Firmware Update Manager version
[root@localhost-live liveuser]# fwupdmgr --version
client version: 1.5.0
compile-time dependency versions
gusb: 0.3.4
efivar: 37
daemon version: 1.5.0Firmware Update Manager identified devices
[test@automation-test ~]$ sudo fwupdmgr get-devices
UNO-1372G-E3AE
│
├─QUECTEL Mobile Broadband Module:
│ Device ID: 8009709f7b15ea18e2c69680834a18c79a7ec260
│ Summary: Mobile broadband device
│ Current version: EC25AFFAR07A08M4G
│ Vendor: QUALCOMM INCORPORATED
│ GUIDs: 397b2c13-36fb-582e-b26c-d4640690223d ← USB\VID_2C7C&PID_0125&REV_0318&CARRIER_DEFAULT
│ 1a2996cb-f86e-5583-a464-e1b96e1c6ae9 ← USB\VID_2C7C&PID_0125&REV_0318
│ 587bf468-6859-5522-93a7-6cce552a0aa3 ← USB\VID_2C7C&PID_0125
│ 22ae45db-f68e-5c55-9c02-4557dca238ec ← USB\VID_2C7C
│ Device Flags: • Updatable
│
├─SQF-S25M8-64G-SAE:
│ Device ID: df24e4ff1af516b7c30ec99405c9315e8cdfdab7
│ Summary: ATA Drive
│ Current version: SAFM02A3
│ Serial Number: FEB40799060801078311
│ GUIDs: e29ae95c-7d6b-5c14-bcd1-c8fc3680ab03 ← IDE\SQF-S25M8-64G-SAE_______________________SAFM02A3
│ 04acff22-1c04-5d54-842c-db9635c1eaef ← IDE\0SQF-S25M8-64G-SAE_______________________
│ 6ee7cc9a-b017-562f-b239-8ed4c7b62e85 ← SQF-S25M8-64G-SAE
│ Device Flags: • Internal device
│ • Updatable
│ • Requires AC power
│ • Needs a reboot after installation
│ • Device is usable for the duration of the update
│
├─System Firmware:
Device ID: 1d70a31dd3ff0941761550a38436fc990c6c3ff0
Current version: 0.0.15
Minimum Version: 0.0.15
Vendor: Advantech (DMI:American Megatrends Inc.)
GUID: 7039436b-6acf-433b-86a1-368ec2ef7e1f
Device Flags: • Internal device
• Updatable
• Requires AC power
• Needs a reboot after installation
• Cryptographic hash verification is available
• Device is usable for the duration of the updateFirmware Update Manager security report
[root@localhost-live liveuser]# fwupdmgr security --force
Host Security ID: HSI:0 (v1.5.0)
HSI-1
✔ SPI write: Disabled
✔ TPM v2.0: Found
✔ UEFI dbx: Found
✘ SPI BIOS region: Unlocked
✘ SPI lock: Disabled
HSI-2
✔ TPM PCR0 reconstruction: Valid
✘ IOMMU: Not found
HSI-3
✘ Intel CET: Not supported
✘ Pre-boot DMA protection: Invalid
✘ Suspend-to-idle: Disabled
✘ Suspend-to-ram: Enabled
HSI-4
✘ Encrypted RAM: Not supported
✘ Intel SMAP: Not supported
Runtime Suffix -U
✘ Firmware updates: Not supported
Runtime Suffix -A
✘ Firmware attestation: Not supported
Runtime Suffix -!
✔ Linux kernel: Untainted
✔ Linux kernel lockdown: Enabled
✔ Linux swap: Disabled
✔ UEFI secure boot: Enabled
✔ fwupd plugins: Untainted
This system has a low HSI security level.
» https://github.com/fwupd/fwupd/wiki/Low-host-security-level
Host Security ID attributes uploaded successfully, thanks!DMI Decode Output
[root@automation-test test]# dmidecode -t bios
# dmidecode 3.2
Getting SMBIOS data from sysfs.
SMBIOS 2.8 present.
Handle 0x0000, DMI type 0, 24 bytes
BIOS Information
Vendor: American Megatrends Inc.
