Open dhrapson opened 2 years ago
Thanks for creating this issue @dhrapson, I'll have a look as soon as possible.
So sorry for the long delay @dhrapson, could you please test https://github.com/docker/docker-bench-security/pull/501?
Hello @konstruktoid. I wanted to notify you that this fix is unfortunately not working as expected. It now works incorrectly with the 2.7 check and does not provide positive results at all with some configurations of daemon.json.
"hosts": [ "tcp://127.0.0.1:2376", "unix:///var/run/docker.sock" ],
I have this configuration in daemon.json, and then `grep -E "host.*tcp://" /etc/docker/daemon.json` will not show anything.
If I set the configuration to:
"hosts": ["tcp://127.0.0.1:2376","unix:///var/run/docker.sock"],
the code will return the error `docker-bench-security.sh: 157: [: "hosts":: unexpected operator`, I assume because grep will return `[` in the output.
I think that it could be fixed by `grep -Ez`, but it will still return the `docker-bench-security.sh: 157: [: "hosts":: unexpected operator` error.
Please take a look
For me, I solved the issue like this:
$(grep -Ez 'host.*tcp://([0-9].)+' "$CONFIG_FILE" | grep -Ea 'tcp://([0-9].)+')
But it will not help if there are other tcp addresses in the code; unfortunately I didn't have enough time to take a deeper look into it.
Yeah, the drawbacks of parsing JSON using shell.
I guess the best way would be to add `jq` to the dependencies and use that to parse the config, and use the current semi-working code as a fallback.
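To show why a real JSON parser sidesteps the whitespace and `[`-in-output problems described above, here is an added example (not docker-bench-security's own code, and in Python rather than the script's shell) that reproduces the intent of check 2.7 over the two `"hosts"` spellings quoted in this thread; it also goes beyond the thread by passing a TCP listener when `tls`/`tlsverify` is enabled. It assumes daemon.json is valid JSON, and the sample configs are constructed.

```python
"""Added example: a structured check-2.7 style test that parses daemon.json
instead of grepping it. Not docker-bench-security's own code."""
import json

# daemon.json keys that turn on TLS for a TCP listener (assumed sufficient
# for this illustration; the real check also inspects cert/key paths).
TLS_KEYS = ("tls", "tlsverify")


def tcp_hosts(config_text):
    """Return the tcp:// entries of the "hosts" array in a daemon.json document.

    A JSON parser is indifferent to whitespace, so both spellings of the
    "hosts" array quoted in the thread give the same answer.
    """
    cfg = json.loads(config_text)
    hosts = cfg.get("hosts", [])
    if isinstance(hosts, str):  # tolerate a single host given as a bare string
        hosts = [hosts]
    return [h for h in hosts if h.startswith("tcp://")]


def check_2_7(config_text):
    """WARN only when the daemon listens on TCP and neither "tls" nor
    "tlsverify" is true; PASS otherwise (including unix-socket-only setups)."""
    cfg = json.loads(config_text)
    tcp = tcp_hosts(config_text)
    if not tcp:
        return ("PASS", "Docker daemon not listening on TCP")
    if any(cfg.get(k) is True for k in TLS_KEYS):
        return ("PASS", "TCP listener with TLS enabled: " + ", ".join(tcp))
    return ("WARN", "Docker daemon currently listening on TCP without TLS: " + ", ".join(tcp))


# Constructed samples mirroring the formats quoted in the thread.
SPACED = '{ "hosts": [ "tcp://127.0.0.1:2376", "unix:///var/run/docker.sock" ] }'
COMPACT = '{"hosts":["tcp://127.0.0.1:2376","unix:///var/run/docker.sock"]}'
UNIX_ONLY = '{ "hosts": [ "unix:///var/run/docker.sock" ] }'
TLS_CFG = '{"hosts":["tcp://0.0.0.0:2376"],"tlsverify":true,"tlscacert":"/etc/docker/ca.pem"}'

if __name__ == "__main__":
    for name, cfg in [("spaced", SPACED), ("compact", COMPACT),
                      ("unix-only", UNIX_ONLY), ("tls", TLS_CFG)]:
        status, reason = check_2_7(cfg)
        print(f"[{status}] {name}: {reason}")
```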
I'm using this excellent utility to assess compliance. We set the following in our /etc/docker/daemon.json:
Doing this causes check_2_7 to trigger incorrectly because of the logic in this line: https://github.com/docker/docker-bench-security/blob/cd1619c375c0867d58655d30a216a928ba825507/tests/2_docker_daemon_configuration.sh#L157
The output is `[WARN] * Docker daemon currently listening on TCP without TLS` when it is not listening on TCP at all.