GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2025-05-15 22:25:29 +00:00
Code Issues Projects Releases Packages Wiki Activity

Compare commits

...

49 commits
v1.5.0 ... master

Author SHA1 Message Date
Thomas Sjögren
ff26d67f25
Merge pull request from cyphar/dist-libexec 
dist: adjust script imports to be able to use /usr/libexec
 2024-10-21 09:26:06 +02:00
Aleksa Sarai
a18798fcfa
dist: adjust script imports to be able to use /usr/libexec 
In order to make installation easier for distributions, make all script
imports based on a single variable that distributions can adjust based
on how the script is packaged for each distribution.

Ideally we would actually install the script in /usr/libexec rather than
/ in our Dockerfile, but this is a simpler fix that still lets you run
the script from the repo directory.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
 2024-10-18 17:43:13 +11:00
Thomas Sjögren
5c42b8ad5f
Merge pull request from spedersen-emailage/log-level-fix 
modified get_docker_configuration_file_args jq command to remove null response
 2024-05-16 16:35:13 +02:00
Sean Pedersen
c4b7d36042 modified get_docker_configuration_file_args jq command to remove \'null\' return 2024-05-15 10:21:02 -07:00
Thomas Sjögren
23110269a6
Merge pull request from konstruktoid/issue548 
include /run in get_service_file
 2024-04-16 18:12:13 +02:00
Thomas Sjögren
c495b3a774
Merge pull request from konstruktoid/gha 
update github action
 2024-04-16 10:24:28 +02:00
Thomas Sjögren
12f085d42f
update SLSA action 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2024-04-16 08:23:14 +00:00
Thomas Sjögren
966929427e correct tests and instructions 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2024-04-16 07:32:23 +00:00
Thomas Sjögren
5d5ca0a3da
correct tests and instructions 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2024-04-16 07:29:45 +00:00
Thomas Sjögren
287fd8774b
systemctl always returns an FragmentPath 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2024-04-12 08:17:17 +00:00
Thomas Sjögren
e081393ad7
include /run in get_service_file 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2024-04-11 21:45:15 +00:00
Thomas Sjögren
820abe98c3
Merge pull request from konstruktoid/issue538 
check if restart policy is 5 or less
 2024-02-11 11:25:09 +01:00
Thomas Sjögren
ba0b402ea5
Merge pull request from martipoe/master 
Update check ID and add check groups for CIS Controls v8 (v1.6.0 - 06-14-2023)
 2023-12-20 15:41:02 +01:00
MaPoe
684512b888 feat: check groups for CIS Controls v8 IG1-3 mapped recommendations 2023-12-17 16:45:13 +01:00
MaPoe
958f5fa6c3 feat: update swarm mode check id from 7.1 to 5.1 2023-12-17 15:57:54 +01:00
Thomas Sjögren
0fd702afed
Merge pull request from UlisesGascon/fix/pin-dependency 
feat: use SHA instead of tags for base image
 2023-11-19 22:04:37 +00:00
Ulises Gascón
8bbdaf6540
feat: use SHA instead of tags for base image 2023-11-19 21:08:05 +01:00
Thomas Sjögren
4edccd7859
Merge pull request from halfluke/fix537 
fix537
 2023-10-23 09:45:55 +00:00
halfluke
8d97756c62 fix537_proper 2023-10-21 01:55:29 +01:00
halfluke
b6e4380937 fix537 2023-10-21 01:43:46 +01:00
Thomas Sjögren
7287a35a21
Merge pull request from ismailarilik/patch-1 
"above" -> "below"
 2023-10-06 07:13:44 +00:00
İsmail Arılık
5c647c1b86
"above" -> "below" 
It is not above but below.
 2023-10-06 08:51:33 +03:00
Thomas Sjögren
e680ab2465
update restart_policy w/o swarm 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2023-09-25 15:29:45 +00:00
Thomas Sjögren
ab2190819d
check if restart policy is 5 or less 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2023-09-25 09:05:44 +00:00
Thomas Sjögren
b7a5284ce4
Merge pull request from konstruktoid/v160 
Update version v1.6.0
 2023-08-25 14:38:42 +02:00
Thomas Sjögren
8da1cc26df
v1.6.0 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2023-08-25 12:37:35 +00:00
Thomas Sjögren
9120d426ce
Merge pull request from konstruktoid/issue532 
Fix image sprawl miscalculation
 2023-08-25 14:18:55 +02:00
Thomas Sjögren
26f80fb331
Fix image sprawl miscalculation 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2023-08-25 12:17:48 +00:00
Thomas Sjögren
5555c37560
Merge pull request from lekpamartin/master 
add label filtering config
 2023-07-26 17:51:28 +00:00
LEKPA Martin
8ea918620e update doc 2023-07-26 18:47:50 +02:00
Martin LEKPA
59fe573db2
update help 2023-07-25 21:38:20 +02:00
Martin LEKPA
2dfb1bac51
Update README.md 2023-07-25 21:37:03 +02:00
LEKPA Martin
223baf94d1 update doc 2023-07-21 18:53:01 +02:00
Thomas Sjögren
d9f1d02102
Merge pull request from andreagalle/issue_521_restart_policy 
Issue 521 restart policy
 2023-07-07 19:16:48 +00:00
LEKPA Martin
bfbeda9263 add label filtering config 2023-07-01 11:19:04 +02:00
Thomas Sjögren
1f9933a867
Merge pull request from konstruktoid/issue527 
tr is required, not truncate
 2023-06-13 11:55:41 +02:00
Thomas Sjögren
d6005f0211
tr is required, not truncate 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2023-06-13 09:54:22 +00:00
Thomas Sjögren
26dc83ed28
Merge pull request from konstruktoid/docker 
update Docker container instructions, remove out-of-date Dockerfiles
 2023-06-02 22:18:33 +00:00
Thomas Sjögren
2647070692
update Docker container instructions, remove out-of-date Dockerfiles 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2023-06-02 22:16:31 +00:00
Thomas Sjögren
1d29a1f405
Merge pull request from brsolomon-deloitte/bugfix/get_docker_configuration_file_args 
fix: allow get_docker_configuration_file_args to parse minified json
 2023-06-02 21:46:09 +00:00
Brad Solomon
523556b4ac move HAVE_JQ into req_programs 2023-06-02 17:36:29 -04:00
Brad Solomon
79407ce361 remove non-universal tr -u flag 2023-06-02 17:26:21 -04:00
Brad Solomon
39963dad60 fix: allow get_docker_configuration_file_args to parse minified json 
Closes .
 2023-06-02 09:18:42 -04:00
andreagalle
0dc2d2b1e6 should fix the: Error response from daemon: This node is not a swarm manager. issue 2023-04-26 07:04:53 +00:00
andreagalle
412f514bb4 just a typo 2023-04-12 14:51:01 +00:00
andreagalle
f97b420af9 couple typos & performance improvements 2023-04-12 14:46:13 +00:00
andreagalle
c8c90ee523 checking for the MaxAttempts=5 too at service level 2023-04-12 13:27:36 +00:00
Thomas Sjögren
16c235080d
Merge pull request from konstruktoid/gha 
update slsa gha permissions
 2023-03-15 17:12:35 +01:00
Thomas Sjögren
9bf4dea527
update slsa gha permissions 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2023-03-15 17:11:38 +01:00
18 changed files with 502 additions and 314 deletions

