2015-05-11 06:08:28 +02:00
#!/bin/sh
2018-01-16 13:46:49 +01:00
check_4( ) {
2021-03-10 20:47:52 +01:00
logit ""
2021-03-09 11:42:48 +01:00
local id = "4"
local desc = "Container Images and Build File"
2021-03-10 20:47:52 +01:00
checkHeader = " $id - $desc "
info " $checkHeader "
2021-03-09 11:42:48 +01:00
startsectionjson " $id " " $desc "
2018-01-16 13:46:49 +01:00
}
2015-05-11 06:08:28 +02:00
# 4.1
2018-01-16 13:46:49 +01:00
check_4_1( ) {
2021-03-09 11:42:48 +01:00
local id = "4.1"
local desc = "Ensure that a user for the container has been created (Scored)"
local check = " $id - $desc "
starttestjson " $id " " $desc "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
2018-01-16 13:46:49 +01:00
totalChecks = $(( totalChecks + 1 ))
2015-05-11 06:08:28 +02:00
2018-01-16 13:46:49 +01:00
# If container_users is empty, there are no running containers
if [ -z " $containers " ] ; then
2021-03-09 11:42:48 +01:00
info " $check "
2018-01-16 13:46:49 +01:00
info " * No containers running"
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
resulttestjson "INFO" "No containers running"
2018-01-16 13:46:49 +01:00
currentScore = $(( currentScore + 0 ))
else
# We have some containers running, set failure flag to 0. Check for Users.
fail = 0
# Make the loop separator be a new-line in POSIX compliant fashion
set -f; IFS = $'
'
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
root_containers = ""
2018-01-16 13:46:49 +01:00
for c in $containers ; do
user = $( docker inspect --format 'User={{.Config.User}}' " $c " )
2015-05-11 06:08:28 +02:00
2019-02-13 14:58:34 +01:00
if [ " $user " = "User=0" ] || [ " $user " = "User=root" ] || [ " $user " = "User=" ] || [ " $user " = "User=[]" ] || [ " $user " = "User=<no value>" ] ; then
2018-01-16 13:46:49 +01:00
# If it's the first container, fail the test
if [ $fail -eq 0 ] ; then
2021-03-09 11:42:48 +01:00
warn " $check "
2018-01-16 13:46:49 +01:00
warn " * Running as root: $c "
2020-11-02 09:26:20 +01:00
root_containers = " $root_containers $c "
2018-01-16 13:46:49 +01:00
fail = 1
else
warn " * Running as root: $c "
2020-11-02 09:26:20 +01:00
root_containers = " $root_containers $c "
2018-01-16 13:46:49 +01:00
fi
2015-05-11 06:08:28 +02:00
fi
2018-01-16 13:46:49 +01:00
done
# We went through all the containers and found none running as root
if [ $fail -eq 0 ] ; then
2021-03-09 11:42:48 +01:00
pass " $check "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
resulttestjson "PASS"
2018-01-16 13:46:49 +01:00
currentScore = $(( currentScore + 1 ))
else
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
resulttestjson "WARN" "running as root" " $root_containers "
2018-01-16 13:46:49 +01:00
currentScore = $(( currentScore - 1 ))
2015-05-11 06:08:28 +02:00
fi
fi
2018-01-16 13:46:49 +01:00
# Make the loop separator go back to space
set +f; unset IFS
}
2016-12-20 16:01:58 +01:00
2017-01-23 17:06:10 +01:00
# 4.2
2018-01-16 13:46:49 +01:00
check_4_2( ) {
2021-03-09 11:42:48 +01:00
local id = "4.2"
local desc = "Ensure that containers use only trusted base images (Not Scored)"
local check = " $id - $desc "
starttestjson " $id " " $desc "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
2018-01-16 13:46:49 +01:00
totalChecks = $(( totalChecks + 1 ))
2021-03-09 11:42:48 +01:00
note " $check "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
resulttestjson "NOTE"
2018-01-16 13:46:49 +01:00
currentScore = $(( currentScore + 0 ))
}
2017-01-23 17:06:10 +01:00
# 4.3
2018-01-16 13:46:49 +01:00
check_4_3( ) {
2021-03-09 11:42:48 +01:00
local id = "4.3"
local desc = "Ensure that unnecessary packages are not installed in the container (Not Scored)"
local check = " $id - $desc "
starttestjson " $id " " $desc "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
2018-01-16 13:46:49 +01:00
totalChecks = $(( totalChecks + 1 ))
2021-03-09 11:42:48 +01:00
note " $check "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
resulttestjson "NOTE"
2018-01-16 13:46:49 +01:00
currentScore = $(( currentScore + 0 ))
}
2017-01-23 17:06:10 +01:00
# 4.4
2018-01-16 13:46:49 +01:00
check_4_4( ) {
2021-03-09 11:42:48 +01:00
local id = "4.4"
local desc = "Ensure images are scanned and rebuilt to include security patches (Not Scored)"
local check = " $id - $desc "
starttestjson " $id " " $desc "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
2018-01-16 13:46:49 +01:00
totalChecks = $(( totalChecks + 1 ))
2021-03-09 11:42:48 +01:00
note " $check "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
resulttestjson "NOTE"
2018-01-16 13:46:49 +01:00
currentScore = $(( currentScore + 0 ))
}
2017-01-23 17:06:10 +01:00
2016-04-14 23:15:16 +02:00
# 4.5
2018-01-16 13:46:49 +01:00
check_4_5( ) {
2021-03-09 11:42:48 +01:00
local id = "4.5"
local desc = "Ensure Content trust for Docker is Enabled (Scored)"
2021-03-11 07:30:01 +01:00
local remediation = "Add DOCKER_CONTENT_TRUST variable to the /etc/environment file using command echo \"DOCKER_CONTENT_TRUST=1\" | sudo tee -a /etc/environment."
