cbd07bb051
align tests to CIS Benchmark 1.5.0
...
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2023-03-06 12:59:56 +01:00
683c5a92b5
fix socket check
...
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2021-07-12 15:22:12 +02:00
6f574b07c1
initial commit of tests/3_docker_daemon_configuration_files.sh v1.3.1
...
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2021-05-25 20:49:45 +02:00
d0443cc817
Bug fixing and improving source code readability
2021-03-29 15:22:14 +03:00
f31e60c379
Add more remediation stuff
2021-03-22 09:43:56 +02:00
7144b947de
Tests update
2021-03-16 10:05:49 +02:00
6c586b4e08
Print remediation measures at the end of the logs
2021-03-10 21:47:52 +02:00
94900eedb9
Change global variable used only locally to local variable for simplification
2021-03-09 12:42:48 +02:00
f8c9b0fd5b
Replace multiple -eq with -le
...
Replace multiple -eq with -le for file permission checks. Except for line 228 which uses slightly different logic so is -ge.
Signed-off-by: Niall T 19202716+jammasterj89@users.noreply.github.com
2021-01-15 11:20:59 +00:00
47e4cc173c
Fix check_2 to -le 644
...
Issue #459 raised that check_2 was only checking for 644 or 600 permissions, this now checks for anything less than or equal to 644.
Signed-off-by: Niall T 19202716+jammasterj89@users.noreply.github.com
2021-01-15 10:29:11 +00:00
98acc66436
map desc_ to benchmark headings
...
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2020-05-08 12:38:08 +02:00
d42fedc370
fix(sh): check default ubuntu locations of docker.service and docker.socket files
...
Signed-off-by: Ilya Dus <ilyadoos@gmail.com>
2020-04-10 16:26:25 +03:00
ddad135d13
shellcheck
...
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2019-10-16 09:49:18 +02:00
d680213a7b
fix /etc/sysconfig/docker
...
closes #397
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2019-10-04 14:50:48 +02:00
17c6262d2f
formating
...
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2019-08-28 12:14:35 +02:00
f968597051
first pass on section 3
...
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2019-08-27 15:13:19 +02:00
391e09f76a
linting
...
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2018-11-01 10:24:36 +01:00
ec7d8ce690
Improve docker-bench-security json output
...
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-10-11 13:39:55 -07:00
773625a894
ref #325 daemon.json permissions
...
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2018-09-27 09:49:32 +02:00
78700f2600
consistent currentScore
...
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2018-07-01 20:04:20 +02:00
8142de8334
convert all checks to functions
...
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2018-01-16 13:46:49 +01:00
f9be3996f4
add score and totalChecks to 3_
...
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-10-23 15:39:52 +02:00
7a1b813cdc
check 3.x json log
...
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-10-13 09:53:15 +02:00
44e46c63c3
spaces
...
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-07-07 13:06:23 +02:00
03974c0854
update titles and tests
...
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-07-07 10:37:09 +02:00
17ee45ba94
test tls get_docker_configuration_file_args
...
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-03-23 15:28:06 +01:00
6105ff6641
use stat when checking permissions
...
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-03-22 15:23:04 +01:00
91e625b8e4
Modify get_docker_configuration_file_args in order to handle daemon.json better,
...
and also address missing files issue.
Closes #231
Closes #232
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-03-21 14:49:42 +01:00
91eb958dd3
get file locations from config file
...
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-02-23 16:33:54 +01:00
b766037da8
update permission checks
...
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2017-01-23 17:26:07 +01:00
e3da5eacf0
update chap 3 to cis 1.11
...
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2016-04-14 22:57:25 +02:00
001811bf87
use stat to verify permissions
...
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2016-02-16 23:23:27 +01:00
606f70f83f
flexible paths for docker.socket as well
...
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-12-12 16:16:50 +01:00
e8c6b94143
check docker.service
...
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-12-12 16:08:46 +01:00
80794e5638
get .service file location from systemd
...
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-11-27 19:26:03 +01:00
d2ba1d9f72
Fix #97 , #98 , #99 by using new helper functions
...
Signed-off-by: Andreas Stieger <astieger@suse.com>
2015-11-27 15:35:37 +01:00
cd7efa2afc
Fix test 3.25, correctly check for root:docker ownership, fixes #95
...
Signed-off-by: Andreas Stieger <astieger@suse.com>
2015-11-11 18:58:03 +01:00
c5cb9cdc5c
POSIX test command requires -S for UNIX domain sockets, fixes #94
...
Signed-off-by: Andreas Stieger <astieger@suse.com>
2015-11-11 18:57:58 +01:00
6fca0428e7
missed one tls*
...
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-07-10 02:10:26 +02:00
b3fd225df8
fix incorrect file variables
...
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-07-10 01:43:11 +02:00
8b0efa170f
split cmdline
...
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-07-10 01:30:38 +02:00
fae2639313
Addition to fix for issue #47 .
...
Missed the potentially wrong invocations of pgrep also in section 3
of the tests. Replace "pgrep -lf" there as well.
Signed-off-by: Joachim Lusiardi <joachim@lusiardi.de>
2015-06-29 22:27:59 +02:00
1e0ef4cf97
crt dir and permissions
...
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-18 00:32:20 +02:00
0c61ddb6dd
from ls to stat
...
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-17 23:52:53 +02:00
3059cef2c3
444 is read-only
...
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-17 23:52:23 +02:00
70b8d33cef
replace ls with stat when checking owner and perms
...
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2015-06-17 23:25:01 +02:00
f4aab9c8c5
Double quote to prevent globbing and word splitting.
...
Do not use legacy backticks.
Proper use of printf
Do not use wc -l with grep, instead use grep -c
Use pgrep
Signed-off-by: Werner Buck <wernerbuck@gmail.com>
2015-05-31 12:26:37 +02:00
03ac3f5bd3
Make ifs style be consistent
2015-05-14 20:26:32 -07:00
18d5a13240
First version of the CIS Docker Benchmark v1.0.0
2015-05-13 15:26:45 -07:00
Thomas Sjögren
Razvan Stoica
jammasterj89
Ilya Dus
Mark Stemm
Andreas Stieger
Joachim Lusiardi
Werner Buck
Diogo Monica