From 9bf4dea52716b823d96ea1b98568d0d8f95c6b67 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
<konstruktoid@users.noreply.github.com>
Date: Wed, 15 Mar 2023 17:11:38 +0100
Subject: [PATCH 01/32] update slsa gha permissions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
---
.github/workflows/slsa.yml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/.github/workflows/slsa.yml b/.github/workflows/slsa.yml
index 6dfc96c..b5257c8 100644
--- a/.github/workflows/slsa.yml
+++ b/.github/workflows/slsa.yml
@@ -53,6 +53,10 @@ jobs:
release:
needs: [build, provenance]
+ permissions:
+ actions: read
+ id-token: write
+ contents: write
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/')
steps:
From c8c90ee523d30723d9710f5775ae4ee75fea3db1 Mon Sep 17 00:00:00 2001
From: andreagalle <andreagalle@hotmail.it>
Date: Wed, 12 Apr 2023 13:27:36 +0000
Subject: [PATCH 02/32] checking for the MaxAttempts=5 too at service level
---
tests/5_container_runtime.sh | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/tests/5_container_runtime.sh b/tests/5_container_runtime.sh
index bd9564b..a38589d 100644
--- a/tests/5_container_runtime.sh
+++ b/tests/5_container_runtime.sh
@@ -595,9 +595,19 @@ check_5_14() {
fail=0
maxretry_unset_containers=""
for c in $containers; do
- policy=$(docker inspect --format MaximumRetryCount='{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c")
+ for s in $(docker service ls --format '{{.Name}}'); do
+ if docker inspect "$c" --format '{{.Name}}' | grep -q "$s"; then
+ task_id=$(docker inspect "$c" --format '{{.Name}}' | awk -F '.' '{print $NF}')
+ # a container name could arbitrary include a service one: it belongs to a service (created by Docker
+ # as part of the service), if the container task ID matches one of the task IDs of the service.
+ if docker service ps --no-trunc "$s" --format '{{.ID}}' | grep -q "$task_id"; then
+ spolicy=$(docker inspect --format MaximumRetryCount='{{ .Spec.TaskTemplate.RestartPolicy.MaxAttempts }}' "$s")
+ fi
+ fi
+ done
+ cpolicy=$(docker inspect --format MaximumRetryCount='{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c")
- if [ "$policy" != "MaximumRetryCount=5" ]; then
+ if [ "$cpolicy" != "MaximumRetryCount=5" ] || [ "$spolicy" != "MaxAttempts=5" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
From f97b420af91106e0f671eee467bbb17ceeb703ac Mon Sep 17 00:00:00 2001
From: andreagalle <andreagalle@hotmail.it>
Date: Wed, 12 Apr 2023 14:46:13 +0000
Subject: [PATCH 03/32] couple typos & performance improvements
---
tests/5_container_runtime.sh | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/tests/5_container_runtime.sh b/tests/5_container_runtime.sh
index a38589d..db4ea28 100644
--- a/tests/5_container_runtime.sh
+++ b/tests/5_container_runtime.sh
@@ -595,19 +595,21 @@ check_5_14() {
fail=0
maxretry_unset_containers=""
for c in $containers; do
- for s in $(docker service ls --format '{{.Name}}'); do
- if docker inspect "$c" --format '{{.Name}}' | grep -q "$s"; then
+ container_name=$(docker inspect "$c" --format '{{.Name}}')
+q for s in $(docker service ls --format '{{.Name}}'); do
+ if echo $container_name | grep -q "$s"; then
task_id=$(docker inspect "$c" --format '{{.Name}}' | awk -F '.' '{print $NF}')
# a container name could arbitrary include a service one: it belongs to a service (created by Docker
# as part of the service), if the container task ID matches one of the task IDs of the service.
if docker service ps --no-trunc "$s" --format '{{.ID}}' | grep -q "$task_id"; then
- spolicy=$(docker inspect --format MaximumRetryCount='{{ .Spec.TaskTemplate.RestartPolicy.MaxAttempts }}' "$s")
+ spolicy=$(docker inspect --format MaxAttempts='{{ .Spec.TaskTemplate.RestartPolicy.MaxAttempts }}' "$s")
+ break
fi
fi
done
cpolicy=$(docker inspect --format MaximumRetryCount='{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c")
- if [ "$cpolicy" != "MaximumRetryCount=5" ] || [ "$spolicy" != "MaxAttempts=5" ]; then
+ if [ "$cpolicy" != "MaximumRetryCount=5" ] && [ "$spolicy" != "MaxAttempts=5" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
From 412f514bb4bff5e29fe5d526903aa936af66215a Mon Sep 17 00:00:00 2001
From: andreagalle <andreagalle@hotmail.it>
Date: Wed, 12 Apr 2023 14:51:01 +0000
Subject: [PATCH 04/32] just a typo
---
tests/5_container_runtime.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/5_container_runtime.sh b/tests/5_container_runtime.sh
index db4ea28..acb8bac 100644
--- a/tests/5_container_runtime.sh
+++ b/tests/5_container_runtime.sh
@@ -596,7 +596,7 @@ check_5_14() {
maxretry_unset_containers=""
for c in $containers; do
container_name=$(docker inspect "$c" --format '{{.Name}}')
-q for s in $(docker service ls --format '{{.Name}}'); do
+ for s in $(docker service ls --format '{{.Name}}'); do
if echo $container_name | grep -q "$s"; then
task_id=$(docker inspect "$c" --format '{{.Name}}' | awk -F '.' '{print $NF}')
# a container name could arbitrary include a service one: it belongs to a service (created by Docker
From 0dc2d2b1e6e32112d061a075da7610082678e63f Mon Sep 17 00:00:00 2001
From: andreagalle <andreagalle@hotmail.it>
Date: Wed, 26 Apr 2023 07:04:53 +0000
Subject: [PATCH 05/32] should fix the: Error response from daemon: This node
is not a swarm manager. issue
---
tests/5_container_runtime.sh | 22 ++++++++++++----------
1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/tests/5_container_runtime.sh b/tests/5_container_runtime.sh
index acb8bac..7f6fa1a 100644
--- a/tests/5_container_runtime.sh
+++ b/tests/5_container_runtime.sh
@@ -596,17 +596,19 @@ check_5_14() {
maxretry_unset_containers=""
for c in $containers; do
container_name=$(docker inspect "$c" --format '{{.Name}}')
- for s in $(docker service ls --format '{{.Name}}'); do
- if echo $container_name | grep -q "$s"; then
- task_id=$(docker inspect "$c" --format '{{.Name}}' | awk -F '.' '{print $NF}')
- # a container name could arbitrary include a service one: it belongs to a service (created by Docker
- # as part of the service), if the container task ID matches one of the task IDs of the service.
- if docker service ps --no-trunc "$s" --format '{{.ID}}' | grep -q "$task_id"; then
- spolicy=$(docker inspect --format MaxAttempts='{{ .Spec.TaskTemplate.RestartPolicy.MaxAttempts }}' "$s")
- break
+ if [ "$(docker info --format '{{.Swarm.LocalNodeState}}')" = "active" ]; then
+ for s in $(docker service ls --format '{{.Name}}'); do
+ if echo $container_name | grep -q "$s"; then
+ task_id=$(docker inspect "$c" --format '{{.Name}}' | awk -F '.' '{print $NF}')
+ # a container name could arbitrary include a service one: it belongs to a service (created by Docker
+ # as part of the service), if the container task ID matches one of the task IDs of the service.
+ if docker service ps --no-trunc "$s" --format '{{.ID}}' | grep -q "$task_id"; then
+ spolicy=$(docker inspect --format MaxAttempts='{{ .Spec.TaskTemplate.RestartPolicy.MaxAttempts }}' "$s")
+ break
+ fi
fi
- fi
- done
+ done
+ fi
cpolicy=$(docker inspect --format MaximumRetryCount='{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c")
if [ "$cpolicy" != "MaximumRetryCount=5" ] && [ "$spolicy" != "MaxAttempts=5" ]; then
From 39963dad60e1b8197eda036e35f9d94c653c9476 Mon Sep 17 00:00:00 2001
From: Brad Solomon <81818815+brsolomon-deloitte@users.noreply.github.com>
Date: Fri, 2 Jun 2023 09:18:42 -0400
Subject: [PATCH 06/32] fix: allow get_docker_configuration_file_args to parse
minified json
Closes #524.
---
Dockerfile | 3 ++-
README.md | 2 ++
functions/helper_lib.sh | 12 +++++++++++-
3 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index bf72e06..6aaa8da 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,7 +7,8 @@ LABEL \
RUN apk add --no-cache iproute2 \
docker-cli \
- dumb-init
+ dumb-init \
+ jq
COPY . /usr/local/bin/
diff --git a/README.md b/README.md
index 1368c25..82d8a20 100644
--- a/README.md
+++ b/README.md
@@ -26,6 +26,8 @@ cd docker-bench-security
sudo sh docker-bench-security.sh
```
+> Note: [`jq`](https://jqlang.github.io/jq/) is an optional but recommended dependency.
