From 6be21785c4721ae347c21e4b5b98e611ea246bf3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Thu, 14 Apr 2016 21:15:33 +0200
Subject: [PATCH 1/2] update chap 1 to cis 1.11
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren
---
 tests/1_host_configuration.sh | 160 +++++++++++----------------------
 1 file changed, 53 insertions(+), 107 deletions(-)
diff --git a/tests/1_host_configuration.sh b/tests/1_host_configuration.sh
index 6a78fe0..b29abdc 100644
--- a/tests/1_host_configuration.sh
+++ b/tests/1_host_configuration.sh
@@ -23,62 +23,68 @@ else
 fi
 # 1.5
-check_1_5="1.5 - Remove all non-essential services from the host - Network"
-# Check for listening network services.
-listening_services=$(netstat -na | grep -v tcp6 | grep -v unix | grep -c LISTEN)
-if [ "$listening_services" -eq 0 ]; then
- warn "1.5 - Failed to get listening services for check: $check_1_5"
-else
- if [ "$listening_services" -gt 5 ]; then
- warn "$check_1_5"
- warn " * Host listening on: $listening_services ports"
- else
- pass "$check_1_5"
- fi
-fi
-
-# 1.6
-check_1_6="1.6 - Keep Docker up to date"
+check_1_5="1.5 - Keep Docker up to date"
 docker_version=$(docker version | grep -i -A1 '^server' | grep -i 'version:' \
 | awk '{print $NF; exit}' | tr -d '[:alpha:]-,')
 docker_current_version="1.11.0"
 docker_current_date="2016-04-13"
 do_version_check "$docker_current_version" "$docker_version"
 if [ $? -eq 11 ]; then
- warn "$check_1_6"
+ warn "$check_1_5"
 warn " * Using $docker_version, when $docker_current_version is current as of $docker_current_date"
 info " * Your operating system vendor may provide support and security maintenance for docker"
 else
- pass "$check_1_6"
+ pass "$check_1_5"
 info " * Using $docker_version which is current as of $docker_current_date"
 info " * Check with your operating system vendor for support and security maintenance for docker"
 fi
-# 1.7
-check_1_7="1.7 - Only allow trusted users to control Docker daemon"
+# 1.6
+check_1_6="1.6 - Only allow trusted users to control Docker daemon"
 docker_users=$(getent group docker)
-info "$check_1_7"
+info "$check_1_6"
 for u in $docker_users; do
 info " * $u"
 done
-# 1.8
-check_1_8="1.8 - Audit docker daemon"
+# 1.7
+check_1_7="1.7 - Audit docker daemon - /usr/bin/docker"
+file="/usr/bin/docker"
 command -v auditctl >/dev/null 2>&1
 if [ $? -eq 0 ]; then
- auditctl -l | grep /usr/bin/docker >/dev/null 2>&1
+ auditctl -l | grep "$file" >/dev/null 2>&1
 if [ $? -eq 0 ]; then
- pass "$check_1_8"
+ pass "$check_1_7"
 else
- warn "$check_1_8"
+ warn "$check_1_7"
 fi
 else
- warn "1.8 - Failed to inspect: auditctl command not found."
+ warn "1.7 - Failed to inspect: auditctl command not found."
+fi
+
+# 1.8
+check_1_8="1.8 - Audit Docker files and directories - /var/lib/docker"
+directory="/var/lib/docker"
+if [ -d "$directory" ]; then
+ command -v auditctl >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ auditctl -l | grep $directory >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ pass "$check_1_8"
+ else
+ warn "$check_1_8"
+ fi
+ else
+ warn "1.8 - Failed to inspect: auditctl command not found."
+ fi
+else
+ info "$check_1_8"
+ info " * Directory not found"
 fi
 # 1.9
-check_1_9="1.9 - Audit Docker files and directories - /var/lib/docker"
-directory="/var/lib/docker"
+check_1_9="1.9 - Audit Docker files and directories - /etc/docker"
+directory="/etc/docker"
 if [ -d "$directory" ]; then
 command -v auditctl >/dev/null 2>&1
 if [ $? -eq 0 ]; then
@@ -97,12 +103,12 @@ else
 fi
 # 1.10
-check_1_10="1.10 - Audit Docker files and directories - /etc/docker"
-directory="/etc/docker"
-if [ -d "$directory" ]; then
+check_1_10="1.10 - Audit Docker files and directories - docker.service"
+file="$(get_systemd_service_file docker.service)"
+if [ -f "$file" ]; then
 command -v auditctl >/dev/null 2>&1
 if [ $? -eq 0 ]; then
- auditctl -l | grep $directory >/dev/null 2>&1
+ auditctl -l | grep "$file" >/dev/null 2>&1
 if [ $? -eq 0 ]; then
 pass "$check_1_10"
 else
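Review bot: In the new 1.7 block, `auditctl -l | grep "$file"` with `file="/usr/bin/docker"` is an unanchored substring match, so a host whose only watches are on `/usr/bin/docker-containerd` or `/usr/bin/docker-runc` (the paths 1.14 and 1.15 now test) passes 1.7 without any rule on the daemon binary itself; the new 1.8 `grep $directory` for `/var/lib/docker` has the same weakness and is additionally left unquoted, unlike the quoted `grep "$file"` form this hunk introduces a few lines earlier. Anchoring on the path's trailing delimiter closes the gap: `auditctl -l | grep -E -- "$file( |$)" >/dev/null 2>&1` in 1.7 and `grep -E -- "$directory( |$)"` in 1.8. Matching on a delimiter rather than a `-w ` prefix is deliberate, since I believe older auditd builds print rules as `watch=PATH` rather than `-w PATH` — worth confirming on the oldest supported distro. While touching these lines, `if auditctl -l | grep -q -E -- "$file( |$)"; then` avoids the separate `$?` test that follows. The 1.9 block this hunk edits continues past the hunk.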
@@ -113,16 +119,16 @@ if [ -d "$directory" ]; then
 fi
 else
 info "$check_1_10"
- info " * Directory not found"
+ info " * File not found"
 fi
 # 1.11
-check_1_11="1.11 - Audit Docker files and directories - docker-registry.service"
-file="$(get_systemd_service_file docker-registry.service)"
-if [ -f "$file" ]; then
+check_1_11="1.11 - Audit Docker files and directories - docker.socket"
+file="$(get_systemd_service_file docker.socket)"
+if [ -e "$file" ]; then
 command -v auditctl >/dev/null 2>&1
 if [ $? -eq 0 ]; then
- auditctl -l | grep $file >/dev/null 2>&1
+ auditctl -l | grep "$file" >/dev/null 2>&1
 if [ $? -eq 0 ]; then
 pass "$check_1_11"
 else
@@ -137,8 +143,8 @@ else
 fi
 # 1.12
-check_1_12="1.12 - Audit Docker files and directories - docker.service"
-file="$(get_systemd_service_file docker.service)"
+check_1_12="1.12 - Audit Docker files and directories - /etc/default/docker"
+file="/etc/default/docker"
 if [ -f "$file" ]; then
 command -v auditctl >/dev/null 2>&1
 if [ $? -eq 0 ]; then
@@ -157,9 +163,9 @@ else
 fi
 # 1.13
-check_1_13="1.13 - Audit Docker files and directories - /var/run/docker.sock"
-file="/var/run/docker.sock"
-if [ -e "$file" ]; then
+check_1_13="1.13 - Audit Docker files and directories - /etc/docker/daemon.json"
+file="/etc/docker/daemon.json"
+if [ -f "$file" ]; then
 command -v auditctl >/dev/null 2>&1
 if [ $? -eq 0 ]; then
 auditctl -l | grep $file >/dev/null 2>&1
@@ -177,8 +183,8 @@ else
 fi
 # 1.14
-check_1_14="1.14 - Audit Docker files and directories - /etc/sysconfig/docker"
-file="/etc/sysconfig/docker"
+check_1_14="1.14 - Audit Docker files and directories - /usr/bin/docker-containerd"
+file="/usr/bin/docker-containerd"
 if [ -f "$file" ]; then
 command -v auditctl >/dev/null 2>&1
 if [ $? -eq 0 ]; then
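Review bot: The new 1.13 path `/etc/docker/daemon.json` is fed to the unchanged context line `auditctl -l | grep $file`, where the variable is unquoted and the `.` is a regex wildcard, whereas the same series switches 1.10 and 1.11 to the quoted `grep "$file"` form; a fixed-string quoted match, `auditctl -l | grep -F -- "$file" >/dev/null 2>&1`, removes both inconsistencies in one line. The 1.12 rename to `/etc/default/docker` also deserves a check on the new side that the path is still reached: with `docker.service` moved to 1.10, nothing in this file now audits `/etc/sysconfig/docker`, which patch 1 deletes below — if RPM-based hosts are still in scope that is a coverage loss, not just a renumbering. 1.10 through 1.15 are now six copies of the same ~18-line test differing only in label, path and the `-f`/`-e` test; a helper along the lines of `check_audit_rule "$check_1_13" -f "$file"` would keep future path updates like this one to a single line each. All four blocks edited here continue past their hunks.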
@@ -197,8 +203,8 @@ else
 fi
 # 1.15
-check_1_15="1.15 - Audit Docker files and directories - /etc/sysconfig/docker-network"
-file="/etc/sysconfig/docker-network"
+check_1_15="1.15 - Audit Docker files and directories - /usr/bin/docker-runc"
+file="/usr/bin/docker-runc"
 if [ -f "$file" ]; then
 command -v auditctl >/dev/null 2>&1
 if [ $? -eq 0 ]; then
@@ -215,63 +221,3 @@ else
 info "$check_1_15"
 info " * File not found"
 fi
-
-# 1.16
-check_1_16="1.16 - Audit Docker files and directories - /etc/sysconfig/docker-registry"
-file="/etc/sysconfig/docker-registry"
-if [ -f "$file" ]; then
- command -v auditctl >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- auditctl -l | grep $file >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- pass "$check_1_16"
- else
- warn "$check_1_16"
- fi
- else
- warn "1.16 - Failed to inspect: auditctl command not found."
- fi
-else
- info "$check_1_16"
- info " * File not found"
-fi
-
-# 1.17
-check_1_17="1.17 - Audit Docker files and directories - /etc/sysconfig/docker-storage"
-file="/etc/sysconfig/docker-storage"
-if [ -f "$file" ]; then
- command -v auditctl >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- auditctl -l | grep $file >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- pass "$check_1_17"
- else
- warn "$check_1_17"
- fi
- else
- warn "1.17 - Failed to inspect: auditctl command not found."
- fi
-else
- info "$check_1_17"
- info " * File not found"
-fi
-
-# 1.18
-check_1_18="1.18 - Audit Docker files and directories - /etc/default/docker"
-file="/etc/default/docker"
-if [ -f "$file" ]; then
- command -v auditctl >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- auditctl -l | grep $file >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- pass "$check_1_18"
- else
- warn "$check_1_18"
- fi
- else
- warn "1.18 - Failed to inspect: auditctl command not found."
- fi
-else
- info "$check_1_18"
- info " * File not found"
-fi
From 1454b300a06f333968955974e522a7667d89d36e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Thu, 14 Apr 2016 21:27:24 +0200
Subject: [PATCH 2/2] add 1.4 again
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren
---
 tests/1_host_configuration.sh | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/tests/1_host_configuration.sh b/tests/1_host_configuration.sh
index b29abdc..e430853 100644
--- a/tests/1_host_configuration.sh
+++ b/tests/1_host_configuration.sh
@@ -22,6 +22,21 @@ else
 pass "$check_1_2"
 fi
+# 1.4
+check_1_4="1.4 - Remove all non-essential services from the host - Network"
+# Check for listening network services.
+listening_services=$(netstat -na | grep -v tcp6 | grep -v unix | grep -c LISTEN)
+if [ "$listening_services" -eq 0 ]; then
+ warn "1.4 - Failed to get listening services for check: $check_1_4"
+else
+ if [ "$listening_services" -gt 5 ]; then
+ warn "$check_1_4"
+ warn " * Host listening on: $listening_services ports"
+else
+ pass "$check_1_4"
+ fi
+fi
+
 # 1.5
 check_1_5="1.5 - Keep Docker up to date"
 docker_version=$(docker version | grep -i -A1 '^server' | grep -i 'version:' \
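Review bot: The re-added 1.4 counts listeners with `netstat -na | grep -v tcp6 | grep -v unix | grep -c LISTEN`, which discards every IPv6 listener, so a service bound only to `::` is never counted and a host can pass 1.4 while exposing any number of ports on IPv6; `listening_services=$(netstat -nat | grep -c LISTEN)` counts both families and `-t` already excludes unix sockets (on hosts without net-tools, `ss -ltn` is the iproute2 equivalent, adjusting for its header line). The `-eq 0` branch also conflates "netstat missing" with "nothing listening", since a missing binary leaves `grep -c` printing 0 as well; guarding with `command -v netstat >/dev/null 2>&1` and emitting `warn "1.4 - Failed to inspect: netstat command not found."` as the auditctl blocks do would let a genuine 0 count as a pass. The inner `else` before `pass "$check_1_4"` appears to be at column 0 while its matching `if` is indented (patch 1 removed the same line as an indented `else`), which is worth fixing in the re-add. The `-gt 5` ceiling is undocumented; a comment such as `# 5 is this script's heuristic ceiling for a Docker host, not a CIS-mandated value` would tell the next maintainer whether it is safe to tune.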