mirror of
https://github.com/docker/docker-bench-security.git
synced 2025-01-19 00:32:34 +01:00
Support for 'CIS Docker Benchmark 1.12.0'
Signed-off-by: Ravi Kumar Vadapalli <vadapalli.ravikumar@gmail.com>
This commit is contained in:
parent
338f35bf36
commit
6aae32f4e5
4 changed files with 219 additions and 3 deletions
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
![Docker Bench for Security running](https://raw.githubusercontent.com/docker/docker-bench-security/master/benchmark_log.png "Docker Bench for Security running")
|
![Docker Bench for Security running](https://raw.githubusercontent.com/docker/docker-bench-security/master/benchmark_log.png "Docker Bench for Security running")
|
||||||
|
|
||||||
The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are inspired by the [CIS Docker 1.11 Benchmark](https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.11.0_Benchmark_v1.0.0.pdf). We are releasing this as a follow-up to our [Understanding Docker Security and Best Practices](https://blog.docker.com/2015/05/understanding-docker-security-and-best-practices/) blog post.
|
The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are inspired by the [CIS Docker 1.12 Benchmark](https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.12.0_Benchmark_v1.0.0.pdf). We are releasing this as a follow-up to our [Understanding Docker Security and Best Practices](https://blog.docker.com/2015/05/understanding-docker-security-and-best-practices/) blog post.
|
||||||
|
|
||||||
We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and docker containers against this benchmark.
|
We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and docker containers against this benchmark.
|
||||||
|
|
||||||
|
|
|
@ -134,3 +134,48 @@ if [ $? -eq 0 ]; then
|
||||||
else
|
else
|
||||||
warn "$check_2_13"
|
warn "$check_2_13"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# 2.14
|
||||||
|
check_2_14="2.14 - Enable live restore"
|
||||||
|
get_docker_effective_command_line_args '--live-restore' 2>/dev/null | grep "live-restore" >/dev/null 2>&1
|
||||||
|
if [ $? -eq 0 ]; then
|
||||||
|
pass "$check_2_14"
|
||||||
|
else
|
||||||
|
warn "$check_2_14"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# 2.15
|
||||||
|
check_2_15="2.15 - Do not enable swarm mode, if not needed"
|
||||||
|
docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1
|
||||||
|
if [ $? -eq 1 ]; then
|
||||||
|
pass "$check_2_15"
|
||||||
|
else
|
||||||
|
warn "$check_2_15"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# 2.16
|
||||||
|
check_2_16="2.16 - Control the number of manager nodes in a swarm"
|
||||||
|
docker node ls 2>/dev/null | grep "Leader" >/dev/null 2>&1
|
||||||
|
if [ $? -eq 1 ]; then
|
||||||
|
pass "$check_2_16"
|
||||||
|
else
|
||||||
|
warn "$check_2_16"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# 2.17
|
||||||
|
check_2_17="2.17 - Bind swarm services to a specific host interface"
|
||||||
|
netstat -lt 2>/dev/null | grep -i 2377 >/dev/null 2>&1
|
||||||
|
if [ $? -eq 1 ]; then
|
||||||
|
pass "$check_2_17"
|
||||||
|
else
|
||||||
|
warn "$check_2_17"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# 2.18
|
||||||
|
check_2_18="2.18 - Disable Userland Proxy"
|
||||||
|
get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1
|
||||||
|
if [ $? -eq 0 ]; then
|
||||||
|
pass "$check_2_18"
|
||||||
|
else
|
||||||
|
warn "$check_2_18"
|
||||||
|
fi
|
||||||
|
|
|
@ -38,6 +38,8 @@ fi
|
||||||
# Make the loop separator go back to space
|
# Make the loop separator go back to space
|
||||||
set +f; unset IFS
|
set +f; unset IFS
|
||||||
|
|