+
### Run with Docker
_Please note that the `docker/docker-bench-security` image is out-of-date and and a manual build is required. See [#405](https://github.com/docker/docker-bench-security/issues/405) for more information._
diff --git a/functions/helper_lib.sh b/functions/helper_lib.sh
index 18b0801..d4170cc 100644
--- a/functions/helper_lib.sh
+++ b/functions/helper_lib.sh
@@ -112,12 +112,22 @@ get_docker_configuration_file() {
CONFIG_FILE='/dev/null'
}
+if command -v jq &> /dev/null; then
+ HAVE_JQ=true
+else
+ HAVE_JQ=false
+fi
+
get_docker_configuration_file_args() {
OPTION="$1"
get_docker_configuration_file
- grep "$OPTION" "$CONFIG_FILE" | sed 's/.*://g' | tr -d '" ',
+ if "$HAVE_JQ"; then
+ jq --monochrome-output --raw-output ".[\"${OPTION}\"]" "$CONFIG_FILE"
+ else
+ cat "$CONFIG_FILE" | tr -u { '\n' | tr , '\n' | tr } '\n' | grep "$OPTION" | sed 's/.*://g' | tr -d '" ',
+ fi
}
get_service_file() {
From 79407ce3611396b6896bd50cecfe934b675ad2f9 Mon Sep 17 00:00:00 2001
From: Brad Solomon <81818815+brsolomon-deloitte@users.noreply.github.com>
Date: Fri, 2 Jun 2023 17:26:21 -0400
Subject: [PATCH 07/32] remove non-universal tr -u flag
---
functions/helper_lib.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/functions/helper_lib.sh b/functions/helper_lib.sh
index d4170cc..6a348c1 100644
--- a/functions/helper_lib.sh
+++ b/functions/helper_lib.sh
@@ -126,7 +126,7 @@ get_docker_configuration_file_args() {
if "$HAVE_JQ"; then
jq --monochrome-output --raw-output ".[\"${OPTION}\"]" "$CONFIG_FILE"
else
- cat "$CONFIG_FILE" | tr -u { '\n' | tr , '\n' | tr } '\n' | grep "$OPTION" | sed 's/.*://g' | tr -d '" ',
+ cat "$CONFIG_FILE" | tr { '\n' | tr , '\n' | tr } '\n' | grep "$OPTION" | sed 's/.*://g' | tr -d '" ',
fi
}
From 523556b4ac0b7cf95901e4d3c298d498c810c255 Mon Sep 17 00:00:00 2001
From: Brad Solomon <81818815+brsolomon-deloitte@users.noreply.github.com>
Date: Fri, 2 Jun 2023 17:36:29 -0400
Subject: [PATCH 08/32] move HAVE_JQ into req_programs
---
functions/helper_lib.sh | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/functions/helper_lib.sh b/functions/helper_lib.sh
index 6a348c1..6369fbf 100644
--- a/functions/helper_lib.sh
+++ b/functions/helper_lib.sh
@@ -11,6 +11,11 @@ req_programs() {
for p in $1; do
command -v "$p" >/dev/null 2>&1 || { printf "Required program not found: %s\n" "$p"; exit 1; }
done
+ if command -v jq >/dev/null 2>&1; then
+ HAVE_JQ=true
+ else
+ HAVE_JQ=false
+ fi
if command -v ss >/dev/null 2>&1; then
netbin=ss
return
@@ -112,12 +117,6 @@ get_docker_configuration_file() {
CONFIG_FILE='/dev/null'
}
-if command -v jq &> /dev/null; then
- HAVE_JQ=true
-else
- HAVE_JQ=false
-fi
-
get_docker_configuration_file_args() {
OPTION="$1"
From 26470706924c4a3597b36adeb8d336fdb876ffbc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
<konstruktoid@users.noreply.github.com>
Date: Fri, 2 Jun 2023 22:16:31 +0000
Subject: [PATCH 09/32] update Docker container instructions, remove
out-of-date Dockerfiles
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
---
.github/workflows/slsa.yml | 2 +-
Dockerfile | 8 ++---
README.md | 58 ++++++++++++++++++-------------------
distros/Dockerfile.alpine | 19 ------------
distros/Dockerfile.centos | 15 ----------
distros/Dockerfile.debian | 24 ---------------
distros/Dockerfile.openSUSE | 13 ---------
distros/Dockerfile.rhel | 18 ------------
distros/README.md | 21 --------------
docker-compose.yml | 38 ++++++++++++------------
10 files changed, 53 insertions(+), 163 deletions(-)
delete mode 100644 distros/Dockerfile.alpine
delete mode 100644 distros/Dockerfile.centos
delete mode 100644 distros/Dockerfile.debian
delete mode 100644 distros/Dockerfile.openSUSE
delete mode 100644 distros/Dockerfile.rhel
delete mode 100644 distros/README.md
diff --git a/.github/workflows/slsa.yml b/.github/workflows/slsa.yml
index b5257c8..192a6e2 100644
--- a/.github/workflows/slsa.yml
+++ b/.github/workflows/slsa.yml
@@ -24,7 +24,7 @@ jobs:
- name: Build artifacts
run: |
- find *.sh distros/* functions/* tests/* Dockerfile Vagrantfile -exec sha256sum {} \; > ${{ env.REPOSITORY_NAME }}.sha256
+ find *.sh functions/* tests/* Dockerfile Vagrantfile -exec sha256sum {} \; > ${{ env.REPOSITORY_NAME }}.sha256
- name: Generate hashes
shell: bash
diff --git a/Dockerfile b/Dockerfile
index 6aaa8da..b72b51a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.15
+FROM alpine:3.18
LABEL \
org.label-schema.name="docker-bench-security" \
@@ -6,9 +6,9 @@ LABEL \
org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"
RUN apk add --no-cache iproute2 \
- docker-cli \
- dumb-init \
- jq
+ docker-cli \
+ dumb-init \
+ jq
COPY . /usr/local/bin/
diff --git a/README.md b/README.md
index 82d8a20..522c7e4 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@
The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are based on the [CIS Docker Benchmark v1.5.0](https://www.cisecurity.org/benchmark/docker/).
-We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and docker containers against this benchmark.
+We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and Docker containers against this benchmark.
Release | CIS |
:---:|:---:|
@@ -30,11 +30,33 @@ sudo sh docker-bench-security.sh
### Run with Docker
+#### Building Docker image
+
+You have two options if you wish to build and run this container yourself:
+
+1. Use Docker Build:
+
+```sh
+git clone https://github.com/docker/docker-bench-security.git
+cd docker-bench-security
+docker build --no-cache -t docker-bench-security .
+```
+
+Followed by an appropriate `docker run` command as stated above.
+
+2. Use Docker Compose:
+
+```sh
+git clone https://github.com/docker/docker-bench-security.git
+cd docker-bench-security
+docker-compose run --rm docker-bench-security
+```
+
_Please note that the `docker/docker-bench-security` image is out-of-date and and a manual build is required. See [#405](https://github.com/docker/docker-bench-security/issues/405) for more information._
-We packaged docker bench as a small container for your convenience. Note that this container is being run with a *lot* of privilege -- sharing the host's filesystem, pid and network namespaces, due to portions of the benchmark applying to the running host.
+Note that this container is being run with a *lot* of privilege -- sharing the host's filesystem, pid and network namespaces, due to portions of the benchmark applying to the running host.
-The easiest way to run your hosts against the Docker Bench for Security is by running our pre-built container:
+### Using the container
```sh
docker run --rm --net host --pid host --userns host --cap-add audit_control \
@@ -46,7 +68,7 @@ docker run --rm --net host --pid host --userns host --cap-add audit_control \
-v /var/lib:/var/lib:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
--label docker_bench_security \
- docker/docker-bench-security
+ docker-bench-security
```
Don't forget to adjust the shared volumes according to your operating system.
@@ -66,7 +88,7 @@ docker run --rm --net host --pid host --userns host --cap-add audit_control \
-v /var/lib:/var/lib:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
--label docker_bench_security \
- docker/docker-bench-security
+ docker-bench-security
```
2. The /etc/hostname file is missing on macOS, so it will need to be created first. Also, `Docker Desktop` on macOS doesn't have `/usr/lib/systemd` or the above Docker
@@ -81,7 +103,7 @@ docker run --rm --net host --pid host --userns host --cap-add audit_control \
-v /var/lib:/var/lib:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
--label docker_bench_security \
- docker/docker-bench-security
+ docker-bench-security
```
### Note
@@ -119,32 +141,10 @@ The CIS based checks are named `check_<section>_<number>`, e.g. `check_2_6` and
`sh docker-bench-security.sh -e docker_enterprise_configuration` will run all available checks except the docker_enterprise_configuration group
-`sh docker-bench-security.sh -e docker_enterprise_configuration,check_2_2` will run allavailable checks except the docker_enterprise_configuration group and `2.2 Ensure the logging level is set to 'info'`
+`sh docker-bench-security.sh -e docker_enterprise_configuration,check_2_2` will run all available checks except the docker_enterprise_configuration group and `2.2 Ensure the logging level is set to 'info'`
`sh docker-bench-security.sh -c container_images,container_runtime` will run just the container_images and container_runtime checks
`sh docker-bench-security.sh -c container_images -e check_4_5` will run just the container_images checks except `4.5 Ensure Content trust for Docker is Enabled`
Note that when submitting checks, provide information why it is a reasonable test to add and please include some kind of official documentation verifying that information.
-
-## Building Docker image
-
-You have two options if you wish to build and run this container yourself:
-
-1. Use Docker Build:
-
-```sh
-git clone https://github.com/docker/docker-bench-security.git
-cd docker-bench-security
-docker build --no-cache -t docker-bench-security .
-```
-
-Followed by an appropriate `docker run` command as stated above.
-
-2. Use Docker Compose:
-
-```sh
-git clone https://github.com/docker/docker-bench-security.git
-cd docker-bench-security
-docker-compose run --rm docker-bench-security
-```
diff --git a/distros/Dockerfile.alpine b/distros/Dockerfile.alpine
deleted file mode 100644
index ed4596a..0000000
--- a/distros/Dockerfile.alpine
+++ /dev/null
@@ -1,19 +0,0 @@
-FROM alpine:3.13
-
-LABEL \
- org.label-schema.name="docker-bench-security" \
- org.label-schema.url="https://dockerbench.com" \
- org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"
-
-RUN apk add --no-cache iproute2 \
- docker-cli \
- dumb-init
-
-COPY . /usr/local/bin/
-
-HEALTHCHECK CMD exit 0
-
-WORKDIR /usr/local/bin
-
-ENTRYPOINT [ "/usr/bin/dumb-init", "docker-bench-security.sh" ]
-CMD [""]
diff --git a/distros/Dockerfile.centos b/distros/Dockerfile.centos
deleted file mode 100644
index 4c0dcfb..0000000
--- a/distros/Dockerfile.centos
+++ /dev/null
@@ -1,15 +0,0 @@
-# REPOSITORY https://github.com/fatherlinux/docker-bench-security
-
-FROM centos
-
-MAINTAINER smccarty@redhat.com
-
-RUN yum install -y docker iproute audit procps-ng; yum clean all
-
-RUN mkdir /docker-bench-security
-
-COPY . /docker-bench-security
-
-WORKDIR /docker-bench-security
-
-ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"]
diff --git a/distros/Dockerfile.debian b/distros/Dockerfile.debian
deleted file mode 100644
index 25f6496..0000000
--- a/distros/Dockerfile.debian
+++ /dev/null
@@ -1,24 +0,0 @@
-FROM debian:sid@sha256:022a3cafe84d704c272794863ca5e383667c99312358e816ad1ff6e9a41ce4f6
-
-LABEL org.label-schema.name="docker-bench-security" \
- org.label-schema.url="https://github.com/konstruktoid/docker-bench-security" \
- org.label-schema.vcs-url="https://github.com/konstruktoid/docker-bench-security.git"
-
-RUN \
- apt-get update && \
- apt-get -y upgrade && \
- apt-get -y install auditd ca-certificates docker.io \
- gawk iproute2 procps --no-install-recommends && \
- apt-get -y clean && \
- apt-get -y autoremove && \
- rm -rf /var/lib/apt/lists/* \
- /usr/share/doc /usr/share/doc-base \
- /usr/share/man /usr/share/locale /usr/share/zoneinfo
-
-RUN mkdir /docker-bench-security
-
-COPY . /docker-bench-security
-
-WORKDIR /docker-bench-security
-
-ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"]
diff --git a/distros/Dockerfile.openSUSE b/distros/Dockerfile.openSUSE
deleted file mode 100644
index d5a0add..0000000
--- a/distros/Dockerfile.openSUSE
+++ /dev/null
@@ -1,13 +0,0 @@
-# REPOSITORY https://github.com/docker/docker-bench-security
-FROM opensuse/leap:latest
-
-RUN zypper -n in audit docker iproute2 && \
- mkdir /docker-bench-security && \
- rm /usr/bin/awk && \
- cp /usr/bin/gawk /usr/bin/awk
-
-COPY . /docker-bench-security
-
-WORKDIR /docker-bench-security
-
-ENTRYPOINT ["/bin/bash", "docker-bench-security.sh"]
diff --git a/distros/Dockerfile.rhel b/distros/Dockerfile.rhel
deleted file mode 100644
index c1b5618..0000000
--- a/distros/Dockerfile.rhel
+++ /dev/null
@@ -1,18 +0,0 @@
-# REPOSITORY https://github.com/fatherlinux/docker-bench-security
-
-FROM rhel7
-
-MAINTAINER smccarty@redhat.com
-
-RUN yum install -y yum-utils; yum clean all
-RUN yum-config-manager --disable "*" &>/dev/null
-RUN yum-config-manager --enable rhel-7-server-rpms --enable rhel-7-server-extras-rpms
-RUN yum install -y docker iproute audit procps-ng; yum clean all
-
-RUN mkdir /docker-bench-security
-
-COPY . /docker-bench-security
-
-WORKDIR /docker-bench-security
-
-ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"]
diff --git a/distros/README.md b/distros/README.md
deleted file mode 100644
index be4de17..0000000
--- a/distros/README.md
+++ /dev/null
@@ -1,21 +0,0 @@
-# Distribution specific Dockerfiles
-
-## Requirements
-
-### Dockerfile name
-
-The format should be `Dockerfile.{distribution name}`.
