Initial v1.3.1 PR

CONTRIBUTING.md

@@ -8,13 +8,10 @@ project, and follows the same rules and principles. If you're already familiar
 with the way Docker does things, you'll feel right at home.
 
 Otherwise, go read
-[Docker's contributions guidelines](https://github.com/docker/docker/blob/master/CONTRIBUTING.md).
+[Contribute to the Moby Project](https://github.com/moby/moby/blob/master/CONTRIBUTING.md).
 
 ## Development Environment Setup
 
-The only thing you need to hack on Docker Bench for Security is a POSIX 2004
-compliant shell. We try to keep the project compliant for maximum portability.
-
 ### Start hacking
 
 You can build the container that wraps the docker-bench for security:
@@ -53,12 +50,9 @@ tests/
 ```
 
 To modify the Docker Bench for Security you should first clone the repository,
-make your changes, check your code with `shellcheck`, `checkbashisms` or similar
-tools, and then sign off on your commits. After that feel free to send us a
-pull request with the changes.
+make your changes, check your code with `shellcheck`, or similar tools, and
+then sign off on your commits. After that feel free to send us a pull request
+with the changes.
 
 While this tool was inspired by the [CIS Docker 1.11.0 benchmark](https://www.cisecurity.org/benchmark/docker/)
-and its successors, feel free to add new tests. We will try to turn
-[dockerbench.com](https://dockerbench.com) into a list of good community
-benchmarks for both security and performance, and we would love community
-contributions.
+and its successors, feel free to add new tests.

README.md

@@ -2,9 +2,7 @@
 
 ![Docker Bench for Security running](img/benchmark_log.png)
 
-The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are inspired by the [CIS Docker Benchmark v1.2.0](https://www.cisecurity.org/benchmark/docker/).
-
-The list with all tests is available [here](tests/TESTS.md).
+The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are based on the [CIS Docker Benchmark v1.3.1](https://www.cisecurity.org/benchmark/docker/).
 
 We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and docker containers against this benchmark.
 
@@ -93,13 +91,13 @@ Note that when distributions don't contain `auditctl`, the audit tests will chec
   -p PRINT     optional  Disable the printing of remediation measures. Default: print remediation measures.
 ```
 
-By default the Docker Bench for Security script will run all available CIS tests and produce 
-logs in the log folder from current directory, named `docker-bench-security.sh.log.json` and 
+By default the Docker Bench for Security script will run all available CIS tests and produce
+logs in the log folder from current directory, named `docker-bench-security.sh.log.json` and
 `docker-bench-security.sh.log`.
 
 If the docker container is used then the log files will be created inside the container in location `/usr/local/bin/log/`. If you wish to access them from the host after the container has been run you will need to mount a volume for storing them in.
 
-The CIS based checks are named `check_<section>_<number>`, e.g. `check_2_6` and community contributed checks are named `check_c_<number>`. A complete list of checks is present in [TESTS.md](tests/TESTS.md).
+The CIS based checks are named `check_<section>_<number>`, e.g. `check_2_6` and community contributed checks are named `check_c_<number>`.
 
 `sh docker-bench-security.sh -c check_2_2` will only run check `2.2 Ensure the logging level is set to 'info'`.
 
