diff --git a/tests/1_host_configuration.sh b/tests/1_host_configuration.sh index fb8260b..f8a1b87 100644 --- a/tests/1_host_configuration.sh +++ b/tests/1_host_configuration.sh @@ -20,7 +20,7 @@ check_1_1() { # 1.1.1 check_1_1_1() { id_1_1_1="1.1.1" - desc_1_1_1="Ensure the container host has been Hardened" + desc_1_1_1="Ensure the container host has been Hardened (Not Scored)" check_1_1_1="$id_1_1_1 - $desc_1_1_1" starttestjson "$id_1_1_1" "$desc_1_1_1" @@ -33,7 +33,7 @@ check_1_1_1() { # 1.1.2 check_1_1_2() { id_1_1_2="1.1.2" - desc_1_1_2="Ensure Docker is up to date" + desc_1_1_2="Ensure that the version of Docker is up to date (Not Scored)" check_1_1_2="$id_1_1_2 - $desc_1_1_2" starttestjson "$id_1_1_2" "$desc_1_1_2" @@ -68,7 +68,7 @@ check_1_2() { # 1.2.1 check_1_2_1() { id_1_2_1="1.2.1" - desc_1_2_1="Ensure a separate partition for containers has been created" + desc_1_2_1="Ensure a separate partition for containers has been created (Scored)" check_1_2_1="$id_1_2_1 - $desc_1_2_1" starttestjson "$id_1_2_1" "$desc_1_2_1" @@ -88,7 +88,7 @@ check_1_2_1() { # 1.2.2 check_1_2_2() { id_1_2_2="1.2.2" - desc_1_2_2="Ensure only trusted users are allowed to control Docker daemon" + desc_1_2_2="Ensure only trusted users are allowed to control Docker daemon (Scored)" check_1_2_2="$id_1_2_2 - $desc_1_2_2" starttestjson "$id_1_2_2" "$desc_1_2_2" @@ -105,7 +105,7 @@ check_1_2_2() { # 1.2.3 check_1_2_3() { id_1_2_3="1.2.3" - desc_1_2_3="Ensure auditing is configured for the Docker daemon" + desc_1_2_3="Ensure auditing is configured for the Docker daemon (Scored)" check_1_2_3="$id_1_2_3 - $desc_1_2_3" starttestjson "$id_1_2_3" "$desc_1_2_3" @@ -135,7 +135,7 @@ check_1_2_3() { # 1.2.4 check_1_2_4() { id_1_2_4="1.2.4" - desc_1_2_4="Ensure auditing is configured for Docker files and directories - /var/lib/docker" + desc_1_2_4="Ensure auditing is configured for Docker files and directories - /var/lib/docker (Scored)" check_1_2_4="$id_1_2_4 - $desc_1_2_4" starttestjson "$id_1_2_4" "$desc_1_2_4" @@ -172,7 +172,7 @@ check_1_2_4() { # 1.2.5 check_1_2_5() { id_1_2_5="1.2.5" - desc_1_2_5="Ensure auditing is configured for Docker files and directories - /etc/docker" + desc_1_2_5="Ensure auditing is configured for Docker files and directories - /etc/docker (Scored)" check_1_2_5="$id_1_2_5 - $desc_1_2_5" starttestjson "$id_1_2_5" "$desc_1_2_5" @@ -209,7 +209,7 @@ fi # 1.2.6 check_1_2_6() { id_1_2_6="1.2.6" - desc_1_2_6="Ensure auditing is configured for Docker files and directories - docker.service" + desc_1_2_6="Ensure auditing is configured for Docker files and directories - docker.service (Scored)" check_1_2_6="$id_1_2_6 - $desc_1_2_6" starttestjson "$id_1_2_6" "$desc_1_2_6" @@ -246,7 +246,7 @@ check_1_2_6() { # 1.2.7 check_1_2_7() { id_1_2_7="1.2.7" - desc_1_2_7="Ensure auditing is configured for Docker files and directories - docker.socket" + desc_1_2_7="Ensure auditing is configured for Docker files and directories - docker.socket (Scored)" check_1_2_7="$id_1_2_7 - $desc_1_2_7" starttestjson "$id_1_2_7" "$desc_1_2_7" @@ -283,7 +283,7 @@ check_1_2_7() { # 1.2.8 check_1_2_8() { id_1_2_8="1.2.8" - desc_1_2_8="Ensure auditing is configured for Docker files and directories - /etc/default/docker" + desc_1_2_8="Ensure auditing is configured for Docker files and directories - /etc/default/docker (Scored)" check_1_2_8="$id_1_2_8 - $desc_1_2_8" starttestjson "$id_1_2_8" "$desc_1_2_8" @@ -320,7 +320,7 @@ check_1_2_8() { # 1.2.9 check_1_2_9() { id_1_2_9="1.2.9" - desc_1_2_9="Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker" + desc_1_2_9="Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Scored)" check_1_2_9="$id_1_2_9 - $desc_1_2_9" starttestjson "$id_1_2_9" "$desc_1_2_9" @@ -357,7 +357,7 @@ check_1_2_9() { # 1.2.10 check_1_2_10() { id_1_2_10="1.2.10" - desc_1_2_10="Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json" + desc_1_2_10="Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json (Scored)" check_1_2_10="$id_1_2_10 - $desc_1_2_10" starttestjson "$id_1_2_10" "$desc_1_2_10" @@ -394,7 +394,7 @@ check_1_2_10() { # 1.2.11 check_1_2_11() { id_1_2_11="1.2.11" - desc_1_2_11="Ensure auditing is configured for Docker files and directories - /usr/bin/containerd" + desc_1_2_11="Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Scored)" check_1_2_11="$id_1_2_11 - $desc_1_2_11" starttestjson "$id_1_2_11" "$desc_1_2_11" @@ -431,7 +431,7 @@ check_1_2_11() { # 1.2.12 