use new InSpec attributes

Author: chris-rock

README.md

@@ -22,40 +22,42 @@ InSpec is an open-source run-time framework and rule language used to specify co
 
 ## Attributes
 
-  * `TRUSTED_USER = vagrant`
+We use a yml attribute file to steer the configuration, the following options are available:
+
+  * `trusted_user: vagrant`
     define trusted user to control Docker daemon. cis-docker-benchmark-1.6
 
-  * `AUTHORIZATION_PLUGIN = authz-broker`
+  * `authorization_plugin: authz-broker`
     define authorization plugin to manage access to Docker daemon. cis-docker-benchmark-2.11
 
-  * `LOG_DRIVER = syslog`
+  * `log_driver: syslog`
     define preferable way to store logs. cis-docker-benchmark-2.12
 
-  * `LOG_OPTS = syslog-address`
+  * `log_opts: /syslog-address/`
     define Docker daemon log-opts. cis-docker-benchmark-2.12
 
-  * `REGISTRY_CERT_PATH = '/etc/docker/certs.d/'`
+  * `registry_cert_path: /etc/docker/certs.d`
     directory contains various Docker registry directories. cis-docker-benchmark-3.7
 
-  * `REGISTRY_NAME = '/etc/docker/certs.d/registry_hostname:port'`
+  * `registry_name: /etc/docker/certs.d/registry_hostname:port`
     directory contain certificate certain Docker registry. cis-docker-benchmark-3.7
 
-  * `REGISTRY_CA_FILE = '/etc/docker/certs.d/registry_hostname:port/ca.crt'`
+  * `registry_ca_file: /etc/docker/certs.d/registry_hostname:port/ca.crt`
     certificate file for a certain Docker registry certificate files. cis-docker-benchmark-3.7 and cis-docker-benchmark-3.8
 
-  * `CONTAINER_USER = 'ubuntu'`
+  * `container_user: vagrant`
     define user within containers. cis-docker-benchmark-4.1
 
-  * `APP_ARMOR_PROFILE = 'docker-default'`
+  * `app_armor_profile: docker-default`
     define apparmor profile for Docker containers. cis-docker-benchmark-5.1
 
-  * `SELINUX_PROFILE = 'label\:level\:s0-s0\:c1023'`
+  * `selinux_profile: /label\:level\:s0-s0\:c1023/`
     define SELinux profile for Docker containers. cis-docker-benchmark-5.2
 
-  * `CONTAINER_CAPADD = nil`
-    define needed capabilities for containers. example: `CONTAINER_CAPADD="NET_ADMIN,SYS_ADMIN"` cis-docker-benchmark-5.3
+  * `container_capadd: null`
+    define needed capabilities for containers. example: `container_capadd: NET_ADMIN,SYS_ADMIN` cis-docker-benchmark-5.3
 
-  * `MANAGEABLE_CONTAINER_NUMBER = 25`
+  * `managable_container_number: 25`
     keep number of containers on a host to a manageable total. cis-docker-benchmark-6.5
 
 ## Usage
@@ -77,7 +79,7 @@ inspec exec cis-docker-benchmark -t ssh://user@hostname -i /path/to/key
 inspec exec cis-docker-benchmark -t ssh://user@hostname -i /path/to/key --sudo
 
 # run profile on remote host via SSH with sudo and define attribute value
-TRUSTED_USER=test inspec exec cis-docker-benchmark -t ssh://user@hostname --port 2222 --key-files --sudo
+inspec exec cis-docker-benchmark --attrs sample_attributes.yml
 
 # run profile direct from inspec supermarket
 inspec supermarket exec dev-sec/cis-docker-benchmark -t ssh://user@hostname --key-files private_key --sudo

controls/docker_host_os_level1.rb

@@ -21,12 +21,17 @@
 
 title 'CIS Docker Benchmark - Level 1 - Linux Host OS'
 
