2015-05-11 06:08:28 +02:00
|
|
|
#!/bin/sh
|
|
|
|
|
|
2018-12-11 11:47:06 +01:00
|
|
|
if [ -n "$imgList" ]; then
|
|
|
|
|
pattern=$(echo "$imgList" | sed 's/,/ /g')
|
|
|
|
|
for img in $pattern; do
|
|
|
|
|
echo "Looking for image $img"
|
|
|
|
|
sha256=$(docker image ls "$img" -q)
|
|
|
|
|
if [ -z "$sha256" ]; then
|
|
|
|
|
echo "Image $img not found. Exiting."
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
images="$images $sha256 "
|
|
|
|
|
done
|
|
|
|
|
else
|
|
|
|
|
images=$(docker images -q)
|
|
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
|
|
|
|
|
check_4() {
|
|
|
|
|
logit "\n"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
id_4="4"
|
|
|
|
|
desc_4="Container Images and Build File"
|
|
|
|
|
check_4="$id_4 - $desc_4"
|
|
|
|
|
info "$check_4"
|
|
|
|
|
startsectionjson "$id_4" "$desc_4"
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
2015-05-11 06:08:28 +02:00
|
|
|
|
|
|
|
|
# 4.1
|
2018-01-16 13:46:49 +01:00
|
|
|
check_4_1() {
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
id_4_1="4.1"
|
|
|
|
|
desc_4_1="Ensure a user for the container has been created"
|
|
|
|
|
check_4_1="$id_4_1 - $desc_4_1"
|
|
|
|
|
starttestjson "$id_4_1" "$desc_4_1"
|
|
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
2015-05-11 06:08:28 +02:00
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
# If container_users is empty, there are no running containers
|
|
|
|
|
if [ -z "$containers" ]; then
|
|
|
|
|
info "$check_4_1"
|
|
|
|
|
info " * No containers running"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "INFO" "No containers running"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
|
|
|
|
else
|
|
|
|
|
# We have some containers running, set failure flag to 0. Check for Users.
|
|
|
|
|
fail=0
|
|
|
|
|
# Make the loop separator be a new-line in POSIX compliant fashion
|
|
|
|
|
set -f; IFS=$'
|
|
|
|
|
'
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
root_containers=""
|
2018-01-16 13:46:49 +01:00
|
|
|
for c in $containers; do
|
|
|
|
|
user=$(docker inspect --format 'User={{.Config.User}}' "$c")
|
2015-05-11 06:08:28 +02:00
|
|
|
|
2019-02-13 14:58:34 +01:00
|
|
|
if [ "$user" = "User=0" ] || [ "$user" = "User=root" ] || [ "$user" = "User=" ] || [ "$user" = "User=[]" ] || [ "$user" = "User=<no value>" ]; then
|
2018-01-16 13:46:49 +01:00
|
|
|
# If it's the first container, fail the test
|
|
|
|
|
if [ $fail -eq 0 ]; then
|
|
|
|
|
warn "$check_4_1"
|
|
|
|
|
warn " * Running as root: $c"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
root_containers="$root_containers $c"
|
2018-01-16 13:46:49 +01:00
|
|
|
fail=1
|
|
|
|
|
else
|
|
|
|
|
warn " * Running as root: $c"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
root_containers="$root_containers $c"
|
2018-01-16 13:46:49 +01:00
|
|
|
fi
|
2015-05-11 06:08:28 +02:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
done
|
|
|
|
|
# We went through all the containers and found none running as root
|
|
|
|
|
if [ $fail -eq 0 ]; then
|
|
|
|
|
pass "$check_4_1"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN" "running as root" "$root_containers"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore - 1))
|
2015-05-11 06:08:28 +02:00
|
|
|
fi
|
|
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
# Make the loop separator go back to space
|
|
|
|
|
set +f; unset IFS
|
|
|
|
|
}
|
2016-12-20 16:01:58 +01:00
|
|
|
|
2017-01-23 17:06:10 +01:00
|
|
|
# 4.2
|
2018-01-16 13:46:49 +01:00
|
|
|
check_4_2() {
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
id_4_2="4.2"
|
|
|
|
|
desc_4_2="Ensure that containers use trusted base images"
|
|
|
|
|
check_4_2="$id_4_2 - $desc_4_2"
|
|
|
|
|
starttestjson "$id_4_2" "$desc_4_2"
|
|
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
note "$check_4_2"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "NOTE"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
|
|
|
|
}
|
2017-01-23 17:06:10 +01:00
|
|
|
|
|
|
