Commit graph

91 commits

Author SHA1 Message Date
Liron Levin
09cf68d8e8 Some Docker daemon configuration vulnerabilities (section 2) do not work in Ubuntu
Apparently in Ubuntu pgrep -lf docker does not return the docker process
input parameter.
Thus, all the tests that validate command line parameters (e.g., TLS
setup, ulimits) do not work.
After replacing pgrep with ps ax, all checks are working correctly.

Tested on:
Kernel version: 3.16.0-37-generic
Ubuntu version: 14.04.1-Ubuntu

Signed-off-by: liron-l <levinlir@gmail.com>
2015-06-22 16:55:19 +03:00
Thomas Sjögren
62a903246c Merge pull request #43 from konstruktoid/contrib_b
tests tree
2015-06-21 22:08:19 +02:00
Thomas Sjögren
072df180aa tests tree
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-21 22:07:07 +02:00
Thomas Sjögren
edf0646330 Merge pull request #40 from liron-l/master
Fix CIS 5.8 - Reverse container port and reduce privileged port to 1024
2015-06-21 21:45:01 +02:00
Liron Levin
ddc7553e7a Merge branch 'master' of github.com:liron-l/docker-bench-security
Signed-off-by: Liron Levin <liron@twistlock.com>
2015-06-21 07:26:39 +03:00
Liron Levin
b2093036df Fix CIS 5.8 - Reverse container port and reduce privileged port to 1024
-- According to CIS, 5.8 applies to privileged ports on the host, not on the
container:
`processes are not allowed to use them for various security reasons.
Docker allows a container port to be mapped to a privileged port.`
-- Also, privileged ports should be less than 1024 inclusive

Signed-off-by: liron-l <levinlir@gmail.com>
Signed-off-by: Liron Levin <liron@twistlock.com>
2015-06-21 07:25:24 +03:00
liron-l
0602870be5 Fix CIS 5.8 - Reverse container port and reduce privileged port to 1024
-- According to CIS, 5.8 applies to privileged ports on the host, not on the
container:
`processes are not allowed to use them for various security reasons.
Docker allows a container port to be mapped to a privileged port.`
-- Also, privileged ports should be less than 1024 inclusive

Signed-off-by: liron-l <levinlir@gmail.com>
2015-06-21 07:19:28 +03:00
Thomas Sjögren
b8afe35a5b Merge pull request #42 from konstruktoid/contrib
CONTRIBUTING.md
2015-06-19 23:55:05 +02:00
Thomas Sjögren
b808610b45 simplify dir tree
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-19 23:52:01 +02:00
Thomas Sjögren
0b32b8aa22 codecheck w shellcheck, checkbashisms
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-19 23:47:27 +02:00
Thomas Sjögren
3d2565742a same build instructions everywhere
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-19 23:46:43 +02:00
Thomas Sjögren
2a0241d839 Merge pull request #41 from konstruktoid/exclude_container
consistent labeling
2015-06-19 23:34:36 +02:00
Thomas Sjögren
2dbfdd112f consistent labeling
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-19 23:31:44 +02:00
Thomas Sjögren
d9bb6ce936 Merge pull request #39 from konstruktoid/issue_31
Change from ls to stat, fix permissions
2015-06-19 22:48:32 +02:00
Thomas Sjögren
1e0ef4cf97 crt dir and permissions
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-18 00:32:20 +02:00
Thomas Sjögren
0c61ddb6dd from ls to stat
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-17 23:52:53 +02:00
Thomas Sjögren
3059cef2c3 444 is read-only
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-17 23:52:23 +02:00
Thomas Sjögren
70b8d33cef replace ls with stat when checking owner and perms
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-17 23:25:01 +02:00
Thomas Sjögren
820bb581b7 add stat. reorder
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-17 23:23:59 +02:00
Diogo Mónica
23a74b5bd0 Fixing local running of container in README
2015-06-17 11:25:52 -07:00
Diogo Mónica
e8c3571a84 Fixed Examples
2015-06-16 17:21:54 -07:00
Thomas Sjögren
158c5cf1ac Merge pull request #36 from konstruktoid/issue_33
catch all -H, not only tcp://
2015-06-15 23:34:23 +02:00
Thomas Sjögren
20db7d8a4d catch all -H, not only tcp://
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-15 23:04:02 +02:00
Thomas Sjögren
49070a4af1 Merge pull request #35 from konstruktoid/cap_audit
add cap_audit_control for auditctl to work
2015-06-15 22:19:41 +02:00
Thomas Sjögren
cf7b13d5ba add cap_audit_control for auditctl to work
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-15 22:15:24 +02:00
Thomas Sjögren
af47962bc8 Merge pull request #26 from konstruktoid/issue_25
Issue #25, don't warn if file is missing and add /var/lib
2015-06-15 22:03:46 +02:00
Thomas Sjögren
eca8471c71 Merge branch 'master' of github.com:konstruktoid/docker-bench-security into issue_25
* 'master' of github.com:konstruktoid/docker-bench-security:
  Fix test 5.14 to not always pass when multiple ports are published.
  change to docker repository
  make readme codeblocks prettier
  Add first version of CONTRIBUTING.md
  Issue #24, remove -U, -u
  use official alpine image as the base
  Make the main script an executable for if I want to run it on my host

