GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2025-02-23 16:36:39 +01:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #202 from konstruktoid/113_1

Browse source 
1.13 Section 1
This commit is contained in:
Thomas Sjögren 2017-01-24 09:47:37 +01:00 committed by GitHub
commit d21e8ee0bb
2 changed files with 78 additions and 103 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
docker-bench-security.sh
View file

@ -1,11 +1,11 @@
#!/bin/sh #!/bin/sh
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# Docker Bench for Security v1.2.0 # Docker Bench for Security v1.3.0
# #
# Docker, Inc. (c) 2015- # Docker, Inc. (c) 2015-
# #
# Checks for dozens of common best-practices around deploying Docker containers in production. # Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker 1.12 Benchmark. # Inspired by the CIS Docker 1.13 Benchmark.
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# Load dependencies # Load dependencies
@ -57,12 +57,12 @@ if [ -z "$logger" ]; then
fi fi
yell "# ------------------------------------------------------------------------------ yell "# ------------------------------------------------------------------------------
# Docker Bench for Security v1.2.0 # Docker Bench for Security v1.3.0
# #
# Docker, Inc. (c) 2015- # Docker, Inc. (c) 2015-
# #
# Checks for dozens of common best-practices around deploying Docker containers in production. # Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker 1.12 Benchmark. # Inspired by the CIS Docker 1.13 Benchmark.
# ------------------------------------------------------------------------------" # ------------------------------------------------------------------------------"
# Warn if not root # Warn if not root

