Merge pull request #30 from dev-sec/chris-rock/1.12

atomic111 · web-flow · commit c3746ff4f8c4 · 2017-04-28T11:15:58.000+02:00
fix #11 implement missing 1.12 controls
diff --git a/README.md b/README.md
@@ -69,9 +69,16 @@ We use a yml attribute file to steer the configuration, the following options ar
   * `daemon_tlskey: /etc/docker/ssl/server_key.pem`
     configure the server key. cis-docker-benchmark-2.6
 
-  * `swarm_mode: Swarm: inactive`
+  * `swarm_mode: inactive`
     configure the swarm mode. cis-docker-benchmark-2.15
 
+  * `swarm_max_manager_nodes: 3`
+    configure the maximum number of swarm leaders. cis-docker-benchmark-2.16
+
+  * `swarm_port: 2377`
+    configure the swarm port. cis-docker-benchmark-2.17
+
+
 ## Usage
 
 InSpec makes it easy to run your tests wherever you need. More options listed here: [InSpec cli](http://inspec.io/docs/reference/cli/)
@@ -97,6 +104,14 @@ inspec exec cis-docker-benchmark --attrs sample_attributes.yml
 inspec supermarket exec dev-sec/cis-docker-benchmark -t ssh://user@hostname --key-files private_key --sudo
 ```
 
+### Run individual controls
+
+In order to verify individual controls, just provide the control ids to InSpec:
+
+```
+inspec exec cis-docker-benchmark --controls 'cis-docker-benchmark-1.4 cis-docker-benchmark-1.5'
+```
+
 ## Contributors + Kudos
 
 * Patrick Muench [atomic111](https://github.com/atomic111)
diff --git a/controls/container_images.rb b/controls/container_images.rb
@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 #
 # Copyright 2016, Patrick Muench
+# Copyright 2017, Christoph Hartmann
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -111,3 +112,75 @@
     its('content') { should eq '1' }
   end
 end
+
+control 'cis-docker-benchmark-4.6' do
+  impact 0.0
+  title 'Add HEALTHCHECK instruction to the container image'
+
+  tag 'daemon'
+  tag cis: 'docker:4.6'
+  tag level: 1
+
+  docker.containers.running?.ids.each do |id|
+    describe docker.object(id) do
+      its(%w(Config Healthcheck)) { should_not eq nil }
+    end
+  end
+end
+
+control 'cis-docker-benchmark-4.7' do
+  impact 0.0
+  title 'Do not use update instructions alone in the Dockerfile'
+
+  tag 'daemon'
+  tag cis: 'docker:4.6'
+  tag level: 1
+
+  docker.images.ids.each do |id|
+    describe command("docker history #{id}| grep -e 'update'") do
+      its('stdout') { should eq '' }
+    end
+  end
+end
+
+control 'cis-docker-benchmark-4.8' do
+  impact 0.0
+  title 'Remove setuid and setgid permissions in the images'
+
+  tag 'daemon'
+  tag cis: 'docker:4.8'
+  tag level: 2
+  ref url: 'https://github.com/dev-sec/linux-baseline'
+
+  describe 'docker-test' do
+    skip 'Use DevSec Linux Baseline in Container'
+  end
+end
+
+control 'cis-docker-benchmark-4.9' do
+  impact 0.3
+  title 'Use COPY instead of ADD in Dockerfile'
+
+  tag 'daemon'
+  tag cis: 'docker:4.9'
+  tag level: 1
+
+  docker.images.ids.each do |id|
+    describe command("docker history #{id}| grep 'ADD'") do
+      its('stdout') { should eq '' }
+    end
+  end
+end
+
+control 'cis-docker-benchmark-4.10' do
+  impact 0.0
+  title 'Do not store secrets in Dockerfiles'
+
+  tag 'daemon'
+  tag cis: 'docker:4.10'
+  tag level: 1
+
+  describe 'docker-test' do
+    skip 'Manually verify that you have not used secrets in images'
+  end
+end
diff --git a/controls/container_runtime.rb b/controls/container_runtime.rb
@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 #
 # Copyright 2016, Patrick Muench
+# Copyright 2017, Christoph Hartmann
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -530,3 +531,92 @@
     end
   end
 end
+
+control 'cis-docker-benchmark-5.26' do
+  impact 1.0
+  title 'Check container health at runtime'
+
+  tag 'daemon'
+  tag cis: 'docker:5.26'
+  tag level: 1
+
+  docker.containers.running?.ids.each do |id|
+    describe docker.object(id) do
+      its('State.Health.Status') { should eq 'healthy' }
+    end
+  end
+end
+
+control 'cis-docker-benchmark-5.27' do
+  impact 0.0
+  title 'Ensure docker commands always get the latest version of the image'
+
+  tag 'daemon'
+  tag cis: 'docker:5.27'
+  tag level: 1
+
+  describe 'docker-test' do
+    skip 'Not implemented yet'
+  end
+end
+
+control 'cis-docker-benchmark-5.28' do
+  impact 1.0
+  title 'Use PIDs cgroup limit'
+
+  tag 'daemon'
+  tag cis: 'docker:5.28'
+  tag level: 1
+
+  docker.containers.running?.ids.each do |id|
+    describe docker.object(id) do
+      its('HostConfig.PidsLimit') { should_not cmp 0 }