check_1_2_12() { id_1_2_12="1.2.12" - desc_1_2_12="Ensure auditing is configured for Docker files and directories - /usr/sbin/runc" + desc_1_2_12="Ensure auditing is configured for Docker files and directories - /usr/sbin/runc (Scored)" check_1_2_12="$id_1_2_12 - $desc_1_2_12" starttestjson "$id_1_2_12" "$desc_1_2_12" diff --git a/tests/2_docker_daemon_configuration.sh b/tests/2_docker_daemon_configuration.sh index acf4eb8..66cbd6c 100644 --- a/tests/2_docker_daemon_configuration.sh +++ b/tests/2_docker_daemon_configuration.sh @@ -12,7 +12,7 @@ check_2() { # 2.1 check_2_1() { id_2_1="2.1" - desc_2_1="Ensure network traffic is restricted between containers on the default bridge" + desc_2_1="Ensure network traffic is restricted between containers on the default bridge (Scored)" check_2_1="$id_2_1 - $desc_2_1" starttestjson "$id_2_1" "$desc_2_1" @@ -35,7 +35,7 @@ check_2_1() { # 2.2 check_2_2() { id_2_2="2.2" - desc_2_2="Ensure the logging level is set to 'info'" + desc_2_2="Ensure the logging level is set to 'info' (Scored)" check_2_2="$id_2_2 - $desc_2_2" starttestjson "$id_2_2" "$desc_2_2" @@ -74,7 +74,7 @@ check_2_2() { # 2.3 check_2_3() { id_2_3="2.3" - desc_2_3="Ensure Docker is allowed to make changes to iptables" + desc_2_3="Ensure Docker is allowed to make changes to iptables (Scored)" check_2_3="$id_2_3 - $desc_2_3" starttestjson "$id_2_3" "$desc_2_3" @@ -97,7 +97,7 @@ check_2_3() { # 2.4 check_2_4() { id_2_4="2.4" - desc_2_4="Ensure insecure registries are not used" + desc_2_4="Ensure insecure registries are not used (Scored)" check_2_4="$id_2_4 - $desc_2_4" starttestjson "$id_2_4" "$desc_2_4" @@ -126,7 +126,7 @@ check_2_4() { # 2.5 check_2_5() { id_2_5="2.5" - desc_2_5="Ensure aufs storage driver is not used" + desc_2_5="Ensure aufs storage driver is not used (Scored)" check_2_5="$id_2_5 - $desc_2_5" starttestjson "$id_2_5" "$desc_2_5" @@ -145,7 +145,7 @@ check_2_5() { # 2.6 check_2_6() { id_2_6="2.6" - desc_2_6="Ensure TLS authentication for Docker daemon is configured" + desc_2_6="Ensure TLS authentication for Docker daemon is configured (Scored)" check_2_6="$id_2_6 - $desc_2_6" starttestjson "$id_2_6" "$desc_2_6" @@ -180,7 +180,7 @@ check_2_6() { # 2.7 check_2_7() { id_2_7="2.7" - desc_2_7="Ensure the default ulimit is configured appropriately" + desc_2_7="Ensure the default ulimit is configured appropriately (Not Scored)" check_2_7="$id_2_7 - $desc_2_7" starttestjson "$id_2_7" "$desc_2_7" @@ -204,7 +204,7 @@ check_2_7() { # 2.8 check_2_8() { id_2_8="2.8" - desc_2_8="Enable user namespace support" + desc_2_8="Enable user namespace support (Scored)" check_2_8="$id_2_8 - $desc_2_8" starttestjson "$id_2_8" "$desc_2_8" @@ -227,7 +227,7 @@ check_2_8() { # 2.9 check_2_9() { id_2_9="2.9" - desc_2_9="Ensure the default cgroup usage has been confirmed" + desc_2_9="Ensure the default cgroup usage has been confirmed (Scored)" check_2_9="$id_2_9 - $desc_2_9" starttestjson "$id_2_9" "$desc_2_9" @@ -252,7 +252,7 @@ check_2_9() { # 2.10 check_2_10() { id_2_10="2.10" - desc_2_10="Ensure base device size is not changed until needed" + desc_2_10="Ensure base device size is not changed until needed (Scored)" check_2_10="$id_2_10 - $desc_2_10" starttestjson "$id_2_10" "$desc_2_10" @@ -275,7 +275,7 @@ check_2_10() { # 2.11 check_2_11() { id_2_11="2.11" - desc_2_11="Ensure that authorization for Docker client commands is enabled" + desc_2_11="Ensure that authorization for Docker client commands is enabled (Scored)" check_2_11="$id_2_11 - $desc_2_11" starttestjson "$id_2_11" "$desc_2_11" @@ -298,7 +298,7 @@ check_2_11() { # 2.12 check_2_12() { id_2_12="2.12" - desc_2_12="Ensure centralized and remote logging is configured" + desc_2_12="2.12 Ensure centralized and remote logging is configured (Scored)" check_2_12="$id_2_12 - $desc_2_12" starttestjson "$id_2_12" "$desc_2_12" @@ -317,7 +317,7 @@ check_2_12() { # 2.13 check_2_13() { id_2_13="2.13" - desc_2_13="Ensure live restore is Enabled" + desc_2_13="Ensure live restore is enabled (Scored)" check_2_13="$id_2_13 - $desc_2_13" starttestjson "$id_2_13" "$desc_2_13" @@ -346,7 +346,7 @@ check_2_13() { # 2.14 check_2_14() { id_2_14="2.14" - desc_2_14="Ensure Userland Proxy is Disabled" + desc_2_14="Ensure Userland Proxy is Disabled (Scored)" check_2_14="$id_2_14 - $desc_2_14" starttestjson "$id_2_14" "$desc_2_14" @@ -369,7 +369,7 @@ check_2_14() { # 2.15 check_2_15() { id_2_15="2.15" - desc_2_15="Ensure that a daemon-wide custom