Merge pull request #132 from konstruktoid/cis_1.11_1

update chap 1 to cis 1.11

tests/1_host_configuration.sh

@@ -22,63 +22,84 @@ else
   pass "$check_1_2"
 fi
 
-# 1.5
-check_1_5="1.5  - Remove all non-essential services from the host - Network"
+# 1.4
+check_1_4="1.4  - Remove all non-essential services from the host - Network"
 # Check for listening network services.
 listening_services=$(netstat -na | grep -v tcp6 | grep -v unix | grep -c LISTEN)
 if [ "$listening_services" -eq 0 ]; then
-  warn "1.5  - Failed to get listening services for check: $check_1_5"
+  warn "1.4  - Failed to get listening services for check: $check_1_4"
 else
   if [ "$listening_services" -gt 5 ]; then
-    warn "$check_1_5"
+    warn "$check_1_4"
     warn "     * Host listening on: $listening_services ports"
-  else
-    pass "$check_1_5"
+else
+    pass "$check_1_4"
   fi
 fi
 
-# 1.6
-check_1_6="1.6  - Keep Docker up to date"
+# 1.5
+check_1_5="1.5  - Keep Docker up to date"
 docker_version=$(docker version | grep -i -A1 '^server' | grep -i 'version:' \
   | awk '{print $NF; exit}' | tr -d '[:alpha:]-,')
 docker_current_version="1.11.0"
 docker_current_date="2016-04-13"
 do_version_check "$docker_current_version" "$docker_version"
 if [ $? -eq 11 ]; then
-  warn "$check_1_6"
+  warn "$check_1_5"
   warn "      * Using $docker_version, when $docker_current_version is current as of $docker_current_date"
   info "      * Your operating system vendor may provide support and security maintenance for docker"
 else
-  pass "$check_1_6"
+  pass "$check_1_5"
   info "      * Using $docker_version which is current as of $docker_current_date"
   info "      * Check with your operating system vendor for support and security maintenance for docker"
 fi
 
-# 1.7
-check_1_7="1.7  - Only allow trusted users to control Docker daemon"
+# 1.6
+check_1_6="1.6  - Only allow trusted users to control Docker daemon"
 docker_users=$(getent group docker)
-info "$check_1_7"
+info "$check_1_6"
 for u in $docker_users; do
   info "     * $u"
 done
 
-# 1.8
-check_1_8="1.8  - Audit docker daemon"
+# 1.7
+check_1_7="1.7  - Audit docker daemon - /usr/bin/docker"
+file="/usr/bin/docker"
 command -v auditctl >/dev/null 2>&1
 if [ $? -eq 0 ]; then
-  auditctl -l | grep /usr/bin/docker >/dev/null 2>&1
+  auditctl -l | grep "$file" >/dev/null 2>&1
   if [ $? -eq 0 ]; then
-    pass "$check_1_8"
+    pass "$check_1_7"
   else
-    warn "$check_1_8"
+    warn "$check_1_7"
   fi
 else
-  warn "1.8  - Failed to inspect: auditctl command not found."
+  warn "1.7  - Failed to inspect: auditctl command not found."
+fi
+
+# 1.8
+check_1_8="1.8  - Audit Docker files and directories - /var/lib/docker"
+directory="/var/lib/docker"
+if [ -d "$directory" ]; then
+  command -v auditctl >/dev/null 2>&1
+  if [ $? -eq 0 ]; then
+    auditctl -l | grep $directory >/dev/null 2>&1
+    if [ $? -eq 0 ]; then
+      pass "$check_1_8"
+    else
+      warn "$check_1_8"
+    fi
+  else
+    warn "1.8  - Failed to inspect: auditctl command not found."
+  fi
+else
+  info "$check_1_8"
+  info "     * Directory not found"
 fi
 
 # 1.9
-check_1_9="1.9  - Audit Docker files and directories - /var/lib/docker"
-directory="/var/lib/docker"
+check_1_9="1.9  - Audit Docker files and directories - /etc/docker"
+directory="/etc/docker"
 if [ -d "$directory" ]; then
   command -v auditctl >/dev/null 2>&1
   if [ $? -eq 0 ]; then
@@ -97,12 +118,12 @@ else
 fi
 
 # 1.10
-check_1_10="1.10 - Audit Docker files and directories - /etc/docker"
-directory="/etc/docker"
-if [ -d "$directory" ]; then
+check_1_10="1.10 - Audit Docker files and directories - docker.service"
+file="$(get_systemd_service_file docker.service)"
+if [ -f "$file" ]; then
   command -v auditctl >/dev/null 2>&1
   if [ $? -eq 0 ]; then
-    auditctl -l | grep $directory >/dev/null 2>&1
+    auditctl -l | grep "$file" >/dev/null 2>&1
     if [ $? -eq 0 ]; then
       pass "$check_1_10"
     else
@@ -113,16 +134,16 @@ if [ -d "$directory" ]; then
   fi
 else
   info "$check_1_10"
-  info "     * Directory not found"
+  info "     * File not found"
 fi
 