Version: 5.6.5
Release Date: 09/17/2019
Address: 0xF0000
Runtime Size: 64 kB
ROM Size: 1024 kB
Characteristics:
PCI is supported
BIOS is upgradeable
BIOS shadowing is allowed
Boot from CD is supported
Selectable boot is supported
BIOS ROM is socketed
EDD is supported
5.25"/1.2 MB floppy services are supported (int 13h)
3.5"/720 kB floppy services are supported (int 13h)
3.5"/2.88 MB floppy services are supported (int 13h)
Print screen service is supported (int 5h)
8042 keyboard services are supported (int 9h)
Serial services are supported (int 14h)
Printer services are supported (int 17h)
ACPI is supported
USB legacy is supported
BIOS boot specification is supported
Targeted content distribution is supported
UEFI is supported
BIOS Revision: 5.6
Handle 0x0035, DMI type 13, 22 bytes
BIOS Language Information
Language Description Format: Long
Installable Languages: 1
en|US|iso8859-1
Currently Installed Language: en|US|iso8859-1
[root@automation-test test]# dmidecode -t system
# dmidecode 3.2
Getting SMBIOS data from sysfs.
SMBIOS 2.8 present.
Handle 0x0001, DMI type 1, 27 bytes
System Information
Manufacturer: Advantech
Product Name: UNO-1372G-E3AE
Version: To be filled by O.E.M.
Serial Number: TPAC185862
UUID: ce9e33b0-5261-11ea-a398-52849db60600
Wake-up Type: Power Switch
SKU Number: To be filled by O.E.M.
Family: To be filled by O.E.M.
Handle 0x0027, DMI type 12, 5 bytes
System Configuration Options
Option 1: To Be Filled By O.E.M.
Handle 0x002E, DMI type 32, 20 bytes
System Boot Information
Status: No errors detected
[root@automation-test test]# dmidecode -t baseboard
# dmidecode 3.2
Getting SMBIOS data from sysfs.
SMBIOS 2.8 present.
Handle 0x0002, DMI type 2, 15 bytes
Base Board Information
Manufacturer: Advantech
Product Name: UNO-1372G-E3AE
Version: To be filled by O.E.M.
Serial Number: To be filled by O.E.M.
Asset Tag: To be filled by O.E.M.
Features:
Board is a hosting board
Board is replaceable
Location In Chassis: To be filled by O.E.M.
Chassis Handle: 0x0003
Type: Motherboard
Contained Object Handles: 0
Handle 0x0025, DMI type 10, 6 bytes
On Board Device Information
Type: Video
Status: Enabled
Description: To Be Filled By O.E.M.
Handle 0x002F, DMI type 41, 11 bytes
Onboard Device
Reference Designation: Onboard IGD
Type: Video
Status: Enabled
Type Instance: 1
Bus Address: 0000:00:02.0
Handle 0x0030, DMI type 41, 11 bytes
Onboard Device
Reference Designation: Onboard LAN
Type: Ethernet
Status: Enabled
Type Instance: 1
Bus Address: 0000:00:19.0
Handle 0x0031, DMI type 41, 11 bytes
Onboard Device
Reference Designation: Onboard 1394
Type: Other
Status: Enabled
Type Instance: 1
Bus Address: 0000:03:1c.2
[root@automation-test test]# dmidecode -t chassis
# dmidecode 3.2
Getting SMBIOS data from sysfs.
SMBIOS 2.8 present.
Handle 0x0003, DMI type 3, 25 bytes
Chassis Information
Manufacturer: To Be Filled By O.E.M.
Type: Desktop
Lock: Not Present
Version: To Be Filled By O.E.M.
Serial Number: To Be Filled By O.E.M.
Asset Tag: To Be Filled By O.E.M.
Boot-up State: Safe
Power Supply State: Safe
Thermal State: Safe
Security Status: None
OEM Information: 0x00000000
Height: Unspecified
Number Of Power Cords: 1
Contained Elements: 1
<OUT OF SPEC> (0)
SKU Number: To be filled by O.E.M.
[root@automation-test test]# dmidecode -t processor
# dmidecode 3.2
Getting SMBIOS data from sysfs.
SMBIOS 2.8 present.
