From 0231a7f5dead80f7ab6109ade2cc58a7ef95d1ba Mon Sep 17 00:00:00 2001 From: Jessica Frazelle Date: Mon, 8 Jun 2015 19:15:41 -0700 Subject: [PATCH 01/36] Make the main script an executable for if I want to run it on my host Fix image sprawl to work Fix port range Signed-off-by: Jessica Frazelle --- docker-bench-security.sh | 0 tests/5_container_runtime.sh | 23 +++++++++++++---------- tests/6_docker_security_operations.sh | 6 +++--- 3 files changed, 16 insertions(+), 13 deletions(-) mode change 100644 => 100755 docker-bench-security.sh diff --git a/docker-bench-security.sh b/docker-bench-security.sh old mode 100644 new mode 100755 diff --git a/tests/5_container_runtime.sh b/tests/5_container_runtime.sh index 11e14df..7133b9e 100644 --- a/tests/5_container_runtime.sh +++ b/tests/5_container_runtime.sh @@ -201,18 +201,21 @@ else fail=0 for c in $containers; do - port=$(docker port "$c" | awk '{print $1}' | cut -d '/' -f1) + ports=$(docker port "$c" | awk '{print $1}' | cut -d '/' -f1) - if [ ! -z "$port" ] && [ "$port" -lt 1025 ]; then - # If it's the first container, fail the test - if [ $fail -eq 0 ]; then - warn "$check_5_8" - warn " * Privileged Port in use: $port in $c" - fail=1 - else - warn " * Privileged Port in use: $port in $c" + # iterate through port range (line delimited) + for port in $ports; do + if [ ! -z "$port" ] && [ "0$port" -lt 1025 ]; then + # If it's the first container, fail the test + if [ $fail -eq 0 ]; then + warn "$check_5_8" + warn " * Privileged Port in use: $port in $c" + fail=1 + else + warn " * Privileged Port in use: $port in $c" + fi fi - fi + done done # We went through all the containers and found no privileged ports if [ $fail -eq 0 ]; then diff --git a/tests/6_docker_security_operations.sh b/tests/6_docker_security_operations.sh index f5b1f01..3165986 100644 --- a/tests/6_docker_security_operations.sh +++ b/tests/6_docker_security_operations.sh @@ -40,8 +40,8 @@ images=$(docker images -q | wc -l | awk '{print $1}') active_images=0 for c in $(docker inspect -f "{{.Image}}" $(docker ps -qa)); do - if [[ $(docker images --no-trunc -a | grep $c) ]]; then - ((active_images++)) + if docker images --no-trunc -a | grep $c > /dev/null ; then + active_images=$(( active_images += 1 )) fi done @@ -53,7 +53,7 @@ else info " * There are currently: $images images" fi -if [[ "$active_images" -lt "$((images / 2))" ]]; then +if [ "$active_images" -lt "$((images / 2))" ]; then warn " * Only $active_images out of $images are in use" fi From b24a9d15b9669264cab5f89072cd2ff25cf1fd01 Mon Sep 17 00:00:00 2001 From: Jessica Frazelle Date: Mon, 8 Jun 2015 23:45:07 -0700 Subject: [PATCH 02/36] use official alpine image as the base Signed-off-by: Jessica Frazelle --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 5b948bc..a552ef4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM gliderlabs/alpine:3.1 +FROM alpine:3.1 RUN apk --update add docker From 56a7cb8779b12bb373918949b16ea14be8b4357d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Thu, 11 Jun 2015 02:17:14 +0200 Subject: [PATCH 03/36] Issue #25, dont warn if file is missing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- tests/1_host_configuration.sh | 180 ++++++++++++++++++++++------------ 1 file changed, 120 insertions(+), 60 deletions(-) diff --git a/tests/1_host_configuration.sh b/tests/1_host_configuration.sh index 6e2b66d..d97a1ba 100644 --- a/tests/1_host_configuration.sh +++ b/tests/1_host_configuration.sh @@ -71,140 +71,200 @@ fi # 1.9 check_1_9="1.9 - Audit Docker files and directories - /var/lib/docker" -command -v auditctl >/dev/null 2>&1 -if [ $? -eq 0 ]; then - auditctl -l | grep /var/lib/docker >/dev/null 2>&1 +directory="/var/lib/docker" +if [ -d "$file" ]; then + command -v auditctl >/dev/null 2>&1 if [ $? -eq 0 ]; then - pass "$check_1_9" + auditctl -l | grep $directory >/dev/null 2>&1 + if [ $? -eq 0 ]; then + pass "$check_1_9" + else + warn "$check_1_9" + fi else - warn "$check_1_9" + warn "1.9 - Failed to inspect: auditctl command not found." fi else - warn "1.9 - Failed to inspect: auditctl command not found." + info "$check_1_9" + info " * Directory not found" fi # 1.10 check_1_10="1.10 - Audit Docker files and directories - /etc/docker" -command -v auditctl >/dev/null 2>&1 -if [ $? -eq 0 ]; then - auditctl -l | grep /etc/docker >/dev/null 2>&1 +directory="/etc/docker" +if [ -d "$directory" ]; then + command -v auditctl >/dev/null 2>&1 if [ $? -eq 0 ]; then - pass "$check_1_10" + auditctl -l | grep $directory >/dev/null 2>&1 + if [ $? -eq 0 ]; then + pass "$check_1_10" + else + warn "$check_1_10" + fi else - warn "$check_1_10" + warn "1.10 - Failed to inspect: auditctl command not found." fi else - warn "1.10 - Failed to inspect: auditctl command not found." + info "$check_1_10" + info " * Directory not found" fi # 1.11 check_1_11="1.11 - Audit Docker files and directories - docker-registry.service" -command -v auditctl >/dev/null 2>&1 -if [ $? -eq 0 ]; then - auditctl -l | grep /usr/lib/systemd/system/docker-registry.service >/dev/null 2>&1 +file="/usr/lib/systemd/system/docker-registry.service" +if [ -f "$file" ]; then + command -v auditctl >/dev/null 2>&1 if [ $? -eq 0 ]; then - pass "$check_1_11" + auditctl -l | grep $file >/dev/null 2>&1 + if [ $? -eq 0 ]; then + pass "$check_1_11" + else + warn "$check_1_11" + fi else - warn "$check_1_11" + warn "1.11 - Failed to inspect: auditctl command not found." fi else - warn "1.11 - Failed to inspect: auditctl command not found." + info "$check_1_11" + info " * File not found" fi # 1.12 check_1_12="1.12 - Audit Docker files and directories - docker.service" -command -v auditctl >/dev/null 2>&1 -if [ $? -eq 0 ]; then - auditctl -l | grep /usr/lib/systemd/system/docker.service >/dev/null 2>&1 +file="/usr/lib/systemd/system/docker.service" +if [ -f "$file" ]; then + command -v auditctl >/dev/null 2>&1 if [ $? -eq 0 ]; then - pass "$check_1_12" + auditctl -l | grep $file >/dev/null 2>&1 + if [ $? -eq 0 ]; then + pass "$check_1_12" + else + warn "$check_1_12" + fi else - warn "$check_1_12" + warn "1.12 - Failed to inspect: auditctl command not found." fi else - warn "1.12 - Failed to inspect: auditctl command not found." + info "$check_1_12" + info " * File not found" fi # 1.13 check_1_13="1.13 - Audit Docker files and directories - /var/run/docker.sock" -command -v auditctl >/dev/null 2>&1 -if [ $? -eq 0 ]; then - auditctl -l | grep /var/run/docker.sock >/dev/null 2>&1 +file="/var/run/docker.sock" +if [ -e "$file" ]; then + command -v auditctl >/dev/null 2>&1 if [ $? -eq 0 ]; then - pass "$check_1_13" + auditctl -l | grep $file >/dev/null 2>&1 + if [ $? -eq 0 ]; then + pass "$check_1_13" + else + warn "$check_1_13" + fi else - warn "$check_1_13" + warn "1.13 - Failed to inspect: auditctl command not found." fi else - warn "1.13 - Failed to inspect: auditctl command not found." + info "$check_1_13" + info " * File not found" fi # 1.14 check_1_14="1.14 - Audit Docker files and directories - /etc/sysconfig/docker" -command -v auditctl >/dev/null 2>&1 -if [ $? -eq 0 ]; then - auditctl -l | grep /etc/sysconfig/docker >/dev/null 2>&1 +file="/etc/sysconfig/docker" +if [ -f "$file" ]; then + command -v auditctl >/dev/null 2>&1 if [ $? -eq 0 ]; then - pass "$check_1_14" + auditctl -l | grep $file >/dev/null 2>&1 + if [ $? -eq 0 ]; then + pass "$check_1_14" + else + warn "$check_1_14" + fi