#!/bin/bash
#
# Section 7 - Docker Swarm Configuration
#
# JSON output conventions used by this section (from the commit
# "Improve docker-bench-security json output",
# Signed-off-by: Mark Stemm <mark.stemm@gmail.com>, 2018-07-12):
#
#   Add a test object for each test performed by the script. Each object has
#   an id N.M, a desc property describing the test, and the result. Some
#   tests include additional information about the test e.g. "No TLS
#   Certificate Found". That can be found in an optional details property of
#   the test object.
#   Also, some tests might also return a list of containers, images, users,
#   etc. This is included in an optional items property of the test object.
#   Instead of having all test results as top-level objects, break the test
#   results into sections. Each section has an id + description e.g. "1" and
#   "Host Configuration". The tests for that section are an array below that
#   object.
#   All of the additional json output is implemented by adding new functions
#   startsectionjson(), endsectionjson(), starttestjson(), and
#   resulttestjson() that take the id/desc/etc as arguments and print the
#   proper json properties. It also required adding an "end" test to each
#   script that calls endsectionjson().

check_7() {
  logit ""
  local id="7"
  local desc="Docker Swarm Configuration"
  checkHeader="$id - $desc"
  info "$checkHeader"
  startsectionjson "$id" "$desc"
}

check_7_1() {
  local id="7.1"
  local desc="Ensure that the minimum number of manager nodes have been created in a swarm (Automated)"
  local remediation="If an excessive number of managers is configured, the excess nodes can be demoted to workers using command: docker node demote <manager node ID to be demoted>"
  local remediationImpact="None."
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
    # A healthy swarm has exactly one Raft leader, so this counts the single
    # "Leader" row of `docker node ls`; it does not count managers as such.
    # Count the Leader, Reachable and Unreachable rows (or read the
    # "Managers:" line of `docker info`) to audit the number of managers.
    managernodes=$(docker node ls | grep -c "Leader")
    if [ "$managernodes" -eq 1 ]; then
      pass -s "$check"
      logcheckresult "PASS"
      return
    fi
    warn -s "$check"
    logcheckresult "WARN"
    return
  fi
  pass -s "$check (Swarm mode not enabled)"
  logcheckresult "PASS"
}

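The check above greps `docker node ls` for `Leader`. A swarm elects exactly one Raft leader at a time, so that count is 1 for any healthy swarm regardless of how many managers it has. The following is an added example, not docker-bench-security code: it runs the leader count and a manager count side by side over a constructed `docker node ls` table (node IDs, hostnames and engine versions are invented) and computes how many simultaneous manager failures a given manager count tolerates, which is floor((N-1)/2) for Raft.

```shell
# Added example, not docker-bench-security code: counting managers versus
# counting the leader in `docker node ls` output.

# Constructed `docker node ls` table for a swarm with 3 managers and 2
# workers. IDs, hostnames and versions are invented for the example.
SAMPLE_NODE_LS='ID                            HOSTNAME   STATUS    AVAILABILITY   MANAGER STATUS   ENGINE VERSION
abc123def456ghi789jkl012m *   mgr-1      Ready     Active         Leader           24.0.7
bcd234efg567hij890klm123n     mgr-2      Ready     Active         Reachable        24.0.7
cde345fgh678ijk901lmn234o     mgr-3      Ready     Active         Unreachable      24.0.7
def456ghi789jkl012mno345p     worker-1   Ready     Active                          24.0.7
efg567hij890klm123nop456q     worker-2   Ready     Active                          24.0.7'

# count_leaders: exactly what check 7.1 measures. Always 1 for a healthy
# swarm, whatever the number of managers.
count_leaders() {
  printf '%s\n' "$1" | grep -c 'Leader'
}

# count_managers: every node with a MANAGER STATUS value. Docker prints
# Leader, Reachable or Unreachable there; workers leave the column empty.
# The header row is skipped with NR > 1.
count_managers() {
  printf '%s\n' "$1" | awk 'NR > 1 && /Leader|Reachable|Unreachable/ { n++ } END { print n + 0 }'
}

# quorum_tolerance: number of managers that can be lost while the remaining
# ones still form a Raft majority, i.e. floor((N - 1) / 2).
quorum_tolerance() {
  echo $(( ($1 - 1) / 2 ))
}

# Stand-alone run on the constructed table.
leaders=$(count_leaders "$SAMPLE_NODE_LS")
managers=$(count_managers "$SAMPLE_NODE_LS")
printf 'Leader rows:      %s\n' "$leaders"
printf 'Manager nodes:    %s\n' "$managers"
printf 'Tolerated losses: %s\n' "$(quorum_tolerance "$managers")"
```

Against a live swarm the same numbers come from `docker node ls --format '{{.ManagerStatus}}' | grep -c .` or from the `Managers:` line of `docker info`.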
check_7_2() {
  local id="7.2"
  local desc="Ensure that swarm services are bound to a specific host interface (Automated)"
  local remediation="Resolving this issue requires re-initialization of the swarm, specifying a specific interface for the --listen-addr parameter."
  local remediationImpact="None."
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
    # $netbin is set by the bench's helper library (ss or netstat). The
    # patterns match the management port 2377 on any all-interfaces address;
    # grep exits 1 when none is found, which is the passing case.
    $netbin -lnt | grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 ' >/dev/null 2>&1
    if [ $? -eq 1 ]; then
      pass -s "$check"
      logcheckresult "PASS"
      return
    fi
    warn -s "$check"
    logcheckresult "WARN"
    return
  fi
  pass -s "$check (Swarm mode not enabled)"
  logcheckresult "PASS"
}

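The check above pipes the listener table into grep and treats "no match" as a pass. The following is an added example, not docker-bench-security code: it classifies where port 2377/tcp is bound (wildcard, a specific address, or not at all) from constructed `ss -lnt` style output, using the same four wildcard forms the check looks for. The sample tables and addresses are invented.

```shell
# Added example, not docker-bench-security code: classify the bind address
# of the swarm management port (2377/tcp) from `ss -lnt` / `netstat -lnt`
# output. Column 4 is the local address in both tools' output.

# Constructed listener tables in `ss -lnt` layout; addresses are invented.
LISTEN_WILDCARD='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       4096    0.0.0.0:2377         0.0.0.0:*
LISTEN  0       4096    [::]:2377            [::]:*
LISTEN  0       128     127.0.0.1:22         0.0.0.0:*'

LISTEN_BOUND='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       4096    192.168.0.1:2377     0.0.0.0:*
LISTEN  0       128     127.0.0.1:22         0.0.0.0:*'

LISTEN_NONE='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:22         0.0.0.0:*'

# swarm_listeners: print the local address of every listener on port 2377.
swarm_listeners() {
  printf '%s\n' "$1" | awk '$4 ~ /:2377$/ { print $4 }'
}

# swarm_bind_class: WILDCARD if any 2377 listener is on an all-interfaces
# address (the four forms check 7.2 greps for), BOUND if 2377 listens only
# on specific addresses, NONE if nothing listens on 2377 (swarm inactive,
# or this host is a worker).
swarm_bind_class() {
  addrs=$(swarm_listeners "$1")
  if [ -z "$addrs" ]; then
    echo NONE
    return
  fi
  if printf '%s\n' "$addrs" | grep -q -e '^\[::\]:2377$' -e '^:::2377$' -e '^\*:2377$' -e '^0\.0\.0\.0:2377$'; then
    echo WILDCARD
  else
    echo BOUND
  fi
}

# Stand-alone run on the constructed tables.
printf 'wildcard table: %s\n' "$(swarm_bind_class "$LISTEN_WILDCARD")"
printf 'bound table:    %s\n' "$(swarm_bind_class "$LISTEN_BOUND")"
printf 'no listener:    %s\n' "$(swarm_bind_class "$LISTEN_NONE")"
```

On a live manager, `swarm_bind_class "$(ss -lnt)"` gives the verdict, and `swarm_listeners "$(ss -lnt)"` shows the exact address the manager is listening on, which is what you compare against the `--listen-addr` the swarm was initialised with.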
check_7_3() {
  local id="7.3"
  local desc="Ensure that all Docker swarm overlay networks are encrypted (Automated)"
  local remediation="You should create overlay networks with the --opt encrypted flag."
  local remediationImpact="None."
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  fail=0
  unencrypted_networks=""
  # Every overlay network is inspected, ingress included. A network created
  # with --opt encrypted carries an "encrypted" key in its Options map, which
  # the template prints as "encrypted:"; a line without it is unencrypted.
  for encnet in $(docker network ls --filter driver=overlay --quiet); do
    if docker network inspect --format '{{.Name}} {{ .Options }}' "$encnet" | \
      grep -v 'encrypted:' 2>/dev/null 1>&2; then
      # Print the warning header once, on the first unencrypted network
      if [ $fail -eq 0 ]; then
        warn -s "$check"
        fail=1
      fi
      warn "     * Unencrypted overlay network: $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")"
      unencrypted_networks="$unencrypted_networks $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")"
    fi
  done
  # We went through all the networks and found none that are unencrypted
  if [ $fail -eq 0 ]; then
    pass -s "$check"
    logcheckresult "PASS"
    return
  fi
  logcheckresult "WARN" "Unencrypted overlay networks:" "$unencrypted_networks"
}

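The check above relies on how Go prints the Options map: `map[key:value ...]` with keys sorted, so an overlay created with `--opt encrypted` shows an `encrypted:` entry (its value is empty) and an unencrypted one does not. The following is an added example, not docker-bench-security code, that does the same classification from one inspect call per network with the template `'{{.Name}} {{.Scope}} {{.Options}}'` and prints the offending networks in the same "name (scope)" form the check logs. The network names and vxlanid values are invented.

```shell
# Added example, not docker-bench-security code: find unencrypted overlay
# networks from lines produced by
#   docker network inspect --format '{{.Name}} {{.Scope}} {{.Options}}' <id>

# Constructed inspect lines for four overlay networks (names and vxlanid
# values are placeholders).
NETWORK_LINES='ingress swarm map[com.docker.network.driver.overlay.vxlanid_list:4096]
backend swarm map[com.docker.network.driver.overlay.vxlanid_list:4097 encrypted:]
frontend swarm map[com.docker.network.driver.overlay.vxlanid_list:4098]
payments swarm map[com.docker.network.driver.overlay.vxlanid_list:4099 encrypted:]'

# unencrypted_overlays: print "name (scope)" for each network whose Options
# map has no encrypted key. The key is matched at the start of the map or
# after a space, so a key that merely ends in "encrypted" would not count.
# Lines with fewer than three fields (e.g. empty input) are ignored.
unencrypted_overlays() {
  printf '%s\n' "$1" | awk 'NF >= 3 && !/\[encrypted:/ && !/ encrypted:/ { printf "%s (%s)\n", $1, $2 }'
}

# overlay_verdict: PASS when every overlay is encrypted, WARN otherwise.
overlay_verdict() {
  if [ -z "$(unencrypted_overlays "$1")" ]; then
    echo PASS
  else
    echo WARN
  fi
}

# Stand-alone run on the constructed data.
echo "Verdict: $(overlay_verdict "$NETWORK_LINES")"
unencrypted_overlays "$NETWORK_LINES" | sed 's/^/  * Unencrypted overlay network: /'
```

To feed it a live swarm, collect the lines with `for n in $(docker network ls --filter driver=overlay --quiet); do docker network inspect --format '{{.Name}} {{.Scope}} {{.Options}}' "$n"; done` and pass the result as the single argument.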
check_7_4() {
  local id="7.4"
  local desc="Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Manual)"
  local remediation="You should follow the docker secret documentation and use it to manage secrets effectively."
  local remediationImpact="None."
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
    # At least one object in `docker secret ls` shows the secret store is in use
    if [ "$(docker secret ls -q | wc -l)" -ge 1 ]; then
      pass -c "$check"
      logcheckresult "PASS"
      return
    fi
    info -c "$check"
    logcheckresult "INFO"
    return
  fi
  pass -c "$check (Swarm mode not enabled)"
  logcheckresult "PASS"
}

check_7_5() {
  local id="7.5"
  local desc="Ensure that swarm manager is run in auto-lock mode (Automated)"
  local remediation="If you are initializing a swarm, use the command: docker swarm init --autolock. If you want to set --autolock on an existing swarm manager node, use the command: docker swarm update --autolock."
  local remediationImpact="A swarm in auto-lock mode will not recover from a restart without manual intervention from an administrator to enter the unlock key. This may not always be desirable, and should be reviewed at a policy level."
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
    # `docker swarm unlock-key` prints the SWMKEY-prefixed key only when
    # auto-lock is enabled; otherwise it fails and prints nothing on stdout.
    if ! docker swarm unlock-key 2>/dev/null | grep 'SWMKEY' 2>/dev/null 1>&2; then
      warn -s "$check"
      logcheckresult "WARN"
      return
    fi
    pass -s "$check"
    logcheckresult "PASS"
    return
  fi
  pass -s "$check (Swarm mode not enabled)"
  logcheckresult "PASS"
}

check_7_6() {
  local id="7.6"
  local desc="Ensure that the swarm manager auto-lock key is rotated periodically (Manual)"
  local remediation="You should run the command docker swarm unlock-key --rotate to rotate the keys. To facilitate auditing of this recommendation, you should maintain key rotation records and ensure that you establish a pre-defined frequency for key rotation."
  local remediationImpact="None."
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
    # Rotation history is not visible from the engine, so this is a manual check
    note -c "$check"
    logcheckresult "NOTE"
    return
  fi
  pass -c "$check (Swarm mode not enabled)"
  logcheckresult "PASS"
}

check_7_7() {
  local id="7.7"
  local desc="Ensure that node certificates are rotated as appropriate (Manual)"
  local remediation="You should run the command docker swarm update --cert-expiry 48h to set the desired expiry time on the node certificate."
  local remediationImpact="None."
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
    # `docker info` reports the expiry in human-readable form (the default
    # 2160h shows as "3 months"). Only the exact value set by the remediation,
    # 48h printed as "2 days", passes; any other setting is reported as INFO.
    if docker info 2>/dev/null | grep "Expiry Duration: 2 days" >/dev/null 2>&1; then
      pass -c "$check"
      logcheckresult "PASS"
      return
    fi
    info -c "$check"
    logcheckresult "INFO"
    return
  fi
  pass -c "$check (Swarm mode not enabled)"
  logcheckresult "PASS"
}

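The check above passes only on the literal string "Expiry Duration: 2 days", so a stricter setting such as 36 hours is reported as INFO. The following is an added example, not docker-bench-security code: it parses the `Expiry Duration` line of `docker info`, converts it to hours and compares it against a policy maximum (48 hours by default, the value the remediation sets). The `docker info` excerpts are constructed, and the unit vocabulary (hours, days, weeks, months, with a month taken as 30 days) is an assumption about Docker's human-readable duration output that should be confirmed against the engine version in use.

```shell
# Added example, not docker-bench-security code: compare the node certificate
# expiry reported by `docker info` against a maximum, rather than matching
# one exact string.

# Constructed excerpts of `docker info` output. The default expiry of 2160h
# is shown by Docker as "3 months".
INFO_DEFAULT='Swarm: active
 NodeID: abcdefghijklmnopqrstuvwxy
 Is Manager: true
 CA Configuration:
  Expiry Duration: 3 months
  Force Rotate: 0'

INFO_48H='Swarm: active
 CA Configuration:
  Expiry Duration: 2 days'

INFO_36H='Swarm: active
 CA Configuration:
  Expiry Duration: 36 hours'

# expiry_hours: extract "Expiry Duration: N unit" and convert to hours.
# Prints nothing and returns 1 when the line is absent or the unit is not
# one of the whole-unit forms assumed here (a month is taken as 30 days).
expiry_hours() {
  line=$(printf '%s\n' "$1" | sed -n 's/^ *Expiry Duration: *//p' | head -n 1)
  [ -n "$line" ] || return 1
  n=${line%% *}
  unit=${line#* }
  case "$unit" in
    hour|hours)   echo "$n" ;;
    day|days)     echo $((n * 24)) ;;
    week|weeks)   echo $((n * 24 * 7)) ;;
    month|months) echo $((n * 24 * 30)) ;;
    *) return 1 ;;
  esac
}

# cert_expiry_verdict: PASS if the expiry is at or under MAX hours (second
# argument, default 48), WARN if longer, INFO if it cannot be parsed, e.g.
# when swarm mode is inactive and the line is missing.
cert_expiry_verdict() {
  max=${2:-48}
  hours=$(expiry_hours "$1") || { echo INFO; return; }
  if [ "$hours" -le "$max" ]; then
    echo PASS
  else
    echo WARN
  fi
}

# Stand-alone run on the constructed excerpts.
for sample in "$INFO_DEFAULT" "$INFO_48H" "$INFO_36H"; do
  printf '%-5s %s hours\n' "$(cert_expiry_verdict "$sample")" "$(expiry_hours "$sample")"
done
```

On a live manager, `cert_expiry_verdict "$(docker info 2>/dev/null)" 48` gives the verdict for a 48-hour policy; pass a different second argument to audit against another maximum.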
check_7_8() {
  local id="7.8"
  local desc="Ensure that CA certificates are rotated as appropriate (Manual)"
  local remediation="You should run the command docker swarm ca --rotate to rotate a certificate."
  local remediationImpact="None."
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
    # CA rotation history is not visible from the engine, so this is a manual check
    info -c "$check"
    logcheckresult "INFO"
    return
  fi
  pass -c "$check (Swarm mode not enabled)"
  logcheckresult "PASS"
}

check_7_9() {
  local id="7.9"
  local desc="Ensure that management plane traffic is separated from data plane traffic (Manual)"
  local remediation="You should initialize the swarm with dedicated interfaces for management and data planes respectively. Example: docker swarm init --advertise-addr=192.168.0.1 --data-path-addr=17.1.0.3"
  local remediationImpact="This requires two network interfaces per node."
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
    # Whether --advertise-addr and --data-path-addr sit on different
    # interfaces is a manual review
    info -c "$check"
    logcheckresult "INFO"
    return
  fi
  pass -c "$check (Swarm mode not enabled)"
  logcheckresult "PASS"
}

check_7_end() {
  endsectionjson
}