GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2025-01-18 16:22:33 +01:00
Code Issues Projects Releases Packages Wiki Activity

Add details about remediations measure for host configuration tests

Browse source
This commit is contained in:
Razvan Stoica 2021-03-09 21:43:25 +02:00
parent 58205d4ef5
commit c00ef4330b
3 changed files with 66 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
docker-bench-security.sh
View file

@ -2,7 +2,7 @@
# ------------------------------------------------------------------------------
# Docker Bench for Security
#
# Docker, Inc. (c) 2015-
# Docker, Inc. (c) 2015-2021
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# ------------------------------------------------------------------------------

6
output_lib.sh
View file

@ -52,7 +52,7 @@ beginjson () {
}
endjson (){
printf "\n ], \"checks\": %s, \"score\": %s, \"end\": %s \n}]" "$1" "$2" "$3" | tee -a "$logger.json" 2>/dev/null 1>&2
printf "\n ], \"checks\": %s, \"score\": %s, \"end\": %s\n}]" "$1" "$2" "$3" | tee -a "$logger.json" 2>/dev/null 1>&2
}
logjson (){
@ -103,9 +103,9 @@ resulttestjson() {
printf "\"result\": \"%s\", \"details\": \"%s: %s\", \"items\": %s" "$1" "$2" "$truncItems" "$itemsJson" | tee -a "$logger.json" 2>/dev/null 1>&2
fi
# Log remediation measure
if [ ! -z "$remediation" ]; then
if [ -n "$remediation" ]; then
printf ", \"remediation\": \"%s\"" "$remediation" | tee -a "$logger.json" 2>/dev/null 1>&2
if [ ! -z "$remediationImpact" ]; then
if [ -n "$remediationImpact" ]; then
printf ", \"remediation-impact\": \"%s\"" "$remediationImpact" | tee -a "$logger.json" 2>/dev/null 1>&2
fi
fi

