Item 2.6 on v1.3.5 showing daemon not listening on tcp #410

Closed
zshrine opened this issue Dec 13, 2019 · 13 comments

Comments

@zshrine zshrine commented Dec 13, 2019

Hi,

While running the scan, my result for 2.6 is as per below.
{"id": "2.6", "desc": "Ensure TLS authentication for Docker daemon is configured", "result": "INFO", "details": "Docker daemon not listening on TCP"},

But my daemon.json has been configured to listen on tcp.

"hosts": ["unix:///var/run/docker.sock", "tcp://xx.xx.xx.xx:2376"], 
"tls": true,
"tlsverify": true,
"tlscacert":"/var/lib/docker/certs/ca.pem",
"tlscert":"/var/lib/docker/certs/server-cert.pem",
"tlskey":"/var/lib/docker/certs/server-key.pem",

I noticed that in 2_docker_daemon_configuration.sh, line 153, $CONFIG_FILE will always be null. It seems you need to call the method get_docker_configuration_file_args to set the variable.

Also, it seems that wrapping the grep command in square brackets makes the shell treat it as a string instead of running it. I tested with the below.

$ if [ grep -i 'tcp://' "$CONFIG_FILE" 2>/dev/null 1>&2 ]; then echo hello; fi
$ if grep -i 'tcp://' "$CONFIG_FILE" 2>/dev/null 1>&2 ; then echo hello; fi
hello

I modified 2_docker_daemon_configuration.sh as per below to get the result I want.

echo "config file is $CONFIG_FILE"
get_docker_configuration_file_args "NA"
echo "config file is $CONFIG_FILE again"
totalChecks=$((totalChecks + 1))
if grep -i 'tcp://' "$CONFIG_FILE" 2>/dev/null 1>&2 || \
   [ $(get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://') >/dev/null 2>&1 ]; then
  echo "passed the first if?"

My log result is as per below:

# ./docker-bench-security.sh -l 2.6.log -c check_2_6
# ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.5
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Benchmark v1.2.0.
# ------------------------------------------------------------------------------

Initializing Thu Dec 12 14:40:33 +08 2019

config file is
config file is /etc/docker/daemon.json again
passed the first if?
[PASS] 2.6  - Ensure TLS authentication for Docker daemon is configured

[INFO] Checks: 1
[INFO] Score: 1

Thanks!
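As an added example (not code from docker-bench-security or from the poster), the following POSIX sh script shows the two conditions of check 2.6 written so that the shell actually runs grep rather than handing the words to the [ builtin; daemon_listens_on_tcp, report_2_6 and the daemon.json contents are constructed for this demo. It also guards against an empty $CONFIG_FILE, so a missing configuration path falls through to the -H check instead of producing a grep error.

```sh
#!/bin/sh
# Added example, not docker-bench-security code: the shape check 2.6's condition
# should take. daemon_listens_on_tcp, report_2_6 and the daemon.json content
# below are constructed for this demo.

# $1: path to daemon.json (may be empty, as $CONFIG_FILE was in the -c run)
# $2: -H command-line values, one per line (may be empty)
# Returns 0 when either source shows the daemon listening on TCP.
daemon_listens_on_tcp() {
  cfg="$1"
  h_args="$2"
  # The command itself is the test. Wrapping it as [ grep -i 'tcp://' "$cfg" ]
  # would hand the words to the [ builtin, which never runs grep.
  if [ -n "$cfg" ] && grep -qi 'tcp://' "$cfg" 2>/dev/null; then
    return 0
  fi
  # Any -H value that is not a unix:// or fd:// socket counts as TCP.
  if [ -n "$h_args" ] && printf '%s\n' "$h_args" | grep -qvE '(unix|fd)://'; then
    return 0
  fi
  return 1
}

# Prints the outcome the way the benchmark reports it; always exits 0 so it
# can be called from a script running under set -e.
report_2_6() {
  if daemon_listens_on_tcp "$1" "$2"; then
    echo "2.6 applies: daemon listens on TCP, check TLS settings"
  else
    echo "INFO 2.6: Docker daemon not listening on TCP"
  fi
}

# Constructed sample files mirroring the issue's daemon.json (TEST-NET address).
tcp_cfg=$(mktemp); sock_cfg=$(mktemp)
trap 'rm -f "$tcp_cfg" "$sock_cfg"' EXIT
cat > "$tcp_cfg" <<'EOF'
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://192.0.2.10:2376"],
  "tls": true, "tlsverify": true
}
EOF
printf '{ "hosts": ["unix:///var/run/docker.sock"] }\n' > "$sock_cfg"

report_2_6 "$tcp_cfg" ""                      # applies (hosts key)
report_2_6 "$sock_cfg" ""                     # not listening on TCP
report_2_6 "" "unix:///var/run/docker.sock"   # empty CONFIG_FILE, socket-only -H
report_2_6 "" "tcp://0.0.0.0:2375"            # applies (-H flag)
```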

@konstruktoid konstruktoid commented Dec 13, 2019

Thanks again, will check.

konstruktoid added a commit to konstruktoid/docker-bench-security that referenced this issue Dec 16, 2019
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
@konstruktoid konstruktoid commented Dec 16, 2019

Can you test #411?

@zshrine zshrine commented Dec 17, 2019

It seems $CONFIG_FILE is still empty.

$ ls /etc/docker/daemon.json
/etc/docker/daemon.json
$ ./docker-bench-security.sh -c check_2_6
# ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.5
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Benchmark v1.2.0.
# ------------------------------------------------------------------------------

Initializing Tue Dec 17 15:39:42 +08 2019

grep: : No such file or directory
[INFO] 2.6  - Ensure TLS authentication for Docker daemon is configured
[INFO]      * Docker daemon not listening on TCP

[INFO] Checks: 1
[INFO] Score: 0
@konstruktoid konstruktoid commented Dec 17, 2019

$CONFIG_FILE is not set when using the -c flag.

@zshrine zshrine commented Dec 17, 2019

OK. I tested a full scan, and it is working. Thanks!

@konstruktoid konstruktoid commented Dec 17, 2019

You're welcome, but I don't know why it's not working when using -c.

konstruktoid added a commit that referenced this issue Dec 17, 2019
correct grep #410
@zshrine zshrine commented Dec 17, 2019

$CONFIG_FILE is set by the method get_docker_configuration_file_args. The first occurrence of this method being called is in check_2_1.

My guess is that $CONFIG_FILE was probably already set in the previous methods, which is why check_2_6 worked in a full scan.

The first condition for check_2_6 is if grep -qi 'tcp://' "$CONFIG_FILE" || \ , and it relies on the variable $CONFIG_FILE.

@konstruktoid konstruktoid commented Dec 17, 2019

True, but $CONFIG_FILE is set at https://github.com/docker/docker-bench-security/blob/master/helper_lib.sh#L85-L96 and helper_lib.sh is always included, and there's no difference between using -c or not.

@zshrine zshrine commented Dec 17, 2019

I think running helper_lib.sh just declares the method, it does not actually run the method. I did a small test. Maybe you want to try doing an echo inside one of the methods to prove this?

$ . helper_lib.sh
$ echo $CONFIG_FILE

$ echo $auditrules
/etc/audit/audit.rules
konstruktoid added a commit to konstruktoid/docker-bench-security that referenced this issue Dec 17, 2019
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
@konstruktoid konstruktoid commented Dec 17, 2019

You're correct again; I added it so that we get the configuration file before the tests.

@zshrine zshrine commented Dec 18, 2019

Glad I was able to help. This project helped me out a lot too. :)

@konstruktoid konstruktoid commented Dec 18, 2019

Thank you @zshrine :)

konstruktoid added a commit that referenced this issue Dec 18, 2019
locate configuration file before we run the tests #410
@konstruktoid konstruktoid commented Dec 27, 2019

Closing since it seems to work after merge.
