add cis tags for control 1.1 to 2.16

Signed-off-by: Patrick Münch <patrick.muench1111@gmail.com>

Author: atomic111

controls/docker_host_os_level1.rb

@@ -43,6 +43,7 @@
   title 'Create a separate partition for containers'
   desc 'All Docker containers and their data and metadata is stored under /var/lib/docker directory. By default, /var/lib/docker would be mounted under / or /var partitions based on availability.'
   tag 'host'
+  tag cis: '1.1'
   ref 'Docker storage recommendation', url: 'http://www.projectatomic.io/docs/docker-storage-recommendation/'
 
   describe mount('/var/lib/docker') do
@@ -55,6 +56,7 @@
   title 'Use the updated Linux Kernel'
   desc 'Docker in daemon mode has specific kernel requirements. A 3.10 Linux kernel is the minimum requirement for Docker.'
   tag 'host'
+  tag cis: '1.2'
   ref 'Check kernel dependencies', url: 'https://docs.docker.com/engine/installation/binaries/#check-kernel-dependencies'
   ref 'Installation list', url: 'https://docs.docker.com/engine/installation/#installation-list'
 
@@ -71,6 +73,7 @@
   title 'Harden the container host'
   desc 'Containers run on a Linux host. A container host can run one or more containers. It is of utmost importance to harden the host to mitigate host security misconfiguration'
   tag 'host'
+  tag cis: '1.3'
   ref 'Hardening Framework dev-sec.io', url: 'http://dev-sec.io'
   ref 'Docker security article', url: 'https://docs.docker.com/engine/security/security/'
   ref 'CIS Benchmarks', url: 'https://benchmarks.cisecurity.org/downloads/multiform/index.cfm'
@@ -85,6 +88,7 @@
   title 'Remove all non-essential services from the host'
   desc 'Ensure that the host running the docker daemon is running only the essential services.'
   tag 'host'
+  tag cis: '1.4'
   ref 'Containers & Docker: How Secure Are They?', url: 'https://blog.docker.com/2013/08/containers-docker-how-secure-are-they/'
 end
 
@@ -93,6 +97,7 @@
   title 'Keep Docker up to date'
   desc 'The docker container solution is evolving to maturity and stability at a rapid pace. Like any other software, the vendor releases regular updates for Docker software that address security vulnerabilities, product bugs and bring in new functionality.'
   tag 'host'
+  tag cis: '1.5'
   ref 'Docker installation', url: 'https://docs.docker.com/installation/'
   ref 'Docker releases', url: 'https://github.com/docker/docker/releases/latest'
 
@@ -116,6 +121,7 @@
   title 'Only allow trusted users to control Docker daemon'
   desc 'The Docker daemon currently requires \'root\' privileges. A user added to the \'docker\' group gives him full \'root\' access rights'
   tag 'host'
+  tag cis: '1.6'
   ref 'On Docker security: docker group considered harmful', url: 'https://www.andreas-jung.com/contents/on-docker-security-docker-group-considered-harmful'
   ref 'Why we do not let non-root users run Docker in CentOS, Fedora, or RHEL', url: 'http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/'
 
@@ -133,6 +139,7 @@
   title 'Audit docker daemon'
   desc 'Apart from auditing your regular Linux file system and system calls, audit Docker daemon as well. Docker daemon runs with \'root\' privileges. It is thus necessary to audit its activities and usage.'
   tag 'host'
+  tag cis: '1.7'
   ref 'System auditing', url: 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'
 
   describe auditd_rules do
@@ -150,6 +157,7 @@
   title 'Audit Docker files and directories - /var/lib/docker'
   desc 'Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with \'root\' privileges. Its behavior depends on some key files and directories. /var/lib/docker is one such directory. It holds all the information about containers. It must be audited.'
   tag 'host'
+  tag cis: '1.8'
   ref 'System auditing', url: 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'
 
