Commit graph

57 commits

Author SHA1 Message Date
Razvan Stoica
94900eedb9 Change global variable used only locally to local variable for simplification 2021-03-09 12:42:48 +02:00
Sebastiaan van Stijn
0f3dfe70fe Deprecate rule 2.16 for Docker > 19.03
The upcoming 20.x docker release will always have experimental features
enabled, which will stop this test from working.

More details can be found in docker/cli#2774

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-10-02 18:01:57 +02:00
Roman Mueller
b3182ca8f5 Remove prefix of check ID 2020-06-02 15:57:33 +02:00
Thomas Sjögren
98acc66436 map desc_ to benchmark headings
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2020-05-08 12:38:08 +02:00
zawazawa0316
b16da2c2ed Fix check condition
Signed-off-by: zawazawa0316 <37421794+zawazawa0316@users.noreply.github.com>
2020-03-03 21:51:49 +09:00
Thomas Sjögren
269b71eed8 locate configuration file before we run the tests #410
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2019-12-17 15:03:54 +01:00
Thomas Sjögren
c8c5615061 correct grep #410
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2019-12-16 09:57:21 +01:00
Thomas Sjögren
6c6d0836a4 first pass on section 2
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2019-08-27 14:54:08 +02:00
Thomas Sjögren
326e31f403 use only year and month for version check #309
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2019-04-13 16:33:57 +02:00
Boris Gorbylev
689a5a62c5 Fixed check 2.9
Signed-off-by: Boris Gorbylev <ekho@ekho.name>
2019-02-21 19:15:38 +03:00
Thomas Sjögren
391e09f76a linting
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2018-11-01 10:24:36 +01:00
Mark Stemm
ec7d8ce690 Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-10-11 13:39:55 -07:00
Nigel Brown
167c3507a2 Fixes incorrect reporting of TLS configuration in test 2.6
Signed-off-by: Nigel Brown <nigel@windsock.io>
2018-07-10 14:35:30 +01:00
Thomas Sjögren
c8894d3b26 deprecated --disable-legacy-registry
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2018-07-01 20:53:20 +02:00
Thomas Sjögren
78700f2600 consistent currentScore
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2018-07-01 20:04:20 +02:00
Thomas Sjögren
bdeaeaa05a fix 2.18
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2018-02-09 11:02:04 +01:00
Thomas Sjögren
8142de8334 convert all checks to functions
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2018-01-16 13:46:49 +01:00
Thomas Sjögren
ec4060ea2f add score and totalChecks to 2_
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-10-23 15:39:32 +02:00
Thomas Sjögren
78b1f5dc86 check 2.x json log
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-10-10 14:46:08 +02:00
Julien Garcia Gonzalez
1d07abf659 update 2.14 2017-09-21 08:15:09 +02:00
Thomas Sjögren
dac6a62ba1 space
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-07-07 12:10:37 +02:00
Thomas Sjögren
d93bc6b075 update section 2, clean tests
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-07-07 10:23:40 +02:00
Thomas Sjögren
5d9101cfc2 .Server.Experimental pre-1.13
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-04-21 13:51:09 +02:00
Thomas Sjögren
a97bdfbe0d add note tag on informal checks
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-03-23 11:29:58 +01:00
Thomas Sjögren
754e0ed02b tlsverify implies tls
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-03-21 16:17:08 +01:00
Thomas Sjögren
91e625b8e4 Modify get_docker_configuration_file_args in order to handle daemon.json better,
and also address missing files issue.

