Small improvement of user experience

[razvanstoica89]

Add details about remediation measures for host configuration tests

[konstruktoid]

Thanks @razvanstoica89, and it was a humble title you picked, calling this PR "small".

[konstruktoid]

Loads of updates 👍
Will test as soon as possible.

[konstruktoid]

Can you poke me @razvanstoica89 when you believe you are finished with this PR so I can start testing?
No need to test if it's a work in progress.

[razvanstoica89]

Yes of course. Thanks

[konstruktoid]

the json file doesnt seem to be valid.

$ jq log/docker-bench-security.sh.log.json 
jq: error: docker/0 is not defined at <top-level>, line 1:
log/docker-bench-security.sh.log.json    
jq: error: bench/0 is not defined at <top-level>, line 1:
log/docker-bench-security.sh.log.json           
jq: error: security/0 is not defined at <top-level>, line 1:
log/docker-bench-security.sh.log.json                 
jq: 3 compile errors

[konstruktoid]

Since you've created the log directory, perhaps rename without the .sh extension

[razvanstoica89]

the json file doesnt seem to be valid.

$ jq log/docker-bench-security.sh.log.json 
jq: error: docker/0 is not defined at <top-level>, line 1:
log/docker-bench-security.sh.log.json    
jq: error: bench/0 is not defined at <top-level>, line 1:
log/docker-bench-security.sh.log.json           
jq: error: security/0 is not defined at <top-level>, line 1:
log/docker-bench-security.sh.log.json                 
jq: 3 compile errors

Looks like you're trying to validate that the string "log/docker-bench-security.sh.log.json" is a valid json.
I think a better approach is cat log/docker-bench-security.log.json | jq empty.

As far as I know the only way you can get an invalid json log is to stop the script manually while it is running. Even if you run it again, you will be left with an invalid json log.

[konstruktoid]

Running a standrd installation without any containers:

Section A - Check results

[INFO] 1 - Host Configuration
[INFO] 1.1 - General Configuration
[NOTE] 1.1.1  - Ensure the container host has been Hardened (Not Scored)
[INFO] -c
[INFO]        * Using 20.10.5, verify is it up to date as deemed necessary
[INFO]        * Your operating system vendor may provide support and security maintenance for Docker
[INFO] 1.2 - Linux Hosts Specific Configuration
WARNING: No swap limit support
[WARN] -s
[INFO] -c
[INFO]       * Users: vagrant
[WARN] -s
[WARN] -s
[WARN] -s
[WARN] -s
[WARN] -s
[WARN] -s
[INFO] -c
[INFO]        * File not found
[INFO] -c
[INFO]         * File not found
[WARN] -s
[INFO] -c
[INFO]         * File not found

[INFO] 2 - Docker daemon configuration 
[WARN] -s
[PASS] -s
[PASS] -s
[PASS] -s
[PASS] -s
[INFO] -c
[INFO]      * Docker daemon not listening on TCP
[INFO] -c
[INFO]      * Default ulimit doesn't appear to be set
[WARN] -s
[PASS] -s

[konstruktoid]

Looks like you're trying to validate that the string "log/docker-bench-security.sh.log.json" is a valid json.
I think a better approach is cat log/docker-bench-security.log.json | jq empty.

You are correct, cat log/docker-bench-security.log.json | jq -r works.

[razvanstoica89]

Did you manage to test the changes I made?

[konstruktoid]

Did you manage to test the changes I made?

Yeah, but #467 (comment) still exists.

[razvanstoica89]

Did you manage to test the changes I made?

Yeah, but #467 (comment) still exists.

Yes. You are right. By d0443cc I solved the problem reported in #467 (comment) but I didn't let you know.