|
|
# 4.3
|
2018-01-16 13:46:49 +01:00
|
|
|
check_4_3() {
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
id_4_3="4.3"
|
|
|
|
|
desc_4_3="Ensure unnecessary packages are not installed in the container"
|
|
|
|
|
check_4_3="$id_4_3 - $desc_4_3"
|
|
|
|
|
starttestjson "$id_4_3" "$desc_4_3"
|
|
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
note "$check_4_3"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "NOTE"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
|
|
|
|
}
|
2017-01-23 17:06:10 +01:00
|
|
|
|
|
|
|
|
# 4.4
|
2018-01-16 13:46:49 +01:00
|
|
|
check_4_4() {
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
id_4_4="4.4"
|
|
|
|
|
desc_4_4="Ensure images are scanned and rebuilt to include security patches"
|
|
|
|
|
check_4_4="$id_4_4 - $desc_4_4"
|
|
|
|
|
starttestjson "$id_4_4" "$desc_4_4"
|
|
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
note "$check_4_4"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "NOTE"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
|
|
|
|
}
|
2017-01-23 17:06:10 +01:00
|
|
|
|
2016-04-14 23:15:16 +02:00
|
|
|
# 4.5
|
2018-01-16 13:46:49 +01:00
|
|
|
check_4_5() {
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
id_4_5="4.5"
|
|
|
|
|
desc_4_5="Ensure Content trust for Docker is Enabled"
|
|
|
|
|
check_4_5="$id_4_5 - $desc_4_5"
|
|
|
|
|
starttestjson "$id_4_5" "$desc_4_5"
|
|
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then
|
|
|
|
|
pass "$check_4_5"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
|
|
|
|
warn "$check_4_5"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
fi
|
|
|
|
|
}
|
2016-12-20 16:01:58 +01:00
|
|
|
|
|
|
|
|
# 4.6
|
2018-01-16 13:46:49 +01:00
|
|
|
check_4_6() {
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
id_4_6="4.6"
|
|
|
|
|
desc_4_6="Ensure HEALTHCHECK instructions have been added to the container image"
|
|
|
|
|
check_4_6="$id_4_6 - $desc_4_6"
|
|
|
|
|
starttestjson "$id_4_6" "$desc_4_6"
|
|
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
fail=0
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
no_health_images=""
|
2018-01-16 13:46:49 +01:00
|
|
|
for img in $images; do
|
|
|
|
|
if docker inspect --format='{{.Config.Healthcheck}}' "$img" 2>/dev/null | grep -e "<nil>" >/dev/null 2>&1; then
|
|
|
|
|
if [ $fail -eq 0 ]; then
|
|
|
|
|
fail=1
|
|
|
|
|
warn "$check_4_6"
|
|
|
|
|
fi
|
|
|
|
|
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
|
|
|
|
|
if ! [ "$imgName" = '[]' ]; then
|
|
|
|
|
warn " * No Healthcheck found: $imgName"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
no_health_images="$no_health_images $imgName"
|
2018-01-16 13:46:49 +01:00
|
|
|
fi
|
2017-01-23 16:16:02 +01:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
done
|
|
|
|
|
if [ $fail -eq 0 ]; then
|
|
|
|
|
pass "$check_4_6"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN" "Images w/o HEALTHCHECK" "$no_health_images"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore - 1))
|
2016-12-20 16:01:58 +01:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
2016-12-20 16:01:58 +01:00
|
|
|
|
|
|
|
|
# 4.7
|
2018-01-16 13:46:49 +01:00
|
|
|
check_4_7() {
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
id_4_7="4.7"
|
|
|
|
|
desc_4_7="Ensure update instructions are not use alone in the Dockerfile"
|
|
|
|
|
check_4_7="$id_4_7 - $desc_4_7"
|
|
|
|
|
starttestjson "$id_4_7" "$desc_4_7"
|
|
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
fail=0
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
update_images=""
|
2018-01-16 13:46:49 +01:00
|
|
|
for img in $images; do
|
|
|
|
|
if docker history "$img" 2>/dev/null | grep -e "update" >/dev/null 2>&1; then
|
|
|
|
|
if [ $fail -eq 0 ]; then
|
|
|
|
|
fail=1
|
|
|
|
|
info "$check_4_7"
|
|
|
|
|
fi
|
|
|
|
|
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
|
|
|
|
|
if ! [ "$imgName" = '[]' ]; then
|
|
|
|
|
info " * Update instruction found: $imgName"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
