mirror of
https://github.com/docker/docker-bench-security.git
synced 2025-01-18 16:22:33 +01:00
Support for 'CIS Docker Benchmark 1.12.0'
Signed-off-by: Ravi Kumar Vadapalli <vadapalli.ravikumar@gmail.com>
This commit is contained in:
parent
338f35bf36
commit
6aae32f4e5
4 changed files with 219 additions and 3 deletions
|
@ -2,7 +2,7 @@
|
|||
|
||||
![Docker Bench for Security running](https://raw.githubusercontent.com/docker/docker-bench-security/master/benchmark_log.png "Docker Bench for Security running")
|
||||
|
||||
The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are inspired by the [CIS Docker 1.11 Benchmark](https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.11.0_Benchmark_v1.0.0.pdf). We are releasing this as a follow-up to our [Understanding Docker Security and Best Practices](https://blog.docker.com/2015/05/understanding-docker-security-and-best-practices/) blog post.
|
||||
The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are inspired by the [CIS Docker 1.12 Benchmark](https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.12.0_Benchmark_v1.0.0.pdf). We are releasing this as a follow-up to our [Understanding Docker Security and Best Practices](https://blog.docker.com/2015/05/understanding-docker-security-and-best-practices/) blog post.
|
||||
|
||||
We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and docker containers against this benchmark.
|
||||
|
||||
|
|
|
@ -134,3 +134,48 @@ if [ $? -eq 0 ]; then
|
|||
else
|
||||
warn "$check_2_13"
|
||||
fi
|
||||
|
||||
# 2.14
|
||||
check_2_14="2.14 - Enable live restore"
|
||||
get_docker_effective_command_line_args '--live-restore' 2>/dev/null | grep "live-restore" >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
pass "$check_2_14"
|
||||
else
|
||||
warn "$check_2_14"
|
||||
fi
|
||||
|
||||
# 2.15
|
||||
check_2_15="2.15 - Do not enable swarm mode, if not needed"
|
||||
docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1
|
||||
if [ $? -eq 1 ]; then
|
||||
pass "$check_2_15"
|
||||
else
|
||||
warn "$check_2_15"
|
||||
fi
|
||||
|
||||
# 2.16
|
||||
check_2_16="2.16 - Control the number of manager nodes in a swarm"
|
||||
docker node ls 2>/dev/null | grep "Leader" >/dev/null 2>&1
|
||||
if [ $? -eq 1 ]; then
|
||||
pass "$check_2_16"
|
||||
else
|
||||
warn "$check_2_16"
|
||||
fi
|
||||
|
||||
# 2.17
|
||||
check_2_17="2.17 - Bind swarm services to a specific host interface"
|
||||
netstat -lt 2>/dev/null | grep -i 2377 >/dev/null 2>&1
|
||||
if [ $? -eq 1 ]; then
|
||||
pass "$check_2_17"
|
||||
else
|
||||
warn "$check_2_17"
|
||||
fi
|
||||
|
||||
# 2.18
|
||||
check_2_18="2.18 - Disable Userland Proxy"
|
||||
get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
pass "$check_2_18"
|
||||
else
|
||||
warn "$check_2_18"
|
||||
fi
|
||||
|
|
|
@ -38,6 +38,8 @@ fi
|
|||
# Make the loop separator go back to space
|
||||
set +f; unset IFS
|
||||
|
||||
images=$(docker images -q)
|
||||
|
||||
# 4.5
|
||||
check_4_5="4.5 - Enable Content trust for Docker"
|
||||
if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then
|
||||
|
@ -45,3 +47,57 @@ if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then
|
|||
else
|
||||
warn "$check_4_5"
|
||||
fi
|
||||
|
||||
# 4.6
|
||||
check_4_6="4.6 - Add HEALTHCHECK instruction to the container image"
|
||||
fail=0
|
||||
for img in $images; do
|
||||
docker inspect --format='{{.Config.Healthcheck}}' $img 2>/dev/null | grep -e "<nil>" >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
if [ $fail -eq 0 ]; then
|
||||
fail=1
|
||||
warn "$check_4_6"
|
||||
fi
|
||||
imgName=`docker inspect --format='{{.RepoTags}}' $img 2>/dev/null`
|
||||
warn " No Healthcheck found : $imgName"
|
||||
fi
|
||||
done
|
||||
if [ $fail -eq 0 ]; then
|
||||
pass "$check_4_6"
|
||||
fi
|
||||
|
||||
# 4.7
|
||||
check_4_7="4.7 - Do not use update instructions alone in the Dockerfile"
|
||||
fail=0
|
||||
for img in $images; do
|
||||
docker history $img 2>/dev/null | grep -e "update" >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
if [ $fail -eq 0 ]; then
|
||||
fail=1
|
||||
info "$check_4_7"
|
||||
fi
|
||||
imgName=`docker inspect --format='{{.RepoTags}}' $img 2>/dev/null`
|
||||
info " update instruction found in history of $imgName"
|
||||
fi
|
||||
done
|
||||
if [ $fail -eq 0 ]; then
|
||||
pass "$check_4_7"
|
||||
fi
|
||||
|
||||
# 4.9
|
||||
check_4_9="4.9 - Use COPY instead of ADD in Dockerfile"
|
||||
fail=0
|
||||
for img in $images; do
|
||||
docker history $img 2> /dev/null | grep 'ADD' >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