[konstruktoid]

~$ git clone https://github.com/docker/docker-bench-security
Cloning into 'docker-bench-security'...
[...]
~$ cd docker-bench-security/
~$ git checkout -b razvanstoica89-master master
[...]
~$ git pull git://github.com/razvanstoica89/docker-bench-security.git master
[...]
~$ git log | grep -A3 d0443c
commit d0443cc817cf17452f41510954e450a320b59c6a
Author: Razvan Stoica <razvan.stoica89@gmail.com>
Date:   Mon Mar 29 15:22:14 2021 +0300
~$ curl -sSL get.docker.com | sh
[...]
$ sudo bash ./docker-bench-security.sh
# --------------------------------------------------------------------------------------------
# Docker Bench for Security v1.3.6
#
# Docker, Inc. (c) 2015-2021
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Benchmark v1.2.0.
# --------------------------------------------------------------------------------------------

Initializing 2021-04-08T20:42:29+00:00


Section A - Check results

[INFO] 1 - Host Configuration
[INFO] 1.1 - General Configuration
[NOTE] 1.1.1  - Ensure the container host has been Hardened (Not Scored)
[PASS] -c
[INFO]        * Using 20.10.5, verify is it up to date as deemed necessary
[INFO] 1.2 - Linux Hosts Specific Configuration
WARNING: No swap limit support
[WARN] -s
[INFO] -c
[INFO]       * Users:
[WARN] -s
[WARN] -s
[WARN] -s
[WARN] -s
[WARN] -s
[WARN] -s
[INFO] -c
[INFO]        * File not found
[INFO] -c
[INFO]         * File not found
[WARN] -s
[INFO] -c
[INFO]         * File not found

[INFO] 2 - Docker daemon configuration
[WARN] -s
[PASS] -s
[PASS] -s
[PASS] -s
[PASS] -s
[INFO] -c
[INFO]      * Docker daemon not listening on TCP

[razvanstoica89]

Please test it using the sudo sh ./docker-bench-security.sh command as recommended in the original README.md file.

[konstruktoid]

sh is linked to bash on multiple distributions.

$ sudo sh ./docker-bench-security.sh
# --------------------------------------------------------------------------------------------
# Docker Bench for Security v1.3.6
#
# Docker, Inc. (c) 2015-2021
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Benchmark v1.2.0.
# --------------------------------------------------------------------------------------------

Initializing 2021-04-09T09:52:09+00:00


Section A - Check results

[INFO] 1 - Host Configuration
[INFO] 1.1 - General Configuration
[NOTE] 1.1.1  - Ensure the container host has been Hardened (Not Scored)
[PASS] -c
[INFO]        * Using 20.10.5, verify is it up to date as deemed necessary
[INFO] 1.2 - Linux Hosts Specific Configuration
[WARN] -s
[INFO] -c
[INFO]       * Users: 
[WARN] -s
[WARN] -s
[WARN] -s
[WARN] -s
[WARN] -s
[INFO] -c
[INFO]        * File not found
[INFO] -c
[INFO]        * File not found
[INFO] -c
[INFO]         * File not found
[WARN] -s
[INFO] -c
[INFO]         * File not found

[INFO] 2 - Docker daemon configuration
[WARN] -s
[PASS] -s
[PASS] -s
[PASS] -s
[PASS] -s
[INFO] -c
[INFO]      * Docker daemon not listening on TCP
^C
$ ls -l $(which sh)
lrwxrwxrwx. 1 root root 4 Jan 12 08:24 /usr/bin/sh -> bash
$ cat /etc/redhat-release 
CentOS Stream release 8
$ 

[razvanstoica89]

I think I managed to fix this bug #467 (comment)

[konstruktoid]

Looks good, but I'm not sure about those impact statements.
E.g. [INFO] 5.31 - You should ensure that no containers mount docker.sock as a volume. Impact: None. Mounting docker.sock is basically server ownership.

[razvanstoica89]

These impact statements refer to the impact of the implementation of remedial measures.
Not to the impact that the lack of implementation of remedial measures has.

Keep in mind that in very few situations or use cases, you want to mount docker.sock even if it is definitely not recommended.
Example: Portainer.io

[konstruktoid]

"None." is fine, since it's the remediationImpact we're talking about, why not just change "Impact" to "Remedation Impact"?

[razvanstoica89]

You are right. It's better None. I'm rolling back my last change. Please excuse my mistake.

[konstruktoid]

I meant to change this Impact to Remediation Impact as in the json file.

[razvanstoica89]

@konstruktoid Thanks for the feedback. I made this change.

[konstruktoid]

Looks good!
And thanks for this massive, massive contribution.