Handle 0x0034, DMI type 4, 42 bytes
Processor Information
Socket Designation: SOCKET 0
Type: Central Processor
Family: Atom
Manufacturer: Intel
ID: 79 06 03 00 FF FB EB BF
Signature: Type 0, Family 6, Model 55, Stepping 9
Flags:
FPU (Floating-point unit on-chip)
VME (Virtual mode extension)
DE (Debugging extension)
PSE (Page size extension)
TSC (Time stamp counter)
MSR (Model specific registers)
PAE (Physical address extension)
MCE (Machine check exception)
CX8 (CMPXCHG8 instruction supported)
APIC (On-chip APIC hardware supported)
SEP (Fast system call)
MTRR (Memory type range registers)
PGE (Page global enable)
MCA (Machine check architecture)
CMOV (Conditional move instruction supported)
PAT (Page attribute table)
PSE-36 (36-bit page size extension)
CLFSH (CLFLUSH instruction supported)
DS (Debug store)
ACPI (ACPI supported)
MMX (MMX technology supported)
FXSR (FXSAVE and FXSTOR instructions supported)
SSE (Streaming SIMD extensions)
SSE2 (Streaming SIMD extensions 2)
SS (Self-snoop)
HTT (Multi-threading)
TM (Thermal monitor supported)
PBE (Pending break enabled)
Version: Intel(R) Atom(TM) CPU E3845 @ 1.91GHz
Voltage: 1.2 V
External Clock: 83 MHz
Max Speed: 2400 MHz
Current Speed: 1910 MHz
Status: Populated, Enabled
Upgrade: Socket BGA1155
L1 Cache Handle: 0x0032
L2 Cache Handle: 0x0033
L3 Cache Handle: Not Provided
Serial Number: Not Specified
Asset Tag: Fill By OEM
Part Number: Fill By OEM
Core Count: 4
Core Enabled: 4
Thread Count: 4
Characteristics:
64-bit capableManagement Engine Interface Version
[test@automation-test ~]$ sudo cat /sys/class/mei/mei0/fw_ver
0:0.0.0.0
0:0.0.0.0
0:0.0.0.0TPM is identified in dmesg
[test@automation-test ~]$ dmesg | grep TPM
[ 0.000000] efi: ESRT=0xb9b3b318 ACPI=0xb936d000 ACPI 2.0=0xb936d000 SMBIOS=0xb9a7ee18 TPMEventLog=0xb618f018
[ 0.008862] ACPI: TPM2 0x00000000B9378EA8 000034 (v03 Tpm2Tabl 00000001 AMI 00000000)
[ 2.108179] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1A, rev-id 16)TPM family, manufacturer and model.
[test@automation-test ~]$ tpm2_getcap properties-fixed
TPM2_PT_FAMILY_INDICATOR:
raw: 0x322E3000
value: "2.0"
TPM2_PT_LEVEL:
raw: 0
TPM2_PT_REVISION:
value: 1.16
TPM2_PT_DAY_OF_YEAR:
raw: 0xF
TPM2_PT_YEAR:
raw: 0x7E0
TPM2_PT_MANUFACTURER:
raw: 0x49465800
value: "IFX"
TPM2_PT_VENDOR_STRING_1:
raw: 0x534C4239
value: "SLB9"
TPM2_PT_VENDOR_STRING_2:
raw: 0x36363500
value: "665"TPM PCRs availability, state, and event log
[test@automation-test ~]$ tpm2_getcap pcrs
selected-pcrs:
- sha1: [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
- sha256: [ ]
[test@automation-test ~]$ tpm2_pcrread
sha1:
0 : 0x3DCAEA25DC86554D94B94AA5BC8F735A49212AF8
1 : 0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236
2 : 0x3099A8A5BF2A836E69C0AD46043EB25AE05CB0AE
3 : 0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236
4 : 0x8E86B9F506FB97C75EB38FB0DE1D66E7FEB6EEBC
5 : 0xD83957907BCBAA421D3358C7821F80C8AA77D267
6 : 0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236
7 : 0xEB27A3067212DC893FE23EDBE9F21E9C728FB85A
8 : 0x39DB471F23FD1C8CA7052AAA43DCA34ED21441B1
9 : 0x84A598B4A0C4D2374FD83B19DCC38C49C39CF887
10: 0x65C6707AE9C0B71A383C874530BCE469C32D10B9
11: 0x0000000000000000000000000000000000000000
12: 0x0000000000000000000000000000000000000000
13: 0x0000000000000000000000000000000000000000
14: 0x0000000000000000000000000000000000000000
