Thomas Sjögren
b766037da8
update permission checks
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-01-23 17:26:07 +01:00
Thomas Sjögren
77617321df
update info messages, not scored
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-01-23 17:06:10 +01:00
Thomas Sjögren
933f1b6da9
output formatting
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-01-23 16:16:02 +01:00
Thomas Sjögren
7aa4682c87
#182 netstat
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-01-23 13:38:28 +01:00
Thomas Sjögren
95e6ac8253
#182 checks
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-01-23 13:13:48 +01:00
Thomas Sjögren
07dbba6400
#182 remove legacy code
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-01-23 12:52:31 +01:00
Thomas Sjögren
6a2176b34e
#182 messages and syntax
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-01-23 12:40:32 +01:00
Thomas Sjögren
27773128f8
Merge branch 'master' into docker-benchmark-1.12.0
2017-01-23 12:14:23 +01:00
Thomas Sjögren
b3cd7a1755
Merge pull request #168 from MrSecure/fix-tls-verify
Fixes #167 - use get_docker_cumulative_command_line_args to check TLS
2017-01-20 12:08:12 +01:00
Thomas Sjögren
91e684da65
1.13.0
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-01-20 11:53:18 +01:00
Thomas Sjögren
67c7562937
1.12.6
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-01-11 11:44:37 +01:00
Ravi Kumar Vadapalli
6aae32f4e5
Support for 'CIS Docker Benchmark 1.12.0'
Signed-off-by: Ravi Kumar Vadapalli <vadapalli.ravikumar@gmail.com>
2016-12-20 20:31:58 +05:30
Thomas Sjögren
27bb58c5cb
current version is 1.12.5
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2016-12-16 09:17:41 +01:00
Thomas Sjögren
2f6ddfd500
docker version 1.12.4
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2016-12-13 08:34:01 +01:00
Thomas Sjögren
7d4ee87105
bump version to 1.12.3
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2016-10-27 11:40:55 +02:00
Thomas Sjögren
84a764e3d8
Merge pull request #169 from kevinll/master
fix test 2.2 check for log level
Close #166
2016-10-13 22:26:56 +02:00
Thomas Sjögren
e45d4e3bb8
1.12.2
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2016-10-13 22:15:35 +02:00
Kevin Lim
89e4769877
fix test 2.2 check for log level
Signed-off-by: Kevin Lim <kevin.lim@sap.com>
2016-09-28 14:25:42 -07:00
Mr. Secure
ee3e8dedb3
Fixes #167 - use get_docker_cumulative_command_line_args to check TLS settings
Additionally, split warning into 2 parts: no TLS, TLS w/o verification
Signed-off-by: Mr. Secure <ben.github@mrsecure.org>
2016-09-24 19:42:39 -05:00
Thomas Sjögren
adfee878b8
1.12.1
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2016-08-19 23:11:03 +02:00
Thomas Sjögren
fdac630c36
bump docker version to 1.12
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2016-07-29 18:40:40 +02:00
Thomas Sjögren
9ba6afe0f2
1.11.2
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2016-06-02 21:51:11 +02:00
Thomas Sjögren
80e571f759
new version
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2016-04-28 21:51:24 +02:00
Thomas Sjögren
81b093632a
update chap 6 to cis 1.11
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2016-04-15 00:23:03 +02:00
Thomas Sjögren
9e94259903
update chap 5 to cis 1.11
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2016-04-15 00:12:00 +02:00
Thomas Sjögren
c544e417b0
update chap 4 to cis 1.11
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2016-04-14 23:15:16 +02:00
Thomas Sjögren
e3da5eacf0
update chap 3 to cis 1.11
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2016-04-14 22:57:25 +02:00
Thomas Sjögren
3cafe284dd
update chap 2 to cis 1.11
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2016-04-14 22:25:11 +02:00
Thomas Sjögren
1454b300a0
add 1.4 again
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2016-04-14 21:27:24 +02:00
Thomas Sjögren
6be21785c4
update chap 1 to cis 1.11
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2016-04-14 21:15:33 +02:00
Thomas Sjögren
03ec1b96b7
docker_current_version
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2016-04-14 20:18:49 +02:00
Thomas Sjögren
8d6f1e81c2
ps flags not in output
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2016-03-29 23:52:39 +02:00
Thomas Sjögren
d3ff26c5fa
version 1.10.3
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2016-03-11 22:01:32 +01:00
Thomas Sjögren
3d7f124b89
Merge pull request #118 from konstruktoid/issue117
use stat to verify permissions
2016-03-11 21:32:55 +01:00
Matt Fellows
4d8ffc5943
Fix spelling mistake (proccesses -> processes)
Signed-off-by: Matt Fellows <matt.fellows@onegeek.com.au>
2016-02-25 11:08:43 +11:00
Thomas Sjögren
94d8a611d8
1.10.2 release
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2016-02-23 21:24:27 +01:00
Thomas Sjögren
001811bf87
use stat to verify permissions
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2016-02-16 23:23:27 +01:00
Thomas Sjögren
68082d0727
current version 1.10.1 and correct date
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2016-02-15 20:58:19 +01:00
Thomas Sjögren
7c6a637b62
update to v1.10.0
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2016-02-05 20:56:25 +01:00
Thomas Sjögren
00a1270c9b
inspect output changed
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-12-22 19:46:32 +01:00
Thomas Sjögren
606f70f83f
flexible paths for docker.socket as well
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-12-12 16:16:50 +01:00
Thomas Sjögren
e8c6b94143
check docker.service
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-12-12 16:08:46 +01:00
Thomas Sjögren
a53e1bec44
Merge pull request #105 from andreasstieger/version-check
Improve version check, fixes #103
2015-12-07 20:00:03 +01:00
Andreas Stieger
e285c472d6
Support remote users and groups for group check. Fixes #104
Grepping /etc/group discards users and groups coming from NIS, LDAP, AD.
Use getent group which covers all.
Signed-off-by: Andreas Stieger <astieger@suse.com>
2015-12-01 16:17:48 +01:00
Andreas Stieger
3f538f537f
Vendors now support docker packages, add language for #103
Signed-off-by: Andreas Stieger <astieger@suse.com>
2015-12-01 16:09:15 +01:00
Andreas Stieger
2c6285d4ef
Improve statement of version check 1.6, fixes #103
Add an as-of date.
Signed-off-by: Andreas Stieger <astieger@suse.com>
2015-12-01 15:43:13 +01:00
Thomas Sjögren
80794e5638
get .service file location from systemd
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-11-27 19:26:03 +01:00
Thomas Sjögren
eda8e3a963
Merge pull request #100 from andreasstieger/cli
Fix command line option parsing issues
Closes #97 #98 #99
2015-11-27 18:45:23 +01:00
Andreas Stieger
d2ba1d9f72
Fix #97, #98, #99 by using new helper functions
Signed-off-by: Andreas Stieger <astieger@suse.com>
2015-11-27 15:35:37 +01:00
Thomas Sjögren
2e6d3b290a
latest version is 1.9.1
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-11-21 20:51:05 +01:00
Thomas Sjögren
f2f1195550
Merge pull request #91 from MrSecure/29-tcp-required
check for TCP socket before checking for TLS
2015-11-14 20:54:41 +01:00
Mr. Secure
f791d06cff
apply TLS checks to any socket other than unix:// or fd://
break the docker command line arguments into one option per line,
then find all socket items (H or host), exclude the unix:// and
fd:// sockets, and if there are any left, check for TLS options
Signed-off-by: Mr. Secure <ben.github@mrsecure.org>
2015-11-13 19:51:46 -06:00
Andreas Stieger
cd7efa2afc
Fix test 3.25, correctly check for root:docker ownership, fixes #95
Signed-off-by: Andreas Stieger <astieger@suse.com>
2015-11-11 18:58:03 +01:00
Andreas Stieger
c5cb9cdc5c
POSIX test command requires -S for UNIX domain sockets, fixes #94
Signed-off-by: Andreas Stieger <astieger@suse.com>
2015-11-11 18:57:58 +01:00
Thomas Sjögren
9b9f17cabc
1.9.0 released
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-11-04 18:23:25 +01:00
MrSecure
81730f536a
check for TCP listener
Signed-off-by: Mr. Secure <ben.github@mrsecure.org>
2015-10-30 07:48:11 -05:00
Thomas Sjögren
50dc806232
current version is 1.8.2
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-10-01 21:46:33 +02:00
Csaba Palfi
831a373a61
make process count check even simpler
Signed-off-by: Csaba Palfi <csaba@palfi.me>
2015-08-17 17:41:47 +01:00
Csaba Palfi
d7926a0f31
make process count check a bit easier to read
Signed-off-by: Csaba Palfi <csaba@palfi.me>
2015-08-17 17:29:42 +01:00
Thomas Sjögren
75a7f955cc
prettier Docker exec fail output
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-08-13 22:06:03 +02:00
Thomas Sjögren
5f4bfdb98c
'CapAdd=<nil>'
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-08-13 21:46:21 +02:00
Thomas Sjögren
64bc5323e6
current version is 1.8.0
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-08-13 21:35:55 +02:00
Ivan Angelov
7ada35cd90
Count unique image ids only
Signed-off-by: Ivan Angelov <iangelov@users.noreply.github.com>
2015-08-10 17:19:06 +02:00
Thomas Sjögren
45671a70f3
catch server versions
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-07-11 20:36:04 +02:00
Thomas Sjögren
4a289d9a15
Merge pull request #59 from konstruktoid/perm_checks
Perm checks
2015-07-10 02:11:10 +02:00
Thomas Sjögren
6fca0428e7
missed one tls*
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-07-10 02:10:26 +02:00
Thomas Sjögren
b3fd225df8
fix incorrect file variables
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-07-10 01:43:11 +02:00
Thomas Sjögren
8b0efa170f
split cmdline
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-07-10 01:30:38 +02:00
Thomas Sjögren
3c6b0df012
handle -dev version
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-07-10 00:40:31 +02:00
Thomas Sjögren
19d3d39e50
Merge pull request #48 from jlusiardi/fix_issue_47
Fix for issue #47.
2015-07-01 20:16:27 +02:00
Joachim Lusiardi
fae2639313
Addition to fix for issue #47.
Missed the potentially wrong invocations of pgrep also in section 3
of the tests. Replace "pgrep -lf" there as well.
Signed-off-by: Joachim Lusiardi <joachim@lusiardi.de>
2015-06-29 22:27:59 +02:00
Joachim Lusiardi
fc8eefb8a6
Fix for issue #47.
Introduces a new function in helper_lib.sh to query the command line
arguments of the running instances of a binary. This is done to get
rid of the problem of "-lf" versus "-alf" for pgrep.
Signed-off-by: Joachim Lusiardi <joachim@lusiardi.de>
2015-06-29 22:27:34 +02:00
Thomas Sjögren
553e2d7c30
Merge remote-tracking branch 'origin/master' into shellcheck
* origin/master:
actually catch ssh
update do_version_check
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
Conflicts:
tests/1_host_configuration.sh
tests/5_container_runtime.sh
2015-06-23 21:17:41 +02:00
Thomas Sjögren
2907078fd2
actually catch ssh
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-21 23:11:23 +02:00
Thomas Sjögren
ef8ff4a9f3
update do_version_check
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-21 23:11:02 +02:00
Thomas Sjögren
b5c571df18
shellcheck fixes
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-21 23:03:34 +02:00
Thomas Sjögren
edf0646330
Merge pull request #40 from liron-l/master
Fix CIS 5.8 - Reverse container port and reduce privileged port to 1024
2015-06-21 21:45:01 +02:00
Liron Levin
b2093036df
Fix CIS 5.8 - Reverse container port and reduce privileged port to 1024
-- According to CIS, 5.8 applies to privileged ports on the host, not on the container: `processes are not allowed to use them for various security reasons. Docker allows a container port to be mapped to a privileged port.`
-- Also, the privileged port should be less than 1024 inclusive
Signed-off-by: liron-l <levinlir@gmail.com>
Signed-off-by: Liron Levin <liron@twistlock.com>
2015-06-21 07:25:24 +03:00
Thomas Sjögren
1e0ef4cf97
crt dir and permissions
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-18 00:32:20 +02:00
Thomas Sjögren
0c61ddb6dd
from ls to stat
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-17 23:52:53 +02:00
Thomas Sjögren
3059cef2c3
444 is read-only
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-17 23:52:23 +02:00
Thomas Sjögren
70b8d33cef
replace ls with stat when checking owner and perms
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-17 23:25:01 +02:00
Thomas Sjögren
20db7d8a4d
catch all -H, not only tcp://
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-15 23:04:02 +02:00
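The listener logic described in the "#91", "#167" and "catch all -H" commits above, as an added example in POSIX sh that is not docker-bench-security's own code. It assumes the daemon command line is handed in as a string (the project reads it from the running process through its own helper instead), treats unix:// and fd:// as local, and counts only --tls or --tlsverify as enabling TLS, honouring an explicit `--tlsverify=false`; the split between "no TLS" and "TLS without verification" follows the #167 commit message. The command lines at the bottom are constructed, not captured from a host.

```sh
#!/bin/sh
# Added example, not docker-bench-security's own code. Classifies the TLS
# posture of a dockerd command line for any listener that is not a local
# unix:// or fd:// socket. The command line is passed in as a string; the
# project itself reads it from the running process.

# One argument per line, with "--opt=value" split into "--opt" and "value",
# so each option can be matched exactly instead of with a loose grep.
split_args() {
  printf '%s\n' "$1" | tr ' =' '\n\n' | grep -v '^$' || true
}

# Listener addresses given with -H/--host, minus the local socket types.
# Prints nothing when the daemon only listens locally.
remote_listeners() {
  split_args "$1" | awk '
    want                         { print; want = 0; next }
    $0 == "-H" || $0 == "--host" { want = 1 }
  ' | grep -vE '^(unix://|fd://)' || true
}

# has_flag <cmdline> <flag>: succeeds if <flag> is present and not followed
# by the literal value "false" (dockerd accepts --tlsverify=false).
has_flag() {
  split_args "$1" | awk -v f="$2" '
    $0 == f                    { hit = 1 }
    prev == f && $0 == "false" { hit = 0 }
                               { prev = $0 }
    END { exit hit ? 0 : 1 }
  '
}

# Prints one of: local, tls-verify, tls-noverify, plaintext
tls_posture() {
  cmd="$1"
  if [ -z "$(remote_listeners "$cmd")" ]; then
    echo local            # nothing reachable over the network, TLS is moot
  elif has_flag "$cmd" --tlsverify; then
    echo tls-verify       # TLS with client certificate verification
  elif has_flag "$cmd" --tls; then
    echo tls-noverify     # encrypted, but any client is accepted
  else
    echo plaintext        # remote API with no TLS at all
  fi
}

# Constructed command lines, not captured from a real host:
tls_posture "dockerd -H fd://"
tls_posture "dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"
tls_posture "dockerd --host=tcp://0.0.0.0:2376 --tls --tlscert=/c.pem --tlskey=/k.pem"
tls_posture "dockerd -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=/etc/docker/ca.pem"
```

Certificate paths alone (`--tlscert`, `--tlskey`, `--tlscacert`) are deliberately not taken as proof that TLS is on; the daemon only enables it for `--tls` or `--tlsverify`, so a command line with certificates but neither flag is still reported as plaintext.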
Thomas Sjögren
eca8471c71
Merge branch 'master' of github.com:konstruktoid/docker-bench-security into issue_25
* 'master' of github.com:konstruktoid/docker-bench-security:
Fix test 5.14 to not always pass when multiple ports are published.
change to docker repository
make readme codeblocks prettier
Add first version of CONTRIBUTING.md
Issue #24, remove -U, -u
use official alpine image as the base
Make the main script an executable for if I want to run it on my host
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
Conflicts:
README.md
2015-06-15 22:01:48 +02:00
Zvi "Viz" Effron
3616f15cba
Fix test 5.14 to not always pass when multiple ports are published.
Signed-off-by: Zvi "Viz" Effron <zeffron@riotgames.com>
2015-06-15 11:26:13 -07:00
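The host-port logic from the 5.8 and 5.14 commits above, as an added example in POSIX sh that is not the project's own code: it reads the host side of each mapping rather than the container side, and inspects every published port rather than only the first. It assumes the Ports column has the shape docker ps prints; the container rows are constructed inline rather than read from a live daemon, and the `docker ps --format` invocation named in the comment is how real data would be fed in.

```sh
#!/bin/sh
# Added example, not docker-bench-security's own code. Flags containers that
# publish a privileged host port (below 1024). Two details matter: the host
# port is the number before "->", not the container port after it, and every
# comma-separated mapping is examined, not just the first one.
# Assumption: the Ports column looks like
#   "0.0.0.0:80->8080/tcp, :::443->8443/tcp, 9000/tcp"

# privileged_host_ports <ports-column>: prints each host port < 1024, one per
# line. Entries without "->" are exposed but not published and are ignored.
privileged_host_ports() {
  printf '%s\n' "$1" | tr ',' '\n' | awk '
    /->/ {
      host = $0
      sub(/->.*/, "", host)           # keep "0.0.0.0:80", "[::]:80" or ":::80"
      n = split(host, part, ":")      # host port is whatever follows the last ":"
      port = part[n] + 0
      if (port > 0 && port < 1024) print port
    }'
}

# check_container <name> <ports-column>: 0 = ok, 1 = privileged host port in use
check_container() {
  bad=$(privileged_host_ports "$2")
  if [ -n "$bad" ]; then
    printf 'WARN: %s publishes privileged host port(s): %s\n' "$1" "$(echo $bad)"
    return 1
  fi
  return 0
}

# Constructed rows in the "name<TAB>ports" shape that
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# prints on a live host; embedded here so the script runs offline.
tab=$(printf '\t')
sample=$(printf 'web\t0.0.0.0:80->8080/tcp, :::443->8443/tcp\napi\t0.0.0.0:8080->80/tcp, 9000/tcp\ndb\t127.0.0.1:5432->5432/tcp\nproxy\t[::]:25->2525/tcp\n')

printf '%s\n' "$sample" | while IFS="$tab" read -r name ports; do
  check_container "$name" "$ports" || :
done
```

On the constructed rows only `web` (80 and 443) and `proxy` (25) are reported; `api` maps host 8080 to container port 80, which the reversed check in the original 5.8 test would have flagged and this one does not.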
Diogo Mónica
67711b52d3
Merge pull request #27 from konstruktoid/issue_24
Issue #24, remove -U, -u
2015-06-10 18:29:29 -07:00
Thomas Sjögren
2d25ddbcaf
Issue #24, remove -U, -u
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-11 02:35:54 +02:00
Thomas Sjögren
56a7cb8779
Issue #25, don't warn if file is missing
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-11 02:17:14 +02:00
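Ownership and mode checking done with stat, as the "from ls to stat" and "use stat to verify permissions" commits above describe, combined with the `test -S` point from the #94 fix and the skip-if-missing behaviour of this #25 commit; an added POSIX sh example, not the project's own code. It assumes GNU stat (-c) or BSD stat (-f) is present, and that an expected mode means "no more permissive than", so a 444 file satisfies a 644 check. The rows at the bottom are illustrative expectations, not the benchmark's list.

```sh
#!/bin/sh
# Added example, not docker-bench-security's own code. Owner, group and mode
# are read with stat instead of parsed out of ls output. A UNIX socket has
# to be tested with -S (test -f is false for it), and a path that does not
# exist is skipped rather than warned about.
# Assumption: either GNU stat (-c) or BSD stat (-f) is installed.

# "owner:group octal-mode" for a path, in whichever stat dialect exists.
file_meta() {
  stat -c '%U:%G %a' "$1" 2>/dev/null || stat -f '%Su:%Sg %Lp' "$1"
}

# check_file <path> <owner:group> <max-octal-mode> [file|dir|socket]
# Returns 0 on pass, 1 on fail, 2 when the path does not exist (skip).
# The mode passes when it grants no bit the expected mode lacks, so a
# 444 file passes a 644 check but a 664 file does not.
check_file() {
  path="$1"; want_own="$2"; want_mode="$3"; want_type="${4:-file}"
  [ -e "$path" ] || return 2

  case "$want_type" in
    file)   [ -f "$path" ] || { echo "$path: not a regular file"; return 1; } ;;
    dir)    [ -d "$path" ] || { echo "$path: not a directory"; return 1; } ;;
    socket) [ -S "$path" ] || { echo "$path: not a UNIX socket"; return 1; } ;;
    *)      echo "check_file: unknown type $want_type"; return 1 ;;
  esac

  set -- $(file_meta "$path")      # $1 = owner:group, $2 = mode
  own="$1"; mode="$2"

  if [ "$own" != "$want_own" ]; then
    echo "$path: owned by $own, expected $want_own"
    return 1
  fi
  # A leading zero makes the shell read the digits as octal; any bit left
  # after masking out the allowed ones is an excess permission.
  if [ $(( 0$mode & ~0$want_mode )) -ne 0 ]; then
    echo "$path: mode $mode is more permissive than $want_mode"
    return 1
  fi
  return 0
}

# Walk rows of "path owner:group mode type" and report each one.
audit_rows() {
  while read -r p o m t; do
    [ -n "$p" ] || continue
    rc=0; check_file "$p" "$o" "$m" "$t" || rc=$?
    case $rc in
      0) echo "PASS $p" ;;
      2) echo "SKIP $p (absent)" ;;
      *) echo "WARN $p" ;;
    esac
  done
}

# Illustrative CIS-style expectations; not the benchmark's own list.
audit_rows <<'EOF'
/var/run/docker.sock root:docker 660 socket
/etc/docker/daemon.json root:root 644 file
/etc/docker root:root 755 dir
EOF
```

Returning 2 for an absent path keeps a missing optional file (daemon.json on a host that never created one) out of the warning count while still letting the caller tell "absent" from "passed".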
Jessica Frazelle
0231a7f5de
Make the main script an executable for if I want to run it on my host
Fix image sprawl to work
Fix port range
Signed-off-by: Jessica Frazelle <princess@docker.com>
2015-06-09 00:10:44 -07:00
Thomas Sjögren
b6a4bd7504
don't echo the grep result
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-01 22:51:47 +02:00
Thomas Sjögren
2e92ed5a01
exec_check had extra space
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-01 22:46:58 +02:00
Thomas Sjögren
787f4325b2
update 5.7 exec_check to new style
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-01 22:44:37 +02:00
Thomas Sjögren
e29a886254
warn if only -lt half of the images are in use
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-01 22:37:28 +02:00
Thomas Sjögren
8ff1dc25ee
docker_version variable
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-01 22:36:55 +02:00
Thomas Sjögren
9cccfa6902
get the correct number of images
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-01 22:20:03 +02:00
Werner Buck
f4aab9c8c5
Double quote to prevent globbing and word splitting.
Do not use legacy backticks.
Proper use of printf
Do not use wc -l with grep, instead use grep -c
Use pgrep
Signed-off-by: Werner Buck <wernerbuck@gmail.com>
2015-05-31 12:26:37 +02:00
Thomas Sjögren
643beee453
fail=1 when Docker exec fails
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-05-30 13:03:01 +02:00
Thomas Sjögren
d964e084fc
no need for cat when grepping
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-05-30 13:02:37 +02:00
Thomas Sjögren
d02a7f8c0e
Add Docker do_version_check
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-05-30 13:02:08 +02:00
Thomas Sjögren
7082102612
add ps variable and limit output to root
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-05-30 13:01:19 +02:00
Diogo Monica
4194b1e65c
Adding double quotes to
2015-05-25 20:31:46 -07:00
Diogo Monica
03ac3f5bd3
Make ifs style be consistent
2015-05-14 20:26:32 -07:00
Diogo Monica
8d06000296
Fixed running containers calculation
2015-05-13 19:43:12 -07:00
Diogo Monica
1c795f146e
Added filtering to ignore security-benchmark container
2015-05-13 19:22:39 -07:00
Diogo Monica
1ebf49c35a
Fixed the script to ignore containers with label security-benchmark
2015-05-13 17:08:12 -07:00
Diogo Monica
e63766e945
Added more empty modes. This does not seem to be consistent
2015-05-13 16:13:03 -07:00
Diogo Monica
18d5a13240
First version of the CIS Docker Benchmark v1.0.0
2015-05-13 15:26:45 -07:00