21
.github/workflows/slsa.yml vendored
View file

@ -16,15 +16,20 @@ jobs:
hashes: ${{ steps.hash.outputs.hashes }}
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- run: echo "REPOSITORY_NAME=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" >> $GITHUB_ENV
shell: bash
- name: Checkout repository
uses: actions/checkout@27135e314dd1818f797af1db9dae03a9f045786b # master
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Build artifacts
run: |
find *.sh distros/* functions/* tests/* Dockerfile Vagrantfile -exec sha256sum {} \; > ${{ env.REPOSITORY_NAME }}.sha256
find *.sh functions/* tests/* Dockerfile Vagrantfile -exec sha256sum {} \; > ${{ env.REPOSITORY_NAME }}.sha256
- name: Generate hashes
shell: bash
@ -33,7 +38,7 @@ jobs:
echo "hashes=$(sha256sum ${{ env.REPOSITORY_NAME }}.sha256 | base64 -w0)" >> "$GITHUB_OUTPUT"
- name: Upload ${{ env.REPOSITORY_NAME }}.sha256
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: ${{ env.REPOSITORY_NAME }}.sha256
path: ${{ env.REPOSITORY_NAME }}.sha256
@ -46,12 +51,16 @@ jobs:
actions: read
id-token: write
contents: write
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
with:
base64-subjects: "${{ needs.build.outputs.hashes }}"
upload-assets: ${{ startsWith(github.ref, 'refs/tags/') }}
release:
permissions:
actions: read
id-token: write
contents: write
needs: [build, provenance]
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/')
@ -60,12 +69,12 @@ jobs:
shell: bash
- name: Download ${{ env.REPOSITORY_NAME }}.sha256
uses: actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281 # v2.1.1
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: ${{ env.REPOSITORY_NAME }}.sha256
- name: Upload asset
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # v2.0.4
with:
files: |
${{ env.REPOSITORY_NAME }}.sha256

7
Dockerfile
View file

@ -1,4 +1,4 @@
FROM alpine:3.15
FROM alpine:3.18@sha256:eece025e432126ce23f223450a0326fbebde39cdf496a85d8c016293fc851978
LABEL \
org.label-schema.name="docker-bench-security" \
@ -6,8 +6,9 @@ LABEL \
org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"
RUN apk add --no-cache iproute2 \
docker-cli \
dumb-init
docker-cli \
dumb-init \
jq
COPY . /usr/local/bin/

64
README.md
View file

@ -2,12 +2,13 @@
![Docker Bench for Security running](img/benchmark_log.png)
The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are based on the [CIS Docker Benchmark v1.5.0](https://www.cisecurity.org/benchmark/docker/).
The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are based on the [CIS Docker Benchmark v1.6.0](https://www.cisecurity.org/benchmark/docker/).
We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and docker containers against this benchmark.
We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and Docker containers against this benchmark.
Release | CIS |
:---:|:---:|
1.6.0|1.6.0|
1.5.0|1.5.0|
1.3.6|1.4.0|
1.3.5|1.2.0|
@ -26,13 +27,37 @@ cd docker-bench-security
sudo sh docker-bench-security.sh
```
> Note: [`jq`](https://jqlang.github.io/jq/) is an optional but recommended dependency.
### Run with Docker
#### Building Docker image
You have two options if you wish to build and run this container yourself:
1. Use Docker Build:
```sh
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
docker build --no-cache -t docker-bench-security .
```
Followed by an appropriate `docker run` command as stated below.
2. Use Docker Compose:
```sh
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
docker-compose run --rm docker-bench-security
```
_Please note that the `docker/docker-bench-security` image is out-of-date and and a manual build is required. See [#405](https://github.com/docker/docker-bench-security/issues/405) for more information._
We packaged docker bench as a small container for your convenience. Note that this container is being run with a *lot* of privilege -- sharing the host's filesystem, pid and network namespaces, due to portions of the benchmark applying to the running host.
Note that this container is being run with a *lot* of privilege -- sharing the host's filesystem, pid and network namespaces, due to portions of the benchmark applying to the running host.
The easiest way to run your hosts against the Docker Bench for Security is by running our pre-built container:
### Using the container
```sh
docker run --rm --net host --pid host --userns host --cap-add audit_control \
@ -44,7 +69,7 @@ docker run --rm --net host --pid host --userns host --cap-add audit_control \
-v /var/lib:/var/lib:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
--label docker_bench_security \
docker/docker-bench-security
docker-bench-security
```
Don't forget to adjust the shared volumes according to your operating system.
@ -64,7 +89,7 @@ docker run --rm --net host --pid host --userns host --cap-add audit_control \
-v /var/lib:/var/lib:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
--label docker_bench_security \
docker/docker-bench-security
docker-bench-security
```
2. The /etc/hostname file is missing on macOS, so it will need to be created first. Also, `Docker Desktop` on macOS doesn't have `/usr/lib/systemd` or the above Docker
@ -79,7 +104,7 @@ docker run --rm --net host --pid host --userns host --cap-add audit_control \
-v /var/lib:/var/lib:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
--label docker_bench_security \
docker/docker-bench-security
docker-bench-security
```
### Note
@ -99,6 +124,7 @@ Note that when distributions don't contain `auditctl`, the audit tests will chec
-e CHECK optional Comma delimited list of specific check(s) id to exclude
-i INCLUDE optional Comma delimited list of patterns within a container or image name to check
-x EXCLUDE optional Comma delimited list of patterns within a container or image name to exclude from check
-t LABEL optional Comma delimited list of labels within a container or image to check
-n LIMIT optional In JSON output, when reporting lists of items (containers, images, etc.), limit the number of reported items to LIMIT. Default 0 (no limit).
-p PRINT optional Disable the printing of remediation measures. Default: print remediation measures.
```
@ -117,32 +143,10 @@ The CIS based checks are named `check_<section>_<number>`, e.g. `check_2_6` and
`sh docker-bench-security.sh -e docker_enterprise_configuration` will run all available checks except the docker_enterprise_configuration group
`sh docker-bench-security.sh -e docker_enterprise_configuration,check_2_2` will run allavailable checks except the docker_enterprise_configuration group and `2.2 Ensure the logging level is set to 'info'`
`sh docker-bench-security.sh -e docker_enterprise_configuration,check_2_2` will run all available checks except the docker_enterprise_configuration group and `2.2 Ensure the logging level is set to 'info'`
`sh docker-bench-security.sh -c container_images,container_runtime` will run just the container_images and container_runtime checks
`sh docker-bench-security.sh -c container_images -e check_4_5` will run just the container_images checks except `4.5 Ensure Content trust for Docker is Enabled`
Note that when submitting checks, provide information why it is a reasonable test to add and please include some kind of official documentation verifying that information.
## Building Docker image
You have two options if you wish to build and run this container yourself:
1. Use Docker Build:
```sh
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
docker build --no-cache -t docker-bench-security .
```
Followed by an appropriate `docker run` command as stated above.
2. Use Docker Compose:
```sh
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
docker-compose run --rm docker-bench-security
```

