update control 2.1 to 2.7

atomic111 · atomic111 · commit 65ed7262cefc · 2017-04-04T15:39:41.000+02:00
Signed-off-by: Patrick Münch &lt;patrick.muench1111@gmail.com&gt;
diff --git a/controls/docker_level1.rb b/controls/docker_level1.rb
@@ -60,8 +60,8 @@
   impact 1.0
   title 'Restrict network traffic between containers'
   desc 'By default, all network traffic is allowed between containers on the same host. If not desired, restrict all the intercontainer communication. Link specific containers together that require inter communication.'
-  ref 'https://docs.docker.com/engine/userguide/networking/default_network/container-communication/'
-  ref 'https://entwickler.de/online/development/docker-netzwerk-container-microservices-126443.html'
+  tag 'daemon'
+  ref 'Docker container networking', url: 'https://docs.docker.com/engine/userguide/networking/'
 
   describe json('/etc/docker/daemon.json') do
     its(['icc']) { should eq(false) }
@@ -72,7 +72,8 @@
   impact 1.0
   title 'Set the logging level'
   desc 'Setting up an appropriate log level, configures the Docker daemon to log events that you would want to review later. A ase log level of \'info\' and above would capture all logs except debug logs. Until and unless required, you should not run docker daemon at \'debug\' log level.'
-  ref 'https://docs.docker.com/engine/reference/commandline/daemon/'
+  tag 'daemon'
+  ref 'Docker daemon', url: 'https://docs.docker.com/engine/reference/commandline/daemon/'
 
   describe json('/etc/docker/daemon.json') do
     its(['log-level']) { should eq('info') }
@@ -83,6 +84,7 @@
   impact 1.0
   title 'Allow Docker to make changes to iptables'
   desc 'Iptables are used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Allow the Docker daemon to make changes to the iptables.'
+  tag 'daemon'
   ref 'https://docs.docker.com/v1.8/articles/networking/'
 
   describe json('/etc/docker/daemon.json') do
@@ -94,7 +96,8 @@
   impact 1.0
   title 'Do not use insecure registries'
   desc 'Docker considers a private registry either secure or insecure. By default, registries are considered secure.'
-  ref 'https://docs.docker.com/registry/insecure/'
+  tag 'daemon'
+  ref 'Insecure registry', url: 'https://docs.docker.com/registry/insecure/'
 
   describe json('/etc/docker/daemon.json') do
     its(['insecure-registries']) { should be_empty }
@@ -105,10 +108,11 @@
   impact 1.0
   title 'Do not use the aufs storage driver'
   desc 'The \'aufs\' storage driver is the oldest storage driver. It is based on a Linux kernel patch-set that is unlikely to be merged into the main Linux kernel. \'aufs\' driver is also known to cause some serious kernel crashes. \'aufs\' just has legacy support from Docker. Most importantly, \'aufs\' is not a supported driver in many Linux distributions using latest Linux kernels.'
-  ref 'https://docs.docker.com/engine/reference/commandline/cli/#daemon-storage-driver-option'
-  ref 'https://github.com/docker/docker/issues/6047'
-  ref 'http://muehe.org/posts/switching-docker-from-aufs-to-devicemapper/'
-  ref 'http://jpetazzo.github.io/assets/2015-03-05-deep-dive-into-docker-storage-drivers.html#1'
+  tag 'daemon'
+  ref 'Docker daemon storage driver options', url: 'https://docs.docker.com/engine/reference/commandline/cli/#daemon-storage-driver-option'
+  ref 'permission denied if chown after chmod', url: 'https://github.com/docker/docker/issues/6047'
+  ref 'Switch from aufs to devicemapper', url: 'http://muehe.org/posts/switching-docker-from-aufs-to-devicemapper/'
+  ref 'Deep dive into docker storage drivers', url: 'http://jpetazzo.github.io/assets/2015-03-05-deep-dive-into-docker-storage-drivers.html#1'
 
   describe json('/etc/docker/daemon.json') do
     its(['storage-driver']) { should_not eq('aufs') }
@@ -119,10 +123,8 @@
   impact 1.0
   title 'Configure TLS authentication for Docker daemon'
   desc 'It is possible to make the Docker daemon to listen on a specific IP and port and any other Unix socket other than default Unix socket. Configure TLS authentication to restrict access to Docker daemon via IP and port.'
-  ref 'https://docs.docker.com/engine/security/https/'
-  ref 'http://www.hnwatcher.com/r/1644394/Intro-to-Docker-Swarm-Part-2-Comfiguration-Modes-and-Requirements'
-  ref 'http://www.blackfinsecurity.com/docker-swarm-with-tls-authentication/'
-  ref 'http://tech.paulcz.net/2016/01/secure-docker-with-tls/'
+  tag 'daemon'
+  ref 'Protect Docker deamon socket', url: 'https://docs.docker.com/engine/security/https/'
 
   describe json('/etc/docker/daemon.json') do
     its(['tls']) { should eq(true) }
@@ -145,8 +147,8 @@
   impact 1.0
   title 'Set default ulimit as appropriate'
   desc 'ulimit provides control over the resources available to the shell and to processes started by it. Setting system resource limits judiciously saves you from many disasters such as a fork bomb. Sometimes, even friendly users and legitimate processes can overuse system resources and in-turn can make the system unusable.'
-  tag 'Bug: default-ulimits seems broken in daemon.json https://github.com/docker/docker/issues/22309'
-  ref 'https://docs.docker.com/engine/reference/commandline/daemon/#default-ulimits'
+  tag 'daemon'
+  ref 'Docker daemon deafult ulimits', url: 'https://docs.docker.com/engine/reference/commandline/daemon/#default-ulimits'
 
   describe json('/etc/docker/daemon.json') do
     its(['default-ulimits', 'nproc']) { should eq('1024:2408') }
