
Commit a0114ae

authored
Merge pull request #29 from dev-sec/chris-rock/update-new-docker-resource
use new inspec docker resource
2 parents 2c91ecd + 68aff6c commit a0114ae


6 files changed

+85
-97
lines changed


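--- a/README.md
+++ b/README.md
@@ -12,7 +12,7 @@ InSpec is an open-source run-time framework and rule language used to specify co
 
 ## Requirements
 
-* [InSpec](http://inspec.io/)
+* at least [InSpec](http://inspec.io/) version 1.21.0
 
 ### Platform
 
@@ -107,6 +107,7 @@ inspec supermarket exec dev-sec/cis-docker-benchmark -t ssh://user@hostname --ke
 ## License and Author
 
 * Author:: Patrick Muench <[email protected]>
+* Author:: Christoph Hartmann <[email protected]>
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.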

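--- a/controls/container_images.rb
+++ b/controls/container_images.rb
@@ -46,10 +46,10 @@
 ref url: 'https://github.com/docker/docker/issues/7906'
 ref url: 'https://www.altiscale.com/blog/making-docker-work-yarn/'
 
-docker.ps.each do |id|
-describe docker.inspect(id) do
-its(%w(Config User)) { should eq CONTAINER_USER }
+docker.containers.running?.ids.each do |id|
+describe docker.object(id) do
 its(%w(Config User)) { should_not eq nil }
+its(%w(Config User)) { should eq CONTAINER_USER }
 end
 end
 end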

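--- a/controls/container_runtime.rb
+++ b/controls/container_runtime.rb
@@ -57,8 +57,8 @@
 ref 'http://wiki.apparmor.net/index.php/Main_Page'
 
 only_if { %w(ubuntu debian).include? os[:name] }
-docker.ps.each do |id|
-describe docker.inspect(id) do
+docker.containers.running?.ids.each do |id|
+describe docker.object(id) do
 its(['AppArmorProfile']) { should include(APP_ARMOR_PROFILE) }
 its(['AppArmorProfile']) { should_not eq nil }
 end
@@ -84,8 +84,8 @@
 its(['selinux-enabled']) { should eq(true) }
 end
 
-docker.ps.each do |id|
-describe docker.inspect(id) do
+docker.containers.running?.ids.each do |id|
+describe docker.object(id) do
 its(%w(HostConfig SecurityOpt)) { should_not eq nil }
 its(%w(HostConfig SecurityOpt)) { should include(SELINUX_PROFILE) }
 end
@@ -104,8 +104,8 @@
 ref url: 'http://man7.org/linux/man-pages/man7/capabilities.7.html'
 ref url: 'https://github.com/docker/docker/blob/master/oci/defaults_linux.go#L64-L79'
 
-docker.ps.each do |id|
-describe docker.inspect(id) do
+docker.containers.running?.ids.each do |id|
+describe docker.object(id) do
 its(%w(HostConfig CapDrop)) { should include(/all/) }
 its(%w(HostConfig CapDrop)) { should_not eq nil }
 its(%w(HostConfig CapAdd)) { should eq CONTAINER_CAPADD }
@@ -123,8 +123,8 @@
 tag level: 1
 ref url: 'https://docs.docker.com/engine/reference/commandline/cli/'
 
-docker.ps.each do |id|
-describe docker.inspect(id) do
+docker.containers.running?.ids.each do |id|
+describe docker.object(id) do
 its(%w(HostConfig Privileged)) { should eq false }
 its(%w(HostConfig Privileged)) { should_not eq true }
 end
@@ -141,8 +141,8 @@
 tag level: 1
 ref url: 'https://docs.docker.com/engine/userguide/containers/dockervolumes/'
 
-docker.ps.each do |id|
-info = docker.inspect(id)
+docker.containers.running?.ids.each do |id|
+info = docker.object(id)
 info['Mounts'].each do |mounts|
 describe mounts['Source'] do
 it { should_not eq '/' }
@@ -168,7 +168,7 @@
 tag level: 1
 ref url: 'https://blog.docker.com/2014/06/why-you-dont-need-to-run-sshd-in-docker/'
 
-docker.ps.each do |id|
+docker.containers.running?.ids.each do |id|
 execute_command = 'docker exec ' + id + ' ps -e'
 describe command(execute_command) do
 its('stdout') { should_not match(/ssh/) }
@@ -187,12 +187,12 @@
 ref url: 'https://docs.docker.com/engine/userguide/networking/default_network/binding/'
 ref url: 'https://www.adayinthelifeof.nl/2012/03/12/why-putting-ssh-on-another-port-than-22-is-bad-idea/'
 
-docker.ps.each do |id|
-info = docker.inspect(id)
-ports = info['NetworkSettings']['Ports'].keys
-ports.each do |item|
-info['NetworkSettings']['Ports'][item].each do |hostport|
-describe hostport['HostPort'].to_i.between?(1, 1024) do
+docker.containers.running?.ids.each do |id|
+container_info = docker.object(id)
+next unless container_info['NetworkSettings']['Ports'].nil?
+container_info['NetworkSettings']['Ports'].each do |_, hosts|
+hosts.each do |host|
+describe host['HostPort'].to_i.between?(1, 1024) do
 it { should eq false }
 end
 end
@@ -222,8 +222,8 @@
 ref url: 'https://docs.docker.com/engine/userguide/networking/dockernetworks/'
 ref url: 'https://github.com/docker/docker/issues/6401'
 
-docker.ps.each do |id|
-describe docker.inspect(id) do
+docker.containers.running?.ids.each do |id|
+describe docker.object(id) do
 its(%w(HostConfig NetworkMode)) { should_not eq 'host' }
 end
 end
@@ -241,8 +241,8 @@
 ref url: 'https://docs.docker.com/engine/reference/commandline/cli/#run'
 ref url: 'https://docs.docker.com/v1.8/articles/runmetrics/'
 
-docker.ps.each do |id|
-describe docker.inspect(id) do
+docker.containers.running?.ids.each do |id|
+describe docker.object(id) do
 its(%w(HostConfig Memory)) { should_not eq 0 }
 end
 end
@@ -260,8 +260,8 @@
 ref url: 'https://docs.docker.com/engine/reference/commandline/cli/#run'
 ref url: 'https://docs.docker.com/v1.8/articles/runmetrics/'
 
-docker.ps.each do |id|
-describe docker.inspect(id) do
+docker.containers.running?.ids.each do |id|
+describe docker.object(id) do
 its(%w(HostConfig CpuShares)) { should_not eq 0 }
 its(%w(HostConfig CpuShares)) { should_not eq 1024 }
 end
@@ -278,8 +278,8 @@
 tag level: 1
 ref url: 'https://docs.docker.com/engine/reference/commandline/cli/#run'
 
-docker.ps.each do |id|
-describe docker.inspect(id) do
+docker.containers.running?.ids.each do |id|
+describe docker.object(id) do
 its(%w(HostConfig ReadonlyRootfs)) { should eq true }
 end
 end
@@ -295,12 +295,12 @@
 tag level: 1
 ref url: 'https://docs.docker.com/engine/userguide/networking/default_network/binding/'
 
-docker.ps.each do |id|
-info = docker.inspect(id)
-ports = info['NetworkSettings']['Ports'].keys
-ports.each do |item|
-info['NetworkSettings']['Ports'][item].each do |hostip|
-describe hostip['HostIp'] do
+docker.containers.running?.ids.each do |id|
+container_info = docker.object(id)
+next unless container_info['NetworkSettings']['Ports'].nil?
+container_info['NetworkSettings']['Ports'].each do |_, hosts|
+hosts.each do |host|
+describe host['HostIp'].to_i.between?(1, 1024) do
 it { should_not eq '0.0.0.0' }
 end
 end
@@ -318,14 +318,15 @@
 tag level: 1
 ref url: 'https://docs.docker.com/engine/reference/commandline/cli/#restart-policies'
 
-docker.ps.each do |id|
-info = docker.inspect(id)
-only_if { info['HostConfig']['RestartPolicy']['Name'] != 'no' }
-describe info do
-its(%w(HostConfig RestartPolicy Name)) { should eq 'on-failure' }
-end
-describe info do
-its(%w(HostConfig RestartPolicy MaximumRetryCount)) { should eq 5 }
+docker.containers.running?.ids.each do |id|
+describe.one do
+describe docker.object(id) do
+its(%w(HostConfig RestartPolicy Name)) { should eq 'no' }
+end
+describe docker.object(id) do
+its(%w(HostConfig RestartPolicy Name)) { should eq 'on-failure' }
+its(%w(HostConfig RestartPolicy MaximumRetryCount)) { should eq 5 }
+end
 end
 end
 end
@@ -341,8 +342,8 @@
 ref url: 'https://docs.docker.com/engine/reference/run/#pid-settings'
 ref url: 'http://man7.org/linux/man-pages/man7/pid_namespaces.7.html'
 
-docker.ps.each do |id|
-describe docker.inspect(id) do
+docker.containers.running?.ids.each do |id|
+describe docker.object(id) do
 its(%w(HostConfig PidMode)) { should_not eq 'host' }
 end
 end
@@ -359,8 +360,8 @@
 ref url: 'https://docs.docker.com/engine/reference/run/#ipc-settings'
 ref url: 'http://man7.org/linux/man-pages/man7/pid_namespaces.7.html'
 
-docker.ps.each do |id|
-describe docker.inspect(id) do
+docker.containers.running?.ids.each do |id|
+describe docker.object(id) do
 its(%w(HostConfig IpcMode)) { should_not eq 'host' }
 end
 end
@@ -376,8 +377,8 @@
 tag level: 1
 ref url: 'https://docs.docker.com/engine/reference/commandline/cli/#run'
 
-docker.ps.each do |id|
-describe docker.inspect(id) do
+docker.containers.running?.ids.each do |id|
+describe docker.object(id) do
 its(%w(HostConfig Devices)) { should be_empty }
 end
 end
@@ -393,8 +394,8 @@
 tag level: 1
 ref url: 'https://docs.docker.com/engine/reference/commandline/cli/#setting-ulimits-in-a-container'
 
-docker.ps.each do |id|
-describe docker.inspect(id) do
+docker.containers.running?.ids.each do |id|
+describe docker.object(id) do
 its(%w(HostConfig Ulimits)) { should eq nil }
 end
 end
@@ -412,7 +413,7 @@
 ref url: 'https://docs.docker.com/engine/reference/run/'
 ref url: 'https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt'
 
-docker.ps.each do |id|
+docker.containers.running?.ids.each do |id|
 raw = command("docker inspect --format '{{range $mnt := .Mounts}} {{json $mnt.Propagation}} {{end}}' #{id}").stdout
 describe raw.delete("\n").delete('\"').delete(' ') do
 it { should_not eq 'shared' }
@@ -431,8 +432,8 @@
 ref url: 'https://docs.docker.com/engine/reference/run/'
 ref url: 'http://man7.org/linux/man-pages/man7/pid_namespaces.7.html'
 
-docker.ps.each do |id|
-describe docker.inspect(id) do
+docker.containers.running?.ids.each do |id|
+describe docker.object(id) do
 its(%w(HostConfig UTSMode)) { should_not eq 'host' }
 end
 end
@@ -453,8 +454,8 @@
 ref url: 'https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt'
 ref url: 'https://github.com/docker/docker/pull/17034'
 
-docker.ps.each do |id|
-describe docker.inspect(id) do
+docker.containers.running?.ids.each do |id|
+describe docker.object(id) do
 its(%w(HostConfig SecurityOpt)) { should include(/seccomp/) }
 its(%w(HostConfig SecurityOpt)) { should_not include(/seccomp[=|:]unconfined/) }
 end
@@ -502,8 +503,8 @@
 ref url: 'https://docs.docker.com/engine/reference/run/#specifying-custom-cgroups'
 ref url: 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Resource_Management_Guide/ch01.html'
 
-docker.ps.each do |id|
-describe docker.inspect(id) do
+docker.containers.running?.ids.each do |id|
+describe docker.object(id) do
 its(%w(HostConfig CgroupParent)) { should be_empty }
 end
 end
@@ -523,8 +524,8 @@
 ref url: 'https://lwn.net/Articles/475678/'
 ref url: 'https://lwn.net/Articles/475362/'
 
-docker.ps.each do |id|
-describe docker.inspect(id) do
+docker.containers.running?.ids.each do |id|
+describe docker.object(id) do
 its(%w(HostConfig SecurityOpt)) { should include(/no-new-privileges/) }
 end
 end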
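Review bot: The guard `next unless container_info['NetworkSettings']['Ports'].nil?` added at new lines 192 and 300 is inverted: it skips every container that actually has a Ports map and only falls through to the `.each` when Ports is nil, where the call raises NoMethodError, so both port controls never evaluate a real container; it should read `next if container_info['NetworkSettings']['Ports'].nil?`. In the second of those hunks the subject at new line 303 became `describe host['HostIp'].to_i.between?(1, 1024) do`, apparently copied from the HostPort control, so `should_not eq '0.0.0.0'` compares a boolean with a string and can never fail, and the check for containers bound to all interfaces is silently lost; restore `describe host['HostIp'] do`. The enclosing control blocks start before and end after these hunks.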

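--- a/controls/docker_daemon_configuration_files.rb
+++ b/controls/docker_daemon_configuration_files.rb
@@ -55,7 +55,7 @@
 tag level: 1
 ref url: 'https://docs.docker.com/engine/admin/systemd/'
 
-describe file(docker.path) do
+describe file(docker_helper.path) do
 it { should exist }
 it { should be_file }
 it { should be_owned_by 'root' }
@@ -73,7 +73,7 @@
 tag level: 1
 ref url: 'https://docs.docker.com/engine/admin/systemd/'
 
-describe file(docker.path) do
+describe file(docker_helper.path) do
 it { should exist }
 it { should be_file }
 it { should be_readable.by('owner') }
@@ -98,7 +98,7 @@
 ref url: 'https://github.com/YungSang/fedora-atomic-packer/blob/master/oem/docker.socket'
 ref url: 'https://daviddaeschler.com/2014/12/14/centos-7rhel-7-and-docker-containers-on-boot/'
 
-describe file(docker.socket) do
+describe file(docker_helper.socket) do
 it { should exist }
 it { should be_file }
 it { should be_owned_by 'root' }
@@ -118,7 +118,7 @@
 ref url: 'https://github.com/YungSang/fedora-atomic-packer/blob/master/oem/docker.socket'
 ref url: 'https://daviddaeschler.com/2014/12/14/centos-7rhel-7-and-docker-containers-on-boot/'
 
-describe file(docker.socket) do
+describe file(docker_helper.socket) do
 it { should exist }
 it { should be_file }
 it { should be_readable.by('owner') }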
