
cis-docker-benchmark's Introduction

CIS Docker Benchmark - InSpec Profile


Description

This InSpec compliance profile implements the CIS Docker 1.13.0 Benchmark in an automated way, providing security best-practice tests for the Docker daemon and containers in a production environment.

InSpec is an open-source run-time framework and rule language used to specify compliance, security, and policy requirements for testing any node in your infrastructure.

Requirements

  • InSpec 2.3.23 or later
  • Docker 1.13 or later

Platform

  • Debian 8
  • Ubuntu 16.04
  • CentOS 7

Attributes

We use a YAML attribute file to steer the configuration. The following options are available (the default value is shown after each name):

  • trusted_user: vagrant. The trusted user allowed to control the Docker daemon.
  • authorization_plugin: authz-broker. The authorization plugin that manages access to the Docker daemon.
  • log_driver: syslog. The preferred log driver for storing logs.
  • log_opts: /syslog-address/. The expected Docker daemon log-opts.
  • registry_cert_path: /etc/docker/certs.d. The directory that contains the per-registry certificate directories.
  • registry_name: /etc/docker/certs.d/registry_hostname:port. The directory that contains the certificate for a particular Docker registry.
  • registry_ca_file: /etc/docker/certs.d/registry_hostname:port/ca.crt. The CA certificate file for a particular Docker registry.
  • container_user: vagrant. The user expected inside containers.
  • app_armor_profile: docker-default. The AppArmor profile for Docker containers.
  • selinux_profile: /label\:level\:s0-s0\:c1023/. The SELinux profile for Docker containers.
  • container_capadd: null. Capabilities containers are allowed to add, e.g. container_capadd: NET_ADMIN,SYS_ADMIN.
  • managable_container_number: 25. Keep the number of containers on a host to a manageable total.
  • daemon_tlscacert: /etc/docker/ssl/ca.pem. The certificate authority for daemon TLS.
  • daemon_tlscert: /etc/docker/ssl/server_cert.pem. The server certificate for daemon TLS.
  • daemon_tlskey: /etc/docker/ssl/server_key.pem. The server key for daemon TLS.
  • swarm_mode: inactive. The expected swarm mode.
  • swarm_max_manager_nodes: 3. The maximum number of swarm manager nodes.
  • swarm_port: 2377. The swarm port.
  • benchmark_version: also execute the controls from a previous benchmark, e.g. set it to 1.12.0 to also run the tests from cis-benchmark-1.12.0 (which is the default).

These settings can be overridden using an attributes file (e.g. --attrs <attributefile.yml>). See sample_attributes.yml as an example.

Usage

InSpec makes it easy to run your tests wherever you need. More options are listed in the InSpec CLI documentation.

# run profile locally
$ git clone https://github.com/dev-sec/cis-docker-benchmark
$ inspec exec cis-docker-benchmark

# run profile locally and directly from GitHub
$ inspec exec https://github.com/dev-sec/cis-docker-benchmark

# run profile on remote host via SSH
inspec exec cis-docker-benchmark -t ssh://user@hostname -i /path/to/key

# run profile on remote host via SSH with sudo
inspec exec cis-docker-benchmark -t ssh://user@hostname -i /path/to/key --sudo

# run profile and define attribute values from a file
inspec exec cis-docker-benchmark --attrs sample_attributes.yml

# run profile direct from inspec supermarket
inspec supermarket exec dev-sec/cis-docker-benchmark -t ssh://user@hostname --key-files private_key --sudo

Run individual controls

In order to verify individual controls, just provide the control ids to InSpec:

inspec exec cis-docker-benchmark --controls 'cis-docker-benchmark-1.4 cis-docker-benchmark-1.5'

Contributors + Kudos

License and Author

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

cis-docker-benchmark's People

Contributors

adamoutler, alexpop, arlimus, artem-sidorenko, aschmidt75, atomic111, chris-rock, commjoen, emilyay, micheelengronne, moisestapia, netflash, nnickie23, nowheresly, presidenten, renovate[bot], schurzi, tstuber


cis-docker-benchmark's Issues

Wrong placement of flag in command

Describe the bug
controls/container_images.rb uses docker history to inspect commands, and the command looks like this:

command("docker --no-trunc history #{id}| grep -e 'update'")

Expected behavior
The output without error is expected. This can be achieved by placing the flag --no-trunc at the end of the command string:

command("docker history #{id} --no-trunc | grep -e 'update'")

Actual behavior
The stdout of running this command is empty because the command has an error:

unknown flag: --no-trunc
...

Example code

command("docker --no-trunc history #{id}| grep -e 'update'")

OS / Environment

NAME="Ubuntu"
VERSION="20.04 LTS (Focal Fossa)"

Inspec Version

4.46.13

Baseline Version

1.12.0

Having all controls be `impact 1.0` or `impact 0.0` makes the data less than useful

thinking out loud

We should look at making them go into at least 2 or 3 buckets? .3 .5 .9 would make sense to me but if they are all 0.0 and 1.0 then it doesn't really tell me anything right?

Further, in the operational setting, the data points 0 and 1 are usually reserved for the extreme cases - i.e. Not Important / Ignore and "Totally Critical - remove the system from the network". If this isn't the case again - those values start to lose any meaning and will be ignored.

incompatible character encodings: UTF-8 and ASCII-8BIT

..so I updated my inspec version so as to move ahead from this issue

Just so that you know, I used a chef gem update inspec command to update my inspec gem. Post which, I had to manually edit the /opt/chefdk/bin/inspec file to update the inspec versions.

$ inspec version
2.0.32
$ inspec exec cis-docker-benchmark
/Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/reporters/cli.rb:144:in `format_message': incompatible character encodings: UTF-8 and ASCII-8BIT (Encoding::CompatibilityError)
        from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/reporters/cli.rb:128:in `format_result'
        from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/reporters/cli.rb:78:in `block (2 levels) in print_standard_control_results'
        from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/reporters/cli.rb:77:in `each'
        from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/reporters/cli.rb:77:in `block in print_standard_control_results'
        from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/reporters/cli.rb:73:in `each'
        from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/reporters/cli.rb:73:in `print_standard_control_results'
        from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/reporters/cli.rb:50:in `block in render'
        from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/reporters/cli.rb:46:in `each'
        from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/reporters/cli.rb:46:in `render'
        from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/reporters.rb:24:in `render'
        from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/runner.rb:111:in `block in render_output'
        from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/runner.rb:110:in `each'
        from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/runner.rb:110:in `render_output'
        from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/runner.rb:134:in `run_tests'
        from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/runner.rb:104:in `run'
        from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/cli.rb:168:in `exec'
        from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor/command.rb:27:in `run'
        from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor/invocation.rb:126:in `invoke_command'
        from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor.rb:359:in `dispatch'
        from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor/base.rb:440:in `start'
        from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/bin/inspec:12:in `<top (required)>'
        from /usr/local/bin/inspec:50:in `load'
        from /usr/local/bin/inspec:50:in `<main>'

What am I missing?

Test running docker via -t docker://

Hi,
is it possible to test running docker with this profile? I'm trying to run it via docker and point it at a different container.
docker run -it --rm -v $(pwd):/share -v /var/run/docker.sock:/var/run/docker.sock chef/inspec exec https://github.com/dev-sec/cis-docker-benchmark -t docker://<container_id>

All what I get is 99 skipped controls.

split controls into components

We should organize the controls in components. I mean we should split them into host.rb, daemon.rb, container.rb and swarm.rb. This should be included in the 2.0 release.

@chris-rock what is your opinion?

method_missing: undefined local variable or method docker

Hello,

Trying this on my local mac machine. Getting this error straightaway. Am I doing something wrong here?

$ inspec version
1.4.1
$ inspec exec cis-docker-benchmark
/opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/rspec-expectations-3.5.0/lib/rspec/matchers.rb:967:in `method_missing': undefined local variable or method `docker' for #<#<Class:0x007f8f9cc284d0>:0x007f8f9a00b438> (NameError)
        from cis-docker-benchmark/controls/docker_daemon_configuration.rb:387:in `block in load_with_context'
        from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib/inspec/rule.rb:51:in `instance_eval'
        from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib/inspec/rule.rb:51:in `initialize'
        from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib/inspec/control_eval_context.rb:73:in `new'
        from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib/inspec/control_eval_context.rb:73:in `block (2 levels) in create'
        from cis-docker-benchmark/controls/docker_daemon_configuration.rb:374:in `load_with_context'
        from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib/inspec/profile_context.rb:146:in `instance_eval'
        from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib/inspec/profile_context.rb:146:in `load_with_context'
        from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib/inspec/profile_context.rb:130:in `load_control_file'
        from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib/inspec/profile.rb:114:in `block in collect_tests'
        from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib/inspec/profile.rb:111:in `each'
        from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib/inspec/profile.rb:111:in `collect_tests'
        from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib/inspec/runner.rb:85:in `block in load'
        from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib/inspec/runner.rb:79:in `each'
        from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib/inspec/runner.rb:79:in `load'
        from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib/inspec/runner.rb:95:in `run'
        from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib/inspec/base_cli.rb:84:in `run_tests'
        from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib/inspec/cli.rb:164:in `exec'
        from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor/command.rb:27:in `run'
        from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor/invocation.rb:126:in `invoke_command'
        from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor.rb:359:in `dispatch'
        from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor/base.rb:440:in `start'
        from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/bin/inspec:12:in `<top (required)>'
        from /usr/local/bin/inspec:50:in `load'
        from /usr/local/bin/inspec:50:in `<main>'

Control docker-4.7 fails when running tests on environment with redhat/ubi9-minimal

Description

Control docker-4.7 "Do not use update instructions alone in the Dockerfile" fails when running tests on environment with redhat/ubi9-minimal.

The ubi9-minimal image has an image description that includes the text "updated". The test for control docker-4.7 only checks for the presence of text "update" which results in a match and causes the control to fail.

Perhaps the test should use a more precise reference to "apt-get update" or "apt update" to avoid unexpected matches.

Reproduction steps

Execute the following commands to reproduce the issue:

docker pull redhat/ubi9-minimal:9.3-1552
git clone https://github.com/dev-sec/cis-docker-benchmark.git
inspec exec cis-docker-benchmark --controls docker-4.7

Current Behavior

inspec with control docker-4.7 fails and the following message is output to the console:
(message has been formatted for readability)

+<missing>                                                                 6 weeks ago   
/bin/sh -c #(nop) LABEL description="The Universal Base Image Minimal is a stripped down image 
that uses microdnf as a package manager. This base image is freely redistributable, but Red Hat only 
supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained 
by Red Hat and updated regularly."

Expected Behavior

Control docker-4.7 should not fail as a "RUN apt-get update" or "RUN apt update" is not being used.

OS / Environment

Ubuntu Linux 23.10
Docker 25.0.3

Inspec Version

6.6.0

Baseline Version

2.1.3

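An added example, not code from the cis-docker-benchmark profile, covering both the flag-placement issue above ("Wrong placement of flag in command") and this docker-4.7 false positive: it builds the docker history command with --no-trunc after the subcommand and uses the Docker CLI's own --format '{{.CreatedBy}}' option, then classifies each layer so that a package-manager update run alone in a RUN layer is flagged while the word "updated" inside a LABEL, a CMD or an echo is not. The history lines are constructed samples; the package-manager list and the update/install patterns are my assumptions.

```ruby
# Builds the history command with the flag after the subcommand, which is the
# placement the issue reporter asked for (docker rejects it before "history").
def history_command(image_id)
  "docker history --no-trunc --format '{{.CreatedBy}}' #{image_id}"
end

# Metadata layers (LABEL, CMD, ENV, ...) carry this marker and never run anything.
NOP_MARKER = '#(nop)'.freeze

# Assumed package managers; update/install verbs may be preceded by flags (-y).
PKG = '(?:apt-get|apt|yum|dnf|microdnf|apk|zypper)'.freeze
UPDATE_RE  = /\b#{PKG}\s+(?:-\S+\s+)*update\b/
INSTALL_RE = /\b#{PKG}\s+(?:-\S+\s+)*(?:install|add)\b/

# Returns the shell script a RUN layer executed, or nil for metadata layers.
# Handles the classic "/bin/sh -c ..." form and the BuildKit
# "RUN /bin/sh -c ... # buildkit" form.
def run_script(created_by)
  return nil if created_by.include?(NOP_MARKER)
  script = created_by.sub(/\A\s*RUN\s+/, '').sub(%r{\A/bin/sh -c\s+}, '')
  script.sub(/\s*#\s*buildkit\s*\z/, '').strip
end

# True when the layer runs a package index update without installing anything
# in the same layer, which is what CIS docker-4.7 is really about.
def update_alone?(created_by)
  script = run_script(created_by)
  return false if script.nil?
  UPDATE_RE.match?(script) && !INSTALL_RE.match?(script)
end

# What the control's "grep -e 'update'" effectively does: a substring match.
def naive_match?(created_by)
  created_by.include?('update')
end

# Returns the CreatedBy lines that should fail the control.
def audit_history(created_by_lines)
  created_by_lines.select { |line| update_alone?(line) }
end

# Constructed sample of "docker history --format '{{.CreatedBy}}'" output,
# including a LABEL containing "updated" like the ubi9-minimal image.
SAMPLE_HISTORY = [
  '/bin/sh -c #(nop)  CMD ["/bin/bash"]',
  '/bin/sh -c #(nop)  LABEL description="This image is maintained by Red Hat and updated regularly."',
  '/bin/sh -c echo "last updated 2024" > /etc/build-info',
  '/bin/sh -c apt-get update',
  '/bin/sh -c apt-get update && apt-get install -y curl',
  'RUN /bin/sh -c yum -y update # buildkit'
].freeze

if $PROGRAM_NAME == __FILE__
  puts "naive grep would flag #{SAMPLE_HISTORY.count { |l| naive_match?(l) }} layers"
  puts 'precise check flags:'
  audit_history(SAMPLE_HISTORY).each { |l| puts "  #{l}" }
end
```

Run against a real image by replacing SAMPLE_HISTORY with the lines returned by `history_command(id)`; only the two update-only layers are reported, not the LABEL.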

undefined method `downcase' for nil:NilClass

When executing this profile, I get this:

/usr/local/bundle/gems/inspec-1.23.0/lib/resources/docker.rb:32:in `block (2 levels) in <class:DockerContainerFilter>': undefined method `downcase' for nil:NilClass (NoMethodError)
	from /usr/local/bundle/gems/inspec-1.23.0/lib/utils/filter.rb:63:in `instance_eval'
	from /usr/local/bundle/gems/inspec-1.23.0/lib/utils/filter.rb:63:in `block in where'
	from /usr/local/bundle/gems/inspec-1.23.0/lib/utils/filter.rb:63:in `each'
	from /usr/local/bundle/gems/inspec-1.23.0/lib/utils/filter.rb:63:in `find_all'
	from /usr/local/bundle/gems/inspec-1.23.0/lib/utils/filter.rb:63:in `where'
	from /usr/local/bundle/gems/inspec-1.23.0/lib/resources/docker.rb:32:in `block in <class:DockerContainerFilter>'
	from /usr/local/bundle/gems/inspec-1.23.0/lib/utils/filter.rb:204:in `block in create_connector'
	from /usr/local/bundle/gems/inspec-1.23.0/lib/utils/filter.rb:178:in `call'
	from /usr/local/bundle/gems/inspec-1.23.0/lib/utils/filter.rb:178:in `block (2 levels) in connect'
	from cis-docker-benchmark-master/controls/container_images.rb:50:in `block in load_with_context'
	from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/rule.rb:51:in `instance_eval'
	from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/rule.rb:51:in `initialize'
	from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/control_eval_context.rb:71:in `new'
	from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/control_eval_context.rb:71:in `block (2 levels) in create'
	from cis-docker-benchmark-master/controls/container_images.rb:37:in `load_with_context'
	from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/profile_context.rb:146:in `instance_eval'
	from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/profile_context.rb:146:in `load_with_context'
	from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/profile_context.rb:130:in `load_control_file'
	from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/profile.rb:149:in `block in collect_tests'
	from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/profile.rb:146:in `each'
	from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/profile.rb:146:in `collect_tests'
	from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/dependencies/dependency_set.rb:65:in `block in each'
	from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/dependencies/dependency_set.rb:64:in `each'
	from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/dependencies/dependency_set.rb:64:in `each'
	from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/profile.rb:144:in `collect_tests'
	from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/runner.rb:90:in `block in load'
	from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/runner.rb:79:in `each'
	from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/runner.rb:79:in `load'
	from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/runner.rb:100:in `run'
	from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/base_cli.rb:83:in `run_tests'
	from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/cli.rb:166:in `exec'
	from /usr/local/bundle/gems/thor-0.19.4/lib/thor/command.rb:27:in `run'
	from /usr/local/bundle/gems/thor-0.19.4/lib/thor/invocation.rb:126:in `invoke_command'
	from /usr/local/bundle/gems/thor-0.19.4/lib/thor.rb:369:in `dispatch'
	from /usr/local/bundle/gems/thor-0.19.4/lib/thor/base.rb:444:in `start'
	from /usr/local/bundle/gems/inspec-1.23.0/bin/inspec:12:in `<top (required)>'
	from /usr/local/bundle/bin/inspec:17:in `load'
	from /usr/local/bundle/bin/inspec:17:in `<main>'

rename control titles

I think we should rename the control titles in a more general way.

example: docker-baseline-xx

this should be included in the 2.0 release

@chris-rock your opinion?

Verify enable content trust per-shell or per-invocation check

In PR #43 we added new controls for 1.13. Not all have an automatic test: https://github.com/dev-sec/cis-docker-benchmark/pull/43/files/85b55d19fb0c152cf2df6df90e419f06614be9c1#diff-157b69b578cf12843b1a4586db95e71aR61

@grdnrio proposed to do the following:

## Enable and disable content trust per-shell or per-invocation
In a shell, you can enable content trust by setting the DOCKER_CONTENT_TRUST environment variable. Enabling per-shell is useful because you can have one shell configured for trusted operations and another terminal shell for untrusted operations. You can also add this declaration to your shell profile to have it turned on always by default.

To enable content trust in a bash shell enter the following command:

export DOCKER_CONTENT_TRUST=1
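An added example, not code from the profile or from the proposal above: a plain-Ruby check for the per-shell content trust setting. It reads DOCKER_CONTENT_TRUST from the current environment and walks shell profile files in order (so a later assignment or unset overrides an earlier export). The value semantics follow the Docker CLI as I understand it: any non-empty value other than a false-like spelling such as 0 or false enables trust; that, the profile paths and the sample profile contents are assumptions.

```ruby
TRUST_VAR = 'DOCKER_CONTENT_TRUST'.freeze

# Assignment forms a profile may use: VAR=1, export VAR=1, export VAR="1", VAR='true',
# optionally followed by a trailing "# comment".
ASSIGN_RE = /\A\s*(?:export\s+)?#{TRUST_VAR}=(?:"([^"]*)"|'([^']*)'|(\S*))\s*(?:#.*)?\z/
UNSET_RE  = /\A\s*unset\s+#{TRUST_VAR}\b/

# Spellings the Docker CLI treats as false (assumed: Go's strconv.ParseBool set).
FALSE_VALUES = %w[0 f F false FALSE False].freeze

# Assumed Docker CLI semantics: trust is on unless the variable is unset,
# empty, or one of the false-like spellings above.
def trust_value_enabled?(value)
  return false if value.nil? || value.empty?
  !FALSE_VALUES.include?(value)
end

# Walks a profile file's text top to bottom and returns the value left in
# effect at the end: nil if never touched, '' if the last action was unset.
def profile_trust_value(text)
  value = nil
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.start_with?('#')
    if (m = ASSIGN_RE.match(line))
      value = m[1] || m[2] || m[3]
    elsif UNSET_RE.match?(line)
      value = ''
    end
  end
  value
end

def finding_text(shell_enabled, default_on)
  if shell_enabled && !default_on.empty?
    'content trust on in this shell and enabled by default in a profile'
  elsif shell_enabled
    'content trust on in this shell only; no profile sets it'
  elsif default_on.empty?
    'content trust off; set DOCKER_CONTENT_TRUST=1 in the shell profile'
  else
    'a profile enables content trust but this shell has it off'
  end
end

# env:      the shell's environment as a Hash (e.g. ENV.to_h)
# profiles: Hash of path => file contents for the profile files to inspect
def content_trust_report(env, profiles)
  shell_enabled = trust_value_enabled?(env[TRUST_VAR])
  default_on = profiles.select { |_, text| trust_value_enabled?(profile_trust_value(text)) }.keys
  { shell_enabled: shell_enabled,
    default_on_in: default_on,
    finding: finding_text(shell_enabled, default_on) }
end

# Constructed sample profile contents used for illustration.
PROFILE_ON    = "# enable trusted pulls\nexport DOCKER_CONTENT_TRUST=1\n".freeze
PROFILE_OFF   = "export DOCKER_CONTENT_TRUST=1\nexport DOCKER_CONTENT_TRUST=0 # disabled later\n".freeze
PROFILE_UNSET = "DOCKER_CONTENT_TRUST='1'\nunset DOCKER_CONTENT_TRUST\n".freeze

if $PROGRAM_NAME == __FILE__
  # Hypothetical paths; on a real host read the files instead of using samples.
  report = content_trust_report(ENV.to_h, '~/.bashrc' => PROFILE_ON, '~/.profile' => PROFILE_OFF)
  puts report[:finding]
end
```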

docker variable not defined

I keep getting this error:

/usr/local/bundle/gems/rspec-expectations-3.5.0/lib/rspec/matchers.rb:967:in `method_missing': undefined local variable or method `docker' for #<#<Class:0x00000003203a70>:0x000000031c9fa0> (NameError)
	from cis-docker-benchmark-master/controls/container_images.rb:50:in `block in load_with_context'

On line 50, I don't see where it is defined either. Should that be getting set somewhere beforehand?

Examples not working

I tried the following commands, but both of them only result in the error "Input 'container_capadd' is required and does not have a value". The readme says I need a yml attribute file, but there is no mention of how this file can be passed to the script.

# run profile locally
$ git clone https://github.com/dev-sec/cis-docker-benchmark
$ inspec exec cis-docker-benchmark

# run profile locally and directly from Github
$ inspec exec https://github.com/dev-sec/cis-docker-benchmark

OS / Environment
Ubuntu 18.04.2 LTS

Inspec Version

3.7.1

Baseline Version

a281d230fbe52f9ef7f88c5a4147dbce6af07ae9

Overuse of `describe docker.object(id) do`

Is your feature request related to a problem? Please describe.

Overuse of describe docker.object(id) do: this is a simple line but causes up to 10000 chars to be included in the JSON. This may be fine for 1 or 2 controls across 1 or 2 docker containers, but when there are over 20 uses of this in the code and, for example's sake, 50 containers, this causes over 1 million chars to be included and the JSON to extend over 8MB.

Describe the solution you'd like

docker.object(id) under the hood runs a docker inspect $INSTANCE_ID, this returns the whole object every time.

A better option would be to use the command resource (https://docs.chef.io/inspec/resources/command/) to filter down what is required at each instance with docker inspect --format='{{Required item}}', selecting only the item required to verify against.

Describe alternatives you've considered

Alternatively, you could do as in control 'docker-5.7', where the item is fetched wholly and then broken down before use. In this good example, it returns a code_desc of "false is expected to eq false", whereas the bad example of control 'docker-4.1', using describe docker.object(id) do, returns a code_desc of...

 "#<Hashie::Mash AppArmorProfile=\"\" Args=#<Hashie::Array []> Config=#<Hashie::Mash AttachStderr=false AttachStdin=false AttachStdout=false Cmd=nil Domainname=\"\" Entrypoint=#<Hashie::Array [\"/service/launch.sh\"]>.....!! OVER 9000 chars removed !!......Running=true StartedAt=\"2022-07-05T14:42:30.809073423Z\" Status=\"running\">> [\"Config\", \"User\"] is expected to eq \"ubuntu\""

the above is well over 9k chars long (and I've removed these for brevity and security.)

Additional context

As per https://docs.chef.io/chef_compliance_phase/#result_message_limit - "Chef Automate has a 4 MB report size limit and cannot ingest reports exceeding this limitation. "

Implement latest CIS Benchmark

Is your feature request related to a problem? Please describe.

Update the benchmark to the latest CIS Docker Benchmark 1.2.0

Describe the solution you'd like

  • Find missing controls compared to existing version
  • Implement missing controls in InSpec

Describe alternatives you've considered

n/a

Additional context

n/a

uploading cis docker profile to chef compliance

chef-compliance version
Version: 1.12.1(latest)

I was trying to upload the cis-docker-benchmark profile to compliance. I am getting the following error:

Profile is valid
Generate temporary profile archive at /var/folders/ks/x873n92n6vb62rrt_qfpt8f40000gp/T/cis-docker-benchmark20171221-24480-wzaned.tar.gz
I, [2017-12-21T12:29:16.364667 #24480] INFO -- : Generate archive /var/folders/ks/x873n92n6vb62rrt_qfpt8f40000gp/T/cis-docker-benchmark20171221-24480-wzaned.tar.gz.
I, [2017-12-21T12:29:16.381412 #24480] INFO -- : Finished archive generation.
Start upload to walmart45/cis-docker-benchmark
Uploading to Chef Compliance
Error during profile upload:
"Failed to POST /owners/walmart45/compliance/cis-docker-benchmark/tar."

The compliance log shows:
/var/log/chef-compliance/core/current

2017-12-21_18:29:16.84343 18:29:16.840 DEB => Extracting incoming tar to /var/opt/chef-compliance/core/runtime/compliance-profiles/upload_525211858
2017-12-21_18:29:16.84344 18:29:16.843 DEB => Extracted upload to /var/opt/chef-compliance/core/runtime/compliance-profiles/upload_525211858
2017-12-21_18:29:16.84344 18:29:16.843 DEB => Found compliance root folder in /var/opt/chef-compliance/core/runtime/compliance-profiles/upload_525211858
2017-12-21_18:29:16.84344 18:29:16.843 DEB => Run: cd /var/opt/chef-compliance/core/runtime/compliance-profiles/upload_525211858 && inspec [check . --format json --profiles-path /var/opt/chef-compliance/core/runtime/compliance-profiles]
2017-12-21_18:29:18.27781 WARN: Unresolved specs during Gem::Specification.reset:
2017-12-21_18:29:18.27782 net-ssh (< 5.0, >= 2.6.5, >= 2.9)
2017-12-21_18:29:18.27782 ffi (>= 1.0.1)
2017-12-21_18:29:18.27783 multi_json (> 1.10)
2017-12-21_18:29:18.27783 rainbow (> 2)
2017-12-21_18:29:18.27783 rspec (> 3)
2017-12-21_18:29:18.27783 addressable (> 2.4)
2017-12-21_18:29:18.27783 WARN: Clearing out unresolved specs.
2017-12-21_18:29:18.27783 Please report a bug if this causes problems.
2017-12-21_18:29:18.54880 /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/rspec-expectations-3.7.0/lib/rspec/matchers.rb:960:in `method_missing': undefined local variable or method `auditd' for #<#<Class:0x000000040f9ca0>:0x00000002de9b10> (NameError)
2017-12-21_18:29:18.54882 from ./controls/host_configuration.rb:187:in `block in load_with_context'
2017-12-21_18:29:18.54882 from /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/inspec-1.34.9/lib/inspec/rule.rb:49:in `instance_eval'
2017-12-21_18:29:18.54882 from /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/inspec-1.34.9/lib/inspec/rule.rb:49:in `initialize'
2017-12-21_18:29:18.54882 from /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/inspec-1.34.9/lib/inspec/control_eval_context.rb:71:in `new'
2017-12-21_18:29:18.54883 from /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/inspec-1.34.9/lib/inspec/control_eval_context.rb:71:in `block (2 levels) in create'
2017-12-21_18:29:18.54883 from ./controls/host_configuration.rb:173:in `load_with_context'
2017-12-21_18:29:18.54883 from /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/inspec-1.34.9/lib/inspec/profile_context.rb:146:in `instance_eval'
2017-12-21_18:29:18.54883 from /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/inspec-1.34.9/lib/inspec/profile_context.rb:146:in `load_with_context'
2017-12-21_18:29:18.54884 from /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/inspec-1.34.9/lib/inspec/profile_context.rb:130:in `load_control_file'
2017-12-21_18:29:18.54884 from /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/inspec-1.34.9/lib/inspec/profile.rb:151:in `block in collect_tests'
2017-12-21_18:29:18.54884 from /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/inspec-1.34.9/lib/inspec/profile.rb:148:in `each'
2017-12-21_18:29:18.54884 from /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/inspec-1.34.9/lib/inspec/profile.rb:148:in `collect_tests'
2017-12-21_18:29:18.54884 from /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/inspec-1.34.9/lib/inspec/profile.rb:454:in `load_checks_params'
2017-12-21_18:29:18.54885 from /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/inspec-1.34.9/lib/inspec/profile.rb:447:in `load_params'
2017-12-21_18:29:18.54885 from /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/inspec-1.34.9/lib/inspec/profile.rb:141:in `params'
2017-12-21_18:29:18.54885 from /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/inspec-1.34.9/lib/inspec/profile.rb:307:in `controls_count'
2017-12-21_18:29:18.54886 from /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/inspec-1.34.9/lib/inspec/profile.rb:278:in `check'
2017-12-21_18:29:18.54886 from /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/inspec-1.34.9/lib/inspec/cli.rb:69:in `check'

What am I missing here? Do I need to update the rspec version?
Please guide me to resolve this issue.

Thanks in advance.

use own control number scheme

As seen in #24, CIS changes control identifiers in minor versions. Therefore we should define our own control ids to ensure the same control stays the same control over time.

control 'cis-docker-benchmark-1.5' do
  impact 1.0
  title 'Keep Docker up to date'
end

will become:

control 'host-1.3' do
  impact 1.0
  title 'Keep Docker up to date'
  desc 'The docker container solution is evolving to maturity and stability at a rapid pace. Like any other software, the vendor releases regular updates for Docker software that address security vulnerabilities, product bugs and bring in new functionality.'

  tag 'host'
  tag cis: 'docker:1.5'
  tag level: 1
end

To ensure we can map the same control to multiple CIS Benchmark versions, we are going to add more tags for each control:

tag cis: [
   'docker-1.12:1.3',
   'docker-1.13:1.2'
]

load_with_context': undefined method `each' for nil:NilClass (NoMethodError) exception in cis-docker-benchmark-master/controls/container_runtime.rb:194


> inspec exec https://github.com/dev-sec/cis-docker-benchmark/archive/master.zip
cis-docker-benchmark-master/controls/container_runtime.rb:194:in `block (2 levels) in load_with_context': undefined method `each' for nil:NilClass (NoMethodError)
	from cis-docker-benchmark-master/controls/container_runtime.rb:191:in `each'
	from cis-docker-benchmark-master/controls/container_runtime.rb:191:in `block in load_with_context'
	from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/lib/inspec/rule.rb:49:in `instance_eval'
	from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/lib/inspec/rule.rb:49:in `initialize'
	from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/lib/inspec/control_eval_context.rb:71:in `new'
	from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/lib/inspec/control_eval_context.rb:71:in `block (2 levels) in create'
	from cis-docker-benchmark-master/controls/container_runtime.rb:180:in `load_with_context'
	from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/lib/inspec/profile_context.rb:146:in `instance_eval'
	from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/lib/inspec/profile_context.rb:146:in `load_with_context'
	from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/lib/inspec/profile_context.rb:130:in `load_control_file'
	from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/lib/inspec/profile.rb:151:in `block in collect_tests'
	from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/lib/inspec/profile.rb:148:in `each'
	from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/lib/inspec/profile.rb:148:in `collect_tests'
	from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/lib/inspec/runner.rb:89:in `block in load'
	from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/lib/inspec/runner.rb:78:in `each'
	from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/lib/inspec/runner.rb:78:in `load'
	from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/lib/inspec/runner.rb:99:in `run'
	from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/lib/inspec/base_cli.rb:83:in `run_tests'
	from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/lib/inspec/cli.rb:159:in `exec'
	from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/thor-0.20.0/lib/thor/command.rb:27:in `run'
	from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/thor-0.20.0/lib/thor/invocation.rb:126:in `invoke_command'
	from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/thor-0.20.0/lib/thor.rb:387:in `dispatch'
	from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/thor-0.20.0/lib/thor/base.rb:466:in `start'
	from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/bin/inspec:12:in `<top (required)>'
	from ./inspec:23:in `load'
	from ./inspec:23:in `<main>'