 # 1.11
-check_1_11="1.11 - Audit Docker files and directories - docker-registry.service"
-file="$(get_systemd_service_file docker-registry.service)"
-if [ -f "$file" ]; then
+check_1_11="1.11 - Audit Docker files and directories - docker.socket"
+file="$(get_systemd_service_file docker.socket)"
+if [ -e "$file" ]; then
   command -v auditctl >/dev/null 2>&1
   if [ $? -eq 0 ]; then
-    auditctl -l | grep $file >/dev/null 2>&1
+    auditctl -l | grep "$file" >/dev/null 2>&1
     if [ $? -eq 0 ]; then
       pass "$check_1_11"
     else
@@ -137,8 +158,8 @@ else
 fi
 
 # 1.12
-check_1_12="1.12 - Audit Docker files and directories - docker.service"
-file="$(get_systemd_service_file docker.service)"
+check_1_12="1.12 - Audit Docker files and directories - /etc/default/docker"
+file="/etc/default/docker"
 if [ -f "$file" ]; then
   command -v auditctl >/dev/null 2>&1
   if [ $? -eq 0 ]; then
@@ -157,9 +178,9 @@ else
 fi
 
 # 1.13
-check_1_13="1.13 - Audit Docker files and directories - /var/run/docker.sock"
-file="/var/run/docker.sock"
-if [ -e "$file" ]; then
+check_1_13="1.13 - Audit Docker files and directories - /etc/docker/daemon.json"
+file="/etc/docker/daemon.json"
+if [ -f "$file" ]; then
   command -v auditctl >/dev/null 2>&1
   if [ $? -eq 0 ]; then
     auditctl -l | grep $file >/dev/null 2>&1
@@ -177,8 +198,8 @@ else
 fi
 
 # 1.14
-check_1_14="1.14 - Audit Docker files and directories - /etc/sysconfig/docker"
-file="/etc/sysconfig/docker"
+check_1_14="1.14 - Audit Docker files and directories - /usr/bin/docker-containerd"
+file="/usr/bin/docker-containerd"
 if [ -f "$file" ]; then
   command -v auditctl >/dev/null 2>&1
   if [ $? -eq 0 ]; then
@@ -197,8 +218,8 @@ else
 fi
 
 # 1.15
-check_1_15="1.15 - Audit Docker files and directories - /etc/sysconfig/docker-network"
-file="/etc/sysconfig/docker-network"
+check_1_15="1.15 - Audit Docker files and directories - /usr/bin/docker-runc"
+file="/usr/bin/docker-runc"
 if [ -f "$file" ]; then
   command -v auditctl >/dev/null 2>&1
   if [ $? -eq 0 ]; then
@@ -215,63 +236,3 @@ else
   info "$check_1_15"
   info "     * File not found"
 fi
-
-# 1.16
-check_1_16="1.16 - Audit Docker files and directories - /etc/sysconfig/docker-registry"
-file="/etc/sysconfig/docker-registry"
-if [ -f "$file" ]; then
-  command -v auditctl >/dev/null 2>&1
-  if [ $? -eq 0 ]; then
-    auditctl -l | grep $file >/dev/null 2>&1
-    if [ $? -eq 0 ]; then
-      pass "$check_1_16"
-    else
-      warn "$check_1_16"
-    fi
-  else
-    warn "1.16 - Failed to inspect: auditctl command not found."
-  fi
-else
-  info "$check_1_16"
-  info "     * File not found"
-fi
-
-# 1.17
-check_1_17="1.17 - Audit Docker files and directories - /etc/sysconfig/docker-storage"
-file="/etc/sysconfig/docker-storage"
-if [ -f "$file" ]; then
-  command -v auditctl >/dev/null 2>&1
-  if [ $? -eq 0 ]; then
-    auditctl -l | grep $file >/dev/null 2>&1
-    if [ $? -eq 0 ]; then
-      pass "$check_1_17"
-    else
-      warn "$check_1_17"
-    fi
-  else
-    warn "1.17 - Failed to inspect: auditctl command not found."
-  fi
-else
-  info "$check_1_17"
-  info "     * File not found"
-fi
-
-# 1.18
-check_1_18="1.18 - Audit Docker files and directories - /etc/default/docker"
-file="/etc/default/docker"
-if [ -f "$file" ]; then
-  command -v auditctl >/dev/null 2>&1
-  if [ $? -eq 0 ]; then
-    auditctl -l | grep $file >/dev/null 2>&1
-    if [ $? -eq 0 ]; then
-      pass "$check_1_18"
-    else
-      warn "$check_1_18"
-    fi
-  else
-    warn "1.18 - Failed to inspect: auditctl command not found."
-  fi
-else
-  info "$check_1_18"
-  info "     * File not found"
-fi