From ab2190819de91dc09978d3db01577940aaf20af1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
 <konstruktoid@users.noreply.github.com>
Date: Mon, 25 Sep 2023 09:05:44 +0000
Subject: [PATCH 1/9] check if restart policy is 5 or less
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
---
 tests/5_container_runtime.sh | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/tests/5_container_runtime.sh b/tests/5_container_runtime.sh
index 7f6fa1a..bccdf61 100644
--- a/tests/5_container_runtime.sh
+++ b/tests/5_container_runtime.sh
@@ -600,27 +600,27 @@ check_5_14() {
       for s in $(docker service ls --format '{{.Name}}'); do
         if echo $container_name | grep -q "$s"; then
           task_id=$(docker inspect "$c" --format '{{.Name}}' | awk -F '.' '{print $NF}')
-          # a container name could arbitrary include a service one: it belongs to a service (created by Docker 
+          # a container name could arbitrary include a service one: it belongs to a service (created by Docker
           # as part of the service), if the container task ID matches one of the task IDs of the service.
           if docker service ps --no-trunc "$s" --format '{{.ID}}' | grep -q "$task_id"; then
-            spolicy=$(docker inspect --format MaxAttempts='{{ .Spec.TaskTemplate.RestartPolicy.MaxAttempts }}' "$s")
+            restart_policy=$(docker inspect --format '{{ .Spec.TaskTemplate.RestartPolicy.MaxAttempts }}' "$s")
             break
           fi
         fi
       done
     fi
-    cpolicy=$(docker inspect --format MaximumRetryCount='{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c")
+    restart_policy=$(docker inspect --format '{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c")
 
-    if [ "$cpolicy" != "MaximumRetryCount=5" ] && [ "$spolicy" != "MaxAttempts=5" ]; then
+    if [ "$restart_policy" -gt "5" ]; then
       # If it's the first container, fail the test
       if [ $fail -eq 0 ]; then
         warn -s "$check"
-        warn "      * MaximumRetryCount is not set to 5: $c"
+        warn "      * MaximumRetryCount is not set to 5 or less: $c"
         maxretry_unset_containers="$maxretry_unset_containers $c"
         fail=1
         continue
       fi
-      warn "      * MaximumRetryCount is not set to 5: $c"
+      warn "      * MaximumRetryCount is not set to 5 or less: $c"
       maxretry_unset_containers="$maxretry_unset_containers $c"
     fi
   done
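Review bot: The assignment at L35 is unconditional, so the swarm value stored in `restart_policy` at L28 is always overwritten by the container's `MaximumRetryCount` before the comparison at L38 — the service branch no longer affects the verdict, whereas the removed two-term condition consulted both `cpolicy` and `spolicy`. The comparison also misbehaves when `docker inspect` failed and the variable is empty: `[ "" -gt "5" ]` prints `integer expression expected` and evaluates false, so the container is silently passed; a guard such as `case "$restart_policy" in ''|*[!0-9]*) restart_policy=0 ;; esac` before the test makes that outcome explicit. Note as well that `-gt "5"` accepts 0, i.e. a container with no restart policy configured at all now passes this check, which is broader than the warning text ("not set to 5 or less") suggests — presumably intended, but worth stating in the check description. check_5_14 starts before the hunk.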
@@ -630,7 +630,7 @@ check_5_14() {
     logcheckresult "PASS"
     return
   fi
-  logcheckresult "WARN" "Containers with MaximumRetryCount not set to 5" "$maxretry_unset_containers"
+  logcheckresult "WARN" "Containers with MaximumRetryCount not set to 5 or less" "$maxretry_unset_containers"
 }
 
 check_5_15() {

From e680ab2465be8f8381fedb0b7dac2c6eef6334a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
 <konstruktoid@users.noreply.github.com>
Date: Mon, 25 Sep 2023 15:29:45 +0000
Subject: [PATCH 2/9] update restart_policy w/o swarm
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
---
 tests/5_container_runtime.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/tests/5_container_runtime.sh b/tests/5_container_runtime.sh
index bccdf61..7e8ed07 100644
--- a/tests/5_container_runtime.sh
+++ b/tests/5_container_runtime.sh
@@ -609,7 +609,9 @@ check_5_14() {
         fi
       done
     fi
-    restart_policy=$(docker inspect --format '{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c")
+    if docker inspect --format '{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c" &>/dev/null; then
+      restart_policy=$(docker inspect --format '{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c")
+    fi
 
     if [ "$restart_policy" -gt "5" ]; then
       # If it's the first container, fail the test
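Review bot: When the guarded `docker inspect` at L86 fails, `restart_policy` keeps whatever it held before — the value from the previous iteration of what is presumably the enclosing per-container loop, or the swarm value assigned earlier in the function — because nothing resets it per container, so the comparison at L90 judges this container by another one's value. Initialising it at the top of the iteration and running the inspect once, `restart_policy=$(docker inspect --format '{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c" 2>/dev/null) || restart_policy=0`, removes both the stale value and the duplicated call. `&>/dev/null` is a bash extension; the other scripts in this series use `>/dev/null 2>&1`, and under a POSIX `sh` the `&` would background the command instead of redirecting. check_5_14 starts before the hunk.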

From e081393ad752277958e9f7aedb3287cdc30502a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
 <konstruktoid@users.noreply.github.com>
Date: Thu, 11 Apr 2024 21:45:15 +0000
Subject: [PATCH 3/9] include /run in get_service_file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
---
 functions/helper_lib.sh | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/functions/helper_lib.sh b/functions/helper_lib.sh
index 963b149..63bdd33 100644
--- a/functions/helper_lib.sh
+++ b/functions/helper_lib.sh
@@ -144,6 +144,10 @@ get_service_file() {
     systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//'
     return
   fi
+  if find /run -name "$SERVICE" 2> /dev/null 1>&2; then
+    find /run -name "$SERVICE" | head -n1
+    return
+  fi
   echo "/usr/lib/systemd/system/$SERVICE"
 }
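Review bot: `find /run -name "$SERVICE"` at L115 exits 0 whether or not anything matched — its status reports traversal errors, not hits — so on any host where /run is readable this branch is taken, `head -n1` at L116 prints nothing, and the function returns an empty string instead of falling through to the `/usr/lib/systemd/system` default at L119. Capture the result once and test it for non-emptiness instead; the same lines survive as context in `[PATCH 4/9]` (L149-L152). Matching by bare name anywhere under /run also means a same-named file in an unrelated or user-owned subtree (e.g. under /run/user) can be returned as the unit path that later checks audit, so constraining the search to the intended location (e.g. `/run/systemd/system`) is worth considering. get_service_file starts before the hunk.
```shell
  svc_file=$(find /run -name "$SERVICE" 2>/dev/null | head -n1)
  if [ -n "$svc_file" ]; then
    echo "$svc_file"
    return
  fi
  # … unchanged: default /usr/lib/systemd/system path …
```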
 

From 287fd8774bc2245addcb6f6f9eec1c3891890b1c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
 <konstruktoid@users.noreply.github.com>
Date: Fri, 12 Apr 2024 08:17:17 +0000
Subject: [PATCH 4/9] systemctl always returns a FragmentPath
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
---
 functions/helper_lib.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/functions/helper_lib.sh b/functions/helper_lib.sh
index 63bdd33..740fdcf 100644
--- a/functions/helper_lib.sh
+++ b/functions/helper_lib.sh
@@ -140,14 +140,14 @@ get_service_file() {
     echo "/lib/systemd/system/$SERVICE"
     return
   fi
-  if systemctl show -p FragmentPath "$SERVICE" 2> /dev/null 1>&2; then
-    systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//'
-    return
-  fi
   if find /run -name "$SERVICE" 2> /dev/null 1>&2; then
     find /run -name "$SERVICE" | head -n1
     return
   fi
+  if [ "$(systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//')" != "" ]; then
+    systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//'
+    return
+  fi
   echo "/usr/lib/systemd/system/$SERVICE"
 }
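Review bot: The condition at L153 runs `systemctl show` and `sed` a second time at L154 to print the same value, and it drops the `2> /dev/null` the removed lines had, so on a host without systemctl the "not found" message now reaches the caller's stderr. Capture once: `svc_path=$(systemctl show -p FragmentPath "$SERVICE" 2>/dev/null | sed 's/.*=//')` followed by `if [ -n "$svc_path" ]; then echo "$svc_path"; return; fi`. Moving the lookup below the /run search at L149 also means any same-named file under /run now takes precedence over the unit systemd actually loaded; if /run was meant only as a fallback for hosts without systemctl, the two blocks may want to be in the opposite order. get_service_file starts before the hunk.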
 

From 5d5ca0a3da8fa8e7f9a71569b5d3be99895410e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
 <konstruktoid@users.noreply.github.com>
Date: Tue, 16 Apr 2024 07:29:45 +0000
Subject: [PATCH 5/9] correct tests and instructions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
---
 tests/1_host_configuration.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/1_host_configuration.sh b/tests/1_host_configuration.sh
index 86247a8..4435b50 100644
--- a/tests/1_host_configuration.sh
+++ b/tests/1_host_configuration.sh
@@ -243,12 +243,12 @@ check_1_1_8() {
   local id="1.1.8"
   local desc="Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)"
   local remediation
-  remediation="Install auditd. Add -w $(get_service_file containerd.socket) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
+  remediation="Install auditd. Add -w $(get_service_file containerd.sock) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
   local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
   local check="$id - $desc"
   starttestjson "$id" "$desc"
 
-  file="$(get_service_file containerd.socket)"
+  file="$(get_service_file containerd.sock)"
   if [ -e "$file" ]; then
     if command -v auditctl >/dev/null 2>&1; then
       if auditctl -l | grep "$file" >/dev/null 2>&1; then
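Review bot: `get_service_file containerd.sock` at L190 now depends on the helper's find-over-/run branch to locate a socket, but that helper's last resort is a systemd unit path (`/usr/lib/systemd/system/$SERVICE`), which for a `.sock` name cannot exist, and the `remediation` string at L184 would then tell the user to audit that non-existent path. When /run yields nothing, the `[ -e "$file" ]` test at L191 falls to the not-found branch below the hunk, so the result is only as clear as that branch makes it. A socket-specific lookup — a fixed candidate such as `/run/containerd/containerd.sock` tested with `[ -S "$file" ]` — would make the check's intent explicit. check_1_1_8's body continues below the hunk.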

From 966929427e9d31c255cea95cdefde7f6cda58a69 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
 <konstruktoid@users.noreply.github.com>
Date: Tue, 16 Apr 2024 07:29:45 +0000
Subject: [PATCH 6/9] correct tests and instructions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
---
 tests/1_host_configuration.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/1_host_configuration.sh b/tests/1_host_configuration.sh
index 86247a8..4435b50 100644
--- a/tests/1_host_configuration.sh
+++ b/tests/1_host_configuration.sh
@@ -243,12 +243,12 @@ check_1_1_8() {
   local id="1.1.8"
   local desc="Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)"
   local remediation
-  remediation="Install auditd. Add -w $(get_service_file containerd.socket) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
+  remediation="Install auditd. Add -w $(get_service_file containerd.sock) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
   local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
   local check="$id - $desc"
   starttestjson "$id" "$desc"
 
-  file="$(get_service_file containerd.socket)"
+  file="$(get_service_file containerd.sock)"
   if [ -e "$file" ]; then
     if command -v auditctl >/dev/null 2>&1; then
       if auditctl -l | grep "$file" >/dev/null 2>&1; then
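Review bot: This patch is byte-for-byte identical to `[PATCH 5/9]` — same `index 86247a8..4435b50` line, same date, same hunk — so applied in sequence it cannot apply, because the `containerd.socket` lines it removes were already replaced by 5/9, and `git am` will stop here. Drop it from the series or squash it into 5/9; if it was meant to carry a different change, that change did not make it into the patch.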

From 12f085d42f9b38dd723dbf3fb6c2f7b7377836a9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
 <konstruktoid@users.noreply.github.com>
Date: Tue, 16 Apr 2024 08:23:14 +0000
Subject: [PATCH 7/9] update SLSA action
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
---
 .github/workflows/slsa.yml | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/slsa.yml b/.github/workflows/slsa.yml
index 192a6e2..28c8ac9 100644
--- a/.github/workflows/slsa.yml
+++ b/.github/workflows/slsa.yml
@@ -16,11 +16,16 @@ jobs:
       hashes: ${{ steps.hash.outputs.hashes }}
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - run: echo "REPOSITORY_NAME=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" >> $GITHUB_ENV
         shell: bash
 
       - name: Checkout repository
-        uses: actions/checkout@27135e314dd1818f797af1db9dae03a9f045786b # master
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Build artifacts
         run: |
@@ -33,7 +38,7 @@ jobs:
           echo "hashes=$(sha256sum ${{ env.REPOSITORY_NAME }}.sha256 | base64 -w0)" >> "$GITHUB_OUTPUT"
 
       - name: Upload ${{ env.REPOSITORY_NAME }}.sha256
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: ${{ env.REPOSITORY_NAME }}.sha256
           path: ${{ env.REPOSITORY_NAME }}.sha256
@@ -46,17 +51,17 @@ jobs:
       actions: read
       id-token: write
       contents: write
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
     with:
       base64-subjects: "${{ needs.build.outputs.hashes }}"
       upload-assets: ${{ startsWith(github.ref, 'refs/tags/') }}
 
   release:
-    needs: [build, provenance]
     permissions:
       actions: read
       id-token: write
       contents: write
+    needs: [build, provenance]
     runs-on: ubuntu-latest
     if: startsWith(github.ref, 'refs/tags/')
     steps:
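Review bot: The `release` job shown here holds `contents: write` and `id-token: write` and runs third-party actions, yet the Harden Runner step introduced for `build` in the first hunk is not added to it (the job's step list begins at the end of this hunk and its contents are outside the view, so this is inferred). The `egress-policy: audit` setting in the first hunk only records outbound connections; it blocks nothing, so a compromised action in either job could still exfiltrate the token. Once the audit logs show the endpoints the workflow needs, switching to `egress-policy: block` with an explicit `allowed-endpoints:` list is the setting that actually enforces. The SHA pins with version comments on every updated `uses:` line are good practice and worth keeping in that form.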
@@ -64,12 +69,12 @@ jobs:
         shell: bash
 
       - name: Download ${{ env.REPOSITORY_NAME }}.sha256
-        uses: actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281 # v2.1.1
+        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
         with:
           name: ${{ env.REPOSITORY_NAME }}.sha256
 
       - name: Upload asset
-        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
+        uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # v2.0.4
         with:
           files: |
             ${{ env.REPOSITORY_NAME }}.sha256

From c4b7d36042fc7141a432b8b30dae26dad32e8ba8 Mon Sep 17 00:00:00 2001
From: Sean Pedersen <92553912+spedersen-emailage@users.noreply.github.com>
Date: Wed, 15 May 2024 10:21:02 -0700
Subject: [PATCH 8/9] modified get_docker_configuration_file_args jq command to
 remove \'null\' return

---
 functions/helper_lib.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/functions/helper_lib.sh b/functions/helper_lib.sh
index 740fdcf..d8b8f46 100644
--- a/functions/helper_lib.sh
+++ b/functions/helper_lib.sh
@@ -123,7 +123,7 @@ get_docker_configuration_file_args() {
   get_docker_configuration_file
 
   if "$HAVE_JQ"; then
-    jq --monochrome-output --raw-output ".[\"${OPTION}\"]" "$CONFIG_FILE"
+    jq --monochrome-output --raw-output "if has(\"${OPTION}\") then .[\"${OPTION}\"] else \"\" end" "$CONFIG_FILE"
   else
     cat "$CONFIG_FILE" | tr , '\n' | grep "$OPTION" | sed 's/.*://g' | tr -d '" ',
   fi
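Review bot: `${OPTION}` is still spliced into the jq program text at L329, so a value containing a double quote or backslash breaks the filter and, with a crafted value, changes what it evaluates; passing it as data, `jq --monochrome-output --raw-output --arg opt "$OPTION" 'if has($opt) then .[$opt] else "" end' "$CONFIG_FILE"`, keeps the program fixed. Note that this only removes `null` for an absent key — a key present with an explicit JSON `null` still prints `null`, which callers may or may not expect. Avoid the tempting `.[$opt] // ""` shortcut: `//` also replaces `false`, which is a legitimate value for several daemon.json options. get_docker_configuration_file_args starts before the hunk.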

From a18798fcfa8e35181a51310f2a153c96006b8346 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <cyphar@cyphar.com>
Date: Fri, 18 Oct 2024 13:17:01 +1100
Subject: [PATCH 9/9] dist: adjust script imports to be able to use
 /usr/libexec

In order to make installation easier for distributions, make all script
imports based on a single variable that distributions can adjust based
on how the script is packaged for each distribution.

Ideally we would actually install the script in /usr/libexec rather than
/ in our Dockerfile, but this is a simpler fix that still lets you run
the script from the repo directory.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
---
 docker-bench-security.sh | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/docker-bench-security.sh b/docker-bench-security.sh
index d91d995..d4041a8 100755
--- a/docker-bench-security.sh
+++ b/docker-bench-security.sh
@@ -9,9 +9,11 @@
 
 version='1.6.0'
 
+LIBEXEC="." # Distributions can change this to /usr/libexec or similar.
+
 # Load dependencies
-. ./functions/functions_lib.sh
-. ./functions/helper_lib.sh
+. $LIBEXEC/functions/functions_lib.sh
+. $LIBEXEC/functions/helper_lib.sh
 
 # Setup the paths
 this_path=$(abspath "$0")       ## Path of this file including filename
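Review bot: `$LIBEXEC` is unquoted in the `.` lines at L366 and L367 (and L376 in the next hunk) and in the glob at L386, so a packaging value containing whitespace or glob characters is word-split; write `. "$LIBEXEC/functions/functions_lib.sh"` and `for test in "$LIBEXEC"/tests/*.sh; do`. With the default `.` the libraries are still resolved against the caller's working directory rather than the script's location, so running the script from another directory loads whatever `./functions` happens to be there; deriving the default from `$0` (`LIBEXEC=$(dirname "$0")` — `abspath` at L370 presumably comes from the libraries being loaded, so it cannot be used before them) would remove that dependence on cwd. If the intent is that only packagers ever change this value, a comment saying so next to L361 would help.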
@@ -99,7 +101,7 @@ do
 done
 
 # Load output formating
-. ./functions/output_lib.sh
+. $LIBEXEC/functions/output_lib.sh
 
 yell_info
 
@@ -161,8 +163,8 @@ main () {
     images=$(docker images -q $LABELS| grep -v "$benchcont")
   fi
 
-  for test in tests/*.sh; do
-    . ./"$test"
+  for test in $LIBEXEC/tests/*.sh; do
+    . "$test"
   done
 
   if [ -z "$check" ] && [ ! "$checkexclude" ]; then