||||||
|
images=$(docker images -q)
|
||||||
|
|
||||||
# 4.5
|
# 4.5
|
||||||
check_4_5="4.5 - Enable Content trust for Docker"
|
check_4_5="4.5 - Enable Content trust for Docker"
|
||||||
if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then
|
if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then
|
||||||
|
@ -45,3 +47,57 @@ if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then
|
||||||
else
|
else
|
||||||
warn "$check_4_5"
|
warn "$check_4_5"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# 4.6
|
||||||
|
check_4_6="4.6 - Add HEALTHCHECK instruction to the container image"
|
||||||
|
fail=0
|
||||||
|
for img in $images; do
|
||||||
|
docker inspect --format='{{.Config.Healthcheck}}' $img 2>/dev/null | grep -e "<nil>" >/dev/null 2>&1
|
||||||
|
if [ $? -eq 0 ]; then
|
||||||
|
if [ $fail -eq 0 ]; then
|
||||||
|
fail=1
|
||||||
|
warn "$check_4_6"
|
||||||
|
fi
|
||||||
|
imgName=`docker inspect --format='{{.RepoTags}}' $img 2>/dev/null`
|
||||||
|
warn " No Healthcheck found : $imgName"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ $fail -eq 0 ]; then
|
||||||
|
pass "$check_4_6"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# 4.7
|
||||||
|
check_4_7="4.7 - Do not use update instructions alone in the Dockerfile"
|
||||||
|
fail=0
|
||||||
|
for img in $images; do
|
||||||
|
docker history $img 2>/dev/null | grep -e "update" >/dev/null 2>&1
|
||||||
|
if [ $? -eq 0 ]; then
|
||||||
|
if [ $fail -eq 0 ]; then
|
||||||
|
fail=1
|
||||||
|
info "$check_4_7"
|
||||||
|
fi
|
||||||
|
imgName=`docker inspect --format='{{.RepoTags}}' $img 2>/dev/null`
|
||||||
|
info " update instruction found in history of $imgName"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ $fail -eq 0 ]; then
|
||||||
|
pass "$check_4_7"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# 4.9
|
||||||
|
check_4_9="4.9 - Use COPY instead of ADD in Dockerfile"
|
||||||
|
fail=0
|
||||||
|
for img in $images; do
|
||||||
|
docker history $img 2> /dev/null | grep 'ADD' >/dev/null 2>&1
|
||||||
|
if [ $? -eq 0 ]; then
|
||||||
|
if [ $fail -eq 0 ]; then
|
||||||
|
fail=1
|
||||||
|
info "$check_4_9"
|
||||||
|
fi
|
||||||
|
imgName=`docker inspect --format='{{.RepoTags}}' $img 2>/dev/null`
|
||||||
|
info " found ADD in docker history of $imgName"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ $fail -eq 0 ]; then
|
||||||
|
pass "$check_4_9"
|
||||||
|
fi
|
||||||
|
|
|
@ -514,7 +514,7 @@ else
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
# We went through all the containers and found none with UTSMode as host
|
# We went through all the containers and found none with default secomp profile disabled
|
||||||
if [ $fail -eq 0 ]; then
|
if [ $fail -eq 0 ]; then
|
||||||
pass "$check_5_21"
|
pass "$check_5_21"
|
||||||
fi
|
fi
|
||||||
|
@ -561,8 +561,123 @@ else
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
# We went through all the containers and found none with UTSMode as host
|
# We went through all the containers and found none with capability to acquire additional privileges
|
||||||
if [ $fail -eq 0 ]; then
|
if [ $fail -eq 0 ]; then
|
||||||
pass "$check_5_25"
|
pass "$check_5_25"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# 5.26
|
||||||
|
check_5_26="5.26 - Check container health at runtime"
|
||||||
|
|
||||||
|
fail=0
|
||||||
|
for c in $containers; do
|
||||||
|
docker inspect --format '{{ .Id }}: Health={{ .State.Health.Status }}' "$c" 2>/dev/null 1>&2
|
||||||
|
if [ $? -ne 0 ]; then
|
||||||
|
if [ $fail -eq 0 ]; then
|
||||||
|
warn "$check_5_26"
|
||||||
|
warn " * Health check not set for $c"
