Merge pull request #1 from dev-sec/chris-rock/attributes

atomic111 · atomic111 · commit b171fd2d3a0d · 2016-05-31T11:13:58.000+02:00
determine attribute values at the beginning
diff --git a/controls/docker_host_os_level1.rb b/controls/docker_host_os_level1.rb
@@ -20,6 +20,14 @@
 
 title 'CIS Docker Benchmark - Level 1 - Linux Host OS'
 
+# attributes
+attrs = {}
+# define trusted user to control Docker daemon. cis-docker-benchmark-1.6
+attrs['TRUSTED_USER'] = ENV['TRUSTED_USER'] || 'vagrant'
+# keep number of containers on a host to a manageable total. cis-docker-benchmark-6.5
+attrs['MANAGEABLE_CONTAINER_NUMBER'] = ENV['MANAGEABLE_CONTAINER_NUMBER'] || 25
+
+# check if docker exists
 only_if do
   command('docker').exist?
 end
@@ -99,7 +107,7 @@
   end
 
   describe etc_group.where(group_name: 'docker') do
-    its('users') { should include ENV['TRUSTED_USER'] || 'vagrant' }
+    its('users') { should include attrs['TRUSTED_USER'] }
   end
 end
 
@@ -245,6 +253,6 @@
   diff = total_on_host - total_running
 
   describe diff do
-    it { should be <= (ENV['MANAGEABLE_CONTAINER_NUMBER'] || 25) }
+    it { should be <= (attrs['MANAGEABLE_CONTAINER_NUMBER']) }
   end
 end
diff --git a/controls/docker_level1.rb b/controls/docker_level1.rb
@@ -20,6 +20,20 @@
 
 title 'CIS Docker Benchmark - Level 1 - Docker'
 
+# attributes
+attrs = {}
+# directory contains various Docker registry directories. cis-docker-benchmark-3.7
+attrs['REGISTRY_CERT_PATH'] = ENV['REGISTRY_CERT_PATH'] || '/etc/docker/certs.d'
+# directory contain certificate certain Docker registry. cis-docker-benchmark-3.7
+attrs['REGISTRY_NAME'] = ENV['REGISTRY_NAME'] || '/etc/docker/certs.d/registry_hostname:port'
+# certificate file for a certain Docker registry certificate files. cis-docker-benchmark-3.7 and cis-docker-benchmark-3.8
+attrs['REGISTRY_CA_FILE'] = ENV['REGISTRY_CA_FILE'] || '/etc/docker/certs.d/registry_hostname:port/ca.crt'
+# define user within containers. cis-docker-benchmark-4.1
+attrs['CONTAINER_USER'] = ENV['CONTAINER_USER'] || 'ubuntu'
+# define needed capabilities for containers. example: `CONTAINER_CAPADD="NET_ADMIN,SYS_ADMIN"` cis-docker-benchmark-5.3
+attrs['CONTAINER_CAPADD'] = ENV['CONTAINER_CAPADD'].nil? ? ENV['CONTAINER_CAPADD'] : ENV['CONTAINER_CAPADD'].split(',')
+
+# check if docker exists
 only_if do
   command('docker').exist?
 end
@@ -236,21 +250,21 @@
   ref 'https://docs.docker.com/engine/security/certificates/'
   ref 'docs.docker.com/reference/commandline/cli/#insecure-registries'
 
-  describe file(ENV['REGISTRY_CERT_PATH'] || '/etc/docker/certs.d') do
+  describe file(attrs['REGISTRY_CERT_PATH']) do
     it { should exist }
     it { should be_directory }
     it { should be_owned_by 'root' }
     it { should be_grouped_into 'root' }
   end
 
-  describe file(ENV['REGISTRY_NAME'] || '/etc/docker/certs.d/registry_hostname:port') do
+  describe file(attrs['REGISTRY_NAME']) do
     it { should exist }
     it { should be_directory }
     it { should be_owned_by 'root' }
     it { should be_grouped_into 'root' }
   end
 
-  describe file(ENV['REGISTRY_CA_FILE'] || '/etc/docker/certs.d/registry_hostname:port/ca.crt') do
+  describe file(attrs['REGISTRY_CA_FILE']) do
     it { should exist }
     it { should be_file }
     it { should be_owned_by 'root' }
@@ -265,7 +279,7 @@
   ref 'https://docs.docker.com/engine/security/certificates/'
   ref 'docs.docker.com/reference/commandline/cli/#insecure-registries'
 
