|
43 | 43 | title 'Create a separate partition for containers' |
44 | 44 | desc 'All Docker containers and their data and metadata is stored under /var/lib/docker directory. By default, /var/lib/docker would be mounted under / or /var partitions based on availability.' |
45 | 45 | tag 'host' |
46 | | - ref 'http://www.projectatomic.io/docs/docker-storage-recommendation/' |
| 46 | + ref 'Docker storage recommendation', url: 'http://www.projectatomic.io/docs/docker-storage-recommendation/' |
47 | 47 |
|
48 | 48 | describe mount('/var/lib/docker') do |
49 | 49 | it { should be_mounted } |
|
55 | 55 | title 'Use the updated Linux Kernel' |
56 | 56 | desc 'Docker in daemon mode has specific kernel requirements. A 3.10 Linux kernel is the minimum requirement for Docker.' |
57 | 57 | tag 'host' |
58 | | - ref 'https://docs.docker.com/engine/installation/binaries/#check-kernel-dependencies' |
59 | | - ref 'https://docs.docker.com/engine/installation/#installation-list' |
| 58 | + ref 'Check kernel dependencies', url: 'https://docs.docker.com/engine/installation/binaries/#check-kernel-dependencies' |
| 59 | + ref 'Installation list', url: 'https://docs.docker.com/engine/installation/#installation-list' |
60 | 60 |
|
61 | 61 | kernel_version = command('uname -r | grep -o \'^\w\.\w*\.\w*\'').stdout |
62 | 62 | kernel_compare = Gem::Version.new('3.10') <= Gem::Version.new(kernel_version) |
|
71 | 71 | title 'Harden the container host' |
72 | 72 | desc 'Containers run on a Linux host. A container host can run one or more containers. It is of utmost importance to harden the host to mitigate host security misconfiguration' |
73 | 73 | tag 'host' |
74 | | - ref 'http://dev-sec.io' |
75 | | - ref 'https://docs.docker.com/articles/security/' |
76 | | - ref 'https://docs.docker.com/engine/security/security/' |
77 | | - ref 'https://benchmarks.cisecurity.org/downloads/multiform/index.cfm' |
78 | | - ref 'http://docs.docker.com/articles/security/#other-kernel-security-features' |
79 | | - ref 'https://grsecurity.net/' |
80 | | - ref 'https://en.wikibooks.org/wiki/Grsecurity' |
81 | | - ref 'https://pax.grsecurity.net/' |
82 | | - ref 'http://en.wikipedia.org/wiki/PaX' |
| 74 | + ref 'Hardening Framework dev-sec.io', url: 'http://dev-sec.io' |
| 75 | + ref 'Docker security article', url: 'https://docs.docker.com/engine/security/security/' |
| 76 | + ref 'CIS Benchmarks', url: 'https://benchmarks.cisecurity.org/downloads/multiform/index.cfm' |
| 77 | + ref 'grsecurity', url: 'https://grsecurity.net/' |
| 78 | + ref 'grsecurity Wiki', url: 'https://en.wikibooks.org/wiki/Grsecurity' |
| 79 | + ref 'Homepage of The PaX Team', url: 'https://pax.grsecurity.net/' |
| 80 | + ref 'PAX Wiki', url: 'http://en.wikipedia.org/wiki/PaX' |
83 | 81 | end |
84 | 82 |
|
85 | 83 | control 'cis-docker-benchmark-1.4' do |
86 | 84 | impact 1.0 |
87 | 85 | title 'Remove all non-essential services from the host' |
88 | 86 | desc 'Ensure that the host running the docker daemon is running only the essential services.' |
89 | 87 | tag 'host' |
90 | | - ref 'https://blog.docker.com/2013/08/containers-docker-how-secure-are-they/' |
| 88 | + ref 'Containers & Docker: How Secure Are They?', url: 'https://blog.docker.com/2013/08/containers-docker-how-secure-are-they/' |
91 | 89 | end |
92 | 90 |
|
93 | 91 | control 'cis-docker-benchmark-1.5' do |
94 | 92 | impact 1.0 |
95 | 93 | title 'Keep Docker up to date' |
96 | 94 | desc 'The docker container solution is evolving to maturity and stability at a rapid pace. Like any other software, the vendor releases regular updates for Docker software that address security vulnerabilities, product bugs and bring in new functionality.' |
97 | 95 | tag 'host' |
98 | | - ref 'https://docs.docker.com/installation/' |
99 | | - ref 'https://github.com/docker/docker/releases/latest' |
| 96 | + ref 'Docker installation', url: 'https://docs.docker.com/installation/' |
| 97 | + ref 'Docker releases', url: 'https://github.com/docker/docker/releases/latest' |
100 | 98 |
|
101 | 99 | docker_server_version = command('docker version --format \'{{.Server.Version}}\'').stdout |
102 | | - docker_server_compare = Gem::Version.new('1.13.1') <= Gem::Version.new(docker_server_version) |
| 100 | + docker_server_compare = Gem::Version.new('17.03') <= Gem::Version.new(docker_server_version) |
103 | 101 |
|
104 | 102 | docker_client_version = command('docker version --format \'{{.Client.Version}}\'').stdout |
105 | | - docker_client_compare = Gem::Version.new('1.13.1') <= Gem::Version.new(docker_client_version) |
| 103 | + docker_client_compare = Gem::Version.new('17.03') <= Gem::Version.new(docker_client_version) |
106 | 104 |
|
107 | 105 | describe docker_server_compare do |
108 | 106 | it { should eq true } |
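Review bot: The new minimum in `docker_server_compare` is still compared against the raw `docker version` output, and `Gem::Version` rewrites a dash as a prerelease marker (`17.03.0-ce` becomes `17.03.0.pre.ce`), which sorts below `17.03`, so a host running exactly the minimum edition-suffixed release fails this control; the same applies to `docker_client_compare` three lines further down. Stripping the edition suffix before comparing fixes both sides, e.g. `docker_server_version = command('docker version --format \'{{.Server.Version}}\'').stdout.strip.sub(/-.*\z/, '')` and the matching line for the client. It would also help to document the fail-closed behaviour with a comment such as `# empty output (daemon unreachable) does not satisfy the minimum, so the control fails rather than passes`, assuming that is the intended outcome. The control's `end` lies outside this hunk.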
|
118 | 116 | title 'Only allow trusted users to control Docker daemon' |
119 | 117 | desc 'The Docker daemon currently requires \'root\' privileges. A user added to the \'docker\' group gives him full \'root\' access rights' |
120 | 118 | tag 'host' |
121 | | - ref 'https://docs.docker.com/articles/security/#docker-daemon-attack-surface' |
122 | | - ref 'https://www.andreas-jung.com/contents/on-docker-security-docker-group-considered-harmful' |
123 | | - ref 'http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/' |
| 119 | + ref 'On Docker security: docker group considered harmful', url: 'https://www.andreas-jung.com/contents/on-docker-security-docker-group-considered-harmful' |
| 120 | + ref 'Why we do not let non-root users run Docker in CentOS, Fedora, or RHEL', url: 'http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/' |
124 | 121 |
|
125 | 122 | describe group('docker') do |
126 | 123 | it { should exist } |
|
136 | 133 | title 'Audit docker daemon' |
137 | 134 | desc 'Apart from auditing your regular Linux file system and system calls, audit Docker daemon as well. Docker daemon runs with \'root\' privileges. It is thus necessary to audit its activities and usage.' |
138 | 135 | tag 'host' |
139 | | - ref 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html' |
| 136 | + ref 'System auditing', url: 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html' |
140 | 137 |
|
141 | 138 | describe auditd_rules do |
142 | 139 | its(:lines) { should include('-w /usr/bin/docker -p rwxa -k docker') } |
143 | 140 | end |
144 | | - describe service('auditd') do |
| 141 | + describe service('auditd') do |
145 | 142 | it { should be_installed } |
146 | 143 | it { should be_enabled } |
147 | 144 | it { should be_running } |
|
152 | 149 | impact 1.0 |
153 | 150 | title 'Audit Docker files and directories - /var/lib/docker' |
154 | 151 | desc 'Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with \'root\' privileges. Its behavior depends on some key files and directories. /var/lib/docker is one such directory. It holds all the information about containers. It must be audited.' |
155 | | - ref 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html' |
| 152 | + tag 'host' |
| 153 | + ref 'System auditing', url: 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html' |
156 | 154 |
|
157 | 155 | describe auditd_rules do |
158 | 156 | its(:lines) { should include('-w /var/lib/docker/ -p rwxa -k docker') } |
|
163 | 161 | impact 1.0 |
164 | 162 | title 'Audit Docker files and directories - /etc/docker' |
165 | 163 | desc 'Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with \'root\' privileges. Its behavior depends on some key files and directories. /etc/docker is one such directory. It holds various certificates and keys used for TLS communication between Docker daemon and Docker client. It must be audited.' |
166 | | - ref 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html' |
| 164 | + tag 'host' |
| 165 | + ref 'System auditing', url: 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html' |
167 | 166 |
|
168 | 167 | describe auditd_rules do |
169 | 168 | its(:lines) { should include('-w /etc/docker/ -p rwxa -k docker') } |
|
174 | 173 | impact 1.0 |
175 | 174 | title 'Audit Docker files and directories - docker.service' |
176 | 175 | desc 'Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with \'root\' privileges. Its behavior depends on some key files and directories. docker.service is one such file. The docker.service file might be present if the daemon parameters have been changed by an administrator. It holds various parameters for Docker daemon. It must be audited, if applicable.' |
177 | | - ref 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html' |
| 176 | + tag 'host' |
| 177 | + ref 'System auditing', url: 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html' |
178 | 178 |
|
179 | 179 | if docker.path |
180 | 180 | rule = '-w ' + docker.path + ' -p rwxa -k docker' |
|