#!/bin/sh
# Colour escape sequences used by the logging helpers below. They are kept as
# the literal text "\033[...m" and only become real escape codes when a helper
# prints them through printf's %b. Running with nocolor=nocolor disables
# colouring, which keeps log files free of escape sequences.
case "$nocolor" in
  nocolor)
    bldred=''
    bldgrn=''
    bldblu=''
    bldylw=''
    txtrst=''
    ;;
  *)
    bldred='\033[1;31m' # bold red
    bldgrn='\033[1;32m' # bold green
    bldblu='\033[1;34m' # bold blue
    bldylw='\033[1;33m' # bold yellow
    txtrst='\033[0m'    # reset all attributes
    ;;
esac
logit () {
  # Print a message to stdout and append it to "$logger". The %b format lets
  # the message carry printf escapes, such as the colour sequences above.
  # Globals read: logger.
  printf '%b\n' "$1" | tee -a "${logger}"
}
info () {
  # Log an informational message: a blue "[INFO]" tag, a space, then $1.
  # Output goes to stdout and is appended to "$logger".
  # Globals read: bldblu, txtrst, logger.
  printf '%b %b\n' "${bldblu}[INFO]${txtrst}" "$1" | tee -a "${logger}"
}
pass () {
  # Log a passed check: a green "[PASS]" tag, a space, then $1.
  # Output goes to stdout and is appended to "$logger".
  # Globals read: bldgrn, txtrst, logger.
  printf '%b %b\n' "${bldgrn}[PASS]${txtrst}" "$1" | tee -a "${logger}"
}
warn () {
  # Log a failed check: a red "[WARN]" tag, a space, then $1.
  # Output goes to stdout and is appended to "$logger".
  # Globals read: bldred, txtrst, logger.
  printf '%b %b\n' "${bldred}[WARN]${txtrst}" "$1" | tee -a "${logger}"
}
note () {
  # Log a check that needs manual review: a yellow "[NOTE]" tag, a space, then $1.
  # Output goes to stdout and is appended to "$logger".
  # Globals read: bldylw, txtrst, logger.
  printf '%b %b\n' "${bldylw}[NOTE]${txtrst}" "$1" | tee -a "${logger}"
}
yell () {
  # Print $1 in bold yellow to stdout, followed by a blank line. Unlike the
  # other helpers this is console-only: nothing is written to "$logger".
  # Globals read: bldylw, txtrst.
  printf '%b%b%b\n\n' "$bldylw" "$1" "$txtrst"
}
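appendjson () {
  # Prepare "$logger.json" so a new run can be chained after previous ones.
  # A non-empty file is expected to end with the "}]" line written by endjson():
  # that last line is cut off and replaced by "},\n" so the next document lands
  # in the same top-level array. An empty or missing file is opened with "[".
  # Requires a truncate(1) that accepts a relative "-N" size (GNU coreutils).
  # Globals read: logger.
  if [ -s "$logger.json" ]; then
    # Byte length of the final line. $(( )) strips the padding some wc
    # implementations print, so truncate always receives a bare number.
    last_len=$(( $(tail -n 1 "$logger.json" | wc -c) ))
    # Bail out if the old tail could not be removed: appending "},\n" to an
    # intact "}]" would leave the file unparsable.
    truncate -s "-$last_len" "$logger.json" || return 1
    printf '},\n' >> "$logger.json"
  else
    printf '[' >> "$logger.json"
  fi
}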
beginjson () {
  # Open the top-level JSON document in "$logger.json": $1 is the benchmark
  # version, $2 the start timestamp. The "tests" array is left open for the
  # section helpers below; endjson() closes it.
  # Globals read: logger.
  printf '{\n "dockerbenchsecurity": "%s",\n "start": %s,\n "tests": [' "$1" "$2" \
    | tee -a "$logger.json" >/dev/null 2>&1
}
endjson () {
  # Close the "tests" array and the top-level document opened by beginjson():
  # $1 is the number of checks run, $2 the score, $3 the end timestamp.
  # Globals read: logger.
  printf '\n ], "checks": %s, "score": %s, "end": %s \n}]' "$1" "$2" "$3" \
    | tee -a "$logger.json" >/dev/null 2>&1
}
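logjson () {
  # Append one `"key": "value",` property on a new line of "$logger.json".
  # Both the key ($1) and the value ($2) are escaped so that backslashes and
  # double quotes in runtime data cannot break the JSON document; newlines and
  # tabs are folded to spaces so the property stays on a single line.
  # Globals read: logger.
  printf '\n "%s": "%s",' \
    "$(printf '%s' "$1" | tr '\n\t' '  ' | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')" \
    "$(printf '%s' "$2" | tr '\n\t' '  ' | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')" \
    >> "$logger.json"
}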
|
2017-10-23 15:38:31 +02:00
|
|
|
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
# Separators written before each section object (SSEP) and each test object
# (SEP) in the JSON output. Both start empty so the first element gets no
# leading comma; the start*json helpers set them to "," afterwards.
SSEP=''
SEP=''
startsectionjson() {
  # Open a section object ({"id", "desc", "results": [...) in "$logger.json".
  # $1 is the section id, $2 its description. SSEP supplies the comma that
  # separates this section from the previous one; SEP is reset so the first
  # test inside the section gets no leading comma.
  # Globals: logger (read), SSEP (read, then set to ","), SEP (cleared).
  printf '%s\n {"id": "%s", "desc": "%s", "results": [' "$SSEP" "$1" "$2" \
    | tee -a "$logger.json" >/dev/null 2>&1
  SSEP=','
  SEP=''
}
endsectionjson() {
  # Close the "results" array and the section object opened by startsectionjson().
  # Globals read: logger.
  printf '\n ]}' | tee -a "$logger.json" >/dev/null 2>&1
}
starttestjson() {
  # Open a test object ({"id", "desc", ...) inside the current section of
  # "$logger.json"; resulttestjson() writes the remaining properties and the
  # closing brace. $1 is the test id (e.g. "1.1"), $2 its description. SEP is
  # the comma separating this object from the previous test of the section.
  # Globals: logger (read), SEP (read, then set to ",").
  printf '%s\n {"id": "%s", "desc": "%s", ' "$SEP" "$1" "$2" \
    | tee -a "$logger.json" >/dev/null 2>&1
  SEP=','
}
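# Escape $1 for use inside a JSON string literal: backslashes and double
# quotes are backslash-escaped, newlines and tabs are folded to spaces so the
# value stays on one line. Helper for resulttestjson().
_resulttestjson_escape() {
  printf '%s' "$1" | tr '\n\t' '  ' | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

resulttestjson() {
  # Write the result properties of the test object opened by starttestjson()
  # and close it with "}". Usage:
  #   resulttestjson RESULT                -> "result"
  #   resulttestjson RESULT DETAILS        -> "result", "details"
  #   resulttestjson RESULT DETAILS ITEMS  -> "result", "details" ("DETAILS: "
  #                                           followed by the items) and an
  #                                           "items" array; ITEMS is a
  #                                           whitespace-separated list
  # When $limit is a positive integer only the first $limit items are kept and
  # "(truncated)" is appended if more were supplied. If $remediation is set, a
  # "remediation" property (and, if also set, "remediation-impact") is added.
  # Every value goes through _resulttestjson_escape so quotes and backslashes
  # in runtime data (container names, paths, ...) cannot yield invalid JSON.
  # Globals read: logger, limit, remediation, remediationImpact.
  if [ $# -eq 1 ]; then
    printf '"result": "%s"' "$(_resulttestjson_escape "$1")" >> "$logger.json"
  elif [ $# -eq 2 ]; then
    printf '"result": "%s", "details": "%s"' \
      "$(_resulttestjson_escape "$1")" "$(_resulttestjson_escape "$2")" \
      >> "$logger.json"
  else
    # $limit must be a non-negative integer; anything else means "no limit".
    case $limit in
      ''|*[!0-9]*) max_items=0 ;;
      *) max_items=$limit ;;
    esac
    # Collect the items, stopping once $max_items have been kept. Word
    # splitting on $3 is intentional: the list is whitespace-separated.
    trunc_items=''
    item_count=0
    for item in $3; do
      if [ "$max_items" -gt 0 ] && [ "$item_count" -ge "$max_items" ]; then
        trunc_items="${trunc_items:+$trunc_items }(truncated)"
        break
      fi
      trunc_items="${trunc_items:+$trunc_items }$item"
      item_count=$((item_count + 1))
    done
    # Build the JSON array from the kept items, escaping each element.
    items_json='['
    item_sep=''
    for item in $trunc_items; do
      items_json="$items_json$item_sep\"$(_resulttestjson_escape "$item")\""
      item_sep=','
    done
    items_json="$items_json]"
    printf '"result": "%s", "details": "%s: %s", "items": %s' \
      "$(_resulttestjson_escape "$1")" "$(_resulttestjson_escape "$2")" \
      "$(_resulttestjson_escape "$trunc_items")" "$items_json" \
      >> "$logger.json"
  fi
  # Optional remediation guidance; the impact is only written together with a
  # remediation, as it describes the effect of applying it.
  if [ -n "$remediation" ]; then
    printf ', "remediation": "%s"' "$(_resulttestjson_escape "$remediation")" \
      >> "$logger.json"
    if [ -n "$remediationImpact" ]; then
      printf ', "remediation-impact": "%s"' \
        "$(_resulttestjson_escape "$remediationImpact")" >> "$logger.json"
    fi
  fi
  printf '}' >> "$logger.json"
}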