Commit graph

98 commits

Author SHA1 Message Date
Aleksa Sarai
a18798fcfa
dist: adjust script imports to be able to use /usr/libexec
In order to make installation easier for distributions, make all script
imports based on a single variable that distributions can adjust based
on how the script is packaged for each distribution.

Ideally we would actually install the script in /usr/libexec rather than
/ in our Dockerfile, but this is a simpler fix that still lets you run
the script from the repo directory.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-10-18 17:43:13 +11:00
Thomas Sjögren
8da1cc26df
v1.6.0
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2023-08-25 12:37:35 +00:00
LEKPA Martin
8ea918620e update doc 2023-07-26 18:47:50 +02:00
Martin LEKPA
59fe573db2
update help 2023-07-25 21:38:20 +02:00
LEKPA Martin
223baf94d1 update doc 2023-07-21 18:53:01 +02:00
LEKPA Martin
bfbeda9263 add label filtering config 2023-07-01 11:19:04 +02:00
Thomas Sjögren
d6005f0211
tr is required, not truncate
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2023-06-13 09:54:22 +00:00
Thomas Sjögren
e82fa2cf5d
update version and add version table
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2023-03-06 13:11:02 +01:00
Gavin Porter
b29f676bbb Fix sed commands for BSD sed 2022-07-19 11:11:19 +12:00
Thomas Sjögren
3cfa505ecc update version information
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2022-03-07 13:39:45 +01:00
Thomas Sjögren
cff5d7f32c wording and set printremediation="0"
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2021-05-25 20:44:18 +02:00
Razvan Stoica
d0443cc817 Bug fixing and improving source code readability 2021-03-29 15:22:14 +03:00
Razvan Stoica
86985f854f Overwrite the json log at each run. Beautify the json log. 2021-03-28 11:08:15 +03:00
Razvan Stoica
4b68c2e040 Rename logs without the .sh extension 2021-03-27 09:36:10 +02:00
Razvan Stoica
c8721c90fa Displays the correct current time 2021-03-19 13:51:31 +02:00
Razvan Stoica
68bcd14fb3 Increase version 2021-03-17 14:05:48 +02:00
Razvan Stoica
091b4b954a Add option to specify trusted users. Add option to disable the printing of remediation measures. 2021-03-16 10:11:29 +02:00
Razvan Stoica
ed23f2d285 Change default log locations 2021-03-11 13:24:58 +02:00
Razvan Stoica
59a63dd49a Print more details in help message 2021-03-11 10:21:13 +02:00
Razvan Stoica
b3a36e8d94 Print Section B only if it contains remediation measures 2021-03-11 09:26:31 +02:00
Razvan Stoica
6c586b4e08 Print remediation measures at the end of the logs 2021-03-10 21:47:52 +02:00
Razvan Stoica
2132b03b92 Usage instructions aligned between the README.md and docker-bench-security.sh files 2021-03-10 10:01:18 +02:00
Razvan Stoica
c00ef4330b Add details about remediation measures for host configuration tests 2021-03-09 21:43:25 +02:00
Razvan Stoica
58205d4ef5 Add new programs to the list of required programs 2021-03-09 17:50:00 +02:00
Razvan Stoica
519f20befd Append JSON logs when run multiple times 2021-03-09 16:06:38 +02:00
Razvan Stoica
8e0daa11de Print date and time in ISO 8601 UTC format 2021-03-09 13:27:32 +02:00
Mark Stemm
4cfb58f675 Limit the number of reported items
In some environments, there may be a very large number of images,
containers, etc not satisfying a given test. For example, in one
environment, we saw *378k* images not satisfying 4.6, mostly because
the customer was never cleaning up old images.

To avoid overly long lists of items, add a new option "-n LIMIT" that
limits the number of items included in JSON output. When the limit is
reached, the list will be truncated and a trailing (truncated) will be
added. Here's an example:

```
{"id": "5.9", "desc": "Ensure the host's network namespace is not
shared", "result": "WARN", "details": "Containers running with
networking mode 'host':  k8s_POD_storage-provisioner_kube-system_ef960ef5-62c5-11e9-802f-08002719228f_0
k8s_POD_kube-proxy-xfln8_kube-system_ee70c4c3-62c5-11e9-802f-08002719228f_0 (truncated)",
"items":
["k8s_POD_storage-provisioner_kube-system_ef960ef5-62c5-11e9-802f-08002719228f_0","k8s_POD_kube-proxy-xfln8_kube-system_ee70c4c3-62c5-11e9-802f-08002719228f_0","(truncated)"]},
```

