Item 2.6 on v1.3.5 showing daemon not listening on tcp

[zshrine]

Hi,

While running the scan, my result for 2.6 is as per below.
{"id": "2.6", "desc": "Ensure TLS authentication for Docker daemon is configured", "result": "INFO", "details": "Docker daemon not listening on TCP"},

But my daemon.json has been configured to listen on tcp.

"hosts": ["unix:///var/run/docker.sock", "tcp://xx.xx.xx.xx:2376"], 
"tls": true,
"tlsverify": true,
"tlscacert":"/var/lib/docker/certs/ca.pem",
"tlscert":"/var/lib/docker/certs/server-cert.pem",
"tlskey":"/var/lib/docker/certs/server-key.pem",

I noticed that in 2_docker_daemon_configuration.sh, line, 153, the $CONFIG_FILE will always be null. Seems like u need to call the method get_docker_configuration_file_args to set the variable.

Also, seems like encapsulating the grep command with square brackets will regard the command as string instead. I tested with below.

$ if [ grep -i 'tcp://'"$CONFIG_FILE" 2>/dev/null 1>&2 ]; then echo hello; fi
$ if grep -i 'tcp://'"$CONFIG_FILE" 2>/dev/null 1>&2 ; then echo hello; fi
hello

I modified 2_docker_daemon_configuration.sh as per below to get the result I want.

echo "config file is $CONFIG_FILE"
get_docker_configuration_file_args "NA"
echo "config file is $CONFIG_FILE again"
  totalChecks=$((totalChecks + 1))
  if grep -i 'tcp://' "$CONFIG_FILE" 2>/dev/null 1>&2 || \
    [ $(get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://') >/dev/null 2>&1 ]; then
echo "passed the first if?";

My log result is as per below:

# ./docker-bench-security.sh -l 2.6.log -c check_2_6
# ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.5
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Benchmark v1.2.0.
# ------------------------------------------------------------------------------

Initializing Thu Dec 12 14:40:33 +08 2019

config file is
config file is /etc/docker/daemon.json again
passed the first if?
[PASS] 2.6  - Ensure TLS authentication for Docker daemon is configured

[INFO] Checks: 1
[INFO] Score: 1

Thanks!

[konstruktoid]

Thanks again, will check.

[konstruktoid]

Can you test #411?

[zshrine]

Seems like $CONFIG_FILE is still empty.

$ ls /etc/docker/daemon.json
/etc/docker/daemon.json
$ ./docker-bench-security.sh -c check_2_6
# ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.5
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Benchmark v1.2.0.
# ------------------------------------------------------------------------------

Initializing Tue Dec 17 15:39:42 +08 2019

grep: : No such file or directory
[INFO] 2.6  - Ensure TLS authentication for Docker daemon is configured
[INFO]      * Docker daemon not listening on TCP

[INFO] Checks: 1
[INFO] Score: 0

[konstruktoid]

$CONFIG_FILE is not set when using the -c flag.

[zshrine]

Ok. Tested a full scan, it is working. Thanks!

[konstruktoid]

You're welcome, but I don't know why it's not working when using -c.

[zshrine]

$CONFIG_FILE is set with this method get_docker_configuration_file_args. The first occurrence of this method being called is in check_2_1.

My guess is that probably $CONFIG_FILE was already set in the previous methods for check_2_6 to work.

Since the first condition for check_2_6 is if grep -qi 'tcp://' "$CONFIG_FILE" || \ and is reliant on the variable $CONFIG_FILE.

[konstruktoid]

True, but $CONFIG_FILE is set at https://github.com/docker/docker-bench-security/blob/master/helper_lib.sh#L85-L96 and helper_lib.sh is always included, and there's not difference from using -c or not.

[zshrine]

I think running helper_lib.sh just declares the method, it does not actually run the method. I did a small test. Maybe you want to try doing an echo inside one of the methods to prove this?

$. helper_lib.sh
$echo $CONFIG_FILE

$echo $auditrules
/etc/audit/audit.rules

[konstruktoid]

You're correct again, added so that we get the configuration file before the tests.

[zshrine]

Glad I was able to help. This project helped me out a lot too. :)

[konstruktoid]

Thank you @zshrine :)