-# attributes
-attrs = {}
-# define trusted user to control Docker daemon. cis-docker-benchmark-1.6
-attrs['TRUSTED_USER'] = ENV['TRUSTED_USER'] || 'vagrant'
-# keep number of containers on a host to a manageable total. cis-docker-benchmark-6.5
-attrs['MANAGEABLE_CONTAINER_NUMBER'] = ENV['MANAGEABLE_CONTAINER_NUMBER'] || 25
+TRUSTED_USER = attribute(
+  'trusted_user',
+  description: 'define trusted user to control Docker daemon. cis-docker-benchmark-1.6',
+  default: 'vagrant'
+)
+
+MANAGEABLE_CONTAINER_NUMBER = attribute(
+  'managable_container_number',
+  description: 'keep number of containers on a host to a manageable total. cis-docker-benchmark-6.5',
+  default: 25
+)
 
 # check if docker exists
 only_if do
@@ -108,7 +113,7 @@
   end
 
   describe etc_group.where(group_name: 'docker') do
-    its('users') { should include attrs['TRUSTED_USER'] }
+    its('users') { should include TRUSTED_USER }
   end
 end
 
@@ -152,7 +157,7 @@
   ref 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'
 
   if docker.path
-    rule = '-w ' << docker.path << ' -p rwxa -k docker'
+    rule = '-w ' + docker.path + ' -p rwxa -k docker'
     describe auditd_rules do
       its(:lines) { should include(rule) }
     end
@@ -170,7 +175,7 @@
   ref 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'
 
   if docker.path
-    rule = '-w ' << docker.socket << ' -p rwxa -k docker'
+    rule = '-w ' + docker.socket + ' -p rwxa -k docker'
     describe auditd_rules do
       its(:lines) { should include(rule) }
     end
@@ -264,6 +269,6 @@
   diff = total_on_host - total_running
 
   describe diff do
-    it { should be <= (attrs['MANAGEABLE_CONTAINER_NUMBER']) }
+    it { should be <= MANAGEABLE_CONTAINER_NUMBER }
   end
 end

controls/docker_level1.rb

@@ -22,17 +22,34 @@
 title 'CIS Docker Benchmark - Level 1 - Docker'
 
 # attributes
-attrs = {}
-# directory contains various Docker registry directories. cis-docker-benchmark-3.7
-attrs['REGISTRY_CERT_PATH'] = ENV['REGISTRY_CERT_PATH'] || '/etc/docker/certs.d'
-# directory contain certificate certain Docker registry. cis-docker-benchmark-3.7
-attrs['REGISTRY_NAME'] = ENV['REGISTRY_NAME'] || '/etc/docker/certs.d/registry_hostname:port'
-# certificate file for a certain Docker registry certificate files. cis-docker-benchmark-3.7 and cis-docker-benchmark-3.8
-attrs['REGISTRY_CA_FILE'] = ENV['REGISTRY_CA_FILE'] || '/etc/docker/certs.d/registry_hostname:port/ca.crt'
-# define user within containers. cis-docker-benchmark-4.1
-attrs['CONTAINER_USER'] = ENV['CONTAINER_USER'] || 'ubuntu'
-# define needed capabilities for containers. example: `CONTAINER_CAPADD="NET_ADMIN,SYS_ADMIN"` cis-docker-benchmark-5.3
-attrs['CONTAINER_CAPADD'] = ENV['CONTAINER_CAPADD'].nil? ? ENV['CONTAINER_CAPADD'] : ENV['CONTAINER_CAPADD'].split(',')
+REGISTRY_CERT_PATH = attribute(
+  'registry_cert_path',
+  description: 'directory contains various Docker registry directories. cis-docker-benchmark-3.7',
+  default: '/etc/docker/certs.d'
+)
+
+REGISTRY_NAME = attribute(
+  'registry_name',
+  description: 'directory contain certificate certain Docker registry. cis-docker-benchmark-3.7',
+  default: '/etc/docker/certs.d/registry_hostname:port'
+)
+
+REGISTRY_CA_FILE = attribute(
+  'registry_ca_file',
+  description: 'certificate file for a certain Docker registry certificate files. cis-docker-benchmark-3.7 and cis-docker-benchmark-3.8',
+  default: '/etc/docker/certs.d/registry_hostname:port/ca.crt'
+)
+
+CONTAINER_USER = attribute(
+  'container_user',
+  description: 'define user within containers. cis-docker-benchmark-4.1',
+  default: 'ubuntu'
+)
+
+CONTAINER_CAPADD = attribute(
+  'container_capadd',
+  description: 'define needed capabilities for containers.'
+)
 