seccomp profile is applied if appropriate" + desc_2_15="Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Not Scored)" check_2_15="$id_2_15 - $desc_2_15" starttestjson "$id_2_15" "$desc_2_15" @@ -388,7 +388,7 @@ check_2_15() { # 2.16 check_2_16() { id_2_16="2.16" - desc_2_16="Ensure that experimental features are not implemented in production" + desc_2_16="Ensure that experimental features are not implemented in production (Scored)" check_2_16="$id_2_16 - $desc_2_16" starttestjson "$id_2_16" "$desc_2_16" @@ -407,7 +407,7 @@ check_2_16() { # 2.17 check_2_17() { id_2_17="2.17" - desc_2_17="Ensure containers are restricted from acquiring new privileges" + desc_2_17="Ensure containers are restricted from acquiring new privileges (Scored)" check_2_17="$id_2_17 - $desc_2_17" starttestjson "$id_2_17" "$desc_2_17" diff --git a/tests/3_docker_daemon_configuration_files.sh b/tests/3_docker_daemon_configuration_files.sh index 9a91f93..3d29598 100644 --- a/tests/3_docker_daemon_configuration_files.sh +++ b/tests/3_docker_daemon_configuration_files.sh @@ -12,7 +12,7 @@ check_3() { # 3.1 check_3_1() { id_3_1="3.1" - desc_3_1="Ensure that docker.service file ownership is set to root:root" + desc_3_1="Ensure that the docker.service file ownership is set to root:root (Scored)" check_3_1="$id_3_1 - $desc_3_1" starttestjson "$id_3_1" "$desc_3_1" @@ -40,7 +40,7 @@ check_3_1() { # 3.2 check_3_2() { id_3_2="3.2" - desc_3_2="Ensure that docker.service file permissions are appropriately set" + desc_3_2="Ensure that docker.service file permissions are appropriately set (Scored)" check_3_2="$id_3_2 - $desc_3_2" starttestjson "$id_3_2" "$desc_3_2" @@ -68,7 +68,7 @@ check_3_2() { # 3.3 check_3_3() { id_3_3="3.3" - desc_3_3="Ensure that docker.socket file ownership is set to root:root" + desc_3_3="Ensure that docker.socket file ownership is set to root:root (Scored)" check_3_3="$id_3_3 - $desc_3_3" starttestjson "$id_3_3" "$desc_3_3" @@ -96,7 +96,7 @@ check_3_3() { # 3.4 check_3_4() { id_3_4="3.4" - desc_3_4="Ensure that docker.socket file permissions are set to 644 or more restrictive" + desc_3_4="Ensure that docker.socket file permissions are set to 644 or more restrictive (Scored)" check_3_4="$id_3_4 - $desc_3_4" starttestjson "$id_3_4" "$desc_3_4" @@ -124,7 +124,7 @@ check_3_4() { # 3.5 check_3_5() { id_3_5="3.5" - desc_3_5="Ensure that /etc/docker directory ownership is set to root:root" + desc_3_5="Ensure that the /etc/docker directory ownership is set to root:root (Scored)" check_3_5="$id_3_5 - $desc_3_5" starttestjson "$id_3_5" "$desc_3_5" @@ -152,7 +152,7 @@ check_3_5() { # 3.6 check_3_6() { id_3_6="3.6" - desc_3_6="Ensure that /etc/docker directory permissions are set to 755 or more restrictive" + desc_3_6="Ensure that /etc/docker directory permissions are set to 755 or more restrictively (Scored)" check_3_6="$id_3_6 - $desc_3_6" starttestjson "$id_3_6" "$desc_3_6" @@ -180,7 +180,7 @@ check_3_6() { # 3.7 check_3_7() { id_3_7="3.7" - desc_3_7="Ensure that registry certificate file ownership is set to root:root" + desc_3_7="Ensure that registry certificate file ownership is set to root:root (Scored)" check_3_7="$id_3_7 - $desc_3_7" starttestjson "$id_3_7" "$desc_3_7" @@ -215,7 +215,7 @@ check_3_7() { # 3.8 check_3_8() { id_3_8="3.8" - desc_3_8="Ensure that registry certificate file permissions are set to 444 or more restrictive" + desc_3_8="Ensure that registry certificate file permissions are set to 444 or more restrictively (Scored)" check_3_8="$id_3_8 - $desc_3_8" starttestjson "$id_3_8" "$desc_3_8" @@ -250,7 +250,7 @@ check_3_8() { # 3.9 check_3_9() { id_3_9="3.9" - desc_3_9="Ensure that TLS CA certificate file ownership is set to root:root" + desc_3_9="Ensure that TLS CA certificate file ownership is set to root:root (Scored)" check_3_9="$id_3_9 - $desc_3_9" starttestjson "$id_3_9" "$desc_3_9" @@ -282,7 +282,7 @@ check_3_9() { # 3.10 check_3_10() { id_3_10="3.10" - desc_3_10="Ensure that TLS CA certificate file permissions are set to 444 or more restrictive" + desc_3_10="Ensure that TLS CA certificate file permissions are set to 444 or more restrictively (Scored)" check_3_10="$id_3_10 - $desc_3_10" starttestjson "$id_3_10" "$desc_3_10" @@ -314,7 +314,7 @@ check_3_10() { # 3.11 check_3_11() { id_3_11="3.11" - desc_3_11="Ensure that Docker server certificate file ownership is set to root:root" + desc_3_11="Ensure that Docker server certificate file ownership is set to