19
distros/Dockerfile.alpine
View file

@ -1,19 +0,0 @@
FROM alpine:3.13
LABEL \
org.label-schema.name="docker-bench-security" \
org.label-schema.url="https://dockerbench.com" \
org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"
RUN apk add --no-cache iproute2 \
docker-cli \
dumb-init
COPY . /usr/local/bin/
HEALTHCHECK CMD exit 0
WORKDIR /usr/local/bin
ENTRYPOINT [ "/usr/bin/dumb-init", "docker-bench-security.sh" ]
CMD [""]

15
distros/Dockerfile.centos
View file

@ -1,15 +0,0 @@
# REPOSITORY https://github.com/fatherlinux/docker-bench-security
FROM centos
MAINTAINER smccarty@redhat.com
RUN yum install -y docker iproute audit procps-ng; yum clean all
RUN mkdir /docker-bench-security
COPY . /docker-bench-security
WORKDIR /docker-bench-security
ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"]

24
distros/Dockerfile.debian
View file

@ -1,24 +0,0 @@
FROM debian:sid@sha256:022a3cafe84d704c272794863ca5e383667c99312358e816ad1ff6e9a41ce4f6
LABEL org.label-schema.name="docker-bench-security" \
org.label-schema.url="https://github.com/konstruktoid/docker-bench-security" \
org.label-schema.vcs-url="https://github.com/konstruktoid/docker-bench-security.git"
RUN \
apt-get update && \
apt-get -y upgrade && \
apt-get -y install auditd ca-certificates docker.io \
gawk iproute2 procps --no-install-recommends && \
apt-get -y clean && \
apt-get -y autoremove && \
rm -rf /var/lib/apt/lists/* \
/usr/share/doc /usr/share/doc-base \
/usr/share/man /usr/share/locale /usr/share/zoneinfo
RUN mkdir /docker-bench-security
COPY . /docker-bench-security
WORKDIR /docker-bench-security
ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"]

13
distros/Dockerfile.openSUSE
View file

@ -1,13 +0,0 @@
# REPOSITORY https://github.com/docker/docker-bench-security
FROM opensuse/leap:latest
RUN zypper -n in audit docker iproute2 && \
mkdir /docker-bench-security && \
rm /usr/bin/awk && \
cp /usr/bin/gawk /usr/bin/awk
COPY . /docker-bench-security
WORKDIR /docker-bench-security
ENTRYPOINT ["/bin/bash", "docker-bench-security.sh"]

18
distros/Dockerfile.rhel
View file

@ -1,18 +0,0 @@
# REPOSITORY https://github.com/fatherlinux/docker-bench-security
FROM rhel7
MAINTAINER smccarty@redhat.com
RUN yum install -y yum-utils; yum clean all
RUN yum-config-manager --disable "*" &>/dev/null
RUN yum-config-manager --enable rhel-7-server-rpms --enable rhel-7-server-extras-rpms
RUN yum install -y docker iproute audit procps-ng; yum clean all
RUN mkdir /docker-bench-security
COPY . /docker-bench-security
WORKDIR /docker-bench-security
ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"]

21
distros/README.md
View file

@ -1,21 +0,0 @@
# Distribution specific Dockerfiles
## Requirements
### Dockerfile name
The format should be `Dockerfile.{distribution name}`.
### Keep your images up-to-date
Use the distribution package manager to keep your image up-to-date.
### Labels
Use the following labels in your Dockerfile:
```
LABEL org.label-schema.name="docker-bench-security" \
org.label-schema.url="<YOUR GIT REPOSITORY HTTPS ADDRESS>" \
org.label-schema.vcs-url="<YOUR REPOSITORY HTTPS GIT ADDRESS"
```

37
docker-bench-security.sh
View file

@ -7,11 +7,13 @@
# Checks for dozens of common best-practices around deploying Docker containers in production.
# --------------------------------------------------------------------------------------------
version='1.5.0'
version='1.6.0'
LIBEXEC="." # Distributions can change this to /usr/libexec or similar.
# Load dependencies
. ./functions/functions_lib.sh
. ./functions/helper_lib.sh
. $LIBEXEC/functions/functions_lib.sh
. $LIBEXEC/functions/helper_lib.sh
# Setup the paths
this_path=$(abspath "$0") ## Path of this file including filename
@ -24,7 +26,7 @@ readonly myname
export PATH="$PATH:/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/"
# Check for required program(s)
req_programs 'awk docker grep stat tee tail wc xargs truncate sed'
req_programs 'awk docker grep sed stat tail tee tr wc xargs'
# Ensure we can connect to docker daemon
if ! docker ps -q >/dev/null 2>&1; then
@ -36,7 +38,7 @@ usage () {
cat <<EOF
Docker Bench for Security - Docker, Inc. (c) 2015-$(date +"%Y")
Checks for dozens of common best-practices around deploying Docker containers in production.
Based on the CIS Docker Benchmark 1.5.0.
Based on the CIS Docker Benchmark 1.6.0.
Usage: ${myname}.sh [OPTIONS]
@ -57,6 +59,7 @@ Options:
-e CHECK optional Comma delimited list of specific check(s) id to exclude
-i INCLUDE optional Comma delimited list of patterns within a container or image name to check
-x EXCLUDE optional Comma delimited list of patterns within a container or image name to exclude from check
-t LABEL optional Comma delimited list of labels within a container or image to check
-n LIMIT optional In JSON output, when reporting lists of items (containers, images, etc.), limit the number of reported items to LIMIT. Default 0 (no limit).
-p PRINT optional Print remediation measures. Default: Don't print remediation measures.
@ -90,6 +93,7 @@ do
e) checkexclude="$OPTARG" ;;
i) include="$OPTARG" ;;
x) exclude="$OPTARG" ;;
t) labels="$OPTARG" ;;
n) limit="$OPTARG" ;;
p) printremediation="1" ;;
*) usage; exit 1 ;;
@ -97,7 +101,7 @@ do
done
# Load output formating
. ./functions/output_lib.sh
. $LIBEXEC/functions/output_lib.sh
yell_info
@ -141,21 +145,26 @@ main () {
fi
done
# Format LABELS
for label in $(echo "$labels" | sed 's/,/ /g'); do
LABELS="$LABELS --filter label=$label"
done
if [ -n "$include" ]; then
pattern=$(echo "$include" | sed 's/,/|/g')
containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -v "$benchcont" | grep -E "$pattern")
images=$(docker images | sed '1d' | grep -E "$pattern" | awk '{print $3}' | grep -v "$benchimagecont")
containers=$(docker ps $LABELS| sed '1d' | awk '{print $NF}' | grep -v "$benchcont" | grep -E "$pattern")
images=$(docker images $LABELS| sed '1d' | grep -E "$pattern" | awk '{print $3}' | grep -v "$benchimagecont")
elif [ -n "$exclude" ]; then
pattern=$(echo "$exclude" | sed 's/,/|/g')
containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -v "$benchcont" | grep -Ev "$pattern")
images=$(docker images | sed '1d' | grep -Ev "$pattern" | awk '{print $3}' | grep -v "$benchimagecont")
containers=$(docker ps $LABELS| sed '1d' | awk '{print $NF}' | grep -v "$benchcont" | grep -Ev "$pattern")
images=$(docker images $LABELS| sed '1d' | grep -Ev "$pattern" | awk '{print $3}' | grep -v "$benchimagecont")
else
containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -v "$benchcont")
images=$(docker images -q | grep -v "$benchcont")
containers=$(docker ps $LABELS| sed '1d' | awk '{print $NF}' | grep -v "$benchcont")
images=$(docker images -q $LABELS| grep -v "$benchcont")
fi
for test in tests/*.sh; do
. ./"$test"
for test in $LIBEXEC/tests/*.sh; do
. "$test"
done
if [ -z "$check" ] && [ ! "$checkexclude" ]; then

