Merge pull request #559 from cyphar/dist-libexec

dist: adjust script imports to be able to use /usr/libexec

.github/workflows/slsa.yml

@@ -16,11 +16,16 @@ jobs:
       hashes: ${{ steps.hash.outputs.hashes }}
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - run: echo "REPOSITORY_NAME=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" >> $GITHUB_ENV
         shell: bash
 
       - name: Checkout repository
-        uses: actions/checkout@27135e314dd1818f797af1db9dae03a9f045786b # master
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Build artifacts
         run: |
@@ -33,7 +38,7 @@ jobs:
           echo "hashes=$(sha256sum ${{ env.REPOSITORY_NAME }}.sha256 | base64 -w0)" >> "$GITHUB_OUTPUT"
 
       - name: Upload ${{ env.REPOSITORY_NAME }}.sha256
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: ${{ env.REPOSITORY_NAME }}.sha256
           path: ${{ env.REPOSITORY_NAME }}.sha256
@@ -46,17 +51,17 @@ jobs:
       actions: read
       id-token: write
       contents: write
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
     with:
       base64-subjects: "${{ needs.build.outputs.hashes }}"
       upload-assets: ${{ startsWith(github.ref, 'refs/tags/') }}
 
   release:
-    needs: [build, provenance]
     permissions:
       actions: read
       id-token: write
       contents: write
+    needs: [build, provenance]
     runs-on: ubuntu-latest
     if: startsWith(github.ref, 'refs/tags/')
     steps:
@@ -64,12 +69,12 @@ jobs:
         shell: bash
 
       - name: Download ${{ env.REPOSITORY_NAME }}.sha256
-        uses: actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281 # v2.1.1
+        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
         with:
           name: ${{ env.REPOSITORY_NAME }}.sha256
 
       - name: Upload asset
-        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
+        uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # v2.0.4
         with:
           files: |
             ${{ env.REPOSITORY_NAME }}.sha256

docker-bench-security.sh

@@ -9,9 +9,11 @@
 
 version='1.6.0'
 
+LIBEXEC="." # Distributions can change this to /usr/libexec or similar.
+
 # Load dependencies
-. ./functions/functions_lib.sh
-. ./functions/helper_lib.sh
+. $LIBEXEC/functions/functions_lib.sh
+. $LIBEXEC/functions/helper_lib.sh
 
 # Setup the paths
 this_path=$(abspath "$0")       ## Path of this file including filename
@@ -99,7 +101,7 @@ do
 done
 
 # Load output formating
-. ./functions/output_lib.sh
+. $LIBEXEC/functions/output_lib.sh
 
 yell_info
 
@@ -161,8 +163,8 @@ main () {
     images=$(docker images -q $LABELS| grep -v "$benchcont")
   fi
 
-  for test in tests/*.sh; do
-    . ./"$test"
+  for test in $LIBEXEC/tests/*.sh; do
+    . "$test"
   done
 
   if [ -z "$check" ] && [ ! "$checkexclude" ]; then

functions/helper_lib.sh

@@ -123,7 +123,7 @@ get_docker_configuration_file_args() {
   get_docker_configuration_file
 
   if "$HAVE_JQ"; then
-    jq --monochrome-output --raw-output ".[\"${OPTION}\"]" "$CONFIG_FILE"
+    jq --monochrome-output --raw-output "if has(\"${OPTION}\") then .[\"${OPTION}\"] else \"\" end" "$CONFIG_FILE"
   else
     cat "$CONFIG_FILE" | tr , '\n' | grep "$OPTION" | sed 's/.*://g' | tr -d '" ',
   fi
@@ -140,7 +140,11 @@ get_service_file() {
     echo "/lib/systemd/system/$SERVICE"
     return
   fi
-  if systemctl show -p FragmentPath "$SERVICE" 2> /dev/null 1>&2; then
+  if find /run -name "$SERVICE" 2> /dev/null 1>&2; then
+    find /run -name "$SERVICE" | head -n1
+    return
+  fi
+  if [ "$(systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//')" != "" ]; then
     systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//'
     return
   fi

tests/1_host_configuration.sh

@@ -243,12 +243,12 @@ check_1_1_8() {
   local id="1.1.8"
   local desc="Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)"
   local remediation
-  remediation="Install auditd. Add -w $(get_service_file containerd.socket) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
+  remediation="Install auditd. Add -w $(get_service_file containerd.sock) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
   local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
   local check="$id - $desc"
   starttestjson "$id" "$desc"
 
-  file="$(get_service_file containerd.socket)"
+  file="$(get_service_file containerd.sock)"
   if [ -e "$file" ]; then
     if command -v auditctl >/dev/null 2>&1; then
       if auditctl -l | grep "$file" >/dev/null 2>&1; then

tests/5_container_runtime.sh

@@ -617,27 +617,29 @@ check_5_15() {
       for s in $(docker service ls --format '{{.Name}}'); do
         if echo $container_name | grep -q "$s"; then
           task_id=$(docker inspect "$c" --format '{{.Name}}' | awk -F '.' '{print $NF}')
-          # a container name could arbitrary include a service one: it belongs to a service (created by Docker 
+          # a container name could arbitrary include a service one: it belongs to a service (created by Docker
           # as part of the service), if the container task ID matches one of the task IDs of the service.
           if docker service ps --no-trunc "$s" --format '{{.ID}}' | grep -q "$task_id"; then
-            spolicy=$(docker inspect --format MaxAttempts='{{ .Spec.TaskTemplate.RestartPolicy.MaxAttempts }}' "$s")
+            restart_policy=$(docker inspect --format '{{ .Spec.TaskTemplate.RestartPolicy.MaxAttempts }}' "$s")
             break
           fi
         fi
       done
     fi
-    cpolicy=$(docker inspect --format MaximumRetryCount='{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c")
+    if docker inspect --format '{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c" &>/dev/null; then
+      restart_policy=$(docker inspect --format '{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c")
+    fi
 
-    if [ "$cpolicy" != "MaximumRetryCount=5" ] && [ "$spolicy" != "MaxAttempts=5" ]; then
+    if [ "$restart_policy" -gt "5" ]; then
       # If it's the first container, fail the test
       if [ $fail -eq 0 ]; then
         warn -s "$check"
-        warn "      * MaximumRetryCount is not set to 5: $c"
+        warn "      * MaximumRetryCount is not set to 5 or less: $c"
         maxretry_unset_containers="$maxretry_unset_containers $c"
         fail=1
         continue
       fi
-      warn "      * MaximumRetryCount is not set to 5: $c"
+      warn "      * MaximumRetryCount is not set to 5 or less: $c"
       maxretry_unset_containers="$maxretry_unset_containers $c"
     fi
   done
@@ -647,7 +649,7 @@ check_5_15() {
     logcheckresult "PASS"
     return
   fi
-  logcheckresult "WARN" "Containers with MaximumRetryCount not set to 5" "$maxretry_unset_containers"
+  logcheckresult "WARN" "Containers with MaximumRetryCount not set to 5 or less" "$maxretry_unset_containers"
 }
 
 check_5_16() {