docker / docker-bench-security

The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.
Apache License 2.0

Small improvement of user experience #467

Closed razvanstoica89 closed 3 years ago

razvanstoica89 commented 3 years ago

Add details about remediation measures for host configuration tests

konstruktoid commented 3 years ago

Thanks @razvanstoica89, and it was a humble title you picked, calling this PR "small".

konstruktoid commented 3 years ago

Loads of updates 👍 Will test as soon as possible.

konstruktoid commented 3 years ago

Can you poke me @razvanstoica89 when you believe you are finished with this PR so I can start testing? No need to test if it's a work in progress.

razvanstoica89 commented 3 years ago

Yes of course. Thanks

razvanstoica89 commented 3 years ago

@konstruktoid Let me know if you want me to make any changes or if you find any bugs. In the coming days i will add more remediation stuff. After that I will finish this pull-request.

razvanstoica89 commented 3 years ago

@konstruktoid I think I'm done with this PR.

konstruktoid commented 3 years ago

Will start testing as soon as possible.

konstruktoid commented 3 years ago

The JSON file doesn't seem to be valid.

$ jq log/docker-bench-security.sh.log.json 
jq: error: docker/0 is not defined at <top-level>, line 1:
log/docker-bench-security.sh.log.json    
jq: error: bench/0 is not defined at <top-level>, line 1:
log/docker-bench-security.sh.log.json           
jq: error: security/0 is not defined at <top-level>, line 1:
log/docker-bench-security.sh.log.json                 
jq: 3 compile errors

konstruktoid commented 3 years ago

Since you've created the log directory, perhaps rename without the .sh extension

razvanstoica89 commented 3 years ago

> The JSON file doesn't seem to be valid.
>
> $ jq log/docker-bench-security.sh.log.json 
> jq: error: docker/0 is not defined at <top-level>, line 1:
> log/docker-bench-security.sh.log.json    
> jq: error: bench/0 is not defined at <top-level>, line 1:
> log/docker-bench-security.sh.log.json           
> jq: error: security/0 is not defined at <top-level>, line 1:
> log/docker-bench-security.sh.log.json                 
> jq: 3 compile errors

Looks like you're trying to validate that the string "log/docker-bench-security.sh.log.json" is valid JSON. I think a better approach is cat log/docker-bench-security.log.json | jq empty.

As far as I know, the only way you can get an invalid JSON log is to stop the script manually while it is running. Even if you run it again, you will be left with an invalid JSON log.

konstruktoid commented 3 years ago

Running a standard installation without any containers:

Section A - Check results

[INFO] 1 - Host Configuration
[INFO] 1.1 - General Configuration
[NOTE] 1.1.1  - Ensure the container host has been Hardened (Not Scored)
[INFO] -c
[INFO]        * Using 20.10.5, verify is it up to date as deemed necessary
[INFO]        * Your operating system vendor may provide support and security maintenance for Docker
[INFO] 1.2 - Linux Hosts Specific Configuration
WARNING: No swap limit support
[WARN] -s
[INFO] -c
[INFO]       * Users: vagrant
[WARN] -s
[WARN] -s
[WARN] -s
[WARN] -s
[WARN] -s
[WARN] -s
[INFO] -c
[INFO]        * File not found
[INFO] -c
[INFO]         * File not found
[WARN] -s
[INFO] -c
[INFO]         * File not found

[INFO] 2 - Docker daemon configuration 
[WARN] -s
[PASS] -s
[PASS] -s
[PASS] -s
[PASS] -s
[INFO] -c
[INFO]      * Docker daemon not listening on TCP
[INFO] -c
[INFO]      * Default ulimit doesn't appear to be set
[WARN] -s
[PASS] -s

konstruktoid commented 3 years ago

> Looks like you're trying to validate that the string "log/docker-bench-security.sh.log.json" is valid JSON. I think a better approach is cat log/docker-bench-security.log.json | jq empty.

You are correct, cat log/docker-bench-security.log.json | jq -r works.

razvanstoica89 commented 3 years ago

Did you manage to test the changes I made?

konstruktoid commented 3 years ago

> Did you manage to test the changes I made?

Yeah, but https://github.com/docker/docker-bench-security/pull/467#issuecomment-809282467 still exists.

razvanstoica89 commented 3 years ago

> > Did you manage to test the changes I made?
>
> Yeah, but #467 (comment) still exists.