38
docker-compose.yml
View file

@ -1,21 +1,21 @@
docker-bench-security:
# use image if you have a dedicated build step:
# docker build --rm -t docker-bench-security .
# image: docker-bench-security
services:
docker-bench-security:
# use image if you have a dedicated build step:
# docker build --rm -t docker-bench-security .
# image: docker-bench-security
# use build path to Dockerfile if docker-compose should build the image
build: .
# use build path to Dockerfile if docker-compose should build the image
build: .
cap_add:
- audit_control
labels:
- docker_bench_security
net: host
pid: host
stdin_open: true
tty: true
volumes:
- /var/lib:/var/lib:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- /usr/lib/systemd:/usr/lib/systemd:ro
- /etc:/etc:ro
cap_add:
- audit_control
labels:
- docker_bench_security
pid: host
stdin_open: true
tty: true
volumes:
- /var/lib:/var/lib:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- /usr/lib/systemd:/usr/lib/systemd:ro
- /etc:/etc:ro

253
functions/functions_lib.sh
View file

@ -180,6 +180,7 @@ container_runtime() {
check_5_29
check_5_30
check_5_31
check_5_32
check_5_end
}
@ -213,7 +214,6 @@ docker_swarm_configuration() {
check_7_7
check_7_8
check_7_9
check_7_10
check_7_end
}
@ -307,6 +307,257 @@ cis_level1() {
docker_swarm_configuration_level1
}
cis_controls_v8_ig1() {
check_1_1_2
check_1_1_3
check_2_1
check_2_13
check_2_14
check_3_1
check_3_2
check_3_3
check_3_4
check_3_5
check_3_6
check_3_7
check_3_8
check_3_9
check_3_10
check_3_11
check_3_12
check_3_13
check_3_14
check_3_15
check_3_16
check_3_17
check_3_18
check_3_19
check_3_20
check_3_21
check_3_22
check_3_23
check_3_24
check_4_8
check_4_11
check_5_5
check_5_14
check_5_18
check_5_22
check_5_23
check_5_24
check_5_25
check_5_26
check_5_32
check_7_2
check_7_6
check_7_7
check_7_8
}
cis_controls_v8_ig2() {
check_1_1_1
check_1_1_2
check_1_1_3
check_1_1_4
check_1_1_5
check_1_1_6
check_1_1_7
check_1_1_8
check_1_1_9
check_1_1_10
check_1_1_11
check_1_1_12
check_1_1_13
check_1_1_14
check_1_1_15
check_1_1_16
check_1_1_17
check_1_1_18
check_1_2_1
check_1_2_2
check_2_1
check_2_2
check_2_3
check_2_4
check_2_5
check_2_7
check_2_8
check_2_11
check_2_13
check_2_14
check_2_15
check_2_16
check_2_18
check_3_1
check_3_2
check_3_3
check_3_4
check_3_5
check_3_6
check_3_7
check_3_8
check_3_9
check_3_10
check_3_11
check_3_12
check_3_13
check_3_14
check_3_15
check_3_16
check_3_17
check_3_18
check_3_19
check_3_20
check_3_21
check_3_22
check_3_23
check_3_24
check_4_2
check_4_3
check_4_4
check_4_7
check_4_8
check_4_9
check_4_11
check_5_1
check_5_2
check_5_3
check_5_4
check_5_5
check_5_7
check_5_10
check_5_11
check_5_12
check_5_14
check_5_16
check_5_17
check_5_18
check_5_19
check_5_21
check_5_22
check_5_23
check_5_24
check_5_25
check_5_26
check_5_27
check_5_30
check_5_31
check_5_32
check_6_1
check_6_2
check_7_2
check_7_3
check_7_5
check_7_6
check_7_7
check_7_8
check_7_9
}
cis_controls_v8_ig3() {
check_1_1_1
check_1_1_2
check_1_1_3
check_1_1_4
check_1_1_5
check_1_1_6
check_1_1_7
check_1_1_8
check_1_1_9
check_1_1_10
check_1_1_11
check_1_1_12
check_1_1_13
check_1_1_14
check_1_1_15
check_1_1_16
check_1_1_17
check_1_1_18
check_1_2_1
check_1_2_2
check_2_1
check_2_2
check_2_3
check_2_4
check_2_5
check_2_7
check_2_8
check_2_11
check_2_13
check_2_14
check_2_15
check_2_16
check_2_18
check_3_1
check_3_2
check_3_3
check_3_4
check_3_5
check_3_6
check_3_7
check_3_8
check_3_9
check_3_10
check_3_11
check_3_12
check_3_13
check_3_14
check_3_15
check_3_16
check_3_17
check_3_18
check_3_19
check_3_20
check_3_21
check_3_22
check_3_23
check_3_24
check_4_2
check_4_3
check_4_4
check_4_6
check_4_7
check_4_8
check_4_9
check_4_11
check_4_12
check_5_1
check_5_2
check_5_3
check_5_4
check_5_5
check_5_7
check_5_8
check_5_9
check_5_10
check_5_11
check_5_12
check_5_14
check_5_16
check_5_17
check_5_18
check_5_19
check_5_21
check_5_22
check_5_23
check_5_24
check_5_25
check_5_26
check_5_27
check_5_30
check_5_31
check_5_32
check_6_1
check_6_2
check_7_2
check_7_3
check_7_5
check_7_6
check_7_7
check_7_8
check_7_9
}
# Community contributed
community() {
community_checks