Closes #231
Closes #232

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-03-21 14:49:42 +01:00
Thomas Sjögren
260a3a76f1 Merge pull request #225 from andreasstieger/netstat
2.17: correct netstat usage and filtering
2017-02-24 13:26:48 +01:00
Andreas Stieger
c30a43c1fd 2.17: account for :::2377 netstat output
Fixes #224 - no. 4

Signed-off-by: Andreas Stieger <astieger@suse.com>
2017-02-24 13:24:02 +01:00
Andreas Stieger
421c6dd866 2.17: may incorrectly match 5 digit port numbers
Fixes #224 - no. 3

Signed-off-by: Andreas Stieger <astieger@suse.com>
2017-02-24 13:23:57 +01:00
Andreas Stieger
7c66b6373a 2.17: grep -e recognizes IPv4 separator any character - escape
Fixes #224 - no. 2

Signed-off-by: Andreas Stieger <astieger@suse.com>
2017-02-24 13:23:48 +01:00
Andreas Stieger
c15dc6c568 2.17: netstat non-numeric output may not be interpreted correctly
The port may be aliased in /etc/services
Fixes #224 - no. 1

Signed-off-by: Andreas Stieger <astieger@suse.com>
2017-02-24 13:23:33 +01:00
Thomas Sjögren
3d87e6d743 Merge pull request #218 from konstruktoid/issue_157
Check configuration file settings
2017-02-24 11:28:50 +01:00
Thomas Sjögren
011ec950e9 use docker info, as all other tests
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-02-23 17:07:33 +01:00
Thomas Sjögren
7787fc0ec9 correct check_2_21, closes #221
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-02-23 17:01:47 +01:00
Thomas Sjögren
7575020fd5 check config file settings
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-02-23 16:33:53 +01:00
Thomas Sjögren
584847e5b4 update swarm tests
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-02-22 10:11:44 +01:00
Thomas Sjögren
7d992029e6 remove code, if CMD instead of exit code
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-02-17 15:03:29 +01:00
Thomas Sjögren
69435a0b3e update section 2
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-01-24 13:41:30 +01:00
Thomas Sjögren
77617321df update info messages, not scored
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-01-23 17:06:10 +01:00
Thomas Sjögren
7aa4682c87 #182 netstat
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-01-23 13:38:28 +01:00
Thomas Sjögren
95e6ac8253 #182 checks
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-01-23 13:13:48 +01:00
Thomas Sjögren
27773128f8 Merge branch 'master' into docker-benchmark-1.12.0 2017-01-23 12:14:23 +01:00
Thomas Sjögren
b3cd7a1755 Merge pull request #168 from MrSecure/fix-tls-verify
Fixes #167 - use get_docker_cumulative_command_line_args to check TLS
2017-01-20 12:08:12 +01:00
Ravi Kumar Vadapalli
6aae32f4e5 Support for 'CIS Docker Benchmark 1.12.0'
Signed-off-by: Ravi Kumar Vadapalli <vadapalli.ravikumar@gmail.com>
2016-12-20 20:31:58 +05:30
Kevin Lim
89e4769877 fix test 2.2 check for log level
Signed-off-by: Kevin Lim <kevin.lim@sap.com>
2016-09-28 14:25:42 -07:00
Mr. Secure
ee3e8dedb3 Fixes #167 - use get_docker_cumulative_command_line_args to check TLS settings
Additionally, split warning into 2 parts:  no TLS, TLS w/o verification

Signed-off-by: Mr. Secure <ben.github@mrsecure.org>
2016-09-24 19:42:39 -05:00
Thomas Sjögren
3cafe284dd update chap 2 to cis 1.11
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2016-04-14 22:25:11 +02:00
Andreas Stieger
d2ba1d9f72 Fix #97, #98, #99 by using new helper functions
Signed-off-by: Andreas Stieger <astieger@suse.com>
2015-11-27 15:35:37 +01:00
Mr. Secure
f791d06cff apply TLS checks to any socket other than unix:// or fd://
break the docker command line arguments into one option per line,
then find all socket items (H or host), exclude the unix:// and
fd:// sockets, and if there are any left, check for TLS options

Signed-off-by: Mr. Secure <ben.github@mrsecure.org>
2015-11-13 19:51:46 -06:00
MrSecure
81730f536a check for TCP listener
Signed-off-by: Mr. Secure <ben.github@mrsecure.org>
2015-10-30 07:48:11 -05:00