GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2025-06-18 20:59:08 +00:00
Code Issues Projects Releases Packages Wiki Activity

Compare commits

...

14 commits
v1.6.1 ... master

Author SHA1 Message Date
Thomas Sjögren
ff26d67f25
Merge pull request from cyphar/dist-libexec 
dist: adjust script imports to be able to use /usr/libexec
 2024-10-21 09:26:06 +02:00
Aleksa Sarai
a18798fcfa
dist: adjust script imports to be able to use /usr/libexec 
In order to make installation easier for distributions, make all script
imports based on a single variable that distributions can adjust based
on how the script is packaged for each distribution.

Ideally we would actually install the script in /usr/libexec rather than
/ in our Dockerfile, but this is a simpler fix that still lets you run
the script from the repo directory.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
 2024-10-18 17:43:13 +11:00
Thomas Sjögren
5c42b8ad5f
Merge pull request from spedersen-emailage/log-level-fix 
modified get_docker_configuration_file_args jq command to remove null response
 2024-05-16 16:35:13 +02:00
Sean Pedersen
c4b7d36042 modified get_docker_configuration_file_args jq command to remove \'null\' return 2024-05-15 10:21:02 -07:00
Thomas Sjögren
23110269a6
Merge pull request from konstruktoid/issue548 
include /run in get_service_file
 2024-04-16 18:12:13 +02:00
Thomas Sjögren
c495b3a774
Merge pull request from konstruktoid/gha 
update github action
 2024-04-16 10:24:28 +02:00
Thomas Sjögren
12f085d42f
update SLSA action 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2024-04-16 08:23:14 +00:00
Thomas Sjögren
966929427e correct tests and instructions 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2024-04-16 07:32:23 +00:00
Thomas Sjögren
5d5ca0a3da
correct tests and instructions 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2024-04-16 07:29:45 +00:00
Thomas Sjögren
287fd8774b
systemctl always returns an FragmentPath 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2024-04-12 08:17:17 +00:00
Thomas Sjögren
e081393ad7
include /run in get_service_file 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2024-04-11 21:45:15 +00:00
Thomas Sjögren
820abe98c3
Merge pull request from konstruktoid/issue538 
check if restart policy is 5 or less
 2024-02-11 11:25:09 +01:00
Thomas Sjögren
e680ab2465
update restart_policy w/o swarm 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2023-09-25 15:29:45 +00:00
Thomas Sjögren
ab2190819d
check if restart policy is 5 or less 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2023-09-25 09:05:44 +00:00
5 changed files with 35 additions and 22 deletions

17
.github/workflows/slsa.yml vendored
View file

@ -16,11 +16,16 @@ jobs:
hashes: ${{ steps.hash.outputs.hashes }} hashes: ${{ steps.hash.outputs.hashes }}
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- run: echo "REPOSITORY_NAME=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" >> $GITHUB_ENV - run: echo "REPOSITORY_NAME=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" >> $GITHUB_ENV
shell: bash shell: bash
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@27135e314dd1818f797af1db9dae03a9f045786b # master uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Build artifacts - name: Build artifacts
run: | run: |
@ -33,7 +38,7 @@ jobs:
echo "hashes=$(sha256sum ${{ env.REPOSITORY_NAME }}.sha256 | base64 -w0)" >> "$GITHUB_OUTPUT" echo "hashes=$(sha256sum ${{ env.REPOSITORY_NAME }}.sha256 | base64 -w0)" >> "$GITHUB_OUTPUT"
- name: Upload ${{ env.REPOSITORY_NAME }}.sha256 - name: Upload ${{ env.REPOSITORY_NAME }}.sha256
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with: with:
name: ${{ env.REPOSITORY_NAME }}.sha256 name: ${{ env.REPOSITORY_NAME }}.sha256
path: ${{ env.REPOSITORY_NAME }}.sha256 path: ${{ env.REPOSITORY_NAME }}.sha256
@ -46,17 +51,17 @@ jobs:
actions: read actions: read
id-token: write id-token: write
contents: write contents: write
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
with: with:
base64-subjects: "${{ needs.build.outputs.hashes }}" base64-subjects: "${{ needs.build.outputs.hashes }}"
upload-assets: ${{ startsWith(github.ref, 'refs/tags/') }} upload-assets: ${{ startsWith(github.ref, 'refs/tags/') }}
release: release:
needs: [build, provenance]
permissions: permissions:
actions: read actions: read
id-token: write id-token: write
contents: write contents: write
needs: [build, provenance]
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/') if: startsWith(github.ref, 'refs/tags/')
steps: steps:
@ -64,12 +69,12 @@ jobs:
shell: bash shell: bash
- name: Download ${{ env.REPOSITORY_NAME }}.sha256 - name: Download ${{ env.REPOSITORY_NAME }}.sha256
uses: actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281 # v2.1.1 uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with: with:
name: ${{ env.REPOSITORY_NAME }}.sha256 name: ${{ env.REPOSITORY_NAME }}.sha256
- name: Upload asset - name: Upload asset
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15 uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # v2.0.4
with: with:
files: | files: |
${{ env.REPOSITORY_NAME }}.sha256 ${{ env.REPOSITORY_NAME }}.sha256