19
functions/helper_lib.sh
View file

@ -11,6 +11,11 @@ req_programs() {
for p in $1; do
command -v "$p" >/dev/null 2>&1 || { printf "Required program not found: %s\n" "$p"; exit 1; }
done
if command -v jq >/dev/null 2>&1; then
HAVE_JQ=true
else
HAVE_JQ=false
fi
if command -v ss >/dev/null 2>&1; then
netbin=ss
return
@ -117,7 +122,11 @@ get_docker_configuration_file_args() {
get_docker_configuration_file
grep "$OPTION" "$CONFIG_FILE" | sed 's/.*://g' | tr -d '" ',
if "$HAVE_JQ"; then
jq --monochrome-output --raw-output "if has(\"${OPTION}\") then .[\"${OPTION}\"] else \"\" end" "$CONFIG_FILE"
else
cat "$CONFIG_FILE" | tr , '\n' | grep "$OPTION" | sed 's/.*://g' | tr -d '" ',
fi
}
get_service_file() {
@ -131,7 +140,11 @@ get_service_file() {
echo "/lib/systemd/system/$SERVICE"
return
fi
if systemctl show -p FragmentPath "$SERVICE" 2> /dev/null 1>&2; then
if find /run -name "$SERVICE" 2> /dev/null 1>&2; then
find /run -name "$SERVICE" | head -n1
return
fi
if [ "$(systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//')" != "" ]; then
systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//'
return
fi
@ -145,6 +158,6 @@ yell "# ------------------------------------------------------------------------
# Docker, Inc. (c) 2015-$(date +"%Y")
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Based on the CIS Docker Benchmark 1.5.0.
# Based on the CIS Docker Benchmark 1.6.0.
# --------------------------------------------------------------------------------------------"
}

4
tests/1_host_configuration.sh
View file

@ -243,12 +243,12 @@ check_1_1_8() {
local id="1.1.8"
local desc="Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)"
local remediation
remediation="Install auditd. Add -w $(get_service_file containerd.socket) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
remediation="Install auditd. Add -w $(get_service_file containerd.sock) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="$(get_service_file containerd.socket)"
file="$(get_service_file containerd.sock)"
if [ -e "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then

17
tests/2_docker_daemon_configuration.sh
View file

@ -34,7 +34,7 @@ check_2_2() {
logcheckresult "PASS"
return
fi
if get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then
if [[ $(get_docker_configuration_file_args 'icc' | grep "false") ]] && [[ $(get_docker_configuration_file_args 'icc' | grep "false") != "null" ]] ; then
pass -s "$check"
logcheckresult "PASS"
return
@ -93,7 +93,7 @@ check_2_4() {
logcheckresult "WARN"
return
fi
if get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then
if [[ $(get_docker_configuration_file_args 'iptables' | grep "false") ]] && [[ $(get_docker_configuration_file_args 'iptables' | grep "false") != "null" ]] ; then
warn -s "$check"
logcheckresult "WARN"
return
@ -115,12 +115,7 @@ check_2_5() {
logcheckresult "WARN"
return
fi
if ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; then
if get_docker_configuration_file_args 'insecure-registries' | grep '\[]' >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
if [[ $(get_docker_configuration_file_args 'insecure-registries' | grep -v '\[]') ]] && [[ $(get_docker_configuration_file_args 'insecure-registries' | grep -v '\[]') != "null" ]] ; then
warn -s "$check"
logcheckresult "WARN"
return
@ -187,7 +182,7 @@ check_2_8() {
local check="$id - $desc"
starttestjson "$id" "$desc"
if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then
if [[ $(get_docker_configuration_file_args 'default-ulimits' | grep -v '{}') ]] && [[ $(get_docker_configuration_file_args 'default-ulimits' | grep -v '{}') != "null" ]] ; then
pass -c "$check"
logcheckresult "PASS"
return
@ -210,7 +205,7 @@ check_2_9() {
local check="$id - $desc"
starttestjson "$id" "$desc"
if get_docker_configuration_file_args 'userns-remap' | grep -v '""'; then
if [[ $(get_docker_configuration_file_args 'userns-remap' | grep -v '""') ]] && [[ $(get_docker_configuration_file_args 'userns-remap' | grep -v '""') != "null" ]] ; then
pass -s "$check"
logcheckresult "PASS"
return
@ -278,7 +273,7 @@ check_2_12() {
local check="$id - $desc"
starttestjson "$id" "$desc"
if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]'; then
if [[ $(get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]') ]] && [[ $(get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]') != "null" ]] ; then
pass -s "$check"
logcheckresult "PASS"
return

