#!/bin/bash
check_1() {
logit ""
local id="1"
local desc="Host Configuration"
checkHeader="$id - $desc"
info "$checkHeader"
startsectionjson "$id" "$desc"
}
check_1_1() {
local id="1.1"
local desc="Linux Hosts Specific Configuration"
local check="$id - $desc"
info "$check"
}
check_1_1_1() {
local id="1.1.1"
local desc="Ensure a separate partition for containers has been created (Automated)"
local remediation="For new installations, you should create a separate partition for the /var/lib/docker mount point. For systems that have already been installed, you should use the Logical Volume Manager (LVM) within Linux to create a new partition."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
docker_root_dir=$(docker info -f '{{ .DockerRootDir }}')
if docker info | grep -q userns ; then
docker_root_dir=$(readlink -f "$docker_root_dir/..")
fi
if mountpoint -q -- "$docker_root_dir" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_1_1_2() {
local id="1.1.2"
local desc="Ensure only trusted users are allowed to control Docker daemon (Automated)"
local remediation="You should remove any untrusted users from the docker group using command sudo gpasswd -d <your-user> docker or add trusted users to the docker group using command sudo usermod -aG docker <your-user>. You should not create a mapping of sensitive directories from the host to container volumes."
local remediationImpact="Only trust user are allow to build and execute containers as normal user."
local check="$id - $desc"
starttestjson "$id" "$desc"
docker_users=$(grep 'docker' /etc/group)
if command -v getent >/dev/null 2>&1; then
docker_users=$(getent group docker)
fi
docker_users=$(printf "%s" "$docker_users" | awk -F: '{print $4}')
local doubtfulusers=""
if [ -n "$dockertrustusers" ]; then
for u in $(printf "%s" "$docker_users" | sed "s/,/ /g"); do
if ! printf "%s" "$dockertrustusers" | grep -q "$u" ; then
doubtfulusers="$u"
if [ -n "${doubtfulusers}" ]; then
doubtfulusers="${doubtfulusers},$u"
fi
fi
done
else
info -c "$check"
info " * Users: $docker_users"
logcheckresult "INFO" "doubtfulusers" "$docker_users"
fi
if [ -n "${doubtfulusers}" ]; then
warn -s "$check"
warn " * Doubtful users: $doubtfulusers"
logcheckresult "WARN" "doubtfulusers" "$doubtfulusers"
fi
if [ -z "${doubtfulusers}" ] && [ -n "${dockertrustusers}" ]; then
pass -s "$check"
logcheckresult "PASS"
fi
}
check_1_1_3() {
local id="1.1.3"
local desc="Ensure auditing is configured for the Docker daemon (Automated)"
local remediation="Install auditd. Add -w /usr/bin/dockerd -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/usr/bin/dockerd"
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_1_1_4() {
local id="1.1.4"
local desc="Ensure auditing is configured for Docker files and directories -/run/containerd (Automated)"
local remediation="Install auditd. Add -a exit,always -F path=/run/containerd -F perm=war -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/run/containerd"
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_1_1_5() {
local id="1.1.5"
local desc="Ensure auditing is configured for Docker files and directories - /var/lib/docker (Automated)"
local remediation="Install auditd. Add -w /var/lib/docker -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
directory="/var/lib/docker"
if [ -d "$directory" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $directory >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * Directory not found"
logcheckresult "INFO" "Directory not found"
}
check_1_1_6() {
local id="1.1.6"
local desc="Ensure auditing is configured for Docker files and directories - /etc/docker (Automated)"
local remediation="Install auditd. Add -w /etc/docker -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
directory="/etc/docker"
if [ -d "$directory" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $directory >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * Directory not found"
logcheckresult "INFO" "Directory not found"
}
check_1_1_7() {
local id="1.1.7"
local desc="Ensure auditing is configured for Docker files and directories - docker.service (Automated)"
local remediation
remediation="Install auditd. Add -w $(get_service_file docker.service) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="$(get_service_file docker.service)"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_1_8() {
local id="1.1.8"
local desc="Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)"
local remediation
remediation="Install auditd. Add -w $(get_service_file containerd.socket) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="$(get_service_file containerd.socket)"
if [ -e "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_1_9() {
