Cis v1.8.0

Dockerfile

@@ -1,20 +1,21 @@
-FROM alpine:3.18@sha256:eece025e432126ce23f223450a0326fbebde39cdf496a85d8c016293fc851978
+FROM alpine:3@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1
 
 LABEL \
   org.label-schema.name="docker-bench-security" \
   org.label-schema.url="https://dockerbench.com" \
   org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"
 
 RUN apk add --no-cache iproute2 \
-    docker-cli \
-    dumb-init \
-    jq
+  docker-cli \
+  dumb-init \
+  jq \
+  bash
 
 COPY . /usr/local/bin/
 
 HEALTHCHECK CMD exit 0
 
 WORKDIR /usr/local/bin
 
-ENTRYPOINT [ "/usr/bin/dumb-init", "/bin/sh", "docker-bench-security.sh" ]
+ENTRYPOINT [ "/usr/bin/dumb-init", "/bin/bash", "docker-bench-security.sh" ]
 CMD [""]

README.md

@@ -6,14 +6,15 @@ The Docker Bench for Security is a script that checks for dozens of common best-
 
 We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and Docker containers against this benchmark.
 
-Release | CIS |
-:---:|:---:|
-1.6.0|1.6.0|
-1.5.0|1.5.0|
-1.3.6|1.4.0|
-1.3.5|1.2.0|
-1.3.3|1.1.0|
-1.3.0|1.13.0|
+| Release |  CIS   |
+| :-----: | :----: |
+|  1.8.0  | 1.8.0  |
+|  1.6.0  | 1.6.0  |
+|  1.5.0  | 1.5.0  |
+|  1.3.6  | 1.4.0  |
+|  1.3.5  | 1.2.0  |
+|  1.3.3  | 1.1.0  |
+|  1.3.0  | 1.13.0 |
 
 ## Running Docker Bench for Security
 
@@ -24,7 +25,7 @@ You can simply run this script from your base host by running:
 ```sh
 git clone https://github.com/docker/docker-bench-security.git
 cd docker-bench-security
-sudo sh docker-bench-security.sh
+sudo bash docker-bench-security.sh
 ```
 