195
tests/5_container_runtime.sh
View file

@ -21,11 +21,28 @@ check_running_containers() {
}
check_5_1() {
local id="5.1"
local desc="Ensure swarm mode is not Enabled, if not needed (Automated)"
local remediation="If swarm mode has been enabled on a system in error, you should run the command: docker swarm leave"
local remediationImpact="Disabling swarm mode will impact the operation of Docker Enterprise components if these are in use."
local check="$id - $desc"
starttestjson "$id" "$desc"
if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_5_2() {
if [ -z "$containers" ]; then
return
fi
local id="5.1"
local id="5.2"
local desc="Ensure that, if applicable, an AppArmor Profile is enabled (Automated)"
local remediation="If AppArmor is applicable for your Linux OS, you should enable it. Alternatively, Docker's default AppArmor policy can be used."
local remediationImpact="The container will have the security controls defined in the AppArmor profile. It should be noted that if the AppArmor profile is misconfigured, this may cause issues with the operation of the container."
@ -59,12 +76,12 @@ check_5_1() {
logcheckresult "WARN" "Containers with no AppArmorProfile" "$no_apparmor_containers"
}
check_5_2() {
check_5_3() {
if [ -z "$containers" ]; then
return
fi
local id="5.2"
local id="5.3"
local desc="Ensure that, if applicable, SELinux security options are set (Automated)"
local remediation="Set the SELinux State. Set the SELinux Policy. Create or import a SELinux policy template for Docker containers. Start Docker in daemon mode with SELinux enabled. Start your Docker container using the security options."
local remediationImpact="Any restrictions defined in the SELinux policy will be applied to your containers. It should be noted that if your SELinux policy is misconfigured, this may have an impact on the correct operation of the affected containers."
@ -98,12 +115,12 @@ check_5_2() {
logcheckresult "WARN" "Containers with no SecurityOptions" "$no_securityoptions_containers"
}
check_5_3() {
check_5_4() {
if [ -z "$containers" ]; then
return
fi
local id="5.3"
local id="5.4"
local desc="Ensure that Linux kernel capabilities are restricted within containers (Automated)"
local remediation="You could remove all the currently configured capabilities and then restore only the ones you specifically use: docker run --cap-drop=all --cap-add={<Capability 1>,<Capability 2>} <Run arguments> <Container Image Name or ID> <Command>"
local remediationImpact="Restrictions on processes within a container are based on which Linux capabilities are in force. Removal of the NET_RAW capability prevents the container from creating raw sockets which is good security practice under most circumstances, but may affect some networking utilities."
@ -141,12 +158,12 @@ check_5_3() {
logcheckresult "WARN" "Capabilities added for containers" "$caps_containers"
}
check_5_4() {
check_5_5() {
if [ -z "$containers" ]; then
return
fi
local id="5.4"
local id="5.5"
local desc="Ensure that privileged containers are not used (Automated)"
local remediation="You should not run containers with the --privileged flag."
local remediationImpact="If you start a container without the --privileged flag, it will not have excessive default capabilities."
@ -180,12 +197,12 @@ check_5_4() {
logcheckresult "WARN" "Containers running in privileged mode" "$privileged_containers"
}
check_5_5() {
check_5_6() {
if [ -z "$containers" ]; then
return
fi
local id="5.5"
local id="5.6"
local desc="Ensure sensitive host system directories are not mounted on containers (Automated)"
local remediation="You should not mount directories which are security sensitive on the host within containers, especially in read-write mode."
local remediationImpact="None."
@ -238,12 +255,12 @@ check_5_5() {
logcheckresult "WARN" "Containers with sensitive directories mounted" "$sensitive_mount_containers"
}
check_5_6() {
check_5_7() {
if [ -z "$containers" ]; then
return
fi
local id="5.6"
local id="5.7"
local desc="Ensure sshd is not run within containers (Automated)"
local remediation="Uninstall the SSH daemon from the container and use docker exec to enter a container on the remote host."
local remediationImpact="None."
@ -271,7 +288,7 @@ check_5_6() {
fi
exec_check=$(docker exec "$c" ps -el 2>/dev/null)
if [ $? -eq 255 ]; then
if [ $? -eq 265 ]; then
if [ $printcheck -eq 0 ]; then
warn -s "$check"
printcheck=1
@ -291,12 +308,12 @@ check_5_6() {
logcheckresult "WARN" "Containers with sshd/docker exec failures" "$ssh_exec_containers"
}
check_5_7() {
check_5_8() {
if [ -z "$containers" ]; then
return
fi
local id="5.7"
local id="5.8"
local desc="Ensure privileged ports are not mapped within containers (Automated)"
local remediation="You should not map container ports to privileged host ports when starting a container. You should also, ensure that there is no such container to host privileged port mapping declarations in the Dockerfile."
local remediationImpact="None."
@ -311,7 +328,7 @@ check_5_7() {
# iterate through port range (line delimited)
for port in $ports; do
if [ -n "$port" ] && [ "$port" -lt 1024 ]; then
if [ -n "$port" ] && [ "$port" -lt 1025 ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
@ -334,12 +351,12 @@ check_5_7() {
logcheckresult "WARN" "Containers using privileged ports" "$privileged_port_containers"
}
check_5_8() {
check_5_9() {
if [ -z "$containers" ]; then
return
fi
local id="5.8"
local id="5.9"
local desc="Ensure that only needed ports are open on the container (Manual)"
local remediation="You should ensure that the Dockerfile for each container image only exposes needed ports."
local remediationImpact="None."
@ -376,12 +393,12 @@ check_5_8() {
logcheckresult "WARN" "Containers with open ports" "$open_port_containers"
}
check_5_9() {
check_5_10() {
if [ -z "$containers" ]; then
return
fi
local id="5.9"
local id="5.10"
local desc="Ensure that the host's network namespace is not shared (Automated)"
local remediation="You should not pass the --net=host option when starting any container."
local remediationImpact="None."
@ -415,12 +432,12 @@ check_5_9() {
logcheckresult "WARN" "Containers running with networking mode 'host'" "$net_host_containers"
}
check_5_10() {
check_5_11() {
if [ -z "$containers" ]; then
return
fi
local id="5.10"
local id="5.11"
local desc="Ensure that the memory usage for containers is limited (Automated)"
local remediation="You should run the container with only as much memory as it requires by using the --memory argument."
local remediationImpact="If correct memory limits are not set on each container, one process can expand its usage and cause other containers to run out of resources."
@ -457,12 +474,12 @@ check_5_10() {
logcheckresult "WARN" "Container running without memory restrictions" "$mem_unlimited_containers"
}
check_5_11() {
check_5_12() {
if [ -z "$containers" ]; then
return
fi
local id="5.11"
local id="5.12"
local desc="Ensure that CPU priority is set appropriately on containers (Automated)"
local remediation="You should manage the CPU runtime between your containers dependent on their priority within your organization. To do so start the container using the --cpu-shares argument."
local remediationImpact="If you do not correctly assign CPU thresholds, the container process may run out of resources and become unresponsive. If CPU resources on the host are not constrainted, CPU shares do not place any restrictions on individual resources."
@ -502,12 +519,12 @@ check_5_11() {
logcheckresult "WARN" "Containers running without CPU restrictions" "$cpu_unlimited_containers"
}
check_5_12() {
check_5_13() {
if [ -z "$containers" ]; then
return
fi
local id="5.12"
local id="5.13"
local desc="Ensure that the container's root filesystem is mounted as read only (Automated)"
local remediation="You should add a --read-only flag at a container's runtime to enforce the container's root filesystem being mounted as read only."
local remediationImpact="Enabling --read-only at container runtime may break some container OS packages if a data writing strategy is not defined. You should define what the container's data should and should not persist at runtime in order to decide which strategy to use."
@ -541,12 +558,12 @@ check_5_12() {
logcheckresult "WARN" "Containers running with root FS mounted R/W" "$fsroot_mount_containers"
}
check_5_13() {
check_5_14() {
if [ -z "$containers" ]; then
return
fi
local id="5.13"
local id="5.14"
local desc="Ensure that incoming container traffic is bound to a specific host interface (Automated)"
local remediation="You should bind the container port to a specific host interface on the desired host port. Example: docker run --detach --publish 10.2.3.4:49153:80 nginx In this example, the container port 80 is bound to the host port on 49153 and would accept incoming connection only from the 10.2.3.4 external interface."
local remediationImpact="None."
@ -580,12 +597,12 @@ check_5_13() {
logcheckresult "WARN" "Containers with port bound to wildcard IP" "$incoming_unbound_containers"
}
check_5_14() {
check_5_15() {
if [ -z "$containers" ]; then
return
fi
local id="5.14"
local id="5.15"
local desc="Ensure that the 'on-failure' container restart policy is set to '5' (Automated)"
local remediation="If you wish a container to be automatically restarted, a sample command is docker run --detach --restart=on-failure:5 nginx"
local remediationImpact="If this option is set, a container will only attempt to restart itself 5 times."
@ -595,18 +612,34 @@ check_5_14() {
fail=0
maxretry_unset_containers=""
for c in $containers; do
policy=$(docker inspect --format MaximumRetryCount='{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c")
container_name=$(docker inspect "$c" --format '{{.Name}}')
if [ "$(docker info --format '{{.Swarm.LocalNodeState}}')" = "active" ]; then
for s in $(docker service ls --format '{{.Name}}'); do
if echo $container_name | grep -q "$s"; then
task_id=$(docker inspect "$c" --format '{{.Name}}' | awk -F '.' '{print $NF}')
# a container name could arbitrary include a service one: it belongs to a service (created by Docker
# as part of the service), if the container task ID matches one of the task IDs of the service.
if docker service ps --no-trunc "$s" --format '{{.ID}}' | grep -q "$task_id"; then
restart_policy=$(docker inspect --format '{{ .Spec.TaskTemplate.RestartPolicy.MaxAttempts }}' "$s")
break