12
docker-bench-security.sh
View file

@ -9,9 +9,11 @@
version='1.6.0' version='1.6.0'
LIBEXEC="." # Distributions can change this to /usr/libexec or similar.
# Load dependencies # Load dependencies
. ./functions/functions_lib.sh . $LIBEXEC/functions/functions_lib.sh
. ./functions/helper_lib.sh . $LIBEXEC/functions/helper_lib.sh
# Setup the paths # Setup the paths
this_path=$(abspath "$0") ## Path of this file including filename this_path=$(abspath "$0") ## Path of this file including filename
@ -99,7 +101,7 @@ do
done done
# Load output formating # Load output formating
. ./functions/output_lib.sh . $LIBEXEC/functions/output_lib.sh
yell_info yell_info
@ -161,8 +163,8 @@ main () {
images=$(docker images -q $LABELS| grep -v "$benchcont") images=$(docker images -q $LABELS| grep -v "$benchcont")
fi fi
for test in tests/*.sh; do for test in $LIBEXEC/tests/*.sh; do
. ./"$test" . "$test"
done done
if [ -z "$check" ] && [ ! "$checkexclude" ]; then if [ -z "$check" ] && [ ! "$checkexclude" ]; then

8
functions/helper_lib.sh
View file

@ -123,7 +123,7 @@ get_docker_configuration_file_args() {
get_docker_configuration_file get_docker_configuration_file
if "$HAVE_JQ"; then if "$HAVE_JQ"; then
jq --monochrome-output --raw-output ".[\"${OPTION}\"]" "$CONFIG_FILE" jq --monochrome-output --raw-output "if has(\"${OPTION}\") then .[\"${OPTION}\"] else \"\" end" "$CONFIG_FILE"
else else
cat "$CONFIG_FILE" | tr , '\n' | grep "$OPTION" | sed 's/.*://g' | tr -d '" ', cat "$CONFIG_FILE" | tr , '\n' | grep "$OPTION" | sed 's/.*://g' | tr -d '" ',
fi fi
@ -140,7 +140,11 @@ get_service_file() {
echo "/lib/systemd/system/$SERVICE" echo "/lib/systemd/system/$SERVICE"
return return
fi fi
if systemctl show -p FragmentPath "$SERVICE" 2> /dev/null 1>&2; then if find /run -name "$SERVICE" 2> /dev/null 1>&2; then
find /run -name "$SERVICE" | head -n1
return
fi
if [ "$(systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//')" != "" ]; then
systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//' systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//'
return return
fi fi

4
tests/1_host_configuration.sh
View file

@ -243,12 +243,12 @@ check_1_1_8() {
local id="1.1.8" local id="1.1.8"
local desc="Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)" local desc="Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)"
local remediation local remediation
remediation="Install auditd. Add -w $(get_service_file containerd.socket) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart." remediation="Install auditd. Add -w $(get_service_file containerd.sock) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions." local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc" local check="$id - $desc"
starttestjson "$id" "$desc" starttestjson "$id" "$desc"
file="$(get_service_file containerd.socket)" file="$(get_service_file containerd.sock)"
if [ -e "$file" ]; then if [ -e "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then if auditctl -l | grep "$file" >/dev/null 2>&1; then

16
tests/5_container_runtime.sh
View file

@ -617,27 +617,29 @@ check_5_15() {
for s in $(docker service ls --format '{{.Name}}'); do for s in $(docker service ls --format '{{.Name}}'); do
if echo $container_name | grep -q "$s"; then if echo $container_name | grep -q "$s"; then
task_id=$(docker inspect "$c" --format '{{.Name}}' | awk -F '.' '{print $NF}') task_id=$(docker inspect "$c" --format '{{.Name}}' | awk -F '.' '{print $NF}')
# a container name could arbitrary include a service one: it belongs to a service (created by Docker # a container name could arbitrary include a service one: it belongs to a service (created by Docker
# as part of the service), if the container task ID matches one of the task IDs of the service. # as part of the service), if the container task ID matches one of the task IDs of the service.
if docker service ps --no-trunc "$s" --format '{{.ID}}' | grep -q "$task_id"; then if docker service ps --no-trunc "$s" --format '{{.ID}}' | grep -q "$task_id"; then
spolicy=$(docker inspect --format MaxAttempts='{{ .Spec.TaskTemplate.RestartPolicy.MaxAttempts }}' "$s") restart_policy=$(docker inspect --format '{{ .Spec.TaskTemplate.RestartPolicy.MaxAttempts }}' "$s")
break break
fi fi
fi fi
done done
fi fi
cpolicy=$(docker inspect --format MaximumRetryCount='{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c") if docker inspect --format '{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c" &>/dev/null; then
restart_policy=$(docker inspect --format '{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c")
fi
if [ "$cpolicy" != "MaximumRetryCount=5" ] && [ "$spolicy" != "MaxAttempts=5" ]; then if [ "$restart_policy" -gt "5" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn -s "$check" warn -s "$check"
warn " * MaximumRetryCount is not set to 5: $c" warn " * MaximumRetryCount is not set to 5 or less: $c"
maxretry_unset_containers="$maxretry_unset_containers $c" maxretry_unset_containers="$maxretry_unset_containers $c"
fail=1 fail=1
continue continue
fi fi
warn " * MaximumRetryCount is not set to 5: $c" warn " * MaximumRetryCount is not set to 5 or less: $c"
maxretry_unset_containers="$maxretry_unset_containers $c" maxretry_unset_containers="$maxretry_unset_containers $c"
fi fi
done done
@ -647,7 +649,7 @@ check_5_15() {
logcheckresult "PASS" logcheckresult "PASS"
return return
fi fi
logcheckresult "WARN" "Containers with MaximumRetryCount not set to 5" "$maxretry_unset_containers" logcheckresult "WARN" "Containers with MaximumRetryCount not set to 5 or less" "$maxretry_unset_containers"
} }
check_5_16() { check_5_16() {