update to CIS Benchmark 1.12, controls 1.1 to 2.16 #19
Conversation
Signed-off-by: Patrick Münch <patrick.muench1111@gmail.com>
ref 'https://docs.docker.com/installation/'
ref 'https://github.com/docker/docker/releases/latest'

docker_server_version = command('docker version --format \'{{.Server.Version}}\'').stdout
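Review bot: `.stdout` keeps the trailing newline that `docker version` prints, so `docker_server_version` holds a value like "1.13.1\n"; that is harmless with the `cmp` matcher but will make any plain `eq`/string comparison or later reuse of the variable fail. Suggest `.stdout.strip`, and consider checking `exit_status` as well, since an unreachable daemon leaves stdout empty.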
I am going to add docker.version to inspec/inspec#1566. This should make life easier in future.
This would result in

describe docker.version do
  it { should cmp >= '1.13.1' }
end

then. We can use this syntax once the PR has been merged. We should not block this PR.
yes, this is a great solution and makes it easier
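The version comparison that both the `command(...).stdout` line and the proposed `docker.version` resource rely on, as an added example in plain Ruby (this is not code from the cis-docker-benchmark profile, from InSpec, or from this PR). It assumes Docker prints its server version as "1.13.1" or, for Docker CE/EE, with an edition suffix such as "17.03.0-ce", and it uses `Gem::Version` for the ordered comparison that InSpec's `cmp >=` performs on version-like strings.

```ruby
# Added example: check a Docker server version string against the 1.13.1
# minimum the control asks for. Not part of the profile or of InSpec.
require 'rubygems' # provides Gem::Version

MIN_DOCKER_VERSION = '1.13.1'.freeze

# Turn raw `docker version --format '{{.Server.Version}}'` output into a
# comparable version. The raw output ends in a newline (command().stdout
# keeps it), and CE/EE builds carry a "-ce"/"-ee" suffix. Gem::Version would
# read "17.03.0-ce" as the prerelease "17.03.0.pre.ce", which sorts *below*
# "17.03.0", so the edition suffix is dropped before comparing.
def parse_docker_version(raw_stdout)
  text = raw_stdout.to_s.strip
  raise ArgumentError, 'empty docker version output' if text.empty?

  cleaned = text.sub(/-(ce|ee)\z/, '')
  raise ArgumentError, "unparseable docker version #{text.inspect}" unless Gem::Version.correct?(cleaned)

  Gem::Version.new(cleaned)
end

# True when the installed server is at least `minimum`.
def docker_version_ok?(raw_stdout, minimum = MIN_DOCKER_VERSION)
  parse_docker_version(raw_stdout) >= Gem::Version.new(minimum)
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample outputs, shaped like what the docker CLI prints.
  ["1.13.1\n", "1.12.6\n", "17.03.0-ce\n", "\n"].each do |out|
    begin
      puts "#{out.inspect} => #{docker_version_ok?(out)}"
    rescue ArgumentError => e
      puts "#{out.inspect} => error: #{e.message}"
    end
  end
end
```

The explicit suffix handling is the part worth copying: without it, a host running 17.03.0-ce would still pass a ">= 1.13.1" check, but a future ">= 17.03.0" check would wrongly fail on the CE build.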
controls/docker_host_os_level1.rb
describe auditd_rules do
  its(:lines) { should include('-w /usr/bin/docker -p rwxa -k docker') }
end
describe service('auditd') do
Is it always auditd for the supported operating systems?
Yes, I agree. I am testing now with Debian and will extend this to the other operating systems.

I will need some time to complete this PR. Sorry for the long-running PR.
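The audit-rule check above matches one exact string, which is the fragile part of that control when the same rule is written differently on another distribution. The following is an added example in plain Ruby (not code from the cis-docker-benchmark profile, from InSpec, or from this PR) that parses `auditctl -l` style lines and compares path, permission set and key instead. The sample rule text is constructed here; the one-rule-per-line `-w PATH -p PERMS -k KEY` layout is assumed to be what `auditctl -l` prints.

```ruby
# Added example: tolerant check for the auditd watch rule on /usr/bin/docker.
# Not part of the profile or of InSpec.

AuditWatch = Struct.new(:path, :perms, :key)

# Parse one "-w PATH -p PERMS -k KEY" rule. Returns nil for anything that is
# not a file watch (syscall rules starting with "-a", comments, blank lines).
# Permissions are stored as a sorted character list so "-p arwx" and
# "-p rwxa" compare equal; a key given as "-F key=NAME" is accepted too.
def parse_watch_rule(line)
  tokens = line.strip.split(/\s+/)
  return nil unless tokens.first == '-w'

  rule = AuditWatch.new(nil, [], nil)
  tokens.each_slice(2) do |flag, value|
    case flag
    when '-w'
      rule.path = value
    when '-p'
      rule.perms = value.to_s.chars.sort
    when '-k'
      rule.key = value
    when '-F'
      rule.key = value.sub('key=', '') if value.to_s.start_with?('key=')
    end
  end
  rule.path ? rule : nil
end

# True when some watch rule in `rules_text` covers `path` with at least the
# requested permissions and carries the expected key.
def audit_watch_present?(rules_text, path:, perms: 'rwxa', key:)
  wanted = perms.chars.sort
  rules_text.each_line.map { |l| parse_watch_rule(l) }.compact.any? do |r|
    r.path == path && (wanted - r.perms).empty? && r.key == key
  end
end

# Constructed sample, modelled on `auditctl -l` output; the docker rule is
# deliberately written with "-p arwx" to show the order-insensitive match.
SAMPLE_AUDITCTL_OUTPUT = <<~RULES
  -w /etc/passwd -p wa -k identity
  -w /usr/bin/docker -p arwx -k docker
  -a always,exit -F arch=b64 -S execve -k exec
RULES

if $PROGRAM_NAME == __FILE__
  puts audit_watch_present?(SAMPLE_AUDITCTL_OUTPUT, path: '/usr/bin/docker', key: 'docker')
  puts audit_watch_present?(SAMPLE_AUDITCTL_OUTPUT, path: '/var/lib/docker', key: 'docker')
end
```

Requiring at least the wanted permissions, rather than exactly the listed string, means a host with a broader watch on the binary still passes, while a narrower rule (for example `-p rw`) is correctly reported as missing.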
…key, also update README.md Signed-off-by: Patrick Münch <patrick.muench1111@gmail.com>
chris-rock left a comment:
Awesome improvement @atomic111. I have two minor requests.
controls/docker_level2.rb
ref 'docker swarm init', url: 'https://docs.docker.com/engine/reference/commandline/swarm_init/'

describe command('docker info') do
  its('stdout') { should include 'Swarm: inactive' }
Do we need a variable for this request?
  end
end

control 'cis-docker-benchmark-2.15' do
Should we externalize this into a swarm.rb, so that we get our normal component structure into our benchmark?
Yes, I agree, but we should include this in the 2.0 release. I opened issue #21.
Thank you @atomic111
Update the CIS benchmark to 1.12 and add the tags to the controls.
This will solve issues #11 and #8.
I will start with the Debian and Ubuntu tests.
Right now it is not tested for CentOS.