diff --git a/docker-bench-security.sh b/docker-bench-security.sh index b284929..dc2ba9e 100755 --- a/docker-bench-security.sh +++ b/docker-bench-security.sh @@ -1,11 +1,11 @@ #!/bin/sh # ------------------------------------------------------------------------------ -# Docker Bench for Security v1.2.0 +# Docker Bench for Security v1.3.0 # # Docker, Inc. (c) 2015- # # Checks for dozens of common best-practices around deploying Docker containers in production. -# Inspired by the CIS Docker 1.12 Benchmark. +# Inspired by the CIS Docker 1.13 Benchmark. # ------------------------------------------------------------------------------ # Load dependencies @@ -57,12 +57,12 @@ if [ -z "$logger" ]; then fi yell "# ------------------------------------------------------------------------------ -# Docker Bench for Security v1.2.0 +# Docker Bench for Security v1.3.0 # # Docker, Inc. (c) 2015- # # Checks for dozens of common best-practices around deploying Docker containers in production. -# Inspired by the CIS Docker 1.12 Benchmark. +# Inspired by the CIS Docker 1.13 Benchmark. # ------------------------------------------------------------------------------" # Warn if not root diff --git a/tests/1_host_configuration.sh b/tests/1_host_configuration.sh index a72ba86..8e7e931 100644 --- a/tests/1_host_configuration.sh +++ b/tests/1_host_configuration.sh @@ -13,81 +13,96 @@ else fi # 1.2 -check_1_2="1.2 - Use an updated Linux Kernel" -kernel_version=$(uname -r | cut -d "-" -f 1) -do_version_check 3.10 "$kernel_version" -if [ $? -eq 11 ]; then - warn "$check_1_2" -else - pass "$check_1_2" -fi +check_1_2="1.2 - Harden the container host" +info "$check_1_2" # 1.3 -check_1_3="1.3 - Harden the container host" -info "$check_1_3" - -# 1.4 -check_1_4="1.4 - Remove all non-essential services from the host - Network" -# Check for listening network services. -listening_services=$(netstat -na | grep -v tcp6 | grep -v unix | grep -c LISTEN) -if [ "$listening_services" -eq 0 ]; then - info "1.4 - Failed to get listening services for check: $check_1_4" -else - if [ "$listening_services" -gt 5 ]; then - info "$check_1_4" - info " * Host listening on: $listening_services ports" -else - pass "$check_1_4" - fi -fi - -# 1.5 -check_1_5="1.5 - Keep Docker up to date" +check_1_3="1.3 - Keep Docker up to date" docker_version=$(docker version | grep -i -A1 '^server' | grep -i 'version:' \ | awk '{print $NF; exit}' | tr -d '[:alpha:]-,') docker_current_version="1.13.0" docker_current_date="2017-01-18" do_version_check "$docker_current_version" "$docker_version" if [ $? -eq 11 ]; then - info "$check_1_5" + info "$check_1_3" info " * Using $docker_version, when $docker_current_version is current as of $docker_current_date" - info " * Your operating system vendor may provide support and security maintenance for docker" + info " * Your operating system vendor may provide support and security maintenance for Docker" else - pass "$check_1_5" + pass "$check_1_3" info " * Using $docker_version which is current as of $docker_current_date" - info " * Check with your operating system vendor for support and security maintenance for docker" + info " * Check with your operating system vendor for support and security maintenance for Docker" fi -# 1.6 -check_1_6="1.6 - Only allow trusted users to control Docker daemon" +# 1.4 +check_1_4="1.4 - Only allow trusted users to control Docker daemon" docker_users=$(getent group docker) -info "$check_1_6" +info "$check_1_4" for u in $docker_users; do info " * $u" done -# 1.7 -check_1_7="1.7 - Audit docker daemon - /usr/bin/docker" +# 1.5 +check_1_5="1.5 - Audit docker daemon - /usr/bin/docker" file="/usr/bin/docker" command -v auditctl >/dev/null 2>&1 if [ $? -eq 0 ]; then auditctl -l | grep "$file" >/dev/null 2>&1 if [ $? -eq 0 ]; then - pass "$check_1_7" + pass "$check_1_5" else - warn "$check_1_7" + warn "$check_1_5" fi else - warn "1.7 - Failed to inspect: auditctl command not found." + warn "1.5 - Failed to inspect: auditctl command not found." fi -# 1.8 -check_1_8="1.8 - Audit Docker files and directories - /var/lib/docker" +# 1.6 +check_1_6="1.6 - Audit Docker files and directories - /var/lib/docker" directory="/var/lib/docker" if [ -d "$directory" ]; then command -v auditctl >/dev/null 2>&1 if [ $? -eq 0 ]; then auditctl -l | grep $directory >/dev/null 2>&1 + if [ $? -eq 0 ]; then + pass "$check_1_6" + else + warn "$check_1_6" + fi + else + warn "1.6 - Failed to inspect: auditctl command not found." + fi +else + info "$check_1_6" + info " * Directory not found" +fi + +# 1.7 +check_1_7="1.7 - Audit Docker files and directories - /etc/docker" +directory="/etc/docker" +if [ -d "$directory" ]; then + command -v auditctl >/dev/null 2>&1 + if [ $? -eq 0 ]; then + auditctl -l | grep $directory >/dev/null 2>&1 + if [ $? -eq 0 ]; then + pass "$check_1_7" + else + warn "$check_1_7" + fi + else + warn "1.7 - Failed to inspect: auditctl command not found." + fi +else + info "$check_1_7" + info " * Directory not found" +fi + +# 1.8 +check_1_8="1.8 - Audit Docker files and directories - docker.service" +file="$(get_systemd_service_file docker.service)" +if [ -f "$file" ]; then + command -v auditctl >/dev/null 2>&1 + if [ $? -eq 0 ]; then + auditctl -l | grep "$file" >/dev/null 2>&1 if [ $? -eq 0 ]; then pass "$check_1_8" else @@ -98,16 +113,16 @@ if [ -d "$directory" ]; then fi else info "$check_1_8" - info " * Directory not found" + info " * File not found" fi # 1.9 -check_1_9="1.9 - Audit Docker files and directories - /etc/docker" -directory="/etc/docker" -if [ -d "$directory" ]; then +check_1_9="1.9 - Audit Docker files and directories - docker.socket" +file="$(get_systemd_service_file docker.socket)" +if [ -e "$file" ]; then command -v auditctl >/dev/null 2>&1 if [ $? -eq 0 ]; then - auditctl -l | grep $directory >/dev/null 2>&1 + auditctl -l | grep "$file" >/dev/null 2>&1 if [ $? -eq 0 ]; then pass "$check_1_9" else @@ -118,16 +133,16 @@ if [ -d "$directory" ]; then fi else info "$check_1_9" - info " * Directory not found" + info " * File not found" fi # 1.10 -check_1_10="1.10 - Audit Docker files and directories - docker.service" -file="$(get_systemd_service_file docker.service)" +check_1_10="1.10 - Audit Docker files and directories - /etc/default/docker" +file="/etc/default/docker" if [ -f "$file" ]; then command -v auditctl >/dev/null 2>&1 if [ $? -eq 0 ]; then - auditctl -l | grep "$file" >/dev/null 2>&1 + auditctl -l | grep $file >/dev/null 2>&1 if [ $? -eq 0 ]; then pass "$check_1_10" else @@ -142,12 +157,12 @@ else fi # 1.11 -check_1_11="1.11 - Audit Docker files and directories - docker.socket" -file="$(get_systemd_service_file docker.socket)" -if [ -e "$file" ]; then +check_1_11="1.11 - Audit Docker files and directories - /etc/docker/daemon.json" +file="/etc/docker/daemon.json" +if [ -f "$file" ]; then command -v auditctl >/dev/null 2>&1 if [ $? -eq 0 ]; then - auditctl -l | grep "$file" >/dev/null 2>&1 + auditctl -l | grep $file >/dev/null 2>&1 if [ $? -eq 0 ]; then pass "$check_1_11" else @@ -162,8 +177,8 @@ else fi # 1.12 -check_1_12="1.12 - Audit Docker files and directories - /etc/default/docker" -file="/etc/default/docker" +check_1_12="1.12 - Audit Docker files and directories - /usr/bin/docker-containerd" +file="/usr/bin/docker-containerd" if [ -f "$file" ]; then command -v auditctl >/dev/null 2>&1 if [ $? -eq 0 ]; then @@ -182,8 +197,8 @@ else fi # 1.13 -check_1_13="1.13 - Audit Docker files and directories - /etc/docker/daemon.json" -file="/etc/docker/daemon.json" +check_1_13="1.13 - Audit Docker files and directories - /usr/bin/docker-runc" +file="/usr/bin/docker-runc" if [ -f "$file" ]; then command -v auditctl >/dev/null 2>&1 if [ $? -eq 0 ]; then @@ -200,43 +215,3 @@ else info "$check_1_13" info " * File not found" fi - -# 1.14 -check_1_14="1.14 - Audit Docker files and directories - /usr/bin/docker-containerd" -file="/usr/bin/docker-containerd" -if [ -f "$file" ]; then - command -v auditctl >/dev/null 2>&1 - if [ $? -eq 0 ]; then - auditctl -l | grep $file >/dev/null 2>&1 - if [ $? -eq 0 ]; then - pass "$check_1_14" - else - warn "$check_1_14" - fi - else - warn "1.14 - Failed to inspect: auditctl command not found." - fi -else - info "$check_1_14" - info " * File not found" -fi - -# 1.15 -check_1_15="1.15 - Audit Docker files and directories - /usr/bin/docker-runc" -file="/usr/bin/docker-runc" -if [ -f "$file" ]; then - command -v auditctl >/dev/null 2>&1 - if [ $? -eq 0 ]; then - auditctl -l | grep $file >/dev/null 2>&1 - if [ $? -eq 0 ]; then - pass "$check_1_15" - else - warn "$check_1_15" - fi - else - warn "1.15 - Failed to inspect: auditctl command not found." - fi -else - info "$check_1_15" - info " * File not found" -fi