Support for 'CIS Docker Benchmark 1.12.0' #182
Signed-off-by: Ravi Kumar Vadapalli <vadapalli.ravikumar@gmail.com>
Thanks a lot @vadapalliravikumar! I'll go through it all in detail and update when CIS 1.13 is available, which should be Soon™
| pass "$check_5_28" | ||
| fi | ||
| # 5.29 |
This results in
[WARN] 5.29 - Do not use Docker's default bridge docker0
[WARN] * container in docker0 network: 16794ef13b98785b74c08775d3580b44cb7648f140a3cd3871e7d05f9512d852 219607ecdfe3a37161fcba50ae92c54dd1d6c12f465a434a9cec48e58e9eb61e
where the IDs and not the names are presented on a single line.
| warn " * Docker sock shared: $c" | ||
| fail=1 | ||
| else | ||
| warn " * Docekr sock shared: $c" |
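Review bot: the else-branch warn on the last line misspells the product name (`Docekr sock shared`), so the two branches of this check emit different strings for the same finding; make it `warn " * Docker sock shared: $c"` to match the if-branch two lines above.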
| # 2.16 | ||
| check_2_16="2.16 - Control the number of manager nodes in a swarm" | ||
| docker node ls 2>/dev/null | grep "Leader" >/dev/null 2>&1 |
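Review bot: the `grep "Leader"` on the last line only detects whether a Leader row exists in `docker node ls`, while the check title is about the number of manager nodes; count the manager rows instead (for example `docker node ls 2>/dev/null | grep -c -E "Leader|Reachable"`, since both values appear in the MANAGER STATUS column) and compare that count against the recommended size, keeping in mind that `docker node ls` only succeeds when run on a manager.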
This doesn't count the actual number of leaders.
| info "$check_4_7" | ||
| fi | ||
| imgName=`docker inspect --format='{{.RepoTags}}' $img 2>/dev/null` | ||
| info " update instruction found in history of $imgName" |
Should start with capital letter.
| info "$check_4_9" | ||
| fi | ||
| imgName=`docker inspect --format='{{.RepoTags}}' $img 2>/dev/null` | ||
| info " found ADD in docker history of $imgName" |
Should start with capital letter.
| # If it's the first container, fail the test | ||
| if [ $fail -eq 0 ]; then | ||
| warn "$check_5_28" | ||
| warn " * pidslimit not set: $c" |
Should start with capital letter.
| warn " * pidslimit not set: $c" | ||
| fail=1 | ||
| else | ||
| warn " * pidslimit not set: $c" |
Should start with capital letter.
| fail=1 | ||
| fi | ||
| for c in $docker0Containers; do | ||
| warn " * container in docker0 network: $c" |
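Review bot: the warn on the last line prints the raw 64-character container ID, which is what makes the sample output in the review hard to read; the 4.x checks in this PR already resolve images to a readable name with `docker inspect --format`, and the same pattern (`docker inspect --format='{{.Name}}' "$c"`) would list container names here. Quote `"$c"` wherever it is passed to docker so shellcheck stays clean.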
Should start with capital letter.
| fi | ||
| # 2.17 | ||
| check_2_17="2.17 - Bind swarm services to a specific host interface" |
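Review bot: the check as titled has to verify the address the swarm port is bound to, but nothing visible in this hunk inspects it; the reviewer's `netstat -tl | grep 2377` output shows the bound address column (`10.2.3.41:2377`), so the test could parse that column and warn when port 2377 is bound to a wildcard (`*:2377` or `0.0.0.0:2377`) rather than a specific interface.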
This does not check if a specific host interface is used.
$ netstat -tl | grep 2377
tcp 0 0 10.2.3.41:2377 *:* LISTEN
| warn "$check_4_6" | ||
| fi | ||
| imgName=`docker inspect --format='{{.RepoTags}}' $img 2>/dev/null` | ||
| warn " No Healthcheck found : $imgName" |
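Review bot: `--format='{{.RepoTags}}'` renders a Go slice, so `$imgName` prints as `[repo:tag]` (bracketed, with several tags space-separated, or `[]` for untagged images) in this message and in the identical 4.7 and 4.9 lines; pick the first tag or join the slice before printing, and quote `"$img"` in the inspect call.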
Use consistent warning and info messages. Start with a * and capital letter.
@vadapalliravikumar please see the comments, could you update your PR?
Please sign your commits following these rules:
$ git clone -b "docker-benchmark-1.12.0" git@github.com:vadapalliravikumar/docker-bench-security.git somewhere
$ cd somewhere
$ git rebase -i HEAD~842354447304
editor opens
change each 'pick' to 'edit'
save the file and quit
$ git commit --amend -s --no-edit
$ git rebase --continue # and repeat the amend for each commit
$ git push -f
Amending updates the existing PR. You DO NOT need to open a new one.

Merging and we'll go from there, so you can get credit for the work you've done.
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
Thank you for merging the changes. Sorry about not being able to manage time to address the comments before the merge.

You're welcome @vadapalliravikumar, take care.
Signed-off-by: Ravi Kumar Vadapalli <vadapalli.ravikumar@gmail.com>
The code changes are to support the 'CIS Docker 1.12.0 Benchmark'. 17 new recommendations have been added in the 1.12.0 benchmark. Tests for 12 out of these 17 have been included in these code changes.
Tested on Ubuntu 16.04 with GNU bash 4.3.46. Checked the changes with shellcheck & checkbashisms.