else - warn "$check_1_14" + warn "1.14 - Failed to inspect: auditctl command not found." fi else - warn "1.14 - Failed to inspect: auditctl command not found." + info "$check_1_14" + info " * File not found" fi # 1.15 check_1_15="1.15 - Audit Docker files and directories - /etc/sysconfig/docker-network" -command -v auditctl >/dev/null 2>&1 -if [ $? -eq 0 ]; then - auditctl -l | grep /etc/sysconfig/docker-network >/dev/null 2>&1 +file="/etc/sysconfig/docker-network" +if [ -f "$file" ]; then + command -v auditctl >/dev/null 2>&1 if [ $? -eq 0 ]; then - pass "$check_1_15" + auditctl -l | grep $file >/dev/null 2>&1 + if [ $? -eq 0 ]; then + pass "$check_1_15" + else + warn "$check_1_15" + fi else - warn "$check_1_15" + warn "1.15 - Failed to inspect: auditctl command not found." fi else - warn "1.15 - Failed to inspect: auditctl command not found." + info "$check_1_15" + info " * File not found" fi # 1.16 check_1_16="1.16 - Audit Docker files and directories - /etc/sysconfig/docker-registry" -command -v auditctl >/dev/null 2>&1 -if [ $? -eq 0 ]; then - auditctl -l | grep /etc/sysconfig/docker-registry >/dev/null 2>&1 +file="/etc/sysconfig/docker-registry" +if [ -f "$file" ]; then + command -v auditctl >/dev/null 2>&1 if [ $? -eq 0 ]; then - pass "$check_1_16" + auditctl -l | grep $file >/dev/null 2>&1 + if [ $? -eq 0 ]; then + pass "$check_1_16" + else + warn "$check_1_16" + fi else - warn "$check_1_16" + warn "1.16 - Failed to inspect: auditctl command not found." fi else - warn "1.16 - Failed to inspect: auditctl command not found." + info "$check_1_16" + info " * File not found" fi # 1.17 check_1_17="1.17 - Audit Docker files and directories - /etc/sysconfig/docker-storage" -command -v auditctl >/dev/null 2>&1 -if [ $? -eq 0 ]; then - auditctl -l | grep /etc/sysconfig/docker-storage >/dev/null 2>&1 +file="/etc/sysconfig/docker-storage" +if [ -f "$file" ]; then + command -v auditctl >/dev/null 2>&1 if [ $? -eq 0 ]; then - pass "$check_1_17" + auditctl -l | grep $file >/dev/null 2>&1 + if [ $? -eq 0 ]; then + pass "$check_1_17" + else + warn "$check_1_17" + fi else - warn "$check_1_17" + warn "1.17 - Failed to inspect: auditctl command not found." fi else - warn "1.17 - Failed to inspect: auditctl command not found." + info "$check_1_17" + info " * File not found" fi # 1.18 check_1_18="1.18 - Audit Docker files and directories - /etc/default/docker" -command -v auditctl >/dev/null 2>&1 -if [ $? -eq 0 ]; then - auditctl -l | grep /etc/default/docker >/dev/null 2>&1 +file="/etc/default/docker" +if [ -f "$file" ]; then + command -v auditctl >/dev/null 2>&1 if [ $? -eq 0 ]; then - pass "$check_1_18" + auditctl -l | grep $file >/dev/null 2>&1 + if [ $? -eq 0 ]; then + pass "$check_1_18" + else + warn "$check_1_18" + fi else - warn "$check_1_18" + warn "1.18 - Failed to inspect: auditctl command not found." fi else - warn "1.18 - Failed to inspect: auditctl command not found." + info "$check_1_18" + info " * File not found" fi From 2d25ddbcaf27c455a89a950ab2e3ad3146994d48 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Thu, 11 Jun 2015 02:35:54 +0200 Subject: [PATCH 04/36] Issue #24, remove -U, -u MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- tests/2_docker_daemon_configuration.sh | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/tests/2_docker_daemon_configuration.sh b/tests/2_docker_daemon_configuration.sh index 8561f52..ed94926 100644 --- a/tests/2_docker_daemon_configuration.sh +++ b/tests/2_docker_daemon_configuration.sh @@ -5,7 +5,7 @@ info "2 - Docker Daemon Configuration" # 2.1 check_2_1="2.1 - Do not use lxc execution driver" -pgrep -U root -u root -lf docker | grep lxc >/dev/null 2>&1 +pgrep -lf docker | grep lxc >/dev/null 2>&1 if [ $? -eq 0 ]; then warn "$check_2_1" else @@ -14,7 +14,7 @@ fi # 2.2 check_2_2="2.2 - Restrict network traffic between containers" -pgrep -U root -u root -lf docker | grep "icc=false" >/dev/null 2>&1 +pgrep -lf docker | grep "icc=false" >/dev/null 2>&1 if [ $? -eq 0 ]; then pass "$check_2_2" else @@ -23,7 +23,7 @@ fi # 2.3 check_2_3="2.3 - Set the logging level" -pgrep -U root -u root -lf docker | grep "log-level=\"debug\"" >/dev/null 2>&1 +pgrep -lf docker | grep "log-level=\"debug\"" >/dev/null 2>&1 if [ $? -eq 0 ]; then warn "$check_2_3" else @@ -32,7 +32,7 @@ fi # 2.4 check_2_4="2.4 - Allow Docker to make changes to iptables" -pgrep -U root -u root -lf docker | grep "iptables=false" >/dev/null 2>&1 +pgrep -lf docker | grep "iptables=false" >/dev/null 2>&1 if [ $? -eq 0 ]; then warn "$check_2_4" else @@ -41,7 +41,7 @@ fi # 2.5 check_2_5="2.5 - Do not use insecure registries" -pgrep -U root -u root -lf docker | grep "insecure-registry" >/dev/null 2>&1 +pgrep -lf docker | grep "insecure-registry" >/dev/null 2>&1 if [ $? -eq 0 ]; then warn "$check_2_5" else @@ -50,7 +50,7 @@ fi # 2.6 check_2_6="2.6 - Setup a local registry mirror" -pgrep -U root -u root -lf docker | grep "registry-mirror" >/dev/null 2>&1 +pgrep -lf docker | grep "registry-mirror" >/dev/null 2>&1 if [ $? -eq 0 ]; then pass "$check_2_6" else @@ -69,7 +69,7 @@ fi # 2.8 check_2_8="2.8 - Do not bind Docker to another IP/Port or a Unix socket" -pgrep -U root -u root -lf docker | grep "\-H" >/dev/null 2>&1 +pgrep -lf docker | grep "\-H" >/dev/null 2>&1 if [ $? -eq 0 ]; then info "$check_2_8" info " * Docker daemon running with -H" @@ -79,9 +79,9 @@ fi # 2.9 check_2_9="2.9 - Configure TLS authentication for Docker daemon" -pgrep -U root -u root -lf docker | grep "tcp://" >/dev/null 2>&1 +pgrep -lf docker | grep "tcp://" >/dev/null 2>&1 if [ $? -eq 0 ]; then - pgrep -U root -u root -lf docker | grep "tlsverify" | grep "tlskey" >/dev/null 2>&1 + pgrep -lf docker | grep "tlsverify" | grep "tlskey" >/dev/null 2>&1 if [ $? -eq 0 ]; then pass "$check_2_9" info " * Docker daemon currently listening on TCP" @@ -96,7 +96,7 @@ fi # 2.10 check_2_10="2.10 - Set default ulimit as appropriate" -pgrep -U root -u root -lf docker | grep "default-ulimit" >/dev/null 2>&1 +pgrep -lf docker | grep "default-ulimit" >/dev/null 2>&1 if [ $? -eq 0 ]; then pass "$check_2_10" else From f4ee80ba3e807c505595d974ca940f336c4e4e26 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Thu, 11 Jun 2015 21:37:44 +0200 Subject: [PATCH 05/36] add -v /var/lib:/var/lib MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index bcedb95..8351725 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,7 @@ The easiest way to run your hosts against the CIS Docker 1.6 benchmark is by run ``` -docker run -it --net host --pid host -v /var/run/docker.sock:/var/run/docker.sock \ +docker run -it --net host --pid host -v /var/lib:/var/lib -v /var/run/docker.sock:/var/run/docker.sock \ -v /usr/lib/systemd:/usr/lib/systemd -v /etc:/etc --label docker-bench-security \ diogomonica/docker-bench-security ``` @@ -30,7 +30,7 @@ If you wish to build and run this container yourself, you can follow the followi ``` git clone https://github.com/diogomonica/docker-bench-security.git cd docker-bench-security; docker build -t docker-bench-security . -docker run -it --net host --pid host -v /var/run/docker.sock:/var/run/docker.sock \ +docker run -it --net host --pid host -v /var/lib:/var/lib -v /var/run/docker.sock:/var/run/docker.sock \ -v /usr/lib/systemd:/usr/lib/systemd -v /etc:/etc --label security-benchmark \ docker-bench-security ``` From ebcbf9a231adf8c59b36ff9edeaf87836ce22fff