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2020-07-10 13:00:29 -07:00
Thomas Sjögren
8aec461d46 more flexible binary usage, better support for mac os
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2020-05-08 13:09:52 +02:00
Thomas Sjögren
11da147df9
Merge pull request #407 from Intermax-Cloudsourcing/allow-include-checks-mixing
fix: allow combining include and exclude
2020-01-29 12:07:32 +00:00
wilmardo
4054055546 fix: uncomment PATH variable
Signed-off-by: wilmardo <info@wilmardenouden.nl>
2020-01-29 10:31:15 +01:00
Thomas Sjögren
269b71eed8 locate configuration file before we run the tests #410
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2019-12-17 15:03:54 +01:00
wilmardo
155c739fc9 feat: all mixes of include and excludes are now supported
Signed-off-by: wilmardo <info@wilmardenouden.nl>
2019-12-09 15:19:17 +01:00
wilmardo
91d36b62f9 refact: removes variable, use result directly in loop
Signed-off-by: wilmardo <info@wilmardenouden.nl>
2019-12-05 16:20:47 +01:00
wilmardo
cf9baa76ae feat: improve sed match
Signed-off-by: wilmardo <info@wilmardenouden.nl>
2019-12-05 15:51:14 +01:00
wilmardo
1b37a1e6bc fix: allow combining include and exclude
Signed-off-by: wilmardo <info@wilmardenouden.nl>
2019-12-04 15:35:11 +01:00
jammasterj89
d2963b4c42
Reorder of sed command on images
Ensure sed command is first when filtering on images to ensure the description row is removed correctly.

Signed-off-by: Niall T <jammasterj89@gmail.com>
2019-12-04 11:14:43 +00:00
Thomas Sjögren
ddad135d13 shellcheck
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2019-10-16 09:49:18 +02:00
Aurélien Gasser
577e9f5edb support whitespace in PATH
Signed-off-by: Aurélien Gasser <aurelien.gasser@gmail.com>
2019-10-07 10:32:58 -04:00
jammasterj89
f4e33ee54e
Fixed exclude flag issue with functions_lib.sh
Include the all text named functions within functions_lib.sh call if the -e flag is set.

Signed-off-by: Niall T <jammasterj89@gmail.com>
2019-09-02 13:22:28 +01:00
Thomas Sjögren
d1934b614e
Merge pull request #390 from jammasterj89/master
Issue #383 ability to exclude images
Closes #383, #369
2019-08-29 15:10:53 +02:00
jammasterj89
3d02432bc8
Removed whitespace
Signed-off-by: Niall T <jammasterj89@gmail.com>
2019-08-29 13:48:24 +01:00
jammasterj89
c53157e184 Remove -t parameter
$images now set via -i and -x parameters

Signed-off-by: Niall T <jammasterj89@gmail.com>
2019-08-29 13:37:41 +01:00
jammasterj89
7f29aebd71 Added $images to $exclude
Added $images $exclude logic so now containers and images are excluded.
Added new $benchimagecont for images to replicate the $benchcont for containers.

Signed-off-by: Niall T <jammasterj89@gmail.com>
2019-08-29 13:37:35 +01:00
Thomas Sjögren
227f2faa5b bump version to 1.3.5
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2019-08-26 14:11:10 +02:00
kakakakakku
c560b044e4 Updated README.md
Signed-off-by: Yoshiaki Yoshida <y.yoshida22@gmail.com>
2019-01-17 21:04:46 +09:00
Anthony Roger
1dd7956760 feat: add the ability to select the images to be checked from registry in order to integrate in ci
Signed-off-by: Anthony Roger <aroger@softwaymedical.fr>
2018-12-11 14:39:16 +01:00
Thomas Sjögren
9d9da6d375 exclude docker-bench-security container #286
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2018-11-23 10:50:34 +01:00
Cheng-Li Jerry Ma
304094cbb2 Fix -e option totalChecks and currentScore always 0
Signed-off-by: Cheng-Li Jerry Ma <chengli.ma@gmail.com>
2018-11-08 15:35:20 -07:00
Cheng-Li Jerry Ma
37ccf4dbcf Fix -e option last entry is not excluded in docker
Signed-off-by: Cheng-Li Jerry Ma <chengli.ma@gmail.com>
2018-11-08 15:34:55 -07:00
Cheng-Li Jerry Ma
db8a8c0d96 Fix -e option always skipping check_1, check_2, check_3 and ...
this also caused the output json to be malformed without proper grouping/nesting

Signed-off-by: Cheng-Li Jerry Ma <chengli.ma@gmail.com>
2018-11-08 15:33:23 -07:00