diff --git a/docker-audit.rules b/docker-audit.rules
new file mode 100644
index 0000000..1ba1e93
--- /dev/null
+++ b/docker-audit.rules
@@ -0,0 +1,27 @@
+##
+# Audit rules based on CIS Docker 1.6 Benchmark v1.0.0
+# https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf
+# Not all of these apply to SUSE.
+# 1.8 Audit docker daemon
+-w /usr/bin/docker -k docker
+# 1.9 Audit Docker files and directories
+-w /var/lib/docker -k docker
+# 1.10 Audit /etc/docker
+-w /etc/docker -k docker
+# 1.11 Audit Docker files and directories - docker-registry.service
+-w /usr/lib/systemd/system/docker-registry.service -k docker
+# 1.12 Audit Docker files and directories - docker.service
+-w /usr/lib/systemd/system/docker.service -k docker
+# 1.13 Audit Docker files and directories - /var/run/docker.sock
+-w /var/run/docker.sock -k docker
+# 1.14 Audit Docker files and directories - /etc/sysconfig/docker
+-w /etc/sysconfig/docker -k docker
+# 1.15 Audit Docker files and directories - /etc/sysconfig/docker-network
+-w /etc/sysconfig/docker-network -k docker
+# 1.16 Audit Docker files and directories - /etc/sysconfig/docker-registry
+-w /etc/sysconfig/docker-registry -k docker
+# 1.17 Audit Docker files and directories - /etc/sysconfig/docker-storage
+-w /etc/sysconfig/docker-storage -k docker
+# 1.18 Audit Docker files and directories - /etc/default/docker
+-w /etc/default/docker-k docker
+## end docker audit rules
diff --git a/docker.changes b/docker.changes
index aaf7c69..5fe194c 100644
--- a/docker.changes
+++ b/docker.changes
@@ -1,3 +1,7 @@
+Wed Dec 23 10:47:04 UTC 2015 - fcastelli@suse.com
+
+- Add rules for auditd. This is required to fix bnc#959405
+
 -------------------------------------------------------------------
 Fri Dec 4 16:08:22 UTC 2015 - normand@linux.vnet.ibm.com
 
diff --git a/docker.spec b/docker.spec
index 32f9576..a3ba49b 100644
--- a/docker.spec
+++ b/docker.spec
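Review bot: The last watch in the new rules file, `-w /etc/default/docker-k docker`, is missing the space before `-k`, so auditctl is handed `/etc/default/docker-k` as the path plus a stray `docker` argument; depending on the auditctl version that either installs a watch on the wrong path or makes augenrules reject the line, and in both cases /etc/default/docker (the CIS 1.18 item the comment above it names) is not audited. Change it to `-w /etc/default/docker -k docker`. Since one malformed line in rules.d can invalidate the whole generated rule set, it is worth loading the file with `auditctl -R` on a test system before shipping.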
@@ -38,6 +38,7 @@ Source5: docker_systemd_lt_214.socket Source6: docker-rpmlintrc Source7: README_SUSE.md +Source8: docker-audit.rules # TODO: remove once we figure out what is wrong with iptables on ppc64le Source100: sysconfig.docker.ppc64le Patch0: fix-docker-init.patch @@ -54,6 +55,7 @@ Patch103: docker_remove_journald_to_fix_dynbinary_build_on_arm.patch Patch104: docker_remove_journald_to_fix_dynbinary_build_on_powerpc.patch Patch105: add_bolt_arm64.patch Patch106: docker_remove_journald_to_fix_dynbinary_build_on_arm64.patch +BuildRequires: audit BuildRequires: bash-completion BuildRequires: device-mapper-devel >= 1.2.68 BuildRequires: glibc-devel-static @@ -210,6 +212,9 @@ ln -sf /sbin/service $RPM_BUILD_ROOT/usr/sbin/rcdocker install -D -m 0644 %SOURCE3 %{buildroot}%{_prefix}/lib/udev/rules.d/80-%{name}.rules +# audit rules +install -D -m 0640 %SOURCE8 %{buildroot}%{_sysconfdir}/audit/rules.d/%{name}.rules + # sysconfig file %ifarch ppc64le install -D -m 644 %SOURCE100 %{buildroot}/var/adm/fillup-templates/sysconfig.docker @@ -251,6 +256,7 @@ groupadd -r docker 2>/dev/null || : %{_prefix}/lib/docker/dockerinit %{_unitdir}/%{name}.service %{_unitdir}/%{name}.socket +%config %{_sysconfdir}/audit/rules.d/%{name}.rules %{_prefix}/lib/udev/rules.d/80-%{name}.rules /var/adm/fillup-templates/sysconfig.docker %ifarch %go_arches
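Review bot: `BuildRequires: audit` only pulls audit into the build root, while the file the spec now installs lands in `%{_sysconfdir}/audit/rules.d`, a directory owned by the audit package at runtime; no `Requires: audit` is visible in this diff, so a system that installs docker without audit ends up with an unowned directory and rules that nothing ever loads. Add `Requires: audit` alongside the package's existing Requires lines (outside this hunk), or have the package own the directory with `%dir %{_sysconfdir}/audit/rules.d`. If nothing in %build or %check actually uses audit, the build-time dependency looks like a mistake for the runtime one and can be dropped.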
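Review bot: In the `%files` hunk, `%config` without `(noreplace)` means a locally edited docker.rules is overwritten on every package upgrade (the admin's copy is left as .rpmsave), which sits badly with the new rules file's own header saying not all entries apply to SUSE and so inviting site tailoring. Change the line to `%config(noreplace) %{_sysconfdir}/audit/rules.d/%{name}.rules`. Separately, a file in rules.d is only picked up when augenrules regenerates the rule set on an auditd (re)start; if the watches are meant to be active immediately after installation, a %post step restarting auditd would be needed, and none is visible in this diff, so confirm deferring activation is intended.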