Mon Sep 17 00:00:00 2001 From: Diogo Monica Date: Thu, 11 Jun 2015 16:26:49 -0700 Subject: [PATCH 06/36] Add first version of CONTRIBUTING.md --- CONTRIBUTING.md | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 CONTRIBUTING.md diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..36d2d2f --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,48 @@ +# Contributing to Docker Bench for Security + +Want to hack on Docker Bench? Awesome! Here are instructions to get you +started. + +The Docker Bench for Security is a part of the [Docker](https://www.docker.com) project, and follows +the same rules and principles. If you're already familiar with the way +Docker does things, you'll feel right at home. + +Otherwise, go read +[Docker's contributions guidelines](https://github.com/docker/docker/blob/master/CONTRIBUTING.md). + +### Development Environment Setup + +The only thing you need to hack on Docker Bench for Security is a POSIX 2004 compliant shell. We try to keep the project compliant for maximum portability + +#### Start hacking + +You can build the container that wraps the docker-bench for security: +```sh +✗ git clone git@github.com:docker/docker-bench-security.git +✗ docker build -t diogomonica/docker-bench-security . +``` + +Or you can simply run the shell script locally: + +```sh +✗ sh docker-bench-security.sh +``` + +The Docker Bench has the main script called `docker-bench-security.sh`. This is the main script that checks for all the dependencies, deals with command line arguments and loads all the tests. + +The tests are split in 6 different files: + +```sh +✗ docker-bench-security git:(master) ✗ tree tests +tests +├── 1_host_configuration.sh +├── 2_docker_daemon_configuration.sh +├── 3_docker_daemon_configuration_files.sh +├── 4_container_images.sh +├── 5_container_runtime.sh +└── 6_docker_security_operations.sh +``` + +To modify the Docker Bench for Security you should first clone the repository, make your changes, and then sign off on your commits. After that feel free to send us a pull-request with the changes. + +While this tool is inspired in the CIS Docker 1.6 Benchmark, feel free to add new tests. We will try to turn dockerbench.com into a list of good community benchmarks for both security and performance, and we would love community contributions. From de92a186485f5ec62f85ef1daa10e62c2d5bf89a Mon Sep 17 00:00:00 2001 From: Jessica Frazelle Date: Thu, 11 Jun 2015 16:20:05 -0700 Subject: [PATCH 07/36] make readme codeblocks prettier Signed-off-by: Jessica Frazelle --- README.md | 28 +++++++++++++++++----------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index bcedb95..f2be9a3 100644 --- a/README.md +++ b/README.md @@ -13,10 +13,12 @@ We packaged docker bench as a small container for your convenience. Note that th The easiest way to run your hosts against the CIS Docker 1.6 benchmark is by running our pre-built container: -``` -docker run -it --net host --pid host -v /var/run/docker.sock:/var/run/docker.sock \ --v /usr/lib/systemd:/usr/lib/systemd -v /etc:/etc --label docker-bench-security \ -diogomonica/docker-bench-security +```sh +docker run -it --net host --pid host \ + -v /var/run/docker.sock:/var/run/docker.sock \ + -v /usr/lib/systemd:/usr/lib/systemd \ + -v /etc:/etc --label docker-bench-security \ + diogomonica/docker-bench-security ``` Docker bench requires Docker 1.6.2 or later in order to run, since it depends on the `--label` to exclude the current container from being inspected. If you can't upgrade to 1.6.2, I feel free to remove the `--label` flag or run the shell script locally (see below). @@ -27,19 +29,23 @@ Additionally, there was a bug in Docker 1.6.0 that would not allow mounting `-v If you wish to build and run this container yourself, you can follow the following steps: -``` +```sh git clone https://github.com/diogomonica/docker-bench-security.git -cd docker-bench-security; docker build -t docker-bench-security . -docker run -it --net host --pid host -v /var/run/docker.sock:/var/run/docker.sock \ --v /usr/lib/systemd:/usr/lib/systemd -v /etc:/etc --label security-benchmark \ -docker-bench-security +cd docker-bench-security +docker build -t docker-bench-security . +docker run -it --net host --pid host \ + -v /var/run/docker.sock:/var/run/docker.sock \ + -v /usr/lib/systemd:/usr/lib/systemd \ + -v /etc:/etc --label security-benchmark \ + docker-bench-security ``` Also, this script can also be simply run from your base host by running: -``` +```sh git clone https://github.com/diogomonica/docker-bench-security.git -cd docker-bench-security; sh docker-bench-security.sh +cd docker-bench-security +sh docker-bench-security.sh ``` This script was build to be POSIX 2004 compliant, so it should be portable across any Unix platform. From 5c3c36c5caf94430a41d69988d79e68f0340ca98 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Sun, 14 Jun 2015 23:03:11 +0200 Subject: [PATCH 08/36] New README MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- README.md | 28 +++++++++++++++++----------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 8351725..eb5e117 100644 --- a/README.md +++ b/README.md @@ -13,10 +13,12 @@ We packaged docker bench as a small container for your convenience. Note that th The easiest way to run your hosts against the CIS Docker 1.6 benchmark is by running our pre-built container: -``` -docker run -it --net host --pid host -v /var/lib:/var/lib -v /var/run/docker.sock:/var/run/docker.sock \ --v /usr/lib/systemd:/usr/lib/systemd -v /etc:/etc --label docker-bench-security \ -diogomonica/docker-bench-security +```sh +docker run -it --net host --pid host -v /var/lib:/var/lib \ + -v /var/run/docker.sock:/var/run/docker.sock \ + -v /usr/lib/systemd:/usr/lib/systemd \ + -v /etc:/etc --label docker-bench-security \ + diogomonica/docker-bench-security ``` Docker bench requires Docker 1.6.2 or later in order to run, since it depends on the `--label` to exclude the current container from being inspected. If you can't upgrade to 1.6.2, I feel free to remove the `--label` flag or run the shell script locally (see below). @@ -27,19 +29,23 @@ Additionally, there was a bug in Docker 1.6.0 that would not allow mounting `-v If you wish to build and run this container yourself, you can follow the following steps: -``` +```sh git clone https://github.com/diogomonica/docker-bench-security.git -cd docker-bench-security; docker build -t docker-bench-security . -docker run -it --net host --pid host -v /var/lib:/var/lib -v /var/run/docker.sock:/var/run/docker.sock \ --v /usr/lib/systemd:/usr/lib/systemd -v /etc:/etc --label security-benchmark \ -docker-bench-security +cd docker-bench-security +docker build -t docker-bench-security . +docker run -it --net host --pid host -v /var/lib:/var/lib \ + -v /var/run/docker.sock:/var/run/docker.sock \ + -v /usr/lib/systemd:/usr/lib/systemd \ + -v /etc:/etc --label security-benchmark \ + docker-bench-security ``` Also, this script can also be simply run from your base host by running: -``` +```sh git clone https://github.com/diogomonica/docker-bench-security.git -cd docker-bench-security; sh docker-bench-security.sh +cd docker-bench-security +sh docker-bench-security.sh ``` This script was build to be POSIX 2004 compliant, so it should be portable across any Unix platform. From 41a0f6301391983e3b2d7d8bf9bd4baac9ddbf43 