64
tests/1_host_configuration.sh
View file

@ -69,6 +69,7 @@ check_1_2() {
check_1_2_1() {
local id="1.2.1"
local desc="Ensure a separate partition for containers has been created (Scored)"
local remediation="For new installations, you should create a separate partition for the /var/lib/docker mount point. For systems that have already been installed, you should use the Logical Volume Manager (LVM) within Linux to create a new partition."
local check="$id - $desc"
starttestjson "$id" "$desc"
@ -84,6 +85,7 @@ check_1_2_1() {
currentScore=$((currentScore + 1))
else
warn "$check"
info " * Remediation: $remediation"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
@ -114,6 +116,8 @@ check_1_2_2() {
check_1_2_3() {
local id="1.2.3"
local desc="Ensure auditing is configured for the Docker daemon (Scored)"
local remediation="Install and configure auditd using the following command: sudo apt-get install auditd. Add the following line to the /etc/audit/rules.d/audit.rules file: -w /usr/bin/dockerd -k docker. Then restart the audit daemon using the following command: service auditd restart."
local remediationImpact="Because the audit can generate large log files, you need to make sure that they are rotated and archived periodically. It is a good idea to create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
@ -126,7 +130,8 @@ check_1_2_3() {
currentScore=$((currentScore + 1))
else
warn "$check"
warn " * Install auditd"
info " * Remediation: $remediation"
info " * Remediation impact: $remediationImpact"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
@ -136,7 +141,8 @@ check_1_2_3() {
currentScore=$((currentScore + 1))
else
warn "$check"
warn " * Install auditd"
info " * Remediation: $remediation"
info " * Remediation impact: $remediationImpact"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
@ -146,6 +152,8 @@ check_1_2_3() {
check_1_2_4() {
local id="1.2.4"
local desc="Ensure auditing is configured for Docker files and directories - /var/lib/docker (Scored)"
local remediation="Install and configure auditd using the following command: sudo apt-get install auditd. Add the following line to the /etc/audit/rules.d/audit.rules file: -w /var/lib/docker -k docker. Then restart the audit daemon using the following command: service auditd restart."
local remediationImpact="Because the audit can generate large log files, you need to make sure that they are rotated and archived periodically. It is a good idea to create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
@ -159,6 +167,8 @@ check_1_2_4() {
currentScore=$((currentScore + 1))
else
warn "$check"
info " * Remediation: $remediation"
info " * Remediation impact: $remediationImpact"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
@ -168,6 +178,8 @@ check_1_2_4() {
currentScore=$((currentScore + 1))
else
warn "$check"
info " * Remediation: $remediation"
info " * Remediation impact: $remediationImpact"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
@ -183,6 +195,8 @@ check_1_2_4() {
check_1_2_5() {
local id="1.2.5"
local desc="Ensure auditing is configured for Docker files and directories - /etc/docker (Scored)"
local remediation="Install and configure auditd using the following command: sudo apt-get install auditd. Add the following line to the /etc/audit/rules.d/audit.rules file: -w /etc/docker -k docker. Then restart the audit daemon using the following command: service auditd restart."
local remediationImpact="Because the audit can generate large log files, you need to make sure that they are rotated and archived periodically. It is a good idea to create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
@ -196,6 +210,8 @@ check_1_2_5() {
currentScore=$((currentScore + 1))
else
warn "$check"
info " * Remediation: $remediation"
info " * Remediation impact: $remediationImpact"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
@ -205,6 +221,8 @@ check_1_2_5() {
currentScore=$((currentScore + 1))
else
warn "$check"
info " * Remediation: $remediation"
info " * Remediation impact: $remediationImpact"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
@ -220,6 +238,8 @@ fi
check_1_2_6() {
local id="1.2.6"
local desc="Ensure auditing is configured for Docker files and directories - docker.service (Scored)"
local remediation="Install and configure auditd using the following command: sudo apt-get install auditd. Add the following line to the /etc/audit/rules.d/audit.rules file: -w $(systemctl show -p FragmentPath docker.service | sed 's/.*=//') -k docker. Then restart the audit daemon using the following command: service auditd restart."
local remediationImpact="Because the audit can generate large log files, you need to make sure that they are rotated and archived periodically. It is a good idea to create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
@ -233,6 +253,8 @@ check_1_2_6() {
currentScore=$((currentScore + 1))
else
warn "$check"
info " * Remediation: $remediation"
info " * Remediation impact: $remediationImpact"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
@ -242,6 +264,8 @@ check_1_2_6() {
currentScore=$((currentScore + 1))
else
warn "$check"
info " * Remediation: $remediation"
info " * Remediation impact: $remediationImpact"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
@ -257,6 +281,8 @@ check_1_2_6() {
check_1_2_7() {
local id="1.2.7"
local desc="Ensure auditing is configured for Docker files and directories - docker.socket (Scored)"
local remediation="Install and configure auditd using the following command: sudo apt-get install auditd. Add the following line to the /etc/audit/rules.d/audit.rules file: -w $(systemctl show -p FragmentPath docker.socket | sed 's/.*=//') -k docker. Then restart the audit daemon using the following command: service auditd restart."
local remediationImpact="Because the audit can generate large log files, you need to make sure that they are rotated and archived periodically. It is a good idea to create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
@ -270,6 +296,8 @@ check_1_2_7() {