2021-03-10 20:47:52 +01:00
local remediationImpact = "This prevents users from working with tagged images unless they contain a signature."
2021-03-09 11:42:48 +01:00
local check = " $id - $desc "
starttestjson " $id " " $desc "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
2018-01-16 13:46:49 +01:00
totalChecks = $(( totalChecks + 1 ))
if [ " x $DOCKER_CONTENT_TRUST " = "x1" ] ; then
2021-03-09 11:42:48 +01:00
pass " $check "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
resulttestjson "PASS"
2018-01-16 13:46:49 +01:00
currentScore = $(( currentScore + 1 ))
else
2021-03-09 11:42:48 +01:00
warn " $check "
2021-03-10 20:47:52 +01:00
saveRemediation --id " ${ id } " --rem " ${ remediation } " --imp " ${ remediationImpact } "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
resulttestjson "WARN"
2018-01-16 13:46:49 +01:00
currentScore = $(( currentScore - 1 ))
fi
}
2016-12-20 16:01:58 +01:00
# 4.6
2018-01-16 13:46:49 +01:00
check_4_6( ) {
2021-03-09 11:42:48 +01:00
local id = "4.6"
local desc = "Ensure that HEALTHCHECK instructions have been added to container images (Scored)"
local check = " $id - $desc "
starttestjson " $id " " $desc "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
2018-01-16 13:46:49 +01:00
totalChecks = $(( totalChecks + 1 ))
fail = 0
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
no_health_images = ""
2018-01-16 13:46:49 +01:00
for img in $images ; do
if docker inspect --format= '{{.Config.Healthcheck}}' " $img " 2>/dev/null | grep -e "<nil>" >/dev/null 2>& 1; then
if [ $fail -eq 0 ] ; then
fail = 1
2021-03-09 11:42:48 +01:00
warn " $check "
2018-01-16 13:46:49 +01:00
fi
imgName = $( docker inspect --format= '{{.RepoTags}}' " $img " 2>/dev/null)
if ! [ " $imgName " = '[]' ] ; then
warn " * No Healthcheck found: $imgName "
2020-11-02 09:26:20 +01:00
no_health_images = " $no_health_images $imgName "
else
warn " * No Healthcheck found: $img "
no_health_images = " $no_health_images $img "
2018-01-16 13:46:49 +01:00
fi
2017-01-23 16:16:02 +01:00
fi
2018-01-16 13:46:49 +01:00
done
if [ $fail -eq 0 ] ; then
2021-03-09 11:42:48 +01:00
pass " $check "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
resulttestjson "PASS"
2018-01-16 13:46:49 +01:00
currentScore = $(( currentScore + 1 ))
else
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
resulttestjson "WARN" "Images w/o HEALTHCHECK" " $no_health_images "
2018-01-16 13:46:49 +01:00
currentScore = $(( currentScore - 1 ))
2016-12-20 16:01:58 +01:00
fi
2018-01-16 13:46:49 +01:00
}
2016-12-20 16:01:58 +01:00
# 4.7
2018-01-16 13:46:49 +01:00
check_4_7( ) {
2021-03-09 11:42:48 +01:00
local id = "4.7"
local desc = "Ensure update instructions are not used alone in the Dockerfile (Not Scored)"
local check = " $id - $desc "
starttestjson " $id " " $desc "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
2018-01-16 13:46:49 +01:00
totalChecks = $(( totalChecks + 1 ))
fail = 0
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
update_images = ""
2018-01-16 13:46:49 +01:00
for img in $images ; do
if docker history " $img " 2>/dev/null | grep -e "update" >/dev/null 2>& 1; then
if [ $fail -eq 0 ] ; then
fail = 1
2021-03-09 11:42:48 +01:00
info " $check "
2018-01-16 13:46:49 +01:00
fi
imgName = $( docker inspect --format= '{{.RepoTags}}' " $img " 2>/dev/null)
if ! [ " $imgName " = '[]' ] ; then
info " * Update instruction found: $imgName "
2020-11-02 09:26:20 +01:00
update_images = " $update_images $imgName "
2018-01-16 13:46:49 +01:00
fi
2017-01-23 16:16:02 +01:00
fi
2018-01-16 13:46:49 +01:00
done
if [ $fail -eq 0 ] ; then
2021-03-09 11:42:48 +01:00
pass " $check "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
resulttestjson "PASS"
2018-07-01 20:01:10 +02:00
