dev-sec / cis-docker-benchmark
CIS Docker Benchmark - InSpec Profile
Home Page: https://dev-sec.io/baselines/docker/
License: Apache License 2.0
Version 1.13 is available here: https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.13.0_Benchmark_v1.0.0.pdf
A couple of CIS control ids have changed, therefore this may become a breaking change.
The ausearch --input-logs -k docker ... commands in cis-docker-benchmark-5.22 and cis-docker-benchmark-5.23 take a bit too long to execute. May want to find an alternative searching mechanism.
thinking out loud
We should look at making them go into at least 2 or 3 buckets? .3 .5 .9 would make sense to me but if they are all 0.0 and 1.0 then it doesn't really tell me anything right?
Further, in the operational setting, the data points 0 and 1 are usually reserved for the extreme cases - i.e. "Not Important / Ignore" and "Totally Critical - remove the system from the network". If this isn't the case, again, those values start to lose any meaning and will be ignored.
Hi,
Is it possible to test running docker with this profile? I'm trying to run it via docker and point it at a different container.
docker run -it --rm -v $(pwd):/share -v /var/run/docker.sock:/var/run/docker.sock chef/inspec exec https://github.com/dev-sec/cis-docker-benchmark -t docker://<container_id>
All I get is 99 skipped controls.
I keep getting this error:
/usr/local/bundle/gems/rspec-expectations-3.5.0/lib/rspec/matchers.rb:967:in `method_missing': undefined local variable or method `docker' for #<#<Class:0x00000003203a70>:0x000000031c9fa0> (NameError)
from cis-docker-benchmark-master/controls/container_images.rb:50:in `block in load_with_context'
On line 50, I don't see where it is defined either. Should that be getting set somewhere beforehand?
we check the configuration in the daemon.json, but not the configuration of the running daemon process
Is your feature request related to a problem? Please describe.
Overuse of describe docker.object(id) do. This is a simple line but causes up to 10000 chars to be included in the JSON; this may be fine for 1 or 2 controls across 1 or 2 docker containers, but when there are over 20 uses of this in the code and, for example's sake, 50 containers, this causes over 1 million chars to be included and the JSON to extend over 8MB.
Describe the solution you'd like
docker.object(id) under the hood runs a docker inspect $INSTANCE_ID, and this returns the whole object every time.
A better option would be to use the command resource (https://docs.chef.io/inspec/resources/command/) to better filter down what is required at each instance with docker inspect --format='{{Required item}}', selecting only the item required to verify against.
Describe alternatives you've considered
Alternatively, you could do as in control 'docker-5.7', where the item is gotten wholly and then broken down before use. In this good example, it returns a code_desc of "false is expected to eq false",
vs. the bad example of control 'docker-4.1' using describe docker.object(id) do, where it returns a code_desc of...
"#<Hashie::Mash AppArmorProfile=\"\" Args=#<Hashie::Array []> Config=#<Hashie::Mash AttachStderr=false AttachStdin=false AttachStdout=false Cmd=nil Domainname=\"\" Entrypoint=#<Hashie::Array [\"/service/launch.sh\"]>.....!! OVER 9000 chars removed !!......Running=true StartedAt=\"2022-07-05T14:42:30.809073423Z\" Status=\"running\">> [\"Config\", \"User\"] is expected to eq \"ubuntu\""
the above is well over 9k chars long (and I've removed these for brevity and security.)
Additional context
As per https://docs.chef.io/chef_compliance_phase/#result_message_limit - "Chef Automate has a 4 MB report size limit and cannot ingest reports exceeding this limitation. "
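The approach proposed above for control docker-4.1 (ask the daemon for one field with docker inspect --format instead of docker.object(id)), written as plain Ruby so it runs without InSpec. This is an added example, not the profile's own code; the function names and the sample outputs are constructed for illustration.

```ruby
# Added example (not code from cis-docker-benchmark): the single-field
# alternative to `docker.object(id)` for control docker-4.1. A full
# `docker inspect` copies thousands of characters per container into the
# report; the Go template below returns only Config.User.

# Command the control would hand to InSpec's command resource.
def container_user_command(container_id)
  "docker inspect --format '{{.Config.User}}' #{container_id}"
end

# Docker runs a container as root when User is empty; "0", "root", "0:0" and
# "root:root" are root as well, so all of those must fail docker-4.1.
# Comparing against a literal such as "ubuntu" (as in the report quoted above)
# would pass only one specific image, so the check is on "not root" instead.
def non_root_user?(format_stdout)
  user = format_stdout.to_s.strip
  return false if user.empty?
  name = user.split(':').first
  !%w[0 root].include?(name)
end

# Constructed `docker inspect --format '{{.Config.User}}'` outputs, keyed by
# container name; each is the complete stdout the command resource would see.
SAMPLE_USERS = {
  'web'   => "ubuntu\n",
  'db'    => "1000:1000\n",
  'cron'  => "\n",
  'admin' => "root\n",
  'uid0'  => "0:0\n"
}.freeze

# Pass/fail per container, the way the control would report it.
def docker_4_1_results(outputs = SAMPLE_USERS)
  outputs.transform_values { |out| non_root_user?(out) }
end

if __FILE__ == $PROGRAM_NAME
  puts container_user_command('<container_id>')
  p docker_4_1_results   # {"web"=>true, "db"=>true, "cron"=>false, "admin"=>false, "uid0"=>false}
end
```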
We should organize the controls in components. I mean we should split it into host.rb, daemon.rb, container.rb and swarm.rb. This should be included in the 2.0 release.
@chris-rock what is your opinion?
Is your feature request related to a problem? Please describe.
Update the benchmark to the latest CIS Docker Benchmark 1.2.0
Describe the solution you'd like
Describe alternatives you've considered
n/a
Additional context
n/a
Hello,
Trying this on my local mac machine. Getting this error straightaway. Am I doing something wrong here?
$ inspec version
1.4.1
$ inspec exec cis-docker-benchmark
/opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/rspec-expectations-3.5.0/lib/rspec/matchers.rb:967:in `method_missing': undefined local variable or method `docker' for #<#<Class:0x007f8f9cc284d0>:0x007f8f9a00b438> (NameError)
from cis-docker-benchmark/controls/docker_daemon_configuration.rb:387:in `block in load_with_context'
from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib/inspec/rule.rb:51:in `instance_eval'
from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib/inspec/rule.rb:51:in `initialize'
from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib/inspec/control_eval_context.rb:73:in `new'
from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib/inspec/control_eval_context.rb:73:in `block (2 levels) in create'
from cis-docker-benchmark/controls/docker_daemon_configuration.rb:374:in `load_with_context'
from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib/inspec/profile_context.rb:146:in `instance_eval'
from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib/inspec/profile_context.rb:146:in `load_with_context'
from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib/inspec/profile_context.rb:130:in `load_control_file'
from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib/inspec/profile.rb:114:in `block in collect_tests'
from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib/inspec/profile.rb:111:in `each'
from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib/inspec/profile.rb:111:in `collect_tests'
from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib/inspec/runner.rb:85:in `block in load'
from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib/inspec/runner.rb:79:in `each'
from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib/inspec/runner.rb:79:in `load'
from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib/inspec/runner.rb:95:in `run'
from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib/inspec/base_cli.rb:84:in `run_tests'
from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib/inspec/cli.rb:164:in `exec'
from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor/command.rb:27:in `run'
from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor/invocation.rb:126:in `invoke_command'
from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor.rb:359:in `dispatch'
from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor/base.rb:440:in `start'
from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/bin/inspec:12:in `<top (required)>'
from /usr/local/bin/inspec:50:in `load'
from /usr/local/bin/inspec:50:in `<main>'
...so I updated my inspec version so as to move ahead from this issue. Just so that you know, I used a chef gem update inspec command to update my inspec gem. Post which, I had to manually edit the /opt/chefdk/bin/inspec file to update the inspec versions.
$ inspec version
2.0.32
$ inspec exec cis-docker-benchmark
/Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/reporters/cli.rb:144:in `format_message': incompatible character encodings: UTF-8 and ASCII-8BIT (Encoding::CompatibilityError)
from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/reporters/cli.rb:128:in `format_result'
from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/reporters/cli.rb:78:in `block (2 levels) in print_standard_control_results'
from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/reporters/cli.rb:77:in `each'
from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/reporters/cli.rb:77:in `block in print_standard_control_results'
from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/reporters/cli.rb:73:in `each'
from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/reporters/cli.rb:73:in `print_standard_control_results'
from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/reporters/cli.rb:50:in `block in render'
from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/reporters/cli.rb:46:in `each'
from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/reporters/cli.rb:46:in `render'
from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/reporters.rb:24:in `render'
from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/runner.rb:111:in `block in render_output'
from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/runner.rb:110:in `each'
from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/runner.rb:110:in `render_output'
from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/runner.rb:134:in `run_tests'
from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/runner.rb:104:in `run'
from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/lib/inspec/cli.rb:168:in `exec'
from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor/command.rb:27:in `run'
from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor/invocation.rb:126:in `invoke_command'
from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor.rb:359:in `dispatch'
from /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor/base.rb:440:in `start'
from /Users/mrinalmukherjee/.chefdk/gem/ruby/2.3.0/gems/inspec-2.0.32/bin/inspec:12:in `<top (required)>'
from /usr/local/bin/inspec:50:in `load'
from /usr/local/bin/inspec:50:in `<main>'
What am I missing?
I think we should rename the control titles in a more general way.
Example: docker-baseline-xx
This should be included in the 2.0 release.
@chris-rock your opinion?
When executing this profile, I get this:
/usr/local/bundle/gems/inspec-1.23.0/lib/resources/docker.rb:32:in `block (2 levels) in <class:DockerContainerFilter>': undefined method `downcase' for nil:NilClass (NoMethodError)
from /usr/local/bundle/gems/inspec-1.23.0/lib/utils/filter.rb:63:in `instance_eval'
from /usr/local/bundle/gems/inspec-1.23.0/lib/utils/filter.rb:63:in `block in where'
from /usr/local/bundle/gems/inspec-1.23.0/lib/utils/filter.rb:63:in `each'
from /usr/local/bundle/gems/inspec-1.23.0/lib/utils/filter.rb:63:in `find_all'
from /usr/local/bundle/gems/inspec-1.23.0/lib/utils/filter.rb:63:in `where'
from /usr/local/bundle/gems/inspec-1.23.0/lib/resources/docker.rb:32:in `block in <class:DockerContainerFilter>'
from /usr/local/bundle/gems/inspec-1.23.0/lib/utils/filter.rb:204:in `block in create_connector'
from /usr/local/bundle/gems/inspec-1.23.0/lib/utils/filter.rb:178:in `call'
from /usr/local/bundle/gems/inspec-1.23.0/lib/utils/filter.rb:178:in `block (2 levels) in connect'
from cis-docker-benchmark-master/controls/container_images.rb:50:in `block in load_with_context'
from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/rule.rb:51:in `instance_eval'
from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/rule.rb:51:in `initialize'
from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/control_eval_context.rb:71:in `new'
from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/control_eval_context.rb:71:in `block (2 levels) in create'
from cis-docker-benchmark-master/controls/container_images.rb:37:in `load_with_context'
from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/profile_context.rb:146:in `instance_eval'
from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/profile_context.rb:146:in `load_with_context'
from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/profile_context.rb:130:in `load_control_file'
from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/profile.rb:149:in `block in collect_tests'
from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/profile.rb:146:in `each'
from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/profile.rb:146:in `collect_tests'
from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/dependencies/dependency_set.rb:65:in `block in each'
from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/dependencies/dependency_set.rb:64:in `each'
from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/dependencies/dependency_set.rb:64:in `each'
from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/profile.rb:144:in `collect_tests'
from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/runner.rb:90:in `block in load'
from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/runner.rb:79:in `each'
from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/runner.rb:79:in `load'
from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/runner.rb:100:in `run'
from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/base_cli.rb:83:in `run_tests'
from /usr/local/bundle/gems/inspec-1.23.0/lib/inspec/cli.rb:166:in `exec'
from /usr/local/bundle/gems/thor-0.19.4/lib/thor/command.rb:27:in `run'
from /usr/local/bundle/gems/thor-0.19.4/lib/thor/invocation.rb:126:in `invoke_command'
from /usr/local/bundle/gems/thor-0.19.4/lib/thor.rb:369:in `dispatch'
from /usr/local/bundle/gems/thor-0.19.4/lib/thor/base.rb:444:in `start'
from /usr/local/bundle/gems/inspec-1.23.0/bin/inspec:12:in `<top (required)>'
from /usr/local/bundle/bin/inspec:17:in `load'
from /usr/local/bundle/bin/inspec:17:in `<main>'
In PR #43 we added new controls for 1.13. Not all have an automatic test: https://github.com/dev-sec/cis-docker-benchmark/pull/43/files/85b55d19fb0c152cf2df6df90e419f06614be9c1#diff-157b69b578cf12843b1a4586db95e71aR61
@grdnrio proposed to do the following:
## Enable and disable content trust per-shell or per-invocation
In a shell, you can enable content trust by setting the DOCKER_CONTENT_TRUST environment variable. Enabling per-shell is useful because you can have one shell configured for trusted operations and another terminal shell for untrusted operations. You can also add this declaration to your shell profile to have it turned on always by default.
To enable content trust in a bash shell enter the following command:
export DOCKER_CONTENT_TRUST=1
Control docker-4.7 "Do not use update instructions alone in the Dockerfile" fails when running tests on environment with redhat/ubi9-minimal.
The ubi9-minimal image has an image description that includes the text "updated". The test for control docker-4.7 only checks for the presence of text "update" which results in a match and causes the control to fail.
Perhaps the test should use a more precise reference to "apt-get update" or "apt update" to avoid unexpected matches.
Execute the following commands to reproduce the issue:
docker pull redhat/ubi9-minimal:9.3-1552
git clone https://github.com/dev-sec/cis-docker-benchmark.git
inspec exec cis-docker-benchmark --controls docker-4.7
inspec with control docker-4.7 fails and the following message is output to the console:
(message has been formatted for readability)
+<missing> 6 weeks ago
/bin/sh -c #(nop) LABEL description="The Universal Base Image Minimal is a stripped down image
that uses microdnf as a package manager. This base image is freely redistributable, but Red Hat only
supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained
by Red Hat and updated regularly."
Control docker-4.7 should not fail as a "RUN apt-get update" or "RUN apt update" is not being used.
Ubuntu Linux 23.10
Docker 25.0.3
6.6.0
2.1.3
I tried the following commands, but both of them only result in an error: Input 'container_capadd' is required and does not have a value. The readme says I need a yml attribute file, but there is no mention of how this file can be passed to the script.
# run profile locally
$ git clone https://github.com/dev-sec/cis-docker-benchmark
$ inspec exec cis-docker-benchmark
# run profile locally and directly from Github
$ inspec exec https://github.com/dev-sec/cis-docker-benchmark
OS / Environment
Ubuntu 18.04.2 LTS
Inspec Version
3.7.1
Baseline Version
a281d230fbe52f9ef7f88c5a4147dbce6af07ae9
Describe the bug
controls/container_images.rb uses docker history to inspect commands, and the command looks like this:
command("docker --no-trunc history #{id}| grep -e 'update'")
Expected behavior
Output without an error is expected. This can be achieved by placing the flag --no-trunc at the end of the command string:
command("docker history #{id} --no-trunc | grep -e 'update'")
Actual behavior
The stdout of running this command is empty because the command has an error:
unknown flag: --no-trunc
...
Example code
command("docker --no-trunc history #{id}| grep -e 'update'")
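The two reports above (the docker-4.7 false positive on the ubi9-minimal LABEL, and the misplaced --no-trunc flag) concern the same history check in controls/container_images.rb. The following is an added example, not the profile's code, showing the check as plain Ruby: the flag goes after the history subcommand, and only RUN layers that refresh the package index without installing anything are flagged. Function names and the sample history output are constructed for illustration.

```ruby
# Added example, not code from the cis-docker-benchmark profile: a plain-Ruby
# version of the "update instructions alone" check (control docker-4.7) that
# avoids the two problems reported above.
#   1. --no-trunc is a flag of the `history` subcommand, so it is placed after
#      `docker history`; `docker --no-trunc history` fails with
#      "unknown flag: --no-trunc" and leaves stdout empty.
#   2. Only RUN layers whose command refreshes the package index (apt-get,
#      apt or apk update) without installing in the same layer are flagged.
#      Metadata layers such as the ubi9-minimal LABEL ("... updated
#      regularly") never match, because they are not RUN instructions.

# Command the control would hand to InSpec's command resource; the Go
# template keeps only the instruction that created each layer.
def history_command(image_id)
  "docker history --no-trunc --format '{{.CreatedBy}}' #{image_id}"
end

# Index refresh without a consuming install/upgrade in the same layer is the
# pattern docker-4.7 is about; "-\S+" allows options such as apt-get -q update.
UPDATE_RE  = /\b(?:apt-get|apt|apk)\s+(?:-\S+\s+)*update\b/
INSTALL_RE = /\b(?:apt-get|apt|apk)\s+(?:-\S+\s+)*(?:install|add|upgrade|dist-upgrade)\b/

# Reduce one history line to the shell command of a RUN layer. Returns nil
# for metadata layers ("#(nop) LABEL ...", CMD, ENV, ...) so they can never
# trigger the check. Handles classic and buildkit ("RUN ... # buildkit") lines.
def run_instruction(created_by)
  line = created_by.strip
                   .sub(/\ARUN\s+/, '')
                   .sub(%r{\A/bin/sh -c\s+}, '')
                   .sub(/\s*# buildkit\z/, '')
  return nil if line.start_with?('#(nop)')
  line
end

# Commands of every layer that refreshes the package index on its own.
def update_only_layers(history_stdout)
  history_stdout.each_line.map { |raw| run_instruction(raw) }.compact
                .select { |cmd| cmd.match?(UPDATE_RE) && !cmd.match?(INSTALL_RE) }
end

# Verdict the control would report: pass when no such layer exists.
def update_alone_compliant?(history_stdout)
  update_only_layers(history_stdout).empty?
end

# Constructed sample of `docker history --no-trunc --format '{{.CreatedBy}}'`
# output: the LABEL text from the ubi9-minimal report above, two compliant RUN
# layers and two offending ones.
SAMPLE_HISTORY = <<~HIST
  /bin/sh -c #(nop)  CMD ["/bin/bash"]
  /bin/sh -c #(nop)  LABEL description="This image is maintained by Red Hat and updated regularly."
  /bin/sh -c apt-get update && apt-get install -y --no-install-recommends curl && rm -rf /var/lib/apt/lists/*
  /bin/sh -c apt-get update
  RUN /bin/sh -c apt update && apt upgrade -y # buildkit
  /bin/sh -c apk update
HIST

if __FILE__ == $PROGRAM_NAME
  puts history_command('redhat/ubi9-minimal:9.3-1552')
  p update_only_layers(SAMPLE_HISTORY)   # ["apt-get update", "apk update"]
end
```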
OS / Environment
NAME="Ubuntu"
VERSION="20.04 LTS (Focal Fossa)"
Inspec Version
4.46.13
Baseline Version
1.12.0
chef-compliance version
Version: 1.12.1(latest)
I was trying to upload the cis-docker-benchmark profile to Compliance. I am getting the following error:
Profile is valid
Generate temporary profile archive at /var/folders/ks/x873n92n6vb62rrt_qfpt8f40000gp/T/cis-docker-benchmark20171221-24480-wzaned.tar.gz
I, [2017-12-21T12:29:16.364667 #24480] INFO -- : Generate archive /var/folders/ks/x873n92n6vb62rrt_qfpt8f40000gp/T/cis-docker-benchmark20171221-24480-wzaned.tar.gz.
I, [2017-12-21T12:29:16.381412 #24480] INFO -- : Finished archive generation.
Start upload to walmart45/cis-docker-benchmark
Uploading to Chef Compliance
Error during profile upload:
"Failed to POST /owners/walmart45/compliance/cis-docker-benchmark/tar."
The compliance log shows:
/var/log/chef-compliance/core/current
2017-12-21_18:29:16.84343 18:29:16.840 DEB => Extracting incoming tar to /var/opt/chef-compliance/core/runtime/compliance-profiles/upload_525211858
2017-12-21_18:29:16.84344 18:29:16.843 DEB => Extracted upload to /var/opt/chef-compliance/core/runtime/compliance-profiles/upload_525211858
2017-12-21_18:29:16.84344 18:29:16.843 DEB => Found compliance root folder in /var/opt/chef-compliance/core/runtime/compliance-profiles/upload_525211858
2017-12-21_18:29:16.84344 18:29:16.843 DEB => Run: cd /var/opt/chef-compliance/core/runtime/compliance-profiles/upload_525211858 && inspec [check . --format json --profiles-path /var/opt/chef-compliance/core/runtime/compliance-profiles]
2017-12-21_18:29:18.27781 WARN: Unresolved specs during Gem::Specification.reset:
2017-12-21_18:29:18.27782 net-ssh (< 5.0, >= 2.6.5, >= 2.9)
2017-12-21_18:29:18.27782 ffi (>= 1.0.1)
2017-12-21_18:29:18.27783 multi_json (> 1.10)> 2)
2017-12-21_18:29:18.27783 rainbow (
2017-12-21_18:29:18.27783 rspec (> 3)> 2.4)
2017-12-21_18:29:18.27783 addressable (
2017-12-21_18:29:18.27783 WARN: Clearing out unresolved specs.
2017-12-21_18:29:18.27783 Please report a bug if this causes problems.
2017-12-21_18:29:18.54880 /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/rspec-expectations-3.7.0/lib/rspec/matchers.rb:960:in `method_missing': undefined local variable or method `auditd' for #<#<Class:0x000000040f9ca0>:0x00000002de9b10> (NameError)
2017-12-21_18:29:18.54882 from ./controls/host_configuration.rb:187:in `block in load_with_context'
2017-12-21_18:29:18.54882 from /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/inspec-1.34.9/lib/inspec/rule.rb:49:in `instance_eval'
2017-12-21_18:29:18.54882 from /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/inspec-1.34.9/lib/inspec/rule.rb:49:in `initialize'
2017-12-21_18:29:18.54882 from /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/inspec-1.34.9/lib/inspec/control_eval_context.rb:71:in `new'
2017-12-21_18:29:18.54883 from /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/inspec-1.34.9/lib/inspec/control_eval_context.rb:71:in `block (2 levels) in create'
2017-12-21_18:29:18.54883 from ./controls/host_configuration.rb:173:in `load_with_context'
2017-12-21_18:29:18.54883 from /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/inspec-1.34.9/lib/inspec/profile_context.rb:146:in `instance_eval'
2017-12-21_18:29:18.54883 from /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/inspec-1.34.9/lib/inspec/profile_context.rb:146:in `load_with_context'
2017-12-21_18:29:18.54884 from /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/inspec-1.34.9/lib/inspec/profile_context.rb:130:in `load_control_file'
2017-12-21_18:29:18.54884 from /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/inspec-1.34.9/lib/inspec/profile.rb:151:in `block in collect_tests'
2017-12-21_18:29:18.54884 from /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/inspec-1.34.9/lib/inspec/profile.rb:148:in `each'
2017-12-21_18:29:18.54884 from /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/inspec-1.34.9/lib/inspec/profile.rb:148:in `collect_tests'
2017-12-21_18:29:18.54884 from /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/inspec-1.34.9/lib/inspec/profile.rb:454:in `load_checks_params'
2017-12-21_18:29:18.54885 from /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/inspec-1.34.9/lib/inspec/profile.rb:447:in `load_params'
2017-12-21_18:29:18.54885 from /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/inspec-1.34.9/lib/inspec/profile.rb:141:in `params'
2017-12-21_18:29:18.54885 from /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/inspec-1.34.9/lib/inspec/profile.rb:307:in `controls_count'
2017-12-21_18:29:18.54886 from /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/inspec-1.34.9/lib/inspec/profile.rb:278:in `check'
2017-12-21_18:29:18.54886 from /opt/chef-compliance/embedded/lib/ruby/gems/2.2.0/gems/inspec-1.34.9/lib/inspec/cli.rb:69:in `check'
What am I missing here? Do I need to update the rspec version?
Please guide me to resolve this issue.
Thanks in advance.
load_with_context': undefined method `each' for nil:NilClass (NoMethodError) exception in cis-docker-benchmark-master/controls/container_runtime.rb:194
> inspec exec https://github.com/dev-sec/cis-docker-benchmark/archive/master.zip
cis-docker-benchmark-master/controls/container_runtime.rb:194:in `block (2 levels) in load_with_context': undefined method `each' for nil:NilClass (NoMethodError)
from cis-docker-benchmark-master/controls/container_runtime.rb:191:in `each'
from cis-docker-benchmark-master/controls/container_runtime.rb:191:in `block in load_with_context'
from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/lib/inspec/rule.rb:49:in `instance_eval'
from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/lib/inspec/rule.rb:49:in `initialize'
from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/lib/inspec/control_eval_context.rb:71:in `new'
from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/lib/inspec/control_eval_context.rb:71:in `block (2 levels) in create'
from cis-docker-benchmark-master/controls/container_runtime.rb:180:in `load_with_context'
from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/lib/inspec/profile_context.rb:146:in `instance_eval'
from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/lib/inspec/profile_context.rb:146:in `load_with_context'
from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/lib/inspec/profile_context.rb:130:in `load_control_file'
from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/lib/inspec/profile.rb:151:in `block in collect_tests'
from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/lib/inspec/profile.rb:148:in `each'
from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/lib/inspec/profile.rb:148:in `collect_tests'
from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/lib/inspec/runner.rb:89:in `block in load'
from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/lib/inspec/runner.rb:78:in `each'
from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/lib/inspec/runner.rb:78:in `load'
from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/lib/inspec/runner.rb:99:in `run'
from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/lib/inspec/base_cli.rb:83:in `run_tests'
from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/lib/inspec/cli.rb:159:in `exec'
from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/thor-0.20.0/lib/thor/command.rb:27:in `run'
from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/thor-0.20.0/lib/thor/invocation.rb:126:in `invoke_command'
from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/thor-0.20.0/lib/thor.rb:387:in `dispatch'
from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/thor-0.20.0/lib/thor/base.rb:466:in `start'
from /opt/cloudcoreo/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.36.1/bin/inspec:12:in `<top (required)>'
from ./inspec:23:in `load'
from ./inspec:23:in `<main>'
Add a tag for each test, something like:
tag 'host' for the host security tests
and
tag 'container' for the container security tests
As seen in #24, CIS changes control identifiers in minor versions. Therefore we should define our own control ids to ensure the same control stays the same control over time.
control 'cis-docker-benchmark-1.5' do
impact 1.0
title 'Keep Docker up to date'
will become:
control 'host-1.3' do
impact 1.0
title 'Keep Docker up to date'
desc 'The docker container solution is evolving to maturity and stability at a rapid pace. Like any other software, the vendor releases regular updates for Docker software that address security vulnerabilities, product bugs and bring in new functionality.'
tag 'host'
tag cis: 'docker:1.5'
tag level: 1
To ensure we can map the same control to multiple CIS Benchmark versions, we are going to add more tags for each control:
tag cis: [
'docker-1.12:1.3',
'docker-1.13:1.2'
]