15: 0x0000000000000000000000000000000000000000
16: 0x0000000000000000000000000000000000000000
17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
23: 0x0000000000000000000000000000000000000000
sha256:
[test@automation-test ~]$ sudo tsseventextend -sim -if /sys/kernel/security/tpm0/binary_bios_measurements
eventextend: failed, rc 0000009a
TPM_RC_INSUFFICIENT - the TPM was unable to unmarshal a value because there were not enough octets in the input buffer Handle number unspecifiedTPM persistent handles, authorization heriarchy, and ownership
[test@automation-test ~]$ tpm2_getcap properties-variable
TPM2_PT_PERSISTENT:
ownerAuthSet: 0
endorsementAuthSet: 0
lockoutAuthSet: 1
reserved1: 0
disableClear: 1
inLockout: 0
tpmGeneratedEPS: 0
reserved2: 0
TPM2_PT_STARTUP_CLEAR:
phEnable: 1
shEnable: 1
ehEnable: 1
phEnableNV: 1
reserved1: 0
orderly: 1
TPM2_PT_HR_NV_INDEX: 0x4
TPM2_PT_HR_LOADED: 0x0
TPM2_PT_HR_LOADED_AVAIL: 0x3
TPM2_PT_HR_ACTIVE: 0x0
TPM2_PT_HR_ACTIVE_AVAIL: 0x40
TPM2_PT_HR_TRANSIENT_AVAIL: 0x3
TPM2_PT_HR_PERSISTENT: 0x3
TPM2_PT_HR_PERSISTENT_AVAIL: 0xE
TPM2_PT_NV_COUNTERS: 0x2
TPM2_PT_NV_COUNTERS_AVAIL: 0xC
TPM2_PT_ALGORITHM_SET: 0x0
TPM2_PT_LOADED_CURVES: 0x2
TPM2_PT_LOCKOUT_COUNTER: 0x0
TPM2_PT_MAX_AUTH_FAIL: 0x20
TPM2_PT_LOCKOUT_INTERVAL: 0x1C20
TPM2_PT_LOCKOUT_RECOVERY: 0x15180
TPM2_PT_AUDIT_COUNTER_0: 0x0
TPM2_PT_AUDIT_COUNTER_1: 0x0
[test@automation-test ~]$ tpm2_getcap handles-persistent
- 0x81000001
- 0x81000002
- 0x81010001
[test@automation-test ~]$ tpm2_clear
WARNING:esys:src/tss2-esys/api/Esys_Clear.c:282:Esys_Clear_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Clear.c:97:Esys_Clear() Esys Finish ErrorCode (0x00000921)
ERROR: Esys_Clear(0x921) - tpm:warn(2.0): authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode
ERROR: Unable to run tpm2_clearSecure Boot
[test@automation-test ~]$ dmesg | grep Secure
[ 0.000000] secureboot: Secure boot enabled
[test@automation-test ~]$ mokutil --sb-state
SecureBoot enabled
[test@automation-test ~]$ mokutil --pk
[key 1]
SHA1 Fingerprint: a7:73:11:3b:af:af:51:29:aa:83:fd:09:12:e9:5d:a4:fa:55:5f:91
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
(Negative)1b:ed:93:e2:59:4e:2b:60:be:6b:1f:01:c9:af:a6:37
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=DO NOT TRUST - AMI Test PK
Validity
Not Before: Apr 30 22:50:15 2013 GMT
Not After : Apr 30 22:50:14 2017 GMT
Subject: CN=DO NOT TRUST - AMI Test PK
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:9c:18:19:79:cd:2e:05:c9:f5:29:24:5b:f8:8e:
7f:40:9a:91:70:be:14:d9:fe:a2:d8:fd:33:60:e0:
6f:57:78:f4:0a:44:2a:d8:f5:cb:23:04:67:7f:25:
0f:cc:27:77:6b:2f:8e:e3:1c:f8:ad:9a:33:b8:0c:
26:a4:d4:41:a2:38:56:dc:eb:74:33:e0:61:09:bf:
79:a9:bb:7c:72:f8:0d:22:fa:4e:b8:2e:ed:a7:da:
e3:2f:13:9b:14:96:e8:4a:8a:80:cd:85:63:88:4f:
d8:c8:cc:1d:9a:32:4f:db:a9:56:30:fe:79:89:e7:
fd:66:b0:3f:89:8f:4d:d7:23:8c:af:3b:83:23:8c:
b3:0b:2c:fc:a7:cb:9b:c2:2f:aa:12:1e:be:83:8c:
b3:2f:77:b9:0d:37:c3:59:12:2c:9f:4d:0d:37:47:
ad:a9:92:7a:14:e5:62:d1:22:7d:af:03:25:6d:b0:
64:e6:cf:f6:5e:88:f6:ae:f5:07:84:82:9f:4c:0d:
57:2f:55:f7:79:30:54:61:69:ef:8c:93:8f:ee:e4:
74:e6:29:c2:2c:1a:ef:19:78:42:d7:f0:dd:13:35:
3a:f1:65:bb:fc:11:a4:7e:74:3f:12:ff:dc:bf:bd:
e8:1f:1a:b4:a3:90:74:cf:20:92:eb:39:63:b5:b0:
a3:e9
Exponent: 65537 (0x10001)
X509v3 extensions:
2.5.29.1:
0M..d.i........"W0.n.'0%1#0!..U....DO NOT TRUST - AMI Test PK....l.....A...6PY.