-
-### Keep your images up-to-date
-
-Use the distribution package manager to keep your image up-to-date.
-
-### Labels
-
-Use the following labels in your Dockerfile:
-
-```
-LABEL org.label-schema.name="docker-bench-security" \
- org.label-schema.url="<YOUR GIT REPOSITORY HTTPS ADDRESS>" \
- org.label-schema.vcs-url="<YOUR REPOSITORY HTTPS GIT ADDRESS"
-```
diff --git a/docker-compose.yml b/docker-compose.yml
index 7a88f50..ce071d3 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,21 +1,21 @@
-docker-bench-security:
- # use image if you have a dedicated build step:
- # docker build --rm -t docker-bench-security .
- # image: docker-bench-security
+services:
+ docker-bench-security:
+ # use image if you have a dedicated build step:
+ # docker build --rm -t docker-bench-security .
+ # image: docker-bench-security
- # use build path to Dockerfile if docker-compose should build the image
- build: .
+ # use build path to Dockerfile if docker-compose should build the image
+ build: .
- cap_add:
- - audit_control
- labels:
- - docker_bench_security
- net: host
- pid: host
- stdin_open: true
- tty: true
- volumes:
- - /var/lib:/var/lib:ro
- - /var/run/docker.sock:/var/run/docker.sock:ro
- - /usr/lib/systemd:/usr/lib/systemd:ro
- - /etc:/etc:ro
+ cap_add:
+ - audit_control
+ labels:
+ - docker_bench_security
+ pid: host
+ stdin_open: true
+ tty: true
+ volumes:
+ - /var/lib:/var/lib:ro
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ - /usr/lib/systemd:/usr/lib/systemd:ro
+ - /etc:/etc:ro
From d6005f02111ca2cbdee7c247cdc2547b2d30bc2b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
<konstruktoid@users.noreply.github.com>
Date: Tue, 13 Jun 2023 09:54:22 +0000
Subject: [PATCH 10/32] tr is required, not truncate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
---
docker-bench-security.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker-bench-security.sh b/docker-bench-security.sh
index abf23d3..c3ee781 100755
--- a/docker-bench-security.sh
+++ b/docker-bench-security.sh
@@ -24,7 +24,7 @@ readonly myname
export PATH="$PATH:/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/"
# Check for required program(s)
-req_programs 'awk docker grep stat tee tail wc xargs truncate sed'
+req_programs 'awk docker grep sed stat tail tee tr wc xargs'
# Ensure we can connect to docker daemon
if ! docker ps -q >/dev/null 2>&1; then
From bfbeda92638bdba6b12d7cb2c3ed90919b01247e Mon Sep 17 00:00:00 2001
From: LEKPA Martin <lekpamartin@yahoo.fr>
Date: Sat, 1 Jul 2023 11:19:04 +0200
Subject: [PATCH 11/32] add label filtering config
---
docker-bench-security.sh | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/docker-bench-security.sh b/docker-bench-security.sh
index c3ee781..c9831af 100755
--- a/docker-bench-security.sh
+++ b/docker-bench-security.sh
@@ -57,6 +57,7 @@ Options:
-e CHECK optional Comma delimited list of specific check(s) id to exclude
-i INCLUDE optional Comma delimited list of patterns within a container or image name to check
-x EXCLUDE optional Comma delimited list of patterns within a container or image name to exclude from check
+ -t LABEL optional Comma delimited list of labels within a container or image to exclude from check
-n LIMIT optional In JSON output, when reporting lists of items (containers, images, etc.), limit the number of reported items to LIMIT. Default 0 (no limit).
-p PRINT optional Print remediation measures. Default: Don't print remediation measures.
@@ -90,6 +91,7 @@ do
e) checkexclude="$OPTARG" ;;
i) include="$OPTARG" ;;
x) exclude="$OPTARG" ;;
+ t) labels="$OPTARG" ;;
n) limit="$OPTARG" ;;
p) printremediation="1" ;;
*) usage; exit 1 ;;
@@ -141,17 +143,22 @@ main () {
fi
done
+ # Format LABELS
+ for label in $(echo "$labels" | sed 's/,/ /g'); do
+ LABELS="$LABELS --filter label=$label"
+ done
+
if [ -n "$include" ]; then
pattern=$(echo "$include" | sed 's/,/|/g')
- containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -v "$benchcont" | grep -E "$pattern")
- images=$(docker images | sed '1d' | grep -E "$pattern" | awk '{print $3}' | grep -v "$benchimagecont")
+ containers=$(docker ps $LABELS| sed '1d' | awk '{print $NF}' | grep -v "$benchcont" | grep -E "$pattern")
+ images=$(docker images $LABELS| sed '1d' | grep -E "$pattern" | awk '{print $3}' | grep -v "$benchimagecont")
elif [ -n "$exclude" ]; then
pattern=$(echo "$exclude" | sed 's/,/|/g')
- containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -v "$benchcont" | grep -Ev "$pattern")
- images=$(docker images | sed '1d' | grep -Ev "$pattern" | awk '{print $3}' | grep -v "$benchimagecont")
+ containers=$(docker ps $LABELS| sed '1d' | awk '{print $NF}' | grep -v "$benchcont" | grep -Ev "$pattern")
+ images=$(docker images $LABELS| sed '1d' | grep -Ev "$pattern" | awk '{print $3}' | grep -v "$benchimagecont")
else
- containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -v "$benchcont")
- images=$(docker images -q | grep -v "$benchcont")
+ containers=$(docker ps $LABELS| sed '1d' | awk '{print $NF}' | grep -v "$benchcont")
+ images=$(docker images -q $LABELS| grep -v "$benchcont")
fi
for test in tests/*.sh; do
From 223baf94d13949a287e100044006496c1b34d706 Mon Sep 17 00:00:00 2001
From: LEKPA Martin <lekpamartin@yahoo.fr>
Date: Fri, 21 Jul 2023 18:53:01 +0200
Subject: [PATCH 12/32] update doc
---
README.md | 1 +
docker-bench-security.sh | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 522c7e4..6ef250f 100644
--- a/README.md
+++ b/README.md
@@ -123,6 +123,7 @@ Note that when distributions don't contain `auditctl`, the audit tests will chec
-e CHECK optional Comma delimited list of specific check(s) id to exclude
-i INCLUDE optional Comma delimited list of patterns within a container or image name to check
-x EXCLUDE optional Comma delimited list of patterns within a container or image name to exclude from check
+ -t LABEL optional Comma delimited list of labels within a container or image to include from check
-n LIMIT optional In JSON output, when reporting lists of items (containers, images, etc.), limit the number of reported items to LIMIT. Default 0 (no limit).
-p PRINT optional Disable the printing of remediation measures. Default: print remediation measures.
```
diff --git a/docker-bench-security.sh b/docker-bench-security.sh
index c9831af..37b4d9d 100755
--- a/docker-bench-security.sh
+++ b/docker-bench-security.sh
@@ -57,7 +57,7 @@ Options:
-e CHECK optional Comma delimited list of specific check(s) id to exclude
-i INCLUDE optional Comma delimited list of patterns within a container or image name to check
-x EXCLUDE optional Comma delimited list of patterns within a container or image name to exclude from check
- -t LABEL optional Comma delimited list of labels within a container or image to exclude from check
+ -t LABEL optional Comma delimited list of labels within a container or image to include from check
-n LIMIT optional In JSON output, when reporting lists of items (containers, images, etc.), limit the number of reported items to LIMIT. Default 0 (no limit).
-p PRINT optional Print remediation measures. Default: Don't print remediation measures.
From 2dfb1bac51a9a8c87ce51e3fab1c136dc5e04b22 Mon Sep 17 00:00:00 2001
From: Martin LEKPA <lekpamartin@yahoo.fr>
Date: Tue, 25 Jul 2023 21:37:03 +0200
Subject: [PATCH 13/32] Update README.md
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 6ef250f..49e383a 100644
--- a/README.md
+++ b/README.md
@@ -123,7 +123,7 @@ Note that when distributions don't contain `auditctl`, the audit tests will chec
-e CHECK optional Comma delimited list of specific check(s) id to exclude
-i INCLUDE optional Comma delimited list of patterns within a container or image name to check
-x EXCLUDE optional Comma delimited list of patterns within a container or image name to exclude from check
- -t LABEL optional Comma delimited list of labels within a container or image to include from check
+ -t LABEL optional Comma delimited list of labels within a container or image to exclude from check
-n LIMIT optional In JSON output, when reporting lists of items (containers, images, etc.), limit the number of reported items to LIMIT. Default 0 (no limit).
-p PRINT optional Disable the printing of remediation measures. Default: print remediation measures.
```
From 59fe573db2456649dd2c6d1673768f0873c6379d Mon Sep 17 00:00:00 2001
From: Martin LEKPA <lekpamartin@yahoo.fr>
Date: Tue, 25 Jul 2023 21:38:20 +0200
Subject: [PATCH 14/32] update help
---
docker-bench-security.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker-bench-security.sh b/docker-bench-security.sh
index 37b4d9d..c9831af 100755
--- a/docker-bench-security.sh
+++ b/docker-bench-security.sh
@@ -57,7 +57,7 @@ Options:
-e CHECK optional Comma delimited list of specific check(s) id to exclude
-i INCLUDE optional Comma delimited list of patterns within a container or image name to check
-x EXCLUDE optional Comma delimited list of patterns within a container or image name to exclude from check
- -t LABEL optional Comma delimited list of labels within a container or image to include from check
+ -t LABEL optional Comma delimited list of labels within a container or image to exclude from check
-n LIMIT optional In JSON output, when reporting lists of items (containers, images, etc.), limit the number of reported items to LIMIT. Default 0 (no limit).
