Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/dev-sec/cis-docker-benchmark

CIS Docker Benchmark - InSpec Profile
https://github.com/dev-sec/cis-docker-benchmark

cis-docker-benchmark docker hardening inspec security

Last synced: about 2 months ago
JSON representation

CIS Docker Benchmark - InSpec Profile

Awesome Lists containing this project

README

        

# CIS Docker Benchmark - InSpec Profile

[![Build Status](http://img.shields.io/travis/dev-sec/cis-docker-benchmark.svg)][1]
[![Supermarket](https://img.shields.io/badge/InSpec%20Profile-CIS%20Docker%20Benchmark-brightgreen.svg)](https://supermarket.chef.io/tools/cis-docker-benchmark)
[![Gitter Chat](https://badges.gitter.im/Join%20Chat.svg)][2]

## Description

This [InSpec](https://github.com/chef/inspec) compliance profile implement the [CIS Docker 1.13.0 Benchmark](https://downloads.cisecurity.org/) in an automated way to provide security best-practice tests around Docker daemon and containers in a production environment.

InSpec is an open-source run-time framework and rule language used to specify compliance, security, and policy requirements for testing any node in your infrastructure.

## Requirements

* at least [InSpec](http://inspec.io/) version 2.3.23
* Docker 1.13+

### Platform

* Debian 8
* Ubuntu 16.04
* CentOS 7

## Attributes

We use a yml attribute file to steer the configuration, the following options are available:

* `trusted_user: vagrant`
define trusted user to control Docker daemon.
* `authorization_plugin: authz-broker`
define authorization plugin to manage access to Docker daemon.
* `log_driver: syslog`
define preferable way to store logs.
* `log_opts: /syslog-address/`
define Docker daemon log-opts.
* `registry_cert_path: /etc/docker/certs.d`
directory contains various Docker registry directories.
* `registry_name: /etc/docker/certs.d/registry_hostname:port`
directory contain certificate certain Docker registry.
* `registry_ca_file: /etc/docker/certs.d/registry_hostname:port/ca.crt`
certificate file for a certain Docker registry certificate files.
* `container_user: vagrant`
define user within containers.
* `app_armor_profile: docker-default`
define apparmor profile for Docker containers.
* `selinux_profile: /label\:level\:s0-s0\:c1023/`
define SELinux profile for Docker containers.
* `container_capadd: null`
define needed capabilities for containers. example: `container_capadd: NET_ADMIN,SYS_ADMIN`
* `managable_container_number: 25`
keep number of containers on a host to a manageable total.
* `daemon_tlscacert : /etc/docker/ssl/ca.pem`
configure the certificate authority.
* `daemon_tlscert: /etc/docker/ssl/server_cert.pem`
configure the server certificate.
* `daemon_tlskey: /etc/docker/ssl/server_key.pem`
configure the server key.
* `swarm_mode: inactive`
configure the swarm mode.
* `swarm_max_manager_nodes: 3`
configure the maximum number of swarm leaders.
* `swarm_port: 2377`
configure the swarm port.
* `benchmark_version`
to execute also the old controls from previous benchmarks, e.g. set it to 1.12.0 to execute also the tests from cis-benchmark-1.12.0 (which is the default).

These settings can be overridden using an attributes file (e.g. --attrs ). See [sample_attributes.yml](sample_attributes.yml) as an example.

## Usage

InSpec makes it easy to run your tests wherever you need. More options listed here: [InSpec cli](http://inspec.io/docs/reference/cli/)

```sh
# run profile locally
$ git clone https://github.com/dev-sec/cis-docker-benchmark
$ inspec exec cis-docker-benchmark

# run profile locally and directly from Github
$ inspec exec https://github.com/dev-sec/cis-docker-benchmark

# run profile on remote host via SSH
inspec exec cis-docker-benchmark -t ssh://user@hostname -i /path/to/key

# run profile on remote host via SSH with sudo
inspec exec cis-docker-benchmark -t ssh://user@hostname -i /path/to/key --sudo

# run profile on remote host via SSH with sudo and define attribute value
inspec exec cis-docker-benchmark --attrs sample_attributes.yml

# run profile direct from inspec supermarket
inspec supermarket exec dev-sec/cis-docker-benchmark -t ssh://user@hostname --key-files private_key --sudo
```

### Run individual controls

In order to verify individual controls, just provide the control ids to InSpec:

```sh
inspec exec cis-docker-benchmark --controls 'cis-docker-benchmark-1.4 cis-docker-benchmark-1.5'
```

## Contributors + Kudos

* Patrick Muench [atomic111](https://github.com/atomic111)
* Dominik Richter [arlimus](https://github.com/arlimus)
* Christoph Hartmann [chris-rock](https://github.com/chris-rock)

## License and Author

* Author:: Patrick Muench
* Author:: Christoph Hartmann

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

[1]: http://travis-ci.org/dev-sec/cis-docker-benchmark
[2]: https://gitter.im/dev-sec/general
[3]: https://downloads.cisecurity.org/