GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2025-01-18 16:22:33 +01:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #26 from konstruktoid/issue_25

Browse source 
Issue #25, dont warn if file is missing and add /var/lib
This commit is contained in:
Thomas Sjögren 2015-06-15 22:03:46 +02:00
commit af47962bc8
2 changed files with 122 additions and 62 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
README.md
View file

@ -14,7 +14,7 @@ The easiest way to run your hosts against the CIS Docker 1.6 benchmark is by run
```sh
docker run -it --net host --pid host \
docker run -it --net host --pid host -v /var/lib:/var/lib \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /usr/lib/systemd:/usr/lib/systemd \
-v /etc:/etc --label docker-bench-security \
@ -33,7 +33,7 @@ If you wish to build and run this container yourself, you can follow the followi
git clone https://github.com/diogomonica/docker-bench-security.git
cd docker-bench-security
docker build -t docker-bench-security .
docker run -it --net host --pid host \
docker run -it --net host --pid host -v /var/lib:/var/lib \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /usr/lib/systemd:/usr/lib/systemd \
-v /etc:/etc --label security-benchmark \

180
tests/1_host_configuration.sh
View file

@ -71,140 +71,200 @@ fi
# 1.9
check_1_9="1.9 - Audit Docker files and directories - /var/lib/docker"
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
auditctl -l | grep /var/lib/docker >/dev/null 2>&1
directory="/var/lib/docker"
if [ -d "$file" ]; then
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_9"
auditctl -l | grep $directory >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_9"
else
warn "$check_1_9"
fi
else
warn "$check_1_9"
warn "1.9 - Failed to inspect: auditctl command not found."
fi
else
warn "1.9 - Failed to inspect: auditctl command not found."
info "$check_1_9"
info " * Directory not found"
fi
# 1.10
check_1_10="1.10 - Audit Docker files and directories - /etc/docker"
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
auditctl -l | grep /etc/docker >/dev/null 2>&1
directory="/etc/docker"
if [ -d "$directory" ]; then
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_10"
auditctl -l | grep $directory >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_10"
else
warn "$check_1_10"
fi
else
warn "$check_1_10"
warn "1.10 - Failed to inspect: auditctl command not found."
fi
else
warn "1.10 - Failed to inspect: auditctl command not found."
info "$check_1_10"
info " * Directory not found"
fi
# 1.11
check_1_11="1.11 - Audit Docker files and directories - docker-registry.service"
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
auditctl -l | grep /usr/lib/systemd/system/docker-registry.service >/dev/null 2>&1
file="/usr/lib/systemd/system/docker-registry.service"
if [ -f "$file" ]; then
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_11"
auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_11"
else
warn "$check_1_11"
fi
else
warn "$check_1_11"
warn "1.11 - Failed to inspect: auditctl command not found."
fi
else
warn "1.11 - Failed to inspect: auditctl command not found."
info "$check_1_11"
info " * File not found"
fi
# 1.12
check_1_12="1.12 - Audit Docker files and directories - docker.service"
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
auditctl -l | grep /usr/lib/systemd/system/docker.service >/dev/null 2>&1
file="/usr/lib/systemd/system/docker.service"
if [ -f "$file" ]; then
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_12"
auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_12"
else
warn "$check_1_12"
fi
else
warn "$check_1_12"
warn "1.12 - Failed to inspect: auditctl command not found."
fi
else
warn "1.12 - Failed to inspect: auditctl command not found."
info "$check_1_12"
info " * File not found"
fi
# 1.13
check_1_13="1.13 - Audit Docker files and directories - /var/run/docker.sock"
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
auditctl -l | grep /var/run/docker.sock >/dev/null 2>&1
file="/var/run/docker.sock"
if [ -e "$file" ]; then
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_13"
auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_13"
else
warn "$check_1_13"
fi
else
warn "$check_1_13"
warn "1.13 - Failed to inspect: auditctl command not found."
fi
else
warn "1.13 - Failed to inspect: auditctl command not found."
info "$check_1_13"
info " * File not found"
fi
# 1.14
check_1_14="1.14 - Audit Docker files and directories - /etc/sysconfig/docker"
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
auditctl -l | grep /etc/sysconfig/docker >/dev/null 2>&1
file="/etc/sysconfig/docker"
if [ -f "$file" ]; then
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_14"
auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_14"
else
warn "$check_1_14"
fi
else
warn "$check_1_14"
warn "1.14 - Failed to inspect: auditctl command not found."
fi
else
warn "1.14 - Failed to inspect: auditctl command not found."
info "$check_1_14"
info " * File not found"
fi
# 1.15
check_1_15="1.15 - Audit Docker files and directories - /etc/sysconfig/docker-network"
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
auditctl -l | grep /etc/sysconfig/docker-network >/dev/null 2>&1
file="/etc/sysconfig/docker-network"
if [ -f "$file" ]; then
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_15"
auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_15"
else
warn "$check_1_15"
fi
else
warn "$check_1_15"
warn "1.15 - Failed to inspect: auditctl command not found."
fi
else
warn "1.15 - Failed to inspect: auditctl command not found."
info "$check_1_15"
info " * File not found"
fi
# 1.16
check_1_16="1.16 - Audit Docker files and directories - /etc/sysconfig/docker-registry"
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
auditctl -l | grep /etc/sysconfig/docker-registry >/dev/null 2>&1
file="/etc/sysconfig/docker-registry"
if [ -f "$file" ]; then
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_16"
auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_16"
else
warn "$check_1_16"
fi
else
warn "$check_1_16"
warn "1.16 - Failed to inspect: auditctl command not found."
fi
else
warn "1.16 - Failed to inspect: auditctl command not found."
info "$check_1_16"
info " * File not found"
fi
# 1.17
check_1_17="1.17 - Audit Docker files and directories - /etc/sysconfig/docker-storage"
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
auditctl -l | grep /etc/sysconfig/docker-storage >/dev/null 2>&1
file="/etc/sysconfig/docker-storage"
if [ -f "$file" ]; then
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_17"
auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_17"
else
warn "$check_1_17"
fi
else
warn "$check_1_17"
warn "1.17 - Failed to inspect: auditctl command not found."
fi
else
warn "1.17 - Failed to inspect: auditctl command not found."
info "$check_1_17"
info " * File not found"
fi
# 1.18
check_1_18="1.18 - Audit Docker files and directories - /etc/default/docker"
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
auditctl -l | grep /etc/default/docker >/dev/null 2>&1
file="/etc/default/docker"
if [ -f "$file" ]; then
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_18"
auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_18"
else
warn "$check_1_18"
fi
else
warn "$check_1_18"
warn "1.18 - Failed to inspect: auditctl command not found."
fi
else
warn "1.18 - Failed to inspect: auditctl command not found."
info "$check_1_18"
info " * File not found"
fi