root:root (Scored)" check_3_11="$id_3_11 - $desc_3_11" starttestjson "$id_3_11" "$desc_3_11" @@ -346,7 +346,7 @@ check_3_11() { # 3.12 check_3_12() { id_3_12="3.12" - desc_3_12="Ensure that Docker server certificate file permissions are set to 444 or more restrictive" + desc_3_12="Ensure that the Docker server certificate file permissions are set to 444 or more restrictively (Scored)" check_3_12="$id_3_12 - $desc_3_12" starttestjson "$id_3_12" "$desc_3_12" @@ -378,7 +378,7 @@ check_3_12() { # 3.13 check_3_13() { id_3_13="3.13" - desc_3_13="Ensure that Docker server certificate key file ownership is set to root:root" + desc_3_13="Ensure that the Docker server certificate key file ownership is set to root:root (Scored)" check_3_13="$id_3_13 - $desc_3_13" starttestjson "$id_3_13" "$desc_3_13" @@ -410,7 +410,7 @@ check_3_13() { # 3.14 check_3_14() { id_3_14="3.14" - desc_3_14="Ensure that Docker server certificate key file permissions are set to 400" + desc_3_14="Ensure that the Docker server certificate key file permissions are set to 400 (Scored)" check_3_14="$id_3_14 - $desc_3_14" starttestjson "$id_3_14" "$desc_3_14" @@ -442,7 +442,7 @@ check_3_14() { # 3.15 check_3_15() { id_3_15="3.15" - desc_3_15="Ensure that Docker socket file ownership is set to root:docker" + desc_3_15="Ensure that the Docker socket file ownership is set to root:docker (Scored)" check_3_15="$id_3_15 - $desc_3_15" starttestjson "$id_3_15" "$desc_3_15" @@ -470,7 +470,7 @@ check_3_15() { # 3.16 check_3_16() { id_3_16="3.16" - desc_3_16="Ensure that Docker socket file permissions are set to 660 or more restrictive" + desc_3_16="Ensure that the Docker socket file permissions are set to 660 or more restrictively (Scored)" check_3_16="$id_3_16 - $desc_3_16" starttestjson "$id_3_16" "$desc_3_16" @@ -498,7 +498,7 @@ check_3_16() { # 3.17 check_3_17() { id_3_17="3.17" - desc_3_17="Ensure that daemon.json file ownership is set to root:root" + desc_3_17="Ensure that the daemon.json file ownership is set to root:root (Scored)" check_3_17="$id_3_17 - $desc_3_17" starttestjson "$id_3_17" "$desc_3_17" @@ -526,7 +526,7 @@ check_3_17() { # 3.18 check_3_18() { id_3_18="3.18" - desc_3_18="Ensure that daemon.json file permissions are set to 644 or more restrictive" + desc_3_18="Ensure that daemon.json file permissions are set to 644 or more restrictive (Scored)" check_3_18="$id_3_18 - $desc_3_18" starttestjson "$id_3_18" "$desc_3_18" @@ -554,7 +554,7 @@ check_3_18() { # 3.19 check_3_19() { id_3_19="3.19" - desc_3_19="Ensure that /etc/default/docker file ownership is set to root:root" + desc_3_19="Ensure that the /etc/default/docker file ownership is set to root:root (Scored)" check_3_19="$id_3_19 - $desc_3_19" starttestjson "$id_3_19" "$desc_3_19" @@ -582,7 +582,7 @@ check_3_19() { # 3.20 check_3_20() { id_3_20="3.20" - desc_3_20="Ensure that the /etc/sysconfig/docker file ownership is set to root:root" + desc_3_20="Ensure that the /etc/sysconfig/docker file ownership is set to root:root (Scored)" check_3_20="$id_3_20 - $desc_3_20" starttestjson "$id_3_20" "$desc_3_20" @@ -610,7 +610,7 @@ check_3_20() { # 3.21 check_3_21() { id_3_21="3.21" - desc_3_21="Ensure that /etc/sysconfig/docker file permissions are set to 644 or more restrictive" + desc_3_21="Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (Scored)" check_3_21="$id_3_21 - $desc_3_21" starttestjson "$id_3_21" "$desc_3_21" @@ -638,7 +638,7 @@ check_3_21() { # 3.22 check_3_22() { id_3_22="3.22" - desc_3_22="Ensure that /etc/default/docker file permissions are set to 644 or more restrictive" + desc_3_22="Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively (Scored)" check_3_22="$id_3_22 - $desc_3_22" starttestjson "$id_3_22" "$desc_3_22" diff --git a/tests/4_container_images.sh b/tests/4_container_images.sh index 79fc605..485655e 100644 --- a/tests/4_container_images.sh +++ b/tests/4_container_images.sh @@ -12,7 +12,7 @@ check_4() { # 4.1 check_4_1() { id_4_1="4.1" - desc_4_1="Ensure a user for the container has been created" + desc_4_1="Ensure that a user for the container has been created (Scored)" check_4_1="$id_4_1 - $desc_4_1" starttestjson "$id_4_1" "$desc_4_1" @@ -64,7 +64,7 @@ check_4_1() { # 4.2 check_4_2() { id_4_2="4.2" - desc_4_2="Ensure that containers use only trusted base images" + desc_4_2="Ensure that containers use only trusted base images (Not Scored)" check_4_2="$id_4_2 - $desc_4_2" starttestjson "$id_4_2" "$desc_4_2" @@ -77,7 +77,7 @@ check_4_2() { # 4.3 check_4_3() { id_4_3="4.3" - desc_4_3="Ensure that unnecessary packages are not installed in the container" + desc_4_3="Ensure that unnecessary packages are not installed in the container (Not Scored)" check_4_3="$id_4_3 - $desc_4_3" starttestjson "$id_4_3" "$desc_4_3" @@ -90,7 +90,7 @@ check_4_3() { # 4.4 check_4_4() { id_4_4="4.4" - desc_4_4="Ensure images are scanned and rebuilt to include security patches" + desc_4_4="Ensure images are scanned and rebuilt to include security patches (Not Scored)" check_4_4="$id_4_4 - $desc_4_4" starttestjson "$id_4_4" "$desc_4_4" @@ -103,7 +103,7 @@ check_4_4() { # 4.5 check_4_5() { id_4_5="4.5" - desc_4_5="Ensure Content trust for Docker is Enabled" + desc_4_5="Ensure Content trust for Docker is Enabled (Scored)" check_4_5="$id_4_5 - $desc_4_5" starttestjson "$id_4_5" "$desc_4_5" @@ -122,7 +122,7 @@ check_4_5() { # 4.6 check_4_6() { id_4_6="4.6" - desc_4_6="Ensure that HEALTHCHECK instructions have been added to container images" + desc_4_6="Ensure that HEALTHCHECK instructions have been added to container images (Scored)" check_4_6="$id_4_6 - $desc_4_6" starttestjson "$id_4_6" "$desc_4_6" @@ -155,7 +155,7 @@ check_4_6() { # 4.7 check_4_7() { id_4_7="4.7" - desc_4_7="Ensure update instructions are not use alone in the Dockerfile" + desc_4_7="Ensure update instructions are not use alone in the Dockerfile (Not Scored)" check_4_7="$id_4_7 - $desc_4_7" starttestjson "$id_4_7" "$desc_4_7" @@ -188,7 +188,7 @@ check_4_7() { # 4.8 check_4_8() { id_4_8="4.8" - desc_4_8="Ensure setuid and setgid permissions are removed" + desc_4_8="Ensure setuid and setgid permissions are removed (Not Scored)" check_4_8="$id_4_8 - $desc_4_8" starttestjson "$id_4_8" "$desc_4_8" @@ -201,7 +201,7 @@ check_4_8() { # 4.9 check_4_9() { id_4_9="4.9" - desc_4_9="Ensure that COPY is used instead of ADD in Dockerfiles" + desc_4_9="Ensure that COPY is used instead of ADD in Dockerfiles (Not Scored)" check_4_9="$id_4_9 - $desc_4_9" starttestjson "$id_4_9" "$desc_4_9" @@ -235,7 +235,7 @@ check_4_9() { # 4.10 check_4_10() { id_4_10="4.10" - desc_4_10="Ensure secrets are not stored in Dockerfiles" + desc_4_10="Ensure secrets are not stored in Dockerfiles (Not Scored)" check_4_10="$id_4_10 - $desc_4_10" starttestjson "$id_4_10" "$desc_4_10" @@ -248,7 +248,7 @@ check_4_10() { # 4.11 check_4_11() { id_4_11="4.11" - desc_4_11="Ensure only verified packages are installed" + desc_4_11="Ensure only verified packages are are installed (Not Scored)" check_4_11="$id_4_11 - $desc_4_11" starttestjson "$id_4_11" "$desc_4_11" diff --git a/tests/5_container_runtime.sh b/tests/5_container_runtime.sh index b3a8e2f..a42be93 100644 --- a/tests/5_container_runtime.sh +++ b/tests/5_container_runtime.sh @@ -29,7 +29,7 @@ check_5_1() { fi id_5_1="5.1" - desc_5_1="Ensure that, if applicable, an AppArmor Profile is enabled " + desc_5_1="Ensure that, if applicable, an AppArmor Profile is enabled (Scored)" check_5_1="$id_5_1 - $desc_5_1" starttestjson "$id_5_1" "$desc_5_1" @@ -71,7 +71,7 @@ check_5_2() { fi id_5_2="5.2" - desc_5_2="Ensure that, if applicable, SELinux security options are set" + desc_5_2="Ensure that, if applicable, SELinux security options are set (Scored)" check_5_2="$id_5_2 - $desc_5_2" starttestjson "$id_5_2" "$desc_5_2" @@ -113,7 +113,7 @@ check_5_3() { fi id_5_3="5.3" - desc_5_3="Ensure Linux Kernel Capabilities are restricted within containers" + desc_5_3="Ensure that Linux kernel capabilities are restricted within containers (Scored)" check_5_3="$id_5_3 - $desc_5_3" starttestjson "$id_5_3" "$desc_5_3" @@ -158,7 +158,7 @@ check_5_4() { fi id_5_4="5.4" - desc_5_4="Ensure that privileged containers are not used" + desc_5_4="Ensure that privileged containers are not used (Scored)" check_5_4="$id_5_4 - $desc_5_4" starttestjson "$id_5_4" "$desc_5_4" @@ -200,7 +200,7 @@ check_5_5() { fi id_5_5="5.5" - desc_5_5="Ensure sensitive host system directories are not mounted on containers" + desc_5_5="Ensure sensitive host system directories are not mounted on containers (Scored)" check_5_5="$id_5_5 - $desc_5_5" starttestjson "$id_5_5" "$desc_5_5" @@ -262,7 +262,7 @@ check_5_6() { fi id_5_6="5.6" - desc_5_6="Ensure sshd is not run within containers" + desc_5_6="Ensure sshd is not run within containers (Scored)" check_5_6="$id_5_6 - $desc_5_6" starttestjson "$id_5_6" "$desc_5_6" @@ -318,7 +318,7 @@ check_5_7() { fi id_5_7="5.7" - desc_5_7="Ensure