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Sun, 14 Jun 2015 23:54:15 +0200 Subject: [PATCH 09/36] change to docker repository MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f2be9a3..69512ad 100644 --- a/README.md +++ b/README.md @@ -43,7 +43,7 @@ docker run -it --net host --pid host \ Also, this script can also be simply run from your base host by running: ```sh -git clone https://github.com/diogomonica/docker-bench-security.git +git clone https://github.com/docker/docker-bench-security.git cd docker-bench-security sh docker-bench-security.sh ``` From 3616f15cba48cca3d4cc08d299a3d0f35d157e86 Mon Sep 17 00:00:00 2001 From: "Zvi \"Viz\" Effron" Date: Mon, 15 Jun 2015 11:26:13 -0700 Subject: [PATCH 10/36] Fix test 5.14 to not always pass when multiple ports are published. Signed-off-by: Zvi "Viz" Effron --- tests/5_container_runtime.sh | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/tests/5_container_runtime.sh b/tests/5_container_runtime.sh index 7133b9e..35c41b5 100644 --- a/tests/5_container_runtime.sh +++ b/tests/5_container_runtime.sh @@ -319,17 +319,18 @@ else fail=0 for c in $containers; do - ip=$(docker port "$c" | awk '{print $3}' | cut -d ':' -f1) - if [ "$ip" = "0.0.0.0" ]; then - # If it's the first container, fail the test - if [ $fail -eq 0 ]; then - warn "$check_5_14" - warn " * Port being bound to wildcard IP: $ip in $c" - fail=1 - else - warn " * Port being bound to wildcard IP: $ip in $c" + for ip in $(docker port "$c" | awk '{print $3}' | cut -d ':' -f1); do + if [ "$ip" = "0.0.0.0" ]; then + # If it's the first container, fail the test + if [ $fail -eq 0 ]; then + warn "$check_5_14" + warn " * Port being bound to wildcard IP: $ip in $c" + fail=1 + else + warn " * Port being bound to wildcard IP: $ip in $c" + fi fi - fi + done done # We went through all the containers and found no ports bound to 0.0.0.0 if [ $fail -eq 0 ]; then From cf7b13d5ba0f550424cf25eca0189c99a8fa3684 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Mon, 15 Jun 2015 22:15:24 +0200 Subject: [PATCH 11/36] add cap_audit_control for auditctl to work MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- README.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 74de8e8..a5f6dba 100644 --- a/README.md +++ b/README.md @@ -14,11 +14,12 @@ The easiest way to run your hosts against the CIS Docker 1.6 benchmark is by run ```sh -docker run -it --net host --pid host -v /var/lib:/var/lib \ +docker run -it --net host --pid host --cap-add audit_control \ + -v /var/lib:/var/lib \ -v /var/run/docker.sock:/var/run/docker.sock \ -v /usr/lib/systemd:/usr/lib/systemd \ -v /etc:/etc --label docker-bench-security \ - diogomonica/docker-bench-security + docker-bench-security ``` Docker bench requires Docker 1.6.2 or later in order to run, since it depends on the `--label` to exclude the current container from being inspected. If you can't upgrade to 1.6.2, I feel free to remove the `--label` flag or run the shell script locally (see below). @@ -30,10 +31,11 @@ Additionally, there was a bug in Docker 1.6.0 that would not allow mounting `-v If you wish to build and run this container yourself, you can follow the following steps: ```sh -git clone https://github.com/diogomonica/docker-bench-security.git +git clone https://github.com/docker/docker-bench-security.git cd docker-bench-security docker build -t docker-bench-security . -docker run -it --net host --pid host -v /var/lib:/var/lib \ +docker run -it --net host --pid host --cap-add audit_control \ + -v /var/lib:/var/lib \ -v /var/run/docker.sock:/var/run/docker.sock \ -v /usr/lib/systemd:/usr/lib/systemd \ -v /etc:/etc --label security-benchmark \ From 20db7d8a4d8fc75bde30cc1af96578ffcc7485e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Mon, 15 Jun 2015 23:04:02 +0200 Subject: [PATCH 12/36] catch all -H, not only tcp:// MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- tests/2_docker_daemon_configuration.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/2_docker_daemon_configuration.sh b/tests/2_docker_daemon_configuration.sh index ed94926..af443ca 100644 --- a/tests/2_docker_daemon_configuration.sh +++ b/tests/2_docker_daemon_configuration.sh @@ -79,7 +79,7 @@ fi # 2.9 check_2_9="2.9 - Configure TLS authentication for Docker daemon" -pgrep -lf docker | grep "tcp://" >/dev/null 2>&1 +pgrep -lf docker | grep "\-H" >/dev/null 2>&1 if [ $? -eq 0 ]; then pgrep -lf docker | grep "tlsverify" | grep "tlskey" >/dev/null 2>&1 if [ $? -eq 0 ]; then From e8c3571a84493f4b458e0c98fa1c9abc72e83808 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Diogo=20M=C3=B3nica?= Date: Tue, 16 Jun 2015 17:21:54 -0700 Subject: [PATCH 13/36] Fixed Examples --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a5f6dba..e9adc50 100644 --- a/README.md +++ b/README.md @@ -19,7 +19,7 @@ docker run -it --net host --pid host --cap-add audit_control \ -v /var/run/docker.sock:/var/run/docker.sock \ -v /usr/lib/systemd:/usr/lib/systemd \ -v /etc:/etc --label docker-bench-security \ - docker-bench-security + diogomonica/docker-bench-security ``` Docker bench requires Docker 1.6.2 or later in order to run, since it depends on the `--label` to exclude the current container from being inspected. If you can't upgrade to 1.6.2, I feel free to remove the `--label` flag or run the shell script locally (see below). @@ -39,7 +39,7 @@ docker run -it --net host --pid host --cap-add audit_control \ -v /var/run/docker.sock:/var/run/docker.sock \ -v /usr/lib/systemd:/usr/lib/systemd \ -v /etc:/etc --label security-benchmark \ - docker-bench-security + diogomonica/docker-bench-security ``` Also, this script can also be simply run from your base host by running: From 23a74b5bd0e7bfd746d00609db159068d4b29cc8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Diogo=20M=C3=B3nica?= Date: Wed, 17 Jun 2015 11:25:52 -0700 Subject: [PATCH 14/36] Fixing local running of container in README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e9adc50..a1602ad 100644 --- a/README.md +++ b/README.md @@ -39,7 +39,7 @@ docker run -it --net host --pid host --cap-add audit_control \ -v /var/run/docker.sock:/var/run/docker.sock \ -v /usr/lib/systemd:/usr/lib/systemd \ -v /etc:/etc --label security-benchmark \ - diogomonica/docker-bench-security + docker-bench-security ``` Also, this script can also be simply run from your base host by running: From 820bb581b7a64f2aedf203b88fe2651f6ecf96da Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Wed, 17 Jun 2015 23:23:59 +0200 Subject: [PATCH 15/36] add stat. reorder MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- docker-bench-security.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-bench-security.sh b/docker-bench-security.sh index d2cb12c..18bb973 100755 --- a/docker-bench-security.sh +++ b/docker-bench-security.sh @@ -21,7 +21,7 @@ export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/ logger="${myname}.log" # Check for required program(s) -req_progs='docker netstat grep awk' +req_progs='awk docker grep netstat stat' for p in $req_progs; do command -v "$p" >/dev/null 2>&1 || { printf "%s command not found.