 > Note: [`jq`](https://jqlang.github.io/jq/) is an optional but recommended dependency.
@@ -126,8 +127,36 @@ Note that when distributions don't contain `auditctl`, the audit tests will chec
   -x EXCLUDE   optional  Comma delimited list of patterns within a container or image name to exclude from check
   -t LABEL     optional  Comma delimited list of labels within a container or image to check
   -n LIMIT     optional  In JSON output, when reporting lists of items (containers, images, etc.), limit the number of reported items to LIMIT. Default 0 (no limit).
-  -p PRINT     optional  Disable the printing of remediation measures. Default: print remediation measures.
+  -p PRINT     optional  Print remediation measures. Default: Don't print remediation measures.
 ```
+Subsets of tests available :
+- cis
+  - host_configuration
+  - docker_daemon_configuration
+  - docker_daemon_files
+  - container_images
+  - container_runtime
+  - docker_security_operations
+  - docker_swarm_configuration
+- cis_level1
+  - host_configuration_level1
+  - docker_daemon_configuration_level1
+  - docker_daemon_files_level1
+  - container_images_level1
+  - container_runtime_level1
+  - docker_security_operations_level1
+  - docker_swarm_configuration_level1
+- cis_controls_v8_ig1
+- cis_controls_v8_ig2
+- cis_controls_v8_ig3
+- docker_enterprise_configuration
+  - docker_enterprise_configuration_level1
+- docker_trusted_registry_configuration
+- universal_control_plane_configuration
+- community
+  - community_checks
+- all
+
 
 By default the Docker Bench for Security script will run all available CIS tests and produce
 logs in the log folder from current directory, named `docker-bench-security.log.json` and
@@ -137,16 +166,16 @@ If the docker container is used then the log files will be created inside the co
 
 The CIS based checks are named `check_<section>_<number>`, e.g. `check_2_6` and community contributed checks are named `check_c_<number>`.
 
-`sh docker-bench-security.sh -c check_2_2` will only run check `2.2 Ensure the logging level is set to 'info'`.
+`bash docker-bench-security.sh -c check_2_2` will only run check `2.2 Ensure the logging level is set to 'info'`.
 
-`sh docker-bench-security.sh -e check_2_2` will run all available checks except `2.2 Ensure the logging level is set to 'info'`.
+`bash docker-bench-security.sh -e check_2_2` will run all available checks except `2.2 Ensure the logging level is set to 'info'`.
 
-`sh docker-bench-security.sh -e docker_enterprise_configuration` will run all available checks except the docker_enterprise_configuration group
+`bash docker-bench-security.sh -e docker_enterprise_configuration` will run all available checks except the docker_enterprise_configuration group
 
-`sh docker-bench-security.sh -e docker_enterprise_configuration,check_2_2` will run all available checks except the docker_enterprise_configuration group and `2.2 Ensure the logging level is set to 'info'`
+`bash docker-bench-security.sh -e docker_enterprise_configuration,check_2_2` will run all available checks except the docker_enterprise_configuration group and `2.2 Ensure the logging level is set to 'info'`
 
-`sh docker-bench-security.sh -c container_images,container_runtime` will run just the container_images and container_runtime checks
+`bash docker-bench-security.sh -c container_images,container_runtime` will run just the container_images and container_runtime checks
 
-`sh docker-bench-security.sh -c container_images -e check_4_5` will run just the container_images checks except `4.5 Ensure Content trust for Docker is Enabled`
+`bash docker-bench-security.sh -c container_images -e check_4_5` will run just the container_images checks except `4.5 Ensure Content trust for Docker is Enabled`
 
 Note that when submitting checks, provide information why it is a reasonable test to add and please include some kind of official documentation verifying that information.

docker-bench-security.sh

@@ -44,11 +44,11 @@ Usage: ${myname}.sh [OPTIONS]
 
 Example:
   - Only run check "2.2 - Ensure the logging level is set to 'info'":
-      sh docker-bench-security.sh -c check_2_2
+      bash docker-bench-security.sh -c check_2_2
   - Run all available checks except the host_configuration group and "2.8 - Enable user namespace support":
-      sh docker-bench-security.sh -e host_configuration,check_2_8
+      bash docker-bench-security.sh -e host_configuration,check_2_8
   - Run just the container_images checks except "4.5 - Ensure Content trust for Docker is Enabled":
-      sh docker-bench-security.sh -c container_images -e check_4_5
+      bash docker-bench-security.sh -c container_images -e check_4_5
 
 Options:
   -b           optional  Do not print colors

functions/functions_lib.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 host_configuration() {
   check_1
@@ -29,6 +29,16 @@ host_configuration() {
 
 host_configuration_level1() {
   check_1
+  check_1_1
+  check_1_1_1
+  check_1_1_2
+  check_1_1_3
+  check_1_1_4
+  check_1_1_5
+  check_1_1_6
+  check_1_2
+  check_1_2_1
+  check_1_2_2
   check_1_end
 }
 
@@ -82,11 +92,25 @@ docker_daemon_configuration() {
   check_2_16
   check_2_17
   check_2_18
+  check_2_19
   check_2_end
 }
 
 docker_daemon_configuration_level1() {
   check_2
+  check_2_1
+  check_2_2
+  check_2_3
+  check_2_4
+  check_2_5
+  check_2_6
+  check_2_7
+  check_2_8
+  check_2_9
+  check_2_15
+  check_2_16
+  check_2_17
+  check_2_19
   check_2_end
 }
 
@@ -121,6 +145,24 @@ docker_daemon_files() {
 
 docker_daemon_files_level1() {
   check_3
+  check_3_1
+  check_3_2
+  check_3_3
+  check_3_4
+  check_3_5
+  check_3_6
+  check_3_7
+  check_3_8
+  check_3_9
+  check_3_10
+  check_3_11
+  check_3_12
+  check_3_13
+  check_3_14
+  check_3_15
+  check_3_16
+  check_3_23
+  check_3_24
   check_3_end
 }
 
@@ -143,6 +185,15 @@ container_images() {
 
 container_images_level1() {
   check_4
+  check_4_1
+  check_4_2
+  check_4_3
+  check_4_4
+  check_4_6
+  check_4_7
+  check_4_9
+  check_4_10
+  check_4_12
   check_4_end
 }
 
@@ -186,6 +237,34 @@ container_runtime() {
 
 container_runtime_level1() {
   check_5
+  check_5_1
+  check_5_2
+  check_5_4
+  check_5_5
+  check_5_6
+  check_5_7
+  check_5_8
+  check_5_9
+  check_5_10
+  check_5_11
+  check_5_12
+  check_5_13
+  check_5_14
+  check_5_15
+  check_5_16
+  check_5_17
+  check_5_18
+  check_5_19
+  check_5_20
+  check_5_21
+  check_5_22
+  check_5_25
+  check_5_26
+  check_5_27
+  check_5_28
+  check_5_29
+  check_5_31
+  check_5_32
   check_5_end
 }
 
@@ -219,6 +298,15 @@ docker_swarm_configuration() {
 
 docker_swarm_configuration_level1() {
   check_7
+  check_7_1
+  check_7_2
+  check_7_3
+  check_7_4
+  check_7_5
+  check_7_6
+  check_7_7
+  check_7_8
+  check_7_9
   check_7_end
 }
 
@@ -311,8 +399,8 @@ cis_controls_v8_ig1() {
   check_1_1_2
   check_1_1_3
   check_2_1
-  check_2_13
   check_2_14
+  check_2_15
   check_3_1
   check_3_2
   check_3_3
@@ -380,14 +468,14 @@ cis_controls_v8_ig2() {
   check_2_3
   check_2_4
   check_2_5
-  check_2_7
   check_2_8
-  check_2_11
-  check_2_13
+  check_2_9
+  check_2_12
   check_2_14
   check_2_15
   check_2_16
-  check_2_18
+  check_2_17
+  check_2_19
   check_3_1
   check_3_2
   check_3_3
@@ -480,14 +568,14 @@ cis_controls_v8_ig3() {
   check_2_3
   check_2_4
   check_2_5
-  check_2_7
   check_2_8
-  check_2_11
-  check_2_13
+  check_2_9
+  check_2_12
   check_2_14
   check_2_15
   check_2_16
-  check_2_18
+  check_2_17
+  check_2_19
   check_3_1
   check_3_2
   check_3_3

tests/1_host_configuration.sh

@@ -275,14 +275,14 @@ check_1_1_8() {
 }
 check_1_1_9() {
   local id="1.1.9"
-  local desc="Ensure auditing is configured for Docker files and directories - docker.socket (Automated)"
+  local desc="Ensure auditing is configured for Docker files and directories - docker.sock (Automated)"
   local remediation
-  remediation="Install auditd. Add -w $(get_service_file docker.socket) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
+  remediation="Install auditd. Add -w $(get_service_file docker.sock) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
   local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
   local check="$id - $desc"
   starttestjson "$id" "$desc"
 
-  file="$(get_service_file docker.socket)"
+  file="$(get_service_file docker.sock)"
   if [ -e "$file" ]; then
     if command -v auditctl >/dev/null 2>&1; then
       if auditctl -l | grep "$file" >/dev/null 2>&1; then