privileged ports are not mapped within containers" + desc_5_7="Ensure privileged ports are not mapped within containers (Scored)" check_5_7="$id_5_7 - $desc_5_7" starttestjson "$id_5_7" "$desc_5_7" @@ -364,7 +364,7 @@ check_5_8() { fi id_5_8="5.8" - desc_5_8="Ensure that only needed ports are open on the container" + desc_5_8="Ensure that only needed ports are open on the container (Not Scored)" check_5_8="$id_5_8 - $desc_5_8" starttestjson "$id_5_8" "$desc_5_8" @@ -381,7 +381,7 @@ check_5_9() { fi id_5_9="5.9" - desc_5_9="Ensure the host's network namespace is not shared" + desc_5_9="Ensure that the host's network namespace is not shared (Scored)" check_5_9="$id_5_9 - $desc_5_9" starttestjson "$id_5_9" "$desc_5_9" @@ -423,7 +423,7 @@ check_5_10() { fi id_5_10="5.10" - desc_5_10="Ensure that the memory usage for containers is limited" + desc_5_10="Ensure that the memory usage for containers is limited (Scored)" check_5_10="$id_5_10 - $desc_5_10" starttestjson "$id_5_10" "$desc_5_10" @@ -469,7 +469,7 @@ check_5_11() { fi id_5_11="5.11" - desc_5_11="Ensure CPU priority is set appropriately on the container" + desc_5_11="Ensure that CPU priority is set appropriately on containers (Scored)" check_5_11="$id_5_11 - $desc_5_11" starttestjson "$id_5_11" "$desc_5_11" @@ -515,7 +515,7 @@ check_5_12() { fi id_5_12="5.12" - desc_5_12="Ensure that the container's root filesystem is mounted as read only" + desc_5_12="Ensure that the container's root filesystem is mounted as read only (Scored)" check_5_12="$id_5_12 - $desc_5_12" starttestjson "$id_5_12" "$desc_5_12" @@ -557,7 +557,7 @@ check_5_13() { fi id_5_13="5.13" - desc_5_13="Ensure that incoming container traffic is bound to a specific host interface" + desc_5_13="Ensure that incoming container traffic is bound to a specific host interface (Scored)" check_5_13="$id_5_13 - $desc_5_13" starttestjson "$id_5_13" "$desc_5_13" @@ -599,7 +599,7 @@ check_5_14() { fi id_5_14="5.14" - desc_5_14="Ensure that the 'on-failure' container restart policy is set to '5'" + desc_5_14="Ensure that the 'on-failure' container restart policy is set to '5' (Scored)" check_5_14="$id_5_14 - $desc_5_14" starttestjson "$id_5_14" "$desc_5_14" @@ -641,7 +641,7 @@ check_5_15() { fi id_5_15="5.15" - desc_5_15="Ensure the host's process namespace is not shared" + desc_5_15="Ensure that the host's process namespace is not shared (Scored)" check_5_15="$id_5_15 - $desc_5_15" starttestjson "$id_5_15" "$desc_5_15" @@ -683,7 +683,7 @@ check_5_16() { fi id_5_16="5.16" - desc_5_16="Ensure the host's IPC namespace is not shared" + desc_5_16="Ensure that the host's IPC namespace is not shared (Scored)" check_5_16="$id_5_16 - $desc_5_16" starttestjson "$id_5_16" "$desc_5_16" @@ -725,7 +725,7 @@ check_5_17() { fi id_5_17="5.17" - desc_5_17="Ensure that host devices are not directly exposed to containers" + desc_5_17="Ensure that host devices are not directly exposed to containers (Not Scored)" check_5_17="$id_5_17 - $desc_5_17" starttestjson "$id_5_17" "$desc_5_17" @@ -767,7 +767,7 @@ check_5_18() { fi id_5_18="5.18" - desc_5_18="Ensure that the default ulimit is overwritten at runtime if needed" + desc_5_18="Ensure that the default ulimit is overwritten at runtime if needed (Not Scored)" check_5_18="$id_5_18 - $desc_5_18" starttestjson "$id_5_18" "$desc_5_18" @@ -809,7 +809,7 @@ check_5_19() { fi id_5_19="5.19" - desc_5_19="Ensure mount propagation mode is not set to shared" + desc_5_19="Ensure mount propagation mode is not set to shared (Scored)" check_5_19="$id_5_19 - $desc_5_19" starttestjson "$id_5_19" "$desc_5_19" @@ -850,7 +850,7 @@ check_5_20() { fi id_5_20="5.20" - desc_5_20="Ensure the host's UTS namespace is not shared" + desc_5_20="Ensure that the host's UTS namespace is not shared (Scored)" check_5_20="$id_5_20 - $desc_5_20" starttestjson "$id_5_20" "$desc_5_20" @@ -892,7 +892,7 @@ check_5_21() { fi id_5_21="5.21" - desc_5_21="Ensure the default seccomp profile is not Disabled" + desc_5_21="Ensurethe default seccomp profile is not Disabled (Scored)" check_5_21="$id_5_21 - $desc_5_21" starttestjson "$id_5_21" "$desc_5_21" @@ -933,7 +933,7 @@ check_5_22() { fi id_5_22="5.22" - desc_5_22="Ensure docker exec commands are not used with privileged option" + desc_5_22="Ensure that docker exec commands are not used with the privileged option (Scored)" check_5_22="$id_5_22 - $desc_5_22" starttestjson "$id_5_22" "$desc_5_22" @@ -950,7 +950,7 @@ check_5_23() { fi