   describe auditd_rules do
@@ -162,6 +170,7 @@
   title 'Audit Docker files and directories - /etc/docker'
   desc 'Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with \'root\' privileges. Its behavior depends on some key files and directories. /etc/docker is one such directory. It holds various certificates and keys used for TLS communication between Docker daemon and Docker client. It must be audited.'
   tag 'host'
+  tag cis: '1.9'
   ref 'System auditing', url: 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'
 
   describe auditd_rules do
@@ -174,6 +183,7 @@
   title 'Audit Docker files and directories - docker.service'
   desc 'Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with \'root\' privileges. Its behavior depends on some key files and directories. docker.service is one such file. The docker.service file might be present if the daemon parameters have been changed by an administrator. It holds various parameters for Docker daemon. It must be audited, if applicable.'
   tag 'host'
+  tag cis: '1.10'
   ref 'System auditing', url: 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'
 
   if docker.path
@@ -193,6 +203,7 @@
   title 'Audit Docker files and directories - docker.socket'
   desc 'Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with \'root\' privileges. Its behavior depends on some key files and directories. docker.socket is one such file. It holds various parameters for Docker daemon socket. It must be audited, if applicable.'
   tag 'host'
+  tag cis: '1.11'
   ref 'System auditing', url: 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'
 
   if docker.socket
@@ -212,6 +223,7 @@
   title 'Audit Docker files and directories - /etc/default/docker'
   desc 'Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with \'root\' privileges. Its behavior depends on some key files and directories. /etc/default/docker is one such file. It holds various parameters for Docker daemon. It must be audited, if applicable.'
   tag 'host'
+  tag cis: '1.12'
   ref 'System auditing', url: 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'
 
   only_if { os[:family] != 'centos' }
@@ -225,6 +237,7 @@
   title 'Audit Docker files and directories - /etc/docker/daemon.json'
   desc 'Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with \'root\' privileges. Its behavior depends on some key files and directories. /etc/docker/daemon.json is one such file. It holds various parameters for Docker daemon. It must be audited, if applicable.'
   tag 'host'
+  tag cis: '1.13'
   ref 'System auditing', url: 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'
   ref 'Daemon configuration', url: 'https://docs.docker.com/engine/reference/commandline/daemon/#daemon-configuration-file'
 
@@ -238,6 +251,7 @@
   title 'Audit Docker files and directories - /usr/bin/docker-containerd'
   desc 'Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with \'root\' privileges. Its behavior depends on some key files and directories. /usr/bin/docker-containerd is one such file. Docker now relies on containerd and runC to spawn containers. It must be audited, if applicable.'
   tag 'host'
+  tag cis: '1.14'
   ref 'System auditing', url: 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'
   ref 'Containerd integration', url: 'https://github.com/docker/docker/pull/20662'
   ref 'Containerd tools', url: 'https://containerd.tools/'
@@ -252,6 +266,7 @@
   title 'Audit Docker files and directories - /usr/bin/docker-runc'
   desc 'Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with \'root\' privileges. Its behavior depends on some key files and directories. /usr/bin/docker-runc is one such file. Docker now relies on containerd and runC to spawn containers. It must be audited, if applicable.'
   tag 'host'
+  tag cis: '1.15'
   ref 'System auditing', url: 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'
   ref 'Containerd integration', url: 'https://github.com/docker/docker/pull/20662'
   ref 'Containerd tools', url: 'https://containerd.tools/'

controls/docker_level1.rb

@@ -79,6 +79,7 @@
   title 'Restrict network traffic between containers'
   desc 'By default, all network traffic is allowed between containers on the same host. If not desired, restrict all the intercontainer communication. Link specific containers together that require inter communication.'
   tag 'daemon'
+  tag cis: '2.1'
   ref 'Docker container networking', url: 'https://docs.docker.com/engine/userguide/networking/'
 
   describe json('/etc/docker/daemon.json') do
@@ -91,6 +92,7 @@
   title 'Set the logging level'
   desc 'Setting up an appropriate log level, configures the Docker daemon to log events that you would want to review later. A ase log level of \'info\' and above would capture all logs except debug logs. Until and unless required, you should not run docker daemon at \'debug\' log level.'
   tag 'daemon'
+  tag cis: '2.2'
   ref 'Docker daemon', url: 'https://docs.docker.com/engine/reference/commandline/daemon/'
 