\n" "$p"; exit 1; } done From 70b8d33cefa04241f2dc51dc4ce0070212c1c1b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Wed, 17 Jun 2015 23:25:01 +0200 Subject: [PATCH 16/36] replace ls with stat when checking owner and perms MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- tests/3_docker_daemon_configuration_files.sh | 57 +++++++------------- 1 file changed, 19 insertions(+), 38 deletions(-) diff --git a/tests/3_docker_daemon_configuration_files.sh b/tests/3_docker_daemon_configuration_files.sh index 36e49ab..7f23371 100644 --- a/tests/3_docker_daemon_configuration_files.sh +++ b/tests/3_docker_daemon_configuration_files.sh @@ -7,8 +7,7 @@ info "3 - Docker Daemon Configuration Files" check_3_1="3.1 - Verify that docker.service file ownership is set to root:root" file="/usr/lib/systemd/system/docker.service" if [ -f "$file" ]; then - ls -ld "$file" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then pass "$check_3_1" else warn "$check_3_1" @@ -23,8 +22,7 @@ fi check_3_2="3.2 - Verify that docker.service file permissions are set to 644" file="/usr/lib/systemd/system/docker.service" if [ -f "$file" ]; then - ls -ld "$file" | awk '{print $1}' | grep "rw-r--r--" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %a $file)" -eq 644 ]; then pass "$check_3_2" else warn "$check_3_2" @@ -39,8 +37,7 @@ fi check_3_3="3.3 - Verify that docker-registry.service file ownership is set to root:root" file="/usr/lib/systemd/system/docker-registry.service" if [ -f "$file" ]; then - ls -ld "$file" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then pass "$check_3_3" else warn "$check_3_3" @@ -55,8 +52,7 @@ fi check_3_4="3.4 - Verify that docker-registry.service file permissions are set to 644" file="/usr/lib/systemd/system/docker-registry.service" if [ -f "$file" ]; then - ls -ld "$file" | awk '{print $1}' | grep "rw-r--r--" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %a $file)" -eq 644 ]; then pass "$check_3_4" else warn "$check_3_4" @@ -71,8 +67,7 @@ fi check_3_5="3.5 - Verify that docker.socket file ownership is set to root:root" file="/usr/lib/systemd/system/docker.socket" if [ -f "$file" ]; then - ls -ld "$file" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then pass "$check_3_5" else warn "$check_3_5" @@ -87,8 +82,7 @@ fi check_3_6="3.6 - Verify that docker.socket file permissions are set to 644" file="/usr/lib/systemd/system/docker.socket" if [ -f "$file" ]; then - ls -ld "$file" | awk '{print $1}' | grep "rw-r--r--" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %a $file)" -eq 644 ]; then pass "$check_3_6" else warn "$check_3_6" @@ -103,8 +97,7 @@ fi check_3_7="3.7 - Verify that Docker environment file ownership is set to root:root " file="/etc/sysconfig/docker" if [ -f "$file" ]; then - ls -ld "$file" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then pass "$check_3_7" else warn "$check_3_7" @@ -119,8 +112,7 @@ fi check_3_8="3.8 - Verify that Docker environment file permissions are set to 644" file="/etc/sysconfig/docker" if [ -f "$file" ]; then - ls -ld "$file" | awk '{print $1}' | grep "rw-r--r--" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %a $file)" -eq 644 ]; then pass "$check_3_8" else warn "$check_3_8" @@ -135,8 +127,7 @@ fi check_3_9="3.9 - Verify that docker-network environment file ownership is set to root:root" file="/etc/sysconfig/docker-network" if [ -f "$file" ]; then - ls -ld "$file" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then pass "$check_3_9" else warn "$check_3_9" @@ -151,8 +142,7 @@ fi check_3_10="3.10 - Verify that docker-network environment file permissions are set to 644" file="/etc/sysconfig/docker-network" if [ -f "$file" ]; then - ls -ld "$file" | awk '{print $1}' | grep "rw-r--r--" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %a $file)" -eq 644 ]; then pass "$check_3_10" else warn "$check_3_10" @@ -167,8 +157,7 @@ fi check_3_11="3.11 - Verify that docker-registry environment file ownership is set to root:root" file="/etc/sysconfig/docker-registry" if [ -f "$file" ]; then - ls -ld "$file" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then pass "$check_3_11" else warn "$check_3_11" @@ -183,8 +172,7 @@ fi check_3_12="3.12 - Verify that docker-registry environment file permissions are set to 644" file="/etc/sysconfig/docker-registry" if [ -f "$file" ]; then - ls -ld "$file" | awk '{print $1}' | grep "rw-r--r--" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %a $file)" -eq 644 ]; then pass "$check_3_12" else warn "$check_3_12" @@ -199,8 +187,7 @@ fi check_3_13="3.13 - Verify that docker-storage environment file ownership is set to root:root" file="/etc/sysconfig/docker-storage" if [ -f "$file" ]; then - ls -ld "$file" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then pass "$check_3_13" else warn "$check_3_13" @@ -215,8 +202,7 @@ fi check_3_14="3.14 - Verify that docker-storage environment file permissions are set to 644" file="/etc/sysconfig/docker-storage" if [ -f "$file" ]; then - ls -ld "$file" | awk '{print $1}' | grep "rw-r--r--" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %a $file)" -eq 644 ]; then pass "$check_3_14" else warn "$check_3_14" @@ -231,8 +217,7 @@ fi check_3_15="3.15 - Verify that /etc/docker directory ownership is set to root:root" directory="/etc/docker" if [ -d "$directory" ]; then - ls -ld "$directory" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %u%g $directory)" -eq 00 ]; then pass "$check_3_15" else warn "$check_3_15" @@ -310,8 +295,7 @@ fi check_3_19="3.19 - Verify that TLS CA certificate file ownership is set to root:root" tlscacert=$(pgrep -lf docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1) if [ -f "$tlscacert" ]; then - ls -ld "$tlscacert" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then pass "$check_3_19" else warn "$check_3_19" @@ -342,8 +326,7 @@ fi check_3_21="3.21 - Verify that Docker server certificate file ownership is set to root:root" tlscert=$(pgrep -lf docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1) if [ -f "$tlscert" ]; then - ls -ld "$tlscert" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then pass "$check_3_21" else warn "$check_3_21" @@ -374,8 +357,7 @@ fi check_3_23="3.23 - Verify that Docker server key file ownership is set to root:root" tlskey=$(pgrep -lf docker | sed -n 's/.*tlskey=\([^s]\)/\1/p' | cut -d " " -f 1) if [ -f "$tlskey" ]; then - ls -ld "$tlskey" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then pass "$check_3_23" else warn "$check_3_23" @@ -406,8 +388,7 @@ fi check_3_25="3.25 - Verify that Docker socket file ownership is set to root:docker" file="/var/run/docker.sock" if [ -f "$file" ]; then - ls -ld "$file" | awk '{print $3, $4}' | grep "root docker" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then pass "$check_3_25" else warn "$check_3_25" From 3059cef2c3f3ec39d8f8ff4d34f9271ec0016cc6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Wed, 17 Jun 2015 23:52:23 +0200 Subject: [PATCH 17/36] 444 is read-only MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- tests/3_docker_daemon_configuration_files.