local id="1.1.9"
local desc="Ensure auditing is configured for Docker files and directories - docker.socket (Automated)"
local remediation
remediation="Install auditd. Add -w $(get_service_file docker.socket) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="$(get_service_file docker.socket)"
if [ -e "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_1_10() {
local id="1.1.10"
local desc="Ensure auditing is configured for Docker files and directories - /etc/default/docker (Automated)"
local remediation="Install auditd. Add -w /etc/default/docker -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/etc/default/docker"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_1_11() {
local id="1.1.11"
local desc="Ensure auditing is configured for Dockerfiles and directories - /etc/docker/daemon.json (Automated)"
local remediation="Install auditd. Add -w /etc/docker/daemon.json -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/etc/docker/daemon.json"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_1_12() {
local id="1.1.12"
local desc="1.1.12 Ensure auditing is configured for Dockerfiles and directories - /etc/containerd/config.toml (Automated)"
local remediation="Install auditd. Add -w /etc/containerd/config.toml -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/etc/containerd/config.toml"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_1_13() {
local id="1.1.13"
local desc="Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Automated)"
local remediation="Install auditd. Add -w /etc/sysconfig/docker -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/etc/sysconfig/docker"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_1_14() {
local id="1.1.14"
local desc="Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Automated)"
local remediation="Install auditd. Add -w /usr/bin/containerd -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/usr/bin/containerd"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_1_15() {
local id="1.1.15"
local desc="Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim (Automated)"
local remediation="Install auditd. Add -w /usr/bin/containerd-shim -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/usr/bin/containerd-shim"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_1_16() {
local id="1.1.16"
local desc="Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v1 (Automated)"
local remediation="Install auditd. Add -w /usr/bin/containerd-shim-runc-v1 -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/usr/bin/containerd-shim-runc-v1"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_1_17() {
local id="1.1.17"
local desc="Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v2 (Automated)"
local remediation="Install auditd. Add -w /usr/bin/containerd-shim-runc-v2 -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/usr/bin/containerd-shim-runc-v2"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_1_18() {
local id="1.1.18"
local desc="Ensure auditing is configured for Docker files and directories - /usr/bin/runc (Automated)"
local remediation="Install auditd. Add -w /usr/bin/runc -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/usr/bin/runc"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_2() {
local id="1.2"
local desc="General Configuration"
local check="$id - $desc"
info "$check"
}
check_1_2_1() {
local id="1.2.1"
local desc="Ensure the container host has been Hardened (Manual)"
local remediation="You may consider various Security Benchmarks for your container host."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
note -c "$check"
logcheckresult "INFO"
}
check_1_2_2() {
local id="1.2.2"
local desc="Ensure that the version of Docker is up to date (Manual)"
local remediation="You should monitor versions of Docker releases and make sure your software is updated as required."
local remediationImpact="You should perform a risk assessment regarding Docker version updates and review how they may impact your operations."
local check="$id - $desc"
starttestjson "$id" "$desc"
docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \
| awk '{print $NF; exit}' | tr -d '[:alpha:]-,')
docker_current_version="$(date +%y.%m.0 -d @$(( $(date +%s) - 2592000)))"
do_version_check "$docker_current_version" "$docker_version"
if [ $? -eq 11 ]; then
pass -c "$check"
info " * Using $docker_version, verify is it up to date as deemed necessary"
logcheckresult "INFO" "Using $docker_version"
return
fi
pass -c "$check"
info " * Using $docker_version which is current"
info " * Check with your operating system vendor for support and security maintenance for Docker"
logcheckresult "PASS" "Using $docker_version"
}
check_1_end() {
endsectionjson
}