From 56a7cb8779b12bb373918949b16ea14be8b4357d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Thu, 11 Jun 2015 02:17:14 +0200
Subject: [PATCH 1/3] Issue #25, dont warn if file is missing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren
---
 tests/1_host_configuration.sh | 180 ++++++++++++++++++++++------------
 1 file changed, 120 insertions(+), 60 deletions(-)
diff --git a/tests/1_host_configuration.sh b/tests/1_host_configuration.sh
index 6e2b66d..d97a1ba 100644
--- a/tests/1_host_configuration.sh
+++ b/tests/1_host_configuration.sh
@@ -71,140 +71,200 @@ fi
 # 1.9
 check_1_9="1.9 - Audit Docker files and directories - /var/lib/docker"
-command -v auditctl >/dev/null 2>&1
-if [ $? -eq 0 ]; then
- auditctl -l | grep /var/lib/docker >/dev/null 2>&1
+directory="/var/lib/docker"
+if [ -d "$file" ]; then
+ command -v auditctl >/dev/null 2>&1
 if [ $? -eq 0 ]; then
- pass "$check_1_9"
+ auditctl -l | grep $directory >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ pass "$check_1_9"
+ else
+ warn "$check_1_9"
+ fi
 else
- warn "$check_1_9"
+ warn "1.9 - Failed to inspect: auditctl command not found."
 fi
 else
- warn "1.9 - Failed to inspect: auditctl command not found."
+ info "$check_1_9"
+ info " * Directory not found"
 fi
 # 1.10
 check_1_10="1.10 - Audit Docker files and directories - /etc/docker"
-command -v auditctl >/dev/null 2>&1
-if [ $? -eq 0 ]; then
- auditctl -l | grep /etc/docker >/dev/null 2>&1
+directory="/etc/docker"
+if [ -d "$directory" ]; then
+ command -v auditctl >/dev/null 2>&1
 if [ $? -eq 0 ]; then
- pass "$check_1_10"
+ auditctl -l | grep $directory >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ pass "$check_1_10"
+ else
+ warn "$check_1_10"
+ fi
 else
- warn "$check_1_10"
+ warn "1.10 - Failed to inspect: auditctl command not found."
 fi
 else
- warn "1.10 - Failed to inspect: auditctl command not found."
+ info "$check_1_10"
+ info " * Directory not found"
 fi
 # 1.11
 check_1_11="1.11 - Audit Docker files and directories - docker-registry.service"
-command -v auditctl >/dev/null 2>&1
-if [ $? -eq 0 ]; then
- auditctl -l | grep /usr/lib/systemd/system/docker-registry.service >/dev/null 2>&1
+file="/usr/lib/systemd/system/docker-registry.service"
+if [ -f "$file" ]; then
+ command -v auditctl >/dev/null 2>&1
 if [ $? -eq 0 ]; then
- pass "$check_1_11"
+ auditctl -l | grep $file >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ pass "$check_1_11"
+ else
+ warn "$check_1_11"
+ fi
 else
- warn "$check_1_11"
+ warn "1.11 - Failed to inspect: auditctl command not found."
 fi
 else
- warn "1.11 - Failed to inspect: auditctl command not found."
+ info "$check_1_11"
+ info " * File not found"
 fi
 # 1.12
 check_1_12="1.12 - Audit Docker files and directories - docker.service"
-command -v auditctl >/dev/null 2>&1
-if [ $? -eq 0 ]; then
- auditctl -l | grep /usr/lib/systemd/system/docker.service >/dev/null 2>&1
+file="/usr/lib/systemd/system/docker.service"
+if [ -f "$file" ]; then
+ command -v auditctl >/dev/null 2>&1
 if [ $? -eq 0 ]; then
- pass "$check_1_12"
+ auditctl -l | grep $file >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ pass "$check_1_12"
+ else
+ warn "$check_1_12"
+ fi
 else
- warn "$check_1_12"
+ warn "1.12 - Failed to inspect: auditctl command not found."
 fi
 else
- warn "1.12 - Failed to inspect: auditctl command not found."
+ info "$check_1_12"
+ info " * File not found"
 fi
 # 1.13
 check_1_13="1.13 - Audit Docker files and directories - /var/run/docker.sock"
-command -v auditctl >/dev/null 2>&1
-if [ $? -eq 0 ]; then
- auditctl -l | grep /var/run/docker.sock >/dev/null 2>&1
+file="/var/run/docker.sock"
+if [ -e "$file" ]; then
+ command -v auditctl >/dev/null 2>&1
 if [ $? -eq 0 ]; then
- pass "$check_1_13"
+ auditctl -l | grep $file >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ pass "$check_1_13"
+ else
+ warn "$check_1_13"
+ fi
 else
- warn "$check_1_13"
+ warn "1.13 - Failed to inspect: auditctl command not found."
 fi
 else
- warn "1.13 - Failed to inspect: auditctl command not found."
+ info "$check_1_13"
+ info " * File not found"
 fi
 # 1.14
 check_1_14="1.14 - Audit Docker files and directories - /etc/sysconfig/docker"
-command -v auditctl >/dev/null 2>&1
-if [ $? -eq 0 ]; then
- auditctl -l | grep /etc/sysconfig/docker >/dev/null 2>&1
+file="/etc/sysconfig/docker"
+if [ -f "$file" ]; then
+ command -v auditctl >/dev/null 2>&1
 if [ $? -eq 0 ]; then
- pass "$check_1_14"
+ auditctl -l | grep $file >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ pass "$check_1_14"
+ else
+ warn "$check_1_14"
+ fi
 else
- warn "$check_1_14"
+ warn "1.14 - Failed to inspect: auditctl command not found."
 fi
 else
- warn "1.14 - Failed to inspect: auditctl command not found."
+ info "$check_1_14"
+ info " * File not found"
 fi
 # 1.15
 check_1_15="1.15 - Audit Docker files and directories - /etc/sysconfig/docker-network"
-command -v auditctl >/dev/null 2>&1
-if [ $? -eq 0 ]; then
- auditctl -l | grep /etc/sysconfig/docker-network >/dev/null 2>&1
+file="/etc/sysconfig/docker-network"
+if [ -f "$file" ]; then
+ command -v auditctl >/dev/null 2>&1
 if [ $? -eq 0 ]; then
- pass "$check_1_15"
+ auditctl -l | grep $file >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ pass "$check_1_15"
+ else
+ warn "$check_1_15"
+ fi
 else
- warn "$check_1_15"
+ warn "1.15 - Failed to inspect: auditctl command not found."
 fi
 else
- warn "1.15 - Failed to inspect: auditctl command not found."
+ info "$check_1_15"
+ info " * File not found"
 fi
 # 1.16
 check_1_16="1.16 - Audit Docker files and directories - /etc/sysconfig/docker-registry"
-command -v auditctl >/dev/null 2>&1
-if [ $? -eq 0 ]; then
- auditctl -l | grep /etc/sysconfig/docker-registry >/dev/null 2>&1
+file="/etc/sysconfig/docker-registry"
+if [ -f "$file" ]; then
+ command -v auditctl >/dev/null 2>&1
 if [ $? -eq 0 ]; then
- pass "$check_1_16"
+ auditctl -l | grep $file >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ pass "$check_1_16"
+ else
+ warn "$check_1_16"
+ fi
 else
- warn "$check_1_16"
+ warn "1.16 - Failed to inspect: auditctl command not found."
 fi
 else
- warn "1.16 - Failed to inspect: auditctl command not found."
+ info "$check_1_16"
+ info " * File not found"
 fi
 # 1.17
 check_1_17="1.17 - Audit Docker files and directories - /etc/sysconfig/docker-storage"
-command -v auditctl >/dev/null 2>&1
-if [ $? -eq 0 ]; then
- auditctl -l | grep /etc/sysconfig/docker-storage >/dev/null 2>&1
+file="/etc/sysconfig/docker-storage"
+if [ -f "$file" ]; then
+ command -v auditctl >/dev/null 2>&1
 if [ $? -eq 0 ]; then
- pass "$check_1_17"
+ auditctl -l | grep $file >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ pass "$check_1_17"
+ else
+ warn "$check_1_17"
+ fi
 else
- warn "$check_1_17"
+ warn "1.17 - Failed to inspect: auditctl command not found."
 fi
 else
- warn "1.17 - Failed to inspect: auditctl command not found."
+ info "$check_1_17"
+ info " * File not found"
 fi
 # 1.18
 check_1_18="1.18 - Audit Docker files and directories - /etc/default/docker"
-command -v auditctl >/dev/null 2>&1
-if [ $? -eq 0 ]; then
- auditctl -l | grep /etc/default/docker >/dev/null 2>&1
+file="/etc/default/docker"
+if [ -f "$file" ]; then
+ command -v auditctl >/dev/null 2>&1
 if [ $? -eq 0 ]; then
- pass "$check_1_18"
+ auditctl -l | grep $file >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ pass "$check_1_18"
+ else
+ warn "$check_1_18"
+ fi
 else
- warn "$check_1_18"
+ warn "1.18 - Failed to inspect: auditctl command not found."
 fi
 else
- warn "1.18 - Failed to inspect: auditctl command not found."
+ info "$check_1_18"
+ info " * File not found"
 fi
From f4ee80ba3e807c505595d974ca940f336c4e4e26 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Thu, 11 Jun 2015 21:37:44 +0200
Subject: [PATCH 2/3] add -v /var/lib:/var/lib
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index bcedb95..8351725 100644
--- a/README.md
+++ b/README.md
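Review bot: Check 1.9 tests `[ -d "$file" ]` although the path it assigns on the preceding line is `directory`, so `$file` is empty here (or whatever an earlier part of the script left in it) and 1.9 takes the `info " * Directory not found"` branch even on a host where /var/lib/docker exists, silently dropping the audit-rule finding for the most important path; it should read `if [ -d "$directory" ]; then`, as 1.10 does. The new `grep $directory` / `grep $file` calls in every block (1.9 through 1.18) also leave the expansion unquoted and use the path as an unanchored basic regex, so the `.` in `/var/run/docker.sock` matches any character and `/etc/docker` also matches a rule for any longer path with that prefix; `grep -F -- "$file"` keeps the match literal. Both are worth fixing in the same commit since a false pass or a false "not found" here hides a missing audit rule rather than reporting it.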
@@ -14,7 +14,7 @@ The easiest way to run your hosts against the CIS Docker 1.6 benchmark is by run
 ```
-docker run -it --net host --pid host -v /var/run/docker.sock:/var/run/docker.sock \
+docker run -it --net host --pid host -v /var/lib:/var/lib -v /var/run/docker.sock:/var/run/docker.sock \
 -v /usr/lib/systemd:/usr/lib/systemd -v /etc:/etc --label docker-bench-security \
 diogomonica/docker-bench-security
 ```
@@ -30,7 +30,7 @@ If you wish to build and run this container yourself, you can follow the followi
 ```
 git clone https://github.com/diogomonica/docker-bench-security.git
 cd docker-bench-security; docker build -t docker-bench-security .
-docker run -it --net host --pid host -v /var/run/docker.sock:/var/run/docker.sock \
+docker run -it --net host --pid host -v /var/lib:/var/lib -v /var/run/docker.sock:/var/run/docker.sock \
 -v /usr/lib/systemd:/usr/lib/systemd -v /etc:/etc --label security-benchmark \
 docker-bench-security
 ```
From 5c3c36c5caf94430a41d69988d79e68f0340ca98 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Sun, 14 Jun 2015 23:03:11 +0200
Subject: [PATCH 3/3] New README
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren
---
 README.md | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)
diff --git a/README.md b/README.md
index 8351725..eb5e117 100644
--- a/README.md
+++ b/README.md
@@ -13,10 +13,12 @@ We packaged docker bench as a small container for your convenience. Note that th
 The easiest way to run your hosts against the CIS Docker 1.6 benchmark is by running our pre-built container:
-```
-docker run -it --net host --pid host -v /var/lib:/var/lib -v /var/run/docker.sock:/var/run/docker.sock \
--v /usr/lib/systemd:/usr/lib/systemd -v /etc:/etc --label docker-bench-security \
-diogomonica/docker-bench-security
+```sh
+docker run -it --net host --pid host -v /var/lib:/var/lib \
+ -v /var/run/docker.sock:/var/run/docker.sock \
+ -v /usr/lib/systemd:/usr/lib/systemd \
+ -v /etc:/etc --label docker-bench-security \
+ diogomonica/docker-bench-security
 ```
 Docker bench requires Docker 1.6.2 or later in order to run, since it depends on the `--label` to exclude the current container from being inspected. If you can't upgrade to 1.6.2, I feel free to remove the `--label` flag or run the shell script locally (see below).
@@ -27,19 +29,23 @@ Additionally, there was a bug in Docker 1.6.0 that would not allow mounting `-v
 If you wish to build and run this container yourself, you can follow the following steps:
-```
+```sh
 git clone https://github.com/diogomonica/docker-bench-security.git
-cd docker-bench-security; docker build -t docker-bench-security .
-docker run -it --net host --pid host -v /var/lib:/var/lib -v /var/run/docker.sock:/var/run/docker.sock \
--v /usr/lib/systemd:/usr/lib/systemd -v /etc:/etc --label security-benchmark \
-docker-bench-security
+cd docker-bench-security
+docker build -t docker-bench-security .
+docker run -it --net host --pid host -v /var/lib:/var/lib \
+ -v /var/run/docker.sock:/var/run/docker.sock \
+ -v /usr/lib/systemd:/usr/lib/systemd \
+ -v /etc:/etc --label security-benchmark \
+ docker-bench-security
 ```
 Also, this script can also be simply run from your base host by running:
-```
+```sh
 git clone https://github.com/diogomonica/docker-bench-security.git
-cd docker-bench-security; sh docker-bench-security.sh
+cd docker-bench-security
+sh docker-bench-security.sh
 ```
 This script was build to be POSIX 2004 compliant, so it should be portable across any Unix platform.