 # check if docker exists
 only_if do
@@ -251,21 +268,21 @@
   ref 'https://docs.docker.com/engine/security/certificates/'
   ref 'docs.docker.com/reference/commandline/cli/#insecure-registries'
 
-  describe file(attrs['REGISTRY_CERT_PATH']) do
+  describe file(REGISTRY_CERT_PATH) do
     it { should exist }
     it { should be_directory }
     it { should be_owned_by 'root' }
     it { should be_grouped_into 'root' }
   end
 
-  describe file(attrs['REGISTRY_NAME']) do
+  describe file(REGISTRY_NAME) do
     it { should exist }
     it { should be_directory }
     it { should be_owned_by 'root' }
     it { should be_grouped_into 'root' }
   end
 
-  describe file(attrs['REGISTRY_CA_FILE']) do
+  describe file(REGISTRY_CA_FILE) do
     it { should exist }
     it { should be_file }
     it { should be_owned_by 'root' }
@@ -280,7 +297,7 @@
   ref 'https://docs.docker.com/engine/security/certificates/'
   ref 'docs.docker.com/reference/commandline/cli/#insecure-registries'
 
-  describe file(attrs['REGISTRY_CA_FILE']) do
+  describe file(REGISTRY_CA_FILE) do
     it { should exist }
     it { should be_file }
     it { should be_readable }
@@ -505,7 +522,7 @@
 
   docker.ps.each do |id|
     describe docker.inspect(id) do
-      its(%w(Config User)) { should eq attrs['CONTAINER_USER'] }
+      its(%w(Config User)) { should eq CONTAINER_USER }
       its(%w(Config User)) { should_not eq nil }
     end
   end
@@ -552,7 +569,7 @@
     describe docker.inspect(id) do
       its(%w(HostConfig CapDrop)) { should include(/all/) }
       its(%w(HostConfig CapDrop)) { should_not eq nil }
-      its(%w(HostConfig CapAdd)) { should eq attrs['CONTAINER_CAPADD'] }
+      its(%w(HostConfig CapAdd)) { should eq CONTAINER_CAPADD }
     end
   end
 end
@@ -601,7 +618,7 @@
   ref 'https://blog.docker.com/2014/06/why-you-dont-need-to-run-sshd-in-docker/'
 
   docker.ps.each do |id|
-    execute_command = 'docker exec ' << id << ' ps -e'
+    execute_command = 'docker exec ' + id + ' ps -e'
     describe command(execute_command) do
       its('stdout') { should_not match(/ssh/) }
     end

controls/docker_level2.rb

@@ -22,17 +22,35 @@
 title 'CIS Docker Benchmark - Level 2 - Docker'
 
