First version of the CIS Docker Benchmark v1.0.0

diogomonica committed May 11, 2015
1 parent 4873078 commit 18d5a13240a1fe65e80d83d4341f98a471e2264a
@@ -0,0 +1 @@
+*.log
@@ -0,0 +1,11 @@
+FROM gliderlabs/alpine:3.1
+
+RUN apk --update add docker
+
+RUN mkdir /docker_security_benchmark
+
+COPY . /docker_security_benchmark
+
+WORKDIR /docker_security_benchmark
+
+ENTRYPOINT ["/bin/sh", "docker_security_benchmark.sh"]
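Review bot: `RUN apk --update add docker` leaves the refreshed apk index in the image layer and installs whatever docker package version the alpine:3.1 repository currently serves, so the image is neither minimal nor reproducible; since the checker only needs the docker CLI to talk to the host socket the README mounts, `RUN apk --update add docker && rm -rf /var/cache/apk/*` with a pinned package version is the usual fix. The `ENTRYPOINT ["/bin/sh", "docker_security_benchmark.sh"]` relative path resolves only because of the preceding `WORKDIR`; spelling out `/docker_security_benchmark/docker_security_benchmark.sh` makes that dependency explicit.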
0 README
No changes.
@@ -0,0 +1,36 @@
+# Docker Security Benchmark Checker
+
+The Docker Security Benchmark Checker is a script that checks for all the automatable tests included in the [CIS Docker 1.6 Benchmark](https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf). We are releasing this as a follow-up to our [Understanding Docker Security and Best Practices](https://blog.docker.com/2015/05/understanding-docker-security-and-best-practices/) blog post.
+
+We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and docker containers against this benchmark.
+
+## Running the benchmark
+
+We packaged this benchmark as a small container for your convenience. Note that this container is being run with a *lot* of privilege -- sharing the host's filesystem, pid and network namespaces, due to portions of the benchmark applying to the running host.
+
+The easiest way to run your hosts against the CIS Docker 1.6 benchmark is by running our pre-built container:
+
+
+```
+docker run -it --net host --pid host -v /var/run/docker.sock:/var/run/docker.sock \
+-v /usr/lib/systemd:/usr/lib/systemd -v /etc:/etc diogomonica/docker-security-benchmark
+```
+
+## Building the benchmark
+
+If you wish to build and run this container yourself, you can follow the following steps:
+
+```
+# git clone https://github.com/diogomonica/docker-security-benchmark.git
+# cd docker-security-benchmark; docker build -t docker-security-benchmark .
+# docker run run -it --net host --pid host -v /var/run/docker.sock:/var/run/docker.sock -v /usr/lib/systemd:/usr/lib/systemd -v /etc:/etc docker-security-benchmark
+```
+
+Also, this script can also be simply run from your base host by running:
+
+```
+# git clone https://github.com/diogomonica/docker-security-benchmark.git
+# cd docker-security-benchmark; sh docker_security_benchmark.sh
+```
+
+This script was build to be POSIX 2004 compliant, so it should be portable across any Unix platform.
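Review bot: the build-and-run snippet contains a command the docker CLI will reject: `# docker run run -it --net host --pid host ...` has a doubled `run` and should read `# docker run -it --net host --pid host ...`. Wording fixes in the same hunk: `Also, this script can also be simply run` repeats `also`, and `This script was build to be POSIX 2004 compliant` should be `built`. The `#` root prompt at the start of every command line also prevents the snippets from being pasted verbatim; either drop it or note that it is a prompt.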
@@ -0,0 +1,80 @@
+#!/bin/sh
+# ------------------------------------------------------------------------------
+# CIS Docker 1.6 Benchmark v1.0.0 checker
+#
+# Docker, Inc. (c) 2015
+#
+# Provides automated tests for the CIS Docker 1.6 Benchmark:
+# https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf
+#
+# ------------------------------------------------------------------------------
+
+# Load dependencies
+. ./output_lib.sh
+. ./helper_lib.sh
+
+# Setup the paths
+this_path=$(abspath $0) ## Path of this file including filenamel
+dir_name=`dirname ${this_path}` ## Dir where this file is
+myname=`basename ${this_path}` ## file name of this script.
+logger="${myname}.log"
+
+
+# Check for required program(s)
+req_progs='docker netstat grep awk'
+for p in $req_progs; do
+ command -v $p >/dev/null 2>&1 || { printf "$p command not found.\n"; exit 1; }
+done
+
+# Ensure we can connect to docker daemon
+`docker ps -q >/dev/null 2>&1`
+if [ $? -ne 0 ]; then
+ printf "Error connecting to docker daemon (does docker ps work?)\n"
+ exit 1
+fi
+
+usage () {
+ printf "
+ usage: $myname [options]
+
+ -h optional Print this help message\n"
+ exit 1
+}
+
+yell "# ------------------------------------------------------------------------------
+# CIS Docker 1.6 Benchmark v1.0.0 checker
+#
+# Docker, Inc. (c) 2015
+#
+# Provides automated tests for the CIS Docker 1.6 Benchmark:
+# https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf
+# ------------------------------------------------------------------------------"
+
+logit "Initializing `date`\n"
+
+# Warn if not root
+ID=`id -u`
+if test "x$ID" != "x0"; then
+ warn "Some tests might require root to run"
+ sleep 3
+fi
+
+# Get the flags
+while getopts :hlfi: args
+do
+ case $args in
+ h) usage ;;
+ l) logger="$OPTARG" ;;
+ *) usage ;;
+ esac
+done
+
+# Load all the tests from tests/ and run them
+main () {
+ for test in tests/*.sh
+ do
+ . ./$test
+ done
+}
+
+main "$@"
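Review bot: the option parsing at the end of the hunk does not work as written. `while getopts :hlfi: args` declares `l` without a trailing colon, so `l) logger="$OPTARG" ;;` always assigns an empty string (only `i` takes an argument, and `i` and `f` are then sent to `usage` anyway); the optstring should be `:hl:`. The loop also runs after the `logit "Initializing ..."` call and the root warning, so the banner is written to the default `$logger` before `-l` can redirect it; move the getopts loop above the first `logit`. Separately, `dir_name` is computed but never used while `main` sources `./$test` from `tests/*.sh` relative to the current directory, so the script only works when launched from its own checkout; `for test in "$dir_name"/tests/*.sh` (or a `cd "$dir_name"`) fixes that. Minor: the comment reads `filenamel`, and `this_path=$(abspath $0)` should quote `"$0"`.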
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+# Returns the absolute path of a given string
+abspath () { case "$1" in /*)printf "%s\n" "$1";; *)printf "%s\n" "$PWD/$1";; esac; }
+
+# Compares versions of software of the format X.Y.Z
+do_version_check() {
+ [ "$1" = "$2" ] && return 10
+
+ ver1front=`printf $1 | cut -d "." -f -1`
+ ver1back=`printf $1 | cut -d "." -f 2-`
+ ver2front=`printf $2 | cut -d "." -f -1`
+ ver2back=`printf $2 | cut -d "." -f 2-`
+
+ if [ "$ver1front" != "$1" ] || [ "$ver2front" != "$2" ]; then
+ [ "$ver1front" -gt "$ver2front" ] && return 11
+ [ "$ver1front" -lt "$ver2front" ] && return 9
+
+ [ "$ver1front" = "$1" ] || [ -z "$ver1back" ] && ver1back=0
+ [ "$ver2front" = "$2" ] || [ -z "$ver2back" ] && ver2back=0
+ do_version_check "$ver1back" "$ver2back"
+ return $?
+ else
+ [ "$1" -gt "$2" ] && return 11 || return 9
+ fi
+}
+
+# Compares two strings and returns 0 if the second is a substring of the first
+contains() {
+ string="$1"
+ substring="$2"
+ if test "${string#*$substring}" != "$string"
+ then
+ return 0 # $substring is in $string
+ else
+ return 1 # $substring is not in $string
+ fi
+}
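Review bot: `do_version_check` reports its result through exit statuses 9, 10 and 11, which any caller using `if do_version_check ...` or running under `set -e` will read as failure; document the convention in the function comment (10 equal, 11 first newer, 9 first older) or return 0 and print the result. The comparison also breaks on non-numeric components: `[ "$1" -gt "$2" ]` in the else branch errors out on a suffix such as `rc1`, and `printf $1` uses the version as the format string and should be `printf '%s' "$1"`. In `contains`, the pattern in `${string#*$substring}` is unquoted, so a `substring` containing `*`, `?` or `[` is treated as a glob; `"${string#*"$substring"}"` matches it literally.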
@@ -0,0 +1,25 @@
+bldred='\033[1;31m'
+bldgrn='\033[1;32m'
+bldblu='\033[1;34m'
+bldylw='\033[1;33m' # Yellow
+txtrst='\033[0m'
+
+logit () {
+ printf "$1\n" | tee -a $logger
+}
+
+info () {
+ printf '%b' "${bldblu}[INFO]${txtrst} $1\n" | tee -a $logger
+}
+
+pass () {
+ printf '%b' "${bldgrn}[PASS]${txtrst} $1\n" | tee -a $logger
+}
+
+warn () {
+ printf '%b' "${bldred}[WARN]${txtrst} $1\n" | tee -a $logger
+}
+
+yell () {
+ printf '%b' "${bldylw}$1${txtrst}\n"
+}
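Review bot: `logit` uses its argument as the printf format string (`printf "$1\n" | tee -a $logger`), so any message containing `%` is parsed as a conversion specifier and can print garbage or fail; use `printf '%s\n' "$1" | tee -a "$logger"`, and quote `$logger` in every helper so a log path containing spaces works. The other helpers pass the message inside a `%b` argument, which avoids the format-string problem but still expands backslash escapes found in test output; keeping the colour codes in `%b` and the message in `%s` avoids both. Also `yell` is the only helper that does not tee to `$logger`, so the banner never reaches the log file; a comment would make clear whether that is intended.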