Signature Algorithm: sha256WithRSAEncryption
6d:89:f6:53:7f:2a:b3:79:94:c9:a3:af:da:89:4b:81:1e:b5:
e0:b6:f4:47:de:24:77:86:6c:46:bb:3d:ce:fd:f1:e9:b9:fe:
2b:f4:55:c6:9f:13:85:cc:81:90:0b:b6:aa:86:8e:9d:07:ae:
6a:67:31:61:c5:af:3d:1c:89:63:90:53:4a:ae:b1:35:d0:8a:
02:dc:79:d0:e9:65:fc:1b:bf:e6:4b:d0:c5:2a:af:ef:ce:bb:
b4:45:62:a1:93:9d:50:70:4e:4b:ba:4b:8f:8d:94:7a:cf:1c:
8e:3f:b2:27:77:f5:22:9b:bb:ac:45:1c:e0:73:27:a4:c8:64:
d2:ed:f8:37:64:3a:b7:68:86:4a:40:45:9e:d3:86:ce:b5:d5:
f1:65:67:a7:8b:f4:39:c6:da:94:5a:ab:8b:b5:11:87:77:d7:
b7:93:66:ce:b9:d5:17:a5:d7:67:09:a6:62:29:9f:1d:31:ae:
bf:e8:39:cc:88:99:1b:d6:44:d0:27:05:93:74:63:27:2e:55:
e2:52:a1:7f:ad:7b:f4:62:70:12:e1:e2:3c:5a:46:5b:6d:1a:
70:8c:a7:44:77:a5:8b:73:d3:c1:6e:93:27:86:35:0b:ca:00:
49:0d:b6:41:6c:a6:07:9b:1c:8d:29:72:75:95:ee:55:be:d7:
93:ea:94:05Kernel Security
[root@automation-test test]# cat /sys/kernel/security/lockdown
none integrity [confidentiality]
[root@automation-test test]# ls /sys/kernel/security/ima/
ascii_runtime_measurements binary_runtime_measurements policy runtime_measurements_count violations
[root@automation-test test]# cat /sys/kernel/security/ima/runtime_measurements_count
744
[root@automation-test test]# cat /sys/kernel/security/ima/violations
0
[root@automation-test test]# head /sys/kernel/security/ima/ascii_runtime_measurements
10 d02b646654b047dbaa9188536462358067e0b9fe ima-ng sha1:f75506045a4187a0ea19d9980b1618de4904b180 boot_aggregate
10 ee115d5c92c89ef9a8d9cfb46ed9b27dcabe7d98 ima-ng sha256:6996a7623cb3a6786c74721897e71ccc5f2551a799b75bbf202109c6d0150834 /usr/lib/systemd/systemd
10 cf50e4418fd5b905306b28610f2c59403ef33a0f ima-ng sha256:6818d110df43695ec82cd1ba795e18db4bab1d433c118dc076ee6ca265c8e4ff /usr/lib64/ld-2.30.so
10 f040c33837b3dc89eae10b2e1a49d79af7d30594 ima-ng sha256:6b08859f780da18eae0c0f28587669e88370e636245a0ecb7bdf060cc4bdcb32 /etc/ld.so.cache
10 252bc0d89c9259bf577fe1290b5ea5f52f919159 ima-ng sha256:d6bf66528ed45c5b1a84eeb1b2a87d094d4bd13bfc246a4565b0bc2230ea0e0a /usr/lib64/libc-2.30.so
10 f7a9186d27d1e792672fa51a97f7eca008244da3 ima-ng sha256:b2ff18b6085946daf73797547cf678b5336d892b7a7e25b91051eea61fdac683 /usr/lib/systemd/libsystemd-shared-243.so
10 0360dc3371812be08363579d487091c294184f91 ima-ng sha256:7690817a2a4099ffaca2b4a100642d8516f8c20f10b9983effc6fecf47ef8b5c /usr/lib64/librt-2.30.so
10 4615789eff83518f2a598bd4255543b7ebc06bdd ima-ng sha256:fd83ab1223cfb25a29fa37cced8b53a8fc8d86ca0628c07433b459d549e47f6e /usr/lib64/libseccomp.so.2.4.2
10 61ef7132897f59c070263b6e21a47876480b35a0 ima-ng sha256:097304e2076d921a6fc031d40f0498afd51b06fa23526af51c9c3a96114b21fa /usr/lib64/libselinux.so.1
10 66f6bd5ea4c30f2c183a7ef21f18b1e4bf62576a ima-ng sha256:e62b7b608f3a0f897b4cd3736312d49f2c3881cac982f351fae82f13123e7952 /usr/lib64/libmount.so.1.1.0
[root@automation-test test]# getenforce
Enforcing
[root@automation-test test]# systemctl status usbguard
● usbguard.service - USBGuard daemon
Loaded: loaded (/usr/lib/systemd/system/usbguard.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2020-06-23 11:16:53 PDT; 7min ago
Docs: man:usbguard-daemon(8)
Main PID: 789 (usbguard-daemon)
Tasks: 3 (limit: 9356)
Memory: 6.7M
CGroup: /system.slice/usbguard.service