 # attributes
-attrs = {}
-# define authorization plugin to manage access to Docker daemon. cis-docker-benchmark-2.11
-attrs['AUTHORIZATION_PLUGIN'] = [ENV['AUTHORIZATION_PLUGIN'] || 'authz-broker']
-# define preferable way to store logs. cis-docker-benchmark-2.12
-attrs['LOG_DRIVER'] = ENV['LOG_DRIVER'] || 'syslog'
-# define Docker daemon log-opts. cis-docker-benchmark-2.12
-attrs['LOG_OPTS'] = ENV['LOG_OPTS'] || /syslog-address/
-# define apparmor profile for Docker containers. cis-docker-benchmark-5.1
-attrs['APP_ARMOR_PROFILE'] = ENV['APP_ARMOR_PROFILE'] || 'docker-default'
-# define SELinux profile for Docker containers. cis-docker-benchmark-5.2
-attrs['SELINUX_PROFILE'] = ENV['SELINUX_PROFILE'] || /label\:level\:s0-s0\:c1023/
+AUTHORIZATION_PLUGIN = attribute(
+  'authorization_plugin',
+  description: 'define authorization plugin to manage access to Docker daemon. cis-docker-benchmark-2.11',
+  default: 'authz-broker'
+)
+
+LOG_DRIVER = attribute(
+  'log_driver',
+  description: 'define preferable way to store logs. cis-docker-benchmark-2.12',
+  default: 'syslog'
+)
+
+LOG_OPTS = attribute(
+  'log_opts',
+  description: 'define Docker daemon log-opts. cis-docker-benchmark-2.12',
+  default: /syslog-address/
+)
+
+APP_ARMOR_PROFILE = attribute(
+  'app_armor_profile',
+  description: 'define apparmor profile for Docker containers. cis-docker-benchmark-5.1',
+  default: 'docker-default'
+)
+
+SELINUX_PROFILE = attribute(
+  'selinux_profile',
+  description: 'define SELinux profile for Docker containers. cis-docker-benchmark-5.2',
+  default:  /label\:level\:s0-s0\:c1023/
+)
 
 # check if docker exists
 only_if do
@@ -88,7 +106,7 @@
     its(['authorization-plugins']) { should_not be_empty }
   end
   describe json('/etc/docker/daemon.json') do
-    its(['authorization-plugins']) { should eq(attrs['AUTHORIZATION_PLUGIN']) }
+    its(['authorization-plugins']) { should eq([AUTHORIZATION_PLUGIN]) }
   end
 end
 
@@ -103,10 +121,10 @@
     its(['log-driver']) { should_not be_empty }
   end
   describe json('/etc/docker/daemon.json') do
-    its(['log-driver']) { should eq(attrs['LOG_DRIVER']) }
+    its(['log-driver']) { should eq(LOG_DRIVER) }
   end
   describe json('/etc/docker/daemon.json') do
-    its(['log-opts']) { should include(attrs['LOG_OPTS']) }
+    its(['log-opts']) { should include(LOG_OPTS) }
   end
 end
 
@@ -148,7 +166,7 @@
   only_if { os[:family] == ('ubuntu' || 'debian') }
   docker.ps.each do |id|
     describe docker.inspect(id) do
-      its(['AppArmorProfile']) { should include(attrs['APP_ARMOR_PROFILE']) }
+      its(['AppArmorProfile']) { should include(APP_ARMOR_PROFILE) }
       its(['AppArmorProfile']) { should_not eq nil }
     end
   end
@@ -172,7 +190,7 @@
   docker.ps.each do |id|
     describe docker.inspect(id) do
       its(%w(HostConfig SecurityOpt)) { should_not eq nil }
-      its(%w(HostConfig SecurityOpt)) { should include(attrs['SELINUX_PROFILE']) }
+      its(%w(HostConfig SecurityOpt)) { should include(SELINUX_PROFILE) }
     end
   end
 end

sample_attributes.yml

@@ -0,0 +1,12 @@
+trusted_user: vagrant
+managable_container_number: 25
+registry_cert_path: /etc/docker/certs.d
+registry_name: /etc/docker/certs.d/registry_hostname:port
+registry_ca_file: /etc/docker/certs.d/registry_hostname:port/ca.crt
+container_user: vagrant
+container_capadd: null
+authorization_plugin: authz-broker
+log_driver: syslog
+log_opts: /syslog-address/
+app_armor_profile: docker-default
+selinux_profile: /label\:level\:s0-s0\:c1023/