Merge pull request #23 from dev-sec/chris-rock/tags

update tags and refs

Author: atomic111

controls/docker_host_os_level1.rb

@@ -42,8 +42,10 @@
   impact 1.0
   title 'Create a separate partition for containers'
   desc 'All Docker containers and their data and metadata is stored under /var/lib/docker directory. By default, /var/lib/docker would be mounted under / or /var partitions based on availability.'
+
   tag 'host'
-  tag cis: '1.1'
+  tag cis: 'docker:1.1'
+  tag level: 1
   ref 'Docker storage recommendation', url: 'http://www.projectatomic.io/docs/docker-storage-recommendation/'
 
   describe mount('/var/lib/docker') do
@@ -55,8 +57,10 @@
   impact 1.0
   title 'Use the updated Linux Kernel'
   desc 'Docker in daemon mode has specific kernel requirements. A 3.10 Linux kernel is the minimum requirement for Docker.'
+
   tag 'host'
-  tag cis: '1.2'
+  tag cis: 'docker:1.2'
+  tag level: 1
   ref 'Check kernel dependencies', url: 'https://docs.docker.com/engine/installation/binaries/#check-kernel-dependencies'
   ref 'Installation list', url: 'https://docs.docker.com/engine/installation/#installation-list'
 
@@ -72,8 +76,10 @@
   impact 1.0
   title 'Harden the container host'
   desc 'Containers run on a Linux host. A container host can run one or more containers. It is of utmost importance to harden the host to mitigate host security misconfiguration'
+
   tag 'host'
-  tag cis: '1.3'
+  tag cis: 'docker:1.3'
+  tag level: 1
   ref 'Hardening Framework dev-sec.io', url: 'http://dev-sec.io'
   ref 'Docker security article', url: 'https://docs.docker.com/engine/security/security/'
   ref 'CIS Benchmarks', url: 'https://benchmarks.cisecurity.org/downloads/multiform/index.cfm'
@@ -87,17 +93,21 @@
   impact 1.0
   title 'Remove all non-essential services from the host'
   desc 'Ensure that the host running the docker daemon is running only the essential services.'
+
   tag 'host'
-  tag cis: '1.4'
+  tag cis: 'docker:1.4'
+  tag level: 1
   ref 'Containers & Docker: How Secure Are They?', url: 'https://blog.docker.com/2013/08/containers-docker-how-secure-are-they/'
 end
 
 control 'cis-docker-benchmark-1.5' do
   impact 1.0
   title 'Keep Docker up to date'
   desc 'The docker container solution is evolving to maturity and stability at a rapid pace. Like any other software, the vendor releases regular updates for Docker software that address security vulnerabilities, product bugs and bring in new functionality.'
+
   tag 'host'
-  tag cis: '1.5'
+  tag cis: 'docker:1.5'
+  tag level: 1
   ref 'Docker installation', url: 'https://docs.docker.com/installation/'
   ref 'Docker releases', url: 'https://github.com/docker/docker/releases/latest'
 
@@ -120,8 +130,10 @@
   impact 1.0
   title 'Only allow trusted users to control Docker daemon'
   desc 'The Docker daemon currently requires \'root\' privileges. A user added to the \'docker\' group gives him full \'root\' access rights'
+
   tag 'host'
-  tag cis: '1.6'
+  tag cis: 'docker:1.6'
+  tag level: 1
   ref 'On Docker security: docker group considered harmful', url: 'https://www.andreas-jung.com/contents/on-docker-security-docker-group-considered-harmful'
   ref 'Why we do not let non-root users run Docker in CentOS, Fedora, or RHEL', url: 'http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/'
 
@@ -138,8 +150,10 @@
   impact 1.0
   title 'Audit docker daemon'
   desc 'Apart from auditing your regular Linux file system and system calls, audit Docker daemon as well. Docker daemon runs with \'root\' privileges. It is thus necessary to audit its activities and usage.'
+
   tag 'host'
-  tag cis: '1.7'
+  tag cis: 'docker:1.7'
+  tag level: 1
   ref 'System auditing', url: 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'
 
   describe auditd_rules do
@@ -156,8 +170,10 @@
   impact 1.0
   title 'Audit Docker files and directories - /var/lib/docker'
   desc 'Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with \'root\' privileges. Its behavior depends on some key files and directories. /var/lib/docker is one such directory. It holds all the information about containers. It must be audited.'
+
   tag 'host'
-  tag cis: '1.8'
+  tag cis: 'docker:1.8'
+  tag level: 1
   ref 'System auditing', url: 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'
 
