
- Add rules for auditd. This is required to fix bnc#959405

OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=49
Flavio Castelli 2015-12-23 10:57:20 +00:00 committed by Git OBS Bridge
parent b348880837
commit f75a1e668a
3 changed files with 37 additions and 0 deletions

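--- /dev/null
+++ b/docker-audit.rules
@@ -0,0 +1,27 @@
+##
+# Audit rules based on CIS Docker 1.6 Benchmark v1.0.0
+# https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf
+# Not all of these apply to SUSE.
+# 1.8 Audit docker daemon
+-w /usr/bin/docker -k docker
+# 1.9 Audit Docker files and directories
+-w /var/lib/docker -k docker
+# 1.10 Audit /etc/docker
+-w /etc/docker -k docker
+# 1.11 Audit Docker files and directories - docker-registry.service
+-w /usr/lib/systemd/system/docker-registry.service -k docker
+# 1.12 Audit Docker files and directories - docker.service
+-w /usr/lib/systemd/system/docker.service -k docker
+# 1.13 Audit Docker files and directories - /var/run/docker.sock
+-w /var/run/docker.sock -k docker
+# 1.14 Audit Docker files and directories - /etc/sysconfig/docker
+-w /etc/sysconfig/docker -k docker
+# 1.15 Audit Docker files and directories - /etc/sysconfig/docker-network
+-w /etc/sysconfig/docker-network -k docker
+# 1.16 Audit Docker files and directories - /etc/sysconfig/docker-registry
+-w /etc/sysconfig/docker-registry -k docker
+# 1.17 Audit Docker files and directories - /etc/sysconfig/docker-storage
+-w /etc/sysconfig/docker-storage -k docker
+# 1.18 Audit Docker files and directories - /etc/default/docker
+-w /etc/default/docker-k docker
+## end docker audit rules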
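Review bot: The 1.18 watch on the last rule line is missing the space before `-k`, so auditctl reads `/etc/default/docker-k` as the watched path and `docker` as a stray trailing argument; it is likely to reject the line, and at best it watches a path that never exists, and because augenrules feeds this file into the loaded ruleset a parse error here can stop the rest of the docker rules from loading. The line should read `-w /etc/default/docker -k docker`. Separately, /etc/default/docker is the Debian-style daemon configuration path; on SUSE the equivalent is /etc/sysconfig/docker, which the 1.14 rule already watches, so the header's "Not all of these apply to SUSE" presumably covers it, but commenting out the 1.18 watch would avoid shipping a rule for a path that does not exist on the target system.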


@ -1,3 +1,7 @@
Wed Dec 23 10:47:04 UTC 2015 - fcastelli@suse.com
- Add rules for auditd. This is required to fix bnc#959405
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Dec 4 16:08:22 UTC 2015 - normand@linux.vnet.ibm.com Fri Dec 4 16:08:22 UTC 2015 - normand@linux.vnet.ibm.com


@ -38,6 +38,7 @@ Source5: docker_systemd_lt_214.socket
Source6: docker-rpmlintrc Source6: docker-rpmlintrc
Source7: README_SUSE.md Source7: README_SUSE.md
Source8: docker-audit.rules
# TODO: remove once we figure out what is wrong with iptables on ppc64le # TODO: remove once we figure out what is wrong with iptables on ppc64le
Source100: sysconfig.docker.ppc64le Source100: sysconfig.docker.ppc64le
Patch0: fix-docker-init.patch Patch0: fix-docker-init.patch
@ -54,6 +55,7 @@ Patch103: docker_remove_journald_to_fix_dynbinary_build_on_arm.patch
Patch104: docker_remove_journald_to_fix_dynbinary_build_on_powerpc.patch Patch104: docker_remove_journald_to_fix_dynbinary_build_on_powerpc.patch
Patch105: add_bolt_arm64.patch Patch105: add_bolt_arm64.patch
Patch106: docker_remove_journald_to_fix_dynbinary_build_on_arm64.patch Patch106: docker_remove_journald_to_fix_dynbinary_build_on_arm64.patch
BuildRequires: audit
BuildRequires: bash-completion BuildRequires: bash-completion
BuildRequires: device-mapper-devel >= 1.2.68 BuildRequires: device-mapper-devel >= 1.2.68
BuildRequires: glibc-devel-static BuildRequires: glibc-devel-static
@ -210,6 +212,9 @@ ln -sf /sbin/service $RPM_BUILD_ROOT/usr/sbin/rcdocker
install -D -m 0644 %SOURCE3 %{buildroot}%{_prefix}/lib/udev/rules.d/80-%{name}.rules install -D -m 0644 %SOURCE3 %{buildroot}%{_prefix}/lib/udev/rules.d/80-%{name}.rules
# audit rules
install -D -m 0640 %SOURCE8 %{buildroot}%{_sysconfdir}/audit/rules.d/%{name}.rules
# sysconfig file # sysconfig file
%ifarch ppc64le %ifarch ppc64le
install -D -m 644 %SOURCE100 %{buildroot}/var/adm/fillup-templates/sysconfig.docker install -D -m 644 %SOURCE100 %{buildroot}/var/adm/fillup-templates/sysconfig.docker
@ -251,6 +256,7 @@ groupadd -r docker 2>/dev/null || :
%{_prefix}/lib/docker/dockerinit %{_prefix}/lib/docker/dockerinit
%{_unitdir}/%{name}.service %{_unitdir}/%{name}.service
%{_unitdir}/%{name}.socket %{_unitdir}/%{name}.socket
%config %{_sysconfdir}/audit/rules.d/%{name}.rules
%{_prefix}/lib/udev/rules.d/80-%{name}.rules %{_prefix}/lib/udev/rules.d/80-%{name}.rules
/var/adm/fillup-templates/sysconfig.docker /var/adm/fillup-templates/sysconfig.docker
%ifarch %go_arches %ifarch %go_arches
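Review bot: The new `BuildRequires: audit` in the second hunk has no visible build-time use, since the rules file is only copied by `install`, whereas the runtime dependency that the installed `%{_sysconfdir}/audit/rules.d/%{name}.rules` actually needs (the audit package presumably owning that directory and auditd/augenrules picking the file up) is not expressed in any of the hunks; unless a `Requires: audit` already exists elsewhere in the spec, that line should become `Requires: audit`. Nothing shown reloads the rules after installation either, so the watches only take effect at the next auditd start; a `%post` step that runs `augenrules --load` when auditd is active would close that gap, but `%post` lies outside these hunks. The `%config` entry in the last hunk is without `noreplace`, so package updates overwrite local edits to the rules file (kept as .rpmsave), which is probably intended for a vendor-shipped CIS ruleset but deserves a comment such as `# vendor-maintained CIS ruleset: intentionally replaced on update`.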