diff --git a/resources/x-docker-schema/docker-oval-proposal-form.txt b/resources/x-docker-schema/docker-oval-proposal-form.txt new file mode 100644 index 0000000..c35a450 --- /dev/null +++ b/resources/x-docker-schema/docker-oval-proposal-form.txt 
@@ -0,0 +1,199 @@ +-------------------------------------------------------------------------------- +OVAL Proposal Form +-------------------------------------------------------------------------------- +The OVAL Proposal Form is used by members of the community to prepare proposals +for migration into an official release of OVAL. The form will be critical in +helping the members of the community understand, review, and vet proposals. + +Once an OVAL Proposal Form is submitted to the oval-developer-list, the OVAL +Moderator will review and verify the proposal for completeness at which point +it will be ready for community review and discussion. + +When a new proposal is introduced to the community, the OVAL Moderator will +work with the OVAL Board to determine the impact of the proposal. If the +proposal is deemed a high impact change, it must be developed in the OVAL +Sandbox which will require the completion of this form as well as an OVAL +Board vote before it is migrated into an official release. More information +about the OVAL Board Voting Process can be found at [1]. If the proposal is +deemed a low impact change, the proposed change can be made directly to an +official OVAL release. + +Please direct any questions or concerns to MITRE at oval@mitre.org. + +-------------------------------------------------------------------------------- +Steps to Take +-------------------------------------------------------------------------------- +1) Review the OVAL Language Sandbox page [2] and the Requesting Changes to the +OVAL Language page [3]. + +2) Complete the form provided below. + +3) Email the completed form to the oval-developer-list at +oval-developer-list@lists.mitre.org with a subject of +"FOR REVIEW: Proposal Form". + +4) Revise the proposal, as needed, based on community discussion and feedback. 
+ +-------------------------------------------------------------------------------- +Contact Information +-------------------------------------------------------------------------------- +1) Name: William Munyan (Bill) +2) Email Address: william.munyan@cisecurity.org +3) Phone Number (optional): + +-------------------------------------------------------------------------------- +Introduction to Proposal +-------------------------------------------------------------------------------- +1) What is the new capability? + +The OVAL schemas for Docker provide a standards-based capability to check configurations +related to a Docker installation and/or containers and images installed in a Docker +infrastructure. + +2) Why is the new capability needed? + +The Docker OVAL schemas are needed to provide a standards-based capability +to check Docker installation configuration as well as configuration of installed +containers or images. + +3) What is the version of the targeted official OVAL release? + +The targeted OVAL version for this proposal is OVAL 5.12. + +-------------------------------------------------------------------------------- +Benefits of Proposal +-------------------------------------------------------------------------------- +1) How does the proposal relate to existing OVAL use cases [4]? +The tests provide capabilities to express and assess Docker configuration for the +following OVAL use cases: + +* Configuration Management + +2) What does this proposal enable that cannot currently be accomplished in the +OVAL Language? + +The OVAL Language does not currently include any Docker-specific schemas. 
+ +The proposed Docker schema provides the ability to check: +* Installed version information +* Currently executing process information for those processes executing within + a Docker container/image (similar to the Unix schema's process58_test) +* Information regarding a Docker installation, such as numbers of running containers, + total number of containers, backing filesystems and backing architectures +* Inspection information for any installed container or image +* Container process information, such as time when a container was created, container + up-time, status and size + +3) What alternative approaches for supporting these use cases were considered +and why is this one the best? + +We do not believe there are other alternative methods for interrogating or assessing +Docker. Most output from Docker commands is rendered as JSON, for which no OVAL +constructs currently exist. + +-------------------------------------------------------------------------------- +Impacts of Proposal +-------------------------------------------------------------------------------- +1) Which existing OVAL schemas are affected by this proposal? + +None. + +2) Does the proposal break backward compatibility with previous versions? +Please see OVAL Versioning Policy [5] for more information. + +This proposal does not break backward compatibility. + +2) How will the proposed changes impact OVAL content authors? + +This will provide OVAL content authors with the ability to create new +content based on the new tests. We have created proof-of-concept OVAL +definitions demonstrating the ability to automate useful compliance checks. + +3) How will the proposed changes impact OVAL content consumers? + +No impact to current OVAL content consumers. These changes will provide +an opportunity to use OVAL to create configuration management/assessment +content for Docker. + +4) How will the proposed changes impact existing OVAL content? + +No impact. 
+ +5) How will the proposed changes impact existing OVAL implementations? + +The impact will depend on whether the existing OVAL implementations need to +implement Docker-specific schema features. In many cases it will not be +necessary. + +6) Are there any concerns regarding this proposal (e.g., undocumented APIs, +etc.)? If so, are there any mitigating factors? + +As Docker is a rapidly evolving technology, the only concerns are that when +updated versions of Docker are released, commands, command options, and/or +APIs may change. These changes could have an impact on implementations of +the Docker schema. + +-------------------------------------------------------------------------------- +Technical Review +-------------------------------------------------------------------------------- +1) Do the schema changes follow the accepted naming and design conventions? + +Yes. + +2) Do the schema changes satisfy the requirements specified in the Requesting +Changes to the OVAL Language page [3]? + +Yes. + +3) Do the schema changes align with the targeted official release (e.g., changes +that break backward compatibility should not target a minor release)? Please +see the OVAL Versioning Policy [5] for more information. + +Yes. + +4) Have the new capabilities been successfully implemented and tested with sample +content? + +Yes. 
+ +-------------------------------------------------------------------------------- +Resource Information +-------------------------------------------------------------------------------- +1) Provide URLs for relevant OVAL Sandbox Issues: + +N/A + +2) Provide URLs for OVAL Sandbox schemas that exemplify the proposed changes: + +https://raw.githubusercontent.com/OVALProject/Sandbox/master/x-docker-system-characteristics-schema.xsd + +https://raw.githubusercontent.com/OVALProject/Sandbox/master/x-docker-definitions-schema.xsd + +3) Provide URLs for the location of sample OVAL Definitions, +OVAL System Characteristics, and OVAL Results that exemplify the proposed +changes: + +Sample OVAL Definitions: +https://github.com/OVALProject/Sandbox/blob/master/resources/x-docker-schema/sample-docker-oval-definitions.xml + +Sample OVAL Results including System Characteristics: +https://github.com/OVALProject/Sandbox/blob/master/resources/x-docker-schema/sample-docker-oval-results.xml + +4) Provide URLs for products or tools that implement the proposed changes: + +N/A + +5) Provide URLs to any other resources that may be relevant to reviewing and +verifying the proposal: + +N/A + +-------------------------------------------------------------------------------- +References +-------------------------------------------------------------------------------- +[1] http://oval.mitre.org/community/board/voting.html +[2] http://oval.mitre.org/language/sandbox.html +[3] http://oval.mitre.org/language/about/change_requests.html +[4] http://oval.mitre.org/adoption/usecasesguide.html +[5] http://oval.mitre.org/language/about/versioning.html + diff --git a/resources/x-docker-schema/sample-docker-oval-definitions.xml b/resources/x-docker-schema/sample-docker-oval-definitions.xml new file mode 100644 index 0000000..8734527 --- /dev/null +++ b/resources/x-docker-schema/sample-docker-oval-definitions.xml 
@@ -0,0 +1,184 @@ + + + + 5.11 + 2009-01-12T10:41:00-05:00 + Copyright (c) 2002-2012, The MITRE Corporation. All rights reserved. The contents of this file are subject to the license described in terms.txt. + + + + + + Docker Version + Docker Version + + + + + + + + Docker Inspect + Docker Inspect + + + + + + + + Docker Info + Docker Info + + + + + + + + Docker Keyed Info + Docker Keyed Info + + + + + + + + Docker Process + Docker Process + + + + + + + + Docker Process + Docker Process + + + + + + + + Docker Exec PS + Docker Exec PS + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + MOUNTS + + + + STORAGE_DRIVER + + + .* + + + NO CONTAINER + + + 4cd4e0cccf3a + ^nginx.*$ + 0 + + + .* + oval:org.cisecurity.docker:ste:999 + + + /etc/audit/auditd.conf + ^log_file\s*=\s*([/a-zA-Z\s]+\.log) + 1 + + + + + 1.11.0 + 1.11.0 + + + + /some/content + + + + 2 + aufs + Ubuntu 15.10 + /var/lib/docker + + + STORAGE_DRIVER + aufs + + extfs + + + + 4cd4e0cccf3a + 80/tcp + + + 4cd4e0cccf3a + 1 + + + running + + + + + + + + + + + + diff --git a/resources/x-docker-schema/sample-docker-oval-results.xml b/resources/x-docker-schema/sample-docker-oval-results.xml new file mode 100644 index 0000000..0866186 --- /dev/null +++ b/resources/x-docker-schema/sample-docker-oval-results.xml 
@@ -0,0 +1,515 @@ + + + + cpe:/a:cisecurity.org:CIS-CAT + 3.0.28 + 5.11 + 2016-08-11T10:02:38.502-07:00 + + + + + + + + + + + + + + + + + + + + 5.11 + 2009-01-12T10:41:00-05:00 + Copyright (c) 2002-2012, The MITRE Corporation. All rights reserved. The contents of this file are subject to the license described in terms.txt. + + + + + Docker Keyed Info + Docker Keyed Info + + + + + + + + Docker Info + Docker Info + + + + + + + + Docker Inspect + Docker Inspect + + + + + + + + Docker Version + Docker Version + + + + + + + + Docker Process + Docker Process + + + + + + + + Docker Process + Docker Process + + + + + + + + Docker Exec PS + Docker Exec PS + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + STORAGE_DRIVER + + + + NO CONTAINER + + + 4cd4e0cccf3a + ^nginx.*$ + 0 + + + .* + + + .* + oval:org.cisecurity.docker:ste:999 + + + + MOUNTS + + + /etc/audit/auditd.conf + ^log_file\s*=\s*([/a-zA-Z\s]+\.log) + 1 + + + + + + 1.11.0 + 1.11.0 + + + 4cd4e0cccf3a + 1 + + + running + + + 2 + aufs + Ubuntu 15.10 + /var/lib/docker + + + + /some/content + + + + 4cd4e0cccf3a + 80/tcp + + + STORAGE_DRIVER + aufs + + extfs + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 4cd4e0cccf3a + + + + + + + + + + + + + cpe:/a:cisecurity.org:CIS-CAT + 3.0.28 + 5.11 + 2016-08-11T10:02:38.541-07:00 + + + Ubuntu + 4.2.0-36-generic + amd64 + ubuntu + + + vethb7b7a7c + + ?��>?k + + + docker0 + 172.17.0.1 + ?B&?+� + + + eno16777736 + 192.168.132.151 + ??)#*� + + + + + + + + + + + + + + + + + + + + + + + + + + 4cd4e0cccf3a + + + + + + + + + STORAGE_DRIVER + aufs + + /var/lib/docker/aufs + extfs + 14 + true + + + + 2 + 1 + 0 + 1 + 2 + aufs + /var/lib/docker/aufs + extfs + 14 + true + json-file + cgroupfs + 4.2.0-36-generic + Ubuntu 15.10 + linux + x86_64 + ubuntu + JAOR:4K4O:DNS2:U4QH:YCMS:YQJP:6YP7:UY73:ZPP3:WAT3:BCEG:N43V + /var/lib/docker + false + false + + + NO CONTAINER + + + 4cd4e0cccf3a + 
nginx: master process nginx -g daemon off; + 00:00:00 + 1 + 0 + 20 + 0 + TS + 17:02:22 + ? + 0 + + 4294967295 + CAP_CHOWN + CAP_DAC_OVERRIDE + CAP_DAC_READ_SEARCH + CAP_FOWNER + CAP_FSETID + CAP_KILL + CAP_SETGID + CAP_SETUID + CAP_SETPCAP + CAP_LINUX_IMMUTABLE + CAP_NET_BIND_SERVICE + CAP_NET_BROADCAST + CAP_NET_ADMIN + CAP_NET_RAW + CAP_IPC_LOCK + CAP_IPC_OWNER + CAP_SYS_MODULE + CAP_SYS_RAWIO + CAP_SYS_CHROOT + CAP_SYS_PTRACE + CAP_SYS_ADMIN + CAP_SYS_BOOT + CAP_SYS_NICE + CAP_SYS_RESOURCE + CAP_SYS_TIME + CAP_SYS_TTY_CONFIG + CAP_MKNOD + CAP_LEASE + CAP_AUDIT_WRITE + CAP_AUDIT_CONTROL + CAP_SETFCAP + CAP_MAC_OVERRIDE + CAP_MAC_ADMIN + + 1 + + + 4cd4e0cccf3a + nginx: worker process + 00:00:00 + 5 + 1 + 20 + 104 + TS + 17:02:22 + ? + 104 + + 4294967295 + CAP_CHOWN + CAP_DAC_OVERRIDE + CAP_DAC_READ_SEARCH + CAP_FOWNER + CAP_FSETID + CAP_KILL + CAP_SETGID + CAP_SETUID + CAP_SETPCAP + CAP_LINUX_IMMUTABLE + CAP_NET_BIND_SERVICE + CAP_NET_BROADCAST + CAP_NET_ADMIN + CAP_NET_RAW + CAP_IPC_LOCK + CAP_IPC_OWNER + CAP_SYS_MODULE + CAP_SYS_RAWIO + CAP_SYS_CHROOT + CAP_SYS_PTRACE + CAP_SYS_ADMIN + CAP_SYS_BOOT + CAP_SYS_NICE + CAP_SYS_RESOURCE + CAP_SYS_TIME + CAP_SYS_TTY_CONFIG + CAP_MKNOD + CAP_LEASE + CAP_AUDIT_WRITE + CAP_AUDIT_CONTROL + CAP_SETFCAP + CAP_MAC_OVERRIDE + CAP_MAC_ADMIN + + 1 + + + 4cd4e0cccf3a + nginx + "nginx -g 'daemon off" + 2016-04-15 12:24:41 -0700 PDT + 3 months + 80/tcp + 443/tcp + running + 0 B + some-nginx + + + e456c8aafc1f + hello-world + "/hello" + 2016-04-15 06:45:33 -0700 PDT + 3 months + + exited + 0 B + gigantic_yonath + + + 4cd4e0cccf3a + MOUNTS + + /usr/share/nginx/html + ro + rprivate + false + /some/content + + + + 1.11.1 + 1.23 + go1.5.4 + 5604cbe + Tue Apr 26 23 + linux/amd64 + 1.11.1 + 1.23 + go1.5.4 + 5604cbe + Tue Apr 26 23 + linux/amd64 + + + + + + \ No newline at end of file diff --git a/x-docker-definitions-schema.xsd b/x-docker-definitions-schema.xsd new file mode 100644 index 0000000..9395971 --- /dev/null 
+++ b/x-docker-definitions-schema.xsd 
@@ -0,0 +1,1303 @@ + + + + + + The following is a proposal for the experimental tests, objects, and states that will support assessment of Docker containers. Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here. + The OVAL Schema is maintained by The MITRE Corporation and developed by the public OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.mitre.org. + + Experimental Schema for Docker + 5.11 + 5/28/2015 8:00:00 AM + Copyright (c) 2002-2013, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at http://oval.mitre.org/oval/about/termsofuse.html. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included. + + + + + + + + + + + + + + The execps_test is designed to mirror the existing unix process58_test, but executed for specified docker container(s)/image(s). Authors should use the docker process_test to obtain containers to test, + feeding each container_or_image into this execps_test in order to collect the running processes for that container. + It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. 
The required object element references an execps_object and the optional state element specifies the data to check. + + + + execps_test + execps_object + execps_state + execps_item + + + + + + - the object child element of a execps_test must reference a execps_object + + + - the state child element of a execps_test must reference a execps_state + + + + + + + + + + + + + + + + + + + The execps_object element is used by an execps_test. This object mirrors the Unix process58_object, but adds the ability to collect + running process information for specific container(s)/image(s). + + + + + + + + + + + + This is the id of the container or image from which we're gathering running process information, usually funneled from a docker process_object component + + + + + The command_line entity is the string used to start the process. This includes any parameters that are part of the command line. + + + + + The pid entity is the process ID of the process. + + + + + + + + + + + + + + The execps_state element defines the different metadata associated with a UNIX process running inside a docker container/image. + This includes the command line, pid, ppid, priority, and user id. Please refer to the individual elements in the schema for more + details about what each represents. + + + + + + + + + This is the id of the container or image from which we're gathering running process information, usually funneled from a docker process_object component + + + + + This is the string used to start the process. This includes any parameters that are part of the command line. + + + + + This is the cumulative CPU time, formatted in [DD-]HH:MM:SS where DD is the number of days when execution time is 24 hours or more. + + + + + This is the process ID of the process. + + + + + This is the process ID of the process's parent process. + + + + + This is the scheduling priority with which the process runs. This can be adjusted with the nice command or nice() system call. 
+ + + + + This is the real user id which represents the user who has created the process. + + + + + A platform specific characteristic maintained by the scheduler: RT (real-time), TS (timeshare), FF (fifo), SYS (system), etc. + + + + + This is the time of day the process started formatted in HH:MM:SS if the same day the process started or formatted as MMM_DD (Ex.: Feb_5) if process started the previous day or further in the past. + + + + + This is the TTY on which the process was started, if applicable. + + + + + This is the effective user id which represents the actual privileges of the process. + + + + + A boolean that when true would indicates that ExecShield is enabled for the process. + + + + + The loginuid shows which account a user gained access to the system with. The /proc/XXXX/loginuid shows this value. + + + + + An effective capability associated with the process. See linux/include/linux/capability.h for more information. + + + + + An selinux domain label associated with the process. + + + + + The session ID of the process. + + + + + + + + + + + + + + + The info_test is used to collect and evaluate a "flattened" subset of output from the "docker info" command. + It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. + The required object element references an info_object and the optional state element specifies the data to check. + + + + info_test + info_object + info_state + info_item + + + + + + - the object child element of a info_test must reference a info_object + + + - the state child element of a info_test must reference a info_state + + + + + + + + + + + + + + + + + + + The info_object element is used by an info_test to define the different information resulting from the "docker info" command output. This is an + empty object. + + + + + + + + + + + + The info_state element defines the different metadata associated with an installation of docker. 
+ This includes the number of containers, running containers, images, etc. Please refer to the individual elements in the schema + for more details about what each represents. + + + + + + + + + The total number of containers + + + + + The number of currently running containers + + + + + The number of currently paused containers + + + + + The number of currently stopped containers + + + + + The total number of images + + + + + Storage Driver + + + + + Storage Driver Root Directory + + + + + Storage Driver Backing Filesystem + + + + + Storage Driver Directory Count + + + + + Indicates if "dirperm1" is supported for the Storage Driver + + + + + Logging driver + + + + + Cgroup driver + + + + + Docker kernel version + + + + + Operating System + + + + + OSType + + + + + Architecture + + + + + Name + + + + + ID + + + + + Docker root directory + + + + + Debug mode (client) + + + + + Debug mode (server) + + + + + + + + + + + + + + + The docker inspect test is used to validate low-level information on a container or image. + By default, the "docker inspect" command will render all results in a JSON array. + It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType + description for more information. The required object element references an inspect_object and the optional state + element specifies the data to check. + + + + inspect_test + inspect_object + inspect_state + inspect_item + + + + + + - the object child element of an inspect_test must reference an inspect_object + + + - the state child element of an inspect_test must reference an inspect_state + + + + + + + + + + + + + + + + + + + Determine what information is to be collected from the "docker inspect" output for a container or image. + The inspect_object element is used by an inspect_test to define the different information about the current docker container or image. 
+ + + + + + + + + + + + The name of the container or image for which information is to be collected. + + + + + Enumeration defining how to format the output of the "docker inspect" command. See the enumeration values for their respective "--format" strings. + + + + + + + + + + + + + + The inspect_state element defines the different metadata associated with output from the "docker inspect" command. + This includes the container/image interrogated and property/value pairs. Please refer to the individual elements in + the schema for more details about what each represents. + + + + + + + + + The name of the container or image for which information is to be collected. + + + + + Enumeration defining how to format the output of the "docker inspect" command. See the enumeration values for their respective "--format" strings. + + + + + The inspect_property_values element specifies how to test items in the result set of the specified docker inspect output. + + + + - datatype attribute for the result entity of a docker inspect_state must be 'record' + + + + + + + + + + + + + + + + + + + + + + Output of "docker info" is a whitespace-significant listing of key-value pairs, delimited by colons. + It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. + The required object element references a keyedinfo_object and the optional state element specifies the data to check. 
+ + + + keyedinfo_test + keyedinfo_object + keyedinfo_state + keyedinfo_item + + + + + + - the object child element of a keyedinfo_test must reference a keyedinfo_object + + + - the state child element of a keyedinfo_test must reference a keyedinfo_state + + + + + + + + + + + + + + + + + + + The keyedinfo_object element is used by a keyedinfo_test to define the key(s) to be collected from the output of the "docker info" command + + + + + + + + + + + + + The "key" field represents the name of a main section (non-indented in the output) of the "docker info" output. When processing the output of + the "docker info" command, any fields which are indented represent "subvalues" and are collected as a record of fields. An example key is "STORAGE_DRIVER" which would + collect the "Storage Driver" section of the "docker info" output. The collected value would be on the same output line as the "Storage Driver". If the output indicates + "Storage Driver: aufs", the collected value would be "aufs". Subvalues would be organized into a record containing fields named "Root Dir", "Backing Filesystem", and "Dirs". + + + + + + + + + + + + + + + The keyedinfo_state element defines the different metadata associated with output from the "docker info" command. + This includes the container/image interrogated and property/value pairs. Please refer to the individual elements in the + schema for more details about what each represents. + + + + + + + + + The name of the key for the docker version element + + + + + The value associated with the key for the docker version element + + + + + The subvalues element specifies how to test items in the result set of the specified docker info output. 
+ + + + - datatype attribute for the result entity of a docker info_state must be 'record' + + + + + + + + + + + + + + + + + + + + + + The "docker ps" command can be used in a number of ways, and is likely to be used as a prerequisite to ascertain container IDs in support of issuing other commands, + such as "docker port" and "docker inspect". "docker ps -q" lists the running containers. "docker ps -a" lists all containers (even if they're not running). + It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element + references an _object and the optional state element specifies the data to check. + + + + process_test + process_object + process_state + process_item + + + + + + - the object child element of a process_test must reference a process_object + + + - the state child element of a process_test must reference a process_state + + + + + + + + + + + + + + + + + + + The process_object element is used by a process_test to define the different information about the containers/instances being utilized in a Docker installation. + The process_object specifies the name of a container or instance for which to collect information. The container or instance name is to be utilized as the argument + to the "docker ps [container_or_instance] --format=[]" command. When pattern matching, implementations should utilize the "docker ps -a" switch to query all containers + and parse for matching items. + + + + + + + + + + + + + + The container or instance field is to filter the "docker ps" command to collect information about specific + docker containers. When pattern matching, implementations should utilize the "docker ps -a" switch to query all containers + and parse for matching items. + + + + + + + The container or instance field is used as the argument to the "docker ps" command to collect information about specific + docker containers/instances. 
When pattern matching, implementations should utilize the "docker ps -a" switch to query all containers + and parse for matching items. + + + + + + + + + + + + + + + + The process_state element defines the different metadata associated with output from the "docker ps" command. + This includes the container/image interrogated and information about status, running time, and exposed ports. + Please refer to the individual elements in the schema for more details about what each represents. + + + + + + + + + Container ID + + + + + Image ID + + + + + Quoted Command + + + + + Time when the container was created + + + + + Elapsed time since the container was started + + + + + Exposed Ports + + + + + Container Status + + + + + Container disk size + + + + + Container names + + + + + All labels assigned to the container + + + + + Names of the volumes mounted in this container + + + + + + + + + + + + + + + The version_test element is used to define output of the "docker version" command. + It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the + TestType description for more information. The required object element references a version_object and the + optional state element specifies the data to check. + + + + version_test + version_object + version_state + version_item + + + + + + - the object child element of a _test must reference a _object + + + - the state child element of a test must reference a _state + + + + + + + + + + + + + + + + + + + The version_object element is used by a version_test to define output of the "docker version" command. The version_object is + an empty object. + + + + + + + + + + + + The version_state allows for the comparison of all version information resulting from the "docker version" command. + The output of the "docker version" command contains two sections of information; Docker Client information, and Docker Server information. 
+ Please refer to the individual elements in the schema for more details about what each represents. + + + + + + + + + Docker client version string + + + + + Docker client API version + + + + + Docker client GO version + + + + + Docker client Git commit hash + + + + + The date this Docker client was built + + + + + Docker client Operating System architecture + + + + + Docker server version + + + + + Docker server API version + + + + + Docker server GO version + + + + + Docker server Git commit hash + + + + + The date this Docker server was built + + + + + Docker server Operating System architecture + + + + + + + + + + + + + + The EntityObjectDockerInfoKeyType complex type restricts a string value to a specific set of values: + + + + + + The total number of containers. This key should result in the collection of sub-values for counts of running, paused, and stopped containers + + + + + The total number of images. No sub-values collected + + + + + The docker server version. No sub-values collected + + + + + Docker storage driver. Sub-values include Root Dir, Backing Filesystem, Number of Dirs, Dirpirm1 Supported + + + + + Logging driver; No sub-values collected + + + + + Cgroup driver; No sub-values collected + + + + + Installed plugins; Will have sub-values + + + + + Docker kernel version; No sub-values + + + + + Underlying operating system; No sub-values + + + + + Operating System type; No sub-values + + + + + Underlying OS architecture; No sub-values + + + + + Installation name; no sub-values + + + + + Docker installation ID; No sub-values + + + + + Docker root directory; No sub-values + + + + + The empty string value is permitted here to allow for empty elements associated with variable references. + + + + + + + + The EntityStateDockerInfoKeyType complex type restricts a string value to a specific set of values: + + + + + + The total number of containers. 
This key should result in the collection of sub-values for counts of running, paused, and stopped containers + + + + + The total number of images. No sub-values collected + + + + + The docker server version. No sub-values collected + + + + + Docker storage driver. Sub-values include Root Dir, Backing Filesystem, Number of Dirs, Dirpirm1 Supported + + + + + Logging driver; No sub-values collected + + + + + Cgroup driver; No sub-values collected + + + + + Installed plugins; Will have sub-values + + + + + Docker kernel version; No sub-values + + + + + Underlying operating system; No sub-values + + + + + Operating System type; No sub-values + + + + + Underlying OS architecture; No sub-values + + + + + Installation name; no sub-values + + + + + Docker installation ID; No sub-values + + + + + Docker root directory; No sub-values + + + + + The empty string value is permitted here to allow for empty elements associated with variable references. + + + + + + + + The EntityObjectInspectPropertyType complex type restricts a string value to a specific set of values: + + + + + + Equates to execution of "docker inspect --format='{{.Config.User}}'" + + + + + Equates to execution of "docker inspect --format='{{.AppArmorProfile}}'" + + + + + Equates to execution of "docker inspect --format='{{.NetworkSettings.Ports}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.SecurityOpt}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.CapAdd}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.CapDrop}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.Privileged}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.NetworkMode}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.Memory}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.CpuShares}}'" + + + + + Equates to execution of "docker inspect 
--format='{{.HostConfig.ReadonlyRootfs}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.RestartPolicy.Name}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.RestartPolicy.MaximumRetryCount}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.PidMode}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.IpcMode}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.Devices}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.Ulimits}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.UTSMode}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.CgroupParent}}'" + + + + + Equates to execution of "docker inspect --format='{{.Mounts}}'" + + + + + Equates to execution of "docker inspect --format='{{range $mnt := .Mounts}} {{json $mnt.Propagation}} {{end}}'" + + + + + The empty string value is permitted here to allow for empty elements associated with variable references. 
+ + + + + + + + The EntityStateInspectPropertyType complex type restricts a string value to a specific set of values: + + + + + + Equates to execution of "docker inspect --format='{{.Config.User}}'" + + + + + Equates to execution of "docker inspect --format='{{.AppArmorProfile}}'" + + + + + Equates to execution of "docker inspect --format='{{.NetworkSettings.Ports}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.SecurityOpt}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.CapAdd}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.CapDrop}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.Privileged}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.NetworkMode}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.Memory}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.CpuShares}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.ReadonlyRootfs}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.RestartPolicy.Name}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.RestartPolicy.MaximumRetryCount}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.PidMode}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.IpcMode}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.Devices}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.Ulimits}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.UTSMode}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.CgroupParent}}'" + + + + + Equates to execution of "docker inspect --format='{{.Mounts}}'" + + + + + Equates to execution of "docker inspect --format='{{range $mnt := .Mounts}} {{json $mnt.Propagation}} 
{{end}}'" + + + + + The empty string value is permitted here to allow for empty elements associated with variable references. + + + + + + diff --git a/x-docker-system-characteristics-schema.xsd b/x-docker-system-characteristics-schema.xsd new file mode 100644 index 0000000..327f1b0 --- /dev/null +++ b/x-docker-system-characteristics-schema.xsd 
@@ -0,0 +1,706 @@ + + + + + + The following is a proposal for the experimental system characteristics that will support assessment of Docker implementations. Each item is an extension of the standard item element defined in the Core System Characteristics Schema. Through extension, each item inherits a set of elements and attributes that are shared amongst all OVAL items. Each item is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different items and their relationship to the Core System Characteristics Schema is not outlined here. + The OVAL Schema is maintained by The MITRE Corporation and developed by the public OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.mitre.org. + + Experimental Schema for Docker System Characteristics + 5.11 + 5/28/2015 8:00:00 AM + Copyright (c) 2002-2013, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at http://oval.mitre.org/oval/about/termsofuse.html. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included. + + + + + + + + + + + + + + Mirror the Unix process58_item, but inside a docker container/image. Within a docker container/image, parse the Output of /usr/bin/ps. See ps(1). + + + + + + + + This is the id of the container or image from which we're gathering running process information, usually funneled from a docker process_object component. + + + + + This is the string used to start the process. This includes any parameters that are part of the command line. 
+ + + + + This is the cumulative CPU time, formatted in [DD-]HH:MM:SS where DD is the number of days when execution time is 24 hours or more. + + + + + This is the process ID of the process. + + + + + This is the process ID of the process's parent process. + + + + + This is the scheduling priority with which the process runs. This can be adjusted with the nice command or nice() system call. + + + + + This is the real user id which represents the user who has created the process. + + + + + A platform specific characteristic maintained by the scheduler: RT (real-time), TS (timeshare), FF (fifo), SYS (system), etc. + + + + + This is the time of day the process started formatted in HH:MM:SS if the same day the process started or formatted as MMM_DD (Ex.: Feb_5) if process started the previous day or further in the past. + + + + + This is the TTY on which the process was started, if applicable. + + + + + This is the effective user id which represents the actual privileges of the process. + + + + + A boolean that when true would indicates that ExecShield is enabled for the process. + + + + + The loginuid shows which account a user gained access to the system with. The /proc/XXXX/loginuid shows this value. + + + + + An effective capability associated with the process. See linux/include/linux/capability.h for more information. + + + + + An selinux domain label associated with the process. + + + + + The session ID of the process. + + + + + + + + + + + + + + + The info_item represents a "flattened" output from the "docker info" command, selecting only a relevant subset of information from the output. + Each item extends the standard ItemType as defined in the oval-system-characteristics-schema and one should refer to the ItemType description for more information. 
+ + + + + + + + + The total number of containers + + + + + The number of currently running containers + + + + + The number of currently paused containers + + + + + The number of currently stopped containers + + + + + The total number of images + + + + + Storage Driver + + + + + Storage Driver Root Directory + + + + + Storage Driver Backing Filesystem + + + + + Storage Driver Directory Count + + + + + Indicates if "dirperm1" is supported for the Storage Driver + + + + + Logging driver + + + + + Cgroup driver + + + + + Docker kernel version + + + + + Operating System + + + + + OSType + + + + + Architecture + + + + + Name + + + + + ID + + + + + Docker root directory + + + + + Debug mode (client) + + + + + Debug mode (server) + + + + + + + + + + + + + + + Each inspect_item formats the output of the "docker inspect" command. See the enumeration values for their respective "--format" strings. + Each item extends the standard ItemType as defined in the oval-system-characteristics-schema and one should refer to the ItemType description for more information. + + + + + + + + + The name of the container or image for which information is to be collected. + + + + + Enumeration defining how to format the output of the "docker inspect" command. See the enumeration values for their respective "--format" strings. + + + + + The formatted output value(s) based on the "docker inspect" format string + + + + + The formatted output value(s) based on the "docker inspect" format string. + For each field, the @name attribute represents the sub-key name, and the element value represents the sub-key's value + + + + - datatype attribute for the result entity of a docker keyedinfo_state must be 'record' + + + + + + + + + + + + + + + + + + + + + + The keyedinfo_item indicates a more relational representation of the output from the "docker info" command. Certain keyed elements contain values which are then + further broken down into sub-key/value pairs, here using record types. 
Each item extends the standard ItemType as defined in the oval-system-characteristics-schema + and one should refer to the ItemType description for more information. + + + + + + + + + The name of the key for the docker version element + + + + + The value associated with the key for the docker version element + + + + + The inspect_property_values element specifies how to test items in the result set of the specified docker inspect output. + + + + - datatype attribute for the result entity of a docker inspect_state must be 'record' + + + + + + + + + + + + + + + + + + + + + + The process_item element is collected using a process_object and defines the different information about the containers/instances being utilized in a Docker installation. + The process_object specifies the name of a container or instance for which to collect information. The container or instance name is to be utilized as the argument + to the "docker ps [container_or_instance] --format=[]" command. When pattern matching, implementations should utilize the "docker ps -a" switch to query all containers + and parse for matching items. Each item extends the standard ItemType as defined in the oval-system-characteristics-schema and one should refer to the ItemType description for more information. + + + + + + + + + Container ID + + + + + Image ID + + + + + Quoted Command + + + + + Time when the container was created + + + + + Elapsed time since the container was started + + + + + Exposed Ports + + + + + Container Status + + + + + Container disk size + + + + + Container names + + + + + All labels assigned to the container + + + + + Names of the volumes mounted in this container + + + + + + + + + + + + + + + The version_item will render all version information resulting from the "docker version" command. The output of the "docker version" command contains two sections + of information; Docker Client information, and Docker Server information. 
Each item extends the standard ItemType as defined in the oval-system-characteristics-schema + and one should refer to the ItemType description for more information. + + + + + + + + + Docker client version string + + + + + Docker client API version + + + + + Docker client GO version + + + + + Docker client Git commit hash + + + + + The date this Docker client was built + + + + + Docker client Operating System architecture + + + + + Docker server version + + + + + Docker server API version + + + + + Docker server GO version + + + + + Docker server Git commit hash + + + + + The date this Docker server was built + + + + + Docker server Operating System architecture + + + + + + + + + + + + + + The EntityItemDockerInfoKeyType complex type restricts a string value to a specific set of values: + + + + + + The total number of containers. This key should result in the collection of sub-values for counts of running, paused, and stopped containers + + + + + The total number of images. No sub-values collected + + + + + The docker server version. No sub-values collected + + + + + Docker storage driver. Sub-values include Root Dir, Backing Filesystem, Number of Dirs, Dirpirm1 Supported + + + + + Logging driver; No sub-values collected + + + + + Cgroup driver; No sub-values collected + + + + + Installed plugins; Will have sub-values + + + + + Docker kernel version; No sub-values + + + + + Underlying operating system; No sub-values + + + + + Operating System type; No sub-values + + + + + Underlying OS architecture; No sub-values + + + + + Installation name; no sub-values + + + + + Docker installation ID; No sub-values + + + + + Docker root directory; No sub-values + + + + + The empty string value is permitted here to allow for empty elements associated with variable references. 
+ + + + + + + + The EntityItemInspectPropertyType complex type restricts a string value to a specific set of values: + + + + + + Equates to execution of "docker inspect --format='{{.Config.User}}'" + + + + + Equates to execution of "docker inspect --format='{{.AppArmorProfile}}'" + + + + + Equates to execution of "docker inspect --format='{{.NetworkSettings.Ports}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.SecurityOpt}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.CapAdd}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.CapDrop}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.Privileged}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.NetworkMode}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.Memory}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.CpuShares}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.ReadonlyRootfs}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.RestartPolicy.Name}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.RestartPolicy.MaximumRetryCount}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.PidMode}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.IpcMode}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.Devices}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.Ulimits}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.UTSMode}}'" + + + + + Equates to execution of "docker inspect --format='{{.HostConfig.CgroupParent}}'" + + + + + Equates to execution of "docker inspect --format='{{.Mounts}}'" + + + + + Equates to execution of "docker inspect --format='{{range $mnt := .Mounts}} {{json $mnt.Propagation}} {{end}}'" 
+ + + + + The empty string value is permitted here to allow for empty elements associated with variable references. + + + + + +
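Review bot: In the first file's hunk, the storage-driver entry of EntityObjectDockerInfoKeyType and EntityStateDockerInfoKeyType documents the sub-value as "Dirpirm1 Supported"; the Docker option is dirperm1, and the system-characteristics file in this same change writes "dirperm1", so the copies should be made to agree. The Object and State variants of both the info-key enumeration and the inspect-property enumeration (EntityObjectInspectPropertyType / EntityStateInspectPropertyType) repeat the identical value list and documentation verbatim; factoring the value list into one shared simpleType that both complex types restrict would stop the object and state sides from drifting apart. Minor wording: the sub-value notes mix "No sub-values collected", "No sub-values" and "no sub-values", and "GO version" should read "Go version".

Review bot: In the x-docker-system-characteristics-schema.xsd hunk, the two datatype assertion messages appear swapped and name the wrong schema: the message under inspect_item reads "datatype attribute for the result entity of a docker keyedinfo_state must be 'record'" while the one under keyedinfo_item reads "... inspect_state must be 'record'", and both refer to a _state although this is the system-characteristics schema, where the constrained element is the item's result entity; each message should name its own item. Further points in the same hunk: process_item is described as being collected via "docker ps [container_or_instance] --format=[]", but docker ps accepts no positional container argument (selection is done with --filter), so the description should say how the object's container name is actually applied; two distinct items are described as collected from a process_object (the ps-mirroring item at the top of the file and the container-listing process_item), which should be disambiguated by name; "Dirpirm1 Supported" in EntityItemDockerInfoKeyType disagrees with "dirperm1" in info_item; the license header says "2002-2013" while the schema date is 5/28/2015; and "would indicates" and "An selinux domain label" need grammar fixes ("would indicate", "A SELinux domain label").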