#!/bin/bash
# Section header for the community-contributed checks (section id 99).
# Prints the heading and opens the section's JSON object; check_c_end closes it.
check_c() {
  logit ""
  local id="99" desc="Community contributed checks"
  # Deliberately not local: the original assigns it at global scope.
  checkHeader="$id - $desc"
  info "$checkHeader"
  startsectionjson "$id" "$desc"
}
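# C.1 - example of an Automated check: classify the CPU architecture reported
# by the daemon (PASS on x86_64, INFO on aarch64, WARN otherwise).
# id/desc/remediation/remediationImpact/check are not referenced directly
# here; the reporting helpers (starttestjson, pass/info/warn, logcheckresult)
# presumably read them from this function's scope via bash dynamic scoping,
# so they must stay as locals - verify against the helpers.
check_c_1() {
  local id="C.1"
  local desc="This is a example check for a Automated check"
  local remediation="This is an example remediation measure for a Automated check"
  local remediationImpact="This is an example remediation impact for a Automated check"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  # Query the daemon once instead of once per architecture branch. docker's
  # own stderr still reaches the terminal as before; a failed query yields an
  # empty string and falls through to WARN, as the original did.
  local arch
  arch=$(docker info --format='{{ .Architecture }}') || arch=""
  case "$arch" in
    *x86_64*)
      pass -s "$check"
      logcheckresult "PASS"
      ;;
    *aarch64*)
      info -c "$check"
      logcheckresult "INFO"
      ;;
    *)
      warn -s "$check"
      logcheckresult "WARN"
      ;;
  esac
}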
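# C.1.1 - example of a Manual check; same architecture classification as C.1
# but reported with the -c (manual) flag on pass/warn.
# id/desc/remediation/remediationImpact/check are not referenced directly
# here; the reporting helpers presumably read them from this function's scope
# via bash dynamic scoping, so they must stay as locals - verify against the
# helpers.
check_c_1_1() {
  local id="C.1.1"
  local desc="This is a example check for a Manual check"
  local remediation="This is an example remediation measure for a Manual check"
  local remediationImpact="This is an example remediation impact for a Manual check"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  # Query the daemon once instead of once per architecture branch. docker's
  # own stderr still reaches the terminal as before; a failed query yields an
  # empty string and falls through to WARN, as the original did.
  local arch
  arch=$(docker info --format='{{ .Architecture }}') || arch=""
  case "$arch" in
    *x86_64*)
      pass -c "$check"
      logcheckresult "PASS"
      ;;
    *aarch64*)
      info -c "$check"
      logcheckresult "INFO"
      ;;
    *)
      warn -c "$check"
      logcheckresult "WARN"
      ;;
  esac
}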
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
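# C.2 - legacy (v1) registry support must be disabled on daemons older than
# 17.12; on 17.12 and later the flag no longer exists, so the check is
# reported as INFO/Deprecated.
# docker_version is the server version compacted to a 4-digit integer
# (e.g. 17.12.1 -> 1712); it is assigned globally, as in the original.
# id/desc/remediation/remediationImpact/check are presumably read by the
# reporting helpers from this function's scope - verify against the helpers.
check_c_2() {
  docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \
    | awk '{print $NF; exit}' | tr -d '[:alpha:]-,.' | cut -c 1-4)
  local id="C.2"
  local desc="Ensure operations on legacy registry (v1) are Disabled"
  # The check passes only when disable-legacy-registry is true (config file)
  # or the flag is present on the command line, so the remediation has to
  # ask for =true; the original text said =false, which would re-enable v1.
  local remediation="Start docker daemon with --disable-legacy-registry=true flag. Starting with Docker 17.12, support for V1 registries has been removed, and the --disable-legacy-registry flag can no longer be used."
  local remediationImpact="Prevents the docker daemon from pull, push, and login operations against v1 registries."
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  # An empty docker_version (daemon unreachable / unparseable output) must not
  # hit the integer comparison; it falls through to the Deprecated branch.
  if [ -n "$docker_version" ] && [ "$docker_version" -lt 1712 ]; then
    if get_docker_configuration_file_args 'disable-legacy-registry' | grep 'true' >/dev/null 2>&1; then
      pass -s "$check"
      logcheckresult "PASS"
      return
    fi
    if get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1; then
      pass -s "$check"
      logcheckresult "PASS"
      return
    fi
    warn -s "$check"
    logcheckresult "WARN"
    return
  fi

  desc="$desc (Deprecated)"
  check="$id - $desc"
  info -c "$check"
  logcheckresult "INFO"
}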
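#######################################
# Shared body for checks C.5.3.1 - C.5.3.4: warn for every container in
# $containers whose HostConfig.CapAdd list contains the capability named
# by $1, and record the offending containers in the JSON result.
# Globals:   containers (read) - whitespace-separated list of container ids,
#            set elsewhere in the script
#            id/desc/remediation/remediationImpact/check - the caller's
#            locals, presumably read by the reporting helpers via bash
#            dynamic scoping; verify against the helpers
# Arguments: $1 - capability name without the CAP_ prefix, e.g. SYS_ADMIN
# Outputs:   pass/warn lines and the logcheckresult record
# NOTE(review): a container started with --privileged holds every capability
# without it appearing in CapAdd, so such containers are not flagged here.
#######################################
_check_c_5_3_cap_add() {
  local cap="$1"
  local fail=0
  local caps_containers=""
  local c container_caps caps
  # shellcheck disable=SC2086 -- $containers is deliberately word-split
  for c in $containers; do
    container_caps=$(docker inspect --format 'CapAdd={{ .HostConfig.CapAdd }}' "$c")
    # Upper-case the list so the name matches whatever case the container
    # was started with; put the CapAdd label back afterwards.
    caps=$(echo "$container_caps" | tr "[:lower:]" "[:upper:]" | sed 's/CAPADD/CapAdd/')
    if echo "$caps" | grep -q -- "$cap"; then
      # The first offending container turns the whole check into a WARN.
      if [ "$fail" -eq 0 ]; then
        warn -s "$check"
        fail=1
      fi
      warn " * CAP_$cap added to $c"
      caps_containers="$caps_containers $c"
    fi
  done
  # We went through all the containers and found none with the capability
  if [ "$fail" -eq 0 ]; then
    pass -s "$check"
    logcheckresult "PASS"
    return
  fi
  logcheckresult "WARN" "CAP_$cap capability added for containers" "$caps_containers"
}

# C.5.3.1 - CAP_DAC_READ_SEARCH must not be added to containers.
# TODO(review): remediation points at a PoC rather than a fix; consider
# stating the fix, e.g. not passing the capability via --cap-add.
check_c_5_3_1() {
  local id="C.5.3.1"
  local desc="Ensure that CAP_DAC_READ_SEARCH Linux kernel capability is disabled (Automated)"
  local remediation="Please refer to https://github.com/cdk-team/CDK/wiki/Exploit:-cap-dac-read-search for PoC."
  local remediationImpact=""
  local check="$id - $desc"
  starttestjson "$id" "$desc"
  _check_c_5_3_cap_add "DAC_READ_SEARCH"
}

# C.5.3.2 - CAP_SYS_MODULE must not be added to containers.
# TODO(review): remediation points at a PoC rather than a fix; consider
# stating the fix, e.g. not passing the capability via --cap-add.
check_c_5_3_2() {
  local id="C.5.3.2"
  local desc="Ensure that CAP_SYS_MODULE Linux kernel capability is disabled (Automated)"
  local remediation="Please refer to https://xcellerator.github.io/posts/docker_escape/ for PoC."
  local remediationImpact=""
  local check="$id - $desc"
  starttestjson "$id" "$desc"
  _check_c_5_3_cap_add "SYS_MODULE"
}

# C.5.3.3 - CAP_SYS_ADMIN must not be added to containers.
# TODO(review): remediation points at a PoC rather than a fix; consider
# stating the fix, e.g. not passing the capability via --cap-add.
check_c_5_3_3() {
  local id="C.5.3.3"
  local desc="Ensure that CAP_SYS_ADMIN Linux kernel capability is disabled (Automated)"
  local remediation="Please refer to https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/ for PoC."
  local remediationImpact=""
  local check="$id - $desc"
  starttestjson "$id" "$desc"
  _check_c_5_3_cap_add "SYS_ADMIN"
}

# C.5.3.4 - CAP_SYS_PTRACE must not be added to containers.
# TODO(review): remediation points at a PoC rather than a fix; consider
# stating the fix, e.g. not passing the capability via --cap-add.
check_c_5_3_4() {
  local id="C.5.3.4"
  local desc="Ensure that CAP_SYS_PTRACE Linux kernel capability is disabled (Automated)"
  local remediation="Please refer to https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities#cap_sys_ptrace"
  local remediationImpact=""
  local check="$id - $desc"
  starttestjson "$id" "$desc"
  _check_c_5_3_cap_add "SYS_PTRACE"
}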
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
# Closes the JSON section opened by check_c; runs after the last C.* check.
check_c_end() { endsectionjson; }