@@ -134,5 +132,3 @@ git clone https://github.com/docker/docker-bench-security.git
 cd docker-bench-security
 docker-compose run --rm docker-bench-security
 ```
-
-This script was built to be POSIX 2004 compliant, so it should be portable across any Unix platform.

docker-bench-security.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 # --------------------------------------------------------------------------------------------
 # Docker Bench for Security
 #
@@ -36,7 +36,7 @@ usage () {
   cat <<EOF
 Docker Bench for Security - Docker, Inc. (c) 2015-$(date +"%Y")
 Checks for dozens of common best-practices around deploying Docker containers in production.
-Inspired by the CIS Docker Benchmark v1.2.0.
+Based on the CIS Docker Benchmark 1.3.1.
 
 Usage: ${myname}.sh [OPTIONS]
 
@@ -58,7 +58,7 @@ Options:
   -i INCLUDE   optional  Comma delimited list of patterns within a container or image name to check
   -x EXCLUDE   optional  Comma delimited list of patterns within a container or image name to exclude from check
   -n LIMIT     optional  In JSON output, when reporting lists of items (containers, images, etc.), limit the number of reported items to LIMIT. Default 0 (no limit).
-  -p PRINT     optional  Disable the printing of remediation measures. Default: print remediation measures.
+  -p PRINT     optional  Print remediation measures. Default: Don't print remediation measures.
 
 Complete list of checks: <https://github.com/docker/docker-bench-security/blob/master/tests/>
 Full documentation: <https://github.com/docker/docker-bench-security>
@@ -70,9 +70,10 @@ EOF
 if [ ! -d log ]; then
   mkdir log
 fi
+
 logger="log/${myname}.log"
 limit=0
-printremediation="1"
+printremediation="0"
 globalRemediation=""
 
 # Get the flags
@@ -90,7 +91,7 @@ do
   i) include="$OPTARG" ;;
   x) exclude="$OPTARG" ;;
   n) limit="$OPTARG" ;;
-  p) printremediation="0" ;;
+  p) printremediation="1" ;;
   *) usage; exit 1 ;;
   esac
 done
@@ -101,8 +102,7 @@ done
 yell_info
 
 # Warn if not root
-ID=$(id -u)
-if [ "x$ID" != "x0" ]; then
+if [ "$(id -u)" != "0" ]; then
   warn "$(yell 'Some tests might require root to run')\n"
   sleep 3
 fi
@@ -118,7 +118,7 @@ beginjson "$version" "$(date +%s)"
 
 # Load all the tests from tests/ and run them
 main () {
-  logit "\n${bldylw}Section A - Check results${txtrsr}"
+  logit "\n${bldylw}Section A - Check results${txtrst}"
 
   # Get configuration location
   get_docker_configuration_file

functions/functions_lib.sh

@@ -5,65 +5,60 @@ host_configuration() {
   check_1_1
   check_1_1_1
   check_1_1_2
+  check_1_1_3
+  check_1_1_4
+  check_1_1_5
+  check_1_1_6
+  check_1_1_7
+  check_1_1_8
+  check_1_1_9
+  check_1_1_10
+  check_1_1_11
+  check_1_1_12
+  check_1_1_13
+  check_1_1_14
+  check_1_1_15
+  check_1_1_16
+  check_1_1_17
+  check_1_1_18
   check_1_2
   check_1_2_1
   check_1_2_2
-  check_1_2_3
-  check_1_2_4
-  check_1_2_5
-  check_1_2_6
-  check_1_2_7
-  check_1_2_8
-  check_1_2_9
-  check_1_2_10
-  check_1_2_11
-  check_1_2_12
   check_1_end
 }
 
 host_configuration_level1() {
   check_1
-  check_1_1
-  check_1_1_1
-  check_1_1_2
-  check_1_2
-  check_1_2_1
-  check_1_2_2
-  check_1_2_3
-  check_1_2_5
-  check_1_2_6
-  check_1_2_7
-  check_1_2_8
-  check_1_2_9
-  check_1_2_10
-  check_1_2_11
-  check_1_2_12
   check_1_end
 }
 
-host_general_configuration() {
-  check_1
+linux_hosts_specific_configuration() {
   check_1_1
   check_1_1_1
