev/null 2>&1
if [ $? -eq 1 ]; then
pass "$check_2_16"
else
warn "$check_2_16"
fi
# 2.17
check_2_17="2.17 - Bind swarm services to a specific host interface"
netstat -lt 2>/dev/null | grep -i 2377 >/dev/null 2>&1
if [ $? -eq 1 ]; then
pass "$check_2_17"
else
warn "$check_2_17"
fi
# 2.18
check_2_18="2.18 - Disable Userland Proxy"
get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_2_18"
else
warn "$check_2_18"
fi

View file

@ -38,6 +38,8 @@ fi
# Make the loop separator go back to space
set +f; unset IFS
images=$(docker images -q)
# 4.5
check_4_5="4.5 - Enable Content trust for Docker"
if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then
@ -45,3 +47,57 @@ if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then
else
warn "$check_4_5"
fi
# 4.6
check_4_6="4.6 - Add HEALTHCHECK instruction to the container image"
fail=0
for img in $images; do
docker inspect --format='{{.Config.Healthcheck}}' $img 2>/dev/null | grep -e "<nil>" >/dev/null 2>&1
if [ $? -eq 0 ]; then
if [ $fail -eq 0 ]; then
fail=1
warn "$check_4_6"
fi
imgName=`docker inspect --format='{{.RepoTags}}' $img 2>/dev/null`
warn " No Healthcheck found : $imgName"
fi
done
if [ $fail -eq 0 ]; then
pass "$check_4_6"
fi
# 4.7
check_4_7="4.7 - Do not use update instructions alone in the Dockerfile"
fail=0
for img in $images; do
docker history $img 2>/dev/null | grep -e "update" >/dev/null 2>&1
if [ $? -eq 0 ]; then
if [ $fail -eq 0 ]; then
fail=1
info "$check_4_7"
fi
imgName=`docker inspect --format='{{.RepoTags}}' $img 2>/dev/null`
info " update instruction found in history of $imgName"
fi
done
if [ $fail -eq 0 ]; then
pass "$check_4_7"
fi
# 4.9
check_4_9="4.9 - Use COPY instead of ADD in Dockerfile"
fail=0
for img in $images; do
docker history $img 2> /dev/null | grep 'ADD' >/dev/null 2>&1
if [ $? -eq 0 ]; then
if [ $fail -eq 0 ]; then
fail=1
info "$check_4_9"
fi
imgName=`docker inspect --format='{{.RepoTags}}' $img 2>/dev/null`
info " found ADD in docker history of $imgName"
fi
done
if [ $fail -eq 0 ]; then
pass "$check_4_9"
fi

View file

@ -514,7 +514,7 @@ else
fi
fi
done
# We went through all the containers and found none with UTSMode as host
# We went through all the containers and found none with default secomp profile disabled
if [ $fail -eq 0 ]; then
pass "$check_5_21"
fi
@ -561,8 +561,123 @@ else
fi
fi
done
# We went through all the containers and found none with UTSMode as host
# We went through all the containers and found none with capability to acquire additional privileges
if [ $fail -eq 0 ]; then
pass "$check_5_25"
fi
# 5.26
check_5_26="5.26 - Check container health at runtime"
fail=0
for c in $containers; do
docker inspect --format '{{ .Id }}: Health={{ .State.Health.Status }}' "$c" 2>/dev/null 1>&2
if [ $? -ne 0 ]; then
if [ $fail -eq 0 ]; then
warn "$check_5_26"
warn " * Health check not set for $c"
fail=1
else
warn " * Health check not set for $c"
fi
fi
done
if [ $fail -eq 0 ]; then
pass "$check_5_26"
fi
# 5.28
check_5_28="5.28 - Use PIDs cgroup limit"
fail=0
for c in $containers; do
pidslimit=`docker inspect --format '{{.HostConfig.PidsLimit }}' "$c"`
if [ $pidslimit -le 0 ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_28"
warn " * pidslimit not set: $c"
fail=1
else
warn " * pidslimit not set: $c"
fi
fi
done
# We went through all the containers and found all with PIDs limit
if [ $fail -eq 0 ]; then
pass "$check_5_28"
fi
# 5.29
check_5_29="5.29 - Do not use Docker's default bridge docker0"
fail=0
networks=`docker network ls -q 2>/dev/null`
for net in $networks; do
docker network inspect --format '{{ .Options }}' "$net" 2>/dev/null | grep "com.docker.network.bridge.name:docker0" >/dev/null 2>&1
if [ $? -eq 0 ]; then
docker0Containers=`docker network inspect --format='{{ range $k, $v := .Containers }} {{ $k }} {{ end }}' "$net" 2>/dev/null`
if [ -n "$docker0Containers" ]; then
if [ $fail -eq 0 ]; then
warn "$check_5_29"
fail=1
fi
for c in $docker0Containers; do
warn " * container in docker0 network: $c"
done
fi
fi
done
# We went through all the containers and found none in docker0 network
if [ $fail -eq 0 ]; then
pass "$check_5_29"
fi
# 5.30
check_5_30="5.30 - Do not share the host's user namespaces"
fail=0
for c in $containers; do
docker inspect --format '{{ .HostConfig.UsernsMode }}' "$c" 2>/dev/null | grep -i 'host' >/dev/null 2>&1
if [ $? -eq 0 ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_30"
warn " * Namespace shared: $c"
fail=1
else
warn " * Namespace shared: $c"
fi
fi
done
# We went through all the containers and found none with host's user namespace shared
if [ $fail -eq 0 ]; then
pass "$check_5_30"
fi
# 5.31
check_5_31="5.31 - Do not mount the Docker socket inside any containers"
fail=0
for c in $containers; do
docker inspect --format '{{ .Mounts }}' "$c" 2>/dev/null | grep 'docker.sock' >/dev/null 2>&1
if [ $? -eq 0 ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_31"
warn " * Docker sock shared: $c"
fail=1
else
warn " * Docekr sock shared: $c"
fi
fi
done
# We went through all the containers and found none with docker.sock shared
if [ $fail -eq 0 ]; then
pass "$check_5_31"
fi
fi