└─789 /usr/sbin/usbguard-daemon -k -c /etc/usbguard/usbguard-daemon.conf
[root@automation-test test]# tuned-adm active
Current active profile: latency-performance[root@automation-test docker-bench-security]# bash docker-bench-security.sh
# ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.5
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Benchmark v1.2.0.
# ------------------------------------------------------------------------------
Initializing Tue 23 Jun 2020 11:27:49 AM PDT
[INFO] 1 - Host Configuration
[INFO] 1.1 - General Configuration
[NOTE] 1.1.1 - Ensure the container host has been Hardened (Not Scored)
[INFO] 1.1.2 - Ensure that the version of Docker is up to date (Not Scored)
[INFO] * Using 19.03.11, verify is it up to date as deemed necessary
[INFO] * Your operating system vendor may provide support and security maintenance for Docker
[INFO] 1.2 - Linux Hosts Specific Configuration
[WARN] 1.2.1 - Ensure a separate partition for containers has been created (Scored)
[INFO] 1.2.2 - Ensure only trusted users are allowed to control Docker daemon (Scored)
[INFO] * docker:x:978:test
[PASS] 1.2.3 - Ensure auditing is configured for the Docker daemon (Scored)
[PASS] 1.2.4 - Ensure auditing is configured for Docker files and directories - /var/lib/docker (Scored)
[PASS] 1.2.5 - Ensure auditing is configured for Docker files and directories - /etc/docker (Scored)
[PASS] 1.2.6 - Ensure auditing is configured for Docker files and directories - docker.service (Scored)
[PASS] 1.2.7 - Ensure auditing is configured for Docker files and directories - docker.socket (Scored)
[INFO] 1.2.8 - Ensure auditing is configured for Docker files and directories - /etc/default/docker (Scored)
[INFO] * File not found
[INFO] 1.2.9 - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Scored)
[INFO] * File not found
[PASS] 1.2.10 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json (Scored)
[PASS] 1.2.11 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Scored)
[INFO] 1.2.12 - Ensure auditing is configured for Docker files and directories - /usr/sbin/runc (Scored)
[INFO] * File not found
[INFO] 2 - Docker daemon configuration
[PASS] 2.1 - Ensure network traffic is restricted between containers on the default bridge (Scored)
[PASS] 2.2 - Ensure the logging level is set to 'info' (Scored)
[PASS] 2.3 - Ensure Docker is allowed to make changes to iptables (Scored)
[PASS] 2.4 - Ensure insecure registries are not used (Scored)
[PASS] 2.5 - Ensure aufs storage driver is not used (Scored)
[INFO] 2.6 - Ensure TLS authentication for Docker daemon is configured (Scored)
[INFO] * Docker daemon not listening on TCP
[PASS] 2.7 - Ensure the default ulimit is configured appropriately (Not Scored)
default
[PASS] 2.8 - Enable user namespace support (Scored)
[PASS] 2.9 - Ensure the default cgroup usage has been confirmed (Scored)
[PASS] 2.10 - Ensure base device size is not changed until needed (Scored)
0.5]
[PASS] 2.11 - Ensure that authorization for Docker client commands is enabled (Scored)
[PASS] 2.12 - Ensure centralized and remote logging is configured (Scored)
[PASS] 2.13 - Ensure live restore is enabled (Scored)
[PASS] 2.14 - Ensure Userland Proxy is Disabled (Scored)