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/3_docker_daemon_configuration_files.sh b/tests/3_docker_daemon_configuration_files.sh index 7f23371..33db6bc 100644 --- a/tests/3_docker_daemon_configuration_files.sh +++ b/tests/3_docker_daemon_configuration_files.sh @@ -276,7 +276,7 @@ if [ -d "$directory" ]; then fail=0 perms=$(ls -lL "$directory"/*.crt | awk '{print $1}') for p in $perms; do - if [ "$p" != "-rw-r--r--." -a "$p" = "-rw-------." ]; then + if [ "$p" != "-r--r--r--." -a "$p" = "-r--------." ]; then fail=1 fi done @@ -311,7 +311,7 @@ check_3_20="3.20 - Verify that TLS CA certificate file permissions are set to 44 tlscacert=$(pgrep -lf docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1) if [ -f "$tlscacert" ]; then perms=$(ls -ld "$tlscacert" | awk '{print $1}') - if [ "$perms" = "-rw-r--r--" ]; then + if [ "$perms" = "-r--r--r--" ]; then pass "$check_3_20" else warn "$check_3_20" @@ -342,7 +342,7 @@ check_3_22="3.22 - Verify that Docker server certificate file permissions are se tlscacert=$(pgrep -lf docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1) if [ -f "$tlscert" ]; then perms=$(ls -ld "$tlscert" | awk '{print $1}') - if [ "$perms" = "-rw-r--r--" ]; then + if [ "$perms" = "-r--r--r--" ]; then pass "$check_3_22" else warn "$check_3_22" From 0c61ddb6dd396efc27c2a644bfa73b3d1439419a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Wed, 17 Jun 2015 23:52:53 +0200 Subject: [PATCH 18/36] from ls to stat MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- tests/3_docker_daemon_configuration_files.sh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/tests/3_docker_daemon_configuration_files.sh b/tests/3_docker_daemon_configuration_files.sh index 33db6bc..67c870a 100644 --- a/tests/3_docker_daemon_configuration_files.sh +++ b/tests/3_docker_daemon_configuration_files.sh @@ -232,10 +232,9 @@ fi check_3_16="3.16 - Verify that /etc/docker directory permissions are set to 755" directory="/etc/docker" if [ -d "$directory" ]; then - perms=$(ls -ld $directory | awk '{print $1}') - if [ "$perms" = "drwxr-xr-x." ]; then + if [ "$(stat -c %a $directory)" -eq 755 ]; then pass "$check_3_16" - elif [ "$perms" = "drwx------" ]; then + elif [ "$(stat -c %a $directory)" -eq 700 ]; then pass "$check_3_16" else warn "$check_3_16" From 1e0ef4cf97f787727b21eb11f2ab142f7f603e19 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Thu, 18 Jun 2015 00:32:20 +0200 Subject: [PATCH 19/36] crt dir and permissions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- tests/3_docker_daemon_configuration_files.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/3_docker_daemon_configuration_files.sh b/tests/3_docker_daemon_configuration_files.sh index 67c870a..1f9cfe9 100644 --- a/tests/3_docker_daemon_configuration_files.sh +++ b/tests/3_docker_daemon_configuration_files.sh @@ -250,7 +250,7 @@ check_3_17="3.17 - Verify that registry certificate file ownership is set to roo directory="/etc/docker/certs.d/" if [ -d "$directory" ]; then fail=0 - owners=$(ls -lL "$directory"/*.crt | awk '{print "$3", "$4"}') + owners=$(ls -lL $directory | grep ".crt" | awk '{print $3, $4}') for p in $owners; do printf "%s" "$p" | grep "root" >/dev/null 2>&1 if [ $? -ne 0 ]; then @@ -273,7 +273,7 @@ check_3_18="3.18 - Verify that registry certificate file permissions are set to directory="/etc/docker/certs.d/" if [ -d "$directory" ]; then fail=0 - perms=$(ls -lL "$directory"/*.crt | awk '{print $1}') + perms=$(ls -lL $directory | grep ".crt" | awk '{print $1}') for p in $perms; do if [ "$p" != "-r--r--r--." -a "$p" = "-r--------." ]; then fail=1 From 2dbfdd112f118f90a975e293cf23eb1443b662ba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Fri, 19 Jun 2015 23:31:44 +0200 Subject: [PATCH 20/36] consistent labeling MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- README.md | 2 +- docker-bench-security.sh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index a1602ad..5ed00ec 100644 --- a/README.md +++ b/README.md @@ -38,7 +38,7 @@ docker run -it --net host --pid host --cap-add audit_control \ -v /var/lib:/var/lib \ -v /var/run/docker.sock:/var/run/docker.sock \ -v /usr/lib/systemd:/usr/lib/systemd \ - -v /etc:/etc --label security-benchmark \ + -v /etc:/etc --label docker-bench-security \ docker-bench-security ``` diff --git a/docker-bench-security.sh b/docker-bench-security.sh index 18bb973..690c41f 100755 --- a/docker-bench-security.sh +++ b/docker-bench-security.sh @@ -73,11 +73,11 @@ done main () { # List all running containers containers=$(docker ps -q) - # If there is a container with label docker-bench, memorize it: + # If there is a container with label docker-bench-security, memorize it: benchcont="nil" for c in $containers; do labels=$(docker inspect --format '{{ .Config.Labels }}' "$c") - contains "$labels" "docker-bench" && benchcont="$c" + contains "$labels" "docker-bench-security" && benchcont="$c" done # List all running containers except docker-bench containers=$(docker ps -q | grep -v "$benchcont") From 3d2565742a16392e08d8d42dafd67956480d875e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Fri, 19 Jun 2015 23:46:43 +0200 Subject: [PATCH 21/36] same build instructions everywhere MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- CONTRIBUTING.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 36d2d2f..1b9fe4f 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -19,12 +19,15 @@ The only thing you need to hack on Docker Bench for Security is a POSIX 2004 com You can build the container that wraps the docker-bench for security: ```sh ✗ git clone git@github.com:docker/docker-bench-security.git -✗ docker build -t diogomonica/docker-bench-security . +✗ cd docker-bench-security +✗ docker build -t docker-bench-security . ``` Or you can simply run the shell script locally: ```sh +✗ git clone git@github.com:docker/docker-bench-security.git +✗ cd docker-bench-security ✗ sh docker-bench-security.sh ``` From 0b32b8aa220e3f4e6fe1c84ca7bdc1faef39de79 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Fri, 19 Jun 2015 23:47:27 +0200 Subject: [PATCH 22/36] codecheck w shellcheck, checkbashisms MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- CONTRIBUTING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 1b9fe4f..ae2c13b 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -46,6 +46,6 @@ tests └── 6_docker_security_operations.sh ``` -To modify the Docker Bench for Security you should first clone the repository, make your changes, and then sign off on your commits. After that feel free to send us a pull-request with the changes. +To modify the Docker Bench for Security you should first clone the repository, make your changes, check your code with `shellcheck`, `checkbashisms` or similar tools, and then sign off on your commits. After that feel free to send us a pull-request with the changes. While this tool is inspired in the CIS Docker 1.6 Benchmark, feel free to add new tests. We will try to turn dockerbench.com into a list of good community benchmarks for both security and performance, and we would love community contributions. From b808610b459af93903568c6900b3bf898e6bd58a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Fri, 19 Jun 2015 23:52:01 +0200 Subject: [PATCH 23/36] simplify dir tree MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- CONTRIBUTING.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index ae2c13b..b3bda6c 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -36,8 +36,7 @@ The Docker Bench has the main script called `docker-bench-security.sh`. This is The tests are split in 6 different files: ```sh -✗ docker-bench-security git:(master) ✗ tree tests -tests +✗ tests ├── 1_host_configuration.sh ├── 2_docker_daemon_configuration.sh ├── 3_docker_daemon_configuration_files.sh From 0602870be5ea087770ea7da1992a090a142dfe3f Mon Sep 17 00:00:00 2001 From: liron-l Date: Thu, 18 Jun 2015 13:21:57 +0300 Subject: [PATCH 24/36] Fix CIS 5.8 - Reverse container port and reduce privileged port to 1024 -- According to CIS, 5.8 apply to priviliged port on the host not on the container: `processes are not allowed to use them for various security reasons. Docker allows a container port to be mapped to a privileged port.