-p PRINT optional Print remediation measures. Default: Don't print remediation measures.
From 8ea918620e5ee59597878b080b3ed0a47945a034 Mon Sep 17 00:00:00 2001
From: LEKPA Martin <lekpamartin@yahoo.fr>
Date: Wed, 26 Jul 2023 18:47:50 +0200
Subject: [PATCH 15/32] update doc
---
README.md | 2 +-
docker-bench-security.sh | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 49e383a..9f9019e 100644
--- a/README.md
+++ b/README.md
@@ -123,7 +123,7 @@ Note that when distributions don't contain `auditctl`, the audit tests will chec
-e CHECK optional Comma delimited list of specific check(s) id to exclude
-i INCLUDE optional Comma delimited list of patterns within a container or image name to check
-x EXCLUDE optional Comma delimited list of patterns within a container or image name to exclude from check
- -t LABEL optional Comma delimited list of labels within a container or image to exclude from check
+ -t LABEL optional Comma delimited list of labels within a container or image to check
-n LIMIT optional In JSON output, when reporting lists of items (containers, images, etc.), limit the number of reported items to LIMIT. Default 0 (no limit).
-p PRINT optional Disable the printing of remediation measures. Default: print remediation measures.
```
diff --git a/docker-bench-security.sh b/docker-bench-security.sh
index c9831af..0dc77f4 100755
--- a/docker-bench-security.sh
+++ b/docker-bench-security.sh
@@ -57,7 +57,7 @@ Options:
-e CHECK optional Comma delimited list of specific check(s) id to exclude
-i INCLUDE optional Comma delimited list of patterns within a container or image name to check
-x EXCLUDE optional Comma delimited list of patterns within a container or image name to exclude from check
- -t LABEL optional Comma delimited list of labels within a container or image to exclude from check
+ -t LABEL optional Comma delimited list of labels within a container or image to check
-n LIMIT optional In JSON output, when reporting lists of items (containers, images, etc.), limit the number of reported items to LIMIT. Default 0 (no limit).
-p PRINT optional Print remediation measures. Default: Don't print remediation measures.
From 26f80fb331471621018832a09f6fee8054e7483c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
<konstruktoid@users.noreply.github.com>
Date: Fri, 25 Aug 2023 12:17:48 +0000
Subject: [PATCH 16/32] Fix image sprawl miscalculation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
---
tests/6_docker_security_operations.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/6_docker_security_operations.sh b/tests/6_docker_security_operations.sh
index ed96e5d..8bc1efb 100644
--- a/tests/6_docker_security_operations.sh
+++ b/tests/6_docker_security_operations.sh
@@ -20,7 +20,7 @@ check_6_1() {
images=$(docker images -q | sort -u | wc -l | awk '{print $1}')
active_images=0
- for c in $(docker inspect --format "{{.Image}}" "$(docker ps -qa)" 2>/dev/null); do
+ for c in $(docker inspect --format "{{.Image}}" $(docker ps -qa) 2>/dev/null); do
if docker images --no-trunc -a | grep "$c" > /dev/null ; then
active_images=$(( active_images += 1 ))
fi
From 8da1cc26df500c1b12ce98f8aa7767c01405c749 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
<konstruktoid@users.noreply.github.com>
Date: Fri, 25 Aug 2023 12:37:35 +0000
Subject: [PATCH 17/32] v1.6.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
---
README.md | 3 ++-
docker-bench-security.sh | 4 ++--
functions/helper_lib.sh | 2 +-
3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 9f9019e..c4d512e 100644
--- a/README.md
+++ b/README.md
@@ -2,12 +2,13 @@
-The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are based on the [CIS Docker Benchmark v1.5.0](https://www.cisecurity.org/benchmark/docker/).
+The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are based on the [CIS Docker Benchmark v1.6.0](https://www.cisecurity.org/benchmark/docker/).
We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and Docker containers against this benchmark.
Release | CIS |
:---:|:---:|
+1.6.0|1.6.0|
1.5.0|1.5.0|
1.3.6|1.4.0|
1.3.5|1.2.0|
diff --git a/docker-bench-security.sh b/docker-bench-security.sh
index 0dc77f4..d91d995 100755
--- a/docker-bench-security.sh
+++ b/docker-bench-security.sh
@@ -7,7 +7,7 @@
# Checks for dozens of common best-practices around deploying Docker containers in production.
# --------------------------------------------------------------------------------------------
-version='1.5.0'
+version='1.6.0'
# Load dependencies
. ./functions/functions_lib.sh
@@ -36,7 +36,7 @@ usage () {
cat <<EOF
Docker Bench for Security - Docker, Inc. (c) 2015-$(date +"%Y")
Checks for dozens of common best-practices around deploying Docker containers in production.
-Based on the CIS Docker Benchmark 1.5.0.
+Based on the CIS Docker Benchmark 1.6.0.
Usage: ${myname}.sh [OPTIONS]
diff --git a/functions/helper_lib.sh b/functions/helper_lib.sh
index 6369fbf..005cd9c 100644
--- a/functions/helper_lib.sh
+++ b/functions/helper_lib.sh
@@ -154,6 +154,6 @@ yell "# ------------------------------------------------------------------------
# Docker, Inc. (c) 2015-$(date +"%Y")
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
-# Based on the CIS Docker Benchmark 1.5.0.
+# Based on the CIS Docker Benchmark 1.6.0.
# --------------------------------------------------------------------------------------------"
}
From ab2190819de91dc09978d3db01577940aaf20af1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
<konstruktoid@users.noreply.github.com>
Date: Mon, 25 Sep 2023 09:05:44 +0000
Subject: [PATCH 18/32] check if restart policy is 5 or less
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
---
tests/5_container_runtime.sh | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/tests/5_container_runtime.sh b/tests/5_container_runtime.sh
index 7f6fa1a..bccdf61 100644
--- a/tests/5_container_runtime.sh
+++ b/tests/5_container_runtime.sh
@@ -600,27 +600,27 @@ check_5_14() {
for s in $(docker service ls --format '{{.Name}}'); do
if echo $container_name | grep -q "$s"; then
task_id=$(docker inspect "$c" --format '{{.Name}}' | awk -F '.' '{print $NF}')
- # a container name could arbitrary include a service one: it belongs to a service (created by Docker
+ # a container name could arbitrary include a service one: it belongs to a service (created by Docker
# as part of the service), if the container task ID matches one of the task IDs of the service.
if docker service ps --no-trunc "$s" --format '{{.ID}}' | grep -q "$task_id"; then
- spolicy=$(docker inspect --format MaxAttempts='{{ .Spec.TaskTemplate.RestartPolicy.MaxAttempts }}' "$s")
+ restart_policy=$(docker inspect --format '{{ .Spec.TaskTemplate.RestartPolicy.MaxAttempts }}' "$s")
break
fi
fi
done
fi
- cpolicy=$(docker inspect --format MaximumRetryCount='{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c")
+ restart_policy=$(docker inspect --format '{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c")
- if [ "$cpolicy" != "MaximumRetryCount=5" ] && [ "$spolicy" != "MaxAttempts=5" ]; then
+ if [ "$restart_policy" -gt "5" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
- warn " * MaximumRetryCount is not set to 5: $c"
+ warn " * MaximumRetryCount is not set to 5 or less: $c"
maxretry_unset_containers="$maxretry_unset_containers $c"
fail=1
continue
fi
- warn " * MaximumRetryCount is not set to 5: $c"
+ warn " * MaximumRetryCount is not set to 5 or less: $c"
maxretry_unset_containers="$maxretry_unset_containers $c"
fi
done
@@ -630,7 +630,7 @@ check_5_14() {
logcheckresult "PASS"
return
fi
- logcheckresult "WARN" "Containers with MaximumRetryCount not set to 5" "$maxretry_unset_containers"
+ logcheckresult "WARN" "Containers with MaximumRetryCount not set to 5 or less" "$maxretry_unset_containers"
}
check_5_15() {
From e680ab2465be8f8381fedb0b7dac2c6eef6334a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
<konstruktoid@users.noreply.github.com>
Date: Mon, 25 Sep 2023 15:29:45 +0000
Subject: [PATCH 19/32] update restart_policy w/o swarm
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
---
tests/5_container_runtime.sh | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tests/5_container_runtime.sh b/tests/5_container_runtime.sh
index bccdf61..7e8ed07 100644
--- a/tests/5_container_runtime.sh
+++ b/tests/5_container_runtime.sh
@@ -609,7 +609,9 @@ check_5_14() {
fi
done
fi
- restart_policy=$(docker inspect --format '{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c")
+ if docker inspect --format '{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c" &>/dev/null; then
+ restart_policy=$(docker inspect --format '{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c")
+ fi
if [ "$restart_policy" -gt "5" ]; then
# If it's the first container, fail the test
From 5c647c1b866d7f09a5ba977e5759c9a11b2f67b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C4=B0smail=20Ar=C4=B1l=C4=B1k?= <arilik.ismail@gmail.com>
Date: Fri, 6 Oct 2023 08:51:33 +0300
Subject: [PATCH 20/32] "above" -> "below"
It is not above but below.
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index c4d512e..dd3e73e 100644
--- a/README.md
+++ b/README.md
@@ -43,7 +43,7 @@ cd docker-bench-security
docker build --no-cache -t docker-bench-security .
```
-Followed by an appropriate `docker run` command as stated above.
+Followed by an appropriate `docker run` command as stated below.