[PASS] 2.15 - Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Not Scored)
[PASS] 2.16 - Ensure that experimental features are not implemented in production (Scored)
[PASS] 2.17 - Ensure containers are restricted from acquiring new privileges (Scored)
[INFO] 3 - Docker daemon configuration files
[PASS] 3.1 - Ensure that the docker.service file ownership is set to root:root (Scored)
[PASS] 3.2 - Ensure that docker.service file permissions are appropriately set (Scored)
[PASS] 3.3 - Ensure that docker.socket file ownership is set to root:root (Scored)
[PASS] 3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive (Scored)
[PASS] 3.5 - Ensure that the /etc/docker directory ownership is set to root:root (Scored)
[PASS] 3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictively (Scored)
[INFO] 3.7 - Ensure that registry certificate file ownership is set to root:root (Scored)
[INFO] * Directory not found
[INFO] 3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictively (Scored)
[INFO] * Directory not found
[INFO] 3.9 - Ensure that TLS CA certificate file ownership is set to root:root (Scored)
[INFO] * No TLS CA certificate found
[INFO] 3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictively (Scored)
[INFO] * No TLS CA certificate found
[INFO] 3.11 - Ensure that Docker server certificate file ownership is set to root:root (Scored)
[INFO] * No TLS Server certificate found
[INFO] 3.12 - Ensure that the Docker server certificate file permissions are set to 444 or more restrictively (Scored)
[INFO] * No TLS Server certificate found
[INFO] 3.13 - Ensure that the Docker server certificate key file ownership is set to root:root (Scored)
[INFO] * No TLS Key found
[INFO] 3.14 - Ensure that the Docker server certificate key file permissions are set to 400 (Scored)
[INFO] * No TLS Key found
[PASS] 3.15 - Ensure that the Docker socket file ownership is set to root:docker (Scored)
[PASS] 3.16 - Ensure that the Docker socket file permissions are set to 660 or more restrictively (Scored)
[PASS] 3.17 - Ensure that the daemon.json file ownership is set to root:root (Scored)
[PASS] 3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive (Scored)
[INFO] 3.19 - Ensure that the /etc/default/docker file ownership is set to root:root (Scored)
[INFO] * File not found
[INFO] 3.20 - Ensure that the /etc/sysconfig/docker file ownership is set to root:root (Scored)
[INFO] * File not found
[INFO] 3.21 - Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (Scored)
[INFO] * File not found
[INFO] 3.22 - Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively (Scored)
[INFO] * File not found
[INFO] 4 - Container Images and Build File
[INFO] 4.1 - Ensure that a user for the container has been created (Scored)
[INFO] * No containers running
[NOTE] 4.2 - Ensure that containers use only trusted base images (Not Scored)
[NOTE] 4.3 - Ensure that unnecessary packages are not installed in the container (Not Scored)
[NOTE] 4.4 - Ensure images are scanned and rebuilt to include security patches (Not Scored)
[PASS] 4.5 - Ensure Content trust for Docker is Enabled (Scored)
[PASS] 4.6 - Ensure that HEALTHCHECK instructions have been added to container images (Scored)