   check_1_1_2
-  check_1_end
+  check_1_1_3
+  check_1_1_4
+  check_1_1_5
+  check_1_1_6
+  check_1_1_7
+  check_1_1_8
+  check_1_1_9
+  check_1_1_10
+  check_1_1_11
+  check_1_1_12
+  check_1_1_13
+  check_1_1_14
+  check_1_1_15
+  check_1_1_16
+  check_1_1_17
+  check_1_1_18
 }
 
-linux_hosts_specific_configuration() {
+host_general_configuration() {
   check_1
   check_1_2
   check_1_2_1
   check_1_2_2
-  check_1_2_3
-  check_1_2_4
-  check_1_2_5
-  check_1_2_6
-  check_1_2_7
-  check_1_2_8
-  check_1_2_9
-  check_1_2_10
-  check_1_2_11
-  check_1_2_12
   check_1_end
 }
 
@@ -86,22 +81,12 @@ docker_daemon_configuration() {
   check_2_15
   check_2_16
   check_2_17
+  check_2_18
   check_2_end
 }
 
 docker_daemon_configuration_level1() {
   check_2
-  check_2_1
-  check_2_2
-  check_2_3
-  check_2_4
-  check_2_5
-  check_2_6
-  check_2_7
-  check_2_13
-  check_2_14
-  check_2_16
-  check_2_17
   check_2_end
 }
 
@@ -129,33 +114,13 @@ docker_daemon_files() {
   check_3_20
   check_3_21
   check_3_22
+  check_3_23
+  check_3_24
   check_3_end
 }
 
 docker_daemon_files_level1() {
   check_3
-  check_3_1
-  check_3_2
-  check_3_3
-  check_3_4
-  check_3_5
-  check_3_6
-  check_3_7
-  check_3_8
-  check_3_9
-  check_3_10
-  check_3_11
-  check_3_12
-  check_3_13
-  check_3_14
-  check_3_15
-  check_3_16
-  check_3_17
-  check_3_18
-  check_3_19
-  check_3_20
-  check_3_21
-  check_3_22
   check_3_end
 }
 
@@ -177,14 +142,6 @@ container_images() {
 
 container_images_level1() {
   check_4
-  check_4_1
-  check_4_2
-  check_4_3
-  check_4_4
-  check_4_6
-  check_4_7
-  check_4_9
-  check_4_10
   check_4_end
 }
 
@@ -227,34 +184,6 @@ container_runtime() {
 
 container_runtime_level1() {
   check_5
-  check_running_containers
-  check_5_1
-  check_5_3
-  check_5_4
-  check_5_5
-  check_5_6
-  check_5_7
-  check_5_8
-  check_5_9
-  check_5_10
-  check_5_11
-  check_5_12
-  check_5_13
-  check_5_14
-  check_5_15
-  check_5_16
-  check_5_17
-  check_5_18
-  check_5_19
-  check_5_20
-  check_5_21
-  check_5_24
-  check_5_25
-  check_5_26
-  check_5_27
-  check_5_28
-  check_5_30
-  check_5_31
   check_5_end
 }
 
@@ -289,11 +218,6 @@ docker_swarm_configuration() {
 
 docker_swarm_configuration_level1() {
   check_7
-  check_7_1
-  check_7_2
-  check_7_3
-  check_7_4
-  check_7_7
   check_7_end
 }
 
@@ -366,7 +290,6 @@ cis() {
   container_runtime
   docker_security_operations
   docker_swarm_configuration
-  docker_enterprise_configuration
 }
 
 cis_level1() {
@@ -377,7 +300,6 @@ cis_level1() {
   container_runtime_level1
   docker_security_operations_level1
   docker_swarm_configuration_level1
-  docker_enterprise_configuration_level1
 }
 
 # Community contributed
@@ -388,5 +310,6 @@ community() {
 # All
 all() {
   cis
+  docker_enterprise_configuration
   community
 }

functions/helper_lib.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 # Returns the absolute path of a given string
 abspath () { case "$1" in /*)printf "%s\n" "$1";; *)printf "%s\n" "$PWD/$1";; esac; }
@@ -145,6 +145,6 @@ yell "# ------------------------------------------------------------------------
 # Docker, Inc. (c) 2015-$(date +"%Y")
 #
 # Checks for dozens of common best-practices around deploying Docker containers in production.
-# Inspired by the CIS Docker Benchmark v1.2.0.
+# Based on the CIS Docker Benchmark 1.3.1.
 # --------------------------------------------------------------------------------------------"
 }