2. Use Docker Compose:
From b6e4380937dd3b9d14566b533de6b8f9570240d1 Mon Sep 17 00:00:00 2001
From: halfluke <halfluke@gmail.com>
Date: Sat, 21 Oct 2023 01:43:46 +0100
Subject: [PATCH 21/32] fix537
---
functions/helper_lib.sh | 6 +++---
tests/2_docker_daemon_configuration.sh | 17 ++++++-----------
2 files changed, 9 insertions(+), 14 deletions(-)
diff --git a/functions/helper_lib.sh b/functions/helper_lib.sh
index 005cd9c..6b3fd80 100644
--- a/functions/helper_lib.sh
+++ b/functions/helper_lib.sh
@@ -110,8 +110,8 @@ get_docker_configuration_file() {
CONFIG_FILE="$FILE"
return
fi
- if [ -f '/etc/docker/daemon.json' ]; then
- CONFIG_FILE='/etc/docker/daemon.json'
+ if [ -f '/home/kali/SUKA/daemon.json' ]; then
+ CONFIG_FILE='/home/kali/SUKA/daemon.json'
return
fi
CONFIG_FILE='/dev/null'
@@ -125,7 +125,7 @@ get_docker_configuration_file_args() {
if "$HAVE_JQ"; then
jq --monochrome-output --raw-output ".[\"${OPTION}\"]" "$CONFIG_FILE"
else
- cat "$CONFIG_FILE" | tr { '\n' | tr , '\n' | tr } '\n' | grep "$OPTION" | sed 's/.*://g' | tr -d '" ',
+ cat "$CONFIG_FILE" | tr , '\n' | grep "$OPTION" | sed 's/.*://g' | tr -d '" ',
fi
}
diff --git a/tests/2_docker_daemon_configuration.sh b/tests/2_docker_daemon_configuration.sh
index cc187d6..000381f 100644
--- a/tests/2_docker_daemon_configuration.sh
+++ b/tests/2_docker_daemon_configuration.sh
@@ -34,7 +34,7 @@ check_2_2() {
logcheckresult "PASS"
return
fi
- if get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then
+ if [[ $(get_docker_configuration_file_args 'icc' | grep "false") ]] && [[ $(get_docker_configuration_file_args 'icc' | grep "false") != "null" ]] ; then
pass -s "$check"
logcheckresult "PASS"
return
@@ -93,7 +93,7 @@ check_2_4() {
logcheckresult "WARN"
return
fi
- if get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then
+ if [[ $(get_docker_configuration_file_args 'iptables' | grep "false") ]] && [[ $(get_docker_configuration_file_args 'iptables' | grep "false") != "null" ]] ; then
warn -s "$check"
logcheckresult "WARN"
return
@@ -115,12 +115,7 @@ check_2_5() {
logcheckresult "WARN"
return
fi
- if ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; then
- if get_docker_configuration_file_args 'insecure-registries' | grep '\[]' >/dev/null 2>&1; then
- pass -s "$check"
- logcheckresult "PASS"
- return
- fi
+ if [[ $(get_docker_configuration_file_args 'insecure-registries' | grep -v '\[]') ]] && [[ $(get_docker_configuration_file_args 'insecure-registries' | grep -v '\[]') != "null" ]] ; then
warn -s "$check"
logcheckresult "WARN"
return
@@ -187,7 +182,7 @@ check_2_8() {
local check="$id - $desc"
starttestjson "$id" "$desc"
- if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then
+ if [[ $(get_docker_configuration_file_args 'default-ulimits' | grep -v '{}') ]] && [[ $(get_docker_configuration_file_args 'default-ulimits' | grep -v '{}') != "null" ]] ; then
pass -c "$check"
logcheckresult "PASS"
return
@@ -210,7 +205,7 @@ check_2_9() {
local check="$id - $desc"
starttestjson "$id" "$desc"
- if get_docker_configuration_file_args 'userns-remap' | grep -v '""'; then
+ if [[ $(get_docker_configuration_file_args 'userns-remap' | grep -v '""') ]] && [[ $(get_docker_configuration_file_args 'userns-remap' | grep -v '""') != "null" ]] ; then
pass -s "$check"
logcheckresult "PASS"
return
@@ -278,7 +273,7 @@ check_2_12() {
local check="$id - $desc"
starttestjson "$id" "$desc"
- if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]'; then
+ if [[ $(get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]') ]] && [[ $(get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]') != "null" ]] ; then
pass -s "$check"
logcheckresult "PASS"
return
From 8d97756c62715c5a0c9bce9e0b69ce57cdbb3e23 Mon Sep 17 00:00:00 2001
From: halfluke <halfluke@gmail.com>
Date: Sat, 21 Oct 2023 01:55:29 +0100
Subject: [PATCH 22/32] fix537_proper
---
functions/helper_lib.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/functions/helper_lib.sh b/functions/helper_lib.sh
index 6b3fd80..963b149 100644
--- a/functions/helper_lib.sh
+++ b/functions/helper_lib.sh
@@ -110,8 +110,8 @@ get_docker_configuration_file() {
CONFIG_FILE="$FILE"
return
fi
- if [ -f '/home/kali/SUKA/daemon.json' ]; then
- CONFIG_FILE='/home/kali/SUKA/daemon.json'
+ if [ -f '/etc/docker/daemon.json' ]; then
+ CONFIG_FILE='/etc/docker/daemon.json'
return
fi
CONFIG_FILE='/dev/null'
From 8bbdaf65401ce7425561b6adcf165dfa72a9a4ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= <ulisesgascongonzalez@gmail.com>
Date: Sun, 19 Nov 2023 21:08:05 +0100
Subject: [PATCH 23/32] feat: use SHA instead of tags for base image
---
Dockerfile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index b72b51a..10f9f0f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.18
+FROM alpine:3.18@sha256:eece025e432126ce23f223450a0326fbebde39cdf496a85d8c016293fc851978
LABEL \
org.label-schema.name="docker-bench-security" \
From 958f5fa6c378fc8f9a73e7f89204ed434cf09d2a Mon Sep 17 00:00:00 2001
From: MaPoe <7961300-mapoe@users.noreply.gitlab.com>
Date: Sun, 17 Dec 2023 15:57:54 +0100
Subject: [PATCH 24/32] feat: update swarm mode check id from 7.1 to 5.1
---
functions/functions_lib.sh | 2 +-
tests/5_container_runtime.sh | 169 ++++++++++++++------------
tests/7_docker_swarm_configuration.sh | 49 +++-----
3 files changed, 110 insertions(+), 110 deletions(-)
diff --git a/functions/functions_lib.sh b/functions/functions_lib.sh
index e1697d5..65f5d0a 100644
--- a/functions/functions_lib.sh
+++ b/functions/functions_lib.sh
@@ -180,6 +180,7 @@ container_runtime() {
check_5_29
check_5_30
check_5_31
+ check_5_32
check_5_end
}
@@ -213,7 +214,6 @@ docker_swarm_configuration() {
check_7_7
check_7_8
check_7_9
- check_7_10
check_7_end
}
diff --git a/tests/5_container_runtime.sh b/tests/5_container_runtime.sh
index 7f6fa1a..e904c9b 100644
--- a/tests/5_container_runtime.sh
+++ b/tests/5_container_runtime.sh
@@ -21,11 +21,28 @@ check_running_containers() {
}
check_5_1() {
+ local id="5.1"
+ local desc="Ensure swarm mode is not Enabled, if not needed (Automated)"
+ local remediation="If swarm mode has been enabled on a system in error, you should run the command: docker swarm leave"
+ local remediationImpact="Disabling swarm mode will impact the operation of Docker Enterprise components if these are in use."
+ local check="$id - $desc"
+ starttestjson "$id" "$desc"
+
+ if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then
+ pass -s "$check"
+ logcheckresult "PASS"
+ return
+ fi
+ warn -s "$check"
+ logcheckresult "WARN"
+}
+
+check_5_2() {
if [ -z "$containers" ]; then
return
fi
- local id="5.1"
+ local id="5.2"
local desc="Ensure that, if applicable, an AppArmor Profile is enabled (Automated)"
local remediation="If AppArmor is applicable for your Linux OS, you should enable it. Alternatively, Docker's default AppArmor policy can be used."
local remediationImpact="The container will have the security controls defined in the AppArmor profile. It should be noted that if the AppArmor profile is misconfigured, this may cause issues with the operation of the container."
@@ -59,12 +76,12 @@ check_5_1() {
logcheckresult "WARN" "Containers with no AppArmorProfile" "$no_apparmor_containers"
}
-check_5_2() {
+check_5_3() {
if [ -z "$containers" ]; then
return
fi
- local id="5.2"
+ local id="5.3"
local desc="Ensure that, if applicable, SELinux security options are set (Automated)"
local remediation="Set the SELinux State. Set the SELinux Policy. Create or import a SELinux policy template for Docker containers. Start Docker in daemon mode with SELinux enabled. Start your Docker container using the security options."
local remediationImpact="Any restrictions defined in the SELinux policy will be applied to your containers. It should be noted that if your SELinux policy is misconfigured, this may have an impact on the correct operation of the affected containers."
@@ -98,12 +115,12 @@ check_5_2() {
logcheckresult "WARN" "Containers with no SecurityOptions" "$no_securityoptions_containers"
}
-check_5_3() {
+check_5_4() {
if [ -z "$containers" ]; then
return
fi
- local id="5.3"
+ local id="5.4"
local desc="Ensure that Linux kernel capabilities are restricted within containers (Automated)"
local remediation="You could remove all the currently configured capabilities and then restore only the ones you specifically use: docker run --cap-drop=all --cap-add={<Capability 1>,<Capability 2>} <Run arguments> <Container Image Name or ID> <Command>"
local remediationImpact="Restrictions on processes within a container are based on which Linux capabilities are in force. Removal of the NET_RAW capability prevents the container from creating raw sockets which is good security practice under most circumstances, but may affect some networking utilities."
@@ -141,12 +158,12 @@ check_5_3() {
logcheckresult "WARN" "Capabilities added for containers" "$caps_containers"
}
-check_5_4() {
+check_5_5() {
if [ -z "$containers" ]; then
return
fi
- local id="5.4"
+ local id="5.5"
local desc="Ensure that privileged containers are not used (Automated)"
local remediation="You should not run containers with the --privileged flag."
local remediationImpact="If you start a container without the --privileged flag, it will not have excessive default capabilities."
@@ -180,12 +197,12 @@ check_5_4() {
logcheckresult "WARN" "Containers running in privileged mode" "$privileged_containers"
}
-check_5_5() {
+check_5_6() {
if [ -z "$containers" ]; then
return
fi
- local id="5.5"
+ local id="5.6"
local desc="Ensure sensitive host system directories are not mounted on containers (Automated)"
local remediation="You should not mount directories which are security sensitive on the host within containers, especially in read-write mode."
local remediationImpact="None."
@@ -238,12 +255,12 @@ check_5_5() {
logcheckresult "WARN" "Containers with sensitive directories mounted" "$sensitive_mount_containers"
}
-check_5_6() {
+check_5_7() {
if [ -z "$containers" ]; then
return
fi
- local id="5.6"
+ local id="5.7"
local desc="Ensure sshd is not run within containers (Automated)"
local remediation="Uninstall the SSH daemon from the container and use docker exec to enter a container on the remote host."
local remediationImpact="None."
@@ -271,7 +288,7 @@ check_5_6() {
fi
exec_check=$(docker exec "$c" ps -el 2>/dev/null)
- if [ $? -eq 255 ]; then
+ if [ $? -eq 265 ]; then
if [ $printcheck -eq 0 ]; then
warn -s "$check"
printcheck=1
@@ -291,12 +308,12 @@ check_5_6() {
logcheckresult "WARN" "Containers with sshd/docker exec failures" "$ssh_exec_containers"
}
-check_5_7() {
+check_5_8() {
if [ -z "$containers" ]; then
return
fi
- local id="5.7"
+ local id="5.8"
local desc="Ensure privileged ports are not mapped within containers (Automated)"
local remediation="You should not map container ports to privileged host ports when starting a container. You should also, ensure that there is no such container to host privileged port mapping declarations in the Dockerfile."
local remediationImpact="None."