id_5_23="5.23" - desc_5_23="Ensure that docker exec commands are not used with the user=root option" + desc_5_23="Ensure that docker exec commands are not used with the user=root option (Not Scored)" check_5_23="$id_5_23 - $desc_5_23" starttestjson "$id_5_23" "$desc_5_23" @@ -967,7 +967,7 @@ check_5_24() { fi id_5_24="5.24" - desc_5_24="Ensure that cgroup usage is confirmed" + desc_5_24="Ensure that cgroup usage is confirmed (Scored)" check_5_24="$id_5_24 - $desc_5_24" starttestjson "$id_5_24" "$desc_5_24" @@ -1008,7 +1008,7 @@ check_5_25() { return fi id_5_25="5.25" - desc_5_25="Ensure that the container is restricted from acquiring additional privileges" + desc_5_25="Ensure that the container is restricted from acquiring additional privileges (Scored)" check_5_25="$id_5_25 - $desc_5_25" starttestjson "$id_5_25" "$desc_5_25" @@ -1048,7 +1048,7 @@ check_5_26() { fi id_5_26="5.26" - desc_5_26="Ensure that container health is checked at runtime" + desc_5_26="Ensure that container health is checked at runtime (Scored)" check_5_26="$id_5_26 - $desc_5_26" starttestjson "$id_5_26" "$desc_5_26" @@ -1086,7 +1086,7 @@ check_5_27() { fi id_5_27="5.27" - desc_5_27="Ensure that Docker commands always make use of the latest version of their image" + desc_5_27="Ensure that Docker commands always make use of the latest version of their image (Not Scored)" check_5_27="$id_5_27 - $desc_5_27" starttestjson "$id_5_27" "$desc_5_27" @@ -1103,7 +1103,7 @@ check_5_28() { fi id_5_28="5.28" - desc_5_28="Ensure that the PIDs cgroup limit is used" + desc_5_28="Ensure that the PIDs cgroup limit is used (Scored)" check_5_28="$id_5_28 - $desc_5_28" starttestjson "$id_5_28" "$desc_5_28" @@ -1145,7 +1145,7 @@ check_5_29() { fi id_5_29="5.29" - desc_5_29="Ensure that Docker's default bridge 'docker0' is not used" + desc_5_29="Ensure that Docker's default bridge "docker0" is not used (Not Scored)" check_5_29="$id_5_29 - $desc_5_29" starttestjson "$id_5_29" "$desc_5_29" @@ -1198,7 +1198,7 @@ check_5_30() { fi id_5_30="5.30" - desc_5_30="Ensure that the host's user namespaces are not shared" + desc_5_30="Ensure that the host's user namespaces are not shared (Scored)" check_5_30="$id_5_30 - $desc_5_30" starttestjson "$id_5_30" "$desc_5_30" @@ -1238,7 +1238,7 @@ check_5_31() { fi id_5_31="5.31" - desc_5_31="Ensure that the Docker socket is not mounted inside any containers" + desc_5_31="Ensure that the Docker socket is not mounted inside any containers (Scored)" check_5_31="$id_5_31 - $desc_5_31" starttestjson "$id_5_31" "$desc_5_31" diff --git a/tests/6_docker_security_operations.sh b/tests/6_docker_security_operations.sh index 9216e80..ce9b257 100644 --- a/tests/6_docker_security_operations.sh +++ b/tests/6_docker_security_operations.sh @@ -12,7 +12,7 @@ check_6() { # 6.1 check_6_1() { id_6_1="6.1" - desc_6_1="Ensure that image sprawl is avoided" + desc_6_1="Ensure that image sprawl is avoided (Not Scored)" check_6_1="$id_6_1 - $desc_6_1" starttestjson "$id_6_1" "$desc_6_1" @@ -39,7 +39,7 @@ check_6_1() { # 6.2 check_6_2() { id_6_2="6.2" - desc_6_2="Ensure that container sprawl is avoided" + desc_6_2="Ensure that container sprawl is avoided (Not Scored)" check_6_2="$id_6_2 - $desc_6_2" starttestjson "$id_6_2" "$desc_6_2" diff --git a/tests/7_docker_swarm_configuration.sh b/tests/7_docker_swarm_configuration.sh index 00d340f..f7bc7ab 100644 --- a/tests/7_docker_swarm_configuration.sh +++ b/tests/7_docker_swarm_configuration.sh @@ -12,7 +12,7 @@ check_7() { # 7.1 check_7_1() { id_7_1="7.1" - desc_7_1="Ensure swarm mode is not Enabled, if not needed" + desc_7_1="Ensure swarm mode is not Enabled, if not needed (Scored)" check_7_1="$id_7_1 - $desc_7_1" starttestjson "$id_7_1" "$desc_7_1" @@ -31,7 +31,7 @@ check_7_1() { # 7.2 check_7_2() { id_7_2="7.2" - desc_7_2="Ensure that the minimum number of manager nodes have been created in a swarm" + desc_7_2="Ensure that the minimum number of manager nodes have been created in a swarm (Scored)" check_7_2="$id_7_2 - $desc_7_2" starttestjson "$id_7_2" "$desc_7_2" @@ -57,7 +57,7 @@ check_7_2() { # 7.3 check_7_3() { id_7_3="7.3" - desc_7_3="Ensure that swarm services are bound to a specific host interface" + desc_7_3="Ensure that swarm services are bound to a specific host interface (Scored)" check_7_3="$id_7_3 - $desc_7_3" starttestjson "$id_7_3" "$desc_7_3" @@ -83,7 +83,7 @@ check_7_3() { # 7.4 check_7_4() { id_7_4="7.4" - desc_7_4="Ensure that all