[PASS] 4.7 - Ensure update instructions are not use alone in the Dockerfile (Not Scored)
[NOTE] 4.8 - Ensure setuid and setgid permissions are removed (Not Scored)
[PASS] 4.9 - Ensure that COPY is used instead of ADD in Dockerfiles (Not Scored)
[NOTE] 4.10 - Ensure secrets are not stored in Dockerfiles (Not Scored)
[NOTE] 4.11 - Ensure only verified packages are are installed (Not Scored)
[INFO] 5 - Container Runtime
[INFO] * No containers running, skipping Section 5
[INFO] 6 - Docker Security Operations
[INFO] 6.1 - Ensure that image sprawl is avoided (Not Scored)
[INFO] * There are currently: 0 images
[INFO] 6.2 - Ensure that container sprawl is avoided (Not Scored)
[INFO] * There are currently a total of 0 containers, with 0 of them currently running
[INFO] 7 - Docker Swarm Configuration
[PASS] 7.1 - Ensure swarm mode is not Enabled, if not needed (Scored)
[PASS] 7.2 - Ensure that the minimum number of manager nodes have been created in a swarm (Scored) (Swarm mode not enabled)
[PASS] 7.3 - Ensure that swarm services are bound to a specific host interface (Scored) (Swarm mode not enabled)
[PASS] 7.4 - Ensure that all Docker swarm overlay networks are encrypted (Scored)
[PASS] 7.5 - Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Not Scored) (Swarm mode not enabled)
[PASS] 7.6 - Ensure that swarm manager is run in auto-lock mode (Scored) (Swarm mode not enabled)
[PASS] 7.7 - Ensure that the swarm manager auto-lock key is rotated periodically (Not Scored) (Swarm mode not enabled)
[PASS] 7.8 - Ensure that node certificates are rotated as appropriate (Not Scored) (Swarm mode not enabled)
[PASS] 7.9 - Ensure that CA certificates are rotated as appropriate (Not Scored) (Swarm mode not enabled)
[PASS] 7.10 - Ensure that management plane traffic is separated from data plane traffic (Not Scored) (Swarm mode not enabled)
[INFO] 8 - Docker Enterprise Configuration
[INFO] * Community Engine license, skipping section 8
[INFO] Checks: 76
[INFO] Score: 44Network Connection: ethernet, wifi, gsm
enp8s0: connected to enp8s0
"Intel I210"
ethernet (igb), C4:00:AD:4A:D0:00, hw, mtu 1500
ip4 default, ip6 default
inet4 192.168.0.12/24
route4 0.0.0.0/0
route4 192.168.0.0/24
inet6 2601:1c0:6c01:d430:320:406c:6046:957c/64
inet6 2601:1c0:6c01:d430::c/128
inet6 fe80::16db:370f:ff84:fd20/64
route6 2601:1c0:6c01:d430::/60
route6 2601:1c0:6c01:d430::/64
route6 ::/0
route6 2601:1c0:6c01:d430::c/128
route6 fe80::/64
route6 ff00::/8
wlp3s0: connected to Wifi-SSID
"Realtek RTL8821AE"
wifi (rtl8821ae), C0:E4:34:E7:BF:A9, hw, mtu 1500
inet4 192.168.0.14/24
route4 0.0.0.0/0
route4 192.168.0.0/24
inet6 2601:1c0:6c01:d430:79d:d089:48fb:feae/64
inet6 2601:1c0:6c01:d430::e/128
inet6 fe80::9b29:2e93:681b:243c/64
route6 2601:1c0:6c01:d430::/60
route6 2601:1c0:6c01:d430::/64
route6 ::/0
route6 ff00::/8
route6 fe80::/64
route6 2601:1c0:6c01:d430::e/128
cdc-wdm0: connected to T-Mobile
"cdc-wdm0"
gsm (option1, qmi_wwan), hw, iface wwp0s20u4u4i4, mtu 1500
inet4 29.136.133.211/29
route4 29.136.133.208/29
route4 0.0.0.0/0Serial Ports
[test@automation-test ~]$ dmesg | egrep --color 'serial|ttyS'
[ 2.128630] 00:03: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
[ 2.156140] 00:04: ttyS1 at I/O 0x2f8 (irq = 3, base_baud = 115200) is a 16550A