` -- Also privileged port should be less than 1024 inclusive Signed-off-by: liron-l --- tests/5_container_runtime.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tests/5_container_runtime.sh b/tests/5_container_runtime.sh index 35c41b5..9f581bf 100644 --- a/tests/5_container_runtime.sh +++ b/tests/5_container_runtime.sh @@ -201,11 +201,12 @@ else fail=0 for c in $containers; do - ports=$(docker port "$c" | awk '{print $1}' | cut -d '/' -f1) + # Port format is private port -> ip: public port + ports=$(docker port "$c" | awk '{print $0}' | cut -d ':' -f2) # iterate through port range (line delimited) for port in $ports; do - if [ ! -z "$port" ] && [ "0$port" -lt 1025 ]; then + if [ ! -z "$port" ] && [ "0$port" -lt 1024 ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then warn "$check_5_8" From b2093036dfb74aa21f326f4e44aa35c7381eef67 Mon Sep 17 00:00:00 2001 From: Liron Levin Date: Thu, 18 Jun 2015 13:21:57 +0300 Subject: [PATCH 25/36] Fix CIS 5.8 - Reverse container port and reduce privileged port to 1024 -- According to CIS, 5.8 apply to priviliged port on the host not on the container: `processes are not allowed to use them for various security reasons. Docker allows a container port to be mapped to a privileged port.` -- Also privileged port should be less than 1024 inclusive Signed-off-by: liron-l Signed-off-by: Liron Levin --- tests/5_container_runtime.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tests/5_container_runtime.sh b/tests/5_container_runtime.sh index 35c41b5..9f581bf 100644 --- a/tests/5_container_runtime.sh +++ b/tests/5_container_runtime.sh @@ -201,11 +201,12 @@ else fail=0 for c in $containers; do - ports=$(docker port "$c" | awk '{print $1}' | cut -d '/' -f1) + # Port format is private port -> ip: public port + ports=$(docker port "$c" | awk '{print $0}' | cut -d ':' -f2) # iterate through port range (line delimited) for port in $ports; do - if [ ! -z "$port" ] && [ "0$port" -lt 1025 ]; then + if [ ! -z "$port" ] && [ "0$port" -lt 1024 ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then warn "$check_5_8" From 072df180aa216f0bcdf2720d54234751d536d1b8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Sun, 21 Jun 2015 22:07:07 +0200 Subject: [PATCH 26/36] tests tree MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- CONTRIBUTING.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index b3bda6c..e933130 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -36,7 +36,8 @@ The Docker Bench has the main script called `docker-bench-security.sh`. This is The tests are split in 6 different files: ```sh -✗ tests +✗ tree tests/ +tests/ ├── 1_host_configuration.sh ├── 2_docker_daemon_configuration.sh ├── 3_docker_daemon_configuration_files.sh From b5c571df188cb095f3387f35bb375d026a5d18c5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Sun, 21 Jun 2015 23:03:34 +0200 Subject: [PATCH 27/36] shellcheck fixes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- tests/1_host_configuration.sh | 2 +- tests/5_container_runtime.sh | 2 +- tests/6_docker_security_operations.sh | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/1_host_configuration.sh b/tests/1_host_configuration.sh index d97a1ba..35188e6 100644 --- a/tests/1_host_configuration.sh +++ b/tests/1_host_configuration.sh @@ -40,7 +40,7 @@ fi # 1.6 check_1_6="1.6 - Keep Docker up to date" docker_version=$(docker version | grep 'Server version' | awk '{print $3}') -do_version_check 1.6.2 $docker_version +do_version_check 1.6.2 "$docker_version" if [ $? -eq 11 ]; then warn "$check_1_6" else diff --git a/tests/5_container_runtime.sh b/tests/5_container_runtime.sh index 9f581bf..7284249 100644 --- a/tests/5_container_runtime.sh +++ b/tests/5_container_runtime.sh @@ -180,7 +180,7 @@ else fi processes=$(docker exec "$c" ps -el 2>/dev/null | grep -c sshd | awk '{print $1}') - if [ $processes -gt 1 ]; then + if [ "$processes" -gt 1 ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then warn "$check_5_7" diff --git a/tests/6_docker_security_operations.sh b/tests/6_docker_security_operations.sh index 3165986..28d6916 100644 --- a/tests/6_docker_security_operations.sh +++ b/tests/6_docker_security_operations.sh @@ -40,7 +40,7 @@ images=$(docker images -q | wc -l | awk '{print $1}') active_images=0 for c in $(docker inspect -f "{{.Image}}" $(docker ps -qa)); do - if docker images --no-trunc -a | grep $c > /dev/null ; then + if docker images --no-trunc -a | grep "$c" > /dev/null ; then active_images=$(( active_images += 1 )) fi done @@ -61,7 +61,7 @@ fi check_6_7="6.7 - Avoid container sprawl" total_containers=$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}') running_containers=$(docker ps -q | wc -l | awk '{print $1}') -diff="$(($total_containers - $running_containers))" +diff="$((total_containers - running_containers))" if [ "$diff" -gt 25 ]; then warn "$check_6_7" warn " * There are currently a total of $total_containers containers, with only $running_containers of them currently running" From ef8ff4a9f3760a5cbb72399e3e60a015c4dc4f91 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Sun, 21 Jun 2015 23:11:02 +0200 Subject: [PATCH 28/36] update do_version_check MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- tests/1_host_configuration.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/1_host_configuration.sh b/tests/1_host_configuration.sh index d97a1ba..9d0b72d 100644 --- a/tests/1_host_configuration.sh +++ b/tests/1_host_configuration.sh @@ -40,9 +40,11 @@ fi # 1.6 check_1_6="1.6 - Keep Docker up to date" docker_version=$(docker version | grep 'Server version' | awk '{print $3}') -do_version_check 1.6.2 $docker_version +docker_current_version="1.7.0" +do_version_check "$docker_current_version" "$docker_version" if [ $? -eq 11 ]; then warn "$check_1_6" + warn " * Using $docker_version, when $docker_current_version is current." else pass "$check_1_6" fi From 2907078fd2285ebebd1241e947bc1298e7e5064a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Sun, 21 Jun 2015 23:11:23 +0200 Subject: [PATCH 29/36] actually catch ssh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- tests/5_container_runtime.