173
tests/1_host_configuration.sh
View file

@ -13,81 +13,96 @@ else
fi fi
# 1.2 # 1.2
check_1_2="1.2 - Use an updated Linux Kernel" check_1_2="1.2 - Harden the container host"
kernel_version=$(uname -r | cut -d "-" -f 1) info "$check_1_2"
do_version_check 3.10 "$kernel_version"
if [ $? -eq 11 ]; then
warn "$check_1_2"
else
pass "$check_1_2"
fi
# 1.3 # 1.3
check_1_3="1.3 - Harden the container host" check_1_3="1.3 - Keep Docker up to date"
info "$check_1_3"
# 1.4
check_1_4="1.4 - Remove all non-essential services from the host - Network"
# Check for listening network services.
listening_services=$(netstat -na | grep -v tcp6 | grep -v unix | grep -c LISTEN)
if [ "$listening_services" -eq 0 ]; then
info "1.4 - Failed to get listening services for check: $check_1_4"
else
if [ "$listening_services" -gt 5 ]; then
info "$check_1_4"
info " * Host listening on: $listening_services ports"
else
pass "$check_1_4"
fi
fi
# 1.5
check_1_5="1.5 - Keep Docker up to date"
docker_version=$(docker version | grep -i -A1 '^server' | grep -i 'version:' \ docker_version=$(docker version | grep -i -A1 '^server' | grep -i 'version:' \
| awk '{print $NF; exit}' | tr -d '[:alpha:]-,') | awk '{print $NF; exit}' | tr -d '[:alpha:]-,')
docker_current_version="1.13.0" docker_current_version="1.13.0"
docker_current_date="2017-01-18" docker_current_date="2017-01-18"
do_version_check "$docker_current_version" "$docker_version" do_version_check "$docker_current_version" "$docker_version"
if [ $? -eq 11 ]; then if [ $? -eq 11 ]; then
info "$check_1_5" info "$check_1_3"
info " * Using $docker_version, when $docker_current_version is current as of $docker_current_date" info " * Using $docker_version, when $docker_current_version is current as of $docker_current_date"
info " * Your operating system vendor may provide support and security maintenance for docker" info " * Your operating system vendor may provide support and security maintenance for Docker"
else else
pass "$check_1_5" pass "$check_1_3"
info " * Using $docker_version which is current as of $docker_current_date" info " * Using $docker_version which is current as of $docker_current_date"
info " * Check with your operating system vendor for support and security maintenance for docker" info " * Check with your operating system vendor for support and security maintenance for Docker"
fi fi
# 1.6 # 1.4
check_1_6="1.6 - Only allow trusted users to control Docker daemon" check_1_4="1.4 - Only allow trusted users to control Docker daemon"
docker_users=$(getent group docker) docker_users=$(getent group docker)
info "$check_1_6" info "$check_1_4"
for u in $docker_users; do for u in $docker_users; do
info " * $u" info " * $u"
done done
# 1.7 # 1.5
check_1_7="1.7 - Audit docker daemon - /usr/bin/docker" check_1_5="1.5 - Audit docker daemon - /usr/bin/docker"
file="/usr/bin/docker" file="/usr/bin/docker"
command -v auditctl >/dev/null 2>&1 command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
auditctl -l | grep "$file" >/dev/null 2>&1 auditctl -l | grep "$file" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_1_7" pass "$check_1_5"
else else
warn "$check_1_7" warn "$check_1_5"
fi fi
else else
warn "1.7 - Failed to inspect: auditctl command not found." warn "1.5 - Failed to inspect: auditctl command not found."
fi fi
# 1.8 # 1.6
check_1_8="1.8 - Audit Docker files and directories - /var/lib/docker" check_1_6="1.6 - Audit Docker files and directories - /var/lib/docker"
directory="/var/lib/docker" directory="/var/lib/docker"
if [ -d "$directory" ]; then if [ -d "$directory" ]; then
command -v auditctl >/dev/null 2>&1 command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
auditctl -l | grep $directory >/dev/null 2>&1 auditctl -l | grep $directory >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_6"
else
warn "$check_1_6"
fi
else
warn "1.6 - Failed to inspect: auditctl command not found."
fi
else
info "$check_1_6"
info " * Directory not found"
fi
# 1.7
check_1_7="1.7 - Audit Docker files and directories - /etc/docker"
directory="/etc/docker"
if [ -d "$directory" ]; then
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
auditctl -l | grep $directory >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_7"
else
warn "$check_1_7"
fi
else
warn "1.7 - Failed to inspect: auditctl command not found."
fi
else
info "$check_1_7"
info " * Directory not found"
fi
# 1.8
check_1_8="1.8 - Audit Docker files and directories - docker.service"
file="$(get_systemd_service_file docker.service)"
if [ -f "$file" ]; then
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
auditctl -l | grep "$file" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_1_8" pass "$check_1_8"
else else
@ -98,16 +113,16 @@ if [ -d "$directory" ]; then
fi fi
else else
info "$check_1_8" info "$check_1_8"
info " * Directory not found" info " * File not found"
fi fi
# 1.9 # 1.9
check_1_9="1.9 - Audit Docker files and directories - /etc/docker" check_1_9="1.9 - Audit Docker files and directories - docker.socket"
directory="/etc/docker" file="$(get_systemd_service_file docker.socket)"
if [ -d "$directory" ]; then if [ -e "$file" ]; then
command -v auditctl >/dev/null 2>&1 command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
auditctl -l | grep $directory >/dev/null 2>&1 auditctl -l | grep "$file" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_1_9" pass "$check_1_9"
else else
@ -118,16 +133,16 @@ if [ -d "$directory" ]; then
fi fi
else else
info "$check_1_9" info "$check_1_9"
info " * Directory not found" info " * File not found"
fi fi
# 1.10 # 1.10
check_1_10="1.10 - Audit Docker files and directories - docker.service" check_1_10="1.10 - Audit Docker files and directories - /etc/default/docker"
file="$(get_systemd_service_file docker.service)" file="/etc/default/docker"
if [ -f "$file" ]; then if [ -f "$file" ]; then
command -v auditctl >/dev/null 2>&1 command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
auditctl -l | grep "$file" >/dev/null 2>&1 auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_1_10" pass "$check_1_10"
else else
@ -142,12 +157,12 @@ else
fi fi
# 1.11 # 1.11
check_1_11="1.11 - Audit Docker files and directories - docker.socket" check_1_11="1.11 - Audit Docker files and directories - /etc/docker/daemon.json"
file="$(get_systemd_service_file docker.socket)" file="/etc/docker/daemon.json"
if [ -e "$file" ]; then if [ -f "$file" ]; then
command -v auditctl >/dev/null 2>&1 command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
auditctl -l | grep "$file" >/dev/null 2>&1 auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_1_11" pass "$check_1_11"
else else
@ -162,8 +177,8 @@ else
fi fi
# 1.12 # 1.12
check_1_12="1.12 - Audit Docker files and directories - /etc/default/docker" check_1_12="1.12 - Audit Docker files and directories - /usr/bin/docker-containerd"
file="/etc/default/docker" file="/usr/bin/docker-containerd"
if [ -f "$file" ]; then if [ -f "$file" ]; then
command -v auditctl >/dev/null 2>&1 command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
@ -182,8 +197,8 @@ else
fi fi
# 1.13 # 1.13
check_1_13="1.13 - Audit Docker files and directories - /etc/docker/daemon.json" check_1_13="1.13 - Audit Docker files and directories - /usr/bin/docker-runc"
file="/etc/docker/daemon.json" file="/usr/bin/docker-runc"
if [ -f "$file" ]; then if [ -f "$file" ]; then
command -v auditctl >/dev/null 2>&1 command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
@ -200,43 +215,3 @@ else
info "$check_1_13" info "$check_1_13"
info " * File not found" info " * File not found"
fi fi
# 1.14
check_1_14="1.14 - Audit Docker files and directories - /usr/bin/docker-containerd"
file="/usr/bin/docker-containerd"
if [ -f "$file" ]; then
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_14"
else
warn "$check_1_14"
fi
else
warn "1.14 - Failed to inspect: auditctl command not found."
fi
else
info "$check_1_14"
info " * File not found"
fi
# 1.15
check_1_15="1.15 - Audit Docker files and directories - /usr/bin/docker-runc"
file="/usr/bin/docker-runc"
if [ -f "$file" ]; then
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_15"
else
warn "$check_1_15"
fi
else
warn "1.15 - Failed to inspect: auditctl command not found."
fi
else
info "$check_1_15"
info " * File not found"
fi