currentScore = $(( currentScore + 0 ))
2018-01-16 13:46:49 +01:00
else
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
resulttestjson "INFO" "Update instructions found" " $update_images "
2018-01-16 13:46:49 +01:00
currentScore = $(( currentScore + 0 ))
2016-12-20 16:01:58 +01:00
fi
2018-01-16 13:46:49 +01:00
}
2016-12-20 16:01:58 +01:00
2017-01-23 17:06:10 +01:00
# 4.8
2018-01-16 13:46:49 +01:00
check_4_8( ) {
2021-03-09 11:42:48 +01:00
local id = "4.8"
local desc = "Ensure setuid and setgid permissions are removed (Not Scored)"
local check = " $id - $desc "
starttestjson " $id " " $desc "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
2018-01-16 13:46:49 +01:00
totalChecks = $(( totalChecks + 1 ))
2021-03-09 11:42:48 +01:00
note " $check "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
resulttestjson "NOTE"
2018-01-16 13:46:49 +01:00
currentScore = $(( currentScore + 0 ))
}
2017-01-23 17:06:10 +01:00
2016-12-20 16:01:58 +01:00
# 4.9
2018-01-16 13:46:49 +01:00
check_4_9( ) {
2021-03-09 11:42:48 +01:00
local id = "4.9"
local desc = "Ensure that COPY is used instead of ADD in Dockerfiles (Not Scored)"
local check = " $id - $desc "
starttestjson " $id " " $desc "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
2018-01-16 13:46:49 +01:00
totalChecks = $(( totalChecks + 1 ))
fail = 0
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
add_images = ""
2018-01-16 13:46:49 +01:00
for img in $images ; do
2019-03-19 14:54:38 +01:00
if docker history --format "{{ .CreatedBy }}" --no-trunc " $img " | \
2019-03-20 09:57:19 +01:00
sed '$d' | grep -q 'ADD' ; then
2018-01-16 13:46:49 +01:00
if [ $fail -eq 0 ] ; then
fail = 1
2021-03-09 11:42:48 +01:00
info " $check "
2018-01-16 13:46:49 +01:00
fi
imgName = $( docker inspect --format= '{{.RepoTags}}' " $img " 2>/dev/null)
if ! [ " $imgName " = '[]' ] ; then
info " * ADD in image history: $imgName "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
add_images = " $add_images $imgName "
2018-01-16 13:46:49 +01:00
fi
currentScore = $(( currentScore + 0 ))
2017-01-23 16:16:02 +01:00
fi
2018-01-16 13:46:49 +01:00
done
if [ $fail -eq 0 ] ; then
2021-03-09 11:42:48 +01:00
pass " $check "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
resulttestjson "PASS"
2019-03-14 10:32:39 +01:00
currentScore = $(( currentScore + 0 ))
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
else
2019-01-24 16:46:51 +01:00
resulttestjson "INFO" "Images using ADD" " $add_images "
2016-12-20 16:01:58 +01:00
fi
2018-01-16 13:46:49 +01:00
}
2017-01-23 17:06:10 +01:00
# 4.10
2018-01-16 13:46:49 +01:00
check_4_10( ) {
2021-03-09 11:42:48 +01:00
local id = "4.10"
local desc = "Ensure secrets are not stored in Dockerfiles (Not Scored)"
local check = " $id - $desc "
starttestjson " $id " " $desc "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
2018-01-16 13:46:49 +01:00
totalChecks = $(( totalChecks + 1 ))
2021-03-09 11:42:48 +01:00
note " $check "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
resulttestjson "NOTE"
2018-01-16 13:46:49 +01:00
currentScore = $(( currentScore + 0 ))
}
2017-01-23 17:06:10 +01:00
# 4.11
2018-01-16 13:46:49 +01:00
check_4_11( ) {
2021-03-09 11:42:48 +01:00
local id = "4.11"
local desc = "Ensure only verified packages are are installed (Not Scored)"
local check = " $id - $desc "
starttestjson " $id " " $desc "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
2018-01-16 13:46:49 +01:00
totalChecks = $(( totalChecks + 1 ))
2021-03-09 11:42:48 +01:00
note " $check "
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
resulttestjson "NOTE"
2018-01-16 13:46:49 +01:00
currentScore = $(( currentScore + 0 ))
}
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
check_4_end( ) {
endsectionjson
}