currentScore=$((currentScore + 1))
else
warn "$check"
info " * Remediation: $remediation"
info " * Remediation impact: $remediationImpact"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
@ -279,6 +307,8 @@ check_1_2_7() {
currentScore=$((currentScore + 1))
else
warn "$check"
info " * Remediation: $remediation"
info " * Remediation impact: $remediationImpact"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
@ -294,6 +324,8 @@ check_1_2_7() {
check_1_2_8() {
local id="1.2.8"
local desc="Ensure auditing is configured for Docker files and directories - /etc/default/docker (Scored)"
local remediation="Install and configure auditd using the following command: sudo apt-get install auditd. Add the following line to the /etc/audit/rules.d/audit.rules file: -w /etc/default/docker -k docker. Then restart the audit daemon using the following command: service auditd restart."
local remediationImpact="Because the audit can generate large log files, you need to make sure that they are rotated and archived periodically. It is a good idea to create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
@ -307,6 +339,8 @@ check_1_2_8() {
currentScore=$((currentScore + 1))
else
warn "$check"
info " * Remediation: $remediation"
info " * Remediation impact: $remediationImpact"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
@ -316,6 +350,8 @@ check_1_2_8() {
currentScore=$((currentScore + 1))
else
warn "$check"
info " * Remediation: $remediation"
info " * Remediation impact: $remediationImpact"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
@ -331,6 +367,8 @@ check_1_2_8() {
check_1_2_9() {
local id="1.2.9"
local desc="Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Scored)"
local remediation="Install and configure auditd using the following command: sudo apt-get install auditd. Add the following line to the /etc/audit/rules.d/audit.rules file: -w /etc/sysconfig/docker -k docker. Then restart the audit daemon using the following command: service auditd restart."
local remediationImpact="Because the audit can generate large log files, you need to make sure that they are rotated and archived periodically. It is a good idea to create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
@ -344,6 +382,8 @@ check_1_2_9() {
currentScore=$((currentScore + 1))
else
warn "$check"
info " * Remediation: $remediation"
info " * Remediation impact: $remediationImpact"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
@ -353,6 +393,8 @@ check_1_2_9() {
currentScore=$((currentScore + 1))
else
warn "$check"
info " * Remediation: $remediation"
info " * Remediation impact: $remediationImpact"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
@ -368,6 +410,8 @@ check_1_2_9() {
check_1_2_10() {
local id="1.2.10"
local desc="Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json (Scored)"
local remediation="Install and configure auditd using the following command: sudo apt-get install auditd. Add the following line to the /etc/audit/rules.d/audit.rules file: -w /etc/docker/daemon.json -k docker. Then restart the audit daemon using the following command: service auditd restart."
local remediationImpact="Because the audit can generate large log files, you need to make sure that they are rotated and archived periodically. It is a good idea to create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
@ -381,6 +425,8 @@ check_1_2_10() {
currentScore=$((currentScore + 1))
else
warn "$check"
info " * Remediation: $remediation"
info " * Remediation impact: $remediationImpact"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
@ -390,6 +436,8 @@ check_1_2_10() {
currentScore=$((currentScore + 1))
else
warn "$check"
info " * Remediation: $remediation"
info " * Remediation impact: $remediationImpact"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
@ -405,6 +453,8 @@ check_1_2_10() {
check_1_2_11() {
local id="1.2.11"
local desc="Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Scored)"
local remediation="Install and configure auditd using the following command: sudo apt-get install auditd. Add the following line to the /etc/audit/rules.d/audit.rules file: -w /usr/bin/containerd -k docker. Then restart the audit daemon using the following command: service auditd restart."
local remediationImpact="Because the audit can generate large log files, you need to make sure that they are rotated and archived periodically. It is a good idea to create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
@ -418,6 +468,8 @@ check_1_2_11() {
currentScore=$((currentScore + 1))
else
warn "$check"
info " * Remediation: $remediation"
info " * Remediation impact: $remediationImpact"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
@ -427,6 +479,8 @@ check_1_2_11() {
currentScore=$((currentScore + 1))
else
warn "$check"
info " * Remediation: $remediation"
info " * Remediation impact: $remediationImpact"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
@ -442,6 +496,8 @@ check_1_2_11() {
check_1_2_12() {
local id="1.2.12"
local desc="Ensure auditing is configured for Docker files and directories - /usr/sbin/runc (Scored)"
local remediation="Install and configure auditd using the following command: sudo apt-get install auditd. Add the following line to the /etc/audit/rules.d/audit.rules file: -w /usr/sbin/runc -k docker. Then restart the audit daemon using the following command: service auditd restart."
local remediationImpact="Because the audit can generate large log files, you need to make sure that they are rotated and archived periodically. It is a good idea to create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
@ -455,6 +511,8 @@ check_1_2_12() {
currentScore=$((currentScore + 1))
else
warn "$check"
info " * Remediation: $remediation"
info " * Remediation impact: $remediationImpact"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
@ -464,6 +522,8 @@ check_1_2_12() {
currentScore=$((currentScore + 1))
else
warn "$check"
info " * Remediation: $remediation"
info " * Remediation impact: $remediationImpact"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi