@@ -17,76 +17,60 @@ InSpec is an open-source run-time framework and rule language used to specify co
1717
1818### Platform
1919
20- - Debian 8
21- - Ubuntu 16.04
22- - CentOS 7
20+ * Debian 8
21+ * Ubuntu 16.04
22+ * CentOS 7
2323
2424## Attributes
2525
2626We use a yml attribute file to steer the configuration, the following options are available:
2727
28- * ` trusted_user: vagrant `
29- define trusted user to control Docker daemon.
30-
31- * ` authorization_plugin: authz-broker `
32- define authorization plugin to manage access to Docker daemon.
33-
34- * ` log_driver: syslog `
35- define preferable way to store logs.
36-
37- * ` log_opts: /syslog-address/ `
38- define Docker daemon log-opts.
39-
40- * ` registry_cert_path: /etc/docker/certs.d `
41- directory contains various Docker registry directories.
42-
43- * ` registry_name: /etc/docker/certs.d/registry_hostname:port `
44- directory contain certificate certain Docker registry.
45-
46- * ` registry_ca_file: /etc/docker/certs.d/registry_hostname:port/ca.crt `
47- certificate file for a certain Docker registry certificate files.
48-
49- * ` container_user: vagrant `
50- define user within containers.
51-
52- * ` app_armor_profile: docker-default `
53- define apparmor profile for Docker containers.
54-
55- * ` selinux_profile: /label\:level\:s0-s0\:c1023/ `
56- define SELinux profile for Docker containers.
57-
58- * ` container_capadd: null `
59- define needed capabilities for containers. example: ` container_capadd: NET_ADMIN,SYS_ADMIN `
60-
61- * ` managable_container_number: 25 `
62- keep number of containers on a host to a manageable total.
63-
64- * ` daemon_tlscacert : /etc/docker/ssl/ca.pem `
65- configure the Trust certs.
66-
67- * ` daemon_tlscert: /etc/docker/ssl/server_cert.pem `
68- configure the server certificate.
69-
70- * ` daemon_tlskey: /etc/docker/ssl/server_key.pem `
71- configure the server key.
72-
73- * ` swarm_mode: inactive `
74- configure the swarm mode.
75-
76- * ` swarm_max_manager_nodes: 3 `
77- configure the maximum number of swarm leaders.
78-
79- * ` swarm_port: 2377 `
80- configure the swarm port.
81-
82- * ` benchmark_version `
83- to execute also the old controls from previous benchmarks, e.g. set it to 1.12.0 to execute also the tests from cis-benchmark-1.12.0
28+ * ` trusted_user: vagrant `
29+ define trusted user to control Docker daemon.
30+ * ` authorization_plugin: authz-broker `
31+ define authorization plugin to manage access to Docker daemon.
32+ * ` log_driver: syslog `
33+ define preferable way to store logs.
34+ * ` log_opts: /syslog-address/ `
35+ define Docker daemon log-opts.
36+ * ` registry_cert_path: /etc/docker/certs.d `
37+ directory contains various Docker registry directories.
38+ * ` registry_name: /etc/docker/certs.d/registry_hostname:port `
39+ directory contain certificate certain Docker registry.
40+ * ` registry_ca_file: /etc/docker/certs.d/registry_hostname:port/ca.crt `
41+ certificate file for a certain Docker registry certificate files.
42+ * ` container_user: vagrant `
43+ define user within containers.
44+ * ` app_armor_profile: docker-default `
45+ define apparmor profile for Docker containers.
46+ * ` selinux_profile: /label\:level\:s0-s0\:c1023/ `
47+ define SELinux profile for Docker containers.
48+ * ` container_capadd: null `
49+ define needed capabilities for containers. example: ` container_capadd: NET_ADMIN,SYS_ADMIN `
50+ * ` managable_container_number: 25 `
51+ keep number of containers on a host to a manageable total.
52+ * ` daemon_tlscacert : /etc/docker/ssl/ca.pem `
53+ configure the
54+ * ` daemon_tlscert: /etc/docker/ssl/server_cert.pem `
55+ configure the server certificate.
56+ * ` daemon_tlskey: /etc/docker/ssl/server_key.pem `
57+ configure the server key.
58+ * ` swarm_mode: inactive `
59+ configure the swarm mode.
60+ * ` swarm_max_manager_nodes: 3 `
61+ configure the maximum number of swarm leaders.
62+ * ` swarm_port: 2377 `
63+ configure the swarm port.
64+ * ` benchmark_version `
65+ to execute also the old controls from previous benchmarks, e.g. set it to 1.12.0 to execute also the tests from cis-benchmark-1.12.0 (which is the default).
66+
67+ These settings can be overriden using an attributes file (e.g. --attrs <attributefile.yml>). See [ sample_attributes.yml] ( sample_attributes.yml ) as an example.
8468
8569## Usage
8670
8771InSpec makes it easy to run your tests wherever you need. More options listed here: [ InSpec cli] ( http://inspec.io/docs/reference/cli/ )
8872
89- ```
73+ ``` sh
9074# run profile locally
9175$ git clone https://github.com/dev-sec/cis-docker-benchmark
9276$ inspec exec cis-docker-benchmark
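Review bot: the reflowed `daemon_tlscacert` entry loses its description: the removed line read `configure the Trust certs.` but the added line 53 reads only `configure the`, so the sentence must be restored before merge. Smaller points in the same hunk: the key keeps a stray space before the colon (`daemon_tlscacert : /etc/docker/ssl/ca.pem`) unlike every other key in the list; `overriden` in the new closing sentence should be `overridden`; and `(which is the default)` appended to the `benchmark_version` entry is ambiguous about whether 1.12.0 or the current benchmark is meant as the default, so say which explicitly.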
@@ -111,7 +95,7 @@ inspec supermarket exec dev-sec/cis-docker-benchmark -t ssh://user@hostname --ke
11195
11296In order to verify individual controls, just provide the control ids to InSpec:
11397
114- ```
98+ ``` sh
11599inspec exec cis-docker-benchmark --controls ' cis-docker-benchmark-1.4 cis-docker-benchmark-1.5'
116100```
117101
@@ -121,7 +105,6 @@ inspec exec cis-docker-benchmark --controls 'cis-docker-benchmark-1.4 cis-docker
121105* Dominik Richter [ arlimus] ( https://github.com/arlimus )
122106* Christoph Hartmann [ chris-rock] ( https://github.com/chris-rock )
123107
124-
125108## License and Author
126109
127110* Author:: Patrick Muench <patrick.muench1111@gmail.com >
@@ -131,7 +114,7 @@ Licensed under the Apache License, Version 2.0 (the "License");
131114you may not use this file except in compliance with the License.
132115You may obtain a copy of the License at
133116
134- http://www.apache.org/licenses/LICENSE-2.0
117+ < http://www.apache.org/licenses/LICENSE-2.0 >
135118
136119Unless required by applicable law or agreed to in writing, software
137120distributed under the License is distributed on an "AS IS" BASIS,
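Review bot: the autolink form only renders if the URL sits directly inside the angle brackets; as shown here the added line reads `< http://www.apache.org/licenses/LICENSE-2.0 >` with whitespace on both sides, and if that whitespace is in the file (rather than an artifact of this view) the brackets will render literally. Use `<http://www.apache.org/licenses/LICENSE-2.0>` with no inner spaces.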