diff --git a/.github/workflows/slsa.yml b/.github/workflows/slsa.yml
index 192a6e2..28c8ac9 100644
--- a/.github/workflows/slsa.yml
+++ b/.github/workflows/slsa.yml
@@ -16,11 +16,16 @@ jobs:
hashes: ${{ steps.hash.outputs.hashes }}
runs-on: ubuntu-latest
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
- run: echo "REPOSITORY_NAME=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" >> $GITHUB_ENV
shell: bash
- name: Checkout repository
- uses: actions/checkout@27135e314dd1818f797af1db9dae03a9f045786b # master
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Build artifacts
run: |
@@ -33,7 +38,7 @@ jobs:
echo "hashes=$(sha256sum ${{ env.REPOSITORY_NAME }}.sha256 | base64 -w0)" >> "$GITHUB_OUTPUT"
- name: Upload ${{ env.REPOSITORY_NAME }}.sha256
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: ${{ env.REPOSITORY_NAME }}.sha256
path: ${{ env.REPOSITORY_NAME }}.sha256
@@ -46,17 +51,17 @@ jobs:
actions: read
id-token: write
contents: write
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
with:
base64-subjects: "${{ needs.build.outputs.hashes }}"
upload-assets: ${{ startsWith(github.ref, 'refs/tags/') }}
release:
- needs: [build, provenance]
permissions:
actions: read
id-token: write
contents: write
+ needs: [build, provenance]
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/')
steps:
@@ -64,12 +69,12 @@ jobs:
shell: bash
- name: Download ${{ env.REPOSITORY_NAME }}.sha256
- uses: actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281 # v2.1.1
+ uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: ${{ env.REPOSITORY_NAME }}.sha256
- name: Upload asset
- uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
+ uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # v2.0.4
with:
files: |
${{ env.REPOSITORY_NAME }}.sha256
diff --git a/docker-bench-security.sh b/docker-bench-security.sh
index d91d995..d4041a8 100755
--- a/docker-bench-security.sh
+++ b/docker-bench-security.sh
@@ -9,9 +9,11 @@
version='1.6.0'
+LIBEXEC="." # Distributions can change this to /usr/libexec or similar.
+
# Load dependencies
-. ./functions/functions_lib.sh
-. ./functions/helper_lib.sh
+. $LIBEXEC/functions/functions_lib.sh
+. $LIBEXEC/functions/helper_lib.sh
# Setup the paths
this_path=$(abspath "$0") ## Path of this file including filename
@@ -99,7 +101,7 @@ do
done
# Load output formating
-. ./functions/output_lib.sh
+. $LIBEXEC/functions/output_lib.sh
yell_info
@@ -161,8 +163,8 @@ main () {
images=$(docker images -q $LABELS| grep -v "$benchcont")
fi
- for test in tests/*.sh; do
- . ./"$test"
+ for test in $LIBEXEC/tests/*.sh; do
+ . "$test"
done
if [ -z "$check" ] && [ ! "$checkexclude" ]; then
diff --git a/functions/helper_lib.sh b/functions/helper_lib.sh
index 963b149..d8b8f46 100644
--- a/functions/helper_lib.sh
+++ b/functions/helper_lib.sh
@@ -123,7 +123,7 @@ get_docker_configuration_file_args() {
get_docker_configuration_file
if "$HAVE_JQ"; then
- jq --monochrome-output --raw-output ".[\"${OPTION}\"]" "$CONFIG_FILE"
+ jq --monochrome-output --raw-output "if has(\"${OPTION}\") then .[\"${OPTION}\"] else \"\" end" "$CONFIG_FILE"
else
cat "$CONFIG_FILE" | tr , '\n' | grep "$OPTION" | sed 's/.*://g' | tr -d '" ',
fi
@@ -140,7 +140,11 @@ get_service_file() {
echo "/lib/systemd/system/$SERVICE"
return
fi
- if systemctl show -p FragmentPath "$SERVICE" 2> /dev/null 1>&2; then
+ if find /run -name "$SERVICE" 2> /dev/null 1>&2; then
+ find /run -name "$SERVICE" | head -n1
+ return
+ fi
+ if [ "$(systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//')" != "" ]; then
systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//'
return
fi
diff --git a/tests/1_host_configuration.sh b/tests/1_host_configuration.sh
index 86247a8..4435b50 100644
--- a/tests/1_host_configuration.sh
+++ b/tests/1_host_configuration.sh
@@ -243,12 +243,12 @@ check_1_1_8() {
local id="1.1.8"
local desc="Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)"
local remediation
- remediation="Install auditd. Add -w $(get_service_file containerd.socket) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
+ remediation="Install auditd. Add -w $(get_service_file containerd.sock) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
- file="$(get_service_file containerd.socket)"
+ file="$(get_service_file containerd.sock)"
if [ -e "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then
diff --git a/tests/5_container_runtime.sh b/tests/5_container_runtime.sh
index e904c9b..93ee77f 100644
--- a/tests/5_container_runtime.sh
+++ b/tests/5_container_runtime.sh
@@ -617,27 +617,29 @@ check_5_15() {
for s in $(docker service ls --format '{{.Name}}'); do
if echo $container_name | grep -q "$s"; then
task_id=$(docker inspect "$c" --format '{{.Name}}' | awk -F '.' '{print $NF}')
- # a container name could arbitrary include a service one: it belongs to a service (created by Docker
+ # a container name could arbitrary include a service one: it belongs to a service (created by Docker
# as part of the service), if the container task ID matches one of the task IDs of the service.
if docker service ps --no-trunc "$s" --format '{{.ID}}' | grep -q "$task_id"; then
- spolicy=$(docker inspect --format MaxAttempts='{{ .Spec.TaskTemplate.RestartPolicy.MaxAttempts }}' "$s")
+ restart_policy=$(docker inspect --format '{{ .Spec.TaskTemplate.RestartPolicy.MaxAttempts }}' "$s")
break
fi
fi
done
fi
- cpolicy=$(docker inspect --format MaximumRetryCount='{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c")
+ if docker inspect --format '{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c" &>/dev/null; then
+ restart_policy=$(docker inspect --format '{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c")
+ fi
- if [ "$cpolicy" != "MaximumRetryCount=5" ] && [ "$spolicy" != "MaxAttempts=5" ]; then
+ if [ "$restart_policy" -gt "5" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
- warn " * MaximumRetryCount is not set to 5: $c"
+ warn " * MaximumRetryCount is not set to 5 or less: $c"
maxretry_unset_containers="$maxretry_unset_containers $c"
fail=1
continue
fi
- warn " * MaximumRetryCount is not set to 5: $c"
+ warn " * MaximumRetryCount is not set to 5 or less: $c"
maxretry_unset_containers="$maxretry_unset_containers $c"
fi
done
@@ -647,7 +649,7 @@ check_5_15() {
logcheckresult "PASS"
return
fi
- logcheckresult "WARN" "Containers with MaximumRetryCount not set to 5" "$maxretry_unset_containers"
+ logcheckresult "WARN" "Containers with MaximumRetryCount not set to 5 or less" "$maxretry_unset_containers"
}
check_5_16() {