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/5_container_runtime.sh b/tests/5_container_runtime.sh index 9f581bf..c6e6f66 100644 --- a/tests/5_container_runtime.sh +++ b/tests/5_container_runtime.sh @@ -180,7 +180,7 @@ else fi processes=$(docker exec "$c" ps -el 2>/dev/null | grep -c sshd | awk '{print $1}') - if [ $processes -gt 1 ]; then + if [ "$processes" -ge 1 ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then warn "$check_5_7" From 641bf4e8644449e11e65074d92f9d748128d295a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Tue, 23 Jun 2015 21:32:35 +0200 Subject: [PATCH 30/36] keep the image up-to-date MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- Dockerfile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index a552ef4..0449c05 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,8 @@ FROM alpine:3.1 -RUN apk --update add docker +RUN apk update && \ + apk upgrade && \ + apk --update add docker RUN mkdir /docker-bench-security From a324c22e3ca1c43445fbb13f08679518d529420b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Tue, 23 Jun 2015 22:45:43 +0200 Subject: [PATCH 31/36] distro specific readme MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- distros/README.md | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 distros/README.md diff --git a/distros/README.md b/distros/README.md new file mode 100644 index 0000000..8d9f5e3 --- /dev/null +++ b/distros/README.md @@ -0,0 +1,35 @@ +# Distribution specific Dockerfiles + +## Requirements + +### Keep your images up-to-date +Use the distribution package manager to keep your image up-to-date. + +### REPOSITORY +Add a `REPOSITORY` comment with the URL to your GitHub repository where the Dockerfile is present. +`# REPOSITORY ` + +### MAINTAINER +Add the `MAINTAINER` instruction and your contact details, GitHub aliases are acceptable. + +## Example Dockerfile + +```sh +# REPOSITORY https://github.com/docker/docker-bench-security + +MAINTAINER dockerbench.com + +FROM alpine:3.1 + +RUN apk update && \ + apk upgrade && \ + apk --update add docker + +RUN mkdir /docker-bench-security + +COPY . /docker-bench-security + +WORKDIR /docker-bench-security + +ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"] +``` From 2a9d8a0da746cc0761c7b0d71427aa6d88f3befe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Tue, 23 Jun 2015 22:46:03 +0200 Subject: [PATCH 32/36] distro specific example MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- distros/Dockerfile.alpine | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 distros/Dockerfile.alpine diff --git a/distros/Dockerfile.alpine b/distros/Dockerfile.alpine new file mode 100644 index 0000000..76260c6 --- /dev/null +++ b/distros/Dockerfile.alpine @@ -0,0 +1,17 @@ +# REPOSITORY https://github.com/docker/docker-bench-security + +MAINTAINER dockerbench.com + +FROM alpine:3.1 + +RUN apk update && \ + apk upgrade && \ + apk --update add docker + +RUN mkdir /docker-bench-security + +COPY . /docker-bench-security + +WORKDIR /docker-bench-security + +ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"] From e2cd15bf52c64809fd3d7e2209a13ab7cf446286 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Tue, 23 Jun 2015 22:48:37 +0200 Subject: [PATCH 33/36] Dockerfile name MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- distros/README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/distros/README.md b/distros/README.md index 8d9f5e3..7414672 100644 --- a/distros/README.md +++ b/distros/README.md @@ -2,6 +2,9 @@ ## Requirements +### Dockerfile name +The format should be `Dockerfile.{distribution name}`. + ### Keep your images up-to-date Use the distribution package manager to keep your image up-to-date. From 7afc408e49fd72a434e1be82521bf78221381ce6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Fri, 26 Jun 2015 02:18:56 +0200 Subject: [PATCH 34/36] remove Dockerfile from readme MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- distros/README.md | 22 +--------------------- 1 file changed, 1 insertion(+), 21 deletions(-) diff --git a/distros/README.md b/distros/README.md index 7414672..a5686e1 100644 --- a/distros/README.md +++ b/distros/README.md @@ -15,24 +15,4 @@ Add a `REPOSITORY` comment with the URL to your GitHub repository where the Dock ### MAINTAINER Add the `MAINTAINER` instruction and your contact details, GitHub aliases are acceptable. -## Example Dockerfile - -```sh -# REPOSITORY https://github.com/docker/docker-bench-security - -MAINTAINER dockerbench.com - -FROM alpine:3.1 - -RUN apk update && \ - apk upgrade && \ - apk --update add docker - -RUN mkdir /docker-bench-security - -COPY . /docker-bench-security - -WORKDIR /docker-bench-security - -ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"] -``` +For an example Dockerfile, please refer to `Dockerfile.alpine`. From 7efb4b1d95da5cff01025e354e420defb0b066ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Diogo=20M=C3=B3nica?= Date: Sun, 28 Jun 2015 11:00:37 -0700 Subject: [PATCH 35/36] Update README --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 5ed00ec..ca3371f 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ ![Docker Bench for Security running](https://github.com/diogomonica/docker-bench-security/raw/master/benchmark_log.png?raw=true "Docker Bench for Security running") -The Docker Bench for Security is a script that checks for all the automatable tests included in the [CIS Docker 1.6 Benchmark](https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf). We are releasing this as a follow-up to our [Understanding Docker Security and Best Practices](https://blog.docker.com/2015/05/understanding-docker-security-and-best-practices/) blog post. +The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are inspired by the [CIS Docker 1.6 Benchmark](https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf). We are releasing this as a follow-up to our [Understanding Docker Security and Best Practices](https://blog.docker.com/2015/05/understanding-docker-security-and-best-practices/) blog post. We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and docker containers against this benchmark. @@ -10,7 +10,7 @@ We are making this available as an open-source utility so the Docker community c We packaged docker bench as a small container for your convenience. Note that this container is being run with a *lot* of privilege -- sharing the host's filesystem, pid and network namespaces, due to portions of the benchmark applying to the running host. -The easiest way to run your hosts against the CIS Docker 1.6 benchmark is by running our pre-built container: +The easiest way to run your hosts against the Docker Bench for Security is by running our pre-built container: ```sh From f18f5edff060cbc7ebdb70c17253f3890b8fc780 Mon Sep 17 00:00:00 2001 From: Diogo Monica Date: Sun, 28 Jun 2015 11:04:53 -0700 Subject: [PATCH 36/36] Change the scripts header to mention Docker Benchmark for Security --- docker-bench-security.sh | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/docker-bench-security.sh b/docker-bench-security.sh index 690c41f..e1e6503 100755 --- a/docker-bench-security.sh +++ b/docker-bench-security.sh @@ -1,10 +1,11 @@ #!/bin/sh # ------------------------------------------------------------------------------ -# CIS Docker 1.6 Benchmark v1.0.0 checker +# Docker Bench for Security v1.0.0 # # Docker, Inc. (c) 2015 # -# Provides automated tests for the CIS Docker 1.6 Benchmark: +# Checks for dozens of common best-practices around deploying Docker containers in production. +# Inspired by the CIS Docker 1.6 Benchmark: # https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf # # ------------------------------------------------------------------------------ @@ -42,11 +43,12 @@ usage () { } yell "# ------------------------------------------------------------------------------ -# CIS Docker 1.6 Benchmark v1.0.0 checker +# Docker Bench for Security v1.0.0 # # Docker, Inc. (c) 2015 # -# Provides automated tests for the CIS Docker 1.6 Benchmark: +# Checks for dozens of common best-practices around deploying Docker containers in production. +# Inspired by the CIS Docker 1.6 Benchmark: # https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf # ------------------------------------------------------------------------------"