   describe auditd_rules do
@@ -169,8 +185,10 @@
   impact 1.0
   title 'Audit Docker files and directories - /etc/docker'
   desc 'Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with \'root\' privileges. Its behavior depends on some key files and directories. /etc/docker is one such directory. It holds various certificates and keys used for TLS communication between Docker daemon and Docker client. It must be audited.'
+
   tag 'host'
-  tag cis: '1.9'
+  tag cis: 'docker:1.9'
+  tag level: 1
   ref 'System auditing', url: 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'
 
   describe auditd_rules do
@@ -182,8 +200,10 @@
   impact 1.0
   title 'Audit Docker files and directories - docker.service'
   desc 'Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with \'root\' privileges. Its behavior depends on some key files and directories. docker.service is one such file. The docker.service file might be present if the daemon parameters have been changed by an administrator. It holds various parameters for Docker daemon. It must be audited, if applicable.'
+
   tag 'host'
-  tag cis: '1.10'
+  tag cis: 'docker:1.10'
+  tag level: 1
   ref 'System auditing', url: 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'
 
   if docker.path
@@ -202,8 +222,10 @@
   impact 1.0
   title 'Audit Docker files and directories - docker.socket'
   desc 'Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with \'root\' privileges. Its behavior depends on some key files and directories. docker.socket is one such file. It holds various parameters for Docker daemon socket. It must be audited, if applicable.'
+
   tag 'host'
-  tag cis: '1.11'
+  tag cis: 'docker:1.11'
+  tag level: 1
   ref 'System auditing', url: 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'
 
   if docker.socket
@@ -222,8 +244,10 @@
   impact 1.0
   title 'Audit Docker files and directories - /etc/default/docker'
   desc 'Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with \'root\' privileges. Its behavior depends on some key files and directories. /etc/default/docker is one such file. It holds various parameters for Docker daemon. It must be audited, if applicable.'
+
   tag 'host'
-  tag cis: '1.12'
+  tag cis: 'docker:1.12'
+  tag level: 1
   ref 'System auditing', url: 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'
 
   only_if { os[:family] != 'centos' }
@@ -236,8 +260,10 @@
   impact 1.0
   title 'Audit Docker files and directories - /etc/docker/daemon.json'
   desc 'Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with \'root\' privileges. Its behavior depends on some key files and directories. /etc/docker/daemon.json is one such file. It holds various parameters for Docker daemon. It must be audited, if applicable.'
+
   tag 'host'
-  tag cis: '1.13'
+  tag cis: 'docker:1.13'
+  tag level: 1
   ref 'System auditing', url: 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'
   ref 'Daemon configuration', url: 'https://docs.docker.com/engine/reference/commandline/daemon/#daemon-configuration-file'
 
@@ -250,8 +276,10 @@
   impact 1.0
   title 'Audit Docker files and directories - /usr/bin/docker-containerd'
   desc 'Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with \'root\' privileges. Its behavior depends on some key files and directories. /usr/bin/docker-containerd is one such file. Docker now relies on containerd and runC to spawn containers. It must be audited, if applicable.'
+
   tag 'host'
-  tag cis: '1.14'
+  tag cis: 'docker:1.14'
+  tag level: 1
   ref 'System auditing', url: 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'
   ref 'Containerd integration', url: 'https://github.com/docker/docker/pull/20662'
   ref 'Containerd tools', url: 'https://containerd.tools/'
@@ -265,8 +293,10 @@
   impact 1.0
   title 'Audit Docker files and directories - /usr/bin/docker-runc'
   desc 'Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with \'root\' privileges. Its behavior depends on some key files and directories. /usr/bin/docker-runc is one such file. Docker now relies on containerd and runC to spawn containers. It must be audited, if applicable.'
+
   tag 'host'
-  tag cis: '1.15'
+  tag cis: 'docker:1.15'
+  tag level: 1
   ref 'System auditing', url: 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'
   ref 'Containerd integration', url: 'https://github.com/docker/docker/pull/20662'
   ref 'Containerd tools', url: 'https://containerd.tools/'
@@ -281,6 +311,10 @@
   impact 1.0
   title 'Avoid image sprawl'
   desc 'Do not keep a large number of container images on the same host. Use only tagged images as appropriate.'
+
+  tag 'host'
+  tag cis: 'docker:6.4'
+  tag level: 1
   ref 'http://craiccomputing.blogspot.de/2014/09/clean-up-unused-docker-containers-and.html'
   ref 'https://forums.docker.com/t/command-to-remove-all-unused-images/20/7'
   ref 'https://github.com/docker/docker/issues/9054'
@@ -301,6 +335,10 @@
   impact 1.0
   title 'Avoid container sprawl'
   desc 'Do not keep a large number of containers on the same host.'
+
+  tag 'host'
+  tag cis: 'docker:6.5'
+  tag level: 1
   ref 'https://zeltser.com/security-risks-and-benefits-of-docker-application/'
   ref 'http://searchsdn.techtarget.com/feature/Docker-networking-How-Linux-containers-will-change-your-network'