-  describe file(ENV['REGISTRY_CA_FILE'] || '/etc/docker/certs.d/registry_hostname:port/ca.crt') do
+  describe file(attrs['REGISTRY_CA_FILE']) do
     it { should exist }
     it { should be_file }
     it { should be_readable }
@@ -493,7 +507,7 @@
     raw = command("docker inspect #{id}").stdout
     info = json('').parse(raw)
     describe info[0] do
-      its(%w(Config User)) { should eq ENV['CONTAINER_USER'] || 'ubuntu' }
+      its(%w(Config User)) { should eq attrs['CONTAINER_USER'] }
       its(%w(Config User)) { should_not eq nil }
     end
   end
@@ -543,8 +557,7 @@
     describe info[0] do
       its(%w(HostConfig CapDrop)) { should include(/all/) }
       its(%w(HostConfig CapDrop)) { should_not eq nil }
-      # its(%w(HostConfig CapAdd)) { should eq ENV['CONTAINER_CAPADD']&.split(',') }
-      its(%w(HostConfig CapAdd)) { should eq ENV['CONTAINER_CAPADD'].nil? ? ENV['CONTAINER_CAPADD'] : ENV['CONTAINER_CAPADD'].split(',') }
+      its(%w(HostConfig CapAdd)) { should eq attrs['CONTAINER_CAPADD'] }
     end
   end
 end
diff --git a/controls/docker_level2.rb b/controls/docker_level2.rb
@@ -20,6 +20,20 @@
 
 title 'CIS Docker Benchmark - Level 2 - Docker'
 
+# attributes
+attrs = {}
+# define authorization plugin to manage access to Docker daemon. cis-docker-benchmark-2.11
+attrs['AUTHORIZATION_PLUGIN'] = [ENV['AUTHORIZATION_PLUGIN'] || 'authz-broker']
+# define preferable way to store logs. cis-docker-benchmark-2.12
+attrs['LOG_DRIVER'] = ENV['LOG_DRIVER'] || 'syslog'
+# define Docker daemon log-opts. cis-docker-benchmark-2.12
+attrs['LOG_OPTS'] = ENV['LOG_OPTS'] || /syslog-address/
+# define apparmor profile for Docker containers. cis-docker-benchmark-5.1
+attrs['APP_ARMOR_PROFILE'] = ENV['APP_ARMOR_PROFILE'] || 'docker-default'
+# define SELinux profile for Docker containers. cis-docker-benchmark-5.2
+attrs['SELINUX_PROFILE'] = ENV['SELINUX_PROFILE'] || /label\:level\:s0-s0\:c1023/
+
+# check if docker exists
 only_if do
   command('docker').exist?
 end
@@ -73,7 +87,7 @@
     its(['authorization-plugins']) { should_not be_empty }
   end
   describe json('/etc/docker/daemon.json') do
-    its(['authorization-plugins']) { should eq([ENV['AUTHORIZATION_PLUGIN'] || 'authz-broker']) }
+    its(['authorization-plugins']) { should eq(attrs['AUTHORIZATION_PLUGIN']) }
   end
 end
 
@@ -88,10 +102,10 @@
     its(['log-driver']) { should_not be_empty }
   end
   describe json('/etc/docker/daemon.json') do
-    its(['log-driver']) { should eq(ENV['LOG_DRIVER'] || 'syslog') }
+    its(['log-driver']) { should eq(attrs['LOG_DRIVER']) }
   end
   describe json('/etc/docker/daemon.json') do
-    its(['log-opts']) { should include(ENV['LOG_OPTS'] || /syslog-address/) }
+    its(['log-opts']) { should include(attrs['LOG_OPTS']) }
   end
 end
 
@@ -136,7 +150,7 @@
     raw = command("docker inspect #{id}").stdout
     info = json('').parse(raw)
     describe info[0] do
-      its(['AppArmorProfile']) { should include(ENV['APP_ARMOR_PROFILE'] || 'docker-default') }
+      its(['AppArmorProfile']) { should include(attrs['APP_ARMOR_PROFILE']) }
       its(['AppArmorProfile']) { should_not eq nil }
     end
   end
@@ -163,7 +177,7 @@
     info = json('').parse(raw)
     describe info[0] do
       its(%w(HostConfig SecurityOpt)) { should_not eq nil }
-      its(%w(HostConfig SecurityOpt)) { should include(ENV['SELINUX_PROFILE'] || /label\:level\:s0-s0\:c1023/) }
+      its(%w(HostConfig SecurityOpt)) { should include(attrs['SELINUX_PROFILE']) }
     end
   end
 end