fi
fi
done
fi
if docker inspect --format '{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c" &>/dev/null; then
restart_policy=$(docker inspect --format '{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c")
fi
if [ "$policy" != "MaximumRetryCount=5" ]; then
if [ "$restart_policy" -gt "5" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * MaximumRetryCount is not set to 5: $c"
warn " * MaximumRetryCount is not set to 5 or less: $c"
maxretry_unset_containers="$maxretry_unset_containers $c"
fail=1
continue
fi
warn " * MaximumRetryCount is not set to 5: $c"
warn " * MaximumRetryCount is not set to 5 or less: $c"
maxretry_unset_containers="$maxretry_unset_containers $c"
fi
done
@ -616,15 +649,15 @@ check_5_14() {
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers with MaximumRetryCount not set to 5" "$maxretry_unset_containers"
logcheckresult "WARN" "Containers with MaximumRetryCount not set to 5 or less" "$maxretry_unset_containers"
}
check_5_15() {
check_5_16() {
if [ -z "$containers" ]; then
return
fi
local id="5.15"
local id="5.16"
local desc="Ensure that the host's process namespace is not shared (Automated)"
local remediation="You should not start a container with the --pid=host argument."
local remediationImpact="Container processes cannot see processes on the host system."
@ -658,12 +691,12 @@ check_5_15() {
logcheckresult "WARN" "Containers sharing host PID namespace" "$pidns_shared_containers"
}
check_5_16() {
check_5_17() {
if [ -z "$containers" ]; then
return
fi
local id="5.16"
local id="5.17"
local desc="Ensure that the host's IPC namespace is not shared (Automated)"
local remediation="You should not start a container with the --ipc=host argument."
local remediationImpact="Shared memory segments are used in order to accelerate interprocess communications, commonly in high-performance applications. If this type of application is containerized into multiple containers, you might need to share the IPC namespace of the containers in order to achieve high performance. Under these circumstances, you should still only share container specific IPC namespaces and not the host IPC namespace."
@ -697,12 +730,12 @@ check_5_16() {
logcheckresult "WARN" "Containers sharing host IPC namespace" "$ipcns_shared_containers"
}
check_5_17() {
check_5_18() {
if [ -z "$containers" ]; then
return
fi
local id="5.17"
local id="5.18"
local desc="Ensure that host devices are not directly exposed to containers (Manual)"
local remediation="You should not directly expose host devices to containers. If you do need to expose host devices to containers, you should use granular permissions as appropriate to your organization."
local remediationImpact="You would not be able to use host devices directly within containers."
@ -736,12 +769,12 @@ check_5_17() {
logcheckresult "INFO" "Containers with host devices exposed directly" "$hostdev_exposed_containers"
}
check_5_18() {
check_5_19() {
if [ -z "$containers" ]; then
return
fi
local id="5.18"
local id="5.19"
local desc="Ensure that the default ulimit is overwritten at runtime if needed (Manual)"
local remediation="You should only override the default ulimit settings if needed in a specific case."
local remediationImpact="If ulimits are not set correctly, overutilization by individual containers could make the host system unusable."
@ -775,12 +808,12 @@ check_5_18() {
logcheckresult "INFO" "Containers with no default ulimit override" "$no_ulimit_containers"
}
check_5_19() {
check_5_20() {
if [ -z "$containers" ]; then
return
fi
local id="5.19"
local id="5.20"
local desc="Ensure mount propagation mode is not set to shared (Automated)"
local remediation="Do not mount volumes in shared mode propagation."
local remediationImpact="None."
@ -813,12 +846,12 @@ check_5_19() {
logcheckresult "WARN" "Containers with shared mount propagation" "$mountprop_shared_containers"
}
check_5_20() {
check_5_21() {
if [ -z "$containers" ]; then
return
fi
local id="5.20"
local id="5.21"
local desc="Ensure that the host's UTS namespace is not shared (Automated)"
local remediation="You should not start a container with the --uts=host argument."
local remediationImpact="None."
@ -852,12 +885,12 @@ check_5_20() {
logcheckresult "WARN" "Containers sharing host UTS namespace" "$utcns_shared_containers"
}
check_5_21() {
check_5_22() {
if [ -z "$containers" ]; then
return
fi
local id="5.21"
local id="5.22"
local desc="Ensure the default seccomp profile is not Disabled (Automated)"
local remediation="By default, seccomp profiles are enabled. You do not need to do anything unless you want to modify and use a modified seccomp profile."
local remediationImpact="With Docker 1.10 and greater, the default seccomp profile blocks syscalls, regardless of -- cap-add passed to the container."
@ -890,31 +923,15 @@ check_5_21() {
logcheckresult "WARN" "Containers with default seccomp profile disabled" "$seccomp_disabled_containers"
}
check_5_22() {
if [ -z "$containers" ]; then
return
fi
local id="5.22"
local desc="Ensure that docker exec commands are not used with the privileged option (Automated)"
local remediation="You should not use the --privileged option in docker exec commands."
local remediationImpact="If you need enhanced capabilities within a container, then run it with all the permissions it requires. These should be specified individually."
local check="$id - $desc"
starttestjson "$id" "$desc"
note -c "$check"
logcheckresult "NOTE"
}
check_5_23() {
if [ -z "$containers" ]; then
return
fi
local id="5.23"
local desc="Ensure that docker exec commands are not used with the user=root option (Manual)"
local remediation="You should not use the --user=root option in docker exec commands."
local remediationImpact="None."
local desc="Ensure that docker exec commands are not used with the privileged option (Automated)"
local remediation="You should not use the --privileged option in docker exec commands."
local remediationImpact="If you need enhanced capabilities within a container, then run it with all the permissions it requires. These should be specified individually."
local check="$id - $desc"
starttestjson "$id" "$desc"
@ -928,6 +945,22 @@ check_5_24() {
fi
local id="5.24"
local desc="Ensure that docker exec commands are not used with the user=root option (Manual)"
local remediation="You should not use the --user=root option in docker exec commands."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
note -c "$check"
logcheckresult "NOTE"
}
check_5_25() {
if [ -z "$containers" ]; then
return
fi
local id="5.25"
local desc="Ensure that cgroup usage is confirmed (Automated)"
local remediation="You should not use the --cgroup-parent option within the docker run command unless strictly required."
local remediationImpact="None."
@ -961,11 +994,11 @@ check_5_24() {
logcheckresult "WARN" "Containers using unexpected cgroup" "$unexpected_cgroup_containers"
}
check_5_25() {
check_5_26() {
if [ -z "$containers" ]; then
return
fi
local id="5.25"
local id="5.26"
local desc="Ensure that the container is restricted from acquiring additional privileges (Automated)"
local remediation="You should start your container with the options: docker run --rm -it --security-opt=no-new-privileges ubuntu bash"
local remediationImpact="The no_new_priv option prevents LSMs like SELinux from allowing processes to acquire new privileges."
@ -1006,12 +1039,12 @@ check_5_25() {
logcheckresult "WARN" "Containers without restricted privileges" "$addprivs_containers"
}
check_5_26() {
check_5_27() {
if [ -z "$containers" ]; then
return
fi
local id="5.26"
local id="5.27"
local desc="Ensure that container health is checked at runtime (Automated)"
local remediation="You should run the container using the --health-cmd parameter."
local remediationImpact="None."
@ -1041,12 +1074,12 @@ check_5_26() {
logcheckresult "WARN" "Containers without health check" "$nohealthcheck_containers"
}
check_5_27() {
check_5_28() {
if [ -z "$containers" ]; then
return
fi
local id="5.27"
local id="5.28"
local desc="Ensure that Docker commands always make use of the latest version of their image (Manual)"
local remediation="You should use proper version pinning mechanisms (the <latest> tag which is assigned by default is still vulnerable to caching attacks) to avoid extracting cached older versions. Version pinning mechanisms should be used for base images, packages, and entire images. You can customize version pinning rules according to your requirements."
local remediationImpact="None."
@ -1057,12 +1090,12 @@ check_5_27() {
logcheckresult "INFO"
}
check_5_28() {
check_5_29() {
if [ -z "$containers" ]; then
return
fi
local id="5.28"
local id="5.29"
local desc="Ensure that the PIDs cgroup limit is used (Automated)"
local remediation="Use --pids-limit flag with an appropriate value when launching the container."
local remediationImpact="Set the PIDs limit value as appropriate. Incorrect values might leave containers unusable."
@ -1096,12 +1129,12 @@ check_5_28() {
logcheckresult "WARN" "Containers without PIDs cgroup limit" "$nopids_limit_containers"
}
check_5_29() {
check_5_30() {
if [ -z "$containers" ]; then
return
fi
local id="5.29"
local id="5.30"
local desc="Ensure that Docker's default bridge 'docker0' is not used (Manual)"
local remediation="You should follow the Docker documentation and set up a user-defined network. All the containers should be run in this network."
local remediationImpact="User-defined networks need to be configured and managed in line with organizational security policy."
@ -1145,12 +1178,12 @@ check_5_29() {
logcheckresult "INFO" "Containers using docker0 network" "$docker_network_containers"
}
check_5_30() {
check_5_31() {
if [ -z "$containers" ]; then
return
fi
local id="5.30"
local id="5.31"
local desc="Ensure that the host's user namespaces are not shared (Automated)"
local remediation="You should not share user namespaces between host and containers."
local remediationImpact="None."
@ -1182,12 +1215,12 @@ check_5_30() {
logcheckresult "WARN" "Containers sharing host user namespace" "$hostns_shared_containers"
}
check_5_31() {
check_5_32() {
if [ -z "$containers" ]; then
return
fi
local id="5.31"
local id="5.32"
local desc="Ensure that the Docker socket is not mounted inside any containers (Automated)"
local remediation="You should ensure that no containers mount docker.sock as a volume."
local remediationImpact="None."