   describe json('/etc/docker/daemon.json') do
@@ -103,6 +105,7 @@
   title 'Allow Docker to make changes to iptables'
   desc 'Iptables are used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Allow the Docker daemon to make changes to the iptables.'
   tag 'daemon'
+  tag cis: '2.3'
   ref 'https://docs.docker.com/v1.8/articles/networking/'
 
   describe json('/etc/docker/daemon.json') do
@@ -115,6 +118,7 @@
   title 'Do not use insecure registries'
   desc 'Docker considers a private registry either secure or insecure. By default, registries are considered secure.'
   tag 'daemon'
+  tag cis: '2.4'
   ref 'Insecure registry', url: 'https://docs.docker.com/registry/insecure/'
 
   describe json('/etc/docker/daemon.json') do
@@ -127,6 +131,7 @@
   title 'Do not use the aufs storage driver'
   desc 'The \'aufs\' storage driver is the oldest storage driver. It is based on a Linux kernel patch-set that is unlikely to be merged into the main Linux kernel. \'aufs\' driver is also known to cause some serious kernel crashes. \'aufs\' just has legacy support from Docker. Most importantly, \'aufs\' is not a supported driver in many Linux distributions using latest Linux kernels.'
   tag 'daemon'
+  tag cis: '2.5'
   ref 'Docker daemon storage driver options', url: 'https://docs.docker.com/engine/reference/commandline/cli/#daemon-storage-driver-option'
   ref 'permission denied if chown after chmod', url: 'https://github.com/docker/docker/issues/6047'
   ref 'Switch from aufs to devicemapper', url: 'http://muehe.org/posts/switching-docker-from-aufs-to-devicemapper/'
@@ -142,6 +147,7 @@
   title 'Configure TLS authentication for Docker daemon'
   desc 'It is possible to make the Docker daemon to listen on a specific IP and port and any other Unix socket other than default Unix socket. Configure TLS authentication to restrict access to Docker daemon via IP and port.'
   tag 'daemon'
+  tag cis: '2.6'
   ref 'Protect Docker deamon socket', url: 'https://docs.docker.com/engine/security/https/'
 
   describe json('/etc/docker/daemon.json') do
@@ -166,6 +172,7 @@
   title 'Set default ulimit as appropriate'
   desc 'ulimit provides control over the resources available to the shell and to processes started by it. Setting system resource limits judiciously saves you from many disasters such as a fork bomb. Sometimes, even friendly users and legitimate processes can overuse system resources and in-turn can make the system unusable.'
   tag 'daemon'
+  tag cis: '2.7'
   ref 'Docker daemon deafult ulimits', url: 'https://docs.docker.com/engine/reference/commandline/daemon/#default-ulimits'
 
   describe json('/etc/docker/daemon.json') do

controls/docker_level2.rb

@@ -62,6 +62,7 @@
   title 'Enable user namespace support'
   desc 'Enable user namespace support in Docker daemon to utilize container user to host user re-mapping. This recommendation is beneficial where containers you are using do not have an explicit container user defined in the container image. If container images that you are using have a pre-defined non-root user, this recommendation may be skipped since this feature is still in its infancy and might give you unpredictable issues and complexities.'
   tag 'daemon'
+  tag cis: '2.8'
   ref 'User namespeces', url: 'http://man7.org/linux/man-pages/man7/user_namespaces.7.html'
   ref 'Docker daemon configuration', url: 'https://docs.docker.com/engine/reference/commandline/daemon/'
   ref 'Routing out root: user namespaces in docker', url: 'http://events.linuxfoundation.org/sites/events/files/slides/User%20Namespaces%20-%20ContainerCon%202015%20-%2016-9-final_0.pdf'
@@ -85,6 +86,7 @@
   title 'Confirm default cgroup usage'
   desc 'The --cgroup-parent option allows you to set the default cgroup parent to use for all the containers. If there is no specific use case, this setting should be left at its default.'
   tag 'daemon'
+  tag cis: '2.9'
   ref 'Docker daemon configuration', url: 'https://docs.docker.com/engine/reference/commandline/daemon/'
 