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

Conflicts:
	README.md
2015-06-15 22:01:48 +02:00
Diogo Mónica
0cbb99d1f1 Merge pull request #34 from CtrlZvi/5.14_multiport_support
Fix test 5.14 to not always pass when multiple ports are published.
2015-06-15 11:44:55 -07:00
Zvi "Viz" Effron
3616f15cba Fix test 5.14 to not always pass when multiple ports are published.
Signed-off-by: Zvi "Viz" Effron <zeffron@riotgames.com>
2015-06-15 11:26:13 -07:00
Diogo Mónica
0e7967e9b0 Merge pull request #32 from konstruktoid/docker_pull
change to docker repository
2015-06-14 14:56:06 -07:00
Thomas Sjögren
41a0f63013 change to docker repository
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-14 23:54:15 +02:00
Thomas Sjögren
5c3c36c5ca New README
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-14 23:03:11 +02:00
Diogo Mónica
f3f5636ac9 Merge pull request #30 from docker/add-contributing
Add first version of CONTRIBUTING.md
2015-06-12 15:53:09 -07:00
Diogo Mónica
00b2c55589 Merge pull request #29 from jfrazelle/make-readme-codeblocks-prettier
make readme codeblocks prettier
2015-06-11 16:56:00 -07:00
Jessica Frazelle
de92a18648 make readme codeblocks prettier
Signed-off-by: Jessica Frazelle <princess@docker.com>
2015-06-11 16:54:23 -07:00
Diogo Monica
ebcbf9a231 Add first version of CONTRIBUTING.md
2015-06-11 16:26:49 -07:00
Thomas Sjögren
f4ee80ba3e add -v /var/lib:/var/lib
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-11 21:37:44 +02:00
Diogo Mónica
67711b52d3 Merge pull request #27 from konstruktoid/issue_24
Issue #24, remove -U, -u
2015-06-10 18:29:29 -07:00
Diogo Mónica
eed841c201 Merge pull request #23 from jfrazelle/make-executable
Make the main script an executable for if I want to run it on my host
2015-06-10 18:25:33 -07:00
Thomas Sjögren
2d25ddbcaf Issue #24, remove -U, -u
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-11 02:35:54 +02:00
Thomas Sjögren
56a7cb8779 Issue #25, don't warn if file is missing
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-11 02:17:14 +02:00
Jessica Frazelle
b24a9d15b9 use official alpine image as the base
Signed-off-by: Jessica Frazelle <princess@docker.com>
2015-06-09 00:11:03 -07:00
Jessica Frazelle
0231a7f5de Make the main script an executable for if I want to run it on my host
Fix image sprawl to work

Fix port range

Signed-off-by: Jessica Frazelle <princess@docker.com>
2015-06-09 00:10:44 -07:00
Diogo Mónica
d48d691ec2 Merge pull request #18 from konstruktoid/misc
docker version, correct number of images, clean 2.7 output, ...
2015-06-01 15:57:04 -07:00
Diogo Mónica
645cb34a75 Merge pull request #16 from konstruktoid/clean_ps
remove unused ps_ variables
2015-06-01 15:56:46 -07:00
Thomas Sjögren
b6a4bd7504 don't echo the grep result
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-01 22:51:47 +02:00
Thomas Sjögren
2e92ed5a01 exec_check had extra space
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-01 22:46:58 +02:00
Thomas Sjögren
787f4325b2 update 5.7 exec_check to new style
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-01 22:44:37 +02:00
Thomas Sjögren
e29a886254 warn if only -lt half of the images are in use
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-01 22:37:28 +02:00
Thomas Sjögren
8ff1dc25ee docker_version variable
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-01 22:36:55 +02:00