Docker swarm overlay networks are encrypted" + desc_7_4="Ensure that all Docker swarm overlay networks are encrypted (Scored)" check_7_4="$id_7_4 - $desc_7_4" starttestjson "$id_7_4" "$desc_7_4" @@ -116,7 +116,7 @@ check_7_4() { # 7.5 check_7_5() { id_7_5="7.5" - desc_7_5="Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster" + desc_7_5="Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Not Scored)" check_7_5="$id_7_5 - $desc_7_5" starttestjson "$id_7_5" "$desc_7_5" @@ -141,7 +141,7 @@ check_7_5() { # 7.6 check_7_6() { id_7_6="7.6" - desc_7_6="Ensure that swarm manager is run in auto-lock mode" + desc_7_6="Ensure that swarm manager is run in auto-lock mode (Scored)" check_7_6="$id_7_6 - $desc_7_6" starttestjson "$id_7_6" "$desc_7_6" @@ -166,7 +166,7 @@ check_7_6() { # 7.7 check_7_7() { id_7_7="7.7" - desc_7_7="Ensure that the swarm manager auto-lock key is rotated periodically" + desc_7_7="Ensure that the swarm manager auto-lock key is rotated periodically (Not Scored)" check_7_7="$id_7_7 - $desc_7_7" starttestjson "$id_7_7" "$desc_7_7" @@ -185,7 +185,7 @@ check_7_7() { # 7.8 check_7_8() { id_7_8="7.8" - desc_7_8="Ensure that node certificates are rotated as appropriate" + desc_7_8="Ensure that node certificates are rotated as appropriate (Not Scored)" check_7_8="$id_7_8 - $desc_7_8" starttestjson "$id_7_8" "$desc_7_8" @@ -210,7 +210,7 @@ check_7_8() { # 7.9 check_7_9() { id_7_9="7.9" - desc_7_9="Ensure that CA certificates are rotated as appropriate" + desc_7_9="Ensure that CA certificates are rotated as appropriate (Not Scored)" check_7_9="$id_7_9 - $desc_7_9" starttestjson "$id_7_9" "$desc_7_9" @@ -229,7 +229,7 @@ check_7_9() { # 7.10 check_7_10() { id_7_10="7.10" - desc_7_10="Ensure that management plane traffic is separated from data plane traffic" + desc_7_10="Ensure that management plane traffic is separated from data plane traffic (Not Scored)" check_7_10="$id_7_10 - $desc_7_10" starttestjson "$id_7_10" "$desc_7_10" diff --git a/tests/8_docker_enterprise_configuration.sh b/tests/8_docker_enterprise_configuration.sh index ad064d0..9fce978 100644 --- a/tests/8_docker_enterprise_configuration.sh +++ b/tests/8_docker_enterprise_configuration.sh @@ -36,7 +36,7 @@ check_8_1_1() { fi id_8_1_1="8.1.1" - desc_8_1_1="Configure the LDAP authentication service" + desc_8_1_1="Configure the LDAP authentication service (Scored)" check_8_1_1="$id_8_1_1 - $desc_8_1_1" starttestjson "$id_8_1_1" "$desc_8_1_1" @@ -53,7 +53,7 @@ check_8_1_2() { fi id_8_1_2="8.1.2" - desc_8_1_2="Use external certificates" + desc_8_1_2="Use external certificates (Scored)" check_8_1_2="$id_8_1_2 - $desc_8_1_2" starttestjson "$id_8_1_2" "$desc_8_1_2" @@ -70,7 +70,7 @@ check_8_1_3() { fi id_8_1_3="8.1.3" - desc_8_1_3="Enforce the use of client certificate bundles for unprivileged users" + desc_8_1_3="Enforce the use of client certificate bundles for unprivileged users (Not Scored)" check_8_1_3="$id_8_1_3 - $desc_8_1_3" starttestjson "$id_8_1_3" "$desc_8_1_3" @@ -87,7 +87,7 @@ check_8_1_4() { fi id_8_1_4="8.1.4" - desc_8_1_4="Configure applicable cluster role-based access control policies" + desc_8_1_4="Configure applicable cluster role-based access control policies (Not Scored)" check_8_1_4="$id_8_1_4 - $desc_8_1_4" starttestjson "$id_8_1_4" "$desc_8_1_4" @@ -104,7 +104,7 @@ check_8_1_5() { fi id_8_1_5="8.1.5" - desc_8_1_5="Enable signed image enforcement" + desc_8_1_5="Enable signed image enforcement (Scored)" check_8_1_5="$id_8_1_5 - $desc_8_1_5" starttestjson "$id_8_1_5" "$desc_8_1_5" @@ -121,7 +121,7 @@ check_8_1_6() { fi id_8_1_6="8.1.6" - desc_8_1_6="Set the Per-User Session Limit to a value of '3' or lower" + desc_8_1_6="Set the Per-User Session Limit to a value of '3' or lower (Scored)" check_8_1_6="$id_8_1_6 - $desc_8_1_6" starttestjson "$id_8_1_6" "$desc_8_1_6" @@ -138,7 +138,7 @@ check_8_1_7() { fi id_8_1_7="8.1.7" - desc_8_1_7="Set the 'Lifetime Minutes' and 'Renewal Threshold Minutes' values to '15' or lower and '0' respectively" + desc_8_1_7="Set the 'Lifetime Minutes' and 'Renewal Threshold Minutes' values to '15' or lower and '0' respectively (Scored)" check_8_1_7="$id_8_1_7 - $desc_8_1_7" starttestjson "$id_8_1_7" "$desc_8_1_7" @@ -166,7 +166,7 @@ check_8_2_1() { fi id_8_2_1="8.2.1" - desc_8_2_1="Enable image vulnerability scanning" + desc_8_2_1="Enable image vulnerability scanning (Scored)" check_8_2_1="$id_8_2_1 - $desc_8_2_1" starttestjson "$id_8_2_1" "$desc_8_2_1"