if [ $fail -eq 0 ]; then
|
||||
fail=1
|
||||
info "$check_4_9"
|
||||
fi
|
||||
imgName=`docker inspect --format='{{.RepoTags}}' $img 2>/dev/null`
|
||||
info " found ADD in docker history of $imgName"
|
||||
fi
|
||||
done
|
||||
if [ $fail -eq 0 ]; then
|
||||
pass "$check_4_9"
|
||||
fi
|
||||
|
|
|
@ -514,7 +514,7 @@ else
|
|||
fi
|
||||
fi
|
||||
done
|
||||
# We went through all the containers and found none with UTSMode as host
|
||||
# We went through all the containers and found none with default secomp profile disabled
|
||||
if [ $fail -eq 0 ]; then
|
||||
pass "$check_5_21"
|
||||
fi
|
||||
|
@ -561,8 +561,123 @@ else
|
|||
fi
|
||||
fi
|
||||
done
|
||||
# We went through all the containers and found none with UTSMode as host
|
||||
# We went through all the containers and found none with capability to acquire additional privileges
|
||||
if [ $fail -eq 0 ]; then
|
||||
pass "$check_5_25"
|
||||
fi
|
||||
|
||||
# 5.26
|
||||
check_5_26="5.26 - Check container health at runtime"
|
||||
|
||||
fail=0
|
||||
for c in $containers; do
|
||||
docker inspect --format '{{ .Id }}: Health={{ .State.Health.Status }}' "$c" 2>/dev/null 1>&2
|
||||
if [ $? -ne 0 ]; then
|
||||
if [ $fail -eq 0 ]; then
|
||||
warn "$check_5_26"
|
||||
warn " * Health check not set for $c"
|
||||
fail=1
|
||||
else
|
||||
warn " * Health check not set for $c"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
if [ $fail -eq 0 ]; then
|
||||
pass "$check_5_26"
|
||||
fi
|
||||
|
||||
# 5.28
|
||||
check_5_28="5.28 - Use PIDs cgroup limit"
|
||||
|
||||
fail=0
|
||||
for c in $containers; do
|
||||
pidslimit=`docker inspect --format '{{.HostConfig.PidsLimit }}' "$c"`
|
||||
|
||||
if [ $pidslimit -le 0 ]; then
|
||||
# If it's the first container, fail the test
|
||||
if [ $fail -eq 0 ]; then
|
||||
warn "$check_5_28"
|
||||
warn " * pidslimit not set: $c"
|
||||
fail=1
|
||||
else
|
||||
warn " * pidslimit not set: $c"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
# We went through all the containers and found all with PIDs limit
|
||||
if [ $fail -eq 0 ]; then
|
||||
pass "$check_5_28"
|
||||
fi
|
||||
|
||||
# 5.29
|
||||
check_5_29="5.29 - Do not use Docker's default bridge docker0"
|
||||
|
||||
fail=0
|
||||
networks=`docker network ls -q 2>/dev/null`
|
||||
for net in $networks; do
|
||||
docker network inspect --format '{{ .Options }}' "$net" 2>/dev/null | grep "com.docker.network.bridge.name:docker0" >/dev/null 2>&1
|
||||
|
||||
if [ $? -eq 0 ]; then
|
||||
docker0Containers=`docker network inspect --format='{{ range $k, $v := .Containers }} {{ $k }} {{ end }}' "$net" 2>/dev/null`
|
||||
if [ -n "$docker0Containers" ]; then
|
||||
if [ $fail -eq 0 ]; then
|
||||
warn "$check_5_29"
|
||||
fail=1
|
||||
fi
|
||||
for c in $docker0Containers; do
|
||||
warn " * container in docker0 network: $c"
|
||||
done
|
||||
fi
|
||||
fi
|
||||
done
|
||||
# We went through all the containers and found none in docker0 network
|
||||
if [ $fail -eq 0 ]; then
|
||||
pass "$check_5_29"
|
||||
fi
|
||||
|
||||
# 5.30
|
||||
check_5_30="5.30 - Do not share the host's user namespaces"
|
||||
|
||||
fail=0
|
||||
for c in $containers; do
|
||||
docker inspect --format '{{ .HostConfig.UsernsMode }}' "$c" 2>/dev/null | grep -i 'host' >/dev/null 2>&1
|
||||
|
||||
if [ $? -eq 0 ]; then
|
||||
# If it's the first container, fail the test
|
||||
if [ $fail -eq 0 ]; then
|
||||
warn "$check_5_30"
|
||||
warn " * Namespace shared: $c"
|
||||
fail=1
|
||||
else
|
||||
warn " * Namespace shared: $c"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
# We went through all the containers and found none with host's user namespace shared
|
||||
if [ $fail -eq 0 ]; then
|
||||
pass "$check_5_30"
|
||||
fi
|
||||
|
||||
# 5.31
|
||||
check_5_31="5.31 - Do not mount the Docker socket inside any containers"
|
||||
|
||||
fail=0
|
||||
for c in $containers; do
|
||||
docker inspect --format '{{ .Mounts }}' "$c" 2>/dev/null | grep 'docker.sock' >/dev/null 2>&1
|
||||
|
||||
if [ $? -eq 0 ]; then
|
||||
# If it's the first container, fail the test
|
||||
if [ $fail -eq 0 ]; then
|
||||
warn "$check_5_31"
|
||||
warn " * Docker sock shared: $c"
|
||||
fail=1
|
||||
else
|
||||
warn " * Docekr sock shared: $c"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
# We went through all the containers and found none with docker.sock shared
|
||||
if [ $fail -eq 0 ]; then
|
||||
pass "$check_5_31"
|
||||
fi
|
||||
fi
|
||||
|
|
Loading…
Reference in a new issue