update tags and refs #23

Merged
merged 2 commits into from
Apr 22, 2017
68 changes: 53 additions & 15 deletions controls/docker_host_os_level1.rb
Expand Up @@ -42,8 +42,10 @@
impact 1.0
title 'Create a separate partition for containers'
desc 'All Docker containers and their data and metadata is stored under /var/lib/docker directory. By default, /var/lib/docker would be mounted under / or /var partitions based on availability.'

tag 'host'
tag cis: '1.1'
tag cis: 'docker:1.1'
tag level: 1
ref 'Docker storage recommendation', url: 'http://www.projectatomic.io/docs/docker-storage-recommendation/'

describe mount('/var/lib/docker') do
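Review bot: changing the `cis` tag value from `'1.1'` to `'docker:1.1'` is a breaking change for any profile consumer that matches controls on the old tag value, and this hunk (like the rest of the PR) carries no README or CHANGELOG update; please document the new `docker:<section>.<item>` naming scheme once and note the migration in the changelog. The added `tag level: 1` is consistent with the file name `controls/docker_host_os_level1.rb`, which is fine.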
Expand All @@ -55,8 +57,10 @@
impact 1.0
title 'Use the updated Linux Kernel'
desc 'Docker in daemon mode has specific kernel requirements. A 3.10 Linux kernel is the minimum requirement for Docker.'

tag 'host'
tag cis: '1.2'
tag cis: 'docker:1.2'
tag level: 1
ref 'Check kernel dependencies', url: 'https://docs.docker.com/engine/installation/binaries/#check-kernel-dependencies'
ref 'Installation list', url: 'https://docs.docker.com/engine/installation/#installation-list'

Expand All @@ -72,8 +76,10 @@
impact 1.0
title 'Harden the container host'
desc 'Containers run on a Linux host. A container host can run one or more containers. It is of utmost importance to harden the host to mitigate host security misconfiguration'

tag 'host'
tag cis: '1.3'
tag cis: 'docker:1.3'
tag level: 1
ref 'Hardening Framework dev-sec.io', url: 'http://dev-sec.io'
ref 'Docker security article', url: 'https://docs.docker.com/engine/security/security/'
ref 'CIS Benchmarks', url: 'https://benchmarks.cisecurity.org/downloads/multiform/index.cfm'
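Review bot: the `ref 'Hardening Framework dev-sec.io', url: 'http://dev-sec.io'` line uses plain http while the neighbouring refs use https; since these refs are surfaced to auditors as follow-up links, prefer an https URL here where the site offers one. While touching this control, the `desc` text ending in `mitigate host security misconfiguration` is missing its closing full stop, unlike the other controls in the file.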
Expand All @@ -87,17 +93,21 @@
impact 1.0
title 'Remove all non-essential services from the host'
desc 'Ensure that the host running the docker daemon is running only the essential services.'

tag 'host'
tag cis: '1.4'
tag cis: 'docker:1.4'
tag level: 1
ref 'Containers & Docker: How Secure Are They?', url: 'https://blog.docker.com/2013/08/containers-docker-how-secure-are-they/'
end

control 'cis-docker-benchmark-1.5' do
impact 1.0
title 'Keep Docker up to date'
desc 'The docker container solution is evolving to maturity and stability at a rapid pace. Like any other software, the vendor releases regular updates for Docker software that address security vulnerabilities, product bugs and bring in new functionality.'

tag 'host'
tag cis: '1.5'
tag cis: 'docker:1.5'
tag level: 1
ref 'Docker installation', url: 'https://docs.docker.com/installation/'
ref 'Docker releases', url: 'https://github.com/docker/docker/releases/latest'

Expand All @@ -120,8 +130,10 @@
impact 1.0
title 'Only allow trusted users to control Docker daemon'
desc 'The Docker daemon currently requires \'root\' privileges. A user added to the \'docker\' group gives him full \'root\' access rights'

tag 'host'
tag cis: '1.6'
tag cis: 'docker:1.6'
tag level: 1
ref 'On Docker security: docker group considered harmful', url: 'https://www.andreas-jung.com/contents/on-docker-security-docker-group-considered-harmful'
ref 'Why we do not let non-root users run Docker in CentOS, Fedora, or RHEL', url: 'http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/'

Expand All @@ -138,8 +150,10 @@
impact 1.0
title 'Audit docker daemon'
desc 'Apart from auditing your regular Linux file system and system calls, audit Docker daemon as well. Docker daemon runs with \'root\' privileges. It is thus necessary to audit its activities and usage.'

tag 'host'
tag cis: '1.7'
tag cis: 'docker:1.7'
tag level: 1
ref 'System auditing', url: 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'

describe auditd_rules do
Expand All @@ -156,8 +170,10 @@
impact 1.0
title 'Audit Docker files and directories - /var/lib/docker'
desc 'Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with \'root\' privileges. Its behavior depends on some key files and directories. /var/lib/docker is one such directory. It holds all the information about containers. It must be audited.'

tag 'host'
tag cis: '1.8'
tag cis: 'docker:1.8'
tag level: 1
ref 'System auditing', url: 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'

describe auditd_rules do
Expand All @@ -169,8 +185,10 @@
impact 1.0
title 'Audit Docker files and directories - /etc/docker'
desc 'Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with \'root\' privileges. Its behavior depends on some key files and directories. /etc/docker is one such directory. It holds various certificates and keys used for TLS communication between Docker daemon and Docker client. It must be audited.'

tag 'host'
tag cis: '1.9'
tag cis: 'docker:1.9'
tag level: 1
ref 'System auditing', url: 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'

describe auditd_rules do
Expand All @@ -182,8 +200,10 @@
impact 1.0
title 'Audit Docker files and directories - docker.service'
desc 'Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with \'root\' privileges. Its behavior depends on some key files and directories. docker.service is one such file. The docker.service file might be present if the daemon parameters have been changed by an administrator. It holds various parameters for Docker daemon. It must be audited, if applicable.'

tag 'host'
tag cis: '1.10'
tag cis: 'docker:1.10'
tag level: 1
ref 'System auditing', url: 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'

if docker.path
Expand All @@ -202,8 +222,10 @@
impact 1.0
title 'Audit Docker files and directories - docker.socket'
desc 'Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with \'root\' privileges. Its behavior depends on some key files and directories. docker.socket is one such file. It holds various parameters for Docker daemon socket. It must be audited, if applicable.'

tag 'host'
tag cis: '1.11'
tag cis: 'docker:1.11'
tag level: 1
ref 'System auditing', url: 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'

if docker.socket
Expand All @@ -222,8 +244,10 @@
impact 1.0
title 'Audit Docker files and directories - /etc/default/docker'
desc 'Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with \'root\' privileges. Its behavior depends on some key files and directories. /etc/default/docker is one such file. It holds various parameters for Docker daemon. It must be audited, if applicable.'

tag 'host'
tag cis: '1.12'
tag cis: 'docker:1.12'
tag level: 1
ref 'System auditing', url: 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'

only_if { os[:family] != 'centos' }
Expand All @@ -236,8 +260,10 @@
impact 1.0
title 'Audit Docker files and directories - /etc/docker/daemon.json'
desc 'Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with \'root\' privileges. Its behavior depends on some key files and directories. /etc/docker/daemon.json is one such file. It holds various parameters for Docker daemon. It must be audited, if applicable.'

tag 'host'
tag cis: '1.13'
tag cis: 'docker:1.13'
tag level: 1
ref 'System auditing', url: 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'
ref 'Daemon configuration', url: 'https://docs.docker.com/engine/reference/commandline/daemon/#daemon-configuration-file'

Expand All @@ -250,8 +276,10 @@
impact 1.0
title 'Audit Docker files and directories - /usr/bin/docker-containerd'
desc 'Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with \'root\' privileges. Its behavior depends on some key files and directories. /usr/bin/docker-containerd is one such file. Docker now relies on containerd and runC to spawn containers. It must be audited, if applicable.'

tag 'host'
tag cis: '1.14'
tag cis: 'docker:1.14'
tag level: 1
ref 'System auditing', url: 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'
ref 'Containerd integration', url: 'https://github.com/docker/docker/pull/20662'
ref 'Containerd tools', url: 'https://containerd.tools/'
Expand All @@ -265,8 +293,10 @@
impact 1.0
title 'Audit Docker files and directories - /usr/bin/docker-runc'
desc 'Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with \'root\' privileges. Its behavior depends on some key files and directories. /usr/bin/docker-runc is one such file. Docker now relies on containerd and runC to spawn containers. It must be audited, if applicable.'

tag 'host'
tag cis: '1.15'
tag cis: 'docker:1.15'
tag level: 1
ref 'System auditing', url: 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'
ref 'Containerd integration', url: 'https://github.com/docker/docker/pull/20662'
ref 'Containerd tools', url: 'https://containerd.tools/'
Expand All @@ -281,6 +311,10 @@
impact 1.0
title 'Avoid image sprawl'
desc 'Do not keep a large number of container images on the same host. Use only tagged images as appropriate.'

tag 'host'
tag cis: 'docker:6.4'
tag level: 1
ref 'http://craiccomputing.blogspot.de/2014/09/clean-up-unused-docker-containers-and.html'
ref 'https://forums.docker.com/t/command-to-remove-all-unused-images/20/7'
ref 'https://github.com/docker/docker/issues/9054'
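Review bot: the three `ref` lines in this hunk (`ref 'http://craiccomputing.blogspot.de/2014/09/clean-up-unused-docker-containers-and.html'` and the two below it) are bare URLs, whereas every other control in this file uses the `ref 'Title', url: '...'` form; since this PR is about updating tags and refs, give these a descriptive title and the `url:` keyword as well, for example `ref 'Clean up unused Docker containers and images', url: 'http://craiccomputing.blogspot.de/2014/09/clean-up-unused-docker-containers-and.html'`. The same applies to the two bare-URL refs in the 6.5 hunk that follows.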
Expand All @@ -301,6 +335,10 @@
impact 1.0
title 'Avoid container sprawl'
desc 'Do not keep a large number of containers on the same host.'

tag 'host'
tag cis: 'docker:6.5'
tag level: 1
ref 'https://zeltser.com/security-risks-and-benefits-of-docker-application/'
ref 'http://searchsdn.techtarget.com/feature/Docker-networking-How-Linux-containers-will-change-your-network'