Yes, you are right. With d0443cc I solved the problem reported in https://github.com/docker/docker-bench-security/pull/467#issuecomment-809282467, but I didn't let you know.

konstruktoid commented 3 years ago

~$ git clone https://github.com/docker/docker-bench-security
Cloning into 'docker-bench-security'...
[...]
~$ cd docker-bench-security/
~$ git checkout -b razvanstoica89-master master
[...]
~$ git pull git://github.com/razvanstoica89/docker-bench-security.git master
[...]
~$ git log | grep -A3 d0443c
commit d0443cc817cf17452f41510954e450a320b59c6a
Author: Razvan Stoica <razvan.stoica89@gmail.com>
Date:   Mon Mar 29 15:22:14 2021 +0300
~$ curl -sSL get.docker.com | sh
[...]
$ sudo bash ./docker-bench-security.sh
# --------------------------------------------------------------------------------------------
# Docker Bench for Security v1.3.6
#
# Docker, Inc. (c) 2015-2021
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Benchmark v1.2.0.
# --------------------------------------------------------------------------------------------

Initializing 2021-04-08T20:42:29+00:00

Section A - Check results

[INFO] 1 - Host Configuration
[INFO] 1.1 - General Configuration
[NOTE] 1.1.1  - Ensure the container host has been Hardened (Not Scored)
[PASS] -c
[INFO]        * Using 20.10.5, verify is it up to date as deemed necessary
[INFO] 1.2 - Linux Hosts Specific Configuration
WARNING: No swap limit support
[WARN] -s
[INFO] -c
[INFO]       * Users:
[WARN] -s
[WARN] -s
[WARN] -s
[WARN] -s
[WARN] -s
[WARN] -s
[INFO] -c
[INFO]        * File not found
[INFO] -c
[INFO]         * File not found
[WARN] -s
[INFO] -c
[INFO]         * File not found

[INFO] 2 - Docker daemon configuration
[WARN] -s
[PASS] -s
[PASS] -s
[PASS] -s
[PASS] -s
[INFO] -c
[INFO]      * Docker daemon not listening on TCP

razvanstoica89 commented 3 years ago

Please test it using the sudo sh ./docker-bench-security.sh command as recommended in the original README.md file.

konstruktoid commented 3 years ago

sh is linked to bash on multiple distributions.

$ sudo sh ./docker-bench-security.sh
# --------------------------------------------------------------------------------------------
# Docker Bench for Security v1.3.6
#
# Docker, Inc. (c) 2015-2021
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Benchmark v1.2.0.
# --------------------------------------------------------------------------------------------

Initializing 2021-04-09T09:52:09+00:00

Section A - Check results

[INFO] 1 - Host Configuration
[INFO] 1.1 - General Configuration
[NOTE] 1.1.1  - Ensure the container host has been Hardened (Not Scored)
[PASS] -c
[INFO]        * Using 20.10.5, verify is it up to date as deemed necessary
[INFO] 1.2 - Linux Hosts Specific Configuration
[WARN] -s
[INFO] -c
[INFO]       * Users: 
[WARN] -s
[WARN] -s
[WARN] -s
[WARN] -s
[WARN] -s
[INFO] -c
[INFO]        * File not found
[INFO] -c
[INFO]        * File not found
[INFO] -c
[INFO]         * File not found
[WARN] -s
[INFO] -c
[INFO]         * File not found

[INFO] 2 - Docker daemon configuration
[WARN] -s
[PASS] -s
[PASS] -s
[PASS] -s
[PASS] -s
[INFO] -c
[INFO]      * Docker daemon not listening on TCP
^C
$ ls -l $(which sh)
lrwxrwxrwx. 1 root root 4 Jan 12 08:24 /usr/bin/sh -> bash
$ cat /etc/redhat-release 
CentOS Stream release 8
$ 

razvanstoica89 commented 3 years ago

I think I managed to fix this bug: https://github.com/docker/docker-bench-security/pull/467#issuecomment-816567569

konstruktoid commented 3 years ago

Looks good, but I'm not sure about those impact statements. E.g. [INFO] 5.31 - You should ensure that no containers mount docker.sock as a volume. Impact: None. Mounting docker.sock is basically server ownership.

razvanstoica89 commented 3 years ago

These impact statements refer to the impact of the implementation of remedial measures. Not to the impact that the lack of implementation of remedial measures has.

Keep in mind that in very few situations or use cases, you want to mount docker.sock even if it is definitely not recommended. Example: Portainer.io

konstruktoid commented 3 years ago

Looks good! And thanks for this massive, massive contribution.