Closed mmukherjee closed 5 years ago
@mmukherjee can you provide me more information, because on my Arch Linux it is working. I updated the Gemfile to use inspec version 2.0.0 (see #52) and I did a bundle install inside the cis-docker-benchmark.
inspec version:
±> bundle exec inspec version 44d [1ec3569]
2.0.32
±> bundle exec inspec exec ./
44d [1ec3569]
Profile: CIS Docker Benchmark Profile (cis-docker-benchmark)
Version: 2.0.0
Target: local://
↺ docker-5.1: Verify AppArmor Profile, if applicable
↺ Skipped control due to only_if condition.
↺ docker-5.2: Verify SELinux security options, if applicable
↺ Skipped control due to only_if condition.
✔ docker-5.22: Do not docker exec commands with privileged option
✔ should be empty
✔ docker-5.23: Do not docker exec commands with user option
✔ should be empty
↺ docker-5.27: Ensure docker commands always get the latest version of the image
↺ Ensure docker commands always get the latest version of the image
↺ docker-5.29: Do not use Docker's default bridge docker0
↺ Not implemented yet
✔ docker-3.1: Verify that docker.service file ownership is set to root:root
✔ File /usr/lib/systemd/system/docker.service should exist
✔ File /usr/lib/systemd/system/docker.service should be file
✔ File /usr/lib/systemd/system/docker.service should be owned by "root"
✔ File /usr/lib/systemd/system/docker.service should be grouped into "root"
✔ docker-3.2: Verify that docker.service file permissions are set to 644 or more restrictive
✔ File /usr/lib/systemd/system/docker.service should exist
✔ File /usr/lib/systemd/system/docker.service should be file
✔ File /usr/lib/systemd/system/docker.service should be readable by owner
✔ File /usr/lib/systemd/system/docker.service should be writable by owner
✔ File /usr/lib/systemd/system/docker.service should be readable by group
✔ File /usr/lib/systemd/system/docker.service should not be writable by group
✔ File /usr/lib/systemd/system/docker.service should be readable by other
✔ File /usr/lib/systemd/system/docker.service should not be writable by other
✔ File /usr/lib/systemd/system/docker.service should not be executable
✔ docker-3.3: Verify that docker.socket file ownership is set to root:root
✔ File /usr/lib/systemd/system/docker.socket should exist
✔ File /usr/lib/systemd/system/docker.socket should be file
✔ File /usr/lib/systemd/system/docker.socket should be owned by "root"
✔ File /usr/lib/systemd/system/docker.socket should be grouped into "root"
✔ docker-3.4: Verify that docker.socket file permissions are set to 644 or more restrictive
✔ File /usr/lib/systemd/system/docker.socket should exist
✔ File /usr/lib/systemd/system/docker.socket should be file
✔ File /usr/lib/systemd/system/docker.socket should be readable by owner
✔ File /usr/lib/systemd/system/docker.socket should be writable by owner
✔ File /usr/lib/systemd/system/docker.socket should be readable by group
✔ File /usr/lib/systemd/system/docker.socket should not be writable by group
✔ File /usr/lib/systemd/system/docker.socket should be readable by other
✔ File /usr/lib/systemd/system/docker.socket should not be writable by other
✔ File /usr/lib/systemd/system/docker.socket should not be executable
✔ docker-3.5: Verify that /etc/docker directory ownership is set to root:root
✔ File /etc/docker should exist
✔ File /etc/docker should be directory
✔ File /etc/docker should be owned by "root"
✔ File /etc/docker should be grouped into "root"
× docker-3.6: Verify that /etc/docker directory permissions are set to 755 or more restrictive (4 failed)
✔ File /etc/docker should exist
✔ File /etc/docker should be directory
✔ File /etc/docker should be readable by owner
✔ File /etc/docker should be writable by owner
✔ File /etc/docker should be executable by owner
× File /etc/docker should be readable by group
expected File /etc/docker to be readable by group
✔ File /etc/docker should not be writable by group
× File /etc/docker should be executable by group
expected File /etc/docker to be executable by group
× File /etc/docker should be readable by other
expected File /etc/docker to be readable by other
✔ File /etc/docker should not be writable by other
× File /etc/docker should be executable by other
expected File /etc/docker to be executable by other
× docker-3.7: Verify that registry certificate file ownership is set to root:root (12 failed)
× File /etc/docker/certs.d should exist
expected File /etc/docker/certs.d to exist
× File /etc/docker/certs.d should be directory
expected `File /etc/docker/certs.d.directory?` to return true, got false
× File /etc/docker/certs.d should be owned by "root"
expected `File /etc/docker/certs.d.owned_by?("root")` to return true, got false
× File /etc/docker/certs.d should be grouped into "root"
expected `File /etc/docker/certs.d.grouped_into?("root")` to return true, got false
× File /etc/docker/certs.d/registry_hostname:port should exist
expected File /etc/docker/certs.d/registry_hostname:port to exist
× File /etc/docker/certs.d/registry_hostname:port should be directory
expected `File /etc/docker/certs.d/registry_hostname:port.directory?` to return true, got false
× File /etc/docker/certs.d/registry_hostname:port should be owned by "root"
expected `File /etc/docker/certs.d/registry_hostname:port.owned_by?("root")` to return true, got false
× File /etc/docker/certs.d/registry_hostname:port should be grouped into "root"
expected `File /etc/docker/certs.d/registry_hostname:port.grouped_into?("root")` to return true, got false
× File /etc/docker/certs.d/registry_hostname:port/ca.crt should exist
expected File /etc/docker/certs.d/registry_hostname:port/ca.crt to exist
× File /etc/docker/certs.d/registry_hostname:port/ca.crt should be file
expected `File /etc/docker/certs.d/registry_hostname:port/ca.crt.file?` to return true, got false
× File /etc/docker/certs.d/registry_hostname:port/ca.crt should be owned by "root"
expected `File /etc/docker/certs.d/registry_hostname:port/ca.crt.owned_by?("root")` to return true, got false
× File /etc/docker/certs.d/registry_hostname:port/ca.crt should be grouped into "root"
expected `File /etc/docker/certs.d/registry_hostname:port/ca.crt.grouped_into?("root")` to return true, got false
× docker-3.8: Verify that registry certificate file permissions are set to 444 or more restrictive (3 failed)
× File /etc/docker/certs.d/registry_hostname:port/ca.crt should exist
expected File /etc/docker/certs.d/registry_hostname:port/ca.crt to exist
× File /etc/docker/certs.d/registry_hostname:port/ca.crt should be file
expected `File /etc/docker/certs.d/registry_hostname:port/ca.crt.file?` to return true, got false
× File /etc/docker/certs.d/registry_hostname:port/ca.crt should be readable
expected File /etc/docker/certs.d/registry_hostname:port/ca.crt to be readable
✔ File /etc/docker/certs.d/registry_hostname:port/ca.crt should not be executable
✔ File /etc/docker/certs.d/registry_hostname:port/ca.crt should not be writable
× docker-3.9: Verify that TLS CA certificate file ownership is set to root:root (4 failed)
× File should exist
expected File to exist
× File should be file
expected `File .file?` to return true, got false
× File should be owned by "root"
expected `File .owned_by?("root")` to return true, got false
× File should be grouped into "root"
expected `File .grouped_into?("root")` to return true, got false
× docker-3.10: Verify that TLS CA certificate file permissions are set to 444 or more restrictive (3 failed)
× File should exist
expected File to exist
× File should be file
expected `File .file?` to return true, got false
× File should be readable
expected File to be readable
✔ File should not be executable
✔ File should not be writable
× docker-3.11: Verify that Docker server certificate file ownership is set to root:root (4 failed)
× File should exist
expected File to exist
× File should be file
expected `File .file?` to return true, got false
× File should be owned by "root"
expected `File .owned_by?("root")` to return true, got false
× File should be grouped into "root"
expected `File .grouped_into?("root")` to return true, got false
× docker-3.12: Verify that Docker server certificate file permissions are set to 444 or more restrictive (3 failed)
× File should exist
expected File to exist
× File should be file
expected `File .file?` to return true, got false
× File should be readable
expected File to be readable
✔ File should not be executable
✔ File should not be writable
× docker-3.13: Verify that Docker server certificate key file ownership is set to root:root (4 failed)
× File should exist
expected File to exist
× File should be file
expected `File .file?` to return true, got false
× File should be owned by "root"
expected `File .owned_by?("root")` to return true, got false
× File should be grouped into "root"
expected `File .grouped_into?("root")` to return true, got false
× docker-3.14: Verify that Docker server certificate key file permissions are set to 444 or more restrictive (3 failed)
× File should exist
expected File to exist
× File should be file
expected `File .file?` to return true, got false
× File should be readable
expected File to be readable
✔ File should not be executable
✔ File should not be writable
× docker-3.15: Verify that Docker socket file ownership is set to root:docker (4 failed)
× File /var/run/docker.sock should exist
expected File /var/run/docker.sock to exist
× File /var/run/docker.sock should be socket
expected `File /var/run/docker.sock.socket?` to return true, got false
× File /var/run/docker.sock should be owned by "root"
expected `File /var/run/docker.sock.owned_by?("root")` to return true, got false
× File /var/run/docker.sock should be grouped into "docker"
expected `File /var/run/docker.sock.grouped_into?("docker")` to return true, got false
× docker-3.16: Verify that Docker socket file permissions are set to 660 or more restrictive (6 failed)
× File /var/run/docker.sock should exist
expected File /var/run/docker.sock to exist
× File /var/run/docker.sock should be socket
expected `File /var/run/docker.sock.socket?` to return true, got false
× File /var/run/docker.sock should be readable by owner
expected File /var/run/docker.sock to be readable by owner
× File /var/run/docker.sock should be writable by owner
expected File /var/run/docker.sock to be writable by owner
✔ File /var/run/docker.sock should not be executable by owner
× File /var/run/docker.sock should be readable by group
expected File /var/run/docker.sock to be readable by group
× File /var/run/docker.sock should be writable by group
expected File /var/run/docker.sock to be writable by group
✔ File /var/run/docker.sock should not be executable by group
✔ File /var/run/docker.sock should not be readable by other
✔ File /var/run/docker.sock should not be writable by other
✔ File /var/run/docker.sock should not be executable by other
× docker-3.17: Verify that daemon.json file ownership is set to root:root (4 failed)
× File /etc/docker/daemon.json should exist
expected File /etc/docker/daemon.json to exist
× File /etc/docker/daemon.json should be file
expected `File /etc/docker/daemon.json.file?` to return true, got false
× File /etc/docker/daemon.json should be owned by "root"
expected `File /etc/docker/daemon.json.owned_by?("root")` to return true, got false
× File /etc/docker/daemon.json should be grouped into "root"
expected `File /etc/docker/daemon.json.grouped_into?("root")` to return true, got false
× docker-3.18: Verify that /etc/docker/daemon.json file permissions are set to 644 or more restrictive (6 failed)
× File /etc/docker/daemon.json should exist
expected File /etc/docker/daemon.json to exist
× File /etc/docker/daemon.json should be file
expected `File /etc/docker/daemon.json.file?` to return true, got false
× File /etc/docker/daemon.json should be readable by owner
expected File /etc/docker/daemon.json to be readable by owner
× File /etc/docker/daemon.json should be writable by owner
expected File /etc/docker/daemon.json to be writable by owner
✔ File /etc/docker/daemon.json should not be executable by owner
× File /etc/docker/daemon.json should be readable by group
expected File /etc/docker/daemon.json to be readable by group
✔ File /etc/docker/daemon.json should not be writable by group
✔ File /etc/docker/daemon.json should not be executable by group
× File /etc/docker/daemon.json should be readable by other
expected File /etc/docker/daemon.json to be readable by other
✔ File /etc/docker/daemon.json should not be writable by other
✔ File /etc/docker/daemon.json should not be executable by other
× docker-3.19: Verify that /etc/default/docker file ownership is set to root:root (4 failed)
× File /etc/default/docker should exist
expected File /etc/default/docker to exist
× File /etc/default/docker should be file
expected `File /etc/default/docker.file?` to return true, got false
× File /etc/default/docker should be owned by "root"
expected `File /etc/default/docker.owned_by?("root")` to return true, got false
× File /etc/default/docker should be grouped into "root"
expected `File /etc/default/docker.grouped_into?("root")` to return true, got false
× docker-3.20: Verify that /etc/default/docker file permissions are set to 644 or more restrictive (6 failed)
× File /etc/default/docker should exist
expected File /etc/default/docker to exist
× File /etc/default/docker should be file
expected `File /etc/default/docker.file?` to return true, got false
× File /etc/default/docker should be readable by owner
expected File /etc/default/docker to be readable by owner
× File /etc/default/docker should be writable by owner
expected File /etc/default/docker to be writable by owner
✔ File /etc/default/docker should not be executable by owner
× File /etc/default/docker should be readable by group
expected File /etc/default/docker to be readable by group
✔ File /etc/default/docker should not be writable by group
✔ File /etc/default/docker should not be executable by group
× File /etc/default/docker should be readable by other
expected File /etc/default/docker to be readable by other
✔ File /etc/default/docker should not be writable by other
✔ File /etc/default/docker should not be executable by other
× docker-4.2: Use trusted base images for containers
× Environment variable DOCKER_CONTENT_TRUST content should eq "1"
expected: "1"
got: nil
(compared using ==)
↺ docker-4.3: Do not install unnecessary packages in the container
↺ Do not install unnecessary packages in the container
↺ docker-4.4: Rebuild the images to include security patches
↺ Rebuild the images to include security patches
× docker-4.5: Enable Content trust for Docker
× Environment variable DOCKER_CONTENT_TRUST content should eq "1"
expected: "1"
got: nil
(compared using ==)
↺ docker-4.8: Remove setuid and setgid permissions in the images
↺ Use DevSec Linux Baseline in Container
↺ docker-4.10: Do not store secrets in Dockerfiles
↺ Manually verify that you have not used secrets in images
↺ docker-4.11: Install verified packages only
↺ Manually verify that you installed verified packages
↺ docker-2.1: Restrict network traffic between containers
↺ No such file: /etc/docker/daemon.json
↺ docker-2.2: Set the logging level
↺ No such file: /etc/docker/daemon.json
↺ docker-2.3: Allow Docker to make changes to iptables
↺ No such file: /etc/docker/daemon.json
↺ docker-2.4: Do not use insecure registries
↺ No such file: /etc/docker/daemon.json
↺ docker-2.5: Do not use the aufs storage driver
↺ No such file: /etc/docker/daemon.json
↺ docker-2.6: Configure TLS authentication for Docker daemon
↺ No such file: /etc/docker/daemon.json
↺ docker-2.7: Set default ulimit as appropriate
↺ No such file: /etc/docker/daemon.json
↺ docker-2.8: Enable user namespace support (4 failed) (1 skipped)
↺ No such file: /etc/docker/daemon.json
× File /etc/subuid should exist
expected File /etc/subuid to exist
× File /etc/subuid should be file
expected `File /etc/subuid.file?` to return true, got false
× File /etc/subgid should exist
expected File /etc/subgid to exist
× File /etc/subgid should be file
expected `File /etc/subgid.file?` to return true, got false
↺ docker-2.9: Confirm default cgroup usage
↺ No such file: /etc/docker/daemon.json
↺ docker-2.10: Do not change base device size until needed
↺ No such file: /etc/docker/daemon.json
↺ docker-2.11: Use authorization plugin
↺ No such file: /etc/docker/daemon.json
↺ docker-2.12: Configure centralized and remote logging
↺ No such file: /etc/docker/daemon.json
↺ docker-2.13: Disable operations on legacy registry (v1)
↺ No such file: /etc/docker/daemon.json
↺ docker-2.14: Enable live restore
↺ No such file: /etc/docker/daemon.json
× docker-2.15: Do not enable swarm mode, if not needed
× #<Hashie::Mash> Swarm.LocalNodeState
undefined method `LocalNodeState' for nil:NilClass
↺ docker-2.16: Control the number of manager nodes in a swarm
↺ Skipped control due to only_if condition.
↺ docker-2.17: Bind swarm services to a specific host interface
↺ Skipped control due to only_if condition.
↺ docker-2.18: Disable Userland Proxy (1 failed) (1 skipped)
↺ No such file: /etc/docker/daemon.json
× [] should include "userland-proxy=false"
expected [] to include "userland-proxy=false"
↺ docker-2.19: Encrypt data exchanged between containers on different nodes on the overlay network
↺ Skipped control due to only_if condition.
↺ docker-2.20: Apply a daemon-wide custom seccomp profile, if needed
↺ No such file: /etc/docker/daemon.json
× docker-2.21: Avoid experimental features in production
× should eq "false"
expected: "false"
got: ""
(compared using ==)
↺ docker-2.22: Use Docker's secret management commands for managing secrets in a Swarm cluster
↺ Skipped control due to only_if condition.
↺ docker-2.23: Run swarm manager in auto-lock mode
↺ Skipped control due to only_if condition.
× host-1.1: Create a separate partition for containers
× Mount /var/lib/docker should be mounted
Mount /var/lib/docker is not mounted
↺ host-1.2: Use the updated Linux Kernel
↺ Skipped control due to only_if condition.
↺ host-1.3: Harden the container host
↺ Harden the container host. Use the Dev-Sec Hardening Framework
↺ host-1.4: Remove all non-essential services from the host
↺ Remove all non-essential services from the host. Use the Dev-Sec Hardening Framework
× host-1.5: Keep Docker up to date (2 failed)
× Docker Host version.Client.Version
undefined method `Version' for nil:NilClass
× Docker Host version.Server.Version
undefined method `Version' for nil:NilClass
× host-1.6: Only allow trusted users to control Docker daemon (1 failed)
✔ Group docker should exist
× #<Inspec::Resources::EtcGroupView:0x00005590d9410810> users should include "vagrant"
expected ["user"] to include "vagrant"
× host-1.7: Audit docker daemon (4 failed)
× Auditd Rules lines should include "-w /usr/bin/docker -p rwxa -k docker"
expected [] to include "-w /usr/bin/docker -p rwxa -k docker"
× Service auditd should be installed
expected that `Service auditd` is installed
× Service auditd should be enabled
expected that `Service auditd` is enabled
× Service auditd should be running
expected that `Service auditd` is running
× host-1.8: Audit Docker files and directories - /var/lib/docker
× Auditd Rules lines should include "-w /var/lib/docker/ -p rwxa -k docker"
expected [] to include "-w /var/lib/docker/ -p rwxa -k docker"
× host-1.9: Audit Docker files and directories - /etc/docker
× Auditd Rules lines should include "-w /etc/docker/ -p rwxa -k docker"
expected [] to include "-w /etc/docker/ -p rwxa -k docker"
× host-1.10: Audit Docker files and directories - docker.service
× Auditd Rules lines should include "-w /usr/lib/systemd/system/docker.service -p rwxa -k docker"
expected [] to include "-w /usr/lib/systemd/system/docker.service -p rwxa -k docker"
× host-1.11: Audit Docker files and directories - docker.socket
× Auditd Rules lines should include "-w /usr/lib/systemd/system/docker.socket -p rwxa -k docker"
expected [] to include "-w /usr/lib/systemd/system/docker.socket -p rwxa -k docker"
× host-1.12: Audit Docker files and directories - /etc/default/docker
× Auditd Rules lines should include "-w /etc/default/docker -p rwxa -k docker"
expected [] to include "-w /etc/default/docker -p rwxa -k docker"
× host-1.13: Audit Docker files and directories - /etc/docker/daemon.json
× Auditd Rules lines should include "-w /etc/docker/daemon.json -p rwxa -k docker"
expected [] to include "-w /etc/docker/daemon.json -p rwxa -k docker"
× host-1.14: Audit Docker files and directories - /usr/bin/docker-containerd
× Auditd Rules lines should include "-w /usr/bin/docker-containerd -p rwxa -k docker"
expected [] to include "-w /usr/bin/docker-containerd -p rwxa -k docker"
× host-1.15: Audit Docker files and directories - /usr/bin/docker-runc
× Auditd Rules lines should include "-w /usr/bin/docker-runc -p rwxa -k docker"
expected [] to include "-w /usr/bin/docker-runc -p rwxa -k docker"
↺ docker-6.1: Perform regular security audits of your host system and containers
↺ Perform regular security audits of your host system and containers
↺ docker-6.2: Monitor Docker containers usage, performance and metering
↺ Monitor Docker containers usage, performance and metering
↺ docker-6.3: Backup container data
↺ Backup container data
✔ host-6.4: Avoid image sprawl
✔ [] should be empty
✔ host-6.5: Avoid container sprawl
✔ 0 should be <= 25
Profile Summary: 9 successful controls, 33 control failures, 34 controls skipped
Test Summary: 65 successful, 95 failures, 36 skipped
I just had the same (or, say, a similar) issue; it can occur depending on what your specs actually execute and want to output using inspec's reporter (/inspec/reporters/cli.rb:144 in the error message).
In my case it was the docker history command, which truncates overlong entries with a UTF-8 "..." dash, like:
7d652170a458 8 weeks ago /bin/sh -c apt-get update -y -q && apt-get … 117MB
I think this is more of an issue with the inspec reporters regarding UTF-8 handling? However, in my case I fixed this using docker's --no-trunc option in the spec.
I still have no clue why this pops up, since I'm running on debian:9 and have all the LANGUAGE, LC_ALL, ... env vars set.
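An added Ruby example (not code from the cis-docker-benchmark profile or from InSpec itself) of one mechanism that produces this class of reporter error: when a command's stdout is read as raw bytes (ASCII-8BIT) and contains the U+2026 ellipsis that `docker history` uses for truncation, Ruby refuses to concatenate it with a UTF-8 string carrying the reporter's ✔/× glyphs, while the full `--no-trunc` line, being pure ASCII, concatenates without error. The two `docker history` lines and the `raw_stdout` helper are constructed to mimic the behaviour described in the comment above; that this is exactly what happens at cli.rb:144 is an assumption. The hardened variant declares the bytes as UTF-8 and scrubs any invalid sequences before use.

```ruby
# encoding: utf-8
# Added example, not part of the cis-docker-benchmark profile or InSpec.
# Shows why a UTF-8 ellipsis in truncated `docker history` output can break
# a reporter that treats command output as raw bytes, and one safe fix.

# Constructed sample: `docker history` with the CREATED BY column truncated
# using U+2026 (the line quoted in the thread).
TRUNCATED_OUTPUT = "7d652170a458 8 weeks ago /bin/sh -c apt-get update -y -q && apt-get … 117MB\n"

# Constructed sample: the same layer as `docker history --no-trunc` would
# print it (the full command text is hypothetical).
FULL_OUTPUT = "7d652170a458 8 weeks ago /bin/sh -c apt-get update -y -q && apt-get install -y curl 117MB\n"

# Mimics a command resource returning stdout as raw bytes (ASCII-8BIT).
def raw_stdout(str)
  str.dup.force_encoding(Encoding::BINARY)
end

# Naive reporter: prefixes a UTF-8 status glyph to the raw output.
# Raises Encoding::CompatibilityError when the binary string holds
# non-ASCII bytes (here the three bytes of U+2026).
def naive_report(stdout)
  "✔ history: " + stdout
end

# true when the naive reporter cannot render this output.
def report_fails?(stdout)
  naive_report(stdout)
  false
rescue Encoding::CompatibilityError
  true
end

# Hardened reporter: declare the bytes as UTF-8 and replace any invalid
# byte sequences, so concatenation with UTF-8 glyphs always succeeds.
def safe_report(stdout)
  text = stdout.dup.force_encoding(Encoding::UTF_8).scrub("?")
  "✔ history: " + text
end

# Detects whether docker truncated the line (U+2026 present after decoding).
def contains_ellipsis?(stdout)
  stdout.dup.force_encoding(Encoding::UTF_8).include?("\u2026")
end

if $PROGRAM_NAME == __FILE__
  puts "truncated output breaks naive reporter: #{report_fails?(raw_stdout(TRUNCATED_OUTPUT))}"
  puts "--no-trunc output breaks naive reporter: #{report_fails?(raw_stdout(FULL_OUTPUT))}"
  puts safe_report(raw_stdout(TRUNCATED_OUTPUT))
end
```

Using `docker history --no-trunc` in the spec, as the comment suggests, removes the ellipsis at the source; the `safe_report` approach additionally covers any other non-ASCII text a command might emit (image labels, maintainer names), which `--no-trunc` alone does not.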
Fixed in #53; please reopen if the issue still applies.
..so I updated my inspec version so as to move ahead from this issue.
Just so that you know, I used a
chef gem update inspec
command to update my inspec gem. Post which, I had to manually edit the /opt/chefdk/bin/inspec
file to update the inspec versions. What am I missing?