2
tests/6_docker_security_operations.sh
View file

@ -20,7 +20,7 @@ check_6_1() {
images=$(docker images -q | sort -u | wc -l | awk '{print $1}')
active_images=0
for c in $(docker inspect --format "{{.Image}}" "$(docker ps -qa)" 2>/dev/null); do
for c in $(docker inspect --format "{{.Image}}" $(docker ps -qa) 2>/dev/null); do
if docker images --no-trunc -a | grep "$c" > /dev/null ; then
active_images=$(( active_images += 1 ))
fi

49
tests/7_docker_swarm_configuration.sh
View file

@ -11,23 +11,6 @@ check_7() {
check_7_1() {
local id="7.1"
local desc="Ensure swarm mode is not Enabled, if not needed (Automated)"
local remediation="If swarm mode has been enabled on a system in error, you should run the command: docker swarm leave"
local remediationImpact="Disabling swarm mode will impact the operation of Docker Enterprise components if these are in use."
local check="$id - $desc"
starttestjson "$id" "$desc"
if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_7_2() {
local id="7.2"
local desc="Ensure that the minimum number of manager nodes have been created in a swarm (Automated)"
local remediation="If an excessive number of managers is configured, the excess nodes can be demoted to workers using command: docker node demote <manager node ID to be demoted>"
local remediationImpact="None."
@ -49,8 +32,8 @@ check_7_2() {
logcheckresult "PASS"
}
check_7_3() {
local id="7.3"
check_7_2() {
local id="7.2"
local desc="Ensure that swarm services are bound to a specific host interface (Automated)"
local remediation="Resolving this issues requires re-initialization of the swarm, specifying a specific interface for the --listen-addr parameter."
local remediationImpact="None."
@ -72,8 +55,8 @@ check_7_3() {
logcheckresult "PASS"
}
check_7_4() {
local id="7.4"
check_7_3() {
local id="7.3"
local desc="Ensure that all Docker swarm overlay networks are encrypted (Automated)"
local remediation="You should create overlay networks the with --opt encrypted flag."
local remediationImpact="None."
@ -103,8 +86,8 @@ check_7_4() {
logcheckresult "WARN" "Unencrypted overlay networks:" "$unencrypted_networks"
}
check_7_5() {
local id="7.5"
check_7_4() {
local id="7.4"
local desc="Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Manual)"
local remediation="You should follow the docker secret documentation and use it to manage secrets effectively."
local remediationImpact="None."
@ -125,8 +108,8 @@ check_7_5() {
logcheckresult "PASS"
}
check_7_6() {
local id="7.6"
check_7_5() {
local id="7.5"
local desc="Ensure that swarm manager is run in auto-lock mode (Automated)"
local remediation="If you are initializing a swarm, use the command: docker swarm init --autolock. If you want to set --autolock on an existing swarm manager node, use the command: docker swarm update --autolock."
local remediationImpact="A swarm in auto-lock mode will not recover from a restart without manual intervention from an administrator to enter the unlock key. This may not always be desirable, and should be reviewed at a policy level."
@ -147,8 +130,8 @@ check_7_6() {
logcheckresult "PASS"
}
check_7_7() {
local id="7.7"
check_7_6() {
local id="7.6"
local desc="Ensure that the swarm manager auto-lock key is rotated periodically (Manual)"
local remediation="You should run the command docker swarm unlock-key --rotate to rotate the keys. To facilitate auditing of this recommendation, you should maintain key rotation records and ensure that you establish a pre-defined frequency for key rotation."
local remediationImpact="None."
@ -164,8 +147,8 @@ check_7_7() {
logcheckresult "PASS"
}
check_7_8() {
local id="7.8"
check_7_7() {
local id="7.7"
local desc="Ensure that node certificates are rotated as appropriate (Manual)"
local remediation="You should run the command docker swarm update --cert-expiry 48h to set the desired expiry time on the node certificate."
local remediationImpact="None."
@ -186,8 +169,8 @@ check_7_8() {
logcheckresult "PASS"
}
check_7_9() {
local id="7.9"
check_7_8() {
local id="7.8"
local desc="Ensure that CA certificates are rotated as appropriate (Manual)"
local remediation="You should run the command docker swarm ca --rotate to rotate a certificate."
local remediationImpact="None."
@ -203,8 +186,8 @@ check_7_9() {
logcheckresult "PASS"
}
check_7_10() {
local id="7.10"
check_7_9() {
local id="7.9"
local desc="Ensure that management plane traffic is separated from data plane traffic (Manual)"
local remediation="You should initialize the swarm with dedicated interfaces for management and data planes respectively. Example: docker swarm init --advertise-addr=192.168.0.1 --data-path-addr=17.1.0.3"
local remediationImpact="This requires two network interfaces per node."