@@ -311,7 +328,7 @@ check_5_7() {
# iterate through port range (line delimited)
for port in $ports; do
- if [ -n "$port" ] && [ "$port" -lt 1024 ]; then
+ if [ -n "$port" ] && [ "$port" -lt 1025 ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
@@ -334,12 +351,12 @@ check_5_7() {
logcheckresult "WARN" "Containers using privileged ports" "$privileged_port_containers"
}
-check_5_8() {
+check_5_9() {
if [ -z "$containers" ]; then
return
fi
- local id="5.8"
+ local id="5.9"
local desc="Ensure that only needed ports are open on the container (Manual)"
local remediation="You should ensure that the Dockerfile for each container image only exposes needed ports."
local remediationImpact="None."
@@ -376,12 +393,12 @@ check_5_8() {
logcheckresult "WARN" "Containers with open ports" "$open_port_containers"
}
-check_5_9() {
+check_5_10() {
if [ -z "$containers" ]; then
return
fi
- local id="5.9"
+ local id="5.10"
local desc="Ensure that the host's network namespace is not shared (Automated)"
local remediation="You should not pass the --net=host option when starting any container."
local remediationImpact="None."
@@ -415,12 +432,12 @@ check_5_9() {
logcheckresult "WARN" "Containers running with networking mode 'host'" "$net_host_containers"
}
-check_5_10() {
+check_5_11() {
if [ -z "$containers" ]; then
return
fi
- local id="5.10"
+ local id="5.11"
local desc="Ensure that the memory usage for containers is limited (Automated)"
local remediation="You should run the container with only as much memory as it requires by using the --memory argument."
local remediationImpact="If correct memory limits are not set on each container, one process can expand its usage and cause other containers to run out of resources."
@@ -457,12 +474,12 @@ check_5_10() {
logcheckresult "WARN" "Container running without memory restrictions" "$mem_unlimited_containers"
}
-check_5_11() {
+check_5_12() {
if [ -z "$containers" ]; then
return
fi
- local id="5.11"
+ local id="5.12"
local desc="Ensure that CPU priority is set appropriately on containers (Automated)"
local remediation="You should manage the CPU runtime between your containers dependent on their priority within your organization. To do so start the container using the --cpu-shares argument."
local remediationImpact="If you do not correctly assign CPU thresholds, the container process may run out of resources and become unresponsive. If CPU resources on the host are not constrainted, CPU shares do not place any restrictions on individual resources."
@@ -502,12 +519,12 @@ check_5_11() {
logcheckresult "WARN" "Containers running without CPU restrictions" "$cpu_unlimited_containers"
}
-check_5_12() {
+check_5_13() {
if [ -z "$containers" ]; then
return
fi
- local id="5.12"
+ local id="5.13"
local desc="Ensure that the container's root filesystem is mounted as read only (Automated)"
local remediation="You should add a --read-only flag at a container's runtime to enforce the container's root filesystem being mounted as read only."
local remediationImpact="Enabling --read-only at container runtime may break some container OS packages if a data writing strategy is not defined. You should define what the container's data should and should not persist at runtime in order to decide which strategy to use."
@@ -541,12 +558,12 @@ check_5_12() {
logcheckresult "WARN" "Containers running with root FS mounted R/W" "$fsroot_mount_containers"
}
-check_5_13() {
+check_5_14() {
if [ -z "$containers" ]; then
return
fi
- local id="5.13"
+ local id="5.14"
local desc="Ensure that incoming container traffic is bound to a specific host interface (Automated)"
local remediation="You should bind the container port to a specific host interface on the desired host port. Example: docker run --detach --publish 10.2.3.4:49153:80 nginx In this example, the container port 80 is bound to the host port on 49153 and would accept incoming connection only from the 10.2.3.4 external interface."
local remediationImpact="None."
@@ -580,12 +597,12 @@ check_5_13() {
logcheckresult "WARN" "Containers with port bound to wildcard IP" "$incoming_unbound_containers"
}
-check_5_14() {
+check_5_15() {
if [ -z "$containers" ]; then
return
fi
- local id="5.14"
+ local id="5.15"
local desc="Ensure that the 'on-failure' container restart policy is set to '5' (Automated)"
local remediation="If you wish a container to be automatically restarted, a sample command is docker run --detach --restart=on-failure:5 nginx"
local remediationImpact="If this option is set, a container will only attempt to restart itself 5 times."
@@ -633,12 +650,12 @@ check_5_14() {
logcheckresult "WARN" "Containers with MaximumRetryCount not set to 5" "$maxretry_unset_containers"
}
-check_5_15() {
+check_5_16() {
if [ -z "$containers" ]; then
return
fi
- local id="5.15"
+ local id="5.16"
local desc="Ensure that the host's process namespace is not shared (Automated)"
local remediation="You should not start a container with the --pid=host argument."
local remediationImpact="Container processes cannot see processes on the host system."
@@ -672,12 +689,12 @@ check_5_15() {
logcheckresult "WARN" "Containers sharing host PID namespace" "$pidns_shared_containers"
}
-check_5_16() {
+check_5_17() {
if [ -z "$containers" ]; then
return
fi
- local id="5.16"
+ local id="5.17"
local desc="Ensure that the host's IPC namespace is not shared (Automated)"
local remediation="You should not start a container with the --ipc=host argument."
local remediationImpact="Shared memory segments are used in order to accelerate interprocess communications, commonly in high-performance applications. If this type of application is containerized into multiple containers, you might need to share the IPC namespace of the containers in order to achieve high performance. Under these circumstances, you should still only share container specific IPC namespaces and not the host IPC namespace."
@@ -711,12 +728,12 @@ check_5_16() {
logcheckresult "WARN" "Containers sharing host IPC namespace" "$ipcns_shared_containers"
}
-check_5_17() {
+check_5_18() {
if [ -z "$containers" ]; then
return
fi
- local id="5.17"
+ local id="5.18"
local desc="Ensure that host devices are not directly exposed to containers (Manual)"
local remediation="You should not directly expose host devices to containers. If you do need to expose host devices to containers, you should use granular permissions as appropriate to your organization."
local remediationImpact="You would not be able to use host devices directly within containers."
@@ -750,12 +767,12 @@ check_5_17() {
logcheckresult "INFO" "Containers with host devices exposed directly" "$hostdev_exposed_containers"
}
-check_5_18() {
+check_5_19() {
if [ -z "$containers" ]; then
return
fi
- local id="5.18"
+ local id="5.19"
local desc="Ensure that the default ulimit is overwritten at runtime if needed (Manual)"
local remediation="You should only override the default ulimit settings if needed in a specific case."
local remediationImpact="If ulimits are not set correctly, overutilization by individual containers could make the host system unusable."
@@ -789,12 +806,12 @@ check_5_18() {
logcheckresult "INFO" "Containers with no default ulimit override" "$no_ulimit_containers"
}
-check_5_19() {
+check_5_20() {
if [ -z "$containers" ]; then
return
fi
- local id="5.19"
+ local id="5.20"
local desc="Ensure mount propagation mode is not set to shared (Automated)"
local remediation="Do not mount volumes in shared mode propagation."
local remediationImpact="None."
@@ -827,12 +844,12 @@ check_5_19() {
logcheckresult "WARN" "Containers with shared mount propagation" "$mountprop_shared_containers"
}
-check_5_20() {
+check_5_21() {
if [ -z "$containers" ]; then
return
fi
- local id="5.20"
+ local id="5.21"
local desc="Ensure that the host's UTS namespace is not shared (Automated)"
local remediation="You should not start a container with the --uts=host argument."
local remediationImpact="None."
@@ -866,12 +883,12 @@ check_5_20() {
logcheckresult "WARN" "Containers sharing host UTS namespace" "$utcns_shared_containers"
}
-check_5_21() {
+check_5_22() {
if [ -z "$containers" ]; then
return
fi
- local id="5.21"
+ local id="5.22"
local desc="Ensure the default seccomp profile is not Disabled (Automated)"
local remediation="By default, seccomp profiles are enabled. You do not need to do anything unless you want to modify and use a modified seccomp profile."
local remediationImpact="With Docker 1.10 and greater, the default seccomp profile blocks syscalls, regardless of -- cap-add passed to the container."
@@ -904,31 +921,15 @@ check_5_21() {
logcheckresult "WARN" "Containers with default seccomp profile disabled" "$seccomp_disabled_containers"
}
-check_5_22() {
- if [ -z "$containers" ]; then
- return
- fi
-
- local id="5.22"
- local desc="Ensure that docker exec commands are not used with the privileged option (Automated)"
- local remediation="You should not use the --privileged option in docker exec commands."
- local remediationImpact="If you need enhanced capabilities within a container, then run it with all the permissions it requires. These should be specified individually."
- local check="$id - $desc"
- starttestjson "$id" "$desc"
-
- note -c "$check"
- logcheckresult "NOTE"
-}
-
check_5_23() {
if [ -z "$containers" ]; then
return
fi
local id="5.23"
- local desc="Ensure that docker exec commands are not used with the user=root option (Manual)"
- local remediation="You should not use the --user=root option in docker exec commands."
- local remediationImpact="None."
+ local desc="Ensure that docker exec commands are not used with the privileged option (Automated)"
+ local remediation="You should not use the --privileged option in docker exec commands."
+ local remediationImpact="If you need enhanced capabilities within a container, then run it with all the permissions it requires. These should be specified individually."
local check="$id - $desc"
starttestjson "$id" "$desc"
@@ -942,6 +943,22 @@ check_5_24() {
fi
local id="5.24"
+ local desc="Ensure that docker exec commands are not used with the user=root option (Manual)"
+ local remediation="You should not use the --user=root option in docker exec commands."
+ local remediationImpact="None."
+ local check="$id - $desc"
+ starttestjson "$id" "$desc"
+
+ note -c "$check"
+ logcheckresult "NOTE"
+}
+
+check_5_25() {
+ if [ -z "$containers" ]; then
+ return
+ fi
+
+ local id="5.25"
local desc="Ensure that cgroup usage is confirmed (Automated)"
local remediation="You should not use the --cgroup-parent option within the docker run command unless strictly required."
local remediationImpact="None."
@@ -975,11 +992,11 @@ check_5_24() {
logcheckresult "WARN" "Containers using unexpected cgroup" "$unexpected_cgroup_containers"
}
-check_5_25() {
+check_5_26() {
if [ -z "$containers" ]; then
return
fi
- local id="5.25"
+ local id="5.26"
local desc="Ensure that the container is restricted from acquiring additional privileges (Automated)"
local remediation="You should start your container with the options: docker run --rm -it --security-opt=no-new-privileges ubuntu bash"
local remediationImpact="The no_new_priv option prevents LSMs like SELinux from allowing processes to acquire new privileges."
@@ -1020,12 +1037,12 @@ check_5_25() {
logcheckresult "WARN" "Containers without restricted privileges" "$addprivs_containers"
}
-check_5_26() {
+check_5_27() {
if [ -z "$containers" ]; then
return
fi
- local id="5.26"
+ local id="5.27"
local desc="Ensure that container health is checked at runtime (Automated)"
local remediation="You should run the container using the --health-cmd parameter."
local remediationImpact="None."
