From e3da5eacf0090d0447fe8c62cce10df3b9bee4da Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Thu, 14 Apr 2016 22:57:25 +0200 Subject: [PATCH] update chap 3 to cis 1.11 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- tests/3_docker_daemon_configuration_files.sh | 338 +++++++------------ 1 file changed, 124 insertions(+), 214 deletions(-) diff --git a/tests/3_docker_daemon_configuration_files.sh b/tests/3_docker_daemon_configuration_files.sh index 7c141a0..b869747 100644 --- a/tests/3_docker_daemon_configuration_files.sh +++ b/tests/3_docker_daemon_configuration_files.sh @@ -34,8 +34,8 @@ else fi # 3.3 -check_3_3="3.3 - Verify that docker-registry.service file ownership is set to root:root" -file="$(get_systemd_service_file docker-registry.service)" +check_3_3="3.3 - Verify that docker.socket file ownership is set to root:root" +file="$(get_systemd_service_file docker.socket)" if [ -f "$file" ]; then if [ "$(stat -c %u%g $file)" -eq 00 ]; then pass "$check_3_3" @@ -49,8 +49,8 @@ else fi # 3.4 -check_3_4="3.4 - Verify that docker-registry.service file permissions are set to 644" -file="$(get_systemd_service_file docker-registry.service)" +check_3_4="3.4 - Verify that docker.socket file permissions are set to 644" +file="$(get_systemd_service_file docker.socket)" if [ -f "$file" ]; then if [ "$(stat -c %a $file)" -eq 644 ]; then pass "$check_3_4" 
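Review bot: The renumbered 3.4 check still passes only when `stat -c %a` prints exactly 644, so a docker.socket unit file that an operator tightened to 640 or 600 is reported as a warning rather than a pass, while the 3.6 check for /etc/docker in the same file already accepts 700 alongside 755; a mode-subset test such as `if [ $(( 8#$(stat -c %a "$file") & 8#7133 )) -eq 0 ]; then` would accept 644 and anything stricter (the `8#` base prefix assumes the script runs under bash, which the shebang outside this diff would confirm, and whether the benchmark wording is "644 or more restrictive" I cannot tell from the diff). Both new docker.socket checks also leave `$file` unquoted in `stat -c %u%g $file` and `stat -c %a $file`, whereas the TLS checks further down quote their path argument; `"$file"` is the consistent and safer form. The `if` block of check 3.4 continues past the end of this hunk.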
@@ -64,189 +64,39 @@ else fi # 3.5 -check_3_5="3.5 - Verify that docker.socket file ownership is set to root:root" -file="$(get_systemd_service_file docker.socket)" -if [ -f "$file" ]; then - if [ "$(stat -c %u%g $file)" -eq 00 ]; then - pass "$check_3_5" - else - warn "$check_3_5" - warn " * Wrong ownership for $file" - fi -else - info "$check_3_5" - info " * File not found" -fi - -# 3.6 -check_3_6="3.6 - Verify that docker.socket file permissions are set to 644" -file="$(get_systemd_service_file docker.socket)" -if [ -f "$file" ]; then - if [ "$(stat -c %a $file)" -eq 644 ]; then - pass "$check_3_6" - else - warn "$check_3_6" - warn " * Wrong permissions for $file" - fi -else - info "$check_3_6" - info " * File not found" -fi - -# 3.7 -check_3_7="3.7 - Verify that Docker environment file ownership is set to root:root " -file="/etc/sysconfig/docker" -if [ -f "$file" ]; then - if [ "$(stat -c %u%g $file)" -eq 00 ]; then - pass "$check_3_7" - else - warn "$check_3_7" - warn " * Wrong ownership for $file" - fi -else - info "$check_3_7" - info " * File not found" -fi - -# 3.8 -check_3_8="3.8 - Verify that Docker environment file permissions are set to 644" -file="/etc/sysconfig/docker" -if [ -f "$file" ]; then - if [ "$(stat -c %a $file)" -eq 644 ]; then - pass "$check_3_8" - else - warn "$check_3_8" - warn " * Wrong permissions for $file" - fi -else - info "$check_3_8" - info " * File not found" -fi - -# 3.9 -check_3_9="3.9 - Verify that docker-network environment file ownership is set to root:root" -file="/etc/sysconfig/docker-network" -if [ -f "$file" ]; then - if [ "$(stat -c %u%g $file)" -eq 00 ]; then - pass "$check_3_9" - else - warn "$check_3_9" - warn " * Wrong ownership for $file" - fi -else - info "$check_3_9" - info " * File not found" -fi - -# 3.10 -check_3_10="3.10 - Verify that docker-network environment file permissions are set to 644" -file="/etc/sysconfig/docker-network" -if [ -f "$file" ]; then - if [ "$(stat -c %a $file)" -eq 644 ]; then - pass 
"$check_3_10" - else - warn "$check_3_10" - warn " * Wrong permissions for $file" - fi -else - info "$check_3_10" - info " * File not found" -fi - -# 3.11 -check_3_11="3.11 - Verify that docker-registry environment file ownership is set to root:root" -file="/etc/sysconfig/docker-registry" -if [ -f "$file" ]; then - if [ "$(stat -c %u%g $file)" -eq 00 ]; then - pass "$check_3_11" - else - warn "$check_3_11" - warn " * Wrong ownership for $file" - fi -else - info "$check_3_11" - info " * File not found" -fi - -# 3.12 -check_3_12="3.12 - Verify that docker-registry environment file permissions are set to 644" -file="/etc/sysconfig/docker-registry" -if [ -f "$file" ]; then - if [ "$(stat -c %a $file)" -eq 644 ]; then - pass "$check_3_12" - else - warn "$check_3_12" - warn " * Wrong permissions for $file" - fi -else - info "$check_3_12" - info " * File not found" -fi - -# 3.13 -check_3_13="3.13 - Verify that docker-storage environment file ownership is set to root:root" -file="/etc/sysconfig/docker-storage" -if [ -f "$file" ]; then - if [ "$(stat -c %u%g $file)" -eq 00 ]; then - pass "$check_3_13" - else - warn "$check_3_13" - warn " * Wrong ownership for $file" - fi -else - info "$check_3_13" - info " * File not found" -fi - -# 3.14 -check_3_14="3.14 - Verify that docker-storage environment file permissions are set to 644" -file="/etc/sysconfig/docker-storage" -if [ -f "$file" ]; then - if [ "$(stat -c %a $file)" -eq 644 ]; then - pass "$check_3_14" - else - warn "$check_3_14" - warn " * Wrong permissions for $file" - fi -else - info "$check_3_14" - info " * File not found" -fi - -# 3.15 -check_3_15="3.15 - Verify that /etc/docker directory ownership is set to root:root" +check_3_5="3.5 - Verify that /etc/docker directory ownership is set to root:root" directory="/etc/docker" if [ -d "$directory" ]; then if [ "$(stat -c %u%g $directory)" -eq 00 ]; then - pass "$check_3_15" + pass "$check_3_5" else - warn "$check_3_15" + warn "$check_3_5" warn " * Wrong ownership for 
$directory" fi else - info "$check_3_15" + info "$check_3_5" info " * Directory not found" fi -# 3.16 -check_3_16="3.16 - Verify that /etc/docker directory permissions are set to 755" +# 3.6 +check_3_6="3.6 - Verify that /etc/docker directory permissions are set to 755" directory="/etc/docker" if [ -d "$directory" ]; then if [ "$(stat -c %a $directory)" -eq 755 ]; then - pass "$check_3_16" + pass "$check_3_6" elif [ "$(stat -c %a $directory)" -eq 700 ]; then - pass "$check_3_16" + pass "$check_3_6" else - warn "$check_3_16" + warn "$check_3_6" warn " * Wrong permissions for $directory" fi else - info "$check_3_16" + info "$check_3_6" info " * Directory not found" fi -# 3.17 -check_3_17="3.17 - Verify that registry certificate file ownership is set to root:root" +# 3.7 +check_3_7="3.7 - Verify that registry certificate file ownership is set to root:root" directory="/etc/docker/certs.d/" if [ -d "$directory" ]; then fail=0 @@ -258,18 +108,18 @@ if [ -d "$directory" ]; then fi done if [ $fail -eq 1 ]; then - warn "$check_3_17" + warn "$check_3_7" warn " * Wrong ownership for $directory" else - pass "$check_3_17" + pass "$check_3_7" fi else - info "$check_3_17" + info "$check_3_7" info " * Directory not found" fi -# 3.18 -check_3_18="3.18 - Verify that registry certificate file permissions are set to 444" +# 3.8 +check_3_8="3.8 - Verify that registry certificate file permissions are set to 444" directory="/etc/docker/certs.d/" if [ -d "$directory" ]; then fail=0 
@@ -280,135 +130,195 @@ if [ -d "$directory" ]; then fi done if [ $fail -eq 1 ]; then - warn "$check_3_18" + warn "$check_3_8" warn " * Wrong permissions for $directory" else - pass "$check_3_18" + pass "$check_3_8" fi else - info "$check_3_18" + info "$check_3_8" info " * Directory not found" fi -# 3.19 -check_3_19="3.19 - Verify that TLS CA certificate file ownership is set to root:root" +# 3.9 +check_3_9="3.9 - Verify that TLS CA certificate file ownership is set to root:root" tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) if [ -f "$tlscacert" ]; then if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then - pass "$check_3_19" + pass "$check_3_9" else - warn "$check_3_19" + warn "$check_3_9" warn " * Wrong ownership for $tlscacert" fi else - info "$check_3_19" + info "$check_3_9" info " * No TLS CA certificate found" fi -# 3.20 -check_3_20="3.20 - Verify that TLS CA certificate file permissions are set to 444" +# 3.10 +check_3_10="3.10 - Verify that TLS CA certificate file permissions are set to 444" tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) if [ -f "$tlscacert" ]; then perms=$(ls -ld "$tlscacert" | awk '{print $1}') if [ "$perms" = "-r--r--r--" ]; then - pass "$check_3_20" + pass "$check_3_10" else - warn "$check_3_20" + warn "$check_3_10" warn " * Wrong permissions for $tlscacert" fi else - info "$check_3_20" + info "$check_3_10" info " * No TLS CA certificate found" fi -# 3.21 -check_3_21="3.21 - Verify that Docker server certificate file ownership is set to root:root" +# 3.11 +check_3_11="3.11 - Verify that Docker server certificate file ownership is set to root:root" tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) if [ -f "$tlscert" ]; then if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; 
then - pass "$check_3_21" + pass "$check_3_11" else - warn "$check_3_21" + warn "$check_3_11" warn " * Wrong ownership for $tlscert" fi else - info "$check_3_21" + info "$check_3_11" info " * No TLS Server certificate found" fi -# 3.22 -check_3_22="3.22 - Verify that Docker server certificate file permissions are set to 444" +# 3.12 +check_3_12="3.12 - Verify that Docker server certificate file permissions are set to 444" tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) if [ -f "$tlscert" ]; then perms=$(ls -ld "$tlscert" | awk '{print $1}') if [ "$perms" = "-r--r--r--" ]; then - pass "$check_3_22" + pass "$check_3_12" else - warn "$check_3_22" + warn "$check_3_12" warn " * Wrong permissions for $tlscert" fi else - info "$check_3_22" + info "$check_3_12" info " * No TLS Server certificate found" fi -# 3.23 -check_3_23="3.23 - Verify that Docker server key file ownership is set to root:root" +# 3.13 +check_3_13="3.13 - Verify that Docker server key file ownership is set to root:root" tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) if [ -f "$tlskey" ]; then if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then - pass "$check_3_23" + pass "$check_3_13" else - warn "$check_3_23" + warn "$check_3_13" warn " * Wrong ownership for $tlskey" fi else - info "$check_3_23" + info "$check_3_13" info " * No TLS Key found" fi -# 3.24 -check_3_24="3.24 - Verify that Docker server key file permissions are set to 400" +# 3.14 +check_3_14="3.14 - Verify that Docker server key file permissions are set to 400" tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) if [ -f "$tlskey" ]; then perms=$(ls -ld "$tlskey" | awk '{print $1}') if [ "$perms" = "-r--------" ]; then - pass "$check_3_24" + pass "$check_3_14" else - warn "$check_3_24" + warn 
"$check_3_14" warn " * Wrong permissions for $tlskey" fi else - info "$check_3_24" + info "$check_3_14" info " * No TLS Key found" fi -# 3.25 -check_3_25="3.25 - Verify that Docker socket file ownership is set to root:docker" +# 3.15 +check_3_15="3.15 - Verify that Docker socket file ownership is set to root:docker" file="/var/run/docker.sock" if [ -S "$file" ]; then if [ "$(stat -c %U:%G $file)" = 'root:docker' ]; then - pass "$check_3_25" + pass "$check_3_15" else - warn "$check_3_25" + warn "$check_3_15" warn " * Wrong ownership for $file" fi else - info "$check_3_25" + info "$check_3_15" info " * File not found" fi -# 3.26 -check_3_26="3.26 - Verify that Docker socket file permissions are set to 660" +# 3.16 +check_3_16="3.16 - Verify that Docker socket file permissions are set to 660" file="/var/run/docker.sock" if [ -S "$file" ]; then if [ "$(stat -c %a $file)" -eq 660 ]; then - pass "$check_3_26" + pass "$check_3_16" else - warn "$check_3_26" + warn "$check_3_16" warn " * Wrong permissions for $file" fi else - info "$check_3_26" + info "$check_3_16" + info " * File not found" +fi + +# 3.17 +check_3_17="3.17 - Verify that daemon.json file ownership is set to root:root" +file="/etc/docker/daemon.json" +if [ -f "$file" ]; then + if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then + pass "$check_3_17" + else + warn "$check_3_17" + warn " * Wrong ownership for $file" + fi +else + info "$check_3_17" + info " * File not found" +fi + +# 3.18 +check_3_18="3.18 - Verify that daemon.json file permissions are set to 644" +file="/etc/docker/daemon.json" +if [ -f "$file" ]; then + if [ "$(stat -c %a $file)" -eq 644 ]; then + pass "$check_3_18" + else + warn "$check_3_18" + warn " * Wrong permissions for $file" + fi +else + info "$check_3_18" + info " * File not found" +fi + +# 3.19 +check_3_19="3.19 - Verify that /etc/default/docker file ownership is set to root:root" +file="/etc/default/docker" +if [ -f "$file" ]; then + if [ "$(stat -c %U:%G $file)" = 'root:root' ]; 
then + pass "$check_3_19" + else + warn "$check_3_19" + warn " * Wrong ownership for $file" + fi +else + info "$check_3_19" + info " * File not found" +fi + +# 3.20 +check_3_20="3.20 - Verify that /etc/default/docker file permissions are set to 644" +file="/etc/default/docker" +if [ -f "$file" ]; then + if [ "$(stat -c %a $file)" -eq 644 ]; then + pass "$check_3_20" + else + warn "$check_3_20" + warn " * Wrong permissions for $file" + fi +else + info "$check_3_20" info " * File not found" fi
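Review bot: The new 3.17 and 3.18 checks hard-code `/etc/docker/daemon.json`, so on a host whose daemon is started with `--config-file` pointing elsewhere they only print "File not found" and the configuration file actually in use is never examined; the TLS checks in this same hunk already resolve their paths with `get_docker_effective_command_line_args`, and the same lookup with a default, `file="$(get_docker_effective_command_line_args '--config-file' | sed -n 's/.*config-file=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)"` followed by `file="${file:-/etc/docker/daemon.json}"`, would close that gap (the pipeline is copied from the tlscacert check and carries the same `=`-only limitation, so a space-separated `--config-file /path` would still fall back to the default). Separately, 3.18 and 3.20 pass only an exact 644 mode, so an operator who restricted daemon.json or /etc/default/docker to 600 gets a warning; tolerating stricter modes, as the 3.6 check does for /etc/docker by also accepting 700, would avoid that false positive. The four new `stat` calls also leave `$file` unquoted while the TLS checks in this hunk quote theirs; `"$file"` is the consistent form even for these fixed paths.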