   describe json('/etc/docker/daemon.json') do
@@ -97,6 +99,7 @@
   title 'Do not change base device size until needed'
   desc 'In certain circumstances, you might need containers bigger than 10G in size. In these cases, carefully choose the base device size.'
   tag 'daemon'
+  tag cis: '2.10'
   ref 'Docker daemon storage driver options', url: 'https://docs.docker.com/engine/reference/commandline/daemon/#storage-driver-options'
 
   describe json('/etc/docker/daemon.json') do
@@ -109,6 +112,7 @@
   title 'Use authorization plugin'
   desc 'Docker’s out-of-the-box authorization model is all or nothing. Any user with permission to access the Docker daemon can run any Docker client command. The same is true for callers using Docker’s remote API to contact the daemon. If you require greater access control, you can create authorization plugins and add them to your Docker daemon configuration. Using an authorization plugin, a Docker administrator can configure granular access policies for managing access to Docker daemon.'
   tag 'daemon'
+  tag cis: '2.11'
   ref 'Access authorization', url: 'https://docs.docker.com/engine/reference/commandline/daemon/#access-authorization'
   ref 'Auhtorization plugins', url: 'https://docs.docker.com/engine/extend/plugins_authorization/'
   ref 'Twistlock authorization plugin', url: 'https://github.com/twistlock/authz'
@@ -126,6 +130,7 @@
   title 'Configure centralized and remote logging'
   desc 'Docker now supports various log drivers. A preferable way to store logs is the one that supports centralized and remote logging.'
   tag 'daemon'
+  tag cis: '2.12'
   ref 'Logging overview', url: 'https://docs.docker.com/engine/admin/logging/overview/'
 
   describe json('/etc/docker/daemon.json') do
@@ -144,6 +149,7 @@
   title 'Disable operations on legacy registry (v1)'
   desc 'The latest Docker registry is v2. All operations on the legacy registry version (v1) should be restricted.'
   tag 'daemon'
+  tag cis: '2.13'
   ref 'Docker daemon storage driver options', url: 'https://docs.docker.com/engine/reference/commandline/daemon/#storage-driver-options'
   ref 'Proposal: Provenance step 1 - Transform images for validation and verification', url: 'https://github.com/docker/docker/issues/8093'
   ref 'Proposal: JSON Registry API V2.1', url: 'https://github.com/docker/docker/issues/9015'
@@ -163,6 +169,7 @@
   title 'Enable live restore'
   desc 'The \'--live-restore\' enables full support of daemon-less containers in docker. It ensures that docker does not stop containers on shutdown or restore and properly reconnects to the container when restarted.'
   tag 'daemon'
+  tag cis: '2.14'
   ref 'Add --live-restore flag', url: 'https://github.com/docker/docker/pull/23213'
 
   describe json('/etc/docker/daemon.json') do
@@ -175,6 +182,20 @@
   title 'Do not enable swarm mode, if not needed'
   desc 'Do not enable swarm mode on a docker engine instance unless needed.'
   tag 'daemon'
+  tag cis: '2.15'
+  ref 'docker swarm init', url: 'https://docs.docker.com/engine/reference/commandline/swarm_init/'
+
+  describe command('docker info') do
+    its('stdout') { should include 'Swarm: inactive' }
+  end
+end
+
+control 'cis-docker-benchmark-2.16' do
+  impact 1.0
+  title 'Control the number of manager nodes in a swarm'
+  desc 'Ensure that the minimum number of required manager nodes is created in a swarm.'
+  tag 'daemon'
+  tag cis: '2.16'
   ref 'docker swarm init', url: 'https://docs.docker.com/engine/reference/commandline/swarm_init/'
 
   describe command('docker info') do