@@ -1055,12 +1072,12 @@ check_5_26() {
logcheckresult "WARN" "Containers without health check" "$nohealthcheck_containers"
}
-check_5_27() {
+check_5_28() {
if [ -z "$containers" ]; then
return
fi
- local id="5.27"
+ local id="5.28"
local desc="Ensure that Docker commands always make use of the latest version of their image (Manual)"
local remediation="You should use proper version pinning mechanisms (the <latest> tag which is assigned by default is still vulnerable to caching attacks) to avoid extracting cached older versions. Version pinning mechanisms should be used for base images, packages, and entire images. You can customize version pinning rules according to your requirements."
local remediationImpact="None."
@@ -1071,12 +1088,12 @@ check_5_27() {
logcheckresult "INFO"
}
-check_5_28() {
+check_5_29() {
if [ -z "$containers" ]; then
return
fi
- local id="5.28"
+ local id="5.29"
local desc="Ensure that the PIDs cgroup limit is used (Automated)"
local remediation="Use --pids-limit flag with an appropriate value when launching the container."
local remediationImpact="Set the PIDs limit value as appropriate. Incorrect values might leave containers unusable."
@@ -1110,12 +1127,12 @@ check_5_28() {
logcheckresult "WARN" "Containers without PIDs cgroup limit" "$nopids_limit_containers"
}
-check_5_29() {
+check_5_30() {
if [ -z "$containers" ]; then
return
fi
- local id="5.29"
+ local id="5.30"
local desc="Ensure that Docker's default bridge 'docker0' is not used (Manual)"
local remediation="You should follow the Docker documentation and set up a user-defined network. All the containers should be run in this network."
local remediationImpact="User-defined networks need to be configured and managed in line with organizational security policy."
@@ -1159,12 +1176,12 @@ check_5_29() {
logcheckresult "INFO" "Containers using docker0 network" "$docker_network_containers"
}
-check_5_30() {
+check_5_31() {
if [ -z "$containers" ]; then
return
fi
- local id="5.30"
+ local id="5.31"
local desc="Ensure that the host's user namespaces are not shared (Automated)"
local remediation="You should not share user namespaces between host and containers."
local remediationImpact="None."
@@ -1196,12 +1213,12 @@ check_5_30() {
logcheckresult "WARN" "Containers sharing host user namespace" "$hostns_shared_containers"
}
-check_5_31() {
+check_5_32() {
if [ -z "$containers" ]; then
return
fi
- local id="5.31"
+ local id="5.32"
local desc="Ensure that the Docker socket is not mounted inside any containers (Automated)"
local remediation="You should ensure that no containers mount docker.sock as a volume."
local remediationImpact="None."
diff --git a/tests/7_docker_swarm_configuration.sh b/tests/7_docker_swarm_configuration.sh
index c7370f0..ce4c69d 100644
--- a/tests/7_docker_swarm_configuration.sh
+++ b/tests/7_docker_swarm_configuration.sh
@@ -11,23 +11,6 @@ check_7() {
check_7_1() {
local id="7.1"
- local desc="Ensure swarm mode is not Enabled, if not needed (Automated)"
- local remediation="If swarm mode has been enabled on a system in error, you should run the command: docker swarm leave"
- local remediationImpact="Disabling swarm mode will impact the operation of Docker Enterprise components if these are in use."
- local check="$id - $desc"
- starttestjson "$id" "$desc"
-
- if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then
- pass -s "$check"
- logcheckresult "PASS"
- return
- fi
- warn -s "$check"
- logcheckresult "WARN"
-}
-
-check_7_2() {
- local id="7.2"
local desc="Ensure that the minimum number of manager nodes have been created in a swarm (Automated)"
local remediation="If an excessive number of managers is configured, the excess nodes can be demoted to workers using command: docker node demote <manager node ID to be demoted>"
local remediationImpact="None."
@@ -49,8 +32,8 @@ check_7_2() {
logcheckresult "PASS"
}
-check_7_3() {
- local id="7.3"
+check_7_2() {
+ local id="7.2"
local desc="Ensure that swarm services are bound to a specific host interface (Automated)"
local remediation="Resolving this issues requires re-initialization of the swarm, specifying a specific interface for the --listen-addr parameter."
local remediationImpact="None."
@@ -72,8 +55,8 @@ check_7_3() {
logcheckresult "PASS"
}
-check_7_4() {
- local id="7.4"
+check_7_3() {
+ local id="7.3"
local desc="Ensure that all Docker swarm overlay networks are encrypted (Automated)"
local remediation="You should create overlay networks the with --opt encrypted flag."
local remediationImpact="None."
@@ -103,8 +86,8 @@ check_7_4() {
logcheckresult "WARN" "Unencrypted overlay networks:" "$unencrypted_networks"
}
-check_7_5() {
- local id="7.5"
+check_7_4() {
+ local id="7.4"
local desc="Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Manual)"
local remediation="You should follow the docker secret documentation and use it to manage secrets effectively."
local remediationImpact="None."
@@ -125,8 +108,8 @@ check_7_5() {
logcheckresult "PASS"
}
-check_7_6() {
- local id="7.6"
+check_7_5() {
+ local id="7.5"
local desc="Ensure that swarm manager is run in auto-lock mode (Automated)"
local remediation="If you are initializing a swarm, use the command: docker swarm init --autolock. If you want to set --autolock on an existing swarm manager node, use the command: docker swarm update --autolock."
local remediationImpact="A swarm in auto-lock mode will not recover from a restart without manual intervention from an administrator to enter the unlock key. This may not always be desirable, and should be reviewed at a policy level."
@@ -147,8 +130,8 @@ check_7_6() {
logcheckresult "PASS"
}
-check_7_7() {
- local id="7.7"
+check_7_6() {
+ local id="7.6"
local desc="Ensure that the swarm manager auto-lock key is rotated periodically (Manual)"
local remediation="You should run the command docker swarm unlock-key --rotate to rotate the keys. To facilitate auditing of this recommendation, you should maintain key rotation records and ensure that you establish a pre-defined frequency for key rotation."
local remediationImpact="None."
@@ -164,8 +147,8 @@ check_7_7() {
logcheckresult "PASS"
}
-check_7_8() {
- local id="7.8"
+check_7_7() {
+ local id="7.7"
local desc="Ensure that node certificates are rotated as appropriate (Manual)"
local remediation="You should run the command docker swarm update --cert-expiry 48h to set the desired expiry time on the node certificate."
local remediationImpact="None."
@@ -186,8 +169,8 @@ check_7_8() {
logcheckresult "PASS"
}
-check_7_9() {
- local id="7.9"
+check_7_8() {
+ local id="7.8"
local desc="Ensure that CA certificates are rotated as appropriate (Manual)"
local remediation="You should run the command docker swarm ca --rotate to rotate a certificate."
local remediationImpact="None."
@@ -203,8 +186,8 @@ check_7_9() {
logcheckresult "PASS"
}
-check_7_10() {
- local id="7.10"
+check_7_9() {
+ local id="7.9"
local desc="Ensure that management plane traffic is separated from data plane traffic (Manual)"
local remediation="You should initialize the swarm with dedicated interfaces for management and data planes respectively. Example: docker swarm init --advertise-addr=192.168.0.1 --data-path-addr=17.1.0.3"
local remediationImpact="This requires two network interfaces per node."
From 684512b888e43e4b862892f4f9e31142cbe888c1 Mon Sep 17 00:00:00 2001
From: MaPoe <7961300-mapoe@users.noreply.gitlab.com>
Date: Sun, 17 Dec 2023 16:45:13 +0100
Subject: [PATCH 25/32] feat: check groups for CIS Controls v8 IG1-3 mapped
recommendations
---
functions/functions_lib.sh | 251 +++++++++++++++++++++++++++++++++++++
1 file changed, 251 insertions(+)
diff --git a/functions/functions_lib.sh b/functions/functions_lib.sh
index 65f5d0a..1f9606c 100644
--- a/functions/functions_lib.sh
+++ b/functions/functions_lib.sh
@@ -307,6 +307,257 @@ cis_level1() {
docker_swarm_configuration_level1
}
+cis_controls_v8_ig1() {
+ check_1_1_2
+ check_1_1_3
+ check_2_1
+ check_2_13
+ check_2_14
+ check_3_1
+ check_3_2
+ check_3_3
+ check_3_4
+ check_3_5
+ check_3_6
+ check_3_7
+ check_3_8
+ check_3_9
+ check_3_10
+ check_3_11
+ check_3_12
+ check_3_13
+ check_3_14
+ check_3_15
+ check_3_16
+ check_3_17
+ check_3_18
+ check_3_19
+ check_3_20
+ check_3_21
+ check_3_22
+ check_3_23
+ check_3_24
+ check_4_8
+ check_4_11
+ check_5_5
+ check_5_14
+ check_5_18
+ check_5_22
+ check_5_23
+ check_5_24
+ check_5_25
+ check_5_26
+ check_5_32
+ check_7_2
+ check_7_6
+ check_7_7
+ check_7_8
+}
+
+cis_controls_v8_ig2() {
+ check_1_1_1
+ check_1_1_2
+ check_1_1_3
+ check_1_1_4
+ check_1_1_5
+ check_1_1_6
+ check_1_1_7
+ check_1_1_8
+ check_1_1_9
+ check_1_1_10
+ check_1_1_11
+ check_1_1_12
+ check_1_1_13
+ check_1_1_14
+ check_1_1_15
+ check_1_1_16
+ check_1_1_17
+ check_1_1_18
+ check_1_2_1
+ check_1_2_2
+ check_2_1
+ check_2_2
+ check_2_3
+ check_2_4
+ check_2_5
+ check_2_7
+ check_2_8
+ check_2_11
+ check_2_13
+ check_2_14
+ check_2_15
+ check_2_16
+ check_2_18
+ check_3_1
+ check_3_2
+ check_3_3
+ check_3_4
+ check_3_5
+ check_3_6
+ check_3_7
+ check_3_8
+ check_3_9
+ check_3_10
+ check_3_11
+ check_3_12
+ check_3_13
+ check_3_14
+ check_3_15
+ check_3_16
+ check_3_17
+ check_3_18
+ check_3_19
+ check_3_20
+ check_3_21
+ check_3_22
+ check_3_23
+ check_3_24
+ check_4_2
+ check_4_3
+ check_4_4
+ check_4_7
+ check_4_8
+ check_4_9
+ check_4_11
+ check_5_1
+ check_5_2
+ check_5_3
+ check_5_4
+ check_5_5
+ check_5_7
+ check_5_10
+ check_5_11
+ check_5_12
+ check_5_14
+ check_5_16
+ check_5_17
+ check_5_18
+ check_5_19
+ check_5_21
+ check_5_22
+ check_5_23
+ check_5_24
+ check_5_25
+ check_5_26
+ check_5_27
+ check_5_30
+ check_5_31
+ check_5_32
+ check_6_1
+ check_6_2
+ check_7_2
+ check_7_3
+ check_7_5
+ check_7_6
+ check_7_7
+ check_7_8
+ check_7_9
+}
+
+cis_controls_v8_ig3() {
+ check_1_1_1
+ check_1_1_2
+ check_1_1_3
+ check_1_1_4
+ check_1_1_5
+ check_1_1_6
+ check_1_1_7