|
||||||
|
fail=1
|
||||||
|
else
|
||||||
|
warn " * Health check not set for $c"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ $fail -eq 0 ]; then
|
||||||
|
pass "$check_5_26"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# 5.28
|
||||||
|
check_5_28="5.28 - Use PIDs cgroup limit"
|
||||||
|
|
||||||
|
fail=0
|
||||||
|
for c in $containers; do
|
||||||
|
pidslimit=`docker inspect --format '{{.HostConfig.PidsLimit }}' "$c"`
|
||||||
|
|
||||||
|
if [ $pidslimit -le 0 ]; then
|
||||||
|
# If it's the first container, fail the test
|
||||||
|
if [ $fail -eq 0 ]; then
|
||||||
|
warn "$check_5_28"
|
||||||
|
warn " * pidslimit not set: $c"
|
||||||
|
fail=1
|
||||||
|
else
|
||||||
|
warn " * pidslimit not set: $c"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
# We went through all the containers and found all with PIDs limit
|
||||||
|
if [ $fail -eq 0 ]; then
|
||||||
|
pass "$check_5_28"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# 5.29
|
||||||
|
check_5_29="5.29 - Do not use Docker's default bridge docker0"
|
||||||
|
|
||||||
|
fail=0
|
||||||
|
networks=`docker network ls -q 2>/dev/null`
|
||||||
|
for net in $networks; do
|
||||||
|
docker network inspect --format '{{ .Options }}' "$net" 2>/dev/null | grep "com.docker.network.bridge.name:docker0" >/dev/null 2>&1
|
||||||
|
|
||||||
|
if [ $? -eq 0 ]; then
|
||||||
|
docker0Containers=`docker network inspect --format='{{ range $k, $v := .Containers }} {{ $k }} {{ end }}' "$net" 2>/dev/null`
|
||||||
|
if [ -n "$docker0Containers" ]; then
|
||||||
|
if [ $fail -eq 0 ]; then
|
||||||
|
warn "$check_5_29"
|
||||||
|
fail=1
|
||||||
|
fi
|
||||||
|
for c in $docker0Containers; do
|
||||||
|
warn " * container in docker0 network: $c"
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
# We went through all the containers and found none in docker0 network
|
||||||
|
if [ $fail -eq 0 ]; then
|
||||||
|
pass "$check_5_29"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# 5.30
|
||||||
|
check_5_30="5.30 - Do not share the host's user namespaces"
|
||||||
|
|
||||||
|
fail=0
|
||||||
|
for c in $containers; do
|
||||||
|
docker inspect --format '{{ .HostConfig.UsernsMode }}' "$c" 2>/dev/null | grep -i 'host' >/dev/null 2>&1
|
||||||
|
|
||||||
|
if [ $? -eq 0 ]; then
|
||||||
|
# If it's the first container, fail the test
|
||||||
|
if [ $fail -eq 0 ]; then
|
||||||
|
warn "$check_5_30"
|
||||||
|
warn " * Namespace shared: $c"
|
||||||
|
fail=1
|
||||||
|
else
|
||||||
|
warn " * Namespace shared: $c"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
# We went through all the containers and found none with host's user namespace shared
|
||||||
|
if [ $fail -eq 0 ]; then
|
||||||
|
pass "$check_5_30"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# 5.31
|
||||||
|
check_5_31="5.31 - Do not mount the Docker socket inside any containers"
|
||||||
|
|
||||||
|
fail=0
|
||||||
|
for c in $containers; do
|
||||||
|
docker inspect --format '{{ .Mounts }}' "$c" 2>/dev/null | grep 'docker.sock' >/dev/null 2>&1
|
||||||
|
|
||||||
|
if [ $? -eq 0 ]; then
|
||||||
|
# If it's the first container, fail the test
|
||||||
|
if [ $fail -eq 0 ]; then
|
||||||
|
warn "$check_5_31"
|
||||||
|
warn " * Docker sock shared: $c"
|
||||||
|
fail=1
|
||||||
|
else
|
||||||
|
warn " * Docekr sock shared: $c"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
# We went through all the containers and found none with docker.sock shared
|
||||||
|
if [ $fail -eq 0 ]; then
|
||||||
|
pass "$check_5_31"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
Loading…
Reference in a new issue