+      its('HostConfig.PidsLimit') { should_not cmp(-1) }
+    end
+  end
+end
+
+control 'cis-docker-benchmark-5.29' do
+  impact 0.0
+  title "Do not use Docker's default bridge docker0"
+
+  tag 'daemon'
+  tag cis: 'docker:5.29'
+  tag level: 2
+
+  describe 'docker-test' do
+    skip 'Not implemented yet'
+  end
+end
+
+control 'cis-docker-benchmark-5.30' do
+  impact 1.0
+  title "Do not share the host's user namespaces"
+
+  tag 'daemon'
+  tag cis: 'docker:5.30'
+  tag level: 1
+
+  docker.containers.running?.ids.each do |id|
+    describe docker.object(id) do
+      its('HostConfig.UsernsMode') { should eq '' }
+    end
+  end
+end
+
+control 'cis-docker-benchmark-5.31' do
+  impact 1.0
+  title 'Do not mount the Docker socket inside any containers'
+
+  tag 'daemon'
+  tag cis: 'docker:5.31'
+  tag level: 1
+
+  docker.containers.running?.ids.each do |id|
+    docker.object(id).Mounts.each do |mount|
+      describe mount do
+        its('Source') { should_not include 'docker.sock' }
+      end
+    end
+  end
+end
diff --git a/controls/docker_daemon_configuration.rb b/controls/docker_daemon_configuration.rb
@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 #
 # Copyright 2016, Patrick Muench
+# Copyright 2017, Christoph Hartmann
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -59,9 +60,21 @@
 )
 
 SWARM_MODE = attribute(
-  'SWARM_MODE',
-  description: 'define the swarm mode, active or inactive',
-  default:  'Swarm: inactive'
+  'swarm_mode',
+  description: 'define the swarm mode, `active` or `inactive`',
+  default: 'inactive'
+)
+
+SWARM_MAX_MANAGER_NODES = attribute(
+  'swarm_max_manager_nodes',
+  description: 'number of manager nodes in a swarm',
+  default: 3
+)
+
+SWARM_PORT = attribute(
+  'swarm_port',
+  description: 'port of the swarm node',
+  default: 2377
 )
 
 # check if docker exists
@@ -319,8 +332,53 @@
   tag cis: 'docker:2.15'
   tag level: 2
   ref 'docker swarm init', url: 'https://docs.docker.com/engine/reference/commandline/swarm_init/'
+  describe docker.info do
+    its('Swarm.LocalNodeState') { should eq SWARM_MODE }
+  end
+end
+
+control 'cis-docker-benchmark-2.16' do
+  impact 1.0
+  title 'Control the number of manager nodes in a swarm'
+  desc 'Ensure that the minimum number of required manager nodes is created in a swarm.'
 
-  describe command('docker info') do
-    its('stdout') { should include SWARM_MODE }
+  tag 'daemon'
+  tag cis: 'docker:2.16'
+  tag level: 2
+
+  only_if { SWARM_MODE == 'active' }
+  describe docker.info do
+    its('Swarm.Managers') { should cmp <= SWARM_MAX_MANAGER_NODES }
+  end
+end
+
+control 'cis-docker-benchmark-2.17' do
+  impact 1.0
+  title 'Bind swarm services to a specific host interface'
+
+  tag 'daemon'
+  tag cis: 'docker:2.17'
+  tag level: 2
+
+  only_if { SWARM_MODE == 'active' }
+  describe port(SWARM_PORT) do
+    its('addresses') { should_not include '0.0.0.0' }
+    its('addresses') { should_not include '::' }
+  end
+end
+
+control 'cis-docker-benchmark-2.18' do
+  impact 1.0
+  title 'Disable Userland Proxy'
+
+  tag 'daemon'
+  tag cis: 'docker:2.18'
+  tag level: 2
+
+  describe json('/etc/docker/daemon.json') do
+    its(['userland-proxy']) { should eq(false) }
+  end
+  describe processes('dockerd').commands do
+    it { should include 'userland-proxy=false' }
   end
 end
diff --git a/controls/docker_daemon_configuration_files.rb b/controls/docker_daemon_configuration_files.rb
@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 #
 # Copyright 2016, Patrick Muench
+# Copyright 2017, Christoph Hartmann
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/controls/docker_security_operations.rb b/controls/docker_security_operations.rb
@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 #
 # Copyright 2016, Patrick Muench
+# Copyright 2017, Christoph Hartmann
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/controls/host_configuration.rb b/controls/host_configuration.rb
@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 #
 # Copyright 2016, Patrick Muench
+# Copyright 2017, Christoph Hartmann
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,7 @@`
`2`	`2`	`# frozen_string_literal: true`
`3`	`3`	`#`
`4`	`4`	`# Copyright 2016, Patrick Muench`
	`5`	`+# Copyright 2017, Christoph Hartmann`
`5`	`6`	`#`
`6`	`7`	`# Licensed under the Apache License, Version 2.0 (the "License");`
`7`	`8`	`# you may not use this file except in compliance with the License.`