+ check_1_1_8
+ check_1_1_9
+ check_1_1_10
+ check_1_1_11
+ check_1_1_12
+ check_1_1_13
+ check_1_1_14
+ check_1_1_15
+ check_1_1_16
+ check_1_1_17
+ check_1_1_18
+ check_1_2_1
+ check_1_2_2
+ check_2_1
+ check_2_2
+ check_2_3
+ check_2_4
+ check_2_5
+ check_2_7
+ check_2_8
+ check_2_11
+ check_2_13
+ check_2_14
+ check_2_15
+ check_2_16
+ check_2_18
+ check_3_1
+ check_3_2
+ check_3_3
+ check_3_4
+ check_3_5
+ check_3_6
+ check_3_7
+ check_3_8
+ check_3_9
+ check_3_10
+ check_3_11
+ check_3_12
+ check_3_13
+ check_3_14
+ check_3_15
+ check_3_16
+ check_3_17
+ check_3_18
+ check_3_19
+ check_3_20
+ check_3_21
+ check_3_22
+ check_3_23
+ check_3_24
+ check_4_2
+ check_4_3
+ check_4_4
+ check_4_6
+ check_4_7
+ check_4_8
+ check_4_9
+ check_4_11
+ check_4_12
+ check_5_1
+ check_5_2
+ check_5_3
+ check_5_4
+ check_5_5
+ check_5_7
+ check_5_8
+ check_5_9
+ check_5_10
+ check_5_11
+ check_5_12
+ check_5_14
+ check_5_16
+ check_5_17
+ check_5_18
+ check_5_19
+ check_5_21
+ check_5_22
+ check_5_23
+ check_5_24
+ check_5_25
+ check_5_26
+ check_5_27
+ check_5_30
+ check_5_31
+ check_5_32
+ check_6_1
+ check_6_2
+ check_7_2
+ check_7_3
+ check_7_5
+ check_7_6
+ check_7_7
+ check_7_8
+ check_7_9
+}
+
# Community contributed
community() {
community_checks
From e081393ad752277958e9f7aedb3287cdc30502a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
<konstruktoid@users.noreply.github.com>
Date: Thu, 11 Apr 2024 21:45:15 +0000
Subject: [PATCH 26/32] include /run in get_service_file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
---
functions/helper_lib.sh | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/functions/helper_lib.sh b/functions/helper_lib.sh
index 963b149..63bdd33 100644
--- a/functions/helper_lib.sh
+++ b/functions/helper_lib.sh
@@ -144,6 +144,10 @@ get_service_file() {
systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//'
return
fi
+ if find /run -name "$SERVICE" 2> /dev/null 1>&2; then
+ find /run -name "$SERVICE" | head -n1
+ return
+ fi
echo "/usr/lib/systemd/system/$SERVICE"
}
From 287fd8774bc2245addcb6f6f9eec1c3891890b1c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
<konstruktoid@users.noreply.github.com>
Date: Fri, 12 Apr 2024 08:17:17 +0000
Subject: [PATCH 27/32] systemctl always returns an FragmentPath
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
---
functions/helper_lib.sh | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/functions/helper_lib.sh b/functions/helper_lib.sh
index 63bdd33..740fdcf 100644
--- a/functions/helper_lib.sh
+++ b/functions/helper_lib.sh
@@ -140,14 +140,14 @@ get_service_file() {
echo "/lib/systemd/system/$SERVICE"
return
fi
- if systemctl show -p FragmentPath "$SERVICE" 2> /dev/null 1>&2; then
- systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//'
- return
- fi
if find /run -name "$SERVICE" 2> /dev/null 1>&2; then
find /run -name "$SERVICE" | head -n1
return
fi
+ if [ "$(systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//')" != "" ]; then
+ systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//'
+ return
+ fi
echo "/usr/lib/systemd/system/$SERVICE"
}
From 5d5ca0a3da8fa8e7f9a71569b5d3be99895410e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
<konstruktoid@users.noreply.github.com>
Date: Tue, 16 Apr 2024 07:29:45 +0000
Subject: [PATCH 28/32] correct tests and instructions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
---
tests/1_host_configuration.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/1_host_configuration.sh b/tests/1_host_configuration.sh
index 86247a8..4435b50 100644
--- a/tests/1_host_configuration.sh
+++ b/tests/1_host_configuration.sh
@@ -243,12 +243,12 @@ check_1_1_8() {
local id="1.1.8"
local desc="Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)"
local remediation
- remediation="Install auditd. Add -w $(get_service_file containerd.socket) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
+ remediation="Install auditd. Add -w $(get_service_file containerd.sock) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
- file="$(get_service_file containerd.socket)"
+ file="$(get_service_file containerd.sock)"
if [ -e "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then
From 966929427e9d31c255cea95cdefde7f6cda58a69 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
<konstruktoid@users.noreply.github.com>
Date: Tue, 16 Apr 2024 07:29:45 +0000
Subject: [PATCH 29/32] correct tests and instructions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
---
tests/1_host_configuration.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/1_host_configuration.sh b/tests/1_host_configuration.sh
index 86247a8..4435b50 100644
--- a/tests/1_host_configuration.sh
+++ b/tests/1_host_configuration.sh
@@ -243,12 +243,12 @@ check_1_1_8() {
local id="1.1.8"
local desc="Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)"
local remediation
- remediation="Install auditd. Add -w $(get_service_file containerd.socket) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
+ remediation="Install auditd. Add -w $(get_service_file containerd.sock) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
- file="$(get_service_file containerd.socket)"
+ file="$(get_service_file containerd.sock)"
if [ -e "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then
From 12f085d42f9b38dd723dbf3fb6c2f7b7377836a9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
<konstruktoid@users.noreply.github.com>
Date: Tue, 16 Apr 2024 08:23:14 +0000
Subject: [PATCH 30/32] update SLSA action
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
---
.github/workflows/slsa.yml | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/slsa.yml b/.github/workflows/slsa.yml
index 192a6e2..28c8ac9 100644
--- a/.github/workflows/slsa.yml
+++ b/.github/workflows/slsa.yml
@@ -16,11 +16,16 @@ jobs:
hashes: ${{ steps.hash.outputs.hashes }}
runs-on: ubuntu-latest
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
- run: echo "REPOSITORY_NAME=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" >> $GITHUB_ENV
shell: bash
- name: Checkout repository
- uses: actions/checkout@27135e314dd1818f797af1db9dae03a9f045786b # master
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Build artifacts
run: |
@@ -33,7 +38,7 @@ jobs:
echo "hashes=$(sha256sum ${{ env.REPOSITORY_NAME }}.sha256 | base64 -w0)" >> "$GITHUB_OUTPUT"
- name: Upload ${{ env.REPOSITORY_NAME }}.sha256
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: ${{ env.REPOSITORY_NAME }}.sha256
path: ${{ env.REPOSITORY_NAME }}.sha256
@@ -46,17 +51,17 @@ jobs:
actions: read
id-token: write
contents: write
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
with:
base64-subjects: "${{ needs.build.outputs.hashes }}"
upload-assets: ${{ startsWith(github.ref, 'refs/tags/') }}
release:
- needs: [build, provenance]
permissions:
actions: read
id-token: write
contents: write
+ needs: [build, provenance]
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/')
steps:
@@ -64,12 +69,12 @@ jobs:
shell: bash
- name: Download ${{ env.REPOSITORY_NAME }}.sha256
- uses: actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281 # v2.1.1
+ uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: ${{ env.REPOSITORY_NAME }}.sha256
- name: Upload asset
- uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
+ uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # v2.0.4
with:
files: |
${{ env.REPOSITORY_NAME }}.sha256
From c4b7d36042fc7141a432b8b30dae26dad32e8ba8 Mon Sep 17 00:00:00 2001
From: Sean Pedersen <92553912+spedersen-emailage@users.noreply.github.com>
Date: Wed, 15 May 2024 10:21:02 -0700
Subject: [PATCH 31/32] modified get_docker_configuration_file_args jq command
to remove \'null\' return
---
functions/helper_lib.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/functions/helper_lib.sh b/functions/helper_lib.sh
index 740fdcf..d8b8f46 100644
--- a/functions/helper_lib.sh
+++ b/functions/helper_lib.sh
@@ -123,7 +123,7 @@ get_docker_configuration_file_args() {
get_docker_configuration_file
if "$HAVE_JQ"; then
- jq --monochrome-output --raw-output ".[\"${OPTION}\"]" "$CONFIG_FILE"
+ jq --monochrome-output --raw-output "if has(\"${OPTION}\") then .[\"${OPTION}\"] else \"\" end" "$CONFIG_FILE"
else
cat "$CONFIG_FILE" | tr , '\n' | grep "$OPTION" | sed 's/.*://g' | tr -d '" ',
fi
From a18798fcfa8e35181a51310f2a153c96006b8346 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <cyphar@cyphar.com>
Date: Fri, 18 Oct 2024 13:17:01 +1100
Subject: [PATCH 32/32] dist: adjust script imports to be able to use
/usr/libexec
In order to make installation easier for distributions, make all script
imports based on a single variable that distributions can adjust based
on how the script is packaged for each distribution.
Ideally we would actually install the script in /usr/libexec rather than
/ in our Dockerfile, but this is a simpler fix that still lets you run
the script from the repo directory.
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
---
docker-bench-security.sh | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/docker-bench-security.sh b/docker-bench-security.sh
index d91d995..d4041a8 100755
--- a/docker-bench-security.sh
+++ b/docker-bench-security.sh
@@ -9,9 +9,11 @@
version='1.6.0'
+LIBEXEC="." # Distributions can change this to /usr/libexec or similar.
+
# Load dependencies
-. ./functions/functions_lib.sh
-. ./functions/helper_lib.sh
+. $LIBEXEC/functions/functions_lib.sh
+. $LIBEXEC/functions/helper_lib.sh
# Setup the paths
this_path=$(abspath "$0") ## Path of this file including filename
@@ -99,7 +101,7 @@ do
done
# Load output formating
-. ./functions/output_lib.sh
+. $LIBEXEC/functions/output_lib.sh
yell_info
@@ -161,8 +163,8 @@ main () {
images=$(docker images -q $LABELS| grep -v "$benchcont")
fi
- for test in tests/*.sh; do
- . ./"$test"
+ for test in $LIBEXEC/tests/*.sh; do
+ . "$test"
done
if [ -z "$check" ] && [ ! "$checkexclude" ]; then