Merge pull request #5 from atomic111/master

add ruby 2.3.1 to travis.yml

Author: chris-rock

.travis.yml

@@ -6,6 +6,7 @@ rvm:
   - 1.9.3
   - 2.0.0
   - 2.2.0
+  - 2.3.1
 
 bundler_args: --without integration
 script: bundle exec rake

README.md

@@ -1,5 +1,9 @@
 # CIS Docker Benchmark - InSpec Profile
 
+[![Build Status](http://img.shields.io/travis/dev-sec/cis-docker-benchmark.svg)][1]
+[![Supermarket](https://img.shields.io/badge/CIS%20Docker%20Benchmark-InSpec%20Profile-brightgreen.svg)](https://supermarket.chef.io/tools/cis-docker-benchmark)
+[![Gitter Chat](https://badges.gitter.im/Join%20Chat.svg)][2]
+
 ## Description
 
 This [InSpec](https://github.com/chef/inspec) compliance profile implement the [CIS Docker 1.11.0 Benchmark](https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=docker16.110) in an automated way to provide security best-practice tests around Docker daemon and containers in a production environment.
@@ -102,4 +106,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 
-[1]: https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.11.0_Benchmark_v1.0.0.pdf
+[1]: http://travis-ci.org/dev-sec/cis-docker-benchmark
+[2]: https://gitter.im/dev-sec/general
+[3]: https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.11.0_Benchmark_v1.0.0.pdf

controls/docker_host_os_level1.rb

@@ -1,4 +1,5 @@
 # encoding: utf-8
+# frozen_string_literal: true
 #
 # Copyright 2016, Patrick Muench
 #
@@ -150,14 +151,14 @@
   desc 'Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with \'root\' privileges. Its behavior depends on some key files and directories. docker.service is one such file. The docker.service file might be present if the daemon parameters have been changed by an administrator. It holds various parameters for Docker daemon. It must be audited, if applicable.'
   ref 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'
 
-  unless docker.path.nil?
+  if docker.path
     rule = '-w ' << docker.path << ' -p rwxa -k docker'
     describe auditd_rules do
       its(:lines) { should include(rule) }
     end
   else
     describe 'audit docker service' do
-      skip "Cannot determine docker path"
+      skip 'Cannot determine docker path'
     end
   end
 end
@@ -168,14 +169,14 @@
   desc 'Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with \'root\' privileges. Its behavior depends on some key files and directories. docker.service is one such file. The docker.service file might be present if the daemon parameters have been changed by an administrator. It holds various parameters for Docker daemon. It must be audited, if applicable.'
   ref 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'
 
-  unless docker.path.nil?
+  if docker.path
     rule = '-w ' << docker.socket << ' -p rwxa -k docker'
     describe auditd_rules do
       its(:lines) { should include(rule) }
     end
   else
     describe 'audit docker service' do
-      skip "Cannot determine docker socket"
+      skip 'Cannot determine docker socket'
     end
   end
 end

controls/docker_level1.rb

@@ -1,4 +1,5 @@
 # encoding: utf-8
+# frozen_string_literal: true
 #
 # Copyright 2016, Patrick Muench
 #
@@ -581,13 +582,13 @@
     info['Mounts'].each do |mounts|
       describe mounts['Source'] do
         it { should_not eq '/' }
-        it { should_not match(/\/boot/) }
-        it { should_not match(/\/dev/) }
-        it { should_not match(/\/etc/) }
-        it { should_not match(/\/lib/) }
-        it { should_not match(/\/proc/) }
-        it { should_not match(/\/sys/) }
-        it { should_not match(/\/usr/) }
+        it { should_not match(%r{\/boot}) }
+        it { should_not match(%r{\/dev}) }
+        it { should_not match(%r{\/etc}) }
+        it { should_not match(%r{\/lib}) }
+        it { should_not match(%r{\/proc}) }
+        it { should_not match(%r{\/sys}) }
+        it { should_not match(%r{\/usr}) }
       end
     end
   end

controls/docker_level2.rb

@@ -1,4 +1,5 @@
 # encoding: utf-8
+# frozen_string_literal: true
 #
 # Copyright 2016, Patrick Muench
 #

libraries/docker.rb

@@ -1,3 +1,23 @@
+# encoding: utf-8
+#
+# Copyright 2016, Christoph Hartmann
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# author: Christoph Hartmann
+# author: Dominik Richter
+# author: Patrick Muench
+
 require 'yaml'
 
 class Docker < Inspec.resource(1)
@@ -26,7 +46,7 @@ def path
     params = parse_systemd_values(cmd.stdout.chomp)
 
     # return the value
-    params["FragmentPath"]
+    params['FragmentPath']
   end
 
   def socket
@@ -37,7 +57,7 @@ def socket
     params = parse_systemd_values(cmd.stdout.chomp)
 
     # return the value
-    params["FragmentPath"]
+    params['FragmentPath']
   end
 
   private
@@ -47,7 +67,7 @@ def parse_systemd_values(stdout)
     SimpleConfig.new(
       stdout,
       assignment_re: /^\s*([^=]*?)\s*=\s*(.*?)\s*$/,
-      multiple_values: false,
+      multiple_values: false
     ).params
   end
 end