update_images="$update_images $imgName"
|
2018-01-16 13:46:49 +01:00
|
|
|
fi
|
2017-01-23 16:16:02 +01:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
done
|
|
|
|
|
if [ $fail -eq 0 ]; then
|
|
|
|
|
pass "$check_4_7"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2018-07-01 20:01:10 +02:00
|
|
|
currentScore=$((currentScore + 0))
|
2018-01-16 13:46:49 +01:00
|
|
|
else
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "INFO" "Update instructions found" "$update_images"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
2016-12-20 16:01:58 +01:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
2016-12-20 16:01:58 +01:00
|
|
|
|
2017-01-23 17:06:10 +01:00
|
|
|
# 4.8
|
2018-01-16 13:46:49 +01:00
|
|
|
check_4_8() {
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
id_4_8="4.8"
|
|
|
|
|
desc_4_8="Ensure setuid and setgid permissions are removed in the images"
|
|
|
|
|
check_4_8="$id_4_8 - $desc_4_8"
|
|
|
|
|
starttestjson "$id_4_8" "$desc_4_8"
|
|
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
note "$check_4_8"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "NOTE"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
|
|
|
|
}
|
2017-01-23 17:06:10 +01:00
|
|
|
|
2016-12-20 16:01:58 +01:00
|
|
|
# 4.9
|
2018-01-16 13:46:49 +01:00
|
|
|
check_4_9() {
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
id_4_9="4.9"
|
|
|
|
|
desc_4_9="Ensure COPY is used instead of ADD in Dockerfile"
|
|
|
|
|
check_4_9="$id_4_9 - $desc_4_9"
|
|
|
|
|
starttestjson "$id_4_9" "$desc_4_9"
|
|
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
fail=0
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
add_images=""
|
2018-01-16 13:46:49 +01:00
|
|
|
for img in $images; do
|
2019-03-19 14:27:02 +01:00
|
|
|
if docker history --format "{{ .CreatedBy }}" --no-trunc "$img" | sed '$d' |\
|
|
|
|
|
grep -q 'ADD'; then
|
2018-01-16 13:46:49 +01:00
|
|
|
if [ $fail -eq 0 ]; then
|
|
|
|
|
fail=1
|
|
|
|
|
info "$check_4_9"
|
|
|
|
|
fi
|
|
|
|
|
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
|
|
|
|
|
if ! [ "$imgName" = '[]' ]; then
|
|
|
|
|
info " * ADD in image history: $imgName"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
add_images="$add_images $imgName"
|
2018-01-16 13:46:49 +01:00
|
|
|
fi
|
|
|
|
|
currentScore=$((currentScore + 0))
|
2017-01-23 16:16:02 +01:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
done
|
|
|
|
|
if [ $fail -eq 0 ]; then
|
|
|
|
|
pass "$check_4_9"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2019-03-14 10:32:39 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
else
|
2019-01-24 16:46:51 +01:00
|
|
|
resulttestjson "INFO" "Images using ADD" "$add_images"
|
2016-12-20 16:01:58 +01:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
2017-01-23 17:06:10 +01:00
|
|
|
|
|
|
|
|
# 4.10
|
2018-01-16 13:46:49 +01:00
|
|
|
check_4_10() {
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
id_4_10="4.10"
|
|
|
|
|
desc_4_10="Ensure secrets are not stored in Dockerfiles"
|
|
|
|
|
check_4_10="$id_4_10 - $desc_4_10"
|
|
|
|
|
starttestjson "$id_4_10" "$desc_4_10"
|
|
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
note "$check_4_10"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "NOTE"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
|
|
|
|
}
|
2017-01-23 17:06:10 +01:00
|
|
|
|
|
|
|
|
# 4.11
|
2018-01-16 13:46:49 +01:00
|
|
|
check_4_11() {
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
id_4_11="4.11"
|
|
|
|
|
desc_4_11="Ensure verified packages are only Installed"
|
|
|
|
|
check_4_11="$id_4_11 - $desc_4_11"
|
|
|
|
|
starttestjson "$id_4_11" "$desc_4_11"
|
|
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
note "$check_4_11"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "NOTE"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
|
|
|
|
}
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
|
|
|
|
|
check_4_end() {
|
|
|
|
|
endsectionjson
|
|
|
|
|
}
|
