Merge pull request #56 from dev-sec/chris-rock/unified-attributes

atomic111 · web-flow · commit 733182e6761b · 2018-10-12T14:12:49.000+02:00
unified attributes
diff --git a/Gemfile b/Gemfile
@@ -2,7 +2,7 @@ source 'https://rubygems.org'
 
 gem 'highline', '~> 1.6.0'
 
-gem 'inspec', '~> 2.0.0'
+gem 'inspec', '~> 2'
 gem 'rack', '1.6.4'
 gem 'rake'
 gem 'rubocop', '~> 0.49.0'
diff --git a/README.md b/README.md
@@ -12,7 +12,7 @@ InSpec is an open-source run-time framework and rule language used to specify co
 
 ## Requirements
 
-* at least [InSpec](http://inspec.io/) version 1.38.8
+* at least [InSpec](http://inspec.io/) version 2.3.23
 * Docker 1.13+
 
 ### Platform
diff --git a/controls/container_images.rb b/controls/container_images.rb
@@ -23,14 +23,10 @@
 title 'Container Images and Build File'
 
 # attributes
-CONTAINER_USER = attribute(
-  'container_user',
-  description: 'define user within containers.',
-  default: 'ubuntu'
-)
+CONTAINER_USER = attribute('container_user')
 
 # check if docker exists
-only_if do
+only_if('docker not found') do
   command('docker').exist?
 end
 
diff --git a/controls/container_runtime.rb b/controls/container_runtime.rb
@@ -23,25 +23,12 @@
 title 'Container Runtime'
 
 # attributes
-CONTAINER_CAPADD = attribute(
-  'container_capadd',
-  description: 'define needed capabilities for containers.'
-)
-
-APP_ARMOR_PROFILE = attribute(
-  'app_armor_profile',
-  description: 'define apparmor profile for Docker containers.',
-  default: 'docker-default'
-)
-
-SELINUX_PROFILE = attribute(
-  'selinux_profile',
-  description: 'define SELinux profile for Docker containers.',
-  default:  /label\:level\:s0-s0\:c1023/
-)
+CONTAINER_CAPADD = attribute('container_capadd')
+APP_ARMOR_PROFILE = attribute('app_armor_profile')
+SELINUX_PROFILE = attribute('selinux_profile')
 
 # check if docker exists
-only_if do
+only_if('docker not found') do
   command('docker').exist?
 end
 
diff --git a/controls/docker_daemon_configuration.rb b/controls/docker_daemon_configuration.rb
@@ -23,68 +23,19 @@
 title 'Docker Daemon Configuration'
 
 # attributes
-DAEMON_TLSCACERT = attribute(
-  'daemon_tlscacert',
-  description: 'Trust certs signed only by this CA',
-  default: '/etc/docker/ssl/ca.pem'
-)
-
-DAEMON_TLSCERT = attribute(
-  'daemon_tlscert',
-  description: 'Path to TLS certificate file',
-  default: '/etc/docker/ssl/server_cert.pem'
-)
-
-DAEMON_TLSKEY = attribute(
-  'daemon_tlskey',
-  description: 'Path to TLS key file',
-  default: '/etc/docker/ssl/server_key.pem'
-)
-
-AUTHORIZATION_PLUGIN = attribute(
-  'authorization_plugin',
-  description: 'define authorization plugin to manage access to Docker daemon.',
-  default: 'authz-broker'
-)
-
-LOG_DRIVER = attribute(
-  'log_driver',
-  description: 'define preferable way to store logs.',
-  default: 'syslog'
-)
-
-LOG_OPTS = attribute(
-  'log_opts',
-  description: 'define Docker daemon log-opts.',
-  default: /syslog-address/
-)
-
-SWARM_MODE = attribute(
-  'swarm_mode',
-  description: 'define the swarm mode, `active` or `inactive`',
-  default: 'inactive'
-)
-
-SWARM_MAX_MANAGER_NODES = attribute(
-  'swarm_max_manager_nodes',
-  description: 'number of manager nodes in a swarm',
-  default: 3
-)
-
-SWARM_PORT = attribute(
-  'swarm_port',
-  description: 'port of the swarm node',
-  default: 2377
-)
-
-SECCOMP_DEFAULT_PROFILE = attribute(
-  'seccomp_default_profile',
-  description: 'define the default seccomp profile',
-  default: 'default'
-)
+DAEMON_TLSCACERT = attribute('daemon_tlscacert')
+DAEMON_TLSCERT = attribute('daemon_tlscert')
+DAEMON_TLSKEY = attribute('daemon_tlskey')
+AUTHORIZATION_PLUGIN = attribute('authorization_plugin')
+LOG_DRIVER = attribute('log_driver')
+LOG_OPTS = attribute('log_opts')
+SWARM_MODE = attribute('swarm_mode')
+SWARM_MAX_MANAGER_NODES = attribute('swarm_max_manager_nodes')
+SWARM_PORT = attribute('swarm_port')
+SECCOMP_DEFAULT_PROFILE = attribute('seccomp_default_profile')
 
 # check if docker exists
-only_if do
+only_if('docker not found') do
   command('docker').exist?
 end
 
diff --git a/controls/docker_daemon_configuration_files.rb b/controls/docker_daemon_configuration_files.rb
@@ -23,26 +23,12 @@
 title 'Docker Daemon Configuration Files'
 
 # attributes
-REGISTRY_CERT_PATH = attribute(
-  'registry_cert_path',
-  description: 'directory contains various Docker registry directories.',
-  default: '/etc/docker/certs.d'
-)
-
-REGISTRY_NAME = attribute(
-  'registry_name',
-  description: 'directory contain certificate certain Docker registry.',
-  default: '/etc/docker/certs.d/registry_hostname:port'
-)
-
-REGISTRY_CA_FILE = attribute(
-  'registry_ca_file',
-  description: 'certificate file for a certain Docker registry certificate files.',
-  default: '/etc/docker/certs.d/registry_hostname:port/ca.crt'
-)
+REGISTRY_CERT_PATH = attribute('registry_cert_path')
+REGISTRY_NAME = attribute('registry_name')
+REGISTRY_CA_FILE = attribute('registry_ca_file')
 
 # check if docker exists
-only_if do
+only_if('docker not found') do
   command('docker').exist?
 end
 
diff --git a/controls/docker_security_operations.rb b/controls/docker_security_operations.rb
@@ -23,7 +23,7 @@
 title 'Docker Security Operations'
 
 # check if docker exists
-only_if do
+only_if('docker not found') do
   command('docker').exist?
 end
 
diff --git a/controls/host_configuration.rb b/controls/host_configuration.rb
@@ -22,26 +22,12 @@
 
 title 'Host Configuration'
 
-TRUSTED_USER = attribute(
-  'trusted_user',
-  description: 'define trusted user to control Docker daemon.',
-  default: 'vagrant'
-)
-
-MANAGEABLE_CONTAINER_NUMBER = attribute(
-  'managable_container_number',
-  description: 'keep number of containers on a host to a manageable total.',
-  default: 25
-)
-
-BENCHMARK_VERSION = attribute(
-  'benchmark_version',
-  description: 'to execute also the old controls from previous benchmarks. to execute the controls, define the value as 1.12.0',
-  default: ''
-)
+TRUSTED_USER = attribute('trusted_user')
+MANAGEABLE_CONTAINER_NUMBER = attribute('managable_container_number')
+BENCHMARK_VERSION = attribute('benchmark_version')
 
 # check if docker exists
-only_if do
+only_if('docker not found') do
   command('docker').exist?
 end
 
diff --git a/inspec.yml b/inspec.yml
@@ -6,3 +6,103 @@ copyright_email: hello@dev-sec.io
 license: Apache-2.0
 summary: An InSpec Compliance Profile for the CIS Docker Benchmark
 version: 2.1.0
+inspec_version: '>= 2.3.23'
+attributes:
+  - name: container_user
+    required: false
+    description: 'define user within containers.'
+    default: 'ubuntu'
+    type: string
+  - name: container_capadd
+    required: true
+    description: 'define needed capabilities for containers.'
+    type: string
+  - name: app_armor_profile
+    required: false
+    description: 'define apparmor profile for Docker containers.'
+    default: 'docker-default'
+    type: string
+  - name: selinux_profile
+    required: false
+    description: 'define SELinux profile for Docker containers.'
+    default: label:level:s0-s0:c1023
+    type: string
+  - name: trusted_user
+    required: false
+    description: 'define trusted user to control Docker daemon.'
+    default: vagrant
+    type: string
+  - name: managable_container_number
+    required: true
+    description: 'keep number of containers on a host to a manageable total.'
+    default: 25
+    type: numeric
+  - name: benchmark_version
+    required: true
+    description: 'to execute also the old controls from previous benchmarks. to execute the controls, define the value as 1.12.0'
+    type: string
+  - name: registry_cert_path
+    required: true
+    description: 'directory contains various Docker registry directories.'
+    default: '/etc/docker/certs.d'
+    type: string
+  - name: registry_name
+    required: true
+    description: 'directory contain certificate certain Docker registry.'
+    default: '/etc/docker/certs.d/registry_hostname:port'
+    type: string
+  - name: registry_ca_file
+    required: false
+    description: 'directory contain certificate certain Docker registry.'
+    default: '/etc/docker/certs.d/registry_hostname:port/ca.crt'
+    type: string
+  - name: daemon_tlscacert
+    required: false
+    description: 'Trust certs signed only by this CA'
+    default: '/etc/docker/ssl/ca.pem'
+    type: string
+  - name: daemon_tlscert
+    required: false
+    description: 'Path to TLS certificate file'
+    default: '/etc/docker/ssl/server_cert.pem'
+    type: string
+  - name: daemon_tlskey
+    required: false
+    description: 'Path to TLS key file'
+    default: '/etc/docker/ssl/server_key.pem'
+    type: string
+  - name: authorization_plugin
+    required: false
+    description: 'define authorization plugin to manage access to Docker daemon.'
+    default: 'authz-broker'
+    type: string
+  - name: log_driver
+    required: false
+    description: 'define preferable way to store logs.'
+    default: 'syslog'
+    type: string
+  - name: log_opts
+    required: false
+    description: 'define Docker daemon log-opts.'
+    default: syslog-address
+    type: string
+  - name: swarm_mode
+    required: false
+    description: 'define the swarm mode, `active` or `inactive`'
+    default: inactive
+    type: string
+  - name: swarm_max_manager_nodes
+    required: false
+    description: 'number of manager nodes in a swarm'
+    default: 3
+    type: numeric
+  - name: swarm_port
+    required: false
+    description: 'port of the swarm node'
+    default: 2377
+    type: numeric
+  - name: seccomp_default_profile
